RESET Forums (homeservershow.com)

windows server 2012 r2 / exchange 2013 split dns




I have a question about the way my Windows Server 2012 resolves the internal and external addresses. Right now I have an internal domain: yyy.example.local, and an external domain: yyy.example.com. I have an Exchange certificate for my external domain yyy.example.com and that is working fine for the Exchange users. When users access Exchange internally they receive an error because the certificate name doesn't match the internal address, which is logical.
My question is: how can I make my internal address redirect to my external address? So that when users access Exchange internally they will receive the right external address without any errors. I've tried the options below, but this does the opposite: it links my external address to my internal one.

1. create new forward NON-AD Zone on DNS server for the external name of the mail server that is on your cert:  remote.yyy.org

2. go into the new zone, make a new A record, the name is blank and put IP as internal mail server.

3. Go into Exchange Admin GUI and go to server section - virtual directories - change the website to the external name:  remote.yyy.org/xxx

4. You cannot change Autodiscover from the GUI - open the shell and run:
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://remote.yyy.org/autodiscover/autodiscover.xml
CONFIRM: Get-ClientAccessServer | ft Name,AutoDiscoverServiceInternalUri

5. In server section of GUI, double click on server, go to outlook anywhere section, change both internal and external to what is on cert: remote.yyy.org

6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to

Do you guys have any suggestions?





The problem is the name of the Exchange server as seen by external and internal client PCs; let's assume it's exch.yyy.example.local. Outlook 2013 (and to some extent 2010) and Exchange 2013 communicate over SSL even on the internal network and expect to find properly matching certificates.


What you should have done is to purchase a certificate which allows multiple SANs (subject alternative names) so that the certificate name matches the external mail server name (mail.yyy.example.com or whatever) but it will also certify any included SANs, and you would have specified exch.yyy.example.local as one of the SANs - you must be sure to use the fully qualified server name.


You may well be able to contact the certification authority and see if they can reissue the cert with an additional SAN. You'll need to manually import the new cert into Exchange and assign the services (IIS mainly) to it.


Alternatively, set up your domain controller as a certificate server (add the role and run through the wizard). On the Exchange server, create a new cert request and submit it to the DC. On the DC, create the cert and send it back to the Exchange server (it's been a little while since I have done this and I vaguely recall there being an issue with the certificate template, so there's a little bit of command-line work to do). Install the cert on the Exchange server and, in theory, since it is now certified by the DC, and by default all domain-joined client PCs also trust anything which has been signed by the DC - assuming it's been configured as a root certification authority - all the PCs will trust the Exchange server and your problems are over.


At least in theory!


Getting internally signed certificates working properly is a real pain in the proverbial so if possible I'd get your third party cert reissued if you can.



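The SAN route described in the reply above, written out as an added example (this is not code from the thread or from any poster): request a multi-name certificate from the Exchange Management Shell, import and bind the CA's reply, then pull the certificate the server actually presents on port 443 and check whether a given host name matches its CN or any SAN. The server name EXCH01, the names mail.yyy.example.com and autodiscover.yyy.example.com, the C:\certs paths and the subject O/C values are assumptions for the example, not values from the thread.

```powershell
# Added example, not code from this thread. Request a SAN certificate for
# Exchange 2013, import the CA's reply, bind it to IIS and SMTP, then inspect
# which names the server presents on 443 and whether a host name matches them.
# Assumed (not from the thread): server EXCH01, names mail.yyy.example.com and
# autodiscover.yyy.example.com, request/reply files under C:\certs.
# Run in the Exchange Management Shell.

# 1. CSR. -DomainName fills the Subject Alternative Name extension. Put only
#    public names here: public CAs no longer issue for internal names (*.local).
$req = New-ExchangeCertificate -GenerateRequest -Server EXCH01 `
    -SubjectName 'CN=mail.yyy.example.com, O=YYY, C=NL' `
    -DomainName mail.yyy.example.com, autodiscover.yyy.example.com `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\mail.yyy.example.com.req' -Value $req

# 2. Import the signed certificate returned by the CA and assign services to it.
$cert = Import-ExchangeCertificate -Server EXCH01 `
    -FileData ([byte[]](Get-Content -Path 'C:\certs\cert.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server EXCH01 -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# 3. Fetch the certificate a client would see for a name and list CN + SAN entries.
function Get-TlsCertificateNames {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the goal is to inspect the certificate, not trust it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($HostName)
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($x509.GetNameInfo('DnsName', $false))
        $san = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format($true) renders one "DNS Name=host" line per SAN entry on Windows.
            $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $names | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
    } finally {
        $tcp.Close()
    }
}

# Name matching the way Outlook and browsers do it: exact match, or a wildcard
# covering exactly one label (*.yyy.example.com does not match a.b.yyy.example.com).
function Test-CertificateNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)            # e.g. ".yyy.example.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -ne '' -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Internal clients use the .local name, external ones the public name. Only one
# of the two can match unless the .local name is also on the certificate.
foreach ($name in 'mail.yyy.example.com', 'exch.yyy.example.local') {
    $presented = Get-TlsCertificateNames -HostName $name
    $ok = Test-CertificateNameMatch -HostName $name -CertNames $presented
    '{0}: presented [{1}] -> match = {2}' -f $name, ($presented -join ', '), $ok
}
```

The validation callback that returns `$true` is only acceptable in this diagnostic, where the certificate is being read, not relied on; never carry that pattern into client code. Step 3 is also a quick way to confirm, after `Enable-ExchangeCertificate`, that IIS is really serving the new certificate and not the self-signed one Exchange setup installs.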

jem101, I'm sure glad you're here to answer these cert questions. AFAIC, certs are a huge PITA. The whole system is a house of cards waiting to collapse. There has GOT to be a better way.


Windows Certificate Services - 'proudly causing grief since 2003'


There is a sort of logic to certificates you just need to get your head around the way they work and what they are actually doing, or at least think they're doing.


Call me cynical (and being British it is part of our national makeup), it's almost as if Microsoft are deliberately trying to push everyone away from Exchange to Office 365 - surely not!


Yeah, I pretty much understand the concepts, but the practical reality is a nightmare: too many CAs (and too many you can't really trust in any case); certs that are way too expensive; and methods of applying for, receiving, and installing certs that are just too arcane.


To me, at this point, the whole system fails to satisfy its primary purpose: to certify that somebody really is who they say they are. I don't think the system is trustworthy.



In my experience a SAN certificate is not required in this type of setup, however, correctly configuring Exchange is required.


There are two URLs for most Exchange Web Services, an internal and an external one.


These can be set to the same value, and that value can be tied to a single name certificate.


Lets say we use myserver.remotewebaccess.com for our Essentials box, and then mail.mydomain.com for Exchange. If you set the Web Services URLs for Exchange to mail.mydomain.com then your requests will always work.


The other consideration is AutoDiscover, which depending on the configuration of your domain, may behave in a number of different ways. A SAN certificate can help with this, but you will struggle to find anyone who will issue a certificate with internal names on it these days.


I believe Test-WebServicesConnectivity would be a useful command to look at.



And these commands, nicely collated by the good folks at Third Tier.

Get-ActiveSyncVirtualDirectory | fl internalurl,externalurl
Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl
Get-ECPVirtualDirectory | fl internalurl,externalurl
Get-OabVirtualDirectory | fl internalurl,externalurl
Get-WebServicesVirtualDirectory | fl internalurl,externalurl

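The single-name approach the post above recommends, combined with the split-DNS steps from the original question, as one added example (not code from the thread or from any poster): create an internal zone for just the public host name, point every Exchange 2013 client endpoint at that name for both internal and external use, set the Autodiscover SCP and Outlook Anywhere the same way, then run the checks. The DNS server DC01, the Exchange server EXCH01 at 10.0.0.5, the public name mail.yyy.example.com and the mailbox user@yyy.example.com are assumptions for the example, not values from the thread.

```powershell
# Added example, not code from this thread. In one pass: a split-DNS zone for the
# public host name, the same public URL on every Exchange 2013 client endpoint,
# and the checks. Assumed (not from the thread): DNS server/DC DC01, Exchange
# server EXCH01 at 10.0.0.5, public name mail.yyy.example.com, a test mailbox
# user@yyy.example.com. Run in the Exchange Management Shell on a host that also
# has the DnsServer RSAT module.

$PublicName = 'mail.yyy.example.com'
$Server     = 'EXCH01'
$InternalIP = '10.0.0.5'
$DnsServer  = 'DC01'
$base       = "https://$PublicName"

# 1. Split DNS. The zone is named after the single public host, so only that
#    name is overridden internally; everything else under yyy.example.com still
#    resolves via public DNS. The apex A record carries the internal address.
if (-not (Get-DnsServerZone -Name $PublicName -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicName -ZoneFile "$PublicName.dns" -ComputerName $DnsServer
}
Add-DnsServerResourceRecordA -ZoneName $PublicName -Name '@' -IPv4Address $InternalIP -ComputerName $DnsServer

# 2. One URL, internal and external, on each virtual directory clients use.
$paths = @{
    Owa         = 'owa'
    Ecp         = 'ecp'
    WebServices = 'EWS/Exchange.asmx'
    Oab         = 'OAB'
    ActiveSync  = 'Microsoft-Server-ActiveSync'
}
foreach ($vd in $paths.Keys) {
    $url = "$base/$($paths[$vd])"
    & "Get-${vd}VirtualDirectory" -Server $Server |
        & "Set-${vd}VirtualDirectory" -InternalUrl $url -ExternalUrl $url
}
# MAPI over HTTP exists only from Exchange 2013 SP1 on; omit on earlier builds.
Get-MapiVirtualDirectory -Server $Server |
    Set-MapiVirtualDirectory -InternalUrl "$base/mapi" -ExternalUrl "$base/mapi"

# 3. Outlook Anywhere, plus the Autodiscover SCP that domain-joined Outlook reads
#    from AD before it tries DNS. The SCP value must be a full URL.
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere `
    -InternalHostname $PublicName -InternalClientsRequireSsl $true `
    -ExternalHostname $PublicName -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Basic
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# 4. Verify. Every URL should carry the public name, the name must resolve to
#    the internal address from inside, and the EWS/OAB/Autodiscover probes must
#    pass for a real mailbox.
foreach ($vd in @($paths.Keys) + 'Mapi') {
    & "Get-${vd}VirtualDirectory" -Server $Server | Select-Object Name, InternalUrl, ExternalUrl
}
Get-ClientAccessServer -Identity $Server | Format-Table Name, AutoDiscoverServiceInternalUri
Resolve-DnsName -Name $PublicName -Server $DnsServer -Type A | Format-Table Name, IPAddress
Test-OutlookWebServices -Identity 'user@yyy.example.com'
```

Two points worth keeping in mind when adapting this. Basic authentication on Outlook Anywhere is only safe because `-ExternalClientsRequireSsl $true` keeps it inside TLS; NTLM or Negotiate is the usual choice for the internal side. And the zone is deliberately named after the host, not the domain: a zone for yyy.example.com itself would silently break internal resolution of every other public record in that domain (the website, MX, SPF) unless each one is copied into the internal zone.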
