Monday, 16 November 2015

Exchange 2013, 2016 - Autodiscover with multiple domains and single name certificate

When you host multiple email domains, the Exchange CAS services (OAB, EWS, Outlook Anywhere) need a namespace, and with the default Autodiscover lookup each domain also needs an autodiscover.domain.com A record, which in turn means every one of those names has to be on the certificate. In this post, I'll demonstrate how to configure Autodiscover for multiple domains while keeping a single name on the certificate.

Background on the SRV autodiscover method


Outlook can use several methods to locate the Autodiscover response - see here. One of them uses an SRV record such as _autodiscover._tcp.domain.com, which supplies the hostname of your Exchange server, for example mail.litwareinc.com. Outlook tries this method only after the SCP lookup and the HTTPS probes of domain.com and autodiscover.domain.com have failed. It then retrieves the Autodiscover XML from https://mail.litwareinc.com/autodiscover/autodiscover.xml. The TLS connection is therefore made to mail.litwareinc.com, the name that is on the certificate, and no connection to https://autodiscover.domain.com has to succeed, so that name does not need to be on the certificate.

Lab setup


In this demonstration, the organization has one Exchange 2013 server and one Exchange 2016 server. The accepted domains are:

  • litwareinc.com
  • litwareinc-marketing.com
  • litwareinc-sales.com

Our certificate has a single name, mail.litwareinc.com, and all virtual directories, the Service Connection Point (AutodiscoverServiceInternalUri) and the Outlook Anywhere hostnames are configured to use it.
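Before relying on the SRV method it is worth confirming that every hostname clients are handed really is the one name on the certificate, because any endpoint still using a different name will produce exactly the certificate warning this setup is meant to avoid. The following check is an added example, not part of the original post; it runs in the Exchange Management Shell on 2013 or 2016 and assumes the lab's name mail.litwareinc.com (substitute your own).

```powershell
# Added check, not from the original post: list every hostname handed to clients
# and flag any that is not the single name on the certificate.
# Run in the Exchange Management Shell on Exchange 2013 or 2016.
$Name = 'mail.litwareinc.com'   # the lab's single certificate name (assumption: yours may differ)

# 1. Names on the certificate bound to IIS
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if ($cert.CertificateDomains -notcontains $Name) {
    Write-Warning "IIS certificate $($cert.Thumbprint) does not contain $Name"
}
"Certificate names: $($cert.CertificateDomains -join ', ')"

# 2. Every URL/hostname clients are given: SCP, Outlook Anywhere, and the virtual directories
$entries = @()
$entries += Get-ClientAccessServer -WarningAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ Source = "$($_.Name) SCP"; Host = ([uri]$_.AutoDiscoverServiceInternalUri).Host }
}
$entries += Get-OutlookAnywhere | ForEach-Object {
    [pscustomobject]@{ Source = "$($_.Server) OutlookAnywhere internal"; Host = "$($_.InternalHostname)" }
    [pscustomobject]@{ Source = "$($_.Server) OutlookAnywhere external"; Host = "$($_.ExternalHostname)" }
}
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) +
         @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory) + @(Get-MapiVirtualDirectory)
foreach ($v in $vdirs) {
    foreach ($url in @($v.InternalUrl, $v.ExternalUrl)) {
        if ($url) {
            $entries += [pscustomobject]@{ Source = "$($v.Server) $($v.Name)"; Host = $url.Host }
        }
    }
}

# 3. Report anything not using the single name. An empty result means it is safe
#    to rely on the SRV method and remove the autodiscover.<domain> A records.
$mismatch = $entries | Where-Object { $_.Host -and ($_.Host -ne $Name) }
if ($mismatch) {
    Write-Warning "$(@($mismatch).Count) endpoint(s) do not use $Name :"
    $mismatch | Format-Table -AutoSize
} else {
    "All $($entries.Count) client endpoints use $Name."
}
```

Get-ClientAccessServer still works on Exchange 2016 but prints a deprecation warning (Get-ClientAccessService is the replacement), which is why the warning is suppressed.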

Create the SRV records


For more information on how to create SRV records, see here. For our domains, we need to create the same SRV record in each of the forward lookup zones on our internal and external DNS servers. The SRV record we need is below:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.litwareinc.com
Priority: 0
Weight: 0

Confirm that the SRV records are set up correctly using nslookup


Run the commands below to check that the SRV records resolve correctly. Each query should return an SRV record pointing at mail.litwareinc.com on port 443:

nslookup
set q=srv
server 10.2.0.10
_autodiscover._tcp.litwareinc.com
_autodiscover._tcp.litwareinc-marketing.com
_autodiscover._tcp.litwareinc-sales.com

(10.2.0.10 is one of the internal DNS servers in this lab; substitute one of your own.)

image

Repeat the test with the server set to a public DNS server such as 8.8.8.8 to confirm that the public SRV records resolve as well.

Remove the autodiscover.domain.com A records


Outlook clients try https://autodiscover.domain.com/autodiscover/autodiscover.xml before they fall back to the SRV method. If that name resolves to your Exchange server, Outlook gets a certificate name mismatch warning, because autodiscover.domain.com is not on the certificate. If the name does not resolve at all, the attempt fails silently at DNS and Outlook moves on to the SRV lookup. To get that behaviour, remove the following A records from both internal and external DNS:

  • autodiscover.litwareinc.com
  • autodiscover.litwareinc-marketing.com
  • autodiscover.litwareinc-sales.com
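The SRV creation, the A record removal and the nslookup checks above are one procedure, so here it is scripted end to end for a Windows DNS server. This is an added example, not from the original post; it needs the DnsServer module (RSAT) and rights on the DNS server, and uses the lab's server 10.2.0.10, the three accepted domains and the name mail.litwareinc.com. Public DNS is usually hosted by a registrar or provider, so the record changes must be repeated there; only the final verification step can be pointed at 8.8.8.8.

```powershell
# Added example, not from the original post: create the _autodiscover._tcp SRV record in every
# accepted-domain zone on the internal Windows DNS server, remove the autodiscover.<domain> A
# records that Outlook would otherwise try first, and verify both. Requires the DnsServer
# module (RSAT) and rights on the DNS server.
$DnsServer = '10.2.0.10'              # internal DNS server from the post
$Target    = 'mail.litwareinc.com'    # the single certificate name
$Domains   = 'litwareinc.com', 'litwareinc-marketing.com', 'litwareinc-sales.com'
# In the Exchange Management Shell the list can come from Exchange instead:
# $Domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

foreach ($zone in $Domains) {
    # 1. Create the SRV record once; skip if it already exists
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone `
                    -Name '_autodiscover._tcp' -RRType Srv -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecord -Srv -ComputerName $DnsServer -ZoneName $zone `
            -Name '_autodiscover._tcp' -DomainName $Target -Port 443 -Priority 0 -Weight 0
        "[$zone] created _autodiscover._tcp -> ${Target}:443"
    } else {
        "[$zone] SRV already present -> $($existing.RecordData.DomainName)"
    }

    # 2. Remove autodiscover.<zone> A records so the HTTPS probe fails at DNS instead of
    #    reaching a server whose certificate does not carry that name
    $aRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone `
                    -Name 'autodiscover' -RRType A -ErrorAction SilentlyContinue
    foreach ($a in $aRecords) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone `
            -Name 'autodiscover' -RRType A -RecordData $a.RecordData.IPv4Address.ToString() -Force
        "[$zone] removed autodiscover A $($a.RecordData.IPv4Address)"
    }
}

# 3. Verify what a client will see. Point -Server at 8.8.8.8 to check the public records.
foreach ($zone in $Domains) {
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$zone" -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $a   = Resolve-DnsName -Name "autodiscover.$zone" -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
    $ok  = ($srv.NameTarget -eq $Target) -and ($srv.Port -eq 443) -and (-not $a)
    "{0,-28} SRV={1}:{2} A={3} {4}" -f $zone, $srv.NameTarget, $srv.Port,
        $(if ($a) { $a.IPAddress -join ',' } else { 'none' }), $(if ($ok) { 'OK' } else { 'CHECK' })
}
```

A line reading CHECK means either the SRV record is missing or points somewhere other than the certificate name, or an autodiscover.<domain> A record still exists; both conditions lead back to the certificate prompt the single-name design is meant to avoid.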

Test autodiscover


To test Autodiscover, we'll use a mailbox whose only email address is in the litwareinc-marketing.com domain. A domain-joined computer would use the SCP, which already points at mail.litwareinc.com and should work regardless. Since we want to exercise the SRV method, the test computer must either be in a workgroup or be outside the corporate network. Here it is inside the corporate network but in a workgroup.

Below I’ll demonstrate that autodiscover works by creating a new Outlook profile:

image

We receive a prompt saying that Outlook is about to be redirected to https://mail.litwareinc.com/autodiscover/autodiscover.xml to configure server settings. Outlook shows this because the SRV record for litwareinc-marketing.com points at a host in a different domain from the user's email address; it is the user's only indication that a host other than their own domain is supplying the configuration. To avoid being prompted again for this URL, select the "Don't ask me about this website again" checkbox:

image

image

As you can see above, our Outlook profile has now been autoconfigured successfully.
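The same SRV path can be reproduced by hand from the workgroup machine, which is useful when Outlook is not installed there or when you want to see the raw Autodiscover response rather than a configured profile. The script below is an added example, not from the original post: it resolves the SRV record for the mailbox's SMTP domain and POSTs an Outlook-format Autodiscover request to the host it names. The mailbox address user@litwareinc-marketing.com is an assumption; you are prompted for its credentials. Certificate validation is deliberately left on, so a certificate that did not cover the SRV target would fail the request with a trust error.

```powershell
# Added example, not from the original post: reproduce by hand, from a workgroup machine, what
# Outlook does on the SRV path: look up _autodiscover._tcp for the mailbox's SMTP domain, then
# POST an Outlook Autodiscover request to the host it names. The test mailbox address is an
# assumption; you are prompted for its credentials.
$Email  = 'user@litwareinc-marketing.com'
$Domain = $Email.Split('@')[1]

# 1. SRV lookup: lowest priority wins, then highest weight (a single record in this lab)
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true } |
       Select-Object -First 1
"SRV for $Domain -> $($srv.NameTarget):$($srv.Port)"

# 2. The request body Outlook sends (2006 request schema, 2006a response schema)
$body = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$Email</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

# 3. POST to the SRV target over HTTPS. TLS validation stays on: if the certificate did not
#    carry the SRV target name this call would fail with a trust error, which is the warning
#    the single-name design avoids. Autodiscover requires authentication, so the 401
#    challenge is answered with the supplied credentials.
$uri  = "https://$($srv.NameTarget):$($srv.Port)/autodiscover/autodiscover.xml"
$cred = Get-Credential -Message "Credentials for $Email"
$resp = Invoke-WebRequest -Uri $uri -Method Post -Body $body -ContentType 'text/xml' `
                          -Credential $cred -UseBasicParsing -ErrorAction Stop

# 4. Show the endpoints the client would be configured with
[xml]$xml = $resp.Content
if ($xml.Autodiscover.Response.Error) {
    Write-Warning "Autodiscover error: $($xml.Autodiscover.Response.Error.Message)"
} else {
    $xml.Autodiscover.Response.Account.Protocol |
        Select-Object Type, Server, ASUrl, EwsUrl, OABUrl, OOFUrl |
        Format-Table -AutoSize
}
```

Every Server, EwsUrl and OABUrl value in the output should carry mail.litwareinc.com; any other hostname there would be handed to Outlook and produce a certificate warning later, even though the Autodiscover step itself succeeded.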

Note that with this method your users must use https://mail.litwareinc.com/owa for Outlook Web App in every domain, and mobile devices must be configured with mail.litwareinc.com as the server name.

5 comments:

  1. Thank you very much. I have just fixed my problem with this configuration. Congratulations.

  2. Did you try this with Outlook 2016? IMHO Outlook 2016 ignores the _autodiscover.. entry and searches only for autodiscover.domain.com.. All older Outlooks did not have a problem with that.

    Can you confirm?

    Replies
    1. I have a setup like this and it worked OK with Outlook 2016.

  3. Great write-up! I have a question that you might be able to help me out with.
    We have domain1, and we are setting up domain2 with email. We want domain1 to be able to autodiscover domain2 email (we will have users of domain1 populated in domain2).
    Is that possible? That if my PC is in domain1, Outlook can autodiscover domain2 information for the user's account? Or am I out of luck and either need to cut over users to domain2 or set up their Outlook manually?

    thanks in advance!

  4. Nice one!
    I understand this works only with Outlook as a client? Different mobile devices with a random app will not be able to use the SRV record, am I right?
