Setting up an external Autodiscover record for SBS 2008 or SBS 2011



If you are using Exchange 2007 or Exchange 2010 (SBS or non-SBS) and are using a single-name certificate, this article is for you.

When you migrate to SBS 2008 or SBS 2011 and you already have a domain name, you don’t need to use the built-in domain registration wizard that is included in the SBS setup process.

This is well and good, but it has a downside worth knowing about. You probably didn’t know it, but one of the things Microsoft does when it sets up your new domain name at the registrar is create a custom SRV record for your domain so that Autodiscover works properly for external client auto-configuration. This is needed because you are using a single-name cert, which isn’t what Exchange 2007/2010 was designed to use. If you already have a domain name registered and are able to create your own DNS SRV records (some DNS hosts don’t allow SRV record creation), it is a good idea to create an Autodiscover SRV record so that Outlook 2007/2010 clients can autoconfigure themselves for Outlook Anywhere (RPC-over-HTTPS) and ActiveSync.

The details on how to set this record up are all in KB940881, but I’ll briefly summarize it here:

1. Get rid of any CNAME or A records for “autodiscover”, and any wildcard “*” records in the public DNS zone. This is a critical step, so don’t just drift past it.
2. Build the SRV record to look like this:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: remote.smallbizco.net

Why do you need to do this for Autodiscover to work? Well, when you feed an Outlook client an email address, it tries to autoconfigure itself by contacting a series of hosts in this order:

- https://domainname.com/autodiscover/autodiscover.xml
- https://autodiscover.domainname.com/autodiscover/autodiscover.xml
- http://autodiscover.domainname.com/autodiscover/autodiscover.xml

Because your certificate is tied to a single name, remote.domainname.com, any HTTPS connection to the autodiscover URL will fail with a certificate name mismatch. If you create an A or CNAME record for ‘autodiscover’ that points to your server’s public IP and allow port 80 to your server, Autodiscover will work, but you would then have opened unencrypted port 80 traffic to your server.

An alternate option, still using SSL, is what this article is about. This method takes advantage of a feature added in Outlook 2007 SP1 that lets the client look for an SRV record and use it to find the “real” Autodiscover host. In this case the SRV record points to remote.smallbizco.net, which is the name covered by the cert, so a secure connection to that server to get Autodiscover information will succeed.
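As an added illustration (not code from the original post), the following Python walks the lookup order above against a constructed public zone and reports which step Outlook would land on, plus a pre-flight check for the leftover records that step 1 warns about. The domain smallbizco.net, the IP addresses and the zone contents are constructed for the example.

```python
# Added example, not code from the original post: simulates the Autodiscover lookup
# order the article lists over a constructed public DNS zone. Domain, addresses and
# record contents are constructed; SRV records are (priority, weight, port, target).
DOMAIN = "smallbizco.net"
CERT_NAMES = {"remote.smallbizco.net"}                 # single-name certificate
SRV_NAME = "_autodiscover._tcp." + DOMAIN

def resolve_host(zone, name):
    """A/CNAME lookup that also honours a '*.<parent>' wildcard record."""
    if name in zone:
        return zone[name]
    return zone.get("*." + name.split(".", 1)[1]) if "." in name else None

def autodiscover_walk(zone, cert_names=CERT_NAMES, domain=DOMAIN):
    """(scheme, host, outcome) steps Outlook 2007 SP1+ tries, stopping where the search ends."""
    steps, ad_host = [], "autodiscover." + domain
    for host in (domain, ad_host):                         # steps 1-2: HTTPS
        if resolve_host(zone, host):
            if host in cert_names:
                return steps + [("https", host, "ok")]
            steps.append(("https", host, "certificate prompt"))   # name not on the cert
    if resolve_host(zone, ad_host):                        # step 3: plain HTTP
        return steps + [("http", ad_host, "plain HTTP on port 80 (SRV never consulted)")]
    srv = zone.get(SRV_NAME)                                # step 4: SRV (needs Outlook 2007 SP1)
    if srv is None:
        return steps + [("srv", SRV_NAME, "no record")]
    return steps + [("https", srv[3], "ok" if srv[3] in cert_names else "certificate prompt")]

def zone_issues(zone, cert_names=CERT_NAMES, domain=DOMAIN):
    """Pre-flight check for the article's two steps; an empty list means the zone is clean."""
    issues = []
    if "autodiscover." + domain in zone:
        issues.append("autodiscover A/CNAME still present (step 1)")
    if "*." + domain in zone:
        issues.append("wildcard record still present (step 1)")
    srv = zone.get(SRV_NAME)
    if srv is None:
        issues.append("SRV record missing (step 2)")
    elif srv[2] != 443 or srv[3] not in cert_names:
        issues.append("SRV must point at the certificate name on port 443 (step 2)")
    return issues

EXCHANGE_IP, WEB_IP = "203.0.113.10", "198.51.100.20"     # constructed documentation addresses
SRV_OK = (0, 0, 443, "remote." + DOMAIN)
ZONE_BEFORE = {"remote." + DOMAIN: EXCHANGE_IP, "autodiscover." + DOMAIN: EXCHANGE_IP, SRV_NAME: SRV_OK}
ZONE_WILDCARD = {"remote." + DOMAIN: EXCHANGE_IP, "*." + DOMAIN: WEB_IP, SRV_NAME: SRV_OK}
ZONE_AFTER = {"remote." + DOMAIN: EXCHANGE_IP, SRV_NAME: SRV_OK}
```

Running `autodiscover_walk` on ZONE_BEFORE shows the certificate prompt for autodiscover.smallbizco.net followed by the port 80 fallback, while ZONE_AFTER goes straight to the SRV target over HTTPS.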

Got it? Great!

BTW, if you have a single-name cert on a non-SBS Exchange 2007 or Exchange 2010 server, you still want to use an SRV record as described above, but there will be other changes you will need to make to your environment as well, primarily resetting the URLs on most of your Exchange virtual directories so that they all point to the name that is on your certificate. This is something that the SBS wizards take care of automagically.


So who wrote this blog and what do they do for a living anyway?

We’re Third Tier. We provide advanced Third Tier support for IT Professionals.

22 thoughts on “Setting up an external Autodiscover record for SBS 2008 or SBS 2011”

  • Dominic Bolger

    Hi Susan

    I did the above and it resolved an issue downloading the address book, but now I am left with an issue whereby every time I log in to Outlook I get a prompt saying that the certificate is not valid for autodiscover.domain.com.

    I have a valid cert for remote.domain.com and everything else works fine. It is more of an irritation than an issue, but any ideas/pointers on how to resolve it would be appreciated.

    thanks

  • Dave Shackelford

    Sounds like you still have an A-record for remote.domain.com. You need to remove that. Only names that exist in your cert should be used, and if you create an autodiscover A-record, it will use that, and you’re getting the error since that name is not in the cert.

    Or it could be that the system with Outlook still has some way of resolving the ‘autodiscover.domain.com’ record to an IP address, and that will cause the issue. Did you add that to the local hosts file?

  • Dave Shackelford

    Whoops, I meant you still have an A-record for ‘autodiscover.domain.com’. You need to remove that, which is step one in my walkthrough.

  • R. Holden

    You may also want to check your A records for a wild card setting for your main domain.

    Ex: *.yourdomain.com –> IP address of your website host (not necessarily the same host for exchange).

    HTH!

  • M.Rudkin

    Thanks for the help on this. I thought it was Certificate related and was going to purchase a wildcard cert.

    My problem was having a * record in my external DNS. This was pushing autodiscover through port 80 instead of using the SRV record.

    After deleting the * record and waiting for DNS to propagate the autodiscover no longer showed the security certificate message when connecting Outlook 2007 / 2010.

    As a side note, my client also wanted to use an existing certificate called mail.mydomain.co.uk. This caused me a whole world of grief, breaking Out of Office and several other features. I had manually tried to alter the settings in DNS / IIS.

    With SBS it’s a very simple process of running through the Internet Address wizard and at the point you enter your domain click on the Advanced link. You can simply change remote to whatever you like.

    For me these two problems were both tied together. I found Dave’s Train Signal SBS video fantastic but didn’t really get to understand the above. Perhaps he did mention all of this, I just didn’t take it all in.

    However as with most things this has been a true headache, but now I feel like a better engineer.

    Shackdaddy rocks ;-)

  • jgus

    So you say that Outlook 2007 SP1 is needed in order to use the SRV record to find its way. What about Outlook 2003? Does Outlook Anywhere on Outlook 2003 have any issues using the SRV record and a single-name cert? Or would Outlook 2003 require me to go ahead with a multi-domain cert and adding the autodiscover DNS record?

    • Ken Sheppard

      Thanks for your article. Unfortunately, my DNS host will not allow me to create SRV records. I can create MX, text, CNAME and A records but not SRV. So if I want to use a single cert with my SBS 2011 install and still use autodiscover.domain.com and remote.domain.com, should I simply purchase a wildcard cert or a SAN cert from GoDaddy?

      Thanks for any suggestions.

      Ken

      • dave Post author

        Ken, you are going to want a SAN cert. The GoDaddy one would be fine. Several consultants I work with consolidate their DNS management with providers that don’t support SRV records yet, so they’ve always had to issue multi-name certs when they deploy SBS 2008.

        Here’s what you want on the certificate:
        Common name: remote.domain.com (or whatever you want users to hit when they access OWA)
        Subject Alternative names:
        autodiscover.domain.com
        server.domain.local (internal FQDN)
        server (internal netbios name)

        The process of generating a cert request for a multiname cert is not something that’s handled in the SBS 2008 GUI (although it is in the Exchange 2010 GUI), so you want to use this wizard at Digicert to generate a powershell script that you’d subsequently execute on your SBS 2008 server: https://www.digicert.com/easy-csr/exchange2007.htm

        Once you have your certificate, you’d install that with an import-exchangecertificate command and then enable it for services with the enable-exchangecertificate command.

    • dave Post author

      Jeff, Outlook 2003 doesn’t support Autodiscover at all, so it has nothing to do with the number of names on a cert or DNS records. Outlook 2003 just needs to be configured manually for RPC-over-HTTPS, and can use either single-name or multiname cert, as long as the common name on the cert is the same name used for the RPC Proxy setting in Outlook. Typically that would not be “autodiscover.domain.com” but would be “remote.domain.com” or “mail.domain.com”.

      As far as Outlook 2007, it was only with SP1 that it started to support querying SRV records for Autodiscover. Before that, it only looked for Autodiscover.domainname.com or just domainname.com. Because of that, you really want to have SP1 loaded for SBS 2008\2010 clients, since they will usually be using a single-name cert alongside an SRV record.

  • Adrian

    Great article!

    Thanks for the tip on the _autodiscover_tcp.domain.com SRV record…
    I kept running tests on my autodiscovery and realized once reading your article that I had the wrong url in the SRV record and it was causing my tests to fail.

    Changed the SRV record and hey presto! Works like a charm!

  • Michael

    GoDaddy has a section for SRV, but it also asks for:
    name = This is the domain name for which the record is valid.
    priority = 0-65535 (0 being having the most priority)
    Weight = 0-65535 (The higher the value, the more weight a service is given)

    I set it up as:
    Service: _autodiscover
    Protocol: _tcp
    Name: @
    Priority: 0
    Weight: 65535
    Port Number: 443
    Target: remote.domainname.com
    TTL: 1 hour

    I also deleted autodiscover cname.

    Does the above appear to be correct? Having problems with blackberries. Our certificate is associated with remote.domainname.com.

    Thank you

  • Zyzyxx

    Thank you so much for the great article. It is concise and works perfect. Every time I connected to the company’s VPN I would get a BSOD (different problem) and manually configuring Outlook Anywhere still wasn’t working. Setting this up allowed me to connect to the SBS 2011 with a self-signed certificate and do what I needed to. Thanks again!

  • casey

    Okay, so we have 21 certs in our Exchange server. Most seem to be duplicates: remote.domain.com and mail.domain.com, and there are one or two that are WSM and mail.example.local. Our domain name is mywebsite.com, our server name is MAIL and our internal domain is myweb.local (in other words our domain name is longer than what SBS would allow by one letter). Sorry, my point is: we have a working email connection, mail flows in and out no problem.

    The problem is OOF works on some but not all computers in and out of the network. So my question is, can I remove all certs and just click on Configure Internet Address in the SBS wizard, and will this reconfigure the cert to allow things to flow smoothly with OOF, Autodiscover etc.? Or can I, without removing the certs, just click on Configure Internet Address and that will fix my issue? When I run Test Autoconfiguration on those who can’t get OOF, the log shows autodiscover.domain.com failed. However, on the machines that do have OOF, Test Autoconfiguration is getting remote.domain.com.

    So I am not sure why some computers are getting it and others are not.

    • Liliana

      Hi, I have the Enterprise version of Microsoft 365 Online as it was free with my Partner with Microsoft, or I would have picked Small Business Professional. It appears from your details on cPanel that they match with MX records and mine work the same. With Lync: Professional (what you are using now) 2 SRV entries; Enterprise 1 SRV and 2 CNAME, but I can’t find any reference to how to enter them in cPanel/WHM. I have guessed a few times but no luck. Currently I have (commas just to separate fields):
      _sipfederationtls._tcp, 3600, SRV, 100, 1, 5061, sipfed.online.lync.com.
      sip.mydomain.net.au, 3600, CNAME, sipdir.online.lync.com.
      lyncdiscover.mydomain.net.au, 3600, CNAME, webdir.online.lync.com.
      Not working.

  • IT MVP

    Thanks this helped to resolve a nagging certificate error. I usually issue UCC SSL Certs from go daddy for new exchange clients but for the single server SSL Cert this is one of the best guides I’ve seen. You should have a link to the exchange cmdlets you need to run to get your exchange server to only want one ssl cert:

    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

    Set-UMVirtualDirectory -Identity "DCROOT\unifiedmessaging (SBS Web Applications)" -InternalUrl https://autodiscover.rjwatson.com/unifiedmessaging/service.asmx

  • Mike

    Is there a way to test this externally? I am setting this up for a client and will not be able to go on-site for another week or so to test internally, and I only have access to the server remotely.

    I have tried the Exchange Analyzer tool on the web, but it keeps coming back as failed. I have made sure there are no wildcards or autodiscover entries anywhere.

    I am also running a spam filter, so do I need to point the SRV record to my spam filter or the firewall with 443 forwarded to the SBS 2008 box?

    Thank you for the awesome write up!
