Setting up Autodiscover for SBS 2011 10

Post to Twitter Post to Facebook Post to StumbleUpon

This is a refresh of an article I wrote earlier for SBS 2008, with a few minor updates.

If you are using Exchange 2007 or Exchange 2010 (SBS or non-SBS) and are using a single-name certificate, this article is for you.

When you migrate to SBS 2008 or SBS 2011 and you already have a domain name, you don’t need to use the built-in domain registration wizard that is included in the SBS setup process.

This is well and good, but it has a downside worth knowing about. You probably didn’t know it, but something that Microsoft does when they set up your new domain name at the registrar is create a custom SRV record for your domain so that Autodiscover will work properly for external client auto-configuration. This is because you are using a single-name cert, which isn’t what Exchange 2007/2010 was designed to use. If you already have a domain name registered and are able to create your own DNS SRV records (some DNS hosts don’t allow SRV record creation), it would be a good idea to create an Autodiscover SRV record to make it easier for Outlook 2007/2010 clients to autoconfigure themselves for Outlook Anywhere (RPC-over-HTTPS) and ActiveSync.

The details on how to set this record up are all in KB940881, but I’ll briefly summarize it here:

1. Get rid of any CNAME or A records for “autodiscover”, and any wildcard “*” records in the public DNS zone. This is a critical step, so don’t just drift past it.
2. Build the SRV record to look like this:

Service: _autodiscover
Protocol: _tcp
Port Number: 443

Weight and priority should normally both be set to zero.

Why do you need to do this for Autodiscover to work? Well when you feed an Outlook client an email address, it tries to autoconfigure itself, and it does this by trying to contact a series of hosts as follows:


After failing these steps, it will look for an SRV record, and if you haven’t created one, there won’t be one. We’ll come back to this point shortly.

Because your certificate is tied to a single name:, any https connection to the autodiscover URL will fail. If you want to create an A or CNAME record for ‘autodiscover’ that points to your server’s public IP and allow port 80 to your server, autodiscover will work, but you would then have allowed port 80 traffic to your server.

An alternate option, still using SSL, is what this article is about. This method takes advantage of a feature that was added in Outlook 2007 SP1 that allows it to look for an SRV record and use the SRV record to find the “real” autodiscover host. In this case, the SRV record is pointing to, which is the name covered by the cert, so a secure connection to that server to get Autodiscover information will succeed.

Got it? Great!

BTW, if you have a single-name cert on a non-SBS Exchange 2007 or Exchange 2010 server, you still want to use an SRV record as described above, but there will be other changes you will need to make to your environment as well, primarily resetting the URLs on most of your Exchange virtual directories so that they all point to the name that is on your certificate. This is something that the SBS wizards take care of automagically.

Leave a comment

Your email address will not be published. Required fields are marked *

This blog is kept spam free by WP-SpamFree.

10 thoughts on “Setting up Autodiscover for SBS 2011

  • Pingback: SBS 2008 / 2011 adding an SSL certificate « LAN-Tech Network Management

  • Yelena

    Thank you so much for the great article. It is cocsnie and works perfect. Every time I connected to the company’s VPN I would get a BSOD (different problem) and manually configuring Outlook Anywhere still wasn’t working. Setting this up allowed me to connect to the SBS 2011 with a self-signed certificate and do what I needed to. Thanks again!

  • Zach Bowman

    First you say to get rid of any A records for autodiscover then after describing the manual creation you mention that it might be beneficial to add an A record for autodiscover.

    I think you accidentally a thing.

    • Dave Shackelford

      Yelena, glad that helped.

      Zach, I didn’t say it would be beneficial, I said if it was done, it could work as long as port 80 was open, but that’s frequently not an acceptable configuration. My approach is to leave port 80 closed and proceed as described above, with a purely SSL solution. I think that I was trying to anticipate a counter-argument when I included that comment about port 80.

  • Pingback: How Do I Reconfigure Exchange Autodiscover? | Click & Find Answer !

  • Ed Mah

    Great article. It worked for me and so necessary with Office 2016. Exchange configuration now requires a proper auto discover setup.

    • Erin

      How did you get it working for Outlook 2016? I still haven’t had any luck. Connecting to SBS 2011. I’ve tried everything from this and 100 other websites lol. Any help would be appreciated.


  • Alex

    It doesn’t seem to work. Running SBS 2011 Standard. Gives security/SSL related errors both on Outlook and mobile devices (android). Any ideas? I have SSL on one main domain.