Exchange 2013 Certificate Requirement

Hello All,

We are planning to deploy Exchange 2013 servers. Currently we have 3 domains. Contoso.con, and

We have mailboxes from all 3 of the above email addresses (primary email). Should I add, and  ?

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium, commented:

In case you have three Exchange servers across all three domains, then you can think of having a SAN certificate for all three locations, covering all the services like Outlook Anywhere, OAB, EWS and so forth. However, out of the three domains, in which one is Exchange installed? Are you using split-brain DNS, or are you planning to have internal and external DNS separate?

Please confirm

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium, commented:

ucguy, Author, commented:

I don't have 3 Exchange servers. I have one Exchange server with 3 mail domains.

Manikandan Narayanswamy, Security Specialist & IBM Security Guardium, commented:

In that case you have to use split-brain DNS along with a SAN certificate. And as you mentioned that you have mailboxes from all three domains, you need to add all of the following, and in the SAN certificate for Autodiscover to work properly.

Simon Butler (Sembee), Consultant, commented:
You have two options.

1. Autodiscover for all three domains, plus a single common name for web services.
Probably the easiest to deploy, and as you can get five name certificates for $80, not much cost difference.

2. Either a single name certificate, or a certificate for just one of the domains with, then use SRV records for the other domains.
A little more complex to set up, but if you were to add more domains, very easy to add them to the server. Obviously requires an external DNS provider that supports SRV records.

Internally, you would use split DNS to have the common name resolve internally. No need for the Autodiscover records to resolve internally unless you have clients on your internal network which are NOT members of the domain.

Keep it very simple, there is no need to get complicated with names on the SSL certificates.
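The two options in the answer above, as an added example that is not part of the original thread: a Python helper that lists the names the certificate must carry under each option, checks them against a certificate's SAN list (wildcard entries included, which goes beyond the thread), and produces the SRV records option 2 needs. The domains example.com, example.net and example.org, the common name mail.example.com and all function names are constructed placeholders.

```python
# Added example; every domain and host name below is a constructed placeholder.

def required_names(mail_domains, common_name, srv_domains=()):
    """Host names the certificate must cover.

    Option 1: srv_domains is empty, so every mail domain contributes
    autodiscover.<domain> next to the common web-services name.
    Option 2: domains in srv_domains publish an SRV record that points at
    common_name, so they add no name of their own.
    """
    names = [common_name]
    for domain in mail_domains:
        if domain not in srv_domains:
            names.append("autodiscover." + domain)
    return names


def san_covers(san, host):
    """Exact match, or a wildcard SAN covering exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return san == host


def missing_names(required, cert_sans):
    """Names clients will connect to that no SAN entry covers."""
    return [h for h in required if not any(san_covers(s, h) for s in cert_sans)]


def srv_records(srv_domains, common_name, port=443):
    """Zone-file lines for the Autodiscover SRV records used in option 2."""
    return ["_autodiscover._tcp.%s. IN SRV 0 0 %d %s." % (d, port, common_name)
            for d in srv_domains]


if __name__ == "__main__":
    domains = ["example.com", "example.net", "example.org"]
    cert = ["mail.example.com", "autodiscover.example.com"]  # constructed SAN list
    print(missing_names(required_names(domains, "mail.example.com"), cert))
    srv = ["example.net", "example.org"]
    print(missing_names(required_names(domains, "mail.example.com", srv), cert))
    print("\n".join(srv_records(srv, "mail.example.com")))
```

Any name reported as missing is one that clients would hit with a certificate name mismatch, so it must either be added to the certificate or be moved to an SRV record.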


Manikandan Narayanswamy, Security Specialist & IBM Security Guardium, commented:

The best way to understand the certificate requirements and their planning better is to refer to the links mentioned in my previous post.
