Removing Orphaned Populated msExchangeDelegateLinkList and msExchangeDelegateLinkListBL Automapping Attributes

By Ace Fekay
Published 5/11/2017
Revamped 3/31/2018 – Added the option to selectively remove BLs without removing FullAccess permissions to the shared mailbox

Scope

How to remove a shared mailbox that keeps showing up in your Outlook profile that you’ve been removed as a delegate.

This shows how to remove the mailbox permissions and to re-add, and I just added how to simply just remove the backlinks WITHOUT removing FullAccess permissions. The users in this case, must re-add the mailbox in Outlook once it disappears from their profile.

Automapping

Automapping is an Autodiscover feature that was added to Exchange 2010 SP1 and newer, that allows Outlook to automatically add a delegated mailbox without additional tasks.

Autodiscover looks at the mailbox owner’s AD account for an attribute called the MSExchDelegateListLink attribute.

When you use the EAC or PowerShell to delegate permissions to a shared mailbox or to another user, Exchange will automatically set the Automapping feature to $True. In PowerShell you can disable this, but not in the EAC.

This feature populates the MSExchDelegateListLink attribute on the shared or delegated mailbox with the user accounts that will be Automapped, and vice-versa, it also populates the MSExchDelegateLinkListBL attribute on the user account. I look at this as the “back link” to the shared mailbox.

These two attributes are one of  nine (9) links and backlinks that exist. Here’s a list of all links and backlinks in AD and more specifics can be found at the following link:
http://www.neroblanco.co.uk/2015/07/links-and-backlinks-in-active-directory-for-exchange/

Outlook, Autodiscover, and those attributes

When Outlook fires up, and while running, part of what Autodiscover process performs is it will check these two attributes to determine if there are any shared mailboxes that must be automatically added to the Outlook profile. In some cases using a managed process for shared mailboxes, we may want this feature disabled so the shared mailbox does not get automatically added.

Orphaned Backlink is still populated and the mailbox still shows up in Outlook

If the user was previously delegated to a shared mailbox, then the delegated per,missions were removed, but for some reason, perhaps replication or corruption, or some other unforeseen factor (large environments fall under this category), the shared mailbox still shows up and you can’t get rid of it, and further, since you no longer have permissions, you can’t open it. This will cause the shared or delegated mailbox to still show up in Outlook. But you can clearly see in EAC or running a get-mailboxpermission that the user is no longer delegated.

Example of an account with the msExchDelegateLinkListBL still populated:

image

How to remove it?

First, establish your PowerShell session to Exchange OnPrem or your Office 365 tenant. If unsure how, see this:
http://blogs.msmvps.com/acefekay/2017/05/11/establishing-a-powershell-session-to-your-office-365-tenant-or-onprem-exchange/

Determine, if any, links or backlinks exist on the shared mailbox:

Get-ADUser “SharedMailboxDisplayName” -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink

If any show up, you’ll see their sAMAccountNames. If you don’t know who the sAMAccountNames are and you want to see their displayNames, run the following (this command works for DNs, too):

For one account:
get-aduser sAMAccountName -Properties displayName,mail  | ft Name, DisplayName, mail -A

For a list of accounts in a text file:
get-content c:\temp\names.txt | get-aduser -Properties displayName,mail  | ft Name, DisplayName, mail –A

 

Then remove the msexchDelegateLinkListBL orphaned backlink and FullAccess permissions to the shared mailbox

Note: I’m using the shared mailbox’s displayName. This will also work using the sAMAaccountName or the primary email address.

For one account:
Remove-MailboxPermission “SharedMailboxDisplayName” -user $_ –AccessRights FullAccess -Confirm:$false

For a list of accounts in a text file:
get-content c:\temp\ace\userIDs\users.txt | foreach {Remove-MailboxPermission “SharedMailboxDisplayName”  -user $_ –AccessRights FullAccess -Confirm:$false}

Then if needed, delegate the shared mailbox again & disabling Automapping

Delegate Ace to a shared mailbox:
Add-MailboxPermission “Shared Mailbox Name or email address” -User AceFekay@contoso.com -AccessRights FullAccess -AutoMapping:$false

To just remove the backlink WITHOUT removing permissions

Note, using this method, the shared mailbox will automatically disappear from the Outlook profile. As soon as it does, you must manually re-add the shared mailbox either under the user account properties, where the permissions are proxied through the user account, which is the same as if it were Automapped, or as a separate account, which provides better features including sent and deleted items go into the shared mailbox itself instead of the mailbox owner under an automapped account or added under the user account.

To remove all BLs all at once:

#########################################################
#Remove the MSExchDelegateListBL from an account

$userToClean = “I061859”
  $userDN = Get-ADUser $userToClean | select -ExpandProperty DistinguishedName
  $delegates = Get-ADUser $userToClean -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
  Write-Host “======================================================”
  write-host “List of Delegated accounts that are backlinked:” $Delegates
  Write-Host “======================================================”
  foreach ($delegate in $delegates) {
  Set-ADUser $delegate -Remove @{msExchDelegateListLink = “$UserDN”}
  }
  Write-Host “======================================================”
  Write-Host “If the following get-aduser cmdlet searching for backlinds is empty, then all delegated backlinks have been removed”
  Get-ADUser $user -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
  Write-Host “======================================================”

To remove specific BLs one at a time:

# 1. Find the list of users in a shared mailbox that have been backlinked.
#    Note, as said, this is only for removing users that have requested it, unless you are working on removing all, which use the above

$SharedMailboxOrUserDisplayName = “Shared Mailbox Display Name”
$SharedMailboxOrUser = (get-recipient “$SharedMailboxOrUserDisplayName”).name
Write-Host “======================================================”
Write-host “Shared Mailbox sAMAccountName:” $sharedMailboxorUser
Write-host “List of Users (or ‘Delegates’) that currently have Backlinks on Shared mailbox ‘$sharedMailboxorUser’ :”
Get-ADUser $SharedMailboxOrUser  -Properties msExchDelegateListLink | Select-object -ExpandProperty msExchDelegateListLink | get-aduser -Properties displayName,mail  | ft Name,DisplayName,mail -A
write-host “======================================================”

# 2. Then enter the user account name from the above list that you want to remove, and then find the user’s DN:
  $UserToClean = “User sAMAccountName”
  $userToCleanDisplayName = (get-recipient $UserToClean).displayName
  $userDN = Get-ADUser $UserToClean | select -ExpandProperty DistinguishedName
  Write-Host “The DN of ‘$userToCleanDisplayName’ ($UserToClean) that you want to clean is: ” $userDN
  Write-Host “======================================================”
  write-host “List of Backlink DNs that you want to remove from $UsertoClean :”
  Write-Host
  Get-ADUser  $UserToClean -Properties msExchDelegateListbl |  select -ExpandProperty msExchDelegateListBL

  Write-Host  “======================================================”

# 3. Remove the MSExchDelegateListBL from my account or an account that was migrated to the cloud that previously had a MSExchDelegateListBL
#    Just have to run this, the BL gets removed after you run it
#    This does not remove any AccessRights to the Mailbox, it just removes the automapping

Set-ADUser  $UserToClean -Remove @{msExchDelegateListLink = (Copy and Paste the Backlink DN of the specific shared mailbox from the previous list that you want to remove) }

# 4. Then check to see if it worked:
   Get-ADUser  $UserToClean -Properties msExchDelegateListBL |  select -ExpandProperty msExchDelegateListBL
   Get-ADUser  $UserToClean -Properties msExchDelegateListLink |  select -ExpandProperty msExchDelegateListBL

==========================================================

Summary

I hope this helps!

Published 5/18/2017

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


 

Listing SendAs and SendOnBehalf Permissions

By Ace Fekay
Published 3/20/2018

Intro

Ace here again.

There are a number of tools that you can use in your day to day AD and Exchange management. This includes Office 365 Hybrid, but we’ll assume that you are performing one way sync to the cloud, and only replicating MSOL attributes back to on premises, so you can manage them locally, for the most part.

This is about getting SendAs and SendOnBehalf rights on a mailbox

SendAs

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox = Ace.Fekay@MSOLUser.com
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-Host “///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\”
Write-Host “*****************************************************************”
Write-host “The following is a list of who has SendAs permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-recipient $_.User).Displayname}}, extendedRights -AutoSize
$MailboxCount = @(Get-recipient $Mailbox | Get-ADPermission  | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)}).count
Write-Host “Total number of users that can SendAs on contact ‘$MailboxDisplayName’ is” $MailboxCount
Write-Host “*****************************************************************”

Write-Host “\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////”
Write-Host “*****************************************************************”

SendOnBehalf

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox =
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-host “The following is a list of who has SendOnBehalf permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
# – property not found – $sendonbehalfList = (get-recipient $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
$sendonbehalfList = (get-mailbox $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
#Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “Grant*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-User $_.User).Displayname}}, extendedRights -AutoSize
Write-Host “And the list of who have SendOnBehalf on ‘$MailboxDisplayName’ is:” $SendonBehalfList  
Write-Host “*****************************************************************”

Example output:

*****************************************************************
///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*****************************************************************
The following is a list of who has SendAs permissions for ‘Fekay, Ace’ :
*****************************************************************
User            User’s DisplayName                           ExtendedRights
—-            ——————                                          ————–
Contoso\AFekay-Admin Fekay, Ace (Admin Only) {Send-As}    

Total number of users that can SendAs on contact ‘Fekay, Ace’ is 1
*****************************************************************
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////
*****************************************************************

Summary

I hope this helps!

Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs (I may be moving the following site): http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Reanimate an Exchange Server Deleted From the Exchange Organization in the Configuration Container in Active Directory

By Ace Fekay
MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer & Janitor

Background:

Hey everyone, Ace here again. Here’s an interesting issue I came across when an administrator, while using ADSI Edit, deleted one of their Exchange 2010 servers from the Exchange Organization in AD’s Configuration Container. Of course, it was not intentional, so I didn’t even ask why or how, but I was told that they were working on something else in ADSI Edit, and the administrator unintentionally deleted the Exchange server object. And as we all know, there is no “Undelete” button in ADSI Edit.

Before I went about trying to perform an Authoritative Restore with AD, I figured I would try to use the AD Recycle Bin to recover the object. However, I knew it wouldn’t be there, because it was never deleted from ADUC Computer Container, rather it was deleted from the Exchange Organization. But I did it just to show how to do it, and to illustrate the differences in the object’s locations and significance.

What I did was is re-animated the deleted server using ADSI Edit. I used a lab machine to test it before attempted to try it on their production system.

 

Before I performed a test delete in my lab

Here are the three Exchange Servers, Van-EX1, Van-EX2, and Van-EX3, showing in the ADUC’s Computers Container:

 

Here’s VAN-EX3 in ADSI Edit and its attributes. This is what it’s supposed to look like.

 

Looking further into the server object attributes in ADUC Advanced View, Attribute Editor, it shows the server’s ObjectSID:

 

Delete VAN-EX3

Here’s where I deleted VAN-EX3 in ADSI Edit:

 

The delete warning message:

 

And the second delete warning message. Apparently ADSI Edit, the tool that doesn’t have an Undelete” button, wants to make sure that you want to delete it. I think it’s good that it asks twice:

 

VAN-EX3 has now been deleted from the Exchange Organization section in the Configuration Container:

 

However, as you an see in ADUC, it still shows VAN-EX3. That’s because we didn’t delete it from AD, rather it was deleted from the Configuration Container.

 

As you can see here, Exchange’s services still show that they’re still running.

 

Trying to find the deleted object in the Recycle Bin using LDP

Here’s where I looked for the Exchange object in the Recycle Bin using LDP. However, since the Exchange computer object still exists in AD, rather it was deleted from the Organization. I knew it won’t be in the Recycle Bin, because it wasn’t really deleted from AD.

These steps were more to show everyone the differences between a deleted computer object, that would show up here, and an Exchange server deleted from the Organization.

 

Click Connection, then Bind:

 

We’re binding using default values, meaning it will use the currently logged on domain administrator account.

 

In LDP, click Options, then Controls:

 

In the Load Predefined drop-down box, I chose to “Return Deleted Objects:”

 

As you can see, Return Deleted Objects chosen in the drop-down box:

Under Tree View, for the base DN, I typed in cn=deleted objects,dc=adatum,dc-com. As you can see, nothing showed up. So VAN-EX3 is not in the Recycle Bin.

 

Recreating VAN-EX3 in the Exchange Organization in the Configuration Container

I drilled down into the Exchange Organization in the Configuration Container, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Servers. Then I right-clicked CN=Servers, New, Object.

By the way, not to get off topic, but if you’re wondering how the Exchange team came up with that Administrative Group name, “(FYDIBOHF23SPDLT),” click here.

 

Once the server object has been created, now we need to create the necessary Exchange server object containers under the server object we created. What helps is that the attributes are still in AD:

 

For “Select a Class” dialog box, scroll down and select msExchServersContainer

 

For the Value field, type in VAN-EX3:

 

Click Finish:

 

Now we must create the Exchange Information Store container. Right-click, New, choose Object:

 

In the Select a Class dialog box, choose msExchInformationStore:

 

Type “Information Store” in the Value field:

 

Click Finish:

 

The values appear correct so far. If you double-click on the CN=Information Store object, scroll down, you can see the DN value is correct (sorry, I didn’t screenshot that part):

 

Now let’s create the MTA. Same deal as above, in the Select a Class dialog box, right-click, New, scroll down and choose mTA:

 

Type in Microsoft MTA:

 

To get the time out and other values it’s asking, I opened another instance of ADSI Edit, and looked at the values for one of the other existing Exchange Servers:

 

The transRetryMins value of 5 that I populated, which I found from the other Exchange server:

 

The last attribute, which of course is the server’s name:

 

Now we must create the Microsoft System Attendant object for VAN-EX3 by right-clicking Van-Ex3, new, choose Object, and in the Select a Class dialog box, scroll down and select exchangeAdminService:

 

For the CN value, type in Microsoft System Attendant:

 

Scroll down in the Attribute Editor to deliveryMechanism, set it to 0 (zero):

 

Click Finish:

 

Now test logging on with a mailbox that exists in VAN-EX3, and try to send and receive an email. You should find that it works perfectly.

 

Point of the story: Be careful what you do in ADSI Edit.

Suggestions, Comments, Corrections are welcomed.

Ace Fekay

Redirect OWA Exchange 2010 & Exchange 2013 – The Cool and Easy Method

By Ace Fekay
MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer & Janitor

Preface

Hey everyone, Ace here again. An issue was presented to me regarding the EMC and EMS would not open on a new Exchange 2010 SP3 installation. The underlying operating system is Windows 2008 R2 SP1. I could not figure out how to resolve this issue, and not to pat myself on the back, I usually and eventually resolve something or get really close, but I was no where near close on this one, other than knowing it was an IIS issue. I eventually called Microsoft Support to assist in this scenario, instead of wasting any more of my time or the customer’s valuable productivity on the issue. That said, this will be the first time in two years that I’ve needed to contact Microsoft Support.

During the course of the support call, we discussed various ways to redirect the Default Site access by simply typing in, mail.domain.com, and have it redirect to https://mail.domain.com/owa, thus making it easier for users to remember the short URL instead of having to remember the whole URL.

I was originally following Brian Desmond’s blog on how to configure the redirect, and it works great. I’ve used it for a half dozen customers without incident for the past two years. But after I saw this method, I was astonished at the ease of configuration, and it does not affect any subfolders.

The idea behind it is configuring the IIS 7 and 7.5 HTTP Redirect feature on the actual iisstart.htm file, and not for the actual Default Website. If you set it for the website, you must uncheck it for each and every sub web folder which is a pain in the butt to go through each one, and you may make a mistake that can render Exchange useless. Support call anyone? Smile

 

This requires the IIS HTTP Redirect feature installed under Web Role Services

If you don’t already have it installed, you will need to install the HTTP Redirect feature under the IIS Web Server Role Services. If you don’t have it installed, it’s a quick installation that does not require a restart.

Steps to install the HTTP Redirect Feature:

  1. Open Server Manager, and then expand Roles.
  2. Right-click Web Server (IIS), and then choose “Add Role Services.”
  3. Under Web Server section, scroll down to find and click to select the “HTTP Redirect” check box.
  4. Click Next to complete the installation.
  5. Click Close when done.

Steps to configure OWA Redirect in Exchange 2010 and 2013:

  1. Click on the Default Website
  1. Right Click Default Website
  2. Choose “Switch to Content View
    For the full image, click here
  • In the middle pane, you will now see a list of all the sub webs. You will also notice the iisstart.htm file.
  • Right-click the iisstart.htm file
    1. Choose “Switch to Features View
      For the full image, click here
  • In the left pane, you will now see “iisstart.htm” in the navigation tree
    1. Click on iisstart.htm in the left navigation tree
      For the full image, click here
    2. In the middle pane, either (either one gets you to the same place)
    1. Right-click HTTP Redirect, choose Open Feature
    1. Or
  • Double-Click on HTTP Redirect
  • Check the box that states, “Redirect requests to this destination
  • Type in OWA URL, such as https://mail.domain.com/owa
  • Click Apply
    For full image, click here
  • Open a command window, or if you already have a PowerShell window open, that will work, too.
    1. Type in IISRESET
    2. Hit <enter>
      You’re done!

    It’s that easy. And it will not affect any of the Exchange’s necessary subfolders, or any other part of IIS.

    Easy, wasn’t it?

    Exchange 2003 & 2007 OWA Redirect

    1. Navigate to c:\inetpub\webroot
    2. Right click anywhere in the middle pane
    3. Choose New -> Text Document
    1. Notepad will open
    2. Type in (you only need this one line):
    1. <% response.redirect(“https://mail.domain.com/owa”)%>
  • Then save the file
    1. Click Save As
    2. Type in “default.asp
    3. And yes, you MUST use the quotes so the system will not append “.txt” on the end of it and rendering it useless.
  • Click Save
  • Open IIS Management Console
  • If this is Exchange 2000 or 2003 on Windows 2000/2003, IIS6:
    1. Navigate to the Default Website
    2. Right click, properties
    3. Under Default Document, make sure default.asp is at the top of the list. If it’s not, use the arrows to move it to the top.
    1. Click Ok
  • Open the Command prompt
    1. Type in IISRESET, then hit <enter>
  • If this is Exchange 2007 on Windows 2008, IIS7:
    1. Navigate to Default Website
    2. In the middle pane, Double-click on Default Document
    3. Make sure default.asp is at the top of the list
    4. Open the Command prompt
    1. Type in IISRESET, then hit <enter>

           

    References:

    If you want to use Brian Desmond’s which works perfectly, too, and I’ve been using it for over two years without a hitch, here it is:

    Redirecting OWA URLs in Exchange 2010, by Brian Desmond
    http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/

    Microsoft’s KB on OWA Redirect:

    How to redirect requests from HTTP to HTTPS or to the OWA virtual directory in IIS 7
    Applies to Microsoft Internet Information Services 7.0
    http://support.microsoft.com/kb/975341

    Simplify the Outlook Web App URL
    Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
    http://technet.microsoft.com/en-us/library/aa998359(v=exchg.141).aspx

    How to redirect an HTTP connection to HTTPS for Outlook Web Access clients and how to redirect the Default Web Site to point to the Exchange virtual directory
    Applies to Exchange 5.5,  Exchange 2000, Exchange 2003 (Just thought to throw this in here for anyone still on the legacy Exchange versions)
    http://support.microsoft.com/kb/839357

    Other related links, just to get an idea what others have suggested, but I have not tried, so I can’t comment on them. You can try them at your own risk:

    HTTP to HTTPS OWA redirection.
    http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/73e2e794-c2ec-4bd2-9f55-bb47c605e200

    Set-Exchange2010RedirectSSL.ps1 – Redirecting the root web site to /owa and forcing SSL in Exchange 2010 4/28/2010
    http://www.ehloworld.com/186
    http://www.ehloworld.com/wp-content/uploads/2010/04/Set-Exchange2010RedirectSSL.v1.31.zip

     

    Comments, corrections, concerns, and suggestions are all welcomed!

    Ace

    What’s in an Active Directory DNS Name? Choosing the Same As Your Public Domain Name, a ".net" Version of Your Public Name, or ".local"

    Original publication 5/2005
    Updated 5/2010
    Updated 10/15/2010 – Provided a link to my blog with a How-To deal with DNS and the name chosen, and Exchange 2007 & 2010 UC/SAN certificate considerations
    Updated 10/21/2014 – Reflect changes by the certificate companies that no longer support .Local or any other non-public TLD.

    IMPORTANT Note: UCC/SAN “.Local” and other private TLDs will no longer be supported

    When you choose an internal name, it won’t matter, because you now must configure Exchange’s internet URLs to be identical as the external URLs to support your UCC/SAN certificate.

    On the bright side, this will help with configuring clients internally and externally with the same name anyway. I’ve always configured my customer Exchange CAS URLs with the same name because of this reason.

    More info:

    Global changes in legislation regarding SAN SSL Certificates
    http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

     

    Topics Covered:

    1. Preface: AD Design Considerations

    2. Scenario 1 – Same Name as your external name (Split-Zone)

    3. Scenario 2 – Sub domain name of the public domain name

    4. Scenario 3 – Choosing a TLD Variation of your Public Domain, such as the “.net” version of it

    5. Scenario 4 – Choosing a private TLD such as “.local”

    6. Exchange 2007 & 2010 UC/SAN certificate considerations

    7. Related Links

     

     

    ==================================================================

    Preface: AD Design Considerations

    Should I choose the same AD DNS domain name as my external public domain name (also called split-zone), choose a sub domain name of my public name, or should I choose a completely different name such as .local or .net?

    I must say this is a classic question that has arisen on numerous occasions starting with the beginning days of AD.

    Choosing a name for your internal AD DNS domain name can be based on a number of things, whether technical or political, or previous administrative experience. This has been highly discussed (not debated) in the past.

    Whatever decision you make for an AD DNS FQDN domain name, just understand the ramifications. Actually I’m not going to try to get into any sort of debate, for there is really nothing to debate, nor help someone decide on what is ‘right’ or ‘wrong’ but rather just state the ramifications and implications of a name that you do decide on and how to get around them, no matter what the decision was based on.

     

    Discussion on what name to choose

    This discussion was between myself and Todd J. Heron, MVP, during the Summer of 2003.

    Classic question:

    “Which are the advantages of naming my domain with domain.com rather than domain.local? I have a domain.com registered for my Company that i use for my e-mail and Site Internet.”

    There are different answers to this classic question and while these answers ultimately depend upon company preference, much of the direction will be based upon administrator experience.  The three basic scenarios outlined below are the most commonly given answers to the question, sometimes altogether and sometimes not.   Some company networks use a combination of these scenarios.  When explaining it to a relative beginner asking the question, many responses omit explanatory detail about all the scenarios, for fear of causing more confusion.

    All three approaches will have to take both security and the end-user experience into perspective.  This perspective is colored by company size, budget, and experience of personnel running Active Directory and the network infrastructure (mostly with respect to DNS and VPN).  No one approach should be considered the best solution under all circumstances.  For any host name that you wish to have access from both your internal network and from the external Internet you need scenario 1, although it is the most DNS-intensive over time.   If you do not select this option and go with scenario 2, 3 or 4, consideration will have to be given to the fact that company end-users will need to be trained on using different names under different circumstances (based on where they are (at work, on the road or at home).

    Since our discussion, I’ve expanded the Scenarios to include considerations when obtaining an Exchange 2007 or 2010 UC/SAN certificate. The certificate authorities will check all of the names for their registered owner. If you choose an internal name that just happens to be a real public domain name that you weren’t aware of, and owned by someone else, the certificate authorities will reject the certificate request. See Scenario 3 for more information.

     

    ==================================================================

    Scenario 1 – Same Name as your external name (Split-Zone)

    Choosing the same name internal/external (spilt-zone, or split-brain, whatever you want to call it) has the most administrative overhead. Why chosen?

    Either because a misunderstanding of the pros/cons, political, or for ease of use.

    Pros:

    1. Their email address is their logon name. Easier to remember.

    2.  Security.  Each DNS zone is authoritative for the zone of that name so therefore the external DNS zone and internal AD/DNS zone will NOT replicate with each other thereby prevent internal company records to be visible to the outside Internet.

    3.  Short namespace.  Users don’t have to type in (or see) a long domain name when accessing company resources either internally or externally.  Names are “pretty”.

    Cons:

    1. Administrative overhead. If trying to get to your externally hosted website, it won’t resolve because a DNS server will not forward or resolve outside for what a zone that it hosts. You can overcome resolving the www.domain.com dilemma by using a delegation. Right-click your zone, new delegation, type in ‘www’ and provide the public SOAs for the name server(s). This way it will send the resolution request to the SOA and resolve that way. As for http://domain.com, that is difficult and would instruct all users to only use www.domain.com. This is because of the LdapIpAddress, the record that shows up as (same as parent), which EACH domain controller registers. So if you type http://domain.com, you will round robin between the DCs. To overcome that, on EACH DC, install IIS, then under the default website properties, redirect it to www.domain.com and let the delegation handle it.

    Now if you were to be using SharePoint services, or something else that connects to the default website (no sub folders or virtual directories), then it becomes a problem. I know numerous installations setup with this and have operated fine for years.

    2. Security.  Each DNS zone is authoritative for the zone of that name so therefore the external DNS zone and internal AD/DNS zone will NOT replicate with each other thereby prevent internal company records to be visible to the outside Internet.

    3.  Any changes made to the public DNS zone (such as the addition or removal of an important IP host such as a web server, mail server, or VPN server) must added manually to the internal AD/DNS zone if internal users will be accessing these hosts from inside the network perimeter (a common circumstance).

    4.  VPN resolution is problematic at best.  Company users accessing the network from the Internet will easily be able to reach IP hosts in the public DNS zone but will not easily reach internal company resources inside the network perimeter without special (and manual) workarounds such as maintaining hosts files on their machines (which must be manually updated as well every time there is a change to an important IP host in the public zone), entering internal host data on the public zone (such as for printers, SRV records for DCs, member server hosts, etc.), which exposes what internal hosts exist, or they must use special VPN software (usually expensive), such as Cisco, Netscreen, etc., which is more secure and reliable anyway.

    For further reading on this scenario:
    http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
    http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon-common-server-names.html

    With a Split-Zone, You may los the ability to access your website or other resources:

    If you choose the same name, and you can’t access your internal website, or an external resource with the same name, you need to understand how to handle this with DNS. Read the following for specifics and a how-to.

    Split Zone or no Split Zone – Can’t Access Internal Website with External Name
    Published by AceFekay on Sep 4, 2009 at 12:11 AM  1278  0
    http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx

     

    ==================================================================

    Scenario 2 – Sub domain name of the public domain name

    Choosing a child name or delegated sub domain name of the public zone.

    Examples:  Name such as ‘ad.domain.com’, or ‘corp.microsoft.com’. The AD DNS domain name namespace starts at corp.domain.com and has nothing to do with the domain.com zone.

    Pros:

    1. Minimal administrative overhead.

    2. Forwarding will work.

    3. The NetBIOS name will be ‘AD’ or ‘CORP’, depending on what you chose and what the users will see in the three-line legacy security logon box.

    4.  Like Scenario 1, this method also isolates the internal company network but note this at the same time is also a disadvantage (see below).

    5. Better than Scenario 1, internal company (Active Directory) clients can resolve external resources in the public DNS zone easily, once proper DNS name resolution mechanism such as forwarding, secondary zones, or delegation zones are set up.

    6. Better than Scenario 1, DNS records for the public DNS zone do not need to be manually duplicated into the internal AD/DNS zone.

    7. Better than Scenario 1, VPN clients accessing the internal company network from the Internet can easily navigate into the internal subdomain. It is very reliable as long as the VPN stays connected.

    Cons:

    1. Confusion on users if they decide on using their UPN.

    2.  While there is security in an isolated subdomain, there is potential for exposure to outside attack.  The potential for exposure of internal company resources to the outside world, lies mainly in the fact that because when the public zone DNS servers receives a query for subdomain.externaldnsname.com, they will return the addresses of the internal DNS servers which will then provide answers to that query.

    3. Longer DNS namespace.  This may not look appealing (or “pretty”) to the end-users.

    4. Security. We are assuming that we can only access the internal servers thru a VPN and assuming they are in a private subnet, they won;’t be accessible. Also assuming to secure the VPN with an L2TP/IPSec solution and not just a quick PPTP connection. If this is all so, we can assume it is secure and not accessible from the outside world.

    The scenario is the recommendation from the Windows Server 2003 Deployment Guide.  It states to the external registered name and take a sub zone from that as  the DNS name for the Forest Root Domain:
    http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/default.asp

     

    ==================================================================

    Scenario 3 – Choosing a TLD Variation of your Public Domain, such as “.net”

    Example: Public domain name is domain.com, and you choose “domain.net” as your public name.

    This choice has been made by many companies.

    Pros:

    1. Easy to implement with minimal administrative overhead. Requires minimal action on administrators.

    2. Prevents name space conflicts with external domain name. No one else owns it on the internet.

    3. Forwarding works.

    Cons

    1. Domain name may look unprofessional. But this has nothing to do with anything on the public side (the internet).

    2. VPN resolution difficult (like option 1) if DNS is not setup properly. That can be a sticky issue and depending on the VPN client will dictate whether it will work or not. I know one of the other MVPs (Dean Wells) created a little script to populate a user’s laptop or home PC’s hosts file with the necessary resources and would remove them once the VPN is dissolved.

    3. Exchange HELO name must be altered in the SMTP properties (Exchange 2000 using MetaEdit, or SMTP properties in Exchange 2003), or in the Hub Transport properties (Exchange 2007) to accommodate anti-spam, SPF, and RBL software.

    4. Obtaining a UC/SAN certificate for Exchange 2007 & 2010 may be a challenge if you haven’t registered the “.net” version of your public domain name. This is because the Certificate Authorities will check all names in the UC/SAN cert you are requesting, including Exchange’s internal FQDN in the certificate request. This is used by the AutoDiscover feature in Exchange 2007 and 2010 and needs to be in the certificate. Read more on it here:

    Exchange 2007 & Exchange 2010 UC/SAN Certificate
    http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx

    ==================================================================

    Scenario 4 – Choosing a private TLD such as “.local”

    Note: UCC/SAN “.Local” and other private TLDs will no longer be supported

    When you choose an internal name, it won’t matter, because you can configure Exchange’s internet URLs to be identical as the external URLs. This will help with configuring clients internally and externally with the same name.

    More info:

    Global changes in legislation regarding SAN SSL Certificates
    http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

    Choosing a private name

    Choosing a different TLD: Choosing a private TLD, such as domain.local, domain.corp, domain.abc, etc. This option is easy for either beginners or the expert, because it’s the easiest to implement primarily because it prevents name space conflicts from the very beginning with the public domain and requires no further action on your part with that respect.

    The only caveat is that you must configure Exchange URLs to the external URLs to support the certificate requirements.

    Pros:

    1. Easy to implement with minimal administrative overhead. Requires minimal action on administrators.

    2. Prevents name space conflicts with external domain name. No one else owns it on the internet.

    3. Forwarding works.

    Cons

    1. Domain name may look unprofessional. But this has nothing to do with anything on the public side (the internet).

    2. VPN resolution difficult (like option 1) if DNS is not setup properly. That can be a sticky issue and depending on the VPN client will dictate whether it will work or not. I know one of the other MVPs (Dean Wells) created a little script to populate a user’s laptop or home PC’s hosts file with the necessary resources and would remove them once the VPN is dissolved.

    3. Exchange HELO name must be altered in the SMTP properties (Exchange 2000 using MetaEdit, or SMTP properties in Exchange 2003), or in the Hub Transport properties (Exchange 2007) to accommodate anti-spam, SPF, and RBL software.

    4. You won’t have any problems obtaining an Exchange 2007 & 2010 UC/SAN certificate since the internal name is not a public name and there’s nothing to check registration-wise by the Certificate Authorities when requesting the certificate with the internal Exchange FQDN.

     

    ==================================================================

    Exchange 2007, 2010 and 2013 UC/SAN certificate considerations

    More things to consider concerning the internal AD DNS domain name and if using Exchange 2007

    If you choose a TLD, be sure to not choose one that is already in use by another entity. Reason is it will cause due confusion, and will create problems if you were to get an Exchange 2007 UCC/SAN certificate and adding a name for the internal namespace on the certificate. Here are some existing TLDs that you do not want to choose if the name does not belong to your entity:

    So it would be a bad choice for the complications that will arise, if you name the internal domain is registered by others.

    As far as choosing what name to use internally, there are pros and cons of using your public TLD (whether the same namespace or not), or a private TLD. I prefer a private TLD. You also have to take into consideration if you will be using Exchange 2007 and expect to purchase a UC/SAN certificate. This type of cert has multiple names, and the internal Exchange server’s private FQDN will be part of it. So for instance, your company is called “A Big Company”, and your external name is abc.com. You decide to make your internal name abc.net. However you never purchased abc.net from the registrar, and someone else did. So the Exchange server internal name is exchange.abc.net. In such a case, the CA will not approve it because A Big Company is not the registered owner of abc.net at the registrar (when you do a WHOIS) and is owned by someone else.

    Technically speaking, you can also use the same name for the internal domain and the external domain. Just understand the ramifications. You may encounter the following possible issues that you may have to perform a domain rename in the future.

    1.  If the internal domain name that you chose is the same as your Internet public domain name, internal clients may get the domain external IP but routers and firewalls will not respond from an internal request to the external interface. Some refer to this as a U-Turn, and firewalls, routers and NATs cannot handle U-Turns for port forwarded services.

    2. Worse, if the internal name you chose was registered by another entity.

    Generic top-level domains:

    biz .com .info .name  .net  .org  .pro  .aero  .asia  .cat  .coop .edu 
    gov .int  .jobs  .mil .mobi  .museum   .tel  .travel

    Country-Code Top-Level Domains

    You must be careful choosing, especially if someone else owns it on the internet. You’ll never get the cert approved if it is owned by someone else, despite the argument that “it’s my internal domain name…”

    ac  .ad  .ae  .af  .ag  .ai  .al  .am  .an  .ao  .aq  .ar  .as  .at  .au 
    aw  .ax  .az  .ba  .bb  .bd  .be  .bf  .bg  .bh  .bi  .bj  .bm  .bn  .bo 
    br  .bs  .bt  .bw  .by  .bz  .ca  .cc  .cd  .cf  .cg  .ch  .ci  .ck  .cl 
    cm  .cn  .co  .cr  .cu  .cv  .cx  .cy  .cz  .de  .dj  .dk  .dm  .do  .dz 
    ec  .ee  .eg  .er  .es  .et  .eu  .fi  .fj  .fk  .fm  .fo  .fr  .ga  .gd 
    ge  .gf  .gg  .gh  .gi  .gl  .gm  .gn  .gp  .gq  .gr  .gs  .gt  .gu  .gw 
    gy  .hk  .hm  .hn  .hr  .ht  .hu  .id  .ie  .il  .im  .in  .io  .iq  .ir 
    is  .it  .je  .jm  .jo  .jp  .ke  .kg  .kh  .ki  .km  .kn  .kp  .kr  .kw 
    ky  .kz  .la  .lb  .lc  .li  .lk  .lr  .ls  .lt  .lu  .lv  .ly  .ma  .mc 
    me  .md  .mg  .mh  .mk  .ml  .mm  .mn  .mo  .mp  .mq  .mr  .ms  .mt  .mu 
    mv  .mw  .mx  .my  .mz  .na  .nc  .ne  .nf  .ng  .ni  .nl  .no  .np  .nr 
    nu  .nz  .om  .pa  .pe  .pf  .pg  .ph  .pk  .pl  .pn  .pr  .ps  .pt  .pw 
    py  .qa  .re  .ro  .rs  .ru  .rw  .sa  .sb  .sc  .sd  .se  .sg  .sh  .si 
    sk  .sl  .sm  .sn  .sr  .st  .sv  .sy  .sz  .tc  .td  .tf  .tg  .th  .tj 
    tk  .tl  .tm  .tn  .to  .tr  .tt  .tv  .tw  .tz  .ua  .ug  .uk  .us  .uy 
    uz  .va  .vc  .ve  .vg  .vi  .vn  .vu  .wf  .ws  .ye  .za  .zm  .zw

     

     

    ==================================================================

    Related Links

    For a broad overview of this topic, read some of the links below.

    Creating Internal and External Domains
    http://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx

    DNS Namespace Planning
    http://support.microsoft.com/default.aspx?scid=kb;en-us;254680

    Assigning the Forest Root Domain Name:
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbc_logi_kqxm.asp

     

    =================================================================

    Summary

    I hope this helps in your endeavor.

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP – Directory Services

    clip_image002[6] clip_image004[6] clip_image006[6] clip_image008[6] clip_image010[6] clip_image012[6] clip_image014[6]

     

    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Suggestions, comments and corrections welcomed!