Re: Internal Namespace Issue



Craig Johnson <CraigJohnson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Thank you for your response... First off, renaming the domain is not
an option. I don't need any more headaches.

My problem is... We have Exch07 deployed and it needs to be
accessible by Outlook from both the inside and outside. So, we
created a verisign cert to handle the external connections, however,
the internal outlook clients are resolving to the FQDN of the server
name and the AD domain, thus generating a cert warning. Just an
inconvenience that we'd like to eliminate.

Then it sounds like something is screwed up somewhere. Your internal Outlook
users should be connecting to localservername.domain.com - which should not
exist on the public Internet. They should use only the private/internal DNS
server IP address(es) in their ipconfigs, so there's no way that
localservername.domain.com should resolve to anything outside your LAN.

Users who connect using OL Anywhere should also be connecting to
localservername.domain.com - using the SSL Certificate for the public
FQDN/autodiscover, which proxies the information to
localservername.domain.com -

I suggest you post in microsoft.public.exchange.admin to confirm your
current settings are correct.
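A quick way to do the confirmation the reply asks for is to compare the host names Outlook is handed by Autodiscover against the names carried by the certificate bound to IIS. The script below is an added example, not something posted in this thread; it assumes the Exchange 2007 Management Shell on the Client Access server, and `EXCH07` is a placeholder for the real server name.

```powershell
# Added example, not part of the thread. Assumes the Exchange 2007 Management
# Shell on a Client Access server; 'EXCH07' is a placeholder server name.
$server = 'EXCH07'

# Collect every URL Outlook can be handed by Autodiscover for this server.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
foreach ($vd in Get-WebServicesVirtualDirectory -Server $server) { $urls += $vd.InternalUrl; $urls += $vd.ExternalUrl }
foreach ($vd in Get-OABVirtualDirectory -Server $server)         { $urls += $vd.InternalUrl; $urls += $vd.ExternalUrl }

# Reduce to the distinct host names clients will actually present in the TLS handshake.
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique

# Names present on the certificate(s) bound to the IIS service (the ones Outlook sees).
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { [string]$_ }

# Any host name no IIS-bound certificate covers is a name Outlook will warn about.
# '-like' lets a wildcard entry such as *.example.com match its sub-names.
foreach ($h in $hosts) {
    $covered = @($certNames | Where-Object { $h -like $_ }).Count -gt 0
    if ($covered) { "OK       $h" } else { "MISMATCH $h  (no IIS-bound certificate carries this name)" }
}
```

Every line reported as MISMATCH is a name that either needs to be changed (so internal clients are pointed at a name the purchased certificate already covers) or needs to appear on a certificate, which, for a name that cannot be issued publicly, means an internally issued one.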



"Phillip Windell" wrote:

"Craig Johnson" <CraigJohnson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:4455CA3F-DB1E-4349-84D1-79D41D4569BA@xxxxxxxxxxxxxxxx
We have inherited an internal namespace that was created by an admin
that is no longer with our company. The namespace already exists, and
is registered to another company on the web. This is now creating
problems when we want to issue certificates for our Exchange and OCS
servers. If we purchase a 3rd party cert we cannot add the additional
internal FQDN to support the clients connecting internally.

Your internal Active Directory Domain Name has absolutely nothing to
do with the Internet directly. Simply come up with a new Name for
the *public* presence and leave the AD Name the way it is. At the
very worst you just won't be able to access the website of that
particular company without creating a "www" A Record in your AD Zone
with their IP#,...but if you have no need to interact with that
company then don't worry about it.

On your DNS you create a 2-Zone Split-DNS to cover the DNS for both
your AD Zone and your Public Zone.

For your Certificates,..it is like this....if this is primarily used
against your Public FQDN then you do what I said above (Public FQDN
spelled differently than the AD FQDN) then you are covered. If you
do the certs against your AD FQDN and all the "activity" surrounding
it is done only within your internal network,...then pick a good
Server for the job and install the Windows Certificate Services and
issue your own Certificates instead of going third-party.

Renaming the Domain is possible but dangerous,..as Lanwench said.
It would probably be just as easy to create a whole new Domain and
use the ADMT to migrate everything to the new one and eliminate the
old one. When creating the new Domain you have the opportunity to
choose whether you want the AD FQDN and the Public FQDN to be
spelled the same way or not. That is a personal preference with
"consequences" in either choice,...but keep in mind that they are
two entirely *different* things and have nothing to do with each
other. They just both happen to share the term "domain" between
them.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
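The "2-Zone Split-DNS" described above comes down to hosting a private copy of the public zone on the internal DNS servers, so that internal clients resolve the public names to internal addresses while the AD zone is left untouched. The commands below are an added example, not from the thread; they assume a Windows DNS server running on a domain controller, and `example.com`, `DC1`, `10.0.0.25` and `203.0.113.10` are placeholders.

```powershell
# Added example, not part of the thread. Assumes a Windows DNS server that is
# also a domain controller; zone name, server name and addresses are placeholders.
$publicZone = 'example.com'      # the public name, spelled differently from the AD zone
$dnsServer  = 'DC1'
$casIp      = '10.0.0.25'        # the *internal* address of the Exchange Client Access server

# 1. Create an AD-integrated copy of the public zone. Internal resolvers now answer
#    for it themselves instead of forwarding the query to the Internet.
dnscmd $dnsServer /ZoneAdd $publicZone /DsPrimary

# 2. Populate the names internal clients need, pointing at internal addresses.
#    The internal copy shadows the public zone completely, so every public host the
#    LAN must still reach (www, autodiscover, ...) has to be listed here as well.
dnscmd $dnsServer /RecordAdd $publicZone mail         A $casIp
dnscmd $dnsServer /RecordAdd $publicZone autodiscover A $casIp
dnscmd $dnsServer /RecordAdd $publicZone www          A 203.0.113.10   # the public web server's own IP

# 3. Confirm from the inside that the name now resolves to the internal address.
nslookup "mail.$publicZone" $dnsServer
```

With the public name resolving internally, the Exchange internal URLs can point at that same name, so one certificate issued for the public FQDN covers Outlook both inside and outside, and the AD-zone host name never has to appear on a third-party certificate.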


