Autodiscover Certificates for Multiple Domains
I have an Exchange 2007 environment with about 30 domains in it.
We bought a Unified Communications Certificate for our main domain, call it domain1.com.
This had the following names in it:
mail.domain1.com autodiscover.domain1.com server5.domain1.local
This stopped the certificate error popping up when we opened Outlook, at least for the people who have a domain1.com email address.
Unfortunately, users of the other 29 domains get a certificate error on launching Outlook and on other things such as using "out of office".
The error says "autodiscover.domain2.com - The cert is trusted, The cert date is valid, The name on the cert does not match"
I cannot put all domains in the cert and I cannot buy 30 certs, so how else can I resolve this problem?
I found this on TechNet but I don't quite understand it, so if anyone could better explain I would be very grateful.
Thanks,
Leigh
February 28th, 2011 2:32pm
For that number of domains you basically have two choices.
1. A certificate that supports the number of domains - they are available, but will cost. You may have to use a different certificate provider.
2. The SRV record or redirect method.
SRV records may well mean that you have to move the domains to a provider that supports them. Many DNS providers do not.
SRV record method: http://support.microsoft.com/kb/940881
Redirection method: http://technet.microsoft.com/en-us/library/ff923256.aspx
No idea what the link you have provided is - I don't click on random shortened URLs.
Simon.
Simon Butler, Exchange MVP
Blog |
Exchange Resources | In the UK?
Hire Me.
February 28th, 2011 5:18pm
Thanks, I think I will try using the SRV method as our hosting company (heartinternet) seem to support it.
To confirm, am I right in thinking I should do the following:
Remove all A & CNAME entries in domain2.com DNS for autodiscover.domain2.com
Add a SRV record into domain2.com DNS which says: service: _autodiscover protocol: _tcp server: domain1.co.uk port: 443
Just not 100% sure I've got the 1s and 2s in the right place?
Thanks,
Leigh
February 28th, 2011 6:31pm
The lack of the autodiscover A record is the key, so that autodiscover.example.com doesn't resolve. That will force Outlook to try others. You should also ensure that there isn't a wildcard on the domain so anything.example.com resolves.
Simon.
Simon Butler, Exchange MVP
February 28th, 2011 7:00pm
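A check for the SRV method discussed in the replies above, as an added example that is not part of any poster's message. It inspects a constructed record list for domain2.com for the conditions named in the thread (no autodiscover A/CNAME, no wildcard, an SRV record on port 443) and goes one step further by checking that the SRV target is a name on the certificate from the first post. The zone contents, the function names and the choice of mail.domain1.com as SRV target are assumptions.

```python
# Added example: constructed zone data, not output from a real DNS server.
# Certificate names are the three listed in the first post.
CERT_NAMES = {"mail.domain1.com", "autodiscover.domain1.com", "server5.domain1.local"}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def check_srv_method(domain, records, cert_names=CERT_NAMES):
    """Return a list of problems; an empty list means the zone fits the SRV method.

    records: iterable of (owner_name, rr_type, rdata) tuples for one zone.
    """
    domain = norm(domain)
    problems, srv_seen = [], False
    for owner, rtype, rdata in records:
        owner, rtype = norm(owner), rtype.upper()
        if rtype in ("A", "AAAA", "CNAME"):
            # Either of these makes autodiscover.<domain> resolve, so Outlook
            # connects there instead of moving on to the SRV lookup.
            if owner == f"autodiscover.{domain}":
                problems.append(f"{owner} has a {rtype} record; remove it")
            elif owner == f"*.{domain}":
                problems.append(f"wildcard {rtype} record answers for autodiscover.{domain}")
        elif rtype == "SRV" and owner == f"_autodiscover._tcp.{domain}":
            srv_seen = True
            fields = rdata.split()  # priority weight port target
            if len(fields) != 4:
                problems.append(f"malformed SRV rdata: {rdata!r}")
                continue
            port, target = fields[2], norm(fields[3])
            if port != "443":
                problems.append(f"SRV port is {port}, expected 443")
            if target not in {norm(n) for n in cert_names}:
                problems.append(f"SRV target {target} is not a name on the certificate")
    if not srv_seen:
        problems.append(f"no _autodiscover._tcp.{domain} SRV record")
    return problems

GOOD_ZONE = [  # constructed: SRV only, nothing answering for autodiscover.domain2.com
    ("domain2.com", "MX", "10 mail.domain1.com."),
    ("_autodiscover._tcp.domain2.com", "SRV", "0 0 443 mail.domain1.com."),
]
BAD_ZONE = GOOD_ZONE + [  # constructed: leftover CNAME plus a wildcard
    ("autodiscover.domain2.com", "CNAME", "mail.domain1.com."),
    ("*.domain2.com", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_srv_method("domain2.com", zone) or "OK")
```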
Any way of doing that with ISPs that don't support SRV records?
Chris
June 7th, 2011 3:08pm
Any way of doing that with ISPs that don't support SRV records?
Chris
The redirect method, or dump the ISP in question and use another party for hosting the name servers. In my experience most ISPs are very poor at hosting name servers and DNS records in general, and by doing so they are holding you hostage in the event of you wanting to dump them. There are lots of companies dedicated to providing name servers for domains.
Simon.
Simon Butler, Exchange MVP
June 7th, 2011 3:51pm