Some specific questions on implementing Split DNS to fix new rules for Exchange SSL problem.

  • Question

  • I have an Exchange 2010 system running on Windows 2008 R2. We have some people using iPhones and Androids through ActiveSync and eventually MobileIron. The system will turn three years old in May. I got a message to renew my 3-year SSL cert for it, so I did. After I got the confirmation, I called their tech support for a related question and the tech told me I can't use my three-year cert because of internal domain names. I will need to renew for one year and then fix our system before next spring. I will do that, but my question is really about the specifics of what do I do?

    I realize I need a new forward lookup zone, I assume for ggcorp.com. Below are the names currently on the cert, so I guess we need to figure out what to do about the ones with server names and ending with .internal. FYI, Server3 is the CAS/HUB role server. My questions follow the list.

    1. Which names above do I need to have on the cert for Outlook/Exchange/ActiveSync to work? When I set it up, the guy at GoDaddy suggested the list above and it has worked since.

    2. I read in one thread I had to run a script so Exchange would use the .com address for both internal and external, but do I still need that with a split DNS, or is it either one or the other?

    3. While all the above and a couple other names resolve to internal servers from the internet, several (especially www) are hosted elsewhere. The same company that hosts them hosts our external DNS records. If I go with the split DNS and put a zone for ggcorp on my DNS servers here, the outside people (I think) will know nothing about it and continue hitting it as usual, but my internal users sometimes need to go to www.ggcorp.com and its related pages from here. Do I need to put in an entry in my new zone for every server in my public A record and then put their external IPs for internal users to find them?

    Thanks for the help!

    Tuesday, April 15, 2014 3:56 PM
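What the split-DNS zone asked about in questions 1 and 3 looks like on the internal DNS server, as an added example that is not part of the original post. The DNS server name dc1.ggcorp.internal, the IP addresses, and the choice of "mail" as the single client-facing name are assumptions; Server3 and ggcorp.com are from the thread. It uses dnscmd rather than the DnsServer PowerShell module because that module only ships with Windows Server 2012 and later, and the poster is on 2008 R2.

```powershell
# Added example (not from the thread): create an internal copy of ggcorp.com so
# that clients inside the network resolve the Exchange names to the CAS, while
# every public name hosted elsewhere is copied in with its external address.
# All addresses and the DNS server name below are assumed; replace them.
$DnsServer  = 'dc1.ggcorp.internal'   # internal DNS server (assumed name)
$Zone       = 'ggcorp.com'
$Server3Int = '10.0.0.3'              # assumed internal IP of Server3 (CAS/HUB)

# Names that must reach the CAS from inside. One shared name (mail) for all
# web services plus autodiscover keeps the certificate's SAN list short.
$InternalHosts = @{
    'mail'         = $Server3Int
    'autodiscover' = $Server3Int
    'server3'      = $Server3Int
}

# Public names hosted outside. Once this zone exists, internal clients see only
# what is in it, so each of these must be copied in with its public IP
# (assumed addresses; take the real ones from the public zone).
$ExternalHosts = @{
    '@'   = '203.0.113.10'   # the bare domain ggcorp.com, if the web site answers on it
    'www' = '203.0.113.10'
}

# 1. Create the zone. /DsPrimary stores it in Active Directory so it replicates
#    to the other domain controllers; on a stand-alone DNS server use
#    /Primary /file ggcorp.com.dns instead.
dnscmd $DnsServer /ZoneAdd $Zone /DsPrimary

# 2. Add the A records (static, no aging, so they are never scavenged).
foreach ($h in $InternalHosts.Keys) {
    dnscmd $DnsServer /RecordAdd $Zone $h A $InternalHosts[$h]
}
foreach ($h in $ExternalHosts.Keys) {
    dnscmd $DnsServer /RecordAdd $Zone $h A $ExternalHosts[$h]
}

# 3. Check: list the zone, then compare what an internal client gets with what
#    the public resolver gets. mail/autodiscover must differ (internal vs
#    public address); www must be identical on both sides.
dnscmd $DnsServer /EnumRecords $Zone '@'
foreach ($name in 'mail', 'autodiscover', 'www') {
    nslookup "$name.$Zone" $DnsServer
    nslookup "$name.$Zone" 8.8.8.8
}
```

The maintenance cost of this design is that the internal zone is now authoritative for all of ggcorp.com from the inside: any record added to the public zone later (a new web host, a TXT or MX record something inside relies on) has to be added here as well, or internal users get NXDOMAIN for it while the rest of the world resolves it fine.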


All replies

  • You will need pretty much this:

    server3.domain.com - you will need this if you use split DNS

    Where Technology Meets Talent

    Tuesday, April 15, 2014 11:33 PM
  • Hi,

    Here are my answers you can refer to:

    1. I assume your user email address suffix is ggcorp.com.
    To ensure Outlook clients can connect to Exchange, we need to add the name autodiscover.ggcorp.com. To ensure mail flow, the name server3.ggcorp.com is needed. The name for ActiveSync depends on the ActiveSync URL.
    If we set all web services URL with the same name, the namespace is minimized.

    2. Before answering the question, I'd like to confirm whether there is an address suffix ggcorp.internal or whether some URLs are configured with ggcorp.internal.
    If it's the address suffix, I recommend you add the .com name as an accepted domain and create an email address policy.
    If it's related to URLs, I recommend you change them to .com and recycle MSExchangeAutodiscoverAppPool.

    3. As far as I know, the public DNS entries will sync and be created in the local DNS server. If not, you can manually add the entry for internal users to find it.

    If I misunderstand your meaning, please feel free to let me know.
    Best regards,

    Angela Shi
    TechNet Community Support

    Friday, April 18, 2014 8:12 AM
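The Exchange side of the reply's three points, as an added example that is not part of the answer: moving every client-access URL to the public names, recycling MSExchangeAutodiscoverAppPool, handling the accepted-domain case, and requesting a replacement certificate that carries public names only. Server3 and ggcorp.com are from the thread; the "mail" host name, the organisation in the certificate subject, the file paths and the test mailbox are assumptions. Run it in the Exchange Management Shell on the CAS. The underlying reason the CA refused the three-year certificate is that public CAs stopped issuing certificates for names that cannot be validated in public DNS (.internal suffixes, bare host names), so every name Exchange hands to clients must both be on the certificate and resolve from inside and outside, which is what the split zone above provides.

```powershell
# Added example (not from the thread): Exchange 2010 on Server3, run in the
# Exchange Management Shell on the CAS. Domain and server come from the thread;
# "mail" as the shared web-services name, the subject, paths and mailbox are assumed.
$Cas    = 'Server3'
$Domain = 'ggcorp.com'
$Web    = "https://mail.$Domain"                                    # one name for all web services
$AutoD  = "https://autodiscover.$Domain/Autodiscover/Autodiscover.xml"

# 1. Internal and external URLs become identical; with split DNS the same name
#    resolves to the CAS inside and to the public address outside.
Get-OwaVirtualDirectory         -Server $Cas | Set-OwaVirtualDirectory         -InternalUrl "$Web/owa" -ExternalUrl "$Web/owa"
Get-EcpVirtualDirectory         -Server $Cas | Set-EcpVirtualDirectory         -InternalUrl "$Web/ecp" -ExternalUrl "$Web/ecp"
Get-WebServicesVirtualDirectory -Server $Cas | Set-WebServicesVirtualDirectory -InternalUrl "$Web/EWS/Exchange.asmx" -ExternalUrl "$Web/EWS/Exchange.asmx"
Get-OabVirtualDirectory         -Server $Cas | Set-OabVirtualDirectory         -InternalUrl "$Web/OAB" -ExternalUrl "$Web/OAB"
Get-ActiveSyncVirtualDirectory  -Server $Cas | Set-ActiveSyncVirtualDirectory  -InternalUrl "$Web/Microsoft-Server-ActiveSync" -ExternalUrl "$Web/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity $Cas -AutoDiscoverServiceInternalUri $AutoD
# Outlook Anywhere only has an external host name in 2010; the pipeline is empty if it is not enabled.
Get-OutlookAnywhere -Server $Cas | Set-OutlookAnywhere -ExternalHostname "mail.$Domain"

# 2. Recycle the Autodiscover pool so the new URLs are handed out immediately.
Import-Module WebAdministration
Restart-WebAppPool MSExchangeAutodiscoverAppPool

# 3. Only needed if mailboxes still carry @ggcorp.internal as their address:
#    make ggcorp.com an accepted domain and stamp it as the primary SMTP address.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $Domain })) {
    New-AcceptedDomain -Name $Domain -DomainName $Domain -DomainType Authoritative
    New-EmailAddressPolicy -Name $Domain -IncludedRecipients AllRecipients `
        -EnabledEmailAddressTemplates "SMTP:%m@$Domain", 'smtp:%m@ggcorp.internal'
    Update-EmailAddressPolicy -Identity $Domain
}

# 4. Certificate request with public names only: no .internal, no bare "server3".
#    server3.ggcorp.com is included for SMTP TLS between servers, as the reply notes.
#    The key is left exportable so the same certificate can be installed on a second CAS.
$CertNames = "mail.$Domain", "autodiscover.$Domain", "server3.$Domain"
$Csr = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName "C=US, O=GGCorp, CN=mail.$Domain" -DomainName $CertNames
Set-Content -Path 'C:\certs\ggcorp.req' -Value $Csr      # assumed path; submit this file to the CA
# When the CA returns the certificate (assumed path), import it and bind it to IIS and SMTP:
#   Import-ExchangeCertificate -FileData ([Byte[]](Get-Content 'C:\certs\ggcorp.cer' -Encoding Byte -ReadCount 0)) |
#       Enable-ExchangeCertificate -Services IIS,SMTP

# 5. Check: every URL and the Autodiscover URI must now use only names in $CertNames,
#    and an end-to-end Autodiscover test against a real mailbox (assumed) must pass.
Get-ClientAccessServer $Cas | Format-List AutoDiscoverServiceInternalUri
Get-OwaVirtualDirectory -Server $Cas | Format-List InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $Cas | Format-List InternalUrl, ExternalUrl
Test-OutlookWebServices -Identity "someone@$Domain"
```

Two things to watch when doing this for real: clients cache Autodiscover results, so expect Outlook to show certificate warnings until it has re-read the new URLs after the pool recycle, and the old .internal names remain valid in the internal AD zone, so any client still pointed at them (a hard-coded MobileIron profile, for example) keeps working until the old certificate expires, which is the window the poster has before next spring.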