Introducing the Internet Address Management Wizard: Part 3 of 3

[Today's post comes to us courtesy of Ed Walters, Shawn Sullivan, and Justin Crosby]

Today we finish with part 3 of our 3 part series on the IAMW.  Part 1 can be found here and part 2 here.

What Changes Does the IAMW Make?

External DNS

If you choose“I want the server to manage the domain name for me” the following Internet DNS records are created by the wizard and registered at the partner registrar.

• A Record – maps remote.domain.com to the WAN address of your hardware/software firewall.
• MX Record – maps @domain.com to the A record specified above.
  • This directs email sent to users @domain.com to your public IP.
• TXT Record – used to define Sender Policy Framework (SPF) information
  • Text  =  “v=spf1 a mx ~all”
• SRV record – _autodiscover._tcp.FQDN points to the “A” record using port 443.
  • This is a service location record used with Outlook 2007 and Exchange 2007 in conjunction with the AutoDiscover service.

If you choose “I want to manage the domain myself”, you must manually create and maintain these records with your DNS registrar.

Internal DNS

The following DNS records are created locally on the SBS server. This is done in all scenarios.

• Forward lookup zone - remote. <domain>.com
  • (SOA) Start of Authority record – points to the internal SBS server’s Fully Qualified Domain Name (FQDN)
  • (NS) Name Service record - points to SBS server’s FQDN
  • Host record – points SBS server IP to SBS server’s FQDN

Dynamic DNS

SBS is able to keep external DNS records up-to-date by making a connection to the partner registrar that is hosting the customer’s domain name and DNS records.   SBS uses the “Dynamic DNS Client” service to query the partner registrar to see if the external domain IP address has changed (every 10 minutes by default).  If so, the service will use the new IP address in a second call to update the host A record for the domain.

The Dynamic DNS Service will ensure the following

• A Record – This contains the servers IP address, and is pointed to the FQDN FQDN.
• MX Record – This is pointed to the A record
• TXT Record – This is configured as if it were the IAMW wizard
• SRV record - _autodiscover._tcp.FQDN points to A record

After SBS 2008 setup completes, the Dynamic DNS Client service remains inactive until you choose to configure your domain with a partner registrar. Once you do, the service will be set to automatic and begin querying the registrar every ten minutes by default.

If the IP address hasn’t changed in 20 days, the service will refresh it at the registrar.  This will ensure the provider doesn’t shut down dynamic DNS updates without our knowledge.

If you have a static IP you can disable this service.

External Naming Conventions

In an effort to standardize the remote connection naming convention, SBS 2008 prefixes “remote” to the .domain.com as its standard naming configuration. Examples of this can be seen through the records created for applications like Remote Web Workplace and Outlook Web Access. The Self-Signed Certificate is also stamped using this naming convention as well.

• remote.domain.com - By default, SBS 2008 configures its remote applications (OWA, RWW, VPN, Active Sync) to use this address.
• SBS Certificate name – By default, the self signed certificate is created by the IAMW with the remote.domain.com naming convention.

IIS

The SBS Web Applications site’s host header value is stamped with the chosen domain name. A leaf SSL certificate is created and bound to the SBS Web Applications site on port 443 and to the SBS Sharepoint site on port 987.

For instance, if you have chosen the name “remote.constoso.com”, and external DNS records are correct, you would access the following resources as so:

• Outlook Web Access: https://remote.contoso.com/owa
• Remote Web Workplace: https://remote.contoso.com/Remote
• Companyweb: https://remote.contoso.com/:987

TS Gateway

• TS Gateway is configured to use the SSL certificate created by the wizard.

Exchange

• The banner of the Windows SBS Internet Send and Receive Connectors are stamped with the chosen domain name.
• The URLs for OWA, ActiveSync, and the OAB virtual directories are set according to the chosen domain name.
• An Accepted Domain and Email-Address Policy is created using the chosen domain name.
• An SSL certificate is configured for IMAP4, POP3, Web, and SMTP access. This is the same certificate that is bound to the SBS Web Applications and SBS Sharepoint sites and used by TS Gateway.

Certificate Distribution

A certificate distribution package is created the first time you run the IAMW for deployment to non-domain joined clients and mobile devices. For more information please see:

• How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?
• Introducing the “Add a Trusted Certificate Wizard” in SBS 2008