  • So now that SAN certs are no longer (as of Nov '15) an option for internal domains/hosts, one has to decide how to design AD/Exchange. I need your input.

    1. In my opinion, if one is now designing a new AD forest, or is willing to go through with a painful domain rename/migration process, it is best to avoid using .local; just use the public domain for AD and all problems are solved. Yeah, you'll end up with a split-DNS, needing to create your DNS zone twice, but it's worth the (minor) additional work to avoid greater pain. AD's namespace will be, the Exch server's hostname will be Mail (or whatever CN/A record the external clients use), and you end up with an internal URL that's identical to the external URL. But what if one has multiple mailbox servers, externally facing CAS arrays (true for both 2010 and 2013) and a load balancer? For the external clients, I only need that one URL, but how would I address/name the internal resources?

    Some old timers can't wrap their brain around using a public domain for AD. Indeed, Microsoft has been brainwashing us for years to avoid public domains when designing AD; it's a tough adjustment, but that's pretty much what it comes down to.

    2. But if one can't start from scratch, one option would be to change the internal URL to the externally facing URL and then either use a split-DNS, or allow the spoof-like traffic through your firewall (as internal clients go out and back in on the same interface). But does it solve the fact that internal clients will be looking for the internal hostname (i.e. ExchSrvr01)? Will this work in an Exchange 2013 environment as well?

    3. For those who insist on not using a public domain for AD, the only available option would be to use an internal CA for the internal resources and a public certificate for the public side. But what if one is hosting all roles on a single box (or in the case of 2010 doesn't have an Edge server)? Is it possible to assign two different certificates to the same box for the same resources? How? Set up a second set of virtual directories? How would that be set up?


    Wednesday, October 16, 2013 4:02 PM
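The following is an added example, not code from the poster or from Microsoft, showing how the approach in point 2 (internal URL set to the public name, backed by a split-DNS zone) would be audited and applied from the Exchange Management Shell and the DNS Server module. All names and addresses (mail.example.com, 10.0.0.25, EXCHSRVR01) are placeholders; the cmdlets used (Get/Set-*VirtualDirectory, Set-OutlookAnywhere, Set-ClientAccessServer, Get-ExchangeCertificate, Add-DnsServerPrimaryZone, Add-DnsServerResourceRecordA) are the standard Exchange 2010/2013 and Windows Server DNS cmdlets.

```powershell
# Added example (not from the original post). Assumed/placeholder values:
$PublicName = 'mail.example.com'   # the name on the public certificate
$InternalIP = '10.0.0.25'          # LAN address of the server or load-balancer VIP
$Server     = 'EXCHSRVR01'         # Exchange server NetBIOS name

# 1. Inventory: list every client-access URL whose internal name differs from
#    the external one, i.e. what internal Outlook/OWA clients are currently told to use.
function Get-VdirUrlReport {
    param([string]$ServerName)
    $vdirs = @(
        Get-OwaVirtualDirectory         -Server $ServerName
        Get-EcpVirtualDirectory         -Server $ServerName
        Get-ActiveSyncVirtualDirectory  -Server $ServerName
        Get-WebServicesVirtualDirectory -Server $ServerName
        Get-OabVirtualDirectory         -Server $ServerName
    )
    foreach ($v in $vdirs) {
        [pscustomobject]@{
            VirtualDirectory = $v.Identity
            InternalUrl      = $v.InternalUrl
            ExternalUrl      = $v.ExternalUrl
            Mismatch         = ([string]$v.InternalUrl -ne [string]$v.ExternalUrl)
        }
    }
}

# 2. Check that the certificate bound to IIS actually covers the public name;
#    otherwise internal clients get certificate warnings once the URLs change.
function Test-IisCertCoversName {
    param([string]$Name)
    $iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
    foreach ($c in $iisCerts) {
        $domains = $c.CertificateDomains | ForEach-Object { $_.ToString() }
        if ($domains -contains $Name) { return $true }
    }
    return $false
}

# 3. Align: make InternalUrl and ExternalUrl identical, both on the public name.
function Set-VdirUrlsToPublicName {
    param([string]$ServerName, [string]$Name)
    $base = "https://$Name"
    Get-OwaVirtualDirectory         -Server $ServerName | Set-OwaVirtualDirectory         -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
    Get-EcpVirtualDirectory         -Server $ServerName | Set-EcpVirtualDirectory         -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
    Get-ActiveSyncVirtualDirectory  -Server $ServerName | Set-ActiveSyncVirtualDirectory  -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
    Get-WebServicesVirtualDirectory -Server $ServerName | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
    Get-OabVirtualDirectory         -Server $ServerName | Set-OabVirtualDirectory         -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
    # Outlook Anywhere uses hostnames; -InternalHostname exists on Exchange 2013
    # (2010 only has -ExternalHostname). Autodiscover is a URI on the CAS object.
    Get-OutlookAnywhere -Server $ServerName | Set-OutlookAnywhere -InternalHostname $Name -ExternalHostname $Name `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
    Set-ClientAccessServer -Identity $ServerName -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
}

# 4. Split-DNS on an AD-integrated DNS server: a zone for just the public host,
#    so LAN clients resolve it to the internal address while every other
#    example.com record keeps resolving through the public DNS.
function New-SplitDnsHostZone {
    param([string]$Name, [string]$IPv4)
    if (-not (Get-DnsServerZone -Name $Name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Name -ReplicationScope 'Forest'
    }
    Add-DnsServerResourceRecordA -ZoneName $Name -Name '@' -IPv4Address $IPv4
}

# Usage (run the first two before changing anything):
Get-VdirUrlReport -ServerName $Server | Format-Table -AutoSize
if (Test-IisCertCoversName -Name $PublicName) {
    Set-VdirUrlsToPublicName -ServerName $Server -Name $PublicName
    New-SplitDnsHostZone -Name $PublicName -IPv4 $InternalIP
} else {
    Write-Warning "IIS certificate does not contain $PublicName; fix the certificate first."
}
```

With several mailbox/CAS servers behind a load balancer, the same functions are run once per server (loop over `Get-ClientAccessServer`) with the single public name, and the split-DNS record points at the load balancer's internal VIP rather than at any one server; the per-server hostnames then only matter for server-to-server traffic, not for client URLs.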
