DNS, Disjoint Namespace, Certificates and Service URLs
This whole deployment has my head twisted.  We currently have an Exchange 2010 deployment that is completely misconfigured and I am wanting to solve the issues with the 2013 migration.  Here is what has me boggled:


Our internal domain is domain.int, our NETBIOS domain name is domain and our external domain is domain.org.  Does this classify as having a disjoint namespace?

Our internal DNS forward lookup zone only contains the records for .int, not .org.  If we do classify as having a disjoint namespace and we do add the .org DNS suffix to the Exchange and AD servers, are we still required to host our external domain records internally?

If our engineers are wanting to keep the external records out of our internal DNS, is it possible to cut a mail.domain.int cert from our internal CA and a mail.domain.org cert from a third party CA and assign services accordingly?

I would appreciate any feedback that you can provide.  I am really stumped at this point.  Thank you in advance,

--Scott



May 15th, 2015 4:45pm

Hi Scott,

As long as you use an external DNS, you need not keep any forward lookup records within your DNS. Just set up the internal DNS with .int records only. So, any external communication should be able to go to the internet through the internal internet routing.

You need to have a third party certificate for external email access like Outlook anywhere, mobile access etc.

May 15th, 2015 4:52pm

So then our domain doesn't qualify as having a disjoint namespace?  So then, with what you are saying, I would just set the internal and external service URLs to mail.domain.org?  How does that affect the connection between our Outlook clients and the CAS server?
May 15th, 2015 4:57pm

Since 3rd party trusted CAs will only give you a cert that contains domains that are routable and you actually own, you will not be able to get one with your domain.local addresses on them.  So in this case you will need to set your internal URLs to be the same as your external domain.  Of course, if you just do that then the traffic will leave the firewall and come back in the firewall, which is not really an ideal connection experience from inside the network.  To avoid this, you can create a new DNS zone for mail.domain.org with just an A record that points to your Exchange Server/load balancer.  I understand that autodiscover should happen through the SCP records, but you should probably create a zone for autodiscover.domain.org as well.

May 15th, 2015 6:48pm
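The pinpoint-zone approach from the answer above, carried through as an added example (not code from any poster): it creates the two single-host zones on an AD-integrated DNS server, checks that they resolve internally to the private address, points the Exchange 2013 client URLs at the public name, and confirms the IIS-bound certificate carries both names. The VIP 10.0.0.25, the server name EX01 and the domain-wide replication scope are assumptions.

```powershell
# Added example: pinpoint DNS zones plus matching Exchange 2013 client URLs.
# Assumptions (not from the thread): internal CAS/load balancer VIP 10.0.0.25 (constructed),
# AD-integrated zones replicated domain-wide, and a single server named EX01.
$InternalVip = '10.0.0.25'
$Server      = 'EX01'
$Names       = 'mail.domain.org', 'autodiscover.domain.org'

# 1. One zone per hostname, so only these two external names are answered internally;
#    every other domain.org record still resolves through the forwarder.
foreach ($name in $Names) {
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope Domain
    }
    # The apex record ("@") is what answers the bare hostname itself.
    Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $InternalVip
}

# 2. Internal clients must now get the private VIP, not the public address.
foreach ($name in $Names) {
    $answers = @((Resolve-DnsName -Name $name -Type A).IPAddress)
    if ($answers -notcontains $InternalVip) {
        Write-Warning "$name resolves to $($answers -join ',') internally; expected $InternalVip"
    }
}

# 3. Internal and external URLs share the public name, so a single third-party
#    certificate covers both paths and no domain.int name has to be on it.
$base = 'https://mail.domain.org'
Get-OwaVirtualDirectory -Server $Server | Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Get-EcpVirtualDirectory -Server $Server | Set-EcpVirtualDirectory -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server | Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server $Server | Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere -InternalHostname 'mail.domain.org' -ExternalHostname 'mail.domain.org' `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Ntlm -ExternalClientAuthenticationMethod Basic
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# 4. The certificate bound to IIS must list both names or Outlook will warn on every connect.
$cert = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match 'IIS' }
$missing = $Names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Certificate $($cert.Thumbprint) lacks: $($missing -join ', ')" }
```

Run steps 1 and 2 in a DnsServer-module session on the domain controller and steps 3 and 4 in the Exchange Management Shell.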
