What domain names need to be listed on a SAN certificate for an Exchange 2010 server with multiple receive domains
Friday, December 28, 2012 8:04 PM
Previously we would list the following for all our receive domains:
Recently we doubled the amount of receive domains and I’m 30 days out from renewing my SAN certificate. So I'm wondering if I can trim some of those domains off or not. For example, let’s say I have the following domains:
The Main company is A.com but portions of the company need to send and receive as the other domains. Currently each domain has an A record for mail.X.X and CNAMEs for AutoDiscover.X.X and Webmail.X.X that point to mail.x.x (All exchange roles are on the same server).
The SAN cert in question has those domains listed in addition to the local server name, so for example
Common Name: mail.a.com
Subject Alternative Name:
For all the domains except A.com and A.local can I drop all but the Autodiscover domains from the SAN certificate as long as I make that an A record for each domain and put in HTTP redirects for Mail.X.X for Webmail.X.X? Can I also get rid of A.com and A.local and just keep the domain names associated with Exchange services?
Sunday, December 30, 2012 8:17 AM
For Autodiscover to work properly you need to have an autodiscover record for every e-mail address domain for primary e-mail addresses. Since you never receive mail for firstname.lastname@example.org, then there's no need for an autodiscover record for that record. Some find it easier to deploy an SRV record for Autodiscover when you have many e-mail domains.
The general practice is to use the webmail address as the common name of the certificate. You need but one since everyone could use the same URL for webmail regardless of what their e-mail domain is. If you want to provide convenience webmail URLs for each e-mail domain, it's a choice you make.
As to .local (or any other internal-only) domains, I recommend that you employ split-brain DNS and use only external URLs for everything. It makes it easier for you since you don't have to convince your certificate issuer to put unregistered domains in your SANs, cheaper in that you don't need as many SANs, and easier for your users to understand.
That should be everything you need.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
- Marked As Answer by Simon_WuMicrosoft Contingent Staff, Moderator Tuesday, January 08, 2013 4:15 AM
Monday, December 31, 2012 3:10 AMModerator
I think the following article must be helpful for your question:
If you have feedback for TechNet Subscriber Support, contact email@example.com
TechNet Community Support
Friday, January 04, 2013 8:29 PM
Thanks for the help all. Do I still need to include the root domains at all, even for the main namespace (A.com)? From what I’m getting my slimmed down SAN cert will be:
- Common Name: mail.a.com
- Subject Alternative Name:
All the employees (regardless of email domain) will use mail.a.com for ActiveSync and webmail.a.com for OWA. I do also have a SRV record internally.
- Edited by Vox Medica Tuesday, January 08, 2013 3:06 PM
Tuesday, January 22, 2013 2:27 PMAfter doing further research we decided to use AutoDiscover Redirect for all the but the main domain (a.com) and dropped down to a 5 slot SSL SAN Cert. So far it works fine with just the redirect message that pops up occasionally for Outlook users, which we will probably suppress using the instructions in this MS support article.