Migrating from a .local Active Directory domain

We need to know the easiest way to get our internal name space changed to be compliant. We have about 450 users and we have an in-house single Exchange 2010 mail server. The Mail server is using a standard UCC certificate that has the .local for a SAN; the certificate provider will not renew the certificate with the .local in the cert and that's the main reason for the migration. We thought about doing an AD name change, but heard that it was not "best practice" when there is an Exchange server in the mix.
Where do I begin? I have 2 extra servers that I can use, if needed.

Our servers are Server 2008 R2.
Eric Hummel asked:
Will Szymkowski, Senior Solution Architect, commented:
You do not need to change your internal Active Directory FQDN .local. All you need to do is set up Split DNS internally and then configure your internal virtual directories to match your external virtual directories.

Take a look at the HowTo I have done below...

This is performed on Exchange 2013 but will also suffice for Exchange 2010/2007.

Eric Hummel (Author) commented:
Hello Will, thanks for the quick response. Will this solve the problem that internal Outlook clients will encounter when the certificate no longer has a .local SAN? My thought is that Outlook clients will continue to look for "server.local" but the Exchange cert will no longer list that name so there will be a cert error. I don't understand how split DNS will help. It's not so much of a resolution issue as it is a validity check against the certificate. I hope I'm just missing the big picture here, because a DNS mod will be so much easier than a migration.

Maybe this works because the CAS will tell the internal Outlook clients to connect to server.com instead of server.local (matching the certificate). If that is the case, I understand how split DNS plays into this.
Will Szymkowski, Senior Solution Architect, commented:
Split DNS is the correct way to configure this.

When your clients are local to your Exchange server they will use the Internal Virtual Directory by default. This usually points to server.domain.local. Your SAN/UCC cert will no longer have domain.local in it. So what needs to be done is what I have outlined in my HowTo:

- using the cert with only autodiscover.externaldomain.com and mail.externaldomain.com (no .local)
- creating your externaldomain.com zone on your internal DNS servers (Active Directory)
- then changing your virtual directories to point to https://externaldomain.com/owa, /ews, etc.

So now your virtual directories will have the same values for internal and external. When a user locally launches Outlook they will use the InternalURL which will point to externaldomain.com internal zone and the internal IP of the server.

This is then using the same FQDN that your certificate has and does not have a name mismatch which gives a cert error.

It will work for you. I would not post a HowTo if this did not work.

Adam Brown, Sr Solutions Architect, commented:
You don't *need* to configure split DNS, and you're still going to get an error unless you change the Autodiscover SCP value in Active Directory. Changing the virtual directories won't do this in Exchange 2013; running

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.company.com/autodiscover/autodiscover.xml

will. (Note, you'll still have to change the virtual directory settings.)

You can get away without using split DNS, but only as long as your firewall is allowing traffic that originates inside your LAN to access the Public IP address of the Exchange server. If you allow that, internal clients will default to using the External settings for company.com and obtain the addresses used there, which will be public IP addresses. If you don't have your firewall set up to allow the right kind of traffic, though, you will have to have split DNS configured, since that will allow you to have internal addresses for the same hostnames that are used in Public DNS. Operationally, you can use either technique, but split DNS requires some additional overhead to manage and configure, particularly if you have a lot of public host names.
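The steps Will lists (internal copy of the public zone, identical internal and external URLs, a certificate holding only the public names) together with the Autodiscover SCP change Adam describes, written out as an added Exchange 2010 example that is not from either poster or from Will's HowTo. The server name EX01, the names under externaldomain.com and the address 10.0.0.5 are placeholders; the dnscmd lines assume they are run on a 2008 R2 domain controller running DNS.

```powershell
# Added example: make internal Outlook clients use only names present in the
# new certificate. Placeholder values, adjust to your environment.
$Server     = "EX01"
$MailFqdn   = "mail.externaldomain.com"
$AutoDFqdn  = "autodiscover.externaldomain.com"
$InternalIp = "10.0.0.5"

# --- 1. Split DNS: an AD-integrated internal zone for the public domain.
#     dnscmd.exe exists on Server 2008 R2 (the DnsServer module does not).
#     Internal resolvers now answer with the LAN address for the public names.
dnscmd /ZoneAdd externaldomain.com /DsPrimary
dnscmd /RecordAdd externaldomain.com mail         A $InternalIp
dnscmd /RecordAdd externaldomain.com autodiscover A $InternalIp

# --- 2. Exchange Management Shell: internal URL == external URL everywhere,
#     so the CAS never hands an internal client a .local name.
$Base = "https://$MailFqdn"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"

# --- 3. Autodiscover SCP in Active Directory (domain-joined Outlook reads this
#     first; changing the virtual directories alone leaves it at the .local name).
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoDFqdn/autodiscover/autodiscover.xml"

# --- 4. Checks: every name Exchange now advertises must be a SAN on the IIS cert,
#     otherwise internal clients will still see a name-mismatch prompt.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$sans = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = @($MailFqdn, $AutoDFqdn) | Where-Object { $sans -notcontains $_ }
if ($missing) { Write-Warning "Not in the IIS certificate: $($missing -join ', ')" }
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-ClientAccessServer $Server | Format-List AutoDiscoverServiceInternalUri
# From a LAN client, nslookup mail.externaldomain.com should now return $InternalIp.
```

Restart Outlook on a test client afterwards and confirm with "Test E-mail AutoConfiguration" that the returned URLs carry the public name only.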
Will Szymkowski, Senior Solution Architect, commented:
As I have illustrated in my HowTo, configuring autodiscover is also part of the steps. However, for Exchange specifically Split DNS is the recommended approach. It is the actual way to simplify your Exchange setup.

Adam Brown, Sr Solutions Architect, commented:
Ha! Glossed over the part where he said Exchange 2010. With that version it's better to use Split DNS, but only if you want people to use RPC internally for access to the Exchange server. If you have Outlook Anywhere configured, it really doesn't matter which way you go. Exchange 2013 did away with straight RPC access to Exchange and all traffic goes over HTTPS, so it isn't important to use split DNS on those versions.