Exchange Certificate Renewal Subject Alternative Name Split DNS Autodiscover

Question

Exchange Certificate Renewal Subject Alternative Name Split DNS Autodiscover

jeff mcnabney 301

Exchange 2016, on a split dns environment with existing local AD CA certificate, will have certificate replaced with 3rd party. The are 3 domains on this server...

domain1.com
domain2.com
domain2.local

I will be ignoring the domain2.local SAN's in the new certificate, but how do i handle the autodiscover?

The Virtual directories [ecp,ews,mapi,activesync,oab,owa] all point at correctly resolving fqdn CN="mail.domain1.com"... my concern is with autodiscover...

if i do an nslookup locally, it resolves to the correct IP of the exchange server, but shows the fqdn as "autodiscover.domain2.local". 3rd party verification will require access to the .local domain to verify ownership, which won't work.

Do I need to change this resolution to the fqdn CN=mail.domain1.com. How do i change this?

When generating the CSR, the server includes autodiscover.domain1.com AND autodiscover.domain2.com... How do i handle this scenario?
If i do a local lookup of autodiscover.domain1.com OR autodiscover.domain2.com... they both come up empty. Are some DNS records missing?

The autodiscover is NOT used off premises, only on the local network. I just don't want to muck up any internal config by screwing up the autodiscover in the certificate.

Accepted answer

1 additional answer

Your answer

Answer 1

Andy David - MVP 157.8K

The nslookup of the server doesnt matter, what matters is what is set internally to the Autodiscover SCP and that it resolves in DNS.

So if you want to set autodiscover internally to mail.domain1.com, then you need that on the cert as a subject name OR part of a wildcard.

Set-ClientAccessService -Identity <server>  -AutoDiscoverServiceInternalUri "https://mail.domain1.com/autodiscover/autodiscover.xml"

If mail.domain1.com resolves in DNS and the subject is on the cert applied to IIS, then you are good.

when generating the CSR, include both of those subject names and ensure they are set in external DNS correctly to point to the external Exchange endpoint.
Internally, there is no absolute requirement to do this because domain joined machines will use the SCP, but I would anyway and create those records:
autodiscover.domain1.com
autodiscover.domain2.com

and have them point to the Exchange Server endpoints and have those as subject names on the certs!

jeff mcnabney 301 Reputation points

2021-02-17T19:03:57.567+00:00

I did a deep dive and found that the AutodiscoverService is already set to mail.domain1.com/autodiscover/autodiscover.xml... So all the internal services point at that domain, and it points to our endpoint externally as well. so i can set the CN=mail.domain1.com.

I'm still not sure i'm following 100% on the SAN records though. Are you saying if i include the autodiscovers as SAN's on the cert, they NEED to resolve in DNS externally as well, even though they would never be used to connect? The second domain has no resolution internally or externally. do i even need to include them as a SAN on the cert?
Andy David - MVP 157.8K Reputation points

2021-02-17T19:22:26.487+00:00

Oh, in that case, no. If you have zero accounts with that second domain set as their primary SMTP address, then you dont need it on the cert or with an autodiscover record. I hope I am understanding you correctly.
In other words, if its not used by clients, then don't include it!
jeff mcnabney 301 Reputation points

2021-02-17T19:52:16.807+00:00

So i have CN=mail.domain1.com in my certificate. If i add a SAN = autodiscover.domain1.com to the certificate as well, i have two scenarios:

1- i need to make sure that the external DNS for domain1 contains a record that resolves autodiscover.domain1.com to the exchange endpoint...

-OR-

2- if no one uses autodiscover outside the local network, do i even need to include it as a SAN, and just create the cert using the CN and that all.

-AND-

If i add SAN = mail.domain2.com to the certificate, it already resolves to the exchange endpoint, so i would also need to make sure the DNS for that domain has a record for autodiscover.domain2.com that points to the exchange endpoint unless i again do NOT need to include it since no one uses autodiscover outside the LAN.

And you're saying that if i do NOT include the autodiscover(s) as SAN's it will not affect the LAN side since local users use the SCP's to connect via the local domain, even when setting up new accounts?
Andy David - MVP 157.8K Reputation points

2021-02-17T20:10:56.517+00:00

You need the autodiscover entry on that cert, because its one cert that both internal and external are users are accessing.
So even if you don't have an autodiscover.domain.com entry in internal DNS, you will have it in External DNS, so it needs to be on the cert.

Sorry it that wasnt clear.

Regardless, I would have an INTERNAL DNS entry for autodiscover.domain1.com that points to Exchange as well so its consistent- even if no one ever uses it. There are clients that may rely on it.

You only need an autodiscover.domain2.com if you have users who have domain2.com set as a primary SMTP or expect you may one day.
If all the users have a domain1.com primary SMTP suffix, then you do not need a autodiscover.domain2.com entry in DNS or on the cert.

Answer 2

Anonymous

Hi @jeff mcnabney ,

If the external users use autodiscover on both domain1.com and domain2.com servers, then you gonna need both autodiscover.domain1.com and autodiscover.domain2.com.
But if there are no external users that will use autodiscover, i think you won't need this. But in this case why do we need the certificate?
I think, as Andy said, it's a better choice to add the autodiscover.domain.com as the SAN.

Regards,
Lou

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Anonymous

2021-02-26T06:59:51.383+00:00

Hi @jeff mcnabney ,

It has been a long time since last reply, did these suggestions help you? If the above suggestion helps, please click “Accept as answer” to mark helpful reply as an answer.Your action would be helpful to other users who encounter the same issue and read this thread.

Regards,
Lou

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

Exchange Certificate Renewal Subject Alternative Name Split DNS Autodiscover

1 additional answer

Your answer