  1. #1

    windows server 2012 / exchange 2013 split dns

    Hello,

    I have a question about the way my Windows Server 2012 resolves the internal and external addresses. Right now I have an internal domain: yyy.example.local, external domain: yyy.example.com. I have an Exchange certificate for my external domain yyy.example.com and that is working fine for the Exchange users. When the users approach Exchange internally they receive an error because the certificate name doesn't match the internal address, which is logical.
    My question is: how can I let my internal address redirect to my external address? So when users approach Exchange internally they will receive the right external address without any errors. I've tried the options below, but this does the opposite. It will link my external address to my internal.

    1. create new forward NON-AD Zone on DNS server for the external name of the mail server that is on your cert: remote.yyy.org

    2. go into the new zone, make a new A record, the name is blank and put IP as internal mail server.

    3. Go into Exchange Admin GUI and go to server section - virtual directories - change the website to the external name: remote.yyy.org/xxx

    4. you cannot change autodiscover from GUI - open shell and put in: Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/autodiscover/autodiscover.xml CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri

    5. In server section of GUI, double click on server, go to outlook anywhere section, change both internal and external to what is on cert: remote.yyy.org

    6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to

    Do you guys have any suggestions?
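    The six steps above, carried out from PowerShell instead of the console, as an added example that is not from this thread or any of its posters. The names remote.yyy.org, EXCH01 and 192.0.2.10 are placeholders for the certificate name, the Exchange 2013 server and its internal IP; the DnsServer cmdlets assume the script runs on the internal DNS server (or a host with the DNS RSAT), and the Set-* Exchange cmdlets assume the Exchange Management Shell. Using the zone apex name `@` for the blank-name A record is an assumption about the DnsServer module.

```powershell
# Added example: split DNS zone plus Exchange 2013 client URLs, all on the certificate name.
# Placeholders (not the poster's real values): remote.yyy.org, EXCH01, 192.0.2.10 (RFC 5737 test range).
param(
    [string]$PublicName = 'remote.yyy.org',   # the name on the certificate
    [string]$InternalIp = '192.0.2.10',       # internal IP of the Exchange server
    [string]$Server     = 'EXCH01'            # Exchange 2013 server name
)

Import-Module DnsServer

# Steps 1-2: an internal-only, file-backed (non-AD-integrated) primary zone named after the
# public host name, with a single apex A record that points at the INTERNAL address.
# External DNS keeps its own A record for the same name pointing at the public address.
if (-not (Get-DnsServerZone -Name $PublicName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicName -ZoneFile "$PublicName.dns"
}
# '@' is assumed to denote the zone apex, i.e. the record whose name is left blank in the console.
Add-DnsServerResourceRecordA -ZoneName $PublicName -Name '@' -IPv4Address $InternalIp

# Step 3: every virtual directory carries the public name for BOTH the internal and external URL,
# so a client never sees a host name that the certificate does not cover.
$base = "https://$PublicName"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"

# Step 4: the Autodiscover SCP that domain-joined Outlook clients read from AD (shell only).
# Note the https:// scheme; without it Outlook is handed a URI it cannot use.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"

# Step 5: Outlook Anywhere, internal and external host name both equal to the certificate name.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $PublicName -InternalClientsRequireSsl $true `
    -ExternalHostname $PublicName -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic

# Confirm (the same check as in step 4 of the post).
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri
```

    Step 6 of the post is a client-side check, not a server setting: the test PC must use the internal DNS server that hosts the new zone, otherwise it will still resolve the public name to the public IP.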

  2. #2 (SYNACK)

    The above steps look right to me

  3. #3

    I have tried the above steps, but this gives an opposite result. I want to resolve my internal address yyy.local as my external address yyy.com

  4. #4 (SYNACK)

    Split DNS means having the external name resolve to the external IP when outside and the internal IP when internal; that way the name remains the same and the cert works in both places.

  5. #5

    My cert is registered for the name *.yyy.com and my external domain matches this name, so that's OK. My internal domain however is yyy.local and of course doesn't match the cert name, and this is causing the cert error when opening Outlook. I thought this could be resolved with a split DNS solution. Am I wrong?

  6. #6 (SYNACK)

    No, you point your internal clients at the external address, which resolves to your internal IP; that way it works inside and outside.

  7. #7

    How do I point my internal clients to the external address?

  8. #8 (SYNACK)

    You point everything going to the mail server to external.external.com rather than using your internal address for anything.

  9. #9

    I understand that I have to point everything to the external mailserver. But how do I do that?

  10. #10 (SYNACK)

    By using the external DNS name everywhere: when the client is inside, it will be using the internal DNS, which will point it to the internal IP; when it is outside, it will point to the external IP. To the client it will be transparent and all look the same, so the certificate will be right, as it only checks the DNS name, not the IP.
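    A check for the three things that explanation relies on, written as an added example that is not from this thread or its posters: that the public name resolves to the internal IP from an internal client, that the certificate the server actually presents covers that name (including a wildcard such as *.yyy.com), and that no Exchange client URL still carries the .local name. The values remote.yyy.org, 192.0.2.10 and EXCH01 are placeholders; the Exchange part only runs when the Exchange cmdlets are loaded.

```powershell
# Added example: verify split DNS and certificate name coverage for an Exchange 2013 host name.
# Placeholders (not the poster's real values): remote.yyy.org, 192.0.2.10, EXCH01.
param(
    [string]$PublicName         = 'remote.yyy.org',
    [string]$ExpectedInternalIp = '192.0.2.10',
    [string]$Server             = 'EXCH01'
)

# Does a host name match a certificate name? Handles an exact match and a single-label wildcard
# (*.yyy.com covers remote.yyy.com, but not yyy.com and not a.b.yyy.com).
function Test-CertNameMatch([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                               # '.yyy.com'
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }          # exactly one label under the wildcard
            }
        }
    }
    return $false
}

# 1. Resolution as seen from THIS client. Inside the LAN the answer must be the internal IP.
$ips = Resolve-DnsName -Name $PublicName -Type A -ErrorAction Stop |
       Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
"{0} resolves to: {1}" -f $PublicName, ($ips -join ', ')
if ($ips -notcontains $ExpectedInternalIp) {
    Write-Warning "Split DNS is not in effect for this client: expected $ExpectedInternalIp"
}

# 2. Real TLS handshake on 443 and inspection of the certificate that is served.
#    The callback returns $true only so the handshake completes and the certificate can be read;
#    trust and name coverage are evaluated explicitly below.
$client = New-Object System.Net.Sockets.TcpClient($PublicName, 443)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($PublicName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Close()
}

# Names the certificate is valid for: the subject CN plus any SAN dNSName entries (OID 2.5.29.17).
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Windows formats the extension as "DNS Name=a.example.com, DNS Name=b.example.com"
    $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
"Certificate names : {0}" -f ($names -join ', ')
"Chain trusted     : {0}" -f $cert.Verify()
"Covers {0,-18}: {1}" -f $PublicName, (Test-CertNameMatch $PublicName $names)

# 3. Every URL Exchange hands to clients must use a host name the certificate covers.
if (Get-Command Get-ClientAccessServer -ErrorAction SilentlyContinue) {
    $urls = @((Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri)
    foreach ($vd in @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
                    @(Get-ActiveSyncVirtualDirectory -Server $Server) + @(Get-WebServicesVirtualDirectory -Server $Server) +
                    @(Get-OabVirtualDirectory -Server $Server)) {
        $urls += $vd.InternalUrl, $vd.ExternalUrl
    }
    foreach ($u in ($urls | Where-Object { $_ })) {
        $state = if (Test-CertNameMatch ([uri]$u).Host $names) { 'OK ' } else { 'BAD' }
        "{0} {1}" -f $state, $u
    }
}
```

    Run it once from a client on the LAN and once from outside: the resolved IP should differ, while the certificate names and every Exchange URL should come back identical and marked OK in both cases. Any URL marked BAD is one Outlook will still complain about, whatever DNS says.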

  11. #11

    Alright, thanks. I will try it and let you know if it works.

  12. #12

    Ok, so I managed to change the Autodiscover URL, pointing it to the external URL, so Outlook will connect with the right certificate. If I delete and re-add the Outlook profile, the certificate error won't pop up and everything works fine. My question now is: I am dealing with 50+ users. Does this mean every single user has to delete his Outlook account and re-add it? This is a big amount of work, not to mention the time Outlook needs to sync everything back again (over 50 GB worth of data).

    Is there a way to do this faster and more effectively?


    thanks


