1

We have an existing internal domain with extension .internal

The .internal extension has been in place for years and the AD has over 90 users with linked Exchange 2007 email accounts.

We now have a need to use signed SSL certificates, and these need to be trusted by a third party. We are having difficulty locating a CA who will certify the .internal domain, which is to some extent fair enough.

As I see it we have two choices:

One: create an internal CA and persuade the third party to add this to their own trusted root store (unlikely).

Two: migrate the domain to .local. Does anyone have any experience of this? I know there is a procedure to rename a domain on AD, but this does not seem to support Exchange.

uSlackr
  • 6,432
  • What does RFD in your title mean? – MDMarra Sep 28 '11 at 11:12
  • 1
    You don't say what you need to use SSL certificates for. That information might help us better understand your problem and allow us to offer alternative solutions. – joeqwerty Sep 28 '11 at 11:16
  • I'm curious (as we're planning to use .local).. Do you have some kind of verification that this would have worked with a .local domain? – pauska Sep 28 '11 at 11:41
  • 2
    RFD means I can't type :) RFC see link – RichardP Sep 28 '11 at 12:39
  • The SSL is being used to enable LDAPS on the Domain Controller – RichardP Sep 28 '11 at 12:42
  • Link to acceptable domains policy from the CA we generally use, but other CAs may have differing policies. link – RichardP Sep 28 '11 at 12:44
  • So, maybe I missed something here, but why are you using a public CA for an internal resource? Designate one of your DCs as the CA for your domain by installing the role. AD will by default hand out that CA cert to the trusted store on all domain members; then issue a cert for the internal resource that requires it. – SpacemanSpiff Sep 28 '11 at 13:00
  • To answer SpacemanSpiff: the AD will be queried from outside of our domain by our parent company. Unfortunately, therefore, we need a cert that will be trusted outside of our domain. – RichardP Sep 28 '11 at 13:18
  • 1
    @RichardP .local actually isn't reserved in RFC2606 and the tlds and 2nd levels that are reserved are reserved explicitly for testing. – MDMarra Sep 28 '11 at 14:00

2 Answers

2

.local is just as bad as .internal! You should use a third level subdomain that you actually own like internal.company.com where company.com is your real legit ICANN (or whatever) registered domain name.

You are right about not being able to rename the domain with Exchange installed. After you have a new domain in place with the right domain name, you can use ADMT to perform a cross-forest migration of users, groups, computers, and servers. You're going to have to do a cross-forest migration of Exchange, too, which can be painful but there are tons of tools out there to do that for you.

MDMarra
  • 101,023
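Before approaching any CA it is worth auditing the names that will go into the certificate. As an added example, not from this thread, the Python check below flags subject names a public CA cannot validate: reserved or non-delegated TLDs such as .local and .internal (which publicly trusted CAs have been barred from issuing for since the CA/Browser Forum Baseline Requirements took effect), single-label NetBIOS names, private IP addresses, and names outside a domain you own. The TLD list, the sample names and the owned domain are constructed assumptions.

```python
import ipaddress
import re

# Constructed, illustrative list of TLDs that are reserved or not delegated in
# public DNS, so no public CA can validate ownership of names under them.
NON_PUBLIC_TLDS = {"internal", "local", "lan", "corp", "home", "localhost",
                   "test", "example", "invalid"}

# Hostname: optional leading wildcard label, then one or more DNS labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"(?:\*\.)?{_LABEL}(?:\.{_LABEL})*")


def classify_name(name, owned_domains):
    """Classify one subject name as ('ok', reason) or ('reject', reason)."""
    n = name.strip().rstrip(".").lower()
    try:                                   # IP SANs: private ranges are unverifiable
        ip = ipaddress.ip_address(n)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return ("reject", "private or local IP address")
        return ("ok", "public IP address")
    except ValueError:
        pass
    if not _HOSTNAME.fullmatch(n):
        return ("reject", "not a valid DNS name")
    labels = n.split(".")
    if len(labels) == 1:                   # NetBIOS-style names such as DC01
        return ("reject", "single-label name")
    if labels[-1] in NON_PUBLIC_TLDS:
        return ("reject", f".{labels[-1]} is not a public TLD")
    if not any(n == d or n.endswith("." + d) for d in owned_domains):
        return ("reject", "not under a domain you control")
    return ("ok", "publicly validatable name")


def audit_sans(names, owned_domains):
    """Audit every name; returns a list of (name, verdict, reason) tuples."""
    owned = [d.strip().rstrip(".").lower() for d in owned_domains]
    return [(n,) + classify_name(n, owned) for n in names]


if __name__ == "__main__":
    # Constructed SAN list for a domain controller that is also to serve LDAPS.
    sample = ["dc01.corp.internal", "corp.internal", "DC01", "10.0.0.5",
              "dc01.internal.example.com", "*.internal.example.com"]
    for name, verdict, reason in audit_sans(sample, ["example.com"]):
        print(f"{verdict:6} {name:28} {reason}")
```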
0

Just a quick additional note. Verisign were able to issue a certificate for a domain ending .internal. So if you want to avoid an AD migration (and who doesn't) then there are alternatives.