
Split DNS question and using CNAME instead of A records

I am running everything in Azure: Exchange 2013, which is hybrid, and Exchange 2010 SP3.
Since IPs might change when a machine is shut down, I was reading somewhere that it is advisable to use CNAME instead of A records, so instead of pointing to an IP I could use a CNAME and point to the Exchange 2013 hostname.

So, I need two records, mail and autodiscover, for the 2013 server. Also, my internal domain is contoso.local (non-routable), and I set up a DNS forward lookup zone for the domain that is routable: externaldomain.com.

So, I have the local domain contoso.local, and the external domain externaldomain.com set up as a forward lookup zone in internal DNS.

What internal DNS records do I need to set up? Can I set up CNAME records in both forward lookup zones?

For example:
contoso.local DNS forward lookup zone
CNAME autodiscover.contoso.local    points to exchange2013.contoso.local
MX record mail.contoso.local    points to exchange2013.contoso.local

externaldomain.com forward lookup zone on internal DNS
CNAME mail.externaldomain.com    points to exchange2013.contoso.local
CNAME autodiscover.externaldomain.com    points to exchange2013.contoso.local

Please note that because I used DigiCert, and it doesn't support non-routable domains such as contoso.local, they advise using external names for the Exchange server.
Please help.
Tags: Microsoft 365, Exchange, Azure

Jason Crawford

When you say you're running "everything in Azure" that to me means you don't have a server on-prem.  Can you clarify how your network is split up?

If everything truly was hosted in Azure, the only time you would need to worry about that .local domain is if you were using some kind of VDI or DaaS solution on the same hosted network as the Exchange server.  Otherwise everything will be external by default.  I think it would be easiest to explain best practice if everything was on-prem, then make adjustments for the cloud.

SSL cert should cover mail.domain.com and autodiscover.domain.com unless you want to throw in a pop or smtp subdomain.

DNS should be an A record for mail.domain.com pointing to your Exchange server's WAN IP, and either an SRV, CNAME, or A record for autodiscover.domain.com.  I prefer CNAME unless it's a multi-tenant deployment.

All virtual directories should have an internal URL that matches the external URL, i.e. https://mail.contoso.com/EWS/Exchange.asmx.

Outlook Anywhere should be configured with basic and NTLM auth for IISAuthentication, and NTLM for InternalClientAuthenticationMethod.  

You can avoid the internal forward lookup zone altogether with the right firewall settings.  SonicWalls will do this out of the box, but Cisco requires a little extra configuration called DNS fixup or DNS doctoring.  Basically, any time the firewall sees a DNS answer that points back to itself, it stops the query before it leaves the network and redirects the connection back to the appropriate server.  Pretty cool actually.
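The layout described in the answer above (names in the externaldomain.com zone only, every virtual directory InternalUrl equal to its ExternalUrl, Outlook Anywhere on Basic+NTLM with NTLM internally), written out as an added PowerShell example. This is not code from the thread; it assumes a Windows DNS server dc1.contoso.local that already hosts a zone for externaldomain.com, an Exchange 2013 server named EXCHANGE2013 (FQDN exchange2013.contoso.local), and a test mailbox user@externaldomain.com. Run the DNS part from a host with the DnsServer module and the rest from the Exchange Management Shell.

```powershell
# Added example, not from the original thread. Names below are constructed.
$Zone     = 'externaldomain.com'
$DnsHost  = 'dc1.contoso.local'           # internal DNS server hosting the zone
$Srv      = 'EXCHANGE2013'                # Exchange 2013 server name
$ExchFqdn = 'exchange2013.contoso.local'  # AD-registered host record, kept current by dynamic DNS
$Mail     = "mail.$Zone"
$Auto     = "autodiscover.$Zone"
$Base     = "https://$Mail"

# --- 1. Internal records in the externaldomain.com zone only (nothing in contoso.local) ---
# Both public names alias the server's own AD host record, so when the Azure VM comes back
# with a different internal IP, dynamic DNS updates exchange2013.contoso.local and the
# CNAMEs follow it; no internal A record has to be edited by hand.
Add-DnsServerResourceRecordCName -ComputerName $DnsHost -ZoneName $Zone -Name 'mail' -HostNameAlias $ExchFqdn
Add-DnsServerResourceRecordCName -ComputerName $DnsHost -ZoneName $Zone -Name 'autodiscover' -HostNameAlias $ExchFqdn
# No internal MX is needed: the MX lives in public DNS, and internal clients never query it.

# --- 2. Internal URL == external URL on every virtual directory ---
Set-OwaVirtualDirectory         -Identity "$Srv\owa (Default Web Site)" -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory         -Identity "$Srv\ecp (Default Web Site)" -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Set-WebServicesVirtualDirectory -Identity "$Srv\EWS (Default Web Site)" -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Srv\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$Srv\OAB (Default Web Site)" -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-MapiVirtualDirectory        -Identity "$Srv\mapi (Default Web Site)" -InternalUrl "$Base/mapi" -ExternalUrl "$Base/mapi"   # 2013 SP1 or later
# Autodiscover SCP that domain-joined Outlook finds via AD; same public name, so the cert matches.
Set-ClientAccessServer -Identity $Srv -AutoDiscoverServiceInternalUri "https://$Auto/Autodiscover/Autodiscover.xml"

# --- 3. Outlook Anywhere: Basic+NTLM on IIS, NTLM for internal clients ---
# Basic sends the password to the TLS endpoint on every request, so RequireSsl must stay $true;
# ExternalClientAuthenticationMethod = Basic is an assumption for external-only Basic use.
Set-OutlookAnywhere -Identity "$Srv\Rpc (Default Web Site)" `
    -InternalHostname $Mail -ExternalHostname $Mail `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -IISAuthenticationMethods Basic,NTLM `
    -InternalClientAuthenticationMethod NTLM `
    -ExternalClientAuthenticationMethod Basic

# --- 4. Checks a practitioner would run before trusting the change ---
# a) Both public names resolve, through the CNAME chain, to the Exchange host's current IP.
$ExchIp = (Resolve-DnsName -Name $ExchFqdn -Server $DnsHost -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
foreach ($n in $Mail, $Auto) {
    $ips = (Resolve-DnsName -Name $n -Server $DnsHost -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
    if (-not ($ips -contains $ExchIp)) { Write-Warning "$n resolves to $($ips -join ',') not $ExchIp" }
}
# b) The certificate bound to IIS covers both public names; no contoso.local SAN is required.
$cert    = Get-ExchangeCertificate -Server $Srv | Where-Object { $_.Services -match 'IIS' }
$missing = @($Mail, $Auto) | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "IIS certificate does not cover: $($missing -join ', ')" }
# c) End-to-end Autodiscover/EWS test as the constructed mailbox user.
Test-OutlookWebServices -Identity 'user@externaldomain.com' -MailboxCredential (Get-Credential)
```

If you would rather not depend on dynamic DNS, replace the two CNAMEs with a single A record for mail (Add-DnsServerResourceRecordA with a short TTL) and keep autodiscover as a CNAME to mail; either way, only the externaldomain.com zone carries the names the certificate is issued for, which is the point of the DigiCert advice in the question.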
creative555
Thank you so much.

If I understand you correctly, basically for Internal DNS:
I need a CNAME autodiscover record in my internal DNS external forward lookup zone externaldomain.com, and DON'T need a CNAME in the internal DNS zone contoso.local?

How about an internal DNS MX record? Should I have it in the external forward lookup zone or in the internal forward lookup zone contoso.local in my internal DNS? Please note that every client's FQDN is computername.contoso.local (internal DNS). Do I need to add that DNS suffix to all computers as well? Or another CNAME record, so that if they reach the Exchange server, which also has an FQDN in the local domain (exch2013.contoso.local), it points to exch2010.externaldomain.com? Do I need to add the DNS suffix to the Exchange server as well?

External DNS:
CNAME autodiscover pointing to the public IP of the VM, as well as CNAME mail pointing to the same public IP of the VM. MX record pointing to the public IP.

Thanks for cert and virtual directory notes, I did set them up already.
Jason Crawford
