AUTODISCOVER - Almost there but need help

Hi everyone,

Here's what I have:

Exchange 2007 - multi-domain hosted setup
Outlook 2007 SP3
Single SSL Certificate (not wildcard)
I have a _autodiscover DNS record created for the domain in question.  I do not have an autodiscover.domainname.com A record yet.

The Problem:
Out of Office: when you select it on my hosted-domain clients, it complains that the server isn't available.

What I've tried:
https://testconnectivity.microsoft.com - it reports everything is ok, except it errors out here:

"ErrorInvalidWatermark: The watermark is invalid.
Elapsed Time: 305 ms."

This whole thing works if I use HTTP Redirection and point it at the server.domainname.com that handles the email for the domain - however, since the certificate doesn't match the domain name for the email address, it pops up the certificate warning complaining that the name doesn't match.  If I tell the warning to continue anyway, Out of office pops up and seems to be happy - but if I say no, then it complains the server is unavailable.  Thoughts?

Thanks!!
Asked by TimFarren

3 Solutions
 
suriyaehnop commented:
Hold CTRL and right-click the Outlook icon in the taskbar, then choose Test E-mail AutoConfiguration.

After keying in the email address and password, select only "Use Autodiscover" and click Test.

Verify that your OOF URL is accessible.

Simon Butler (Sembee), Consultant, commented:
If you are doing multiple domains then you need to use either redirect or SRV records for Autodiscover. It is important that Autodiscover.example.com does not resolve - so no wildcards in the public DNS records.

The fact that you are getting a certificate error would tend to suggest that the host name is resolving.

Also check that https://example.com/Autodiscover/Autodiscover.xml doesn't work - note the S on the URL.

Simon.

TimFarren (Author) commented:
Simon -

Autodiscover.companyname.com doesn't resolve (company domain redacted). There are no host records for it at the moment. There's only an SRV record. Having that record is causing prompts asking folks if the cert can be trusted. The SRV record is pointing to the A record for my mail server that hosts the email. The only way I've been able to make these warnings go away is to remove the SRV record / autodiscover A record. Then email works, but things like downloading the address book fail with an error, and the Out of Office wizard complains that the server is not available. With the SRV in place, when the warning pops up, if we allow it to continue, then the OOF works - I'll admit I haven't tested the address book function, but I suspect it works. Maybe not.

Simon, do you believe the other suggestion is worth trying as well?

 
Simon Butler (Sembee), Consultant, commented:
Do you have a trusted SSL certificate in place?
If not then you need to get that corrected.
If you do, then you shouldn't get prompts about the certificate as long as the host name being used internally and externally is the same as on the SSL certificate.

Simon.

TimFarren (Author) commented:
I do have a trusted certificate. It's not a wildcard cert though. Are you saying it shouldn't matter that the email domain that I am hosting doesn't match the domain in my SRV record? The SRV in their DNS references mail.mydomainname.com, not their domain.

Simon Butler (Sembee), Consultant, commented:
Correct. As long as the SRV record points to the correct host name, then it should work.
That is how hosted Exchange providers work - they have a single certificate and point all clients to it - otherwise it would get very expensive.

Simon.

TimFarren (Author) commented:
Then I am confused about why my clients get these warnings. What could I possibly be doing wrong?

Simon Butler (Sembee), Consultant, commented:
You have to ensure that
a. Autodiscover.example.com does NOT resolve anywhere.
b. The SSL certificate is trusted
c. SRV record is completely correct with the full FQDN that matches the SSL certificate.

Simon.

TimFarren (Author) commented:
I just set up a new domain on my server, with brand new users and a brand new datastore. I followed the guidelines listed above. Autodiscover worked (it autodetected the mailbox settings); however, turning on Out of Office produces the error, "Your automatic reply settings cannot be displayed because the server is currently unavailable. Please try again later".

Very frustrating.  I've been chasing this issue for months now.  Any other ideas?

TimFarren (Author) commented:
Side note - I logged in over OWA, turned on out of office, and sent the user a test.  I received the out of office reply.  So at least that works - but remote outlook users can't see the settings.  Ugh..

Simon Butler (Sembee), Consultant, commented:
OWA sets the OOTO message in a different way.
The primary reason for OOTO not working is SSL certificate issues. Very little else causes a problem. You must have an error in the configuration of either the SRV record or the DNS records for the hosted domain somewhere.

Simon.

TimFarren (Author) commented:
OK, I set up the new domain just yesterday and bought the domain name from GoDaddy. I actually removed the @ record to ensure autodiscover wouldn't resolve to anything. The only other records I created were an SPF record, MX records and then the SRV record, which is as follows:

Let's say my server is mail.server.com and their domain is client.com. The certificate is for mail.server.com. The SRV record is:

Service: _autodiscover
Protocol: _tcp
Name: @
Port: 443
Priority / weight: I think both are 10
Host: mail.server.com

How else should these records be set up? Does there need to be anything set in the server's local DNS? Our internal domain is something like server.local.

Simon Butler (Sembee), Consultant, commented:
You don't need anything in your internal DNS unless you are going to have clients using that email domain on your internal DNS server (so on your internal network).

If you do an nslookup on the SRV record, do the correct results come back? It wouldn't be the first time DNS records have failed to apply correctly.

Simon.

TimFarren (Author) commented:
Yes, they do come back correctly. In fact, when you set up a new profile in Outlook (offsite) and put in the user's email address and name, Autodiscover finds all the rest and sets up the account. Still, the OOTO is broken, and that is really what I am trying to fix.

TimFarren (Author) commented:
Did I mention that I do not get the error if I use an A record for autodiscover.domainname.com and do a http redirect to my server?  The OOTO error goes away but then the silly certificate mismatch warning persistently pops up for my users.

TimFarren (Author) commented:
I have implemented a workaround that I came up with myself. I've not seen this posted anywhere, but it seems to work.

1. Create in DNS (externally - GoDaddy, for example) a record called autodiscover.domainname.com that points to 127.0.0.1. Why? Because a lot of web hosting companies supply the address of the web server to the @ record, making autodiscover incorrectly resolve to the wrong host.

2. Create an SRV record pointing _tcp _autodiscover to the correct host (e.g. https://remote.domainname.com).

An alternative to #2 is to create a URL subdomain forwarding record: point autodiscover.domainname.com to remote.domainname.com, for example, as a redirect. These methods seem to solve my problem.
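Editor's note: the following is an added example, not code from the thread. It models the lookup order an Outlook 2007 SP3 client that is not domain-joined uses to find the Autodiscover endpoint (https on the root domain, https on the autodiscover host, an http redirect from the autodiscover host, then the _autodiscover._tcp SRV record) and shows where the certificate prompt comes from in the DNS layouts discussed above: Simon's checklist (autodiscover.<domain> must not resolve, SRV target must match the certificate name) and the 127.0.0.1 workaround in the post just above. The names mail.server.com and client.com are taken from the thread; the IP addresses, certificate names, zone contents and the wildcard web host are constructed. The model stops once the Autodiscover endpoint is found; the EWS/OOF call that follows is not modelled.

```python
"""Toy model of the Outlook 2007 SP3 Autodiscover lookup for a user at client.com
(not domain-joined, so no Active Directory SCP step), showing where the
certificate prompt comes from.  Order modelled (Outlook 2007 SP1 and later):
  1. https://<domain>/Autodiscover/Autodiscover.xml
  2. https://autodiscover.<domain>/Autodiscover/Autodiscover.xml
  3. http://autodiscover.<domain>/... expecting a 302 to an https:// URL
  4. SRV _autodiscover._tcp.<domain> -> https://<target>/Autodiscover/Autodiscover.xml
A prompt is raised whenever an https attempt reaches a server whose certificate
does not carry the host name asked for.  All IPs, certificates and zone data are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Server:
    """What a client sees when it connects to one IP address (constructed)."""
    cert_names: Tuple[str, ...] = ()      # names on the certificate served on 443
    serves_autodiscover: bool = False     # answers Autodiscover.xml with settings
    http_redirect: Optional[str] = None   # Location header returned on port 80


@dataclass
class Result:
    endpoint: Optional[str] = None                          # https URL that worked
    cert_prompts: List[str] = field(default_factory=list)   # host names that prompted
    log: List[str] = field(default_factory=list)


def resolve(zone: Dict[str, Tuple[str, str]], name: str, rtype: str) -> Optional[str]:
    """Look up name/rtype in a constructed zone.  An A lookup also honours a
    wildcard entry such as '*.client.com', which is what makes
    autodiscover.client.com resolve on many shared web hosts."""
    rec = zone.get(name)
    if rec is None and rtype == "A" and "." in name:
        rec = zone.get("*." + name.split(".", 1)[1])
    return rec[1] if rec and rec[0] == rtype else None


def cert_matches(cert_names: Tuple[str, ...], host: str) -> bool:
    """Exact name match, or a single-label wildcard such as *.server.com."""
    host = host.lower()
    for n in (c.lower() for c in cert_names):
        if n == host:
            return True
        if n.startswith("*.") and host.endswith(n[1:]) and host.count(".") == n.count("."):
            return True
    return False


def try_https(zone, servers, host: str, res: Result, accept_bad_cert: bool) -> Optional[str]:
    """One attempt at https://<host>/Autodiscover/Autodiscover.xml."""
    ip = resolve(zone, host, "A")
    if ip is None:
        res.log.append(f"https://{host}: name does not resolve, skipped")
        return None
    srv = servers.get(ip)
    if srv is None:                        # e.g. 127.0.0.1 with nothing listening
        res.log.append(f"https://{host}: {ip} refused the connection")
        return None
    if not cert_matches(srv.cert_names, host):
        res.cert_prompts.append(host)      # the dialog the users are seeing
        if not accept_bad_cert:
            res.log.append(f"https://{host}: certificate name mismatch, declined")
            return None
        res.log.append(f"https://{host}: certificate name mismatch, accepted")
    if srv.serves_autodiscover:
        return f"https://{host}/Autodiscover/Autodiscover.xml"
    res.log.append(f"https://{host}: no Autodiscover service on this host")
    return None


def outlook_autodiscover(domain: str, zone, servers, accept_bad_cert: bool = False) -> Result:
    """Walk the four steps and stop at the first one that returns settings."""
    res = Result()
    for host in (domain, f"autodiscover.{domain}"):               # steps 1 and 2
        res.endpoint = try_https(zone, servers, host, res, accept_bad_cert)
        if res.endpoint:
            return res
    ip = resolve(zone, f"autodiscover.{domain}", "A")            # step 3
    srv = servers.get(ip) if ip else None
    if srv and srv.http_redirect:
        target = srv.http_redirect.split("/")[2]                  # host part of the URL
        res.log.append(f"http://autodiscover.{domain}: redirected to {target}")
        res.endpoint = try_https(zone, servers, target, res, accept_bad_cert)
        if res.endpoint:
            return res
    target = resolve(zone, f"_autodiscover._tcp.{domain}", "SRV")   # step 4
    if target:
        res.log.append(f"SRV _autodiscover._tcp.{domain} -> {target}")
        res.endpoint = try_https(zone, servers, target, res, accept_bad_cert)
    return res


# Constructed environment: the provider's mail server and a shared web host.
MAIL_IP, WEB_IP = "203.0.113.5", "198.51.100.10"
SERVERS = {
    MAIL_IP: Server(("mail.server.com",), True,
                    "https://mail.server.com/Autodiscover/Autodiscover.xml"),
    WEB_IP: Server(("www.client.com", "client.com")),
}
BASE_ZONE = {"mail.server.com": ("A", MAIL_IP),
             "_autodiscover._tcp.client.com": ("SRV", "mail.server.com")}


def scenario(name: str) -> Result:
    """DNS layouts from the thread, all with the SRV record in place."""
    zone = dict(BASE_ZONE)
    if name == "wildcard":            # web host wildcard makes autodiscover.client.com resolve
        zone["client.com"] = ("A", WEB_IP)
        zone["*.client.com"] = ("A", WEB_IP)
    elif name == "loopback":          # the workaround above: autodiscover -> 127.0.0.1
        zone["autodiscover.client.com"] = ("A", "127.0.0.1")
    elif name == "a_record_to_mail":  # autodiscover A record aimed at the mail server
        zone["autodiscover.client.com"] = ("A", MAIL_IP)
    # "srv_only": nothing at all for client.com or autodiscover.client.com
    return outlook_autodiscover("client.com", zone, SERVERS)


if __name__ == "__main__":
    for name in ("wildcard", "srv_only", "loopback", "a_record_to_mail"):
        r = scenario(name)
        print(f"{name:17} prompts={r.cert_prompts} endpoint={r.endpoint}")
```

Running it shows the pattern described in the thread: in the "wildcard" and "a_record_to_mail" layouts the client reaches a server on https://autodiscover.client.com before it ever consults the SRV record, gets a certificate for a different name, and prompts; in the "srv_only" and "loopback" layouts that attempt either never resolves or is refused, so the client falls through to the SRV target, whose name is on the certificate, and nobody is prompted.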
 
TimFarren (Author) commented:
More info was needed; I provided it.