This is a refresh of an article I wrote earlier for SBS 2008, with a few minor updates.
If you are using Exchange 2007 or Exchange 2010 (SBS or non-SBS) and are using a single-name certificate, this article is for you.
When you migrate to SBS 2008 or SBS 2011 and you already have a domain name, you don’t need to use the built-in domain registration wizard that is included in the SBS setup process.
This is well and good, but it has a downside worth knowing about. You probably didn’t know it, but something that Microsoft does when they set up your new domain name at the registrar is create a custom SRV record for your domain so that Autodiscover will work properly for external client auto-configuration. This is because you are using a single-name cert, which isn’t what Exchange 2007/2010 was designed to use. If you already have a domain name registered and are able to create your own DNS SRV records (some DNS hosts don’t allow SRV record creation), it would be a good idea to create an Autodiscover SRV record to make it easier for Outlook 2007/2010 clients to autoconfigure themselves for Outlook Anywhere (RPC-over-HTTPS) and ActiveSync.
The details on how to set this record up are all in KB940881, but I’ll briefly summarize it here:
1. Get rid of any CNAME or A records for “autodiscover”, and any wildcard “*” records in the public DNS zone. This is a critical step, so don’t just drift past it.
2. Build the SRV record to look like this:
Port Number: 443
Weight and priority should normally both be set to zero.
Why do you need to do this for Autodiscover to work? Well when you feed an Outlook client an email address, it tries to autoconfigure itself, and it does this by trying to contact a series of hosts as follows:
After failing these steps, it will look for an SRV record, and if you haven’t created one, there won’t be one. We’ll come back to this point shortly.
Because your certificate is tied to a single name: remote.domainname.com, any https connection to the autodiscover URL will fail. If you want to create an A or CNAME record for ‘autodiscover’ that points to your server’s public IP and allow port 80 to your server, autodiscover will work, but you would then have allowed port 80 traffic to your server.
An alternate option, still using SSL, is what this article is about. This method takes advantage of a feature that was added in Outlook 2007 SP1 that allows it to look for an SRV record and use the SRV record to find the “real” autodiscover host. In this case, the SRV record is pointing to remote.smallbizco.net, which is the name covered by the cert, so a secure connection to that server to get Autodiscover information will succeed.
Got it? Great!
BTW, if you have a single-name cert on a non-SBS Exchange 2007 or Exchange 2010 server, you still want to use an SRV record as described above, but there will be other changes you will need to make to your environment as well, primarily resetting the URLs on most of your Exchange virtual directories so that they all point to the name that is on your certificate. This is something that the SBS wizards take care of automagically.