Wednesday, 11 November 2015

Exchange 2013, 2016 - Autodiscover SRV record

In this post, I’ll demonstrate how to configure Exchange 2013 or 2016 to use an autodiscover SRV record instead of an A record.


How does an SRV record work with Exchange and Outlook?


Outlook 2007 and later try a number of methods to find the Autodiscover settings for the user's SMTP domain. The methods are tried in the order below and the client stops at the first one that returns a valid Autodiscover response. In this example, our domain is litwareinc.com:
  1. Query the Service Connection Point (SCP) objects in Active Directory. (This is configured with Set-ClientAccessServer and the AutoDiscoverServiceInternalUri parameter, which holds the URL of the autodiscover.xml file. It only works for domain-joined computers that can reach a domain controller.)
  2. Attempt to connect to https://litwareinc.com/autodiscover/autodiscover.xml
  3. Attempt to connect to https://autodiscover.litwareinc.com/autodiscover/autodiscover.xml
  4. Locate the autodiscover.xml URL using the SRV method. (NB: Outlook 2007 requires the June 2007 update rollup: https://support.microsoft.com/en-us/kb/940881)
Steps 2 and 3 only succeed if the server presents a certificate that the client trusts and that is valid for the name in the URL; a certificate name mismatch on autodiscover.litwareinc.com is exactly the error this post removes. Outlook also tries an unauthenticated HTTP redirect check against http://autodiscover.litwareinc.com/autodiscover/autodiscover.xml before it falls back to the SRV record; with no autodiscover A record that check fails at name resolution just like step 3. If none of these methods returns a valid Autodiscover response, Autodiscover fails.
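As an added example (not part of the original post), the script below replays steps 2 to 4 of the list above from a client that is not domain-joined, so the SCP step is skipped, and reports where Autodiscover would be found. It assumes Windows PowerShell 5.1 or later with Resolve-DnsName (Windows 8 / Server 2012 or later), outbound HTTPS from the test machine, and uses the post's example domain litwareinc.com; the treatment of a non-443 SRV port as a misconfiguration is this script's own choice.

```powershell
# Added example, not from the original post. Walks the Autodiscover lookup order
# the way a non-domain-joined Outlook client would: two well-known HTTPS URLs,
# then the _autodiscover._tcp SRV record.

function Test-AutodiscoverUrl {
    param([Parameter(Mandatory)][string]$Url)
    # Exchange answers an unauthenticated GET on autodiscover.xml with 401, so a
    # 401 proves the endpoint exists behind a certificate this client trusts.
    # DNS failures, refused connections and untrusted certificates throw with no
    # Response object and are treated as failures, which is what Outlook does too.
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        return 'reachable'
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 401) { return 'reachable (401, authentication required)' }
        return "failed: $($_.Exception.Message)"
    }
}

function Find-Autodiscover {
    param([Parameter(Mandatory)][string]$SmtpDomain)

    # Steps 2 and 3. With the autodiscover A record removed, step 3 fails at
    # name resolution instead of at the certificate.
    foreach ($url in @("https://$SmtpDomain/autodiscover/autodiscover.xml",
                       "https://autodiscover.$SmtpDomain/autodiscover/autodiscover.xml")) {
        $r = Test-AutodiscoverUrl -Url $url
        Write-Host ("{0,-72} {1}" -f $url, $r)
        if ($r -like 'reachable*') { return $url }
    }

    # Step 4: SRV lookup. Resolve-DnsName also returns the target's A record in
    # the additional section, so keep only the SRV answers. Lowest Priority is
    # tried first; equal priorities are taken in the order returned here rather
    # than by RFC 2782 weighted random choice.
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$SmtpDomain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority
    if (-not $srv) { Write-Host "_autodiscover._tcp.$SmtpDomain has no SRV record"; return $null }

    foreach ($rec in $srv) {
        $target = $rec.NameTarget.TrimEnd('.')
        # Assumption of this script: anything other than 443 is a misconfiguration.
        if ($rec.Port -ne 443) { Write-Warning "SRV points to port $($rec.Port); expected 443"; continue }
        $url = "https://$target/autodiscover/autodiscover.xml"
        $r = Test-AutodiscoverUrl -Url $url
        Write-Host ("{0,-72} {1}" -f "SRV -> $url", $r)
        if ($r -like 'reachable*') {
            Write-Host "Outlook will show its redirect prompt for '$target' unless that host is listed under RedirectServers."
            return $url
        }
    }
    return $null
}

Find-Autodiscover -SmtpDomain 'litwareinc.com'
```

Run it from the same network position as the client you are troubleshooting (internal and external DNS can differ); the line that reports "reachable" is the step that Outlook's Test E-mail AutoConfiguration log will show as succeeding.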


What is an SRV record?


An example of an SRV record for Exchange 2010, 2013 or 2016 is below. In this example, our Exchange server namespace is mail.litwareinc.com.

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.litwareinc.com
Priority: 0
Weight: 0

Written as a single resource record, as a DNS provider or zone file would show it, this is:

_autodiscover._tcp.litwareinc.com.  IN  SRV  0 0 443 mail.litwareinc.com.

The Service name specifies the name of the service. For Exchange Autodiscover, this must be _autodiscover.

The Protocol informs the client whether this service uses TCP or UDP. Autodiscover runs over HTTPS, so this is _tcp.


The Port number informs the client which port to connect on. For Autodiscover this is 443; the client connects over HTTPS to https://<host>/autodiscover/autodiscover.xml.


The Host informs the client of the hostname it should connect to for this service. This is the name the client validates the server certificate against, so it must be on the Exchange certificate (or covered by a wildcard on it), and it should be an A record rather than a CNAME.


The Priority specifies the order in which target servers are tried: the record with the lowest priority value is tried first, and records with higher values are only used if that target fails.


The Weight is used to choose between records that share the same priority. Targets are selected at random in proportion to their weights, so a larger weight means a proportionately higher chance of being selected; it is not a strict "highest weight first" order. With a single record, as here, 0 and 0 are fine.



Remove the autodiscover A record


Removing the autodiscover.litwareinc.com A record means that clients cannot resolve, and therefore cannot connect to, this name. This is helpful because we then no longer need autodiscover.litwareinc.com as a name on our certificate and can use a single-name certificate for Exchange to cut costs and simplify the namespace.


Do I need autodiscover names on my certificate?


No. As long as there is no autodiscover.litwareinc.com A record in internal or external DNS, there is no need for this name on the certificate: the client cannot resolve the name, so it never connects with it and never gets as far as validating a certificate against it. It then moves on to the next method in the search for the Autodiscover settings. Check for a wildcard (*.litwareinc.com) record as well; that would make autodiscover.litwareinc.com resolve to your server anyway, and the client would then report a certificate name mismatch before it ever reached the SRV step.




How to create an SRV record


Before you do this, ensure that you have set up an A record for mail.litwareinc.com in your internal and external DNS.

You need to create an SRV record in both your internal and external DNS. Use your DNS provider's documentation for instructions on how to set this SRV record up in your external DNS.

To create an SRV record in internal DNS, go through the steps below:

1) Log into a domain controller which hosts the litwareinc.com zone

2) Right click on the litwareinc.com zone and select Other New Records

image

3) Select Service Location (SRV) from the list

image

4) Click Create Record, enter the details below then click OK:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.litwareinc.com
Priority: 0
Weight: 0

image

5) Check that your record appears by clicking on the _tcp subdomain under the litwareinc.com zone:

image

6) Check that your record was created successfully using nslookup

To do this, use the commands below:

nslookup
set q=srv
_autodiscover._tcp.litwareinc.com

image

Above, we can see that the SRV record exists and that it has provided the host mail.litwareinc.com.
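The same record created with the DnsServer PowerShell module instead of the DNS Manager GUI, followed by the checks that make this design safe, as an added example that is not part of the original post: the target resolves, autodiscover.<domain> does not (no stray A or wildcard record), the SRV answer is what the post specifies, and the SRV target name is actually on the certificate Exchange presents. It assumes you run it as a DNS administrator on a Windows Server 2012 or later DNS server that is authoritative for litwareinc.com, with HTTPS reachability to mail.litwareinc.com; the function name Get-TlsCertificateNames is this example's own.

```powershell
# Added example, not from the original post.
$Zone   = 'litwareinc.com'
$Target = "mail.$Zone"

# 1) Prerequisite stated in the post: the target must already have an A record.
$a = Resolve-DnsName -Name $Target -Type A -ErrorAction Stop
Write-Host "$Target -> $($a.IPAddress -join ', ')"

# 2) The design depends on autodiscover.<domain> NOT resolving. A wildcard
#    (*.litwareinc.com) record would make it resolve anyway and bring back the
#    certificate name-mismatch error this post is trying to avoid.
$stray = Resolve-DnsName -Name "autodiscover.$Zone" -Type A -ErrorAction SilentlyContinue
if ($stray) {
    Write-Warning "autodiscover.$Zone still resolves ($($stray.IPAddress -join ', ')). Remove the A or wildcard record, or keep the name on the certificate."
}

# 3) Create the record once; Add-DnsServerResourceRecord is not idempotent.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name '_autodiscover._tcp' -RRType Srv -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_autodiscover._tcp' `
        -DomainName $Target -Priority 0 -Weight 0 -Port 443
    Write-Host "Created _autodiscover._tcp.$Zone  SRV 0 0 443 $Target"
}

# 4) Verify the answer the way the nslookup step does. Resolve-DnsName also
#    returns the target's A record in the additional section, so keep SRV only.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Zone" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$ok = $srv | Where-Object { $_.NameTarget.TrimEnd('.') -eq $Target -and $_.Port -eq 443 }
if (-not $ok) { throw "SRV record does not point at ${Target}:443. Got: $($srv | Out-String)" }
$srv | Format-Table Name, Priority, Weight, Port, NameTarget -AutoSize

# 5) Certificate check. The redirect only works cleanly if the SRV target name
#    is on the certificate Exchange presents on port 443.
function Get-TlsCertificateNames {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: this handshake only reads the names, it does not trust them.
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [PSCustomObject]@{
            Subject  = $cert.Subject
            DnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # subject alternative names
            NotAfter = $cert.NotAfter
        }
    } finally { $tcp.Close() }
}

$names   = Get-TlsCertificateNames -HostName $Target
$covered = ($names.DnsNames -contains $Target) -or ($names.DnsNames -contains "*.$Zone")
if ($covered) { Write-Host "Certificate on $Target covers $Target (expires $($names.NotAfter))" }
else          { Write-Warning "Certificate on $Target does not list $Target. Names present: $($names.DnsNames -join ', ')" }
```

Run the same Resolve-DnsName checks (steps 2 and 4) against your external DNS with -Server pointed at a public resolver; the internal zone being right says nothing about what clients outside the network receive.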

Test Autodiscover


To check that it works, I have a client running Outlook 2013 that is not on the domain and we’ll go ahead and create a new Outlook profile:

image

image

image

The notification above states that Outlook was redirected to mail.litwareinc.com, which matches our SRV record. This is Outlook's security prompt for SRV-based redirection: the settings are about to be fetched from a host that was named by a DNS record rather than by a URL in the user's own domain, so the user is asked to confirm. Before allowing it, check that the host shown is exactly the SRV target you created; any other name means the DNS answer is wrong or has been tampered with.

image

We can select "Don't ask me about this website again" so we are no longer prompted, or you can add a registry entry that allows redirection to mail.litwareinc.com without prompting: under HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\AutoDiscover\RedirectServers (15.0 for Outlook 2013, 16.0 for Outlook 2016), create a REG_SZ value whose name is mail.litwareinc.com and leave its data empty. Only list the hosts you control; this prompt is the user's one chance to notice an unexpected redirect target. See here for instructions on how to do that using regedit, or deploy the setting using logon scripts or Group Policy.
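An added example, not from the original post, that pre-approves the redirect to the SRV target from PowerShell so users are not trained to click through the prompt, while keeping the allow-list to the single host you control. It assumes Outlook 2013 (version key 15.0; use 16.0 for Outlook 2016) and runs in the user's context, since the key lives under HKEY_CURRENT_USER; the function name Add-OutlookRedirectServer is this example's own.

```powershell
# Added example, not from the original post. Outlook reads host names from the
# RedirectServers key: one REG_SZ value per host, value name = host, data empty.
function Add-OutlookRedirectServer {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet('15.0', '16.0')][string]$OfficeVersion = '15.0'
    )
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoDiscover\RedirectServers"

    # Refuse wildcards or anything that is not a plain FQDN: one entry per trusted host.
    if ($HostName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "Not a plain host name: $HostName"
    }

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $HostName -PropertyType String -Value '' -Force | Out-Null

    # Return the full allow-list so an audit can see every host Outlook will now follow silently.
    (Get-Item $key).Property
}

Add-OutlookRedirectServer -HostName 'mail.litwareinc.com' -OfficeVersion '15.0'
```

The returned list is worth checking periodically on managed machines: an unexpected entry here means some other process has told Outlook to trust a redirect target you did not choose.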

image

This has worked and the account is set up correctly. We didn’t get an error to state that autodiscover.litwareinc.com is not on the certificate because this name is not used in the process.


Confirm settings using Outlook Test E-mail AutoConfiguration tool


To use this tool, see here. The results of the test can be seen below where we are getting a valid response:

image

If we click on the log tab, we can see the process that Outlook went through to get the autodiscover response. It fails on a number of different methods then eventually attempts the SRV record lookup and this provides the response.

image


6 comments:

  1. OK, that works, but then when setting up a new profile via autodiscover I get the following error: "The action cannot be completed. The connection to Microsoft Exchange is Unavailable. Outlook must be online or connected to complete this action". Any ideas?

    ReplyDelete
  2. Thanks for the very detailed instructions Mark. They're easy to follow and super helpful for technologically-challenged people like me lol.

    Best,
    Writers Hub
    writershub.org

    ReplyDelete
  3. Not sure this completely applies but would like feedback as I'm new to exchange and wanted to share what I learned this week.
    I have learned that setting up URLs on autodiscover is not needed. I am using 2 CAS and have set no URLs for autodiscover on either CAS. Also learned on my Exchange 2013 dual CAS environment that the Virtual Directories need to point to different Internal URLs and I think External but not tested. I initially had both CAS Virtual Directory including Autodiscover URLs pointing to https://mail.mydomain.com/etc and http://autodiscover.mydomain.com/autodiscover/autodiscover.xml.... This did work, however EMC was very slow, often taking several minutes to load settings. The second Exchange server when running EMS some commands wouldn't lock up the EMS. So after reading some more I decided to change the URLs on the second installed CAS to something like:

    CAS 1 internal: http://localhost.mydomain.com/etc.
    CAS 2 Internal: http://mail.mydomain.com/etc.
    CAS 1 External: https://mail.mydomain.com/etc.
    CAS 2 External: https://localhost.mydomain.com/etc.
    CAS 1 Autodiscover URLs: None
    CAS 2 Autodiscover URLs: None
    DNS: Server 1: 10.0.0.1 mail.mydomain.com
    DNS: Server 2: 10.0.0.2 localhost.mydomain.com
    DNS Server 1 10.0.0.1 autodiscover.mydomain.com
    (I'm using "localhost" but it's common for people to use legacy.mydomain.com on the second CAS, especially if it's a 2010/2008 Exchange server. Hope this helps. And if anyone has something to share please chime in...


    A SAN certificate with these DNS Entries needs to be created I used godaddy.

    ReplyDelete
  4. Hello!

    Our company has a problem with the Autodiscover feature, and I hope you can help us.

    We have multiple domains, so we set up an Srv record on one of our domains to point to the exchange server.
    The Srv record (_autodiscover._tcp.domain2.com) is pointing to the server, which is exchange.domain1.com.
    I checked with nslookup command and with the mxlookup.com site and it looks like the redirection is working.
    I checked testconnectivity.microsoft.com's Outlook Autodiscover function and the test was successful, but when I try to set up accounts in Outlook it can't use autodiscover, we can only set it up manually, but in Outlook 2016 the manual exchange setup is missing.
    Using Outlook's Automatic email configuration tester I get this in the log:
    Srv Record lookup for domain2.com FAILED (0x8004010F)

    Hope you can help with the issue.

    Thank you in advance!
    Daniel

    ReplyDelete