
Setting up split DNS

Status
Not open for further replies.

Thrasonic

IS-IT--Management
Jan 11, 2013
11
US
Hi everyone. I have an associate who owns a small business. He has only seven users on his network and he has one SBS 2003 server. He's utilizing Exchange 2003 and SQL Server 2005. His server also hosts the primary application his company uses including his time and billing data. His SBS server is around 10 years old now and he's finally ready to replace it. To that end he's purchased a new HP server. He has a Microsoft Action Pack subscription so he has access to Windows Server 2012 and Exchange 2013. So he's all set to make the move.

His current Active Directory (AD) and DNS environment are working fine. However, his internal domain is company.local and as we all know you won't be able to get SSL certs with an internal-only domain name around 2 years from now. As small as his setup is it wouldn't be a problem to set up his new server with his current public domain name (company.com) to avoid the SSL cert issue coming in around 2 years. However, the time and billing package he uses can't be moved to a new server at this time.

So what I'm thinking of doing is joining the 2012 server to the SBS 2003 domain, adding AD and DNS to it (but letting the SBS 2003 server continue holding the FSMO roles so it won't freak out), and move everything BUT the time and billing software to the new server (including e-mail). The issue, of course, is that the new server will be joining a .local domain and we won't be able to change that later on without completely rebuilding the entire system.

So I was thinking maybe we could use split DNS to solve this issue. I've been reading up on it and it sounds like it would be one way to resolve the issue heading our way 2 years from now. We'll get a SAN cert with mail.company.com and autodiscover.company.com and use split DNS to ensure that, even though the Exchange server will be in the company.local domain, it'll be able to use the cert and serve e-mail internally and externally.

Thoughts?
 
It is really NOT hard at all to keep the .local domain and tweak the Exchange vdir URLs to only use the public (cert) name. That's the way all the more recent versions of SBS do it, and I do it all the time for non-SBS Exchange servers. The change in certificates is *not* an issue. I would not worry about the domain name--don't change it, just move forward with a regular migration (adding a new DC to the existing AD) and only "certify" the public names. There is always a pretty straightforward way to just configure things to use the public name, and not worry about the internal name.

You can even get a single-name cert if you want, and still not have much trouble, if you are willing to use an SRV record like they do on SBS 2008/2011.

Feel free to ask more questions about specifics, and I can help you through any minor troubles that come up.

Dave Shackelford
ThirdTier.net
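The approach Dave describes, as an added example that is not from the thread, from Microsoft, or from ThirdTier.net: an internal company.com zone (split DNS) with the SRV record he mentions, the Exchange 2013 virtual directories pointed at the public name only, and a check that no client-facing URL uses a host that is not on the cert. Assumed: the new Server 2012 box holds the DNS role, the Exchange server is named EX2013 (hypothetical) with LAN address 192.0.2.10 (placeholder), and the cert covers mail.company.com and autodiscover.company.com.

```powershell
# Part 1 (run on the internal DNS server): split DNS. The internal copy of company.com
# answers with the LAN address; only the names clients use are added here, so every
# other public record (www, MX, ...) must be duplicated by hand or internal users will
# not resolve it. The LAN address never leaves the internal zone.
Import-Module DnsServer
Add-DnsServerPrimaryZone -Name 'company.com' -ReplicationScope 'Forest'
Add-DnsServerResourceRecordA -ZoneName 'company.com' -Name 'mail' -IPv4Address '192.0.2.10'
Add-DnsServerResourceRecordA -ZoneName 'company.com' -Name 'autodiscover' -IPv4Address '192.0.2.10'
# SRV record as on SBS 2008/2011: lets Autodiscover work even with a single-name cert.
Add-DnsServerResourceRecord -Srv -ZoneName 'company.com' -Name '_autodiscover._tcp' `
    -DomainName 'mail.company.com' -Priority 0 -Weight 0 -Port 443

# Part 2 (run in the Exchange Management Shell): every virtual directory URL uses the
# public name, so no client is ever handed a URL whose host is missing from the cert.
$srv  = 'EX2013'                    # hypothetical server name
$base = 'https://mail.company.com'
Set-OwaVirtualDirectory         -Identity "$srv\owa (Default Web Site)" -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-EcpVirtualDirectory         -Identity "$srv\ecp (Default Web Site)" -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Set-WebServicesVirtualDirectory -Identity "$srv\EWS (Default Web Site)" -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$srv\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$srv\OAB (Default Web Site)" -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-OutlookAnywhere             -Identity "$srv\Rpc (Default Web Site)" -InternalHostname 'mail.company.com' -ExternalHostname 'mail.company.com' -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
Set-ClientAccessServer          -Identity $srv -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# Part 3: verify. Warn on any URL whose host is not the certified name, then confirm the
# public name resolves to the LAN address from inside the network.
$vdirs = @(Get-OwaVirtualDirectory -Server $srv; Get-EcpVirtualDirectory -Server $srv;
           Get-WebServicesVirtualDirectory -Server $srv; Get-ActiveSyncVirtualDirectory -Server $srv;
           Get-OabVirtualDirectory -Server $srv)
$vdirs | ForEach-Object {
    foreach ($u in @($_.InternalUrl, $_.ExternalUrl)) {
        if ($u -and $u.Host -ne 'mail.company.com') { Write-Warning "$($_.Identity): $u is not on the cert" }
    }
}
Resolve-DnsName -Name 'mail.company.com' -Type A
Resolve-DnsName -Name '_autodiscover._tcp.company.com' -Type SRV
```

Clients cache the old URLs until their next Autodiscover refresh, so expect certificate-name warnings to stop only after Outlook has restarted once.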
 