AD FS with public domain name SSL certificate on private domain

Asked by erik_r

Hello.  My Active Directory domain name is private.com.  My email domain is public.com which is used with O365 and a public facing website.

I'm setting up AD FS (at the moment NOT for O365) and purchased a wildcard SSL cert for *.public.com.  My mind kind of went blank on this one since I see the email (public) domain on a daily basis.

Now, the name of my AD FS farm is adfs.public.com.  I would like to use this name, and it auto-populated because the SSL cert I installed on this server is *.public.com.

The name of the server running AD FS is adfs-1.private.com.  I read that a CNAME record should be created for adfs.public.com to point to adfs-1.private.com.  Is this correct?  If so, how would you deal with adding more than one AD FS server to the farm?

I don't know how to make adfs.public.com work for internal users in the DNS forward lookup zone for private.com.  Now, I can create another forward lookup zone named adfs.public.com (the subdomain name of adfs in front of private.com should alleviate any DNS issues with internal users browsing to public.com websites and such) and create a host entry to adfs-1.private.com.  It won't let me create a CNAME record to another forward lookup zone.

At the moment I'm only concerned with internal name resolution.

Either I am over complicating this or my approach is way off base and too simple.

Thank you.
ASKER CERTIFIED SOLUTION
footech

This solution is only available to members.
erik_r (ASKER)

Is it worthwhile for me to continue using the SSL cert for the public.com domain or should I just purchase a cert for my private.com local domain?

Somehow I had it in my head that, since my users are really only exposed to the public.com domain name (most don't even know what the name of the local AD domain (private.com) is), it would be better for them to see public.com in the address bar of their browsers.

If I create a new forward lookup zone of adfs.public.com and then use an A record to point to the AD FS server, will it just end up resolving to the "real" name of the AD FS server in the address bar and then the SSL cert will be "broken" so to speak?

Since I don't know the form of your local domain, it's hard to say for certain (it's possible you could use either), but in general you should use the public domain.  Plan as if someday this will need to be available over the internet (would then require ADFS Web Application Proxy and possibly another load balancer).

To your last question, the simple answer is "no".
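The following PowerShell is an added example, not code posted by anyone in this thread. It carries out the approach the asker describes (a dedicated internal forward lookup zone named adfs.public.com with an A record, rather than a split-brain copy of public.com) and then checks the two things the follow-up question is really about: that internal clients resolve adfs.public.com without the name ever changing to adfs-1.private.com, and that the wildcard certificate bound to AD FS actually covers the farm name. Assumptions, none of which are in the original: the internal DNS server is a Windows DNS server named dc-1.private.com, the farm sits behind a load balancer whose internal VIP is 10.0.0.50, and the AD FS node runs Windows Server 2012 R2 or later (where Get-AdfsSslCertificate exists). Pointing the A record at a VIP instead of at adfs-1 is also the answer to "how do I add more servers": the farm name never changes, only the load balancer's pool does.

```powershell
# Added example for the thread above; not from the original post.
# Assumed names/addresses: dc-1.private.com (internal DNS), 10.0.0.50 (farm VIP).
# Run section 1-2 as a DNS admin with the DnsServer RSAT module, section 3b on an AD FS node.

$FarmName  = 'adfs.public.com'
$FarmVip   = '10.0.0.50'            # assumed load-balancer VIP fronting adfs-1, adfs-2, ...
$DnsServer = 'dc-1.private.com'     # assumed internal Windows DNS server

# 1. A zone named exactly after the farm name. Because the zone is only
#    adfs.public.com, every other name under public.com (www, autodiscover for
#    O365, ...) still resolves via public DNS; no split-brain public.com zone.
if (-not (Get-DnsServerZone -Name $FarmName -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $FarmName -ReplicationScope 'Domain' -ComputerName $DnsServer
}

# 2. An A record at the zone apex ("@"). A CNAME is not allowed at an apex
#    because it would conflict with the zone's own SOA and NS records, which is
#    why the console refuses a CNAME to adfs-1.private.com in this zone.
$apex = Get-DnsServerResourceRecord -ZoneName $FarmName -Name '@' -RRType 'A' `
            -ComputerName $DnsServer -ErrorAction SilentlyContinue
if (-not $apex) {
    Add-DnsServerResourceRecordA -ZoneName $FarmName -Name '@' -IPv4Address $FarmVip -ComputerName $DnsServer
}

# 3a. Internal resolution check: the answer is the VIP, and the queried name is
#     still adfs.public.com. DNS returns an address; it never rewrites the URL,
#     so the browser keeps showing adfs.public.com and the cert stays valid.
Resolve-DnsName -Name $FarmName -Type A -Server $DnsServer |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress

# 3b. Certificate check on an AD FS node: the farm name AD FS advertises must
#     be covered by the certificate bound to HTTPS. A wildcard covers exactly one
#     leftmost label (RFC 6125 6.4.3): *.public.com covers adfs.public.com but
#     not sts.adfs.public.com.
function Test-CertNameCovers {
    param([string]$CertName, [string]$HostName)
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                # ".public.com"
        return ($HostName.EndsWith($suffix) -and
                ($HostName.Split('.').Count -eq $CertName.Split('.').Count))
    }
    return $false
}

$props = Get-AdfsProperties                             # HostName = farm name
$thumb = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"
$names = @($cert.DnsNameList.Unicode)                   # SANs, falls back to CN

[pscustomobject]@{
    FarmName     = $props.HostName
    CertSubject  = $cert.Subject
    CertDnsNames = ($names -join ', ')
    FarmCovered  = [bool]($names | Where-Object { Test-CertNameCovers $_ $props.HostName })
}
```

If FarmCovered comes back false, the fix is on the AD FS side (set the farm name with Set-AdfsProperties or rebind the correct certificate), not in DNS. Dropping the public.com wildcard in favour of a cert for the private.com name would only make sense if private.com is a domain you control on the public internet; otherwise a public CA will not issue it and clients would need your private CA trusted, which is another reason the reply above favours the public domain.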