
Solution for Exchange cert in a disparate split brain environment

pchettri asked:
I have a split-brain DNS in a small business environment, e.g. internal DNS SLGCOM.local, external SLGCOMLiive.com. Future certificates are not going to support this, leading to issues in Exchange.

How would I approach this? Do I have to completely change my internal domain and DNS structure or is there a workaround?

Seth Simmons, Sr. Systems Administrator, commented:
You use the same certificate; publish your URLs with the external name.
All clients connect using the external name.

Configure Exchange Services for the Autodiscover Service
https://technet.microsoft.com/en-us/library/bb201695%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396
Will Szymkowski, Senior Solution Architect (Most Valuable Expert 2015, Top Expert 2015), commented:
All you need to do is the following:
- Create a new internal DNS AD-integrated zone for SLGCOMLiive.com.
- Add your Host (A) record for mail.domain.com.
- Configure your internal and external URLs for Exchange to use https://mail.domain.com/..... for all virtual directories.

Then when users connect internally or externally they will be using the same FQDN, and not the server name, for the internal virtual directories.

Will.
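The three steps above (and Will's later restatement of them, zone plus Host A record plus matching Exchange URLs), written out as an added example. This is not code from the thread or from Microsoft; it assumes the zone name slgcomlive.com, the host label mail, a constructed internal CAS address 192.0.2.10, an Exchange 2010 server named EX01, and that the DNS part is run on a DC carrying the DnsServer module while the Exchange part is run in the Exchange Management Shell.

```powershell
# Added example, not from the original thread. Assumed values below; replace
# them with your own. 192.0.2.10 is a documentation address, constructed.
$Zone      = 'slgcomlive.com'   # external (public) namespace
$HostLabel = 'mail'             # the public name on the certificate
$CasIp     = '192.0.2.10'       # internal CAS IP, or the CAS load-balanced VIP
$Server    = 'EX01'             # Exchange 2010 Client Access server name
$Fqdn      = "$HostLabel.$Zone" # mail.slgcomlive.com

# ---- Step 1: internal, AD-integrated copy of the external zone (run on a DC) ----
# ReplicationScope Forest stores the zone in Active Directory and replicates it
# to every DNS server in the forest; use Domain to limit it to this domain's DCs.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Forest
}

# ---- Step 2: Host (A) record for the public name, pointing at the INTERNAL address ----
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostLabel -IPv4Address $CasIp `
    -TimeToLive ([TimeSpan]::FromMinutes(60))

# Check from a domain-joined client: the public name must now resolve to the
# internal CAS address, not to the public IP.
Resolve-DnsName -Name $Fqdn -Type A

# ---- Step 3: Exchange virtual directories, same FQDN inside and outside ----
# First record what is configured today (this answers "what do you have
# currently on your Exchange external URLs?").
Get-OwaVirtualDirectory        -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-EcpVirtualDirectory        -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OabVirtualDirectory        -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl

# Then set InternalUrl and ExternalUrl to the same value so no client ever
# receives the server's .local name, which the new certificate cannot carry.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$Fqdn/owa" -ExternalUrl "https://$Fqdn/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$Fqdn/ecp" -ExternalUrl "https://$Fqdn/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$Fqdn/OAB" -ExternalUrl "https://$Fqdn/OAB"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$Fqdn/EWS/Exchange.asmx" -ExternalUrl "https://$Fqdn/EWS/Exchange.asmx"
# Outlook Anywhere (Exchange 2010 syntax: only an external hostname is set).
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $Fqdn

# Autodiscover SCP: internal Outlook clients read this URI from AD, so it must
# name a host that is on the certificate and resolves internally. Pointing it at
# the mail FQDN (an assumption made here) keeps the certificate to the public names.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$Fqdn/Autodiscover/Autodiscover.xml"

# Final check: the name every URL now uses must appear in the certificate's SANs.
Get-ExchangeCertificate | Where-Object { $_.CertificateDomains -contains $Fqdn } |
    Format-List Thumbprint, Subject, CertificateDomains, Services
```

One caveat worth knowing before running step 1: the new internal zone is authoritative for all of slgcomlive.com, so internal clients stop seeing any public record you do not copy into it (www, MX, autodiscover, the McAfee-published inbound host). Either add those records to the internal zone as well, or create a pinpoint zone named mail.slgcomlive.com containing only an A record at its apex, which leaves the rest of the public zone resolvable from inside.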

pchettri (Author) commented:
Hi Seth...
I do not have an issue with certificates. I am using an old certificate which is valid till 2015. New certificates do not support a split-brain setup. My question is different from certificate application. I know how the autodiscover part of the process works. I am just worried about the issue I might get into when I renew my certificate, which will not support split brain and requires changes in the domain naming structure.
You can find cert-related articles at GoDaddy and DigiCert.
Thanks

pchettri (Author) commented:
As suggested by Will, would creating a DNS zone help in this case? Or would it be better to set up an internal CA to address this question?
Setting up another DNS zone looks like the easier solution, but is it actually the correct fix for the upcoming Exchange certificate issue for a non-registered local domain name?

Will Szymkowski, Senior Solution Architect, commented:
Installing an internal root certificate authority involves a lot of work, and you need someone to manage this service as well. ADCS is not "set it and forget it". Creating an internal zone for your external DNS namespace is in fact the more appropriate method. As stated, you would then use the same internal and external URLs in Exchange.

Will.

pchettri (Author) commented:
For the new zone I would have to add a Host A record as mail.SLGCOMLiive.com, in other words the one that shows on the external URL for the CAS OWA property. Our inbound name on the MX record is different from the OWA URL due to the implementation of mail filtering from McAfee. The MX records show the address offered by McAfee.
Will Szymkowski, Senior Solution Architect, commented:
What do you currently have on your Exchange external URLs?

Will.
Will Szymkowski, Senior Solution Architect, commented:
Right, so create a zone on your internal DNS server for slgcomlive.com and add a Host A record for mail, giving it the IP of your internal CAS, or the CAS load-balanced IP if you are in fact load balancing.

Will.