Exchange 2010 Server DNS - SSL help

Hi,

I am currently running 1 x MS Exchange 2010 server on Windows 2008 R2. I have gone to renew the SSL cert today and got a warning explaining that if I carried on, my SSL would expire in Nov 2015 as it contained a .local address etc. I have resent the cert but excluded the .local reference.

I currently have on my DNS a zone for mail.domain.com that points to the Exchange server, and that does seem to work, but I haven't done anything for autodiscover.domain.com on the internal side. I need it to be as smooth a transition as possible to the new cert as there are quite a few users externally and internally. I have read some reports saying that people have had a popup asking them if it's ok to redirect etc.

Any help would be gratefully received.

Regards
ComexIT Asked:
Mike (IT Manager) Commented:
What type of SSL Cert did you originally purchase?

Does your Active Directory domain have a .local suffix?
0
ComexIT (Author) Commented:
It was a UCC SSL, exactly the same as the previous one, just renewed. Yes, .local.
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

If your domain is .local then you need to use a split-brain DNS, where you create a DNS zone with the external name you're going to use for autodiscover. Please refer to the link below.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html

Thanks
Manikandan
0
ComexIT (Author) Commented:
Thanks, will have a look shortly. Is this the best way to handle it?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Split-brain DNS is normally used when the internal and external namespaces are different, as in your case where the internal namespace is .local. Also refer to the link below; it is basically for Exchange 2013 with a subject alternative name certificate, but it will help you understand the concept of split-brain DNS and SANs.

http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/managing-certificates-exchange-server-2013-part1.html

Thanks
Manikandan
0
Simon Butler (Sembee), Consultant, Commented:
If all of your clients are on the domain, then you don't need an internal Autodiscover record. The clients do not use them. Instead they query the domain for the information, which returns the value you can see here:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Therefore, as long as the host name in that result is valid, resolves to the Exchange server and is in the SSL certificate, internal clients will continue to work correctly.

Simon.
0
ComexIT (Author) Commented:
Thanks Simon, the only problem is that the internal name will no longer be in the SSL cert, as apparently from November they are not issuing them any more.

Any ideas ?
0
ComexIT (Author) Commented:
When I run the command the result is:

Identity                                                    AutoDiscoverServiceInternalUri
--------                                                    ------------------------------
EXCHANGE01                                                  https://exchange01.ssmc.local/Autodiscover/Autodiscover.xml

That cert will not be valid shortly, and the new cert will not have the .local in it.
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Yes your understanding is correct.

Thanks
Manikandan
0
ComexIT (Author) Commented:
I know, but if I install the new certificate without the .local in it, will the local machines stop working? How do I resolve it?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

As Simon mentioned, if all the clients are inside the domain then you don't need an internal autodiscover record; instead they query the domain. Hence the clients won't be affected.

Thanks
Manikandan
0
ComexIT (Author) Commented:
Hi, yes, I understand that bit, but the new SSL will not contain the .local name, only the external.
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

The local name is used by the internal clients anyway; as long as they can query Active Directory and the global catalog, they don't need the .local.

Thanks
Manikandan
0
ComexIT (Author) Commented:
Ahh ok, so internal clients will be trusted and don't need to be listed in the SSL cert?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi,

Yes indeed.

Thanks
Manikandan
0
Simon Butler (Sembee), Consultant, Commented:
I don't understand the answers that are being provided above.
As the internal name is not on the SSL certificate, you need to change it. The fact that it is an internal name has nothing to do with trust or anything.

Therefore you need to set up a split DNS system, then change all of the internal URLs to use the external host name. I have outlined the steps here: http://semb.ee/hostnames2010

Changing the host names is not an optional change - if you don't change them then you will get SSL prompts and core functionality of the server will stop working.

Simon.
0
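The split DNS part of Simon's advice, as an added example that is not from the thread or from the linked article: on a Windows Server 2008 R2 DNS server, create one small "pinpoint" zone per public host name so that only those names resolve internally while everything else in the public domain keeps resolving through public DNS. The domain name domain.com, the host names mail and autodiscover, and the IP address 10.0.0.10 are placeholders to be replaced with your own values.

```powershell
# Added example (not from the thread): split-brain DNS for the external
# namespace on a Windows Server 2008 R2 DNS server, using dnscmd.exe.
# Placeholders: domain.com, the host names, and the Exchange server IP.

$ExternalDomain = 'domain.com'        # placeholder external namespace
$ExchangeIp     = '10.0.0.10'         # placeholder internal IP of the Exchange CAS
$HostNames      = @('mail', 'autodiscover')

# One pinpoint zone per public host name. Because the zone IS the host name,
# the internal DNS answers only for mail.domain.com and autodiscover.domain.com;
# www, MX and every other public record still resolve via the public zone.
foreach ($h in $HostNames) {
    $zone = "$h.$ExternalDomain"

    # AD-integrated primary zone, so it replicates to every DC/DNS server
    dnscmd /ZoneAdd $zone /DsPrimary

    # The A record sits at the zone apex ('@'), pointing at the internal CAS IP
    dnscmd /RecordAdd $zone '@' A $ExchangeIp
}

# Verification from a domain-joined client: each name must now return the
# internal IP, not the public one. Resolve-DnsName does not exist on
# Windows 7 / 2008 R2, so nslookup is used.
foreach ($h in $HostNames) {
    nslookup "$h.$ExternalDomain"
}
```

Once both names resolve internally to the CAS, the internal URLs can be switched to the external host name without the client ever leaving the LAN.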
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) Commented:
Hi Simon,

So you mean to say that if the internal name is different and is not in the SSL certificate, then we need to use split DNS and change all the internal URLs to the external host, so the internal clients will access Exchange via the external URL.

Thanks for clearing my concern.

Thanks
Manikandan
0
ComexIT (Author) Commented:
Thanks Simon, I will try this later this evening when users have gone home. The cert is authenticated and installed, so I will just have to move the services onto the new cert first.
0
Simon Butler (Sembee), Consultant, Commented:
"So you mean to say if the internal name is different and is not in the SSL certificate then we need to use the split DNS and change all the internal URL to external host. So the internal clients will access the exchange via the external URL.  "

Yes.
If you don't do that then the clients will fail to connect because the certificate will fail trust checks.

Simon.
0
ComexIT (Author) Commented:
Hi,

I'm still getting errors on some internal machines about the cert not containing the .local bit.

I changed all the relevant internal ones to the external.

Thanks
0
ComexIT (Author) Commented:
I've checked the client account settings and it is still showing the Exchange server address as the .local one.
0
Simon Butler (Sembee), Consultant, Commented:
The Exchange server address will always be the internal real name of the server - that is fine. You cannot change that and it is not the cause of your prompts.

You need to check that all of the URLs are configured correctly, which includes the ones that you cannot see in the console.
I would also do an Autodiscover test in the Outlook client and verify that the information being returned to the client is correct.

Simon.
0
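An added example of the check Simon describes (not code from the thread or from his article): run in the Exchange Management Shell on the 2010 CAS, it gathers every client-facing URL, including the ones the console never shows (the Autodiscover internal URI from Get-ClientAccessServer, EWS and the PowerShell virtual directory), and compares each host name against the names on the certificate bound to IIS. Any row reported as not covered is a candidate source of the certificate prompt. The server name EXCHANGE01 and the URL in the closing comment are placeholders.

```powershell
# Added example (not from the thread): audit all Exchange 2010 CAS URLs against
# the IIS-bound certificate. Run in the Exchange Management Shell.
$Server = 'EXCHANGE01'   # placeholder: the Client Access Server to audit

# Host names the IIS-bound certificate covers (subject CN plus SAN entries)
$certNames = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-Covered([string]$hostName) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        # A wildcard entry (*.domain.com) matches exactly one label to its left
        if ($n.StartsWith('*.') -and
            $hostName -match ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) {
            return $true
        }
    }
    return $false
}

$findings = New-Object System.Collections.ArrayList
function Add-Url([string]$setting, $url) {
    if (-not $url) { return }                       # an unset URL cannot prompt
    $h = ([uri]"$url").Host.ToLower()
    [void]$findings.Add((New-Object PSObject -Property @{
        Setting = $setting; Host = $h; Covered = (Test-Covered $h) }))
}

# --- Settings the EMC does not display ---
$cas = Get-ClientAccessServer -Identity $Server
Add-Url 'AutoDiscoverServiceInternalUri' $cas.AutoDiscoverServiceInternalUri
foreach ($vd in Get-WebServicesVirtualDirectory -Server $Server) {
    Add-Url 'EWS InternalUrl' $vd.InternalUrl
    Add-Url 'EWS ExternalUrl' $vd.ExternalUrl
}
foreach ($vd in Get-PowerShellVirtualDirectory -Server $Server) {
    Add-Url 'PowerShell InternalUrl' $vd.InternalUrl
    Add-Url 'PowerShell ExternalUrl' $vd.ExternalUrl
}

# --- Settings visible in the console ---
foreach ($vd in Get-OabVirtualDirectory -Server $Server) {
    Add-Url 'OAB InternalUrl' $vd.InternalUrl;  Add-Url 'OAB ExternalUrl' $vd.ExternalUrl }
foreach ($vd in Get-OwaVirtualDirectory -Server $Server) {
    Add-Url 'OWA InternalUrl' $vd.InternalUrl;  Add-Url 'OWA ExternalUrl' $vd.ExternalUrl }
foreach ($vd in Get-EcpVirtualDirectory -Server $Server) {
    Add-Url 'ECP InternalUrl' $vd.InternalUrl;  Add-Url 'ECP ExternalUrl' $vd.ExternalUrl }
foreach ($vd in Get-ActiveSyncVirtualDirectory -Server $Server) {
    Add-Url 'EAS InternalUrl' $vd.InternalUrl;  Add-Url 'EAS ExternalUrl' $vd.ExternalUrl }
# Outlook Anywhere in 2010 stores a bare host name, not a URL
foreach ($oa in Get-OutlookAnywhere -Server $Server) {
    if ($oa.ExternalHostname) { Add-Url 'OutlookAnywhere ExternalHostname' "https://$($oa.ExternalHostname)/" }
}

# Rows with Covered = False are the ones that can still trigger the prompt
$findings | Sort-Object Covered, Setting | Format-Table Setting, Host, Covered -AutoSize

# Example correction for the setting the EMC never shows (placeholder URL):
#   Set-ClientAccessServer -Identity $Server `
#       -AutoDiscoverServiceInternalUri 'https://mail.domain.com/Autodiscover/Autodiscover.xml'
```

Run it again after each change; when every row reads Covered = True, a fresh Autodiscover test from Outlook (Ctrl + right-click the tray icon, Test E-mail AutoConfiguration) should return only host names that are on the new certificate.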