• Status: Solved

Solution for Exchange cert in a disparate split brain environment

I have a split brain DNS in a small business environment, e.g. internal DNS SLGCOM.local, external SLGCOMLiive.com. Future certificates are not going to support this, leading to issues in Exchange.

How would I approach this? Do I have to completely change my internal domain and DNS structure or is there a workaround?
Asked: pchettri
1 Solution
 
Seth SimmonsSr. Systems AdministratorCommented:
You use the same certificate; publish your URLs with the external name.
All clients connect using the external name.

Configure Exchange Services for the Autodiscover Service
https://technet.microsoft.com/en-us/library/bb201695%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
All you need to do is the following...
- Create a new internal DNS AD-integrated zone for SLGCOMLiive.com
- Add your host A record for mail.domain.com
- Configure your internal and external URLs for Exchange to use https://mail.domain.com/..... for all virtual directories

Then when users connect internally or externally they will be using the same FQDN, and not the server name, for internal virtual directories.

Will.
0
 
pchettriIT DirectorAuthor Commented:
Hi Seth...
I do not have an issue with certificates. I am using an old certificate which is valid till 2015. New certificates do not support a split brain setup. My question is different from certificate application. I know how the autodiscover part of the process works. I am just worried about the issue I might get into when I renew my certificate, which will not support split brain and requires changes in the domain naming structure.
You could find cert related article in godaddy and Digicert.
Thanks
0
 
pchettriIT DirectorAuthor Commented:
0
 
pchettriIT DirectorAuthor Commented:
As suggested by Will, would creating a DNS zone help in this case? Or would it be better to set up an internal CA to address this question?
Setting up another DNS zone looks like the easier solution, but is it actually the correct fix for the upcoming Exchange certificate issue for a non-registered local domain name?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Installing an internal root certificate authority involves a lot of work, and you need someone to manage this service as well. ADCS is not "set it and forget it". Creating an internal zone for your external DNS namespace is in fact the more appropriate method. As stated, you would then use the same internal and external URLs in Exchange.

Will.
0
 
pchettriIT DirectorAuthor Commented:
For the new zone I would have to add a host A record as mail.SLGCOMLiive.com, in other words the one that shows on the external URL for the CAS OWA property. Our inbound name on the MX record is different from the OWA URL due to the implementation of mail filtering from McAfee. The MX record shows the address offered by McAfee.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
What do you have currently on your Exchange external URLs?

Will.
0
 
pchettriIT DirectorAuthor Commented:
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Right, so create a zone on your internal DNS server for slgcomlive.com and add a host A record for mail, giving it the IP of your internal CAS, or the CAS load-balanced IP if you are in fact load balancing.

Will.
0
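Will's fix (the internal zone from his first answer plus the A record from his last one), written out as the commands an admin would run. This is an added example, not code from the thread; it assumes the DnsServer module on a Windows Server 2012+ domain controller, the Exchange 2010/2013 Management Shell, and a constructed CAS address of 10.0.0.10. mail.slgcomlive.com comes from the thread; the autodiscover record is added because the internal zone shadows the public one, so every public name clients need must be recreated in it.

```powershell
# Added example: Will's internal-zone approach as commands. Assumes Windows Server 2012+
# DNS cmdlets, Exchange 2010/2013 Management Shell, and a constructed CAS IP of 10.0.0.10.
$ZoneName = 'slgcomlive.com'
$HostName = 'mail'
$Fqdn     = "$HostName.$ZoneName"
$CasIp    = '10.0.0.10'            # constructed: internal CAS or CAS load-balancer IP

# 1. AD-integrated internal copy of the external zone. Only records added here resolve
#    internally, so recreate every public record clients need (autodiscover, www, ...).
Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostName      -IPv4Address $CasIp
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'autodiscover' -IPv4Address $CasIp

# 2. Point every virtual directory, internal and external, at the same public name so the
#    renewed certificate never has to carry SLGCOM.local.
$base = "https://$Fqdn"
Get-OwaVirtualDirectory         | Set-OwaVirtualDirectory         -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Get-EcpVirtualDirectory         | Set-EcpVirtualDirectory         -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Get-ActiveSyncVirtualDirectory  | Set-ActiveSyncVirtualDirectory  -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Get-OabVirtualDirectory         | Set-OabVirtualDirectory         -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
# The Autodiscover SCP is what domain-joined Outlook queries first; this is where the .local name usually hides.
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
# Outlook Anywhere: Exchange 2010 only has -ExternalHostname; Exchange 2013+ also accepts -InternalHostname.
Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname $Fqdn

# 3. Checks: the name resolves to the internal IP from inside, the IIS-bound certificate
#    lists the public names, and no .local name is left in any URL.
Resolve-DnsName $Fqdn | Select-Object Name, IPAddress
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Select-Object Thumbprint, NotAfter, CertificateDomains
$leftovers = @(Get-OwaVirtualDirectory; Get-EcpVirtualDirectory; Get-WebServicesVirtualDirectory) |
    Where-Object { "$($_.InternalUrl)$($_.ExternalUrl)" -match '\.local' }
if ($leftovers) { $leftovers | Format-Table Identity, InternalUrl, ExternalUrl } else { 'No .local URLs remain' }
```

Run step 3 again after the certificate renewal: a certificate whose CertificateDomains omits any name still present in a URL is what produces the name-mismatch warnings in Outlook.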
Question has a verified solution.