Question about Exchange

dynamitekiddynamitekid Posts: 20Registered Members ■□□□□□□□□□
It is recommended by Microsoft that the internal domain name is different from the external. I have a test lab where i have my internal domain name as globomantics.local and external as globomantics.com. The problem is that when outlook auto configures, it uses the domain .local. Is there a way i can use .com without changing my internal dns name? Maybe a cname record?

Comments

  • it_consultantit_consultant Posts: 1,903Registered Members
    I think you might be talking about two different things. When outlook auto-configures it will use the internal domain name of the server no matter what. This is a big reason we we use SAN certs on our servers because Outlook Anywhere will connect to say "mail.globomantics.com" but when the RPC/HTTPS tunnel is nailed up, it will resolve "mail.globomantics.local" or whatever its internal name is. In your lab - just don't worry about the cert and click through the cert error.

    Now, if the situation is that it configures your email ADDRESS with the .local extension instead of .com, then you just need to change your default email address policy to assign a dot com address to your user accounts.
  • rsuttonrsutton Posts: 1,029Registered Members
    For what it's worth, this "best practice" may be changing soon as the public CA's are not allowing you to generate a certificate with a .local or similar name on your SAN after November of 2015.
  • ClaymooreClaymoore Posts: 1,637Registered Members
    It is recommended by Microsoft that the internal domain name is different from the external.

    Mostly true, but .local domain names have never been recommended. You could use corp.globomantics.com for the internal domain or just keep the domains the same. Many companies keep them the same and it makes things easier when dealing with certificates, UPNs, ADFS and integration with external organizations or Office 365 and Azure.

    Autodiscover has an order of operations, and Outlook Autodiscover can be configured using group policy (if you need to disable SCP lookups in a forest with multiple child domains for example). The CAS registers itself as a Service Connection Point in AD using its FQDN when it is installed. You can change this to a FQDN that is part of your SAN cert with the Set-ClientAccessServer cmdlet.

    Set-ClientAccessServer -Identity "CAS-01" -AutoDiscoverServiceInternalUri "https://autodiscover.contoso.com/autodiscover/autodiscover.xml";

    Make sure you have a DNS record for Autodiscover that points to a CAS or is load balanced to the internal servers.
  • dynamitekiddynamitekid Posts: 20Registered Members ■□□□□□□□□□
    So if the internal domain name is the same as the external, how would an outside client differentiate from the external and internal.
  • ClaymooreClaymoore Posts: 1,637Registered Members
    Most simply, DNS. The client will query Autodiscover.globomantics.com and Webmail.globomantics.com from an external DNS server and get an external IP to connect to the service. Internal DNS will point to an internal IP. More complex is the EXPR and EXCH data returned in an autodiscover response. The EXPR data are the Outlook Anywhere URL and External URLs of the services like EWS and OOF that the Outlook client can use when outside the domain.

    You can have different internal and external names, but that doubles the entries in the SAN certificate and makes it more expensive. If you have a .local internal domain, you won't be able to buy a certificate past November 2015.
Sign In or Register to comment.