Comments on: Setting up an external Autodiscover record for SBS 2008 or SBS 2011

By: Nathan

Nathan — Thu, 15 Dec 2011 21:31:01 +0000

So then is a UC certificate (as opposed to plain SSL certificates) necessary if we’re using SRV record for the autodiscover service?

By: casey

casey — Sat, 13 Aug 2011 03:25:59 +0000

Okay so we have 21 certs in our exchange server. Most seem to be duplicates. remote.domain.com and mail.domain.com, there is one or two that are WSM and mail.example.local our domain name is mywebsite.com and our server name is MAIL and our internal domain is myweb.local (in other words our domain name is longer then what SBS would allow by one letter). Sorry, my point is. We have a working email connection mail flows in and out no problem.

The problem is OOF works on some but not all computers in and out of the network. So my question is can I remove all certs and just click on configure internet address in the SBS wizard and will this reconfigure the cert to allow things to flow smoothly with OOF, autodiscover etc.. Or can I with out removing the certs just click on the configure internet address that fix my issue? when I run test autoconfiguration on those who can’t get OOF the log shows autodiscover.domain.com failed. However on the machines that do have OOF the test autoconfiguration are getting remote.domain.com

so I am not sure why there are some computers are getting it and others are not.

By: Zyzyxx

Zyzyxx — Thu, 28 Jul 2011 23:04:19 +0000

Thank you so much for the great article. It is concise and works perfect. Every time I connected to the company’s VPN I would get a BSOD (different problem) and manually configuring Outlook Anywhere still wasn’t working. Setting this up allowed me to connect to the SBS 2011 with a self-signed certificate and do what I needed to. Thanks again!

By: Anil choubey

Anil choubey — Thu, 28 Jul 2011 13:26:14 +0000

Awesome blog for understanding the pupose of Autodiscover for outlook clients..post some videos as well..cheers:)

By: Michael

Michael — Sat, 23 Jul 2011 19:53:04 +0000

GoDaddy has a section for SRV, but it also asks for:
name = This is the domain name for which the record is valid.
priority = 0-65535 (0 being having the most priority)
Weight = 0-65535 (The higher the value, the more weight a service is given)

I set it up as:
Service: _autodiscover
Protocol: _tcp
Name: @
Priority: 0
Weight: 65535
Port Number: 443
Target: remote.domainname.com
TTL: 1 hour

I also deleted autodiscover cname.

Does the above appear to be correct? Having problems with blackberries. Our certificate is associated with remote.domainname.com.

Thank you

By: Adrian

Adrian — Sun, 26 Jun 2011 11:31:57 +0000

Great article!

Thanks for the tip on the _autodiscover_tcp.domain.com SRV record…
I kept running tests on my autodiscovery and realized once reading your article that I had the wrong url in the SRV record and it was causing my tests to fail.

Changed the SRV record and hey presto! Works like a charm!

By: dave

dave — Wed, 02 Mar 2011 20:48:32 +0000

Ken, you are going to want a SAN cert. The GoDaddy one would be fine. Several consultants I work with consolidate their DNS management with providers that don’t support SRV records yet, so they’ve always had to issue multi-name certs when they deploy SBS 2008.

Here’s what you want on the certificate:
Common name: remote.domain.com (or whatever you want users to hit when they access OWA)
Subject Alternative names:
autodiscover.domain.com
server.domain.local (internal FQDN)
server (internal netbios name)

The process of generating a cert request for a multiname cert is not something that’s handled in the SBS 2008 GUI (although it is in the Exchange 2010 GUI), so you want to use this wizard at Digicert to generate a powershell script that you’d subsequently execute on your SBS 2008 server: https://www.digicert.com/easy-csr/exchange2007.htm

Once you have your certificate, you’d install that with an import-exchangecertificate command and then enable it for services with the enable-exchangecertificate command.

By: dave

dave — Wed, 02 Mar 2011 20:39:54 +0000

Jeff, Outlook 2003 doesn’t support Autodiscover at all, so it has nothing to do with the number of names on a cert or DNS records. Outlook 2003 just needs to be configured manually for RPC-over-HTTPS, and can use either single-name or multiname cert, as long as the common name on the cert is the same name used for the RPC Proxy setting in Outlook. Typically that would not be “autodiscover.domain.com” but would be “remote.domain.com” or “mail.domain.com”.

As far as Outlook 2007, it was only with SP1 that it started to support querying SRV records for Autodiscover. Before that, it only looked for Autodiscover.domainname.com or just domainname.com. Because of that, you really want to have SP1 loaded for SBS 2008\2010 clients, since they will usually be using a single-name cert alongside an SRV record.

By: Ken Sheppard

Ken Sheppard — Wed, 02 Mar 2011 19:56:50 +0000

Thanks for your article. Unfortunately, my DNS host will not allow me to create SRV records. I can create MX, text, CNAME and A records but not SRV. So if I want to use a single cert with my SBS 2011 install and still use autodiscover.domain.com and remote.domain.com, should I simply purchase a wildcard cert or a SAN cert from GoDaddy?

Thanks for any suggestions.

Ken

By: jgus

jgus — Sat, 26 Feb 2011 05:32:57 +0000

So you say that Outlook 2007 SP1 is needed in order to use the SRV record to find its way. What about Outlook 2003? Does Outlook Anywhere on Outlook 2003 have any issues using the SRV record and a single-name cert? Or would Outlook 2003 require me to go ahead with a multi-domain cert and adding the autodiscover DNS record?