Exchange 2010 Server DNS - SSL help

Hi,

I am currently running 1 x MS Exchange 2010 server on Windows 2008 R2. I went to renew the SSL cert today and got a warning explaining that if I carried on, my SSL would expire in Nov 2015 as it contained a .local address etc. I have re-sent the cert request but excluded the .local reference.

I currently have on my DNS a zone for mail.domain.com that points to the Exchange server, and that does seem to work, but I haven't done anything for autodiscover.domain.com internally. I need it to be as smooth a transition as possible to the new cert as there are quite a few users externally and internally. I have read some reports saying that people have had a popup asking them if it's OK to redirect etc.

Any help would be gratefully received.

Regards
Mike

What type of SSL Cert did you originally purchase?

Does your Active Directory domain have a .local suffix?
ASKER

It was a UCC SSL, exactly the same as the previous one, just renewed. Yes, .local.
Hi,

If your domain is .local then you need to use split-brain DNS, where you create a DNS zone with the external name you're going to use for autodiscover. Please refer to the link below.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html

Thanks
Manikandan
ASKER

Thanks, will have a look shortly. Is this the best way to handle it?
Hi,

Split-brain DNS is normally used when the internal and external namespaces are different, like in your case where the internal one is .local. Also refer to the link below; it is basically for Exchange 2013 with a subject alternative name certificate, but it will help you understand the concept of split-brain DNS and SANs.

http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/managing-certificates-exchange-server-2013-part1.html

Thanks
Manikandan
If all of your clients are on the domain, then you don't need an internal Autodiscover record. The clients do not use it. Instead they query the domain for the information, which returns the value you can see here:

Get-ClientAccessServer | Select Identity, AutoDiscoverServiceInternalUri

Therefore, as long as the host name in that result is valid, resolves to the Exchange server and is in the SSL certificate, internal clients will continue to work correctly.

Simon.
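The check Simon describes (is the host name in every internal URL actually on the certificate bound to IIS?) can be run in one go rather than by eye. The script below is an added example, not from the thread or from Exchange itself; it runs in the Exchange Management Shell on Exchange 2010 and assumes the single Client Access Server is called EXCHANGE01, as in the thread. Everything else it reads from the server, and it also covers the EWS, OAB, OWA, ECP and ActiveSync internal URLs that clients are handed alongside the Autodiscover URI.

```powershell
# Added example (not the thread's or Exchange's own code): audit which
# internal URLs on an Exchange 2010 CAS carry a host name that the
# IIS-bound certificate does not cover. Written for PowerShell 2.0
# (the default on Windows 2008 R2), so no [PSCustomObject] or -in.
# Assumption: the CAS is named EXCHANGE01 (the name used in the thread).

$server = "EXCHANGE01"

# Names the IIS-bound certificate covers: the common name plus every SAN.
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match "IIS" } |
    Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# A host name is covered by an exact entry or by a wildcard entry
# (*.domain.com covers mail.domain.com but not a.b.domain.com).
function Test-NameCovered([string]$hostName) {
    if ($certNames -contains $hostName) { return $true }
    foreach ($n in $certNames) {
        if ($n.StartsWith("*.") -and
            $hostName.EndsWith($n.Substring(1)) -and
            ($hostName.Split(".").Count -eq $n.Split(".").Count)) {
            return $true
        }
    }
    return $false
}

# Every setting on Exchange 2010 that hands an internal URL to clients.
$settings = @()
$settings += New-Object PSObject -Property @{
    Setting = "AutoDiscoverServiceInternalUri"
    Url     = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
}
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server)
foreach ($vd in $vdirs) {
    $settings += New-Object PSObject -Property @{
        Setting = [string]$vd.Identity
        Url     = $vd.InternalUrl
    }
}

# Report: one row per URL, flagging the ones that will trigger SSL prompts.
$report = foreach ($s in $settings) {
    if (-not $s.Url) { continue }          # vdir with no internal URL set
    $hostName = ([System.Uri]$s.Url).Host.ToLower()
    New-Object PSObject -Property @{
        Setting = $s.Setting
        Host    = $hostName
        OnCert  = Test-NameCovered $hostName
    }
}
$report | Format-Table Setting, Host, OnCert -AutoSize
```

Any row with OnCert = False is a URL whose host name is not on the certificate; once the renewed certificate without the .local name is bound, those are the URLs that will produce the certificate warnings described in the thread.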
ASKER

Thanks Simon, the only problem is that the internal name will no longer be in the SSL cert as, apparently, from November they are not issuing them any more.

Any ideas ?
ASKER

When I run the command the result is

Identity      AutoDiscoverServiceInternalUri
--------      ------------------------------
EXCHANGE01    https://exchange01.ssmc.local/Autodiscover/Autodiscover.xml

That cert will not be valid shortly and the new cert will not have the .local in it.
Hi,

Yes your understanding is correct.

Thanks
Manikandan
ASKER

I know, but if I install the new certificate without the .local in it, will the local machines stop working? How do I resolve it?
Hi,

As Simon mentioned, if all the clients are inside the domain then you don't need an internal autodiscover record. Instead it queries the domain. Hence the clients won't be affected.

Thanks
Manikandan
ASKER

Hi, yes I understand that bit, but the new SSL will not contain the .local name, only the external.
Hi,

The local name is used by the internal clients anyway; as long as they can query Active Directory and the global catalog they don't need the .local.

Thanks
Manikandan
ASKER

Ahh OK, so internal clients will be trusted and don't need to be listed in the SSL cert?
Hi,

Yes indeed.

Thanks
Manikandan
I don't understand the answers that are being provided above.
As the internal name is not on the SSL certificate, you need to change it. The fact that it is an internal name has nothing to do with trust or anything.

Therefore you need to set up a split DNS system, then change all of the internal URLs to use the external host name. I have outlined the steps here: http://semb.ee/hostnames2010

Changing the host names is not an optional change - if you don't change them then you will get SSL prompts and core functionality of the server will stop working.

Simon.
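The two steps Simon lists (a split DNS zone for the external name, then every internal URL moved to that name) and the final step the asker mentions later (moving the services onto the new certificate) fit in one Exchange Management Shell script. The block below is an added example and is not Simon's article, nor Exchange's own scripts. It takes EXCHANGE01 and mail.domain.com from the thread; the internal IP address 192.0.2.10 and the certificate thumbprint are constructed placeholders to replace. It uses dnscmd for the zone because the DnsServer PowerShell module does not exist on Windows 2008 R2.

```powershell
# Added example (not from the thread, not Exchange's or Simon's code).
# Run in the Exchange Management Shell on the Exchange 2010 server, as an
# admin who can also manage DNS. Assumptions: CAS name EXCHANGE01 and the
# external name mail.domain.com come from the thread; the internal IP and
# the thumbprint below are placeholders you must replace.

$server     = "EXCHANGE01"
$extName    = "mail.domain.com"
$internalIp = "192.0.2.10"                 # constructed placeholder
$thumb      = "<THUMBPRINT-OF-NEW-CERT>"   # from Get-ExchangeCertificate

# 1. Split DNS. The zone is named exactly mail.domain.com and holds a single
#    A record, so every other domain.com name still resolves to its public
#    address; a zone for the whole of domain.com would swallow those records.
#    (dnscmd, because the DnsServer module is not available on 2008 R2.)
dnscmd /ZoneAdd $extName /DsPrimary
dnscmd /RecordAdd $extName "@" A $internalIp

# 2. Point every internal URL at the external host name. Default paths for
#    each Exchange 2010 virtual directory are used; OWA is filtered so the
#    legacy /Exchange and /Public vdirs are not given the /owa path.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$extName/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory -Server $server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$extName/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $server |
    Set-OabVirtualDirectory -InternalUrl "https://$extName/OAB"
Get-OwaVirtualDirectory -Server $server | Where-Object { $_.Name -like "owa*" } |
    Set-OwaVirtualDirectory -InternalUrl "https://$extName/owa"
Get-EcpVirtualDirectory -Server $server |
    Set-EcpVirtualDirectory -InternalUrl "https://$extName/ecp"
Get-ActiveSyncVirtualDirectory -Server $server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "https://$extName/Microsoft-Server-ActiveSync"

# 3. Bind the renewed certificate (the one without the .local name) to the
#    web services and SMTP. You are prompted before the SMTP default changes.
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS,SMTP

# 4. Verify: the external name must resolve to the internal address from
#    inside, and the bound certificate must list that name.
[System.Net.Dns]::GetHostAddresses($extName) | ForEach-Object { $_.IPAddressToString }
(Get-ExchangeCertificate -Thumbprint $thumb).CertificateDomains
Get-ClientAccessServer -Identity $server | Select Identity, AutoDiscoverServiceInternalUri
```

Outlook caches Autodiscover results, so clients pick up the new URLs on their next Autodiscover refresh or restart rather than immediately. Note also that the server name shown in an Outlook 2010 profile's account settings is the MAPI/RPC endpoint, which internal Outlook reaches over RPC rather than HTTPS; it is not one of the names checked against the certificate, so the URLs above are the ones that matter for the warnings.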
Hi Simon,

So you mean to say that if the internal name is different and is not in the SSL certificate then we need to use split DNS and change all the internal URLs to the external host, so the internal clients will access Exchange via the external URL.

Thanks for clearing my concern.

Thanks
Manikandan
ASKER

Thanks Simon, I will try this later this evening when users have gone home. The cert is authenticated and installed so I will just have to move the services onto the new cert first.
"So you mean to say if the internal name is different and is not in the SSL certificate then we need to use the split DNS and change all the internal URL to external host. So the internal clients will access the exchange via the external URL.  "

Yes.
If you don't do that then the clients will fail to connect because the certificate will fail trust checks.

Simon.
ASKER

Hi,

I'm still getting errors on some internal machines about the cert not containing the .local bit.

I changed all the relevant internal URLs to the external one.

Thanks
ASKER

I've checked the client account settings and it is still showing the Exchange server address as the .local one.
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)