Monday, 16 November 2015

Exchange 2013, 2016 - Autodiscover with multiple domains and single name certificate

When setting up multiple email domains, you need a namespace for the Exchange CAS services such as OAB, EWS and Outlook Anywhere, and you also need an A record for each domain that requires Autodiscover. In this post, I’ll demonstrate how you can configure Autodiscover for multiple domains while using only a single name on your certificate.

Background on the SRV autodiscover method

Outlook can use different methods to find the autodiscover response - see here. One of these methods uses an SRV record such as to provide the hostname of your Exchange server such as The Outlook client then retrieves the autodiscover XML file using the URL As you can see, there is no HTTPS connection made to and therefore there is no need for this name on the certificate.

Lab setup

In this demonstration, we have an Exchange 2013 and 2016 server in the organization. The accepted domains are below:


Our certificate only has a single name - and all virtual directories, our Service Connection Points (AutodiscoverServiceInternalUri) and Outlook Anywhere hostnames/URLs are all configured to use

Create the SRV records

For more information on how to create SRV records, see here. For our domains, we need to create the same SRV record in each of the forward lookup zones on our internal and external DNS servers. The SRV record we need is below:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Priority: 0
Weight: 0

Confirm that the SRV records are set up correctly using nslookup

Run the below commands to check that the SRV record is created correctly:

set q=srv
server (this needs to be one of your internal DNS servers)


Repeat the above test but set the server to a public DNS server such as so that you can check your public SRV records are created successfully.

Remove the A records

Outlook clients will attempt to connect to before they attempt the SRV method. This will cause certificate errors as this name is not on the certificate. To prevent this, you need to remove the A records below:
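
The state the last three sections aim for (SRV record present, pointing at the certificate name on port 443, and no leftover autodiscover address record) can be checked for every domain against both an internal and a public DNS server in one pass. The script below is an added example, not part of the original post: the domain names, certificate host name and DNS server addresses are placeholders, and it assumes the standard autodiscover.<domain> host name for the record to be removed. Because the SRV answer arrives over plain DNS, it treats any target other than the exact certificate name as a failure.

```powershell
# Added example. All names and addresses below are placeholders (assumptions);
# replace them with your accepted domains, certificate name and DNS servers.
$Domains      = 'domain1.example', 'domain2.example'
$ExpectedHost = 'mail.example.com'                # the single name on the certificate
$DnsServers   = '192.0.2.53', '198.51.100.53'     # one internal, one public resolver

function Test-AutodiscoverSrv {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ExpectedHost,
        [Parameter(Mandatory)][string]$DnsServer
    )
    $common   = @{ Server = $DnsServer; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    $problems = @()

    # SRV lookup, the equivalent of "set q=srv" in nslookup.
    $srv = @(Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV @common |
             Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) { $problems += 'no SRV record' }
    foreach ($r in $srv) {
        # The target must be exactly the certificate name (comparison is case-insensitive).
        if ($r.NameTarget.TrimEnd('.') -ne $ExpectedHost) {
            $problems += "SRV target is $($r.NameTarget)"
        }
        if ($r.Port -ne 443) { $problems += "SRV port is $($r.Port)" }
    }

    # A leftover address record is tried before the SRV method and causes certificate errors.
    $addr = @(Resolve-DnsName -Name "autodiscover.$Domain" -Type A @common |
              Where-Object { $_.Type -eq 'A' -or $_.Type -eq 'CNAME' })
    if ($addr.Count -gt 0) { $problems += "autodiscover.$Domain still resolves" }

    [pscustomobject]@{
        Domain    = $Domain
        DnsServer = $DnsServer
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems -join '; '
    }
}

# One result row per domain and DNS server.
foreach ($server in $DnsServers) {
    foreach ($domain in $Domains) {
        Test-AutodiscoverSrv -Domain $domain -ExpectedHost $ExpectedHost -DnsServer $server
    }
}
```

Any row with Ok set to False lists what still needs fixing in that zone on that server.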


Test autodiscover

To test autodiscover, we’ll use a mailbox that only has an email address in the domain. If the computer is joined to the domain then it will use the SCP which is and this should work. In this case, we want to test the SRV method so our computer needs to either be in a workgroup or outside the corporate network. In this case, it is inside the corporate network but is in a workgroup.

Below I’ll demonstrate that autodiscover works by creating a new Outlook profile:


We receive a notification that we will be redirected to to configure server settings. To prevent being prompted for this, select the “Don’t ask me about this website again” checkbox:



As you can see above, our Outlook profile has now been autoconfigured successfully.

Note that using this method means that your users will need to use for Outlook Web Access and that mobile devices need to be configured using


  1. Thank you very much. I have just solved my problem with this configuration. Congratulations.

  2. Did you try this with an Outlook 2016? IMHO Outlook 2016 ignores the _autodiscover.. entry and searches only for the All older Outlooks did not have a problem with that.

    Can you confirm?

    1. I have a setup like this and it worked OK with Outlook 2016.

  3. Great write-up! I have a question that you might be able to help me out with.
    We have domain1, and we are setting up domain2 with email. We want domain1 to be able to autodiscover domain2 email (we will have users of domain1 populated in domain2).
    Is that possible? That if my PC is in domain1, Outlook can autodiscover domain2 information for the user's account? Or am I out of luck and either need to cut over users to domain2 or set up their Outlook manually?

    Thanks in advance!

  4. Nice one!
    I understand, this works only with Outlook as a client? Different mobile devices with a random app will not be able to use the SRV record, am I right?