Setting up Exchange 2013 to use a different External Domain

Hi Experts.

I have a setup with Exchange running an important test environment using  This is used for internal testing and email works fine internally, but mail flow in/out of the domain has never been set up, and I don't have ownership of an external DNS running this domain.

I now need to get it working so I can send/receive email externally using, whilst not breaking the working internal mail using

I am familiar with DNS and to an extent Certificates however I'm not sure how to configure the certificate and server so I don't break the internal mail flow, whilst allowing staff to send/receive using domain B externally.

They want to have the Exchange server referred to as  Do I need to change anything on the Exchange server, or just create a CNAME in the external DNS pointing to the external IP of the server?

Can I setup a SAN cert with both domains?  If so how?

Thanks All!  

John sparks asked:
Jason Crawford (Transport Ninja) commented:
You will need to acquire a cert for to secure client connections.  Many people include in a SAN cert, but you can get away with a single domain and an Autodiscover SRV record.  You can add as an accepted domain and assign it to mailboxes; however, until you are able to secure admin access to the public DNS host, inbound email won't work since you will need to update the MX record(s).
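The steps in this answer (a public SAN cert for the external names only, the external domain added as an accepted domain and stamped on mailboxes as a secondary address, internal Autodiscover left alone), as an added Exchange Management Shell example that is not from the thread; `domainA.example` (internal) and `domainB.example` (external), the file paths and the `C:\temp` folder are placeholders.

```powershell
# Added example, not the answerer's code. Run in the Exchange Management Shell
# on the Exchange 2013 server. Replace the placeholder domains and paths.

# 1. Certificate request covering only the external names. Internal clients
#    are not affected: internal Autodiscover is found via the SCP in AD, and
#    internal names (domainA.example) do not need to be on the public cert.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "cn=mail.domainB.example" `
    -DomainName mail.domainB.example, autodiscover.domainB.example `
    -PrivateKeyExportable $true
Set-Content -Path "C:\temp\domainB.req" -Value $req    # submit this to the public CA

# 2. Import the signed certificate and bind it to IIS (client access) and SMTP.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\temp\domainB.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# 3. Accept mail for domainB and add it as a secondary address on each mailbox.
#    The primary (domainA.example) address is left untouched, so internal mail
#    keeps working; outbound mail still goes out as the primary address unless
#    the primary is changed deliberately.
New-AcceptedDomain -Name "domainB" -DomainName domainB.example -DomainType Authoritative
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Set-Mailbox -Identity $_.Identity -EmailAddresses @{add = "$($_.Alias)@domainB.example"}
}

# 4. Verify what was configured: the accepted domains and the bound services.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType
Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, CertificateDomains, Services, NotAfter

# Public DNS (outside Exchange, in the domainB zone, once you have access):
#   A   record  mail.domainB.example         -> the server's external IP
#   SRV record  _autodiscover._tcp.domainB.example -> port 443, mail.domainB.example
#   MX  record  domainB.example              -> mail.domainB.example (only needed for inbound)
```

Mailboxes with an email address policy applied may have the added address overwritten when the policy is re-applied; in that case add the address to the policy instead of per mailbox.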
John sparks (Author) commented:
So get a cert for domainB (the external domain) only?

Happy to get a SAN cert as will go on to link to  Office365 later, so if  I use a SAN, get and

We don't need inbound email on, as long as the users on the local domain can send email to each other using that email. So we don't need an MX record for domainA.

I was thinking that if I just put the cert in covering domainB then the internal servers/PCs will reject the connection.  Or does the internal autodiscover SRV record somehow override the cert?

(currently using a self-signed cert for on the Exchange server)
Jason Crawford (Transport Ninja) commented:
The cert is only necessary for external connections.  It seems like you're getting mail flow and client connectivity confused.  You can secure email transport with a TLS certificate, but this is generally reserved for business partners and entities subject to compliance.  As long as the MX records are properly configured mail flow will work out of the box with Exchange.  Internal Autodiscover is facilitated with a Service Connection Point in AD, not DNS records.
John sparks (Author) commented:
So in summary, to allow in/out mail flow of  (and we don't need a TLS cert for our purposes.)

  • Don't need to do anything internally with regard to DNS,  autodiscover records.
  • Use Exchange to create a cert request for just the outside email domain and (Aware we could get away with one)

Is this right?  If so I'll mark as done.

I guess there's some config in the Exchange server configuration but I'll leave that to another question.

Many thanks Jason.
Jason Crawford (Transport Ninja) commented:
That's right
John sparks (Author) commented:
Thanks very much
Jason Crawford (Transport Ninja) commented:
Glad I could help.  Take care :)