Autodiscover on SBS 2008

I'm running SBS 2008 Premium and i'm wondering what the default, out of box, setting for autodiscover is?  I've recently started to get autodiscover messages pop up in my Outlook 2013 client - this never happened before in the 4yrs this box has been running.

The popup I get is a security alert about the certificate being invalid.  In the popup I see that Outlook is trying to get a certificate from our company website hosted outside of our network (on a shared host).  What setting in DNS do I need to set to make it look internally?

I re-ran the SBS "Setup your Internet address" wizard and selecting the option to "manage the domain name myself" but that didn't fix the issue.
MedrxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brad GrouxSenior Manager (Wintel Engineering)Commented:
Download, install and run the latest version of SBS BPA - http://support.microsoft.com/kb/2673284

You should be able to trust the certificate even though it is external. Simply install the certificate on the local SBS, and then try these steps.

1.

Start the SBS Management Console. On the "Getting Started Tasks" panel, choose "Add a trusted certificate". You can also start the wizard on the Networking panel, under Connectivity, by choosing "Web Server Certificate" then "Add a trusted certificate".

2.

After choosing Next on the first screen, on the second screen select "I want to use a certificate that is already installed on the server." and click Next.

3.

A list of certificates that can be used are now shown. Choose the trusted certificate and select Next. The wizard is then imported.You can then test connectivity from here - https://testconnectivity.microsoft.com/
0
David Paris VicenteSystems and Comunications  Administrator Commented:
Hi probably you will need to create the SRV record in your DNS.

Take a look here and see if help.

Regards
0
MedrxAuthor Commented:
David,

Do I need to create this DNS SRV record on my internal DNS server or at the Hosting company DNS? or Both?  
I'm really not that interested in having autodiscover setup outside my network (ie internet).

Brad,  the certificate that outlook is trying to use is from the hosting company which leads me to believe autodiscover is not setup correctly.  How do I tell Outlook to look at the self-issued cert first?  I don't understand why its even trying to look for autodiscover at my hosting provider VS the internal SBS box?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Brad GrouxSenior Manager (Wintel Engineering)Commented:
The SRV record should be created internally for the SBS server to utilize.
0
David Paris VicenteSystems and Comunications  Administrator Commented:
Hi Medrx,

You should create in the internal DNS and all your clients should point to the internal DNS.

But for a better understand Simon has a good explanation and how to here for the several scenarios.
0
Adam FarageEnterprise ArchCommented:
The SRV record is only really used by External clients, ones that are not domain joined and cannot query the SCP for AutoDiscover within AD. If that is the case for the client who is using Outlook 2013 (e.g: the Outlook 2013 user is using a non-domain joined machine, or a domain joined machine outside the office) then you can use an SRV record: http://support.microsoft.com/kb/940881/en-us

An internal client (Outlook 2007+) will first query the SCP object for AutoDiscover. I would open Exchange Management Shell and run the following to see where it actually points too...
Get-ClientAccessServer | Select Name, AutoDiscoverInternalUri

Open in new window


If this is pointing to his website, then that would probably the cause here. If it is a single server environment without split DNS, this can point to the Exchange 2007 server as long as that name exists on the SSL certificate that is assigned to IIS.

I honestly do not see the point most of the time to use the SRV record (which most folks dont use) but sometimes (like this) it might help.
0
MedrxAuthor Commented:
I have added the SRV entry on my internal DNS and deleted the autodiscovery A, and SRV records at bluehost DNS.  This appears to have fixed the issue on my client machine.

Adam,

I was getting the popup on my local workstation that is joined to the domain and connected to the work network.
Running your command returned this:
[PS] C:\Windows\system32>Get-ClientAccessServer | Select Name, AutoDiscoverInternalUri

Name                                                         AutoDiscoverInternalUri
----                                                         -----------------------
ODIN

Open in new window

0
David Paris VicenteSystems and Comunications  Administrator Commented:
You don´t have the the internal URL in place.

You will need to configure it.

Get-ClientAccessServer –Identity "Exchange server" | Set-ClientAccessServer
–AutodiscoverServiceInternalUri https://autodiscover.myExternalDomainNameInTheCertificate.com/autodiscover/autodiscover.xml

Open in new window

0
MedrxAuthor Commented:
What should I put in as the correct URI?

I do not have split DNS.  For example sake;

Internal Domain is:  contoso.lan
External website is: contoso.com

Do I then use:
https://remote.contoso.lan/Autodiscover/autodiscover.xml 
OR
https://remote.contoso.com/Autodiscover/autodiscover.xml

This being SBS and not wanting to break other things.
0
Adam FarageEnterprise ArchCommented:
In internal DNS I would create a new forward lookup zone for contoso.com, and then create an A record for autodiscover there that points to the CAS. From there you would do the following:

Get-ClientAccessArray | Set-ClientAccessArray -AutoDiscoverInternalUri https://remote.contoso.com/autodiscover/autodiscover.xml

Open in new window


From there then check the property as I provided above, and this should work for your clients.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.