Split DNS: how do I configure Exchange and DNS for the internal users

  • Question

  • Split DNS: how do I configure Exchange and DNS for the internal users to access web mail and Outlook?

    1) What changes need to be made in DNS (forward and reverse)?

    2) What changes need to be made in URLs like Autodiscover?

    3) How should the certificate be generated?

    Sunday, September 18, 2011 5:45 PM

Answers

All replies

  • Hello,

    Do you mean OWA by "web mail"? Then I'd prefer to use the internal FQDN of your Exchange server to connect (e.g. "https://servername.internaldomain.tld"), so for OWA you won't need to make any changes in your DNS.

    For Autodiscover, add a CNAME (or alternatively an SRV) entry for "autodiscover.internaldomain.tld" which points to your Exchange server's FQDN.

    Add both names to your certificate.

    Please be aware that this will only work for internal users. You have to make more changes when you want to implement access for external users.

    Greetings,

    Toni


    • Edited by da_doni Sunday, September 18, 2011 6:27 PM
    Sunday, September 18, 2011 6:26 PM
  • Let's consider this example: the external domain is contoso.com, the internal domain is fabrikam.local. You have two Exchange 2010 servers with the CAS role: CA01.fabrikam.local and CA02.fabrikam.local. Exchange is published to the Internet with TMG 2010. Internally, you have a load-balancer.

    Now the external URLs are:

    https://autodiscover.contoso.com (Autodiscover)
    https://mail.contoso.com (Outlook Anywhere)
    https://mail.contoso.com/owa (Outlook Web App)
    https://mail.contoso.com/ecp (Exchange Control Panel)
    https://mail.contoso.com/OAB (Offline Address Book)
    https://mail.contoso.com/Microsoft-Server-ActiveSync (ActiveSync)
    https://mail.contoso.com/ews/exchange.asmx (Exchange Web Services, Availability, Out of Office)

    Internally you would add mail.contoso.com as a new zone with the A record pointing to your load-balancer. Externally these URLs will resolve to a public IP address, internally they will resolve to a private IP address. You will change your internal URLs to match these external URLs (Autodiscover will be different). Most of the changes can be performed in the EMC by changing the internal URLs. For internal Autodiscover, you would issue this command:

    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:https://mail.contoso.com/Autodiscover/Autodiscover.xml

    For Exchange Web Services, you issue:

    Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl 'https://mail.contoso.com/ews/exchange.asmx'

    As to certificates, you now need a SAN / UC certificate with the names autodiscover.contoso.com and mail.contoso.com. But since we are using TMG in this example, we will also need to add CA01.fabrikam.local and CA02.fabrikam.local. TMG will typically decrypt and re-encrypt the payload.

    I always use reverse DNS lookup zones internally, but strictly it is not necessary. Externally, you need it for your SMTP servers to the Internet, if you don't use a smart host that has a PTR record.

    For certificate generation, take a look here, but do use a 3rd party provider:

    VIDEO: Certificate Wizard in Exchange 2010
    http://www.msexchange.org/articles_tutorials/videos/exchange-server-2010/video-certificate-wizard-Exchange-2010.html

    Some references on Split DNS:

    Exchange Autodiscover (Part 2)
    http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover-part2.html

    Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"
    http://support.microsoft.com/kb/940726


    MCTS: Messaging | MCSE: S+M

    Sunday, September 18, 2011 6:44 PM
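As an added example (not from the reply above or from any Exchange documentation), the Exchange 2010 Management Shell commands that make every internal URL match the public name from the example, followed by the SAN certificate request the reply describes. Assumed values: public name mail.contoso.com, CAS servers CA01/CA02.fabrikam.local, and the request file path C:\Temp\mail_contoso.req.

```powershell
# Added example: align Exchange 2010 internal URLs with the public host name so that
# one certificate and one set of Outlook settings work on both sides of the split DNS.
# Assumed: public name mail.contoso.com, CAS servers CA01/CA02.fabrikam.local.
$Public = 'mail.contoso.com'

# Autodiscover is the one URL that differs: it is a CAS setting, not a virtual directory.
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://$Public/Autodiscover/Autodiscover.xml"

# Virtual directories: same path as the external URL, public host name inside.
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory `
    -InternalUrl "https://$Public/ews/exchange.asmx"
Get-OwaVirtualDirectory        | Set-OwaVirtualDirectory        -InternalUrl "https://$Public/owa"
Get-EcpVirtualDirectory        | Set-EcpVirtualDirectory        -InternalUrl "https://$Public/ecp"
Get-OabVirtualDirectory        | Set-OabVirtualDirectory        -InternalUrl "https://$Public/OAB"
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory `
    -InternalUrl "https://$Public/Microsoft-Server-ActiveSync"

# Check: every virtual directory on every CAS should now show the public name internally.
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-ActiveSyncVirtualDirectory', 'Get-WebServicesVirtualDirectory') {
    & $cmd | Select-Object Server, InternalUrl, ExternalUrl
}

# Certificate request with the names the TMG publishing scenario needs (the .local
# names are only required because TMG re-encrypts to the CAS servers by their real
# FQDNs). Public CAs stopped issuing internal names such as .local in November 2015,
# so today the TMG-to-CAS leg would get an internal-CA certificate and the public
# request would carry only mail.contoso.com and autodiscover.contoso.com.
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName 'Exchange SAN certificate' `
    -SubjectName "CN=$Public, O=Contoso, C=US" `
    -DomainName $Public, 'autodiscover.contoso.com', 'CA01.fabrikam.local', 'CA02.fabrikam.local'

# Base64 PKCS#10 request to submit to the certificate provider. After the certificate is
# returned: Import-ExchangeCertificate ... | Enable-ExchangeCertificate -Services IIS
Set-Content -Path 'C:\Temp\mail_contoso.req' -Value $req -Encoding ASCII
```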
  • Thanks Jon for your reply. I have only one server for all roles. As you mentioned in the example, I created a zone called contoso.com and added an A record called mail. So mail.contoso.com is the FQDN (it is the same IP address as the Exchange server, since I have only one server with all roles). Now my DNS does not resolve mail.contoso.com internally. ????
    Tuesday, September 20, 2011 6:28 PM
  • You should not add contoso.com as an internal DNS zone. This was perhaps a bit unclear from my side. You should add mail.contoso.com as its own zone, assigned the internal IP address of your Exchange server.

    So, delete the internal zone contoso.com. Add a new zone called mail.contoso.com (if that is the public name for your Exchange services).

    When your zone is complete, click Finish (Done).

    And now comes the clue:

    * Right-click your new zone (mail.contoso.com), and select "New Host (A or AAAA)".
    * Add your internal IP address to the host, but leave the Name blank. Also leave the PTR record unchecked. Click Add Host.
    * Now you should see a blank host, with the correct internal IP address.

    The end effect should be that mail.contoso.com has only one A record, and that is the zone itself. nslookup should return:

    nslookup mail.contoso.com

    Name:    mail.contoso.com
    Address:  10.0.0.4 (your internal private IP address)

    Configuring it this way allows you to resolve all external records belonging to the contoso.com zone, except mail.contoso.com.


    MCTS: Messaging | MCSE: S+M
    • Proposed as answer by tbouttell Thursday, April 18, 2013 8:40 PM
    Tuesday, September 20, 2011 7:34 PM
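The "pinpoint" zone described in the reply above, as an added example that is not part of the original post, done with the DnsServer PowerShell module (Windows Server 2012 or later; the 2008 R2 MMC steps in the reply produce the same records). Assumed values: public name mail.contoso.com, internal address 10.0.0.4, run as an administrator on an AD-integrated DNS server.

```powershell
# Added example: create the mail.contoso.com pinpoint zone and verify it.
# Assumed: zone/host name mail.contoso.com, internal IP 10.0.0.4, DnsServer module.
$PublicName = 'mail.contoso.com'
$InternalIp = '10.0.0.4'

# The zone name IS the host name. contoso.com itself is never hosted internally, so
# www.contoso.com and the public MX records keep resolving through the Internet.
if (-not (Get-DnsServerZone -Name $PublicName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicName -ReplicationScope Domain
}

# One A record at the zone apex ("@" is the blank Name field in the MMC). No PTR:
# the reverse zone should keep pointing 10.0.0.4 at the server's real internal FQDN.
$apex = Get-DnsServerResourceRecord -ZoneName $PublicName -RRType A -ErrorAction SilentlyContinue
if (-not $apex) {
    Add-DnsServerResourceRecordA -ZoneName $PublicName -Name '@' -IPv4Address $InternalIp
}

# Verify the two properties that matter for split DNS:
#  1. the public name resolves to the private address from inside the network;
#  2. a sibling public host still resolves, i.e. contoso.com was not hijacked.
$inside = Resolve-DnsName -Name $PublicName -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }
if ($inside.IPAddress -notcontains $InternalIp) {
    throw "$PublicName resolves to $($inside.IPAddress -join ','), expected $InternalIp"
}

$sibling = Resolve-DnsName -Name 'www.contoso.com' -Type A -ErrorAction SilentlyContinue
if (-not $sibling) {
    Write-Warning 'www.contoso.com does not resolve: check that no internal contoso.com zone exists'
}

# Same view nslookup gives: the zone itself is the only A record.
Get-DnsServerResourceRecord -ZoneName $PublicName -RRType A |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
```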
  • Makes a lot of sense and is very easy to understand. Thanks!

    I have one question though.

    Commercial certs only support valid domain names (.com, .net etc.). How do I use a cert to validate my .local Exchange server (keep in mind we do not have a load balancer, just the TMG, which doesn't support these types of certs)?

    Wednesday, March 27, 2013 1:17 AM
  • This is something that is going to change. Here in the NEAR future, no more .local on certificates.

    So, if we have 1x domain and 2x domains to deal with, this is why our cell phones FAIL on internal networks. The ActiveSync and internal server name is the FQDN, which will be different from the external domain name on the SAN certificate.

    I have been digging and reading long and hard trying to figure out what is to be done.

    The internal Receive Connector will not allow us to change the FQDN.

    Any thoughts on how to set this up for internal and external under ONE domain, even though the internal domain is different?

    Thursday, December 5, 2013 12:27 AM
  • Hi,

    Your advice can help me. I am a little confused. Below is an explanation of how I am setting things up:

    - I have a site online, www.newsite.com

    - By default the web hosting provider automatically set up a zone mail.newsite.com

    I would like users to access Exchange with the same URL on both sides (internal and external).

    I have already installed Ad map on intra.newsite.com

    So what do I need to add, like a zone on both sides?

    Thanks

    Wednesday, January 30, 2019 7:57 AM