Wednesday, 11 November 2015

Exchange 2013, 2016 - Autodiscover SRV record

In this post, I’ll demonstrate how to configure Exchange 2013 or 2016 to use an autodiscover SRV record instead of an A record.

How does an SRV record work with Exchange and Outlook?

Outlook 2007 and higher will attempt a number of different methods to find the autodiscover settings for your particular domain. The methods are tried in the order below and once an autodiscover response is received, no further methods are tried. In this example, our domain is
  1. Attempt to connect to the Service Connection Point in Active Directory. (This is configured using the Set-ClientAccessServer and the AutodiscoverServiceInternalUri parameter and specifies the URL to the autodiscover.xml file. It only works for domain-joined computers)
  2. Attempt to connect to
  3. Attempt to connect to 
  4. Attempt to locate the autodiscover.xml URL using the SRV method. (NB: Outlook 2007 requires the June 2007 update rollup:
If none of these methods provides a valid autodiscover response then autodiscover fails.

What is an SRV record?

An example of an SRV record for Exchange 2010, 2013 or 2016 is below. In this example, our Exchange server namespace is

Service: _autodiscover
Protocol: ._tcp
Port Number: 443
Priority: 0
Weight: 0

The Service name specifies the name of the service. For Exchange Autodiscover, this must be _autodiscover.

The Protocol informs the client whether this service uses TCP or UDP.

The Port number informs the client which port to connect on. 

The Host informs the client of the hostname it should be connecting to for this particular service. 

The Priority specifies which target server the client should connect to first. If two target servers have the same priority then the client looks at the weight for each and decides which to connect to based on which has the highest weight.

The Weight specifies the relative weight when priorities are the same. Larger weights have proportionately higher probability of being selected.

Remove the autodiscover A record

Removing the A record means that clients will not be able to connect to this address. This is helpful as we now no longer need as a name on our certificate and can use a single name certificate for Exchange to cut costs and simplify the namespace. 

Do I need autodiscover names on my certificate?

No, as long as there is no A record in internal or external DNS, there is no need for this name on the certificate. As the client cannot resolve the IP, there is no way it can connect using this name. The client will then use the next method in the search for the autodiscover settings.

How to create an SRV record

Before you do this, ensure that you have set up an A record for in your internal and external DNS.

You need to create an SRV record in both your internal and external DNS. Use your DNS provider documentation to get instructions on how to set this SRV record up in you external DNS.

To create an SRV record in internal DNS, go through the steps below:

1) Log into a domain controller which hosts the zone

2) Right click on the zone and select Other New Records


3) Select Service Location (SRV) from the list


4) Click Create Record, enter the details below then click OK:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Priority: 0
Weight: 0


6) Check that your record appears by clicking on the _tcp subdomain under the zone:


5) Check that your record was created successfully using nslookup

To do this, use the commands below:

set q=srv


Above, we can see that the SRV record exists and that it has provided the host

Test Autodiscover

To check that it works, I have a client running Outlook 2013 that is not on the domain and we’ll go ahead and create a new Outlook profile:




We can see that we get this notification which states that we are redirected to which is as per our SRV record. 


We can select “Don’t ask me about this website again” so we are no longer prompted or you can add a registry entry to allow redirections to without prompting. See here for instructions on how to do that using regedit or deploy the setting using logon scripts or Group Policy.


This has worked and the account is set up correctly. We didn’t get an error to state that is not on the certificate because this name is not used in the process.

Confirm settings using Outlook Test E-mail AutoConfiguration tool

To use this tool, see here. The results of the test can be seen below where we are getting a valid response:


If we click on the log tab, we can see the process that Outlook went through to get the autodiscover response. It fails on a number of different methods then eventually attempts the SRV record lookup and this provides the response.



  1. ok that works but then when setting up new profile via autodiscover I Get the following error "The action cannot be completed. The connection to Microsoft Exchange is Unavailable. Outlook must be online or connected to complete this action". ? any Ideas???

  2. Not sure this completely applies but would like feedback as I'm new to exchange and wanted to share what I learned this week.
    I have learned that setting up URLs on autodiscover is not needed. I am using 2 CAS and have set no URLS for autodiscover on either CAS. Also learned on my Exchange 2013 dual CAS environment that the Virtual Directories need to point to different Internal URLs and I think External but not tested. I initially had both CAS Virtual Directory including Autodiscover URLs pointing to and
    xml....This did work however EMC was very slow often taking several minutes to load settings. The second Exchange server when running EMS some command wouldn't lockup the EMS. So after reading some more I decided to change the URLs on the second installed CAS to something like:

    CAS 1 internal:
    CAS 2 Internal:
    CAS 1 External:
    CAS 2 External
    CAS 1 Autodiscover URLs: None
    CAS 2 Autodiscover URLs: None
    DNS: Server 1:
    DNS: Server 2:
    DNS Server 1
    (I'm using "localhost" but its common for people to use on second CAS especially if its a 2010,2008 exchange server. hope this helps. And if anyone has something to share please chime in...

    A SAN certificate with these DNS Entries needs to be created I used godaddy.

  3. Hello!

    Our company has a problem with the Autodiscover feature, and I hope you can help us.

    We have multiple domains, so we set up an Srv record on one of our domains to point to the exchange server.
    The Srv record ( is pointing to the server, which is
    I checked with nslookup command and with the site and it looks like the redirection is working.
    I checked's Outlook Autodiscover function and the test was successfull, but when I try to set up accounts in Outlook it can't use autodiscover, we can only set it up manually, but in Outlook 2016 the manual exchange setup is missing.
    Using Outlook's Automatic email confiuration tester I get this in the log:
    Srv Record lookup for FAILED (0x8004010F)

    Hope you can help with the issue.

    Thank you in advance!


  4. Thanks!!! for posting this Blog. You Explained it really well with point text and images.

    I have also researched about DNS attacks and found that Today, the internet has turned into an integral part of our life. From communicating to banking to shopping to traveling, every aspect of our life is around the internet. Since the internet has been widely used, cybersecurity is a primary concern for most web users as every now and then we hear the news about cyber attacks and DNS Attacks.

    Learn More
    We are also providing classes for securing yourself from these kinds of attacks by making the cyber space more secure to surf

    Join us to secure yourself today ICSS India

  5. Would this help with a certificate error we get because our exhange is but our internal domain is name.local So when auto-discovery is looking for it sees the