Same usernames, internal vs. external domains, conflict when using WebAccess

Currently running GW 8.0.2hp2 on NetWare 6.5sp8.
We have a single domain and single post office, and a single WebAccess
and single GWIA gateway. We have about 25 external domains set up to allow
using external users' e-mail addresses in our internal corporate address
books and distribution lists following the procedure outlined here:
http://www.novell.com/documentation/...a/a2zvyc4.html
The problem is that one of my internal users in our corporate domain/PO
has the same userid as a user in one of the external domain/PO's. So,
for example, their e-mail addresses are:
[email protected]
[email protected]
Everything works except that my internal user cannot use GW WebAccess.
Trying to login to WebAccess results in the following error:
"Please login again. You may have typed your name or password
incorrectly. Remember that your user name must be unique."
If I either change my internal user's GroupWise userid, or if I delete
or rename the external user's userid, then my internal user can login
into WebAccess without a problem. So this does appear to be due to
non-unique usernames. The WebAccess is seeing the internal and
external user names, and not allowing my internal user to login.
Is there a work around for this since the users are in separate domains
and PO's, or do I need to just rename my internal user's account? I
have no control over the external user's e-mail address, so I can't
rename their userid.
Is there a way to keep the "default WebAccess" gateway from looking at
external domains for user account authentication? I have tried setting
up a class of service in the WebAccess gateway to deny access to the
external domain, and that hasn't worked either.
Thanks,
-Greg
former e-mail for posting:
[email protected]

I knew I should have looked a little longer.
http://www.novell.com/support/kb/doc.php?id=7006447
Thanks,
-Greg
On 1/7/2013 12:38 PM, Greg N. wrote:
> Currently running GW 8.0.2hp2 on NetWare 6.5sp8.
>
> We have a single domain and single post office, and a single WebAccess
> and single GWIA gateway. We have about 25 external domains set up to allow
> using external users' e-mail addresses in our internal corporate address
> books and distribution lists following the procedure outlined here:
>
> http://www.novell.com/documentation/...a/a2zvyc4.html
>
>
> The problem is that one of my internal users in our corporate domain/PO
> has the same userid as a user in one of the external domain/PO's. So,
> for example, their e-mail addresses are:
>
> [email protected]
> [email protected]
>
> Everything works except that my internal user cannot use GW WebAccess.
> Trying to login to WebAccess results in the following error:
>
> "Please login again. You may have typed your name or password
> incorrectly. Remember that your user name must be unique."
>
> If I either change my internal user's GroupWise userid, or if I delete
> or rename the external user's userid, then my internal user can login
> into WebAccess without a problem. So this does appear to be due to
> non-unique usernames. The WebAccess is seeing the internal and
> external user names, and not allowing my internal user to login.
>
> Is there a work around for this since the users are in separate domains
> and PO's, or do I need to just rename my internal user's account? I
> have no control over the external user's e-mail address, so I can't
> rename their userid.
>
> Is there a way to keep the "default WebAccess" gateway from looking at
> external domains for user account authentication? I have tried setting
> up a class of service in the WebAccess gateway to deny access to the
> external domain, and that hasn't worked either.
>
> Thanks,
> -Greg
>
former e-mail for posting:
[email protected]

Similar Messages

  • Same internal and external domain names - AGAIN!

    Hi all-
    Like many of you, I am confronting the problem of having the same FQDN for both my Active Directory domain and Internet domain.  For the sake of discussion, let's call the domain rlh.com.
    I need to access an externally-hosted website on the rlh.com domain.  The site is coded exclusively to use rlh.com and NOT www.rlh.com.  Therefore, the old trick of adding a static www A record on my internal DNS server will not work.
    It looks like another option is to install IIS on my DC and then configure some type of forwarding to the external site.  While this might work, frankly, I don't want IIS on my DC.  It's a DC, not a web server.
    Yet a third option, correct me if I'm wrong, looks to be using some type of "split DNS."  Though I have not read the particulars (yet) of this solution, I am suspicious of it causing DNS inefficiencies.
    All of these solutions look to me to be workarounds.  I am preparing to install a new DC (upgrading from 2003 to 2008 R2) and want to FIX the problem, not work around it.  That said, it looks like I have two options:
    1.  Rename my existing 2003 AD domain using rendom
    2.  Install the new 2008 R2 DC with the new domain name, setup domain trust between the old and new domains, and then use ADMT.
    Can someone please comment on my logic here?  Does anyone have experience with both of the two options?  Is one less painful than the other?
    As a preparatory step, I have migrated from my onsite Exchange 2003 server to Office 365.  Exchange is no longer present in my organization, though some slight "remnants" may remain in Active Directory.  Other than Exchange, I have a Hyper-V host, 2 SQL Servers, and 3 RDS servers present in my environment.
    Thanks.

    I realized this was answered, but I would like to add the following comprehensive blog on this subject.
    Can't Access Website with Same Name (Split Zone or no Split Brain)
    Published by Ace Fekay, MCT, MVP DS on Sep 4, 2009 at 12:11 AM
    Note - In an AD same name as the external name (split zone) scenario, if you don't want to use WWW in front of URL, such as to access it by http://domain.com, then scroll down to "So you don't want to use WWW in front of the domain name"
    http://blogs.msmvps.com/acefekay/2009/09/03/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name/
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • How to Setup RDS custom property when internal and external domain name space is different

    Hi All
    I am setting up RDS for customer
    My internal domain name is domain.local and my external domain is domain.com
    I came across below PowerShell cmdlets on some blogs because my internal and external name space are different
    Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:remote.domain.com"
    In above command, remote.domain.com points to which host?
    Is it pointing to RD Session Broker
    OR
    Pointing to RD Session Host servers
    I am not sure what above command will do exactly ?
    Any help will be highly appreciated
    Thanks Best Regards Mahesh

    Hi,
    It all depends who is accessing the RDS Solution.
    If you have a large BYOD or large number of external users, it would be better to use a public certificate.
    Have a look at the following script which will simplify the configuration of the RDSH hosts with certificates.
    http://ryanmangansitblog.com/2014/05/20/rds-2012-rdsh-certificate-deployment-script/
    You can use a custom RDP property to hide the Session host names.
    Have a look at the following article on configuring certificates:
    http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
    Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

  • Single URL for internal and external CRM access when using IFD

    Hello,
    At one of our client site I have setup IFD on CRM 2011. This IFD is behind TMG. My client is a big corporation therefore all CRM components including CRM, ADFS and SQL are on separate servers.
    I have configured IFD using single url https://orgname.contoso.com. Their IT staff wants to know why can't they use single URL for internal and external access where internal users are not prompted for authentication when logging on to the CRM server. I know you can do URL re-write in ADFS but they want to know the reason "why internal users can't use the same IFD URL and don't get prompted for their credentials". Text below is from their IT staff.

    There are several approaches to your question.  You need to set up both an internal and an external relying party trust. If you use the external URL, it will always direct you to the signin page, if you use the internal URL, it will resolve you single
    sign on.
    I've configured IFD for CRM multiple times, and this is how it works. CRM looks at the URL. If you use the external URL (org.domain.com), it will prompt for credentials. So what you are asking for, a single URL that works single sign on internally and prompts
    externally really isn't possible.
    What I recommend is:
    1. make the external URL available internally
    2. Configure all outlook clients against the external URL, that way you won't have to reconfigure when someone goes internal to external
    3. Have users who are primarily internal use the internal URL for the web client, which will resolve single sign on
    4. Have users who are primarily external use the external URL for the web client
    For #1, since you only need to enter the credentials when you first configure CRM, it is in all effects single sign on.
    One thing I haven't tried that may work is using IIS redirect internally to redirect the external URL to the internal URL. There is also a powershell script in the IFD guide that you can use to make the outlook client switch between the internal and external
    URL's, but nothing that will give you a single URL that works as the internal relying party trust when internal and the external relying party trust when you are external.

  • Exchange 2013 DNS for internal and external domain

    Hi All,
    I have been assigned a task to implement Microsoft Exchange Server 2013. I need some help in setting up DNS namespaces and design a strategy to have same internal and external names. Let me share some details here.
    We have an Active Directory domain myinternaldomain.net, and we have a public domain mypublicdomain.com and we have setup email policy to have mypublicdomain.com as the SMTP domain for all the users. We have created another DNS zone in Active directory integrated DNS and created A records for mail.mypublicdomain.com and autodiscover.mypublicdomain.com which will point to CAS NLB IP. We have 2 CAS servers and 2 MBX servers, we have configured DAG for MBX High availability and planning to implement WNLB for CAS as hardware LB is out of scope due to budget constraints.
    We want to have same URLs for OWA, Autodiscover, ECP and other services from internal network as well as from public network. Users should not be bothered to remember two URLs, using one from internal and other from public networks. I also want to confirm that with this setup in place do I need to have myinternaldomain.net and server names in SAN certificate?
    Thanks

    Hi Sccmnb,
    You can easily achieve this using split DNS.
    Internal DNS hostname "mail.mypublicdomain.com" will be pointing to your internal CAS NLB IP and the external public DNS hostname "mail.mypublicdomain.com" will be pointing to the Network device or Reverse proxy server IP.
    Depending upon users access location (internal\external) the IPs would vary and they should be able to access the website with same name.
    The names that you would require on the certificate (Use EAC or powershell to raise the request) for client connectivity would be
    SN= mail.mypublicdomain.com
    SAN= autodiscover.mypublicdomain.com
    You don't need to have the active directory domain name present in the certificate.
    In addition to this you need to update the AutodiscoverURI for all servers and OWA, ECP, Autodiscover Virtual Directories InternalURL and ExternalURL fields with appropriate public names.
    Some additional Info:
    *Internal vs. External Namespaces
    Since the release of Exchange 2007, the recommendation is to deploy a split-brain DNS infrastructure for the Internet-based client namespaces. A split-brain DNS infrastructure enables different IP addresses to be returned for a given namespace
    based on where the client resides – if the client is within the internal network, the IP address of the internal load balancer is returned; if the client is external, the IP address of the external gateway/firewall is returned.
    This approach simplifies the end-user experience – users only have to know a single namespace (e.g., mail.contoso.com) to access their data, regardless of where they are connecting. A split-brain DNS infrastructure, also simplifies the configuration of Client
    Access server virtual directories, as the InternalURL and ExternalURL values within the environment can be the same value.
    *Managing Certificates in Exchange Server 2013 (Part 2)
    *Nice step by step article
    Designing a simple namespace for Exchange 2013
    Regards,
    Satyajit
    Please "Vote As Helpful" if you find my contribution useful or "Mark As Answer" if it does answer your question. That will encourage me - and others - to take time out to help you.
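The certificate advice in the answer above can be checked mechanically. The following is an added example, not code from the thread or from Exchange: it compares the host in each configured URL against the two certificate names the answer lists, so a virtual directory still pointing at an Active Directory name is caught before clients see a certificate warning. The server name cas01 and the sample URL values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Names on the certificate, as given in the answer (subject name + SAN).
CERT_NAMES = ["mail.mypublicdomain.com", "autodiscover.mypublicdomain.com"]

# Constructed sample of configured URLs. "cas01" is a hypothetical server
# name; the ECP entry was deliberately left on the internal AD name.
CONFIGURED_URLS = {
    "OWA InternalURL": "https://mail.mypublicdomain.com/owa",
    "OWA ExternalURL": "https://mail.mypublicdomain.com/owa",
    "ECP InternalURL": "https://cas01.myinternaldomain.net/ecp",
    "AutodiscoverURI":
        "https://autodiscover.mypublicdomain.com/Autodiscover/Autodiscover.xml",
}


def name_matches(host, pattern):
    """True if a certificate name covers host.

    A wildcard name ("*.example.com") covers exactly one left-most label,
    so it matches neither the bare domain nor deeper sub-domains.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]


def uncovered(urls, cert_names):
    """Return {setting: reason} for every URL the certificate does not cover."""
    problems = {}
    for label, url in urls.items():
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or not host:
            problems[label] = "not an https URL"
        elif not any(name_matches(host, n) for n in cert_names):
            problems[label] = f"{host} is not on the certificate"
    return problems


if __name__ == "__main__":
    for setting, reason in uncovered(CONFIGURED_URLS, CERT_NAMES).items():
        print(f"{setting}: {reason}")
```

With split DNS in place every entry should come back clean, because internal and external clients use the same public names.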

  • CRM2015 IFD Internal and External Domains

    I am trying to setup CRM2015 with IFD. My internal domain is xr.local and external domain name is somethingelse.com. When going through the directions and searching through the forums I see similar questions regarding with no real information on the possibility.
    Am I able to set this up to support 2 different domains and where might I find some guidance to do so?
    Thanks...
    GY

    Hi David,
    Yes. the above setup should "do the trick" as the servers you put with blank DNS entry should be excluded in the NRPT table.
    You can confirm this by running at the client: netsh name show policy
    at command line and see something like:
    Settings for da.domain.com
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              :
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Use default browser settings
    Settings for .domain.com
    Certification authority                 :
    DNSSEC (Validation)                     : disabled
    DNSSEC (IPsec)                          : disabled
    DirectAccess (DNS Servers)              : 1234:1234:1234:3333::1
    DirectAccess (IPsec)                    : disabled
    DirectAccess (Proxy Settings)           : Bypass proxy
    So in this scenario the .domain.com is using the DA while the specific entry (da.domain.com) is set as exclude and has empty DNS ...
    Hope this helps,
    Ophir.
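To read a policy listing like the one in the answer above, the following added example (not part of the original post) parses the output into rules and reports which rule applies to a given name. It assumes the usual NRPT matching, where the most specific entry wins, so an exact FQDN entry overrides a suffix entry; the sample text is the listing quoted in the answer and the looked-up names are constructed.

```python
import re

# The listing quoted in the answer, embedded as sample input.
SAMPLE = """\
Settings for da.domain.com
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              :
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Use default browser settings
Settings for .domain.com
Certification authority                 :
DNSSEC (Validation)                     : disabled
DNSSEC (IPsec)                          : disabled
DirectAccess (DNS Servers)              : 1234:1234:1234:3333::1
DirectAccess (IPsec)                    : disabled
DirectAccess (Proxy Settings)           : Bypass proxy
"""

DNS_KEY = "DirectAccess (DNS Servers)"


def parse_nrpt(text):
    """Parse the listing into {namespace: {setting: value}}."""
    rules, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Settings for (\S+)", line)
        if header:
            current = rules.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only: IPv6 values contain colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return rules


def effective_rule(name, rules):
    """Return the namespace of the most specific matching rule, or None."""
    name = name.lower().rstrip(".")
    best = None
    for namespace in rules:
        key = namespace.lower()
        # Entries starting with "." are suffix rules; others are exact FQDNs.
        hit = name.endswith(key) if key.startswith(".") else name == key
        if hit and (best is None or len(key) > len(best)):
            best = namespace
    return best


def resolver_for(name, rules):
    """Return (matching namespace, DirectAccess DNS server or None).

    A matching rule with an empty DNS server is an exemption: the name is
    resolved by the client's normal DNS instead of through the tunnel.
    """
    namespace = effective_rule(name, rules)
    if namespace is None:
        return (None, None)
    return (namespace, rules[namespace].get(DNS_KEY) or None)


if __name__ == "__main__":
    rules = parse_nrpt(SAMPLE)
    for host in ("da.domain.com", "crm.domain.com", "www.example.org"):
        print(host, resolver_for(host, rules))
```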

  • Internal and external domain problem

    Host: oserver. sbsrv. local (internal address)
    Version: 10.1.2.0.2
    Installation Type: Portal and Wireless
    I have installed the oracle portal and works well in the internal network.
    The problem:
    When I try to access from public domain (www.mycompany.com) I get the welcome page from application server (fine), but if I press the link (log on to Oracle Application Server Portal) it redirects me to the internal address (http://oserver.sbsrv.local/portal/page?_pageid=0,1&_dad=portal&_schema=PORTAL)
    I edit httpd.conf (Apache) and I change the line from ServerName oserver.sbsrv.local to ServerName www.mycompany.com and I get something like that: ??????: ??? ???? ?????? ? ???? ????????????? ??????? ??? ?? ???? ??????
    Question:
    How can I map the internal domain: oserver. sbsrv. local (IP 192.168. xx. xx) with public domain www. mycompany. com (IP 62. x. x. x) ?
    thanks.
    Message was edited by:
    user543368

    I did this 3 or 4 years ago and set up the Web-Cache to act as a reverse proxy. There is a paper on Metalink that explains how to set it up but I do not have the Doc ID.
    Also check out the White Paper that illustrates a different method. "Expose your Intranet Portal to the
    Outside World in a Secured Manner
    (aka. A Secured Inside/Outside Portal)" see http://www.oracle.com/technology/products/ias/portal/pdf/admin_security_1014_secured_inside_outside.pdf
    BG...

  • Mail Service With Internal vs External Domain Question

    I have a SLS setup with a private domain ex: server.acmewidgets.private
    The local dns resolves correctly
    I have a static IP for this server and I would like it to handle the email for my domain which is ex: acmewidgets.com
    (Currently acmewidgets.com has been having its website and email handled by an external source)
    Do I need to reinstall the SLS with the domain server.acmewidgets.com to get the email working correctly? Or do I simply just point the MX Records to the static IP of server.acmewidgets.private?
    If I do not need to reinstall, what needs to be done to create the flow of email in and out of the SLS?

    No need to re-install Snow Leopard Server, you will need however to configure a few things.
    First up you will need to configure the Mail service to accept mail for this external domain as at the moment it will be configured to only accept mail for your local domain.
    In *Server Admin*, go to the Mail section and click on Advanced, now click on Hosting. In the hosting section you can add as many domains as you like for the mail server to accept mail for, the simplest way is to add the domains as virtual hosts.
    Point your external MX records to the address for the server so that mail will be directed to your server. If your server is on a fixed external IP address then all done.
    If your server is behind a firewall and on a private IP address you will need to forward port 25 on your firewall to the Snow Leopard Server. If you are also running DNS you should create a new Zone for your external domain with MX records that point to your Snow Leopard Server as clients will need to know that your server is the final delivery destination for that domain. If your server really is on a live fixed external IP address this step is not necessary.

  • Lync Implementation with different internal and external domain sync

    Hello Experts,
    Having Windows 2012r2 with Lync 2013 frontend and Edge 2012 server on Win2012. Internal domain name is test.local and Internet domain name is : tgroup.com. Internally all the clients are able to sync with frontend
    server using [email protected] or [email protected] Internal CA and External Digicert works fine. But only problem is with external clients who want to communicate through edge server. 
    Edge server has 3 LAN ip address (nat with public IP), 10.10.10.2, 10.10.10.3, 10.10.10.4 and another Internal network interface which has ip 10.10.20.3
    which uses that to communicate with front-end. 
    How to achieve this? We don't have reverse proxy configured and we have only two servers.
    Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

    The reverse proxy is used to publish URL's like the meet and dialin url, the address book url and the lync mobile client (smart phones and tablets) urls. This doesn't impact the external desktop user access as thats via the edge server. There is more to
    it than that but for the sake of keeping this simple lets stick to that for now.
    As far as SIP domains go. Think of your Lync users as having a SIP address similar to email addresses. You wouldn't have a user with an internal email address but with a different external email address. In fact best practice is to have the Lync SIP address
    match the email address.
    My recommendation is to use the ttgoup.com as a sip domain and not the test.local
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Lync Sorted blog

  • Internal and external ranges...?

    Hi All,
    I have one question about internal and external ranges. When I'm sending some products data from source (200) Client to Target (202) Client. I have to find out its using internal or external updates.
    Pls give me sample code how to check that.
    Akshitha.

    Hi,
    I don't think a sample code can solve your problem. You can take help of your functional consultant while working with Number Ranges.
    Internal Number Ranges and External Number Ranges are used to generate sequential numbers, which we can create in the SNRO transaction.
    Internal Number Ranges automatically generate the numbers in the given ranges for the Object, whereas we can give certain number with the ranges given in the External Number Ranges. So External Number Ranges are obviously useful for Data Transfer between two systems or Clients.
    Because the Masterdata should reflect same in both the system, with that only integrity stands there.
    We can find this with debugging the corresponding program.
    Thanks,
    Naveen.I

  • My mobile me expired and I want to use the same username for icloud. How?

    My mobile me expired and I want to use the same username for icloud. How?
    When I registered for me.com, they kept saying the my username is already taken which is true since I registered for [email protected] previously and the subscription has expired.
    How can I get apple to delete my mobile me account completely?

    http://howto.cnet.com/8301-11310_39-20119371-285/how-to-transfer-your-mobileme-account-to-icloud/
    and
    http://www.apple.com/mobileme/transition.html
    should assist you in questions

  • Best practises regarding Internal and External access to SIM

    Currently we have two separate Active Directories one internal and one in the DMZ and plan to have one SIM on an segmented network allowing access for our internal users directly to SIM UI and external users thru portlets that talks to SIM.
    The external AD hosts some internal users that also needs access to the DMZ applications so we can save efforts in managing to separate SIM environments in development, tests, upgrades, unique UID etc...
    What are the best practices on the market is this a preferred choice with only one SIM or with one SIM internally and one SIM in DMZ hosting suppliers, customers etc?
    With a single SIM environment are you allowing internal users accessing SIM from Internet to change internal AD password or have you restricted the functionality in some way for internal users accessing SIM from internet?
    How about challenge response questions are you allowing users to have the same both internally and externally or setup different for different user interfaces?
    Anyone willing to share how your environment is setup for internal and external access?

    Yes for handling the access to the SIM we probably need to look into some kind of access management solution to get it to work in a secure way.
    The question is a bit complex with many different factors controlling the outcome of the SIM implementation, but I hope to get some ideas with this thread of how we can solve it.
    The question still remains if it's common to have one or two SIMs and what internal users are allowed to do in SIM from Internet.
    Ex are internal users allowed to change their password in internal Active Directory thru SIM from Internet or what have others done to limit the functionality?

  • TEM How to differentiate b/w internal and external events

    Hi experts,
    How do I distinguish b/w internal and external events? When I try to create an event always by default it shows as internal in the top right above planned and firmly booked radio buttons. How do I create an external event which is held outside the company?
    please help...
    Thanks & regards,
    Pavan

    Hi Pavan,
    If you create a business event with resources, it is automatically considered an "internal" event -as you cannot plan resources OUTSIDE of your company-.
    If you create a business event w/o resources, then the system gives you the option of internal/external selection.
    Regards,
    Dilek

  • Sending Mails to external domains

    Hi,
    Scenario:
    --I am having OCS 10g 10.1.2.3.0 on a singlebox RHEL ES Rel3 (taroon update4)
    --I have an Exchange Server on another box with Microsoft Exchange Server
    --There is one more Proxy Server Box with firewalls having a proxy port to access the internet
    I was able to send mails from Oracle Workspaces to the OCS local domain but not to the external domains like yahoo.com, hotmail.com
    I was not able to ping the yahoo mail server or hotmail mail server, since the internet connection is not a direct connection.
    Can I have any workaround for this.. or how can I configure the current system to facilitate sending mails from OCS to other email domains also..?
    Many Thanks in advance..,
    Regards,
    Prasant

    Hi,
    We are having the same problems (mail to external domains). I didn't catch what was done to correct the problem. Could you please repeat what was set.
    Thanks much,
    Kim

  • My iPod is playing internal and external sound at the same time when my headphones are connected

    Hi, I have an iPod nano, 16 GB, 5th gen, that I've had for almost five years. It has never given me any problems before, but today when I plugged in my headphones the sound played not only inside the headphones but through the iPod's external speaker. When I turn the volume up or down only the external sound goes up or down, the headphones still play music at the same volume. I tried connecting the iPod to other headphones, and inserted and removed the headphone jack from the iPod about 20 times, the only thing I haven't tried is restoring because I don't know if that would make any difference and I would like to avoid restoring if I can. Thank you for your time.

    Thank you for the suggestion, but it didn't work.
