Exchange with Split-DNS. Is it best practice?

  • Question

  • I am wondering if it is best practice to run Exchange using a split-DNS setup as opposed to having separate internal and external URLs.

    I ask because I have an internal private domain (domain.local) and I publish our Exchange services (OWA, EWS, etc.) using, of course, a public domain (mail.domain.com). With the approaching "certificate cliff" (CAs are no longer issuing certificates with internal domain SAN names), I came across using split-DNS to get around the issue (I am not going to migrate my domain to the public domain name).

    Also, I recently set up EWS for Apple Mac Mail support, and in researching this it seems that most information has both the internal and external URLs as being the same.

    So again, is split-DNS ideal when you have a private internal domain name?

    Tuesday, May 28, 2013 5:37 PM

Answers

  • Hi

    Split DNS is the recommended best practice for Exchange and makes your life easier as it reduces the number of namespaces and certificates you need to deal with.

    The one complication is that the domain.com zone in your internal DNS needs to contain the same A records as that zone in your public DNS.

    Cheers, Steve

    • Marked as answer by mac1234 Tuesday, May 28, 2013 6:38 PM
    Tuesday, May 28, 2013 5:44 PM

All replies

  • Thank you for the response.

    I understand the need to maintain A records for the internal zone. However, I was considering (and have actually tested) the following:

    Do not create the new zone as "domain.com", but instead create the zone as "mail.domain.com". Then create an A record for the IP of my Exchange server.

    In testing this appears to work just fine. Any issues with this?

    Tuesday, May 28, 2013 5:54 PM
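The zone-per-hostname approach described in this reply (often called a "pinpoint" zone) can be scripted on a Windows DNS server. The following is an added example, not code from the thread; it goes one step beyond the reply by creating a second pinpoint zone for autodiscover.domain.com the same way, and it ends with a resolution check so you can confirm that only the Exchange names are answered internally. The server address 10.0.0.25 and the names mail.domain.com and autodiscover.domain.com are constructed placeholders.

```powershell
# Added example: pinpoint DNS zones for split-DNS on Windows Server DNS.
# Assumptions (constructed): internal Exchange client-access IP 10.0.0.25,
# public names mail.domain.com and autodiscover.domain.com.
# Run in an elevated PowerShell session on a DNS server (or with RSAT DNS tools).
Import-Module DnsServer

$internalExchangeIp = '10.0.0.25'
$pinpointZones      = 'mail.domain.com', 'autodiscover.domain.com'

foreach ($zone in $pinpointZones) {
    # The zone name IS the host name, so the apex ("@") record is the host itself.
    # Nothing else under domain.com is touched: www.domain.com, MX records and so
    # on keep resolving through the public zone, so no zone transfer is required.
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain'
    }
    # Same name as the public record, but the internal address, so internal
    # clients reach Exchange directly instead of hairpinning through the firewall.
    Add-DnsServerResourceRecordA -ZoneName $zone -Name '@' `
        -IPv4Address $internalExchangeIp -ErrorAction SilentlyContinue
}

# Verification: each Exchange name must resolve to the internal address from
# inside the network; an unrelated public host should still get its public answer.
foreach ($zone in $pinpointZones) {
    $answer = (Resolve-DnsName -Name $zone -Type A).IPAddress
    if ($answer -ne $internalExchangeIp) {
        Write-Warning "$zone resolved to $answer, expected $internalExchangeIp"
    } else {
        Write-Output "$zone -> $answer (internal)"
    }
}
Resolve-DnsName -Name 'www.domain.com' -Type A | Select-Object Name, IPAddress
```

Because each pinpoint zone is authoritative only for that one name, the internal DNS server never has to carry a copy of the public domain.com zone, which is what makes the approach cheaper to maintain than a full split-brain copy of the zone.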
  • No problem.

    That will work fine too if you only have one DNS name - gets a bit complicated when you need to add something else in though.  Having said that you could easily add in a domain.com zone if you needed to expand.

    Steve

    Tuesday, May 28, 2013 5:59 PM
  • great, thanks for the help.
    Tuesday, May 28, 2013 6:38 PM
  • Hi I hope this thread is still open!

    Would the solution proposed by mac1234 also work for an autodiscover record too? I am asking this because the split brain solution is good but obviously you have to maintain public dns records in that zone too and this would require a zone transfer (thus overwriting the records you configure and of course if that happens then the effect of the split brain solution is nullified) or manual update

    I want to implement split-brain DNS for my organisation as the internal domain is .local and the public domain name is .com. Do you have any ideas about how this might be achieved? Perhaps I am missing something simple, but that would not be the first time!

    Thanks in advance!

    Friday, January 10, 2014 4:24 PM
  • No zone transfer is needed. This is an internal zone and mail.contoso.com points to an internal IP, not the external interface on the Internet. For the issue about the .local you can change the internal URLs to a .com namespace, and use certs with that name. Much easier!

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, January 11, 2014 1:41 AM
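Changing the internal URLs to the public namespace, as suggested in the reply above, is done per virtual directory from the Exchange Management Shell. This is an added example, not code from the thread or from Microsoft; it assumes an Exchange 2010/2013 server named EX01 and the constructed namespace mail.domain.com with autodiscover.domain.com, and it finishes with a check that the names it configured are actually covered by the certificate bound to IIS, since a name that is missing from the SAN list is what produces the certificate warnings the original question was trying to avoid.

```powershell
# Added example: one public namespace for all Exchange client-access URLs.
# Assumptions (constructed): server EX01, namespace mail.domain.com and
# autodiscover.domain.com. Run from the Exchange Management Shell.
$server  = 'EX01'
$ns      = 'mail.domain.com'
$autoUri = 'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml'

# Internal and external URL are set to the same value for each virtual directory,
# so no .local name remains for clients (or the certificate) to care about.
Get-OwaVirtualDirectory -Server $server |
    Set-OwaVirtualDirectory -InternalUrl "https://$ns/owa" -ExternalUrl "https://$ns/owa"
Get-EcpVirtualDirectory -Server $server |
    Set-EcpVirtualDirectory -InternalUrl "https://$ns/ecp" -ExternalUrl "https://$ns/ecp"
Get-WebServicesVirtualDirectory -Server $server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$ns/EWS/Exchange.asmx" `
                                    -ExternalUrl "https://$ns/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "https://$ns/Microsoft-Server-ActiveSync" `
                                   -ExternalUrl "https://$ns/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server $server |
    Set-OabVirtualDirectory -InternalUrl "https://$ns/OAB" -ExternalUrl "https://$ns/OAB"
# Domain-joined Outlook clients look Autodiscover up through this SCP value.
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri $autoUri

# Check: every host name used above must be a SAN on the certificate assigned to
# IIS, otherwise Outlook raises a name-mismatch warning on every connection.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
foreach ($h in @($ns, ([uri]$autoUri).Host)) {
    if ($cert.CertificateDomains -contains $h) {
        Write-Output "$h is covered by certificate $($cert.Thumbprint)"
    } else {
        Write-Warning "$h is not a SAN on the IIS certificate; expect name-mismatch errors"
    }
}
```

Once every URL lives in the public namespace, the internal DNS only needs to answer for those two names (the pinpoint zones from the earlier reply), and the certificate needs only those two public SANs, which is the combination that removes the dependency on .local names entirely.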