1. I've never seen this work. Does Outlook prompt the user to log onto the domain (they would typically be in "offline" mode when on the road)?
2. When using DHCP to assign the primary DNS suffix - does the DHCP Server Option 015 for DNS Suffix apply to the primary DNS suffix or the connection specific suffix?
3. Our Global Catalog server (one only - no NLB) is not published, nor is there an entry in the External DNS for the gcservername.internal.net. I believe that only the ISA internal NIC preferred DNS server setting, which is set to the internal IP of the internal DNS server, is used to find the GC. Is there anything that needs to be done for the GC/DC - i.e. published or filters for RPC to work?
4. a) The GC registry setting you referred to is required on every Outlook client machine? b) is there a Group Policy template (computer template) that you know of that can be used to distribute this automatically, without having to touch every machine? c) If they already have a working Outlook profile is this an issue?
5. If the DC/GC/internal DNS server's default gateway is not ISA's internal IP, will this create a problem for any of the Exchange Publishing rules, especially RPC?
We are phasing out an expensive dedicated Internet connection and converting to an ISA/ADSL connection (less than 100 users - 10% remote at any one time), therefore in this phase we have no current plan to change the default gateway setting on the domain controller/global catalog server/Internal DNS server - that server's default gateway is outbound through a router, not back through ISA. So far, ISA is publishing web servers, TSAC and FTP and all is fine - now.
6. A distinction between home users Outlook config and laptop users would be very useful. In particular the DNS configuration. (Min. Win2K machines - none older).
For example the laptop user roams with the same computer... it belongs to the domain and has all the DNS settings you have recommended. The only thing we need to do to make this work is to add the Exchangeservername.internal.net to the External DNS and it should just work for the laptops.
On the other hand, home computer users (not laptops) don't belong to our domain, probably their own workgroup or home domain via their Windows Internet Connection Firewall. They use any ISP and probably don't have any primary or connection specific suffix. How can we change the home user's config to just work? Just add the Primary DNS suffix to their computer Network ID properties?
7. A brief discussion of how this works for "hosting" company domains would be very useful. Can DNS aliases work in a hosting scenario so you can have user-friendly URLs for the hosted companies?
We host two organizations and any number of different virtual domain names, all in a single Win2K domain model. At this time we have a split DNS, but it uses different domain names on the internal and external DNS servers. That is our "real" domain "internal.net" has no entries in the External DNS - but we're pretty much forced into it now... and this involves retraining users with a new URL.
For example, External DNS http://webmail.hostedcompanydomain/exchange has to be changed to https://actualmailservername.internal.net/exchange so that we can use the same SSL certificate for all virtual dirs in the Exchange Server's Default Web Site, which also includes \CertSrv.
Thank you so much for this article and this discussion feedback.
1. You configure Outlook to log on to the user account, which includes the user's domain credentials in most cases
2. That sounds like the correct DHCP option
3. You don't need to publish the GC, you just need to make sure the name resolves to the IP address used in the RPC publishing rule
4. The hard-coded GC requirement is for OL2000 only, AFAIK. I believe you can use the Office Deployment Kit to create the required profiles with the right reg entries
5. Only the published server needs to be a SecureNAT client
6. Home users and laptop users are the same in this scenario, they'll use the external DNS zone to access the site
7. A split DNS isn't really an issue with a hosting company, because the users don't roam between the internal and external network. However, the required DNS entries must be available for name resolution, as mentioned in the article
Sorry to ask so many questions! You are like my mentor and you don't even know it.
Your response: 3. You don't need to publish the GC, you just need to make sure the name resolves to the IP address used in the RPC publishing rule.
Question for clarification: the GC needs to have an external DNS entry that resolves to the external IP address of the ISA server that Exchange is using to publish RPC? We've never had to put our servers.internal.net in the External DNS before, so I'm a bit gun shy and have to justify this to the powers that be.
Your response: 7. A split DNS isn't really an issue with a hosting company, because the users don't roam between the internal and external network. However, the required DNS entries must be available for name resolution, as mentioned in the article.
My response: Actually in our case, the hosted company is a hosted subsidiary, with their own UPN and their own web and email domain names. They reside in the same building and are on the same LAN, so they do roam between internal and external. They are treated as a separate company. We have a single domain with hosted company Organizational Units. They are segregated in every way by Active Directory and NTFS permissions, they even have their own private Global Address List in Exchange.
This is why it's so difficult to piece everything together, because it seems like our scenario is not very common. But, it's coming together for me.
Thank you so much again for your responses - I very much appreciate them.
* Thanks! I didn't know I was your mentor, but that's cool
* You don't publish the GC, you just need to make sure that the FQDN of the DC resolves to the address you used in the RPC Server Publishing Rule (for remote clients). You don't need to do anything special to support GC access for internal clients because they can already contact the AD DNS objects
* OK, your users move between the internal and external network. That's fine. The split DNS will make things a million times easier for you.
Question for Clarification: the GC needs to have an external DNS entry that resolves to the External IP address of ISA server that Exchange is using to publish RPC?
* So your answer is YES? The GC's FQDN (servername.internal.net) has to be on the External DNS server, and the address record resolves to the external IP address of the ISA server that Exchange is using to publish RPC - it just doesn't have to be published.
We're just getting used to the idea that the servernames.internal.net have to be on the External DNS server. My boss did not want any internal.net entries on the External DNS - but now it can't be avoided.
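The exchange above comes down to one rule: the published servers' FQDNs (here the Exchange server and the GC/DC) must exist in both DNS zones, resolving to private addresses inside and to the ISA external address used by the RPC Server Publishing Rule outside, and an unqualified name only finds them if the client has a matching primary or connection-specific suffix (questions 2 and 6 earlier in the thread). The script below is an added example, not code from the thread, the article or ISA Server: it models that resolver behaviour against two constructed zone tables (hypothetical names under internal.net, RFC 1918 and RFC 5737 addresses) and reports the misconfigurations that break roaming Outlook clients or leak internal addressing.

```python
"""Split-DNS consistency check for an ISA/Exchange RPC publishing setup.

Added example with constructed data; it does not query real DNS servers.
"""
from ipaddress import ip_address, ip_network

# Constructed: the external ISA address referenced by the RPC publishing rule.
ISA_EXTERNAL_IP = "203.0.113.10"

# Constructed zones. Same names in both, different answers: the split-DNS model.
INTERNAL_ZONE = {
    "exchange1.internal.net": "192.168.10.5",
    "gc1.internal.net": "192.168.10.2",
}
EXTERNAL_ZONE = {
    "exchange1.internal.net": ISA_EXTERNAL_IP,
    "gc1.internal.net": ISA_EXTERNAL_IP,
    "www.internal.net": "203.0.113.20",
}

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(address):
    """True for private (RFC 1918) IPv4 addresses; used instead of
    ipaddress.is_private, which also flags the RFC 5737 test ranges."""
    return any(ip_address(address) in net for net in RFC1918)


def candidate_names(name, primary_suffix=None, connection_suffix=None):
    """Simplified model of the Windows resolver: a name ending in '.' is used
    as-is; an unqualified name is tried with the primary DNS suffix, then the
    connection-specific suffix, then bare (suffix devolution is omitted)."""
    name = name.lower()
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixes = [s.lower() for s in (primary_suffix, connection_suffix) if s]
    return [f"{name}.{s}" for s in suffixes] + [name]


def resolve(name, zone, primary_suffix=None, connection_suffix=None):
    """Return (fqdn, address) for the first candidate present in zone, else None."""
    for fqdn in candidate_names(name, primary_suffix, connection_suffix):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


def check_published_names(published_fqdns, internal_zone, external_zone, isa_external_ip):
    """Return the problems that would break roaming clients for each published FQDN."""
    problems = []
    for fqdn in published_fqdns:
        ext = external_zone.get(fqdn)
        if ext is None:
            problems.append(f"{fqdn}: missing from external zone, remote clients cannot resolve it")
        elif ext != isa_external_ip:
            problems.append(f"{fqdn}: external record {ext} is not the ISA address "
                            f"{isa_external_ip} used by the publishing rule")
        intl = internal_zone.get(fqdn)
        if intl is None:
            problems.append(f"{fqdn}: missing from internal zone")
        elif not is_rfc1918(intl):
            problems.append(f"{fqdn}: internal record {intl} is not private, LAN clients "
                            "would be sent out through ISA")
    return problems


def leaked_private_records(external_zone):
    """Names in the external zone answering with an RFC 1918 address: unreachable
    from the Internet and a needless disclosure of internal addressing."""
    return sorted(n for n, a in external_zone.items() if is_rfc1918(a))


if __name__ == "__main__":
    published = ["exchange1.internal.net", "gc1.internal.net"]
    print("LAN laptop:", resolve("exchange1", INTERNAL_ZONE, "internal.net"))
    print("Roaming laptop:", resolve("exchange1", EXTERNAL_ZONE, "internal.net"))
    print("Home PC, no suffix:", resolve("exchange1", EXTERNAL_ZONE))
    for p in check_published_names(published, INTERNAL_ZONE, EXTERNAL_ZONE, ISA_EXTERNAL_IP):
        print("PROBLEM:", p)
    print("Leaked private records:", leaked_private_records(EXTERNAL_ZONE))
```

The home-PC case returns None because a client with no suffix never tries `exchange1.internal.net`; giving that machine the primary DNS suffix, or teaching users the FQDN, is what makes the same name work from both sides. Removing `gc1.internal.net` from the external table reproduces the situation the thread warns about: remote Outlook can reach the published Exchange server but cannot resolve the GC.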
Ah yes, I remember we discussed this very subject a while ago...
I have not completely read the article yet but am quite thrilled by seeing it is available.
As you may recall, I am the guy who ended up with an AD environment of company.local, whereas the external DNS is company.com. At the time I built the network, split DNS was not in favor... then ISA came around...
At any rate, the idea of adding suffix instead of rebuilding the entire domain is quite thrilling.
I would like, however, to figure out how to add the suffix automagically through a registry edit (or something!).
From: London, UK
I recently bought an IPAQ Pocket PC (Windows Mobile 2003) which I can use to access the Internet while on the move over Wi-Fi or GPRS. It also has the ability to sync with Exchange Server so I want to be able to do that while on the move.
Your article has got me fixed up so my laptop can do it with Outlook 2003 - syncing seamlessly both inside and outside the ISA server. However the pocket PC only works inside the ISA server.
From outside the pocket PC can surf the net seeing sites published by the ISA server and those on the wider Internet (ie no general connectivity / dns problem).
I wonder if it is an authentication issue as changing the settings on ISA for this changes the error message but none of them seem to work.
The other thing is that ActiveSync looks like an HTTP service. I've even tried a Web Publishing Rule to just push everything that comes to http://mymailserver.xxx.xxx to the Exchange box and I still get an INTERNET_2 error on the Pocket PC. (I realise https is the way to go eventually, but I want to get something working, so I'm trying the basic version first!)