Exchange 2010 multi site certificates

Posted on 2013-01-10
Last Modified: 2013-01-12
Hi All,

I have two sites in one AD domain. Each site has its own Exchange Server 2010 hosting the Mailbox, HT, and Internet-facing CAS roles. We have multiple e-mail domains being accepted in this Exchange environment.

@domain1.com
@domain2.com
@domain3.com

Our local DNS infrastructure is private and is abc.local.

In site 1 (primary site) the Exchange server is called ex1.abc.local and in site 2, the Exchange server is ex2.abc.local.

mail.domain1.com points to ex1.abc.local and mail.domain2.com points to ex2.abc.local.

MX records for the above domains:

domain1.com -> mail.domain1.com
domain2.com -> mail.domain2.com
domain3.com -> mail.domain1.com

Note: I need autodiscover to work properly for all domains.

Questions:

1- For each Exchange server, what are the specifics for each SAN certificate?
2- When SAN certificates are configured properly, will domain2 users going to https://mail.domain1.com/owa be redirected automatically to mail.domain2.com (if their mailbox resides there)?
3- Can I get away with GoDaddy's SAN certificates instead of having to pay a hefty fee to other providers?

Thanking you all in advance,

George
Question by:giorgio71

Expert Comment

by:Simon Butler (Sembee)
ID: 38763944
Moving backwards... GoDaddy certificates - yes they are fine. I have deployed 100s of them.
If you get the external URLs configured correctly and a user hits the "wrong" server, they will be redirected to the correct server with their mailbox on it. You will need a unique host name for each server, configured as the external URL.

A single certificate is going to be your best option here, as GoDaddy will not allow the autodiscover record to apply on multiple certificates.

With the forthcoming changes to the SSL certificate issuing guidelines you will need to use an external host name internally via split DNS. As this is only three host names, I would do the following:

mail.domain1.com
mail.domain2.com
mail.domain3.com
autodiscover.domain1.com
autodiscover.domain2.com
autodiscover.domain3.com

Set up split DNS so that mail and autodiscover for each domain resolve internally as well, and adjust Exchange on each server to use those host names internally and externally. Don't forget web services and the AutodiscoverServiceInternalURI on Set-ClientAccessServer.

Make sure you have your AD sites set up correctly so that Autodiscover doesn't cross sites, and have an RPC CAS Array per AD site as well.

Simon.
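The procedure Simon outlines above (split DNS, one SAN certificate, public host names on every virtual directory, and the Autodiscover SCP) as an added Exchange Management Shell example for the site 1 server. This is not code from the thread or from Simon's site; the internal IP address, the certificate subject details, the request file path and the assumption that the DNS Server role runs on the same machine are all illustrative. The same script applies to EX2 with the domain2 names substituted.

```powershell
# Added example: configure one Exchange 2010 CAS (EX1 in site 1) to present
# mail.domain1.com / autodiscover.domain1.com both internally and externally.
# Run in the Exchange Management Shell on EX1 as an Organization Management member.
$Server     = "EX1"
$MailHost   = "mail.domain1.com"
$AutoDHost  = "autodiscover.domain1.com"
$InternalIP = "10.0.0.10"   # assumed internal address of EX1

# 1. Split DNS: an AD-integrated copy of the public zone on the internal DNS server.
#    Caveat: once domain1.com exists internally, every public record internal users
#    rely on (www, ftp, ...) has to be recreated here too, or it stops resolving inside.
dnscmd localhost /ZoneAdd domain1.com /DsPrimary
dnscmd localhost /RecordAdd domain1.com mail A $InternalIP
dnscmd localhost /RecordAdd domain1.com autodiscover A $InternalIP

# 2. One certificate request carrying every name clients will ever be sent to.
#    This is Simon's six-name list; no internal (.local) names are included, so the
#    request stays valid under the CA/Browser Forum rule he refers to.
$SanNames = @(
    "mail.domain1.com", "mail.domain2.com", "mail.domain3.com",
    "autodiscover.domain1.com", "autodiscover.domain2.com", "autodiscover.domain3.com"
)
$Csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=$MailHost" `   # assumed subject details
    -DomainName $SanNames `
    -PrivateKeyExportable $true                          # needed to copy the cert to EX2
Set-Content -Path "C:\certreq\ex1.req" -Value $Csr        # assumed path; submit to the CA

# After the CA returns ex1.cer, import it and bind it to IIS and SMTP:
# Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path "C:\certreq\ex1.cer" -Encoding Byte -ReadCount 0)) |
#     Enable-ExchangeCertificate -Services IIS,SMTP

# 3. Every client-facing virtual directory advertises the public name, inside and out.
$Base = "https://$MailHost"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"

# 4. The Autodiscover SCP that domain-joined Outlook clients read from AD.
#    Because Autodiscover is site-scoped, EX2 gets its own SCP pointing at domain2.
Set-ClientAccessServer -Identity $Server `
    -AutodiscoverServiceInternalUri "https://$AutoDHost/Autodiscover/Autodiscover.xml"

# 5. Recycle IIS so the new URLs and binding take effect immediately.
iisreset /noforce
```

Run steps 1 and 2 first, wait for the issued certificate, then steps 3 to 5; changing the URLs before the certificate is bound produces name-mismatch prompts in Outlook for the interval in between.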

Author Comment

by:giorgio71
ID: 38764949
Thanks Simon,

Can I get away with not having split-DNS?

Do I really need to have mail.domain3.com? domain3.com is only an incoming email domain and the MX record for domain3.com is mail.domain1.com.

I bought a GoDaddy certificate with my internal name and they provided me with one recently. Is this expected to change soon?

Is there an article or PDF regarding the setup of this scenario?

I don't want to have more servers since the number of mailboxes is around 300.

Thanks for the assistance.

Expert Comment

by:Simon Butler (Sembee)
ID: 38765054
Split DNS cannot be avoided because you cannot use the internal names any longer. While you can get certificates with internal names at the moment, that will stop from October 2015 (IIRC). Therefore you need to move to the split DNS system at some point; you may as well move to it now. It takes all of 10 minutes to set up.

You only need autodiscover if you have mailboxes with that domain as their PRIMARY email address. If it is just an alias for other users then you don't need them.

The section on SSL certificates on my web site goes through the setup with this model.
http://exchange.sembee.info/2010/install/ssl.asp

Simon.
Author Comment

by:giorgio71
ID: 38769593
Thanks Simon for the valuable info.

Just one last confirmation, if I may:

So if I use split-DNS:

Note: mail.domain3.com doesn't exist; the MX points to mail.domain1.com.

In site 1:

Certificate name: mail.domain1.com
SAN:
autodiscover.domain1.com
autodiscover.domain2.com
autodiscover.domain3.com

In site 2:

Certificate name: mail.domain2.com
SAN:


If not using split-DNS:

I would add ex1.abc.local and autodiscover.abc.local to site 1's certificate, and ex2.abc.local to site 2's certificate.

Is that correct?

Thanking you in advance,

George

Accepted Solution

by:Simon Butler (Sembee) (earned 500 total points)
ID: 38769890
You could deploy a single-name SSL certificate in the second location if you wish. However, you would need to change the server configuration to accommodate that. Nothing too difficult, but it would need to be done to ensure that clients in that AD site can use Autodiscover etc.

http://exchange.sembee.info/2010/install/clientaccesshostnames.asp

While you can add internal names to the SSL certificates at the moment, from November 2015 (and for any certificates that expire after that date) you cannot. Therefore at some point you will have to implement split DNS; you may as well do so now.

Simon.
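A way to confirm the per-site layout George asks about and the point the accepted answer makes about internal names, as an added Exchange Management Shell check that is not part of the thread: for each CAS it collects every host name Exchange advertises to clients (the virtual directory URLs and the Autodiscover SCP) and reports whether the certificate bound to IIS covers it, whether the certificate still carries a .local name, and when it expires. Server names EX1 and EX2 are the thread's; the warning thresholds are assumptions.

```powershell
# Added example: audit certificate coverage on each Exchange 2010 CAS.
# Run in the Exchange Management Shell (PowerShell 2.0 syntax, hence New-Object PSObject).

function Get-AdvertisedHostNames {
    # Every host name a client can be handed by this CAS, lower-cased and de-duplicated.
    param([string]$Server)
    $urls = @()
    $urls += Get-OwaVirtualDirectory         -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-EcpVirtualDirectory         -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-OabVirtualDirectory         -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-ActiveSyncVirtualDirectory  -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += (Get-ClientAccessServer -Identity $Server).AutodiscoverServiceInternalUri
    $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique
}

function Test-NameCovered {
    # True when $Name is listed on the certificate directly or matched by a wildcard entry.
    param([string]$Name, [string[]]$CertNames)
    if ($CertNames -contains $Name) { return $true }
    foreach ($c in $CertNames) {
        if ($c.StartsWith("*.") -and ($Name -like $c)) { return $true }
    }
    return $false
}

function Test-CasCertificate {
    param([string]$Server, [int]$ExpiryWarnDays = 30)   # 30 days is an assumed threshold
    $cert = Get-ExchangeCertificate -Server $Server |
            Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "${Server}: no certificate is enabled for IIS"
        return
    }
    $certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

    # Internal-only names are what the thread says CAs will stop issuing; flag them now.
    $certNames | Where-Object { $_ -like "*.local" } | ForEach-Object {
        Write-Warning "${Server}: certificate still carries internal name $_"
    }
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $ExpiryWarnDays) {
        Write-Warning "${Server}: certificate expires in $daysLeft days ($($cert.NotAfter))"
    }

    # One row per advertised name; 'Covered' = $false is the Outlook name-mismatch case.
    foreach ($name in Get-AdvertisedHostNames -Server $Server) {
        New-Object PSObject -Property @{
            Server     = $Server
            HostName   = $name
            Covered    = Test-NameCovered -Name $name -CertNames $certNames
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Audit both sites, then exercise Autodiscover end to end for one mailbox per site.
"EX1", "EX2" | ForEach-Object { Test-CasCertificate -Server $_ } |
    Format-Table Server, HostName, Covered, Thumbprint -AutoSize

# Constructed test mailboxes; replace with real ones. A failure here with all names
# covered usually points at DNS (the split zone missing a record) rather than the certificate.
Test-OutlookWebServices -Identity "user1@domain1.com" | Format-Table Id, Type, Message -AutoSize
Test-OutlookWebServices -Identity "user2@domain2.com" | Format-Table Id, Type, Message -AutoSize
```

With the two-certificate layout George proposes, the expected result is that EX1 reports only domain1/domain2/domain3 autodiscover names plus mail.domain1.com, EX2 reports only mail.domain2.com, and every row shows Covered = True; any ex1.abc.local or autodiscover.abc.local row indicates a virtual directory or SCP that was not moved to the public name.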