Solved

AUTODISCOVER - Almost there but need help

Posted on 2013-11-11
Last Modified: 2015-02-05
Hi everyone..

Here's what I have:

Exchange 2007 - multi-domain hosted setup
Outlook 2007 SP3
Single SSL Certificate (not wildcard)
I have a _autodiscover DNS record created for the domain in question.  I do not have an autodiscover.domainname.com A record yet.

The Problem:
Out Of Office.. when you select it on my hosted domain clients, it complains the server isn't available.  

What I've tried:
https://testconnectivity.microsoft.com - it reports everything is ok, except it errors out here:

"ErrorInvalidWatermark: The watermark is invalid.
Elapsed Time: 305 ms."

This whole thing works if I use HTTP Redirection and point it at the server.domainname.com that handles the email for the domain - however, since the certificate doesn't match the domain name for the email address, it pops up the certificate warning complaining that the name doesn't match.  If I tell the warning to continue anyway, Out of office pops up and seems to be happy - but if I say no, then it complains the server is unavailable.  Thoughts?

Thanks!!
0
Comment
Question by:TimFarren
 
LVL 18

Expert Comment

by:suriyaehnop
ID: 39640423
Hold CTRL and right click on Outlook icon on taskbar and choose test email configuration.

Select only "Use AutoDiscover" after keying in the email address and password, then click on run test.

Verify your OOF URL is accessible?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39644502
If you are doing multiple domains then you need to use either redirect or SRV records for Autodiscover. It is important that Autodiscover.example.com does not resolve - so no wildcards in the public DNS records.

The fact that you are getting a certificate error would tend to suggest that the host name is resolving.

Also check that https://example.com/Autodiscover/Autodiscover.xml doesn't work - note the S on the URL.

Simon.
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39652038
Simon -

Autodiscover.companyname.com doesn't resolve (company domain redacted).  There are no host records for it at the moment.  There's only a SRV record.  Having that record is causing prompts asking folks if the cert can be trusted.  The SRV record is pointing to the A record for my mail server that hosts the email.  The only way I've been able to make these warnings go away is to remove the SRV record / autodiscover A record.  Then email works, but things like downloading the address book fail with an error as well as the out of office wizard complains that the server is not available.  With the SRV in place, when the warning pops up, if we allow it to continue, then the OOF works - I'll admit I haven't tested the address book function but I suspect it works.  Maybe not.

Simon, do you believe the other suggestion is worth trying as well?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39653082
Do you have a trusted SSL certificate in place?
If not then you need to get that corrected.
If you do, then you shouldn't get prompts about the certificate as long as the host name being used internally and externally is the same as on the SSL certificate.

Simon.
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39653213
I do have a trusted certificate. It's not a wildcard cert though. Are you saying it shouldn't matter that the email domain that I am hosting doesn't match the domain in my SRV record? The SRV in their DNS references mail.nydomainname.com, not their domain.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39653678
Correct. As long as the SRV record points to the correct host name, then it should work.
That is how hosted Exchange providers work - they have a single certificate and point all clients to it - otherwise it would get very expensive.

Simon.
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39653827
Then I am confused about why my clients get these warnings.   What could I possibly be doing wrong?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39657982
You have to ensure that
a. Autodiscover.example.com does NOT resolve anywhere.
b. The SSL certificate is trusted
c. SRV record is completely correct with the full FQDN that matches the SSL certificate.

Simon.
0
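The checks in the list above, as an added example that is not part of the original thread: a small offline validator for items (a) and (c). The `zone` dictionary, the sample records and the function names are constructed for illustration, and certificate trust (item b) is not checked here.

```python
def cert_matches(host, cert_names):
    """Case-insensitive match of a host against the names on a certificate."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        # "*.example.com" covers exactly one extra left-hand label
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False


def check_autodiscover(domain, zone, cert_names):
    """Return a list of findings for a hosted domain's public DNS records.

    zone is a constructed dict: {(record name, record type): value}.
    An SRV value is the tuple (priority, weight, port, target).
    """
    findings = []
    ad_host = f"autodiscover.{domain}"
    # (a) autodiscover.<domain> must not resolve, directly or via a wildcard
    for name in (ad_host, f"*.{domain}"):
        for rtype in ("A", "CNAME"):
            if (name, rtype) in zone:
                findings.append(f"{name} {rtype} makes {ad_host} resolve")
    # (c) the SRV target must be a name that is on the SSL certificate
    srv = zone.get((f"_autodiscover._tcp.{domain}", "SRV"))
    if srv is None:
        findings.append("no _autodiscover._tcp SRV record")
        return findings
    _priority, _weight, port, target = srv
    if port != 443:
        findings.append(f"SRV port is {port}, expected 443")
    if not cert_matches(target, cert_names):
        findings.append(f"SRV target {target} is not a name on the certificate")
    return findings


# Constructed sample data: hosted domain client.com, certificate for mail.server.com
CERT_NAMES = ["mail.server.com"]
GOOD_ZONE = {("_autodiscover._tcp.client.com", "SRV"): (10, 10, 443, "mail.server.com")}
BAD_ZONE = {
    ("*.client.com", "A"): "203.0.113.10",  # wildcard left in place by a web host
    ("_autodiscover._tcp.client.com", "SRV"): (10, 10, 443, "mail.client.com"),
}

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_autodiscover("client.com", zone, CERT_NAMES))
```
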

 
LVL 2

Author Comment

by:TimFarren
ID: 39666175
I just set up a new domain on my server, with brand new users, and a brand new datastore.  I followed those guidelines listed above.  The autodiscover worked (it autodetected the mailbox settings) however, turning on out of office produces the error, "Your automatic reply settings cannot be displayed because the server is currently unavailable.  Please try again later".

Very frustrating.  I've been chasing this issue for months now.  Any other ideas?
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39666194
Side note - I logged in over OWA, turned on out of office, and sent the user a test.  I received the out of office reply.  So at least that works - but remote outlook users can't see the settings.  Ugh..
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39668332
OWA sets the OOTO message in a different way.
The primary reason for OOTO not working is SSL certificate issues. Very little else causes a problem. You must have an error in the configuration of either the SRV record or the DNS records for the hosted domain somewhere.

Simon.
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39668633
Ok, I set up the new domain just yesterday and bought the domain name from godaddy. I actually removed the @ record to ensure autodiscover wouldn't resolve to anything. The only other records I created were an SPF and mx records and then the SRV record.  Which is as follows:

Let's say my server is mail.server.com and their domain is client.com. The certificate is for mail.server.com. The SRV record is:

_autodiscover  _tcp  
Port=443
Name=@
Priority / weight I think is both 10
Host : mail.server.com

How else should these records be set up?  Does there need to be anything set in the server's local DNS?  Our internal domain is something like server.local.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39674393
You don't need anything in your internal DNS unless you are going to have clients using that email domain on your internal DNS server (so on your internal network).

If you do an nslookup on the SRV record, do the correct results come back? Wouldn't be the first time DNS records fail to apply correctly.

Simon.
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39674553
Yes they do come back correctly. In fact when you set up a new profile in outlook (offsite) and put the user's email address and name in, autodiscover finds all the rest and sets up the account. Still the OOTO is broken and that is really what I am trying to fix.
0
 
LVL 2

Author Comment

by:TimFarren
ID: 39674563
Did I mention that I do not get the error if I use an A record for autodiscover.domainname.com and do a http redirect to my server?  The OOTO error goes away but then the silly certificate mismatch warning persistently pops up for my users.
0
 
LVL 2

Accepted Solution

by:
TimFarren earned 0 total points
ID: 40581670
I have implemented a workaround that I came up with myself.  I've not seen this posted anywhere, but it seems to work.

1.  Create in DNS (externally - godaddy for example) a record called autodiscover.domainname.com that points to 127.0.0.1.  Why?  Because a lot of web hosting companies supply the address of the webserver to the @ record, making autodiscover incorrectly resolve to the wrong host.

2.  Create a SRV record pointing _TCP _Autodiscover to the correct host (e.g. https://remote.domainname.com)

Alternative to #2 is to create a URL subdomain forwarding record.  Point autodiscover.domainname.com to remote.domainname.com for example as a redirect.  These methods seem to solve my problem.
0
 
LVL 2

Author Closing Comment

by:TimFarren
ID: 40590658
More info needed, I provided.
0
