Exchange 2010 UCC Cert - Split DNS - Switch Internal to FQDN

Greetings. I now understand that new Exchange Certs (3rd party) will not include internal network names (only public FQDN names).

This is our current configuration (from Exchange Admin MMC):

Outlook Web App is correct (Internal and External)
Exchange ActiveSync is partially correct (Internal is .Local Name, External is Correct)
Offline Address Book is partially correct (Internal is .Local Name, External is Correct)
Exchange Control Panel is correct (Internal and External)

Receive Connector (Client) is incorrect (Uses .Local Name)
--------------------------------------

Our correct external URL is:  mail.our_company.org

I'm pretty sure I understand how to change all these, but the "Split DNS" confuses me a bit.  We already have "Internal_Doman.LOCAL" as a forward lookup zone in DNS.  However, it is AD Integrated.  From what I've read, I need to create a new forward zone that is *not* AD Integrated, correct ?  Name it anything I want ?  Domain name will be the internal mail host ? (Server_Name.LOCAL)  And create a single A record with the external mail server name, yes ?

Also, from above it looks like I just need to update EAS, OAB, ECP and the Receive Connector, yes ?  I don't have a "default" receive connector, just the "Client" one.

Thanks all.
-Stephen
lapavoniAsked:
Who is Participating?
 
Gareth GudgerCommented:
You basically create a zone for our_company,org on your internal DNS servers. I normally make these AD integrated. Then create A records for all your external URLs but have them point to the internal IPs of the corresponding servers (instead of their public IPs).

For more info. Scroll down to Step 5: Namespace design and Implementation. It is a 2003 to 2010 migration document but it discusses how to correctly configure split brain DNS for 2010. And has lots of screenshots.

http://supertekboy.com/2014/04/07/migrating-exchange-2003-2010-part-iii/
0
 
lapavoniAuthor Commented:
OK, this is interesting.  Looks like the DNS work has been done already.  The "non-AD-integrated" thing threw me.  My forward lookup zones for our FQDN look fine.  We have two .org domains (both same IP) that have the correct autodiscover and mail entries in them.  Here are screenshots.  I guess the EAS, OAB, ECP and Receive connector just weren't updated.  Would you say this is ready for those changes (along with a new cert), based on these DNS settings ? :

Forward Zones
Zones - AutoDiscover and Mail
0
 
Gareth GudgerCommented:
The DNS looks pretty good to me. Yes, you just need to make your internal URLs match your external URLs.
0
 
lapavoniAuthor Commented:
Thanks for the information and confirming the settings we had in place, diggi.  New cert installed, Remote Connectivity Analyzer passes everything, and no one on the inside complaining yet :-)
0
 
Gareth GudgerCommented:
Awesome!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.