Feb 20

Setting up an external Autodiscover record for SBS 2008

By Dave Shackelford

When you migrate to SBS 2008 and you already have a domain name, you don’t need to use the domain registration wizard that is built into the SBS 2008 Setup process.

This is well and good, but it has a downside worth knowing about. You probably didn’t know it, but one of the things Microsoft does when it sets up your new domain name at the registrar is create a custom SRV record for your domain so that Autodiscover works properly for external client autoconfiguration. If you already have a domain name registered and can create your own DNS SRV records (some DNS hosts don’t allow SRV record creation), it is a good idea to create an Autodiscover SRV record so that Outlook 2007 clients can autoconfigure themselves for Outlook Anywhere (RPC-over-HTTPS).

The details on how to set this record up are all in KB940881, but I’ll briefly summarize it here:

1. Get rid of any CNAME or A records for “autodiscover”
2. Build the SRV record to look like this:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: remote.smallbizco.net

Why do you need to do this for Autodiscover to work? Well, when you feed an Outlook client an email address, it tries to autoconfigure itself by contacting a series of hosts in this order:

- https://domainname.com/autodiscover/autodiscover.xml
- https://autodiscover.domainname.com/autodiscover/autodiscover.xml
- http://autodiscover.domainname.com/autodiscover/autodiscover.xml

Because your cert is tied to a single name, remote.domainname.com, any HTTPS connection to those autodiscover URLs will fail. If you create an A or CNAME record for ‘autodiscover’ that points to your server’s public IP and open port 80 to your server, Autodiscover will work, but you will have exposed port 80 on your server to do it. The alternative this article describes keeps everything on SSL. It takes advantage of a feature added in Outlook 2007 SP1 that lets the client look for an SRV record and use it to find the “real” Autodiscover host. Here the SRV record points to remote.smallbizco.net, the name covered by the cert, so the secure connection to that server to fetch Autodiscover information succeeds.
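As an added illustration (not code from Dave’s post), the Python below walks that candidate order against a small constructed DNS table and reports which URL an Outlook 2007 SP1 client ends up using and why. The IP address, the SRV priority/weight of 0/0, and the `autodiscover()` helper are all my assumptions; the domain and host names are the ones used in the post.

```python
"""Simulate the Outlook 2007 SP1 Autodiscover lookup order against a
constructed DNS table (added example; not the post's own code)."""

EXCHANGE_IP = "203.0.113.10"            # constructed public IP of the SBS box
DOMAIN = "smallbizco.net"
CERT_NAMES = {"remote.smallbizco.net"}  # the single name on the cert
PATH = "/autodiscover/autodiscover.xml"

# Constructed records. "A" maps name -> IP; "SRV" maps the service name
# to (priority, weight, port, target); priority/weight 0/0 are assumed.
DNS_SRV_ONLY = {
    "A": {"remote.smallbizco.net": EXCHANGE_IP},
    "SRV": {"_autodiscover._tcp." + DOMAIN: (0, 0, 443, "remote.smallbizco.net")},
}
# Same zone, but with the "autodiscover" A record that step 1 says to remove.
DNS_STALE_A = {"A": dict(DNS_SRV_ONLY["A"], **{"autodiscover." + DOMAIN: EXCHANGE_IP}),
               "SRV": DNS_SRV_ONLY["SRV"]}


def autodiscover(domain, dns, cert_names=CERT_NAMES, port80_open=False):
    """Return (url, outcome) for the first candidate that gets a response.
    Simplification: only the Exchange IP answers Autodiscover requests;
    an unresolvable name or any other host counts as a failed attempt."""
    candidates = [("https", domain),
                  ("https", "autodiscover." + domain),
                  ("http", "autodiscover." + domain)]
    for scheme, host in candidates:
        if dns["A"].get(host) != EXCHANGE_IP:
            continue                       # nothing there: try the next one
        if scheme == "https":
            # Reached Exchange over TLS: fine if the name is on the cert,
            # otherwise the user sees the "certificate is not valid" prompt.
            return (f"https://{host}{PATH}", "ok" if host in cert_names else "cert-prompt")
        if port80_open:                    # the post's port-80 alternative: cleartext
            return (f"http://{host}{PATH}", "plain-http")
    # Outlook 2007 SP1 fallback: look for the _autodiscover._tcp SRV record.
    srv = dns.get("SRV", {}).get(f"_autodiscover._tcp.{domain}")
    if srv is None:
        return (None, "no-autodiscover")
    _prio, _weight, port, target = srv
    return (f"https://{target}:{port}{PATH}", "ok" if target in cert_names else "cert-prompt")


if __name__ == "__main__":
    for label, dns in (("SRV only", DNS_SRV_ONLY), ("stale A record", DNS_STALE_A)):
        print(label, "->", autodiscover(DOMAIN, dns))
```

With the SRV-only zone the client lands on remote.smallbizco.net over SSL; with the leftover A record it reaches the server as autodiscover.smallbizco.net, a name the cert does not cover.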

Got it? Great!


So who wrote this blog and what do they do for a living anyway?

We’re Third Tier. We provide advanced Third Tier support for IT Professionals.

4 Comments

1

Hi Susan

I did the above and it resolved an issue downloading the address book, but now I am left with an issue whereby every time I log in to Outlook I get a prompt saying that the certificate is not valid for autodiscover.domain.com

I have a valid cert for remote.domain.com and everything else works fine. It is more of an irritation than an issue, but any ideas/pointers on how to resolve it would be appreciated.

thanks

2

Sounds like you still have an A-record for remote.domain.com. You need to remove that. Only names that exist in your cert should be used, and if you create an autodiscover A-record, it will use that, and you’re getting the error since that name is not in the cert.

Or it could be that the system with Outlook still has some way of resolving the ‘autodiscover.domain.com’ record to an IP address, and that will cause the issue. Did you add that to the local hosts file?

3

Whoops, I meant you still have an A-record for ‘autodiscover.domain.com’. You need to remove that, which is step one in my walkthrough.

4

You may also want to check your A records for a wildcard setting for your main domain.

Ex: *.yourdomain.com –> IP address of your website host (not necessarily the same host for exchange).

HTH!
