||Active Directory Domain Naming Considerations
Cannot register new SSL requests or renwals for an exchange server that is part of a .local or .internal domain.
The reason that is given for the change is that the internal server names are not unique and therefore easy to falsify. With common names like server01 or webmail, the end user is never sure if it is actually dealing with the right party or with a malicious.
The changing legislation for SSL Certificates shall start on 1 November 2015. This means, from that date, the invalid Fully-Qualified Domain Names (hereafter called FQDN) will no longer be accepted at the standard of the CA/Browser Forum and after that date such certificates may no longer be issued. All certificates issued after 1 November 2015 and meet this qualification will be revoked upon discovery.
Users who are requesting a certificate on an invalid FQDN with an expiration date after 1 November 2015 should remember that their certificates will be revoked after 1 November 2015. After this date, no SAN SSL Certificate with a reserved IP address or internal server name will be issued either.
For new rollouts or migrations from 2003 to server 2012;
Setup the domain using a subdomain of the customers registered public domain. Example, datatech owns datatechitp.com. For the domain name we would set it up as CORP.DATATECHITP.COM this would be the FQDN. With this setup we will be able to register SSL certificates without running into a split DNS issue if we were to use just DATATECHITP.COM for the FQDN.
For customers not looking to Migrate you can make adjustments to the internal domain name of the exchange server so that it reports your public domain. Information on how to do that is below.
Many people use a SAN SSL Certificate for Microsoft Exchange 2007 or 2010. It is recommended that these certificates will be modified from an internal server name to an external server name as soon as possible. A manual how to modify this on Exchange 2007 can be found here: https://www.networking4all.com/en/support/ssl+certificates/manuals/microsoft/exchange+2007/modify+.local/
The Exchange 2010 manual can be found here: https://www.networking4all.com/en/support/ssl+certificates/manuals/microsoft/exchange+2010/modify+.local/
Another alternative would be to use an additional external name. This can be done by using a .net domain name (.net = network) like DC1.DATATECHITP.NET. This would require the ownership of the .NET public domain name along with your .COM. Many companies purchase .COM, .NET, & .ORG when registering their domain however there may be instances where the customer does not own the .NET domain in which case you'll want to use a subdomain of their .COM.
|You Tube Link
|Type Of Article