Solved

Exchange 2010 multi site certificates

Posted on 2013-01-10
558 Views
Last Modified: 2013-01-12
Hi All,

I have two sites in one AD domain. Each site has its own Exchange server 2010 hosting mailbox, HT, and internet facing CAS roles. We have multiple e-mail domains being accepted in this exchange environment.

@domain1.com
@domain2.com
@domain3.com

Our local DNS infrastructure is private and is abc.local

In site 1 (primary site) the exchange server is called ex1.abc.local and in site 2, the exchange server is ex2.abc.local.

mail.domain1.com points to ex1.abc.local and mail.domain2.com points to ex2.abc.local

MX records for the above domains:

domain1.com -> mail.domain1.com
domain2.com -> mail.domain2.com
domain3.com -> mail.domain1.com

Note: I need autodiscover to work properly for all domains.

Questions:

1- For each exchange server what are the specifics for each SAN certificate?
2- When SAN certificates are configured properly, will domain2 users going to https://mail.domain1.com/owa be redirected automatically to mail.domain2.com (if their mailbox resides there)?
3- Can I get away with GoDaddy's SAN certificates instead of having to pay a hefty fee from other providers?

Thanking you all in advance,

George
0
Question by:giorgio71
5 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38763944
Moving backwards... GoDaddy certificates - yes they are fine. I have deployed 100s of them.
If you get the external URLs configured correctly, if a user hits the "wrong" server they will be redirected to the correct server with their mailbox on it. You will need a unique host name for each server, configured as the external URL.

A single certificate is going to be your best option here, as GoDaddy will not allow the autodiscover record to apply on multiple certificates.

With the forthcoming changes to the SSL certificate issuing guidelines you will need to use an external host name internally via split DNS. As this is only three host names I would do the following:

mail.domain1.com
mail.domain2.com
mail.domain3.com
autodiscover.domain1.com
autodiscover.domain2.com
autodiscover.domain3.com

Set up split DNS so that mail and autodiscover for each domain resolve internally as well, and adjust Exchange on each server to use those host names internally and externally. Don't forget web services and the AutodiscoverServiceInternalURI on set-clientaccessserver.

Make sure you have your AD sites set up correctly so that Autodiscover doesn't cross sites, and have an RPC CAS Array per AD site as well.

Simon.
0
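The design Simon describes (split DNS, one host name per CAS used internally and externally, the Autodiscover SCP, and a single SAN certificate shared by both servers) expressed as Exchange 2010 Management Shell commands. This is an added example, not code from the thread or from Simon's site. Assumed values: server names EX1 and EX2, internal addresses 10.0.1.10 and 10.0.2.10, the C:\certs paths, and the O/C fields of the certificate subject; the host names are the thread's own and follow Simon's six-name list. The dnscmd section runs once on an AD-integrated DNS server; the Exchange sections run in the shell on the server they configure.

```powershell
# --- 1. Split DNS: internal copies of the public zones holding only the records
#        clients need. Any other public record (www, etc.) must be re-created here
#        too, because internal resolvers now answer authoritatively for these zones.
$zones = @{
    'domain1.com' = @{ mail = '10.0.1.10'; autodiscover = '10.0.1.10' }   # site 1 (EX1), assumed IP
    'domain2.com' = @{ mail = '10.0.2.10'; autodiscover = '10.0.2.10' }   # site 2 (EX2), assumed IP
    'domain3.com' = @{ mail = '10.0.1.10'; autodiscover = '10.0.1.10' }   # served by EX1, per the MX record
}
foreach ($zone in $zones.Keys) {
    dnscmd /ZoneAdd $zone /DsPrimary                  # AD-integrated, replicates to both sites
    foreach ($rec in $zones[$zone].Keys) {
        dnscmd /RecordAdd $zone $rec A $zones[$zone][$rec]
    }
}

# --- 2. One host name per CAS, used both internally and externally
function Set-CasHostNames {
    param(
        [Parameter(Mandatory=$true)][string]$Server,        # e.g. EX1 (assumed name)
        [Parameter(Mandatory=$true)][string]$HostName,      # e.g. mail.domain1.com
        [Parameter(Mandatory=$true)][string]$Autodiscover   # e.g. autodiscover.domain1.com
    )
    $base = "https://$HostName"
    Get-OwaVirtualDirectory -Server $Server |
        Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
    Get-EcpVirtualDirectory -Server $Server |
        Set-EcpVirtualDirectory -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
    Get-ActiveSyncVirtualDirectory -Server $Server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" `
                                       -ExternalUrl "$base/Microsoft-Server-ActiveSync"
    # Web services (EWS) is the one people forget; Out of Office and free/busy depend on it
    Get-WebServicesVirtualDirectory -Server $Server |
        Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" `
                                        -ExternalUrl "$base/EWS/Exchange.asmx"
    Get-OabVirtualDirectory -Server $Server |
        Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
    # Outlook Anywhere only has an external name in 2010; the pipe is a no-op if it is not enabled
    Get-OutlookAnywhere -Server $Server |
        Set-OutlookAnywhere -ExternalHostname $HostName
    # The SCP that domain-joined Outlook clients in this AD site use for Autodiscover
    Set-ClientAccessServer -Identity $Server `
        -AutoDiscoverServiceInternalUri "https://$Autodiscover/Autodiscover/Autodiscover.xml"
}
Set-CasHostNames -Server 'EX1' -HostName 'mail.domain1.com' -Autodiscover 'autodiscover.domain1.com'
Set-CasHostNames -Server 'EX2' -HostName 'mail.domain2.com' -Autodiscover 'autodiscover.domain2.com'

# --- 3. One SAN certificate request carrying all six names, generated on EX1
$names = 'mail.domain1.com', 'mail.domain2.com', 'mail.domain3.com',
         'autodiscover.domain1.com', 'autodiscover.domain2.com', 'autodiscover.domain3.com'
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
         -SubjectName 'CN=mail.domain1.com, O=Example Org, C=GB' -DomainName $names `
         -FriendlyName 'Exchange 2010 SAN'
Set-Content -Path 'C:\certs\ex1.req' -Value $csr       # submit this file to the CA

# --- 4. After the CA returns ex1.cer: import, bind to IIS and SMTP, then export a PFX
#        so EX2 presents the identical certificate (single certificate, as advised)
$cert = Import-ExchangeCertificate -PrivateKeyExportable $true `
          -FileData ([Byte[]](Get-Content -Path 'C:\certs\ex1.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pfxPassword
Set-Content -Path 'C:\certs\ex1.pfx' -Value $pfx.FileData -Encoding Byte
# On EX2, in its own shell:
#   $bytes = [Byte[]](Get-Content -Path 'C:\certs\ex1.pfx' -Encoding Byte -ReadCount 0)
#   $c = Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword
#   Enable-ExchangeCertificate -Thumbprint $c.Thumbprint -Services 'IIS,SMTP'
```

Two points worth noting. The split-DNS zone replaces the public zone for internal clients entirely, so anything else published under domain1.com (a web site, SPF or other records internal systems look up) has to be added to the internal copy as well. And the certificate's private key is exported once and moved to EX2 rather than generating a second request, so both sites present the same thumbprint and the PFX file should be deleted once the import on EX2 succeeds.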
 

Author Comment

by:giorgio71
ID: 38764949
Thanks Simon,

Can I get away with not having split-DNS?

Do I really need to have mail.domain3.com? domain3.com is only an incoming email domain and the MX record for domain3.com is mail.domain1.com.

I bought a GoDaddy certificate with my internal name and they provided me with one recently. Is this expected to change soon?

Is there an article or pdf regarding the setup of this scenario?

I don't want to have more servers since the number of mailboxes is around 300.

Thanks for the assistance.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38765054
Split DNS cannot be avoided because you cannot use the internal names any longer. While you can get certificates with internal names at the moment, that will stop from October 2015 (IIRC). Therefore you need to move to the split DNS system at some point, you may as well move to it now. It takes all of 10 minutes to setup.

You only need autodiscover if you have mailboxes with that domain as their PRIMARY email address. If it is just an alias for other users then you don't need them.

The section on SSL certificates on my web site goes through the setup with this model.
http://exchange.sembee.info/2010/install/ssl.asp

Simon.
0
 

Author Comment

by:giorgio71
ID: 38769593
Thanks Simon for the valuable info.

Just one last confirmation, if I may:

So if I use split-DNS:

Note: mail.domain3.com doesn't exist - mx points to mail.domain1.com

In site 1:

Certificate name: mail.domain1.com
SAN:
autodiscover.domain1.com
autodiscover.domain2.com
autodiscover.domain3.com

In site 2:

Certificate name: mail.domain2.com
SAN:


If not using split-DNS

I would add ex1.abc.local, autodiscover.abc.local to Site 1's certificate, and ex2.abc.local to site 2's certificate.

Is that correct?

Thanking you in advance,

George
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) (earned 500 total points)
ID: 38769890
You could deploy a single name SSL certificate in the second location if you wish. However, you would need to change the server configuration to accommodate that. Nothing too difficult, but it would need to be done to ensure that clients in that AD site can use Autodiscover etc.

http://exchange.sembee.info/2010/install/clientaccesshostnames.asp

While you can add internal names to the SSL certificates at the moment, from November 2015 (and for any certificates that expire after that date) you cannot. Therefore at some point you will have to implement split DNS - you may as well do so now.

Simon.
0
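Whichever variant George chooses (one SAN certificate everywhere, or a single-name certificate in site 2 with the configuration adjusted), the same check decides whether it is right: every host name Exchange hands to clients over HTTPS must appear on the certificate bound to IIS on that server, and every domain that is somebody's primary SMTP address needs a covered autodiscover name (Simon's earlier point that alias-only domains do not). The script below is an added example, not from the thread or Simon's site; it runs in the Exchange Management Shell, takes the server name as a parameter, and only reads configuration. Internal .local names that are still configured show up in its output as uncovered, which is exactly what has to be gone before the November 2015 deadline Simon mentions.

```powershell
function Test-CertificateCoversName {
    # Exact match, or a wildcard entry that covers exactly one label to the left
    param([string]$Name, [string[]]$CertNames)
    if ($CertNames -contains $Name) { return $true }
    $parent = $Name -replace '^[^.]+\.', ''
    return ($CertNames -contains "*.$parent")
}

function Test-CasCertificateNames {
    param([Parameter(Mandatory=$true)][string]$Server)   # e.g. EX1 (assumed name)

    # Every URL the CAS publishes, internal and external, plus the Autodiscover SCP
    $urls = @()
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
             @(Get-EcpVirtualDirectory -Server $Server) +
             @(Get-ActiveSyncVirtualDirectory -Server $Server) +
             @(Get-WebServicesVirtualDirectory -Server $Server) +
             @(Get-OabVirtualDirectory -Server $Server)
    foreach ($vdir in $vdirs) { $urls += $vdir.InternalUrl, $vdir.ExternalUrl }
    $urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    $hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })

    # Outlook Anywhere publishes a bare host name rather than a URL
    $oa = Get-OutlookAnywhere -Server $Server
    if ($oa -and $oa.ExternalHostname) { $hosts += $oa.ExternalHostname.ToString().ToLower() }

    # Domains that must have a working autodiscover name: those used as a primary SMTP address
    $primaryDomains = Get-Mailbox -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.Domain.ToLower() } | Sort-Object -Unique
    $hosts += @($primaryDomains | ForEach-Object { "autodiscover.$_" })
    $hosts = $hosts | Sort-Object -Unique

    # Names on the certificate currently enabled for IIS on this server
    $cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw "No certificate is enabled for IIS on $Server" }
    $certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    foreach ($h in $hosts) {
        New-Object PSObject -Property @{
            Server     = $Server
            HostName   = $h
            Covered    = Test-CertificateCoversName -Name $h -CertNames $certNames
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Usage: list every name a client may be sent to that the bound certificate does not cover
'EX1', 'EX2' | ForEach-Object { Test-CasCertificateNames -Server $_ } |
    Where-Object { -not $_.Covered } | Format-Table Server, HostName, Thumbprint -AutoSize
```

An empty result means the certificate names and the URL configuration agree on that server. With Simon's single-certificate layout both servers should come back empty; with a single-name certificate in site 2, the autodiscover names will be listed for EX2, which is the configuration change his clientaccesshostnames article is about. The check only covers what Exchange itself publishes, so the RPC CAS Array name (not HTTPS) and any external reverse proxy names are out of its scope.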