AutoDiscover DNS Settings - Exchange 2013

I will try to make this simple though it confuses me.

We have an Exchange 2013 environment; prior to that we had Exchange 2003, so it was a big upgrade. Since the upgrade I can no longer connect remote users who use Outlook to the server. When it goes through AutoDiscover it tries to point Outlook to a HostGator server, not our Exchange server. HostGator is where we host our website, so if you go to www.ourdomain.com you get our website, but that is hosted on HostGator off site.

How do I tell Outlook to use AutoDiscover to find my Exchange server? Do I have to add a CNAME or A record on my DNS host?

Also, if I VPN in and I am connected to the network, it still doesn't work. Shouldn't it get the info automatically from the Exchange server? Even if I type in the server in the account setup in Outlook it doesn't work. I use \\servername, IP address, external IP address and crm.domain.com, which is pointed to our Exchange; none of them will connect.

All the computers in the office are functioning fine, and previously set up laptops that are now remote are functioning fine using HTTP over RPC. However, I cannot get the remote computers to connect to Exchange.

OWA works fine for them but they really like Outlook.

They are home based Windows with Outlook 2013, which has never been a problem before.

Thanks
FosterThomas asked:
Joshua Grantom, Senior Systems Administrator, commented:
Do you have your Exchange server set up as an MX record both externally and internally? Make sure you have removed the default webmail MX records that HostGator adds to your external DNS.

Does the new exchange server have a different internal IP address than the Exchange 2003?
0
Gareth Gudger commented:
The fact that it is defaulting to Hostgator probably means external DNS is not configured correctly.

You either need to create an A record for autodiscover or an SRV record at your external DNS provider.

The A record is normally the easiest to configure. Just point autodiscover.mydomain.com to the public IP of your CAS server. I assume Outlook Web App is already working? If not, then you may have firewall/SSL work to do as well.

Then you need to confirm that your SSL certificate includes autodiscover.mydomain.com.

If you do it with the SRV record then you don't need to have autodiscover.mydomain.com on your SSL cert. But not all DNS providers support the creation of SRV records.

More info here on how to configure DNS, certificates and URLs in your Exchange environment.
http://supertekboy.com/2014/07/08/designing-simple-namespace-exchange-2013/
0
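Added example (not part of the original answers): a Python sketch that traces the names a non-domain-joined Outlook client looks up for a mailbox address through an external and an internal DNS view, and reports which ones land on Exchange. The zone data, the example.com names and all addresses are constructed for illustration.

```python
# Constructed DNS views: names and addresses (RFC 5737 / private ranges) are made up.
EXCHANGE_IPS = {"203.0.113.10", "10.0.0.94"}
EXTERNAL = {
    "example.com": ("A", "198.51.100.20"),             # website at the web host
    "crm.example.com": ("A", "203.0.113.10"),          # published Exchange name
    "autodiscover.example.com": ("CNAME", "crm.example.com"),
}
INTERNAL = {                                           # effective answers before the internal fix
    "example.com": ("A", "198.51.100.20"),
    "crm.example.com": ("A", "10.0.0.94"),
    "autodiscover.example.com": ("A", "198.51.100.20"),
}

def resolve(view, name, depth=0):
    """Follow CNAME/SRV targets inside one view; return the final IP or None."""
    rtype, value = view.get(name.lower(), (None, None))
    if rtype is None or depth > 8:                     # missing record or alias loop
        return None
    return value if rtype == "A" else resolve(view, value, depth + 1)

def candidates(email):
    """DNS names tried, in order, for the SMTP domain of the address."""
    domain = email.rsplit("@", 1)[1].lower()
    return [
        ("https root", domain),
        ("https autodiscover", "autodiscover." + domain),
        ("http redirect", "autodiscover." + domain),
        ("srv", "_autodiscover._tcp." + domain),
    ]

def trace(email, view):
    """Return (step, name, ip, verdict) for every lookup step."""
    rows = []
    for step, name in candidates(email):
        ip = resolve(view, name)
        if ip is None:
            verdict = "no record"
        elif ip in EXCHANGE_IPS:
            verdict = "exchange"
        else:
            verdict = "other host"                     # e.g. the website's hosting provider
        rows.append((step, name, ip, verdict))
    return rows

if __name__ == "__main__":
    for label, view in (("external", EXTERNAL), ("internal", INTERNAL)):
        for row in trace("user@example.com", view):
            print(label, *row)
```

Domain-joined clients query Active Directory for a service connection point before any of these DNS names, so they can work while workgroup machines on the same network do not. Any step marked "other host" is worth checking to confirm that host does not answer Autodiscover requests.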
FosterThomas (author) commented:
It does have a new internal IP; it went from .98 to .94. On my A records on Network Solutions I have an @fosterthomas.com that was pointed to HostGator servers. I changed that to my external Exchange IP, but that was two days ago and it hasn't made it work.

Last night I created a CNAME for autodiscover and pointed it to crm.domain.com, which is my external address for my Exchange server and how OWA is reached: https://crm.domain.com/xxx etc. That is also the address you use in the HTTP over RPC box for laptops with Outlook that function correctly.

I am just running out of ideas of why it worked on old Exchange and not new Exchange.
0
FosterThomas (author) commented:
I just pinged autodiscover.domain.com and it still goes to the HostGator server, and when I ping autodiscover.crm.domain.com it says it can't be found.
0
Joshua Grantom, Senior Systems Administrator, commented:
I pinged it and it pointed to crm.domain.com. It may take some time for the DNS records to propagate everywhere.
0
FosterThomas (author) commented:
Which did you ping, autodiscover.domain.com or autodiscover.crm.domain.com?
0
Joshua Grantom, Senior Systems Administrator, commented:
autodiscover.domain.com

Trying to ping autodiscover.crm.domain.com returns invalid hostname.
0
FosterThomas (author) commented:
That is what I am wondering: which should I set it up as, since crm.domain.com is the address of the Exchange server?

In Network Solutions I made a CNAME for autodiscover to point to crm.domain.com, but it seems to take the crm. part off of it.
0
Joshua Grantom, Senior Systems Administrator, commented:
You do not need an autodiscover for that. The autodiscover should be under the domain you use for your email address.

@domain.com so autodiscover should be

autodiscover.domain.com pointing to crm.domain.com

It will take some time for it to update everywhere depending on what the TTL is set to.
0
FosterThomas (author) commented:
I don't understand TTL so I just kept it at 7200.
0
Joshua Grantom, Senior Systems Administrator, commented:
TTL is easy. It tells other DNS servers how long before they need to check to see if the record has changed. It is in seconds.

7200 seconds = 120 minutes = 2 hours.

Not all DNS servers follow these instructions, though, and sometimes have hard-coded update intervals set by their administrators.
0
FosterThomas (author) commented:
Thanks! I will close the question with your answer after it works, hopefully this afternoon.
0
FosterThomas (author) commented:
How do I confirm my SSL Certificate has autodiscover.domain.com?

Is that on the server or is that somewhere on GoDaddy where I bought the certificate?
0
Joshua Grantom, Senior Systems Administrator, commented:
When you set up the certificate request you should have put autodiscover.domain.com as a SAN for the certificate.

Your certificate request should include

domain.local (local domain name)
domain.com
crm.domain.com
crm.domain.local
autodiscover.domain.com

If you are going through GoDaddy, they call it a Multiple Domain (UCC) SSL Certificate
https://support.godaddy.com/help/category/599/ssl-certificates-ucc-certificates
0
FosterThomas (author) commented:
If it was requested without it, what do I do?
0
Joshua Grantom, Senior Systems Administrator, commented:
I would call GoDaddy and see if they can help you switch it over to a UC SSL Certificate. You will have to install the new certificate on your Exchange as well.
0
FosterThomas (author) commented:
So I am on my network, and if I ping autodiscover.domain.com it continues to point to HostGator, but everyone off the network points correctly.

Is that because I am on my internal network?
0
Joshua Grantom, Senior Systems Administrator, commented:
Your internal network does not have the correct autodiscover record set up. Under your internal DNS, what IP does the autodiscover record point to?
0
FosterThomas (author) commented:
Where do I check that?
0
FosterThomas (author) commented:
I made a new CNAME on DC to point autodiscover.domain.com to crm.domain.com. There was no autodiscover set up currently, so I added a new one.
0
Joshua Grantom, Senior Systems Administrator, commented:
Does it work after creating the record?
0
FosterThomas (author) commented:
Now I get a pop up, "the application experienced an internal error loading the SSL libraries", if I hit OK.

Another pop up comes up with two checks and an X.

Two checks:
"certificate is from a trusted certifying authority"
"certificate date is valid"

X:
"The name on the security certificate is invalid or does not match the name of the site"

Then you hit Proceed and get a pop up asking for username and password. I type domain\username and password and it says an encrypted connection to your mail server is not available, click Next to try unencrypted.
0
Joshua Grantom, Senior Systems Administrator, commented:
This is happening because your SSL certificate does not have your internal Exchange server name as a SAN. You will need to correct your SSL certificate before any other troubleshooting can be done.
0
FosterThomas (author) commented:
Then I get to where I can manually set it up. The first question is server.

I don't know what to put there. I've tried everything I can think of: ft-exchange.domain.local, the local IP, servername etc.

What doesn't make sense to me is this works perfectly on Pro versions of Windows once joined to the domain. This is only an issue for Home based Windows.

All mobile and tablets work properly with crm.domain.com as the server, and laptops work with HTTP over RPC with crm.domain.com. It's only Home based Windows with Outlook that is having the issue.

If it was a certificate error, wouldn't all computers face that issue?
0
Joshua Grantom, Senior Systems Administrator, commented:
Are the home based computers connected to your internal network through a VPN, or are they trying to access Exchange by the public IP address?
0
Simon Butler (Sembee), Consultant, commented:
Sorry to say, you have been given out of date information.

This list isn't going to work for you:

domain.local (local domain name)
domain.com
crm.domain.com
crm.domain.local
autodiscover.domain.com

The SSL certificate will have all of the .local host names removed from it. This is because the SSL providers are no longer issuing certificates that are dated after November 2015 with internal addresses on it. Therefore no .local, or IP addresses or names like "intranet".

You will need to set up a split DNS system so that the names resolve to the correct place, and then adjust the host names in Exchange.

http://semb.ee/hostnames2013

For home systems, ensure that they are fully patched, as GoDaddy changed their root certificate last year and a Windows Update is required to ensure the certificates are trusted.

However the prompt could be coming from elsewhere. Web hosts also use Autodiscover.

Check if the following URL works:
https://example.com/Autodiscover/Autodiscover.xml 
(ie nothing in front of your domain)

If it does, then you need to speak to your web host and get them to turn the Autodiscover feature off.

Simon.
0
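Added example (not part of the original answers): a Python sketch of the certificate name check discussed above, comparing a certificate's SAN list with every host name clients connect to and separating plain mismatches from internal names (.local, IP addresses, single-label names) that, per the answer above, public CAs no longer issue. The SAN list and host names are constructed, and the wildcard rule is the usual left-most-label match.

```python
import ipaddress

# Constructed sample data: one public SAN, four names clients might be configured with.
CERT_SANS = ["crm.example.com"]
CLIENT_HOSTS = ["crm.example.com", "autodiscover.example.com",
                "mail01.example.local", "10.0.0.94"]

def is_internal_name(name):
    """IP address, single-label name or .local name (the categories named in the thread)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        pass
    labels = name.lower().rstrip(".").split(".")
    return len(labels) == 1 or labels[-1] == "local"

def san_matches(san, host):
    """Exact match, or '*' standing in for exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:] and "." in tail
    return False

def audit(cert_sans, client_hosts):
    """Map each client-facing name to 'covered', 'internal' or 'mismatch'."""
    report = {}
    for host in client_hosts:
        if any(san_matches(s, host) for s in cert_sans):
            report[host] = "covered"
        elif is_internal_name(host):
            report[host] = "internal"    # cannot be added to a public cert; needs split DNS
        else:
            report[host] = "mismatch"    # public name missing from the SAN list
    return report

if __name__ == "__main__":
    for host, verdict in audit(CERT_SANS, CLIENT_HOSTS).items():
        print(f"{host:28} {verdict}")
```

A "mismatch" or "internal" verdict corresponds to the "name on the security certificate is invalid or does not match the name of the site" prompt described earlier in the thread.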
FosterThomas (author) commented:
I physically brought one of the laptops in and plugged it into the network to test
0
FosterThomas (author) commented:
So I tried it again one more time just for the hell of it and it worked. I don't know if it just took time after creating the CNAME internally or what; it connected and automatically found the HTTP over RPC settings.

I do get a certificate error, the same as the two checks and one X above, but if you hit accept it works anyway. So I am happy for now.
0
Joshua Grantom, Senior Systems Administrator, commented:
I'm glad it is working, but Simon is very right. I haven't had to manage Exchange certificates in 2 years, so my info is out of date in regards to the SSL SANs.
0
FosterThomas (author) commented:
If I just have them accept that pop up every time they open Outlook, which is only once a day, there should be no issues, correct?
0
Joshua Grantom, Senior Systems Administrator, commented:
There should be no issues with their connection but the SSL Certificate still needs to be corrected and replaced.
0

Question has a verified solution.
