Solved

AutoDiscover DNS Settings - Exchange 2013

Posted on 2014-10-09
Last Modified: 2014-10-09
I will try to make this simple though it confuses me.

We have an Exchange 2013 environment; prior to that we had Exchange 2003, so it was a big upgrade. Since the upgrade I can no longer connect remote users who use Outlook to the server. When it goes through AutoDiscover it tries to point Outlook to a HostGator server, not our Exchange server. HostGator is where we host our website, so if you go to www.ourdomain.com you get our website, but that is hosted on HostGator off site.

How do I tell Outlook to use AutoDiscover to find my Exchange server? Do I have to add a CNAME or A record on my DNS host?

Also, if I VPN in and I am connected to the network, it still doesn't work. Shouldn't it get the info automatically from the Exchange server? Even if I type in the server in the account setup in Outlook it doesn't work. I use \\servername, IP address, external IP address and crm.domain.com, which is pointed to our Exchange, and none of them will connect.

All the computers in the office are functioning fine and previously set up laptops that are now remote are functioning fine using HTTP over RPC.  However I cannot get the remote computers to connect to Exchange.

OWA works fine for them but they really like Outlook.

They are home based Windows with Outlook 2013, which has never been a problem before.

Thanks
Question by:FosterThomas
31 Comments
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40370578
Do you have your Exchange server set up as an MX record both externally and internally? Make sure you have removed the default webmail MX records that HostGator adds to your external DNS.

Does the new Exchange server have a different internal IP address than the Exchange 2003?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40370590
The fact that it is defaulting to Hostgator probably means external DNS is not configured correctly.

You either need to create an A record for autodiscover or an SRV record at your external DNS provider.

The A record is normally the easiest to configure. Just point autodiscover.mydomain.com to the public IP of your CAS server. I assume Outlook Web App is already working? If not, then you may have firewall/SSL work to do as well.

Then you need to confirm that your SSL certificate includes autodiscover.mydomain.com.

If you do it with the SRV record then you don't need to have autodiscover.mydomain.com on your SSL cert. But not all DNS providers support the creation of SRV records.

More info here on how to configure DNS, certificates and URLs in your Exchange environment.
http://supertekboy.com/2014/07/08/designing-simple-namespace-exchange-2013/
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40370592
It does have a new internal IP; it went from .98 to .94. On my A records on Network Solutions I have an @fosterthomas.com that was pointed to HostGator servers. I changed that to my external Exchange IP, but that was two days ago and hasn't made it work.

Last night I created a CNAME for autodiscover and pointed it to crm.domain.com, which is my external address for my Exchange server and how OWA is reached: https://crm.domain.com/xxx etc. That is also the address you use in the HTTP over RPC box for laptops with Outlook that function correctly.

I am just running out of ideas of why it worked on old Exchange and not new Exchange.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40370656
I just pinged autodiscover.domain.com and it still goes to the HostGator server, and when I ping autodiscover.crm.domain.com it says it can't be found.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40370690
I pinged it and it pointed to crm.domain.com. It may take some time for the DNS records to propagate everywhere.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40370696
Which did you ping, autodiscover.domain.com or autodiscover.crm.domain.com?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40370698
autodiscover.domain.com

Trying to ping autodiscover.crm.domain.com returns invalid hostname.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40370704
That is what I am wondering: which should I set it up as, since crm.domain.com is the address of the Exchange server?

In Network Solutions I made a CNAME for autodiscover to point to crm.domain.com, but it seems to take the crm. part off of it.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40370710
You do not need an autodiscover for that. The autodiscover should be under the domain you use for your email address.

@domain.com so autodiscover should be

autodiscover.domain.com pointing to crm.domain.com

It will take some time for it to update everywhere depending on what the TTL is set to.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40370716
I don't understand TTL so I just kept it at 7200.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40370722
TTL is easy. It tells other DNS servers how long before they need to check to see if the record has changed. It is in seconds.

7200 seconds = 120 minutes = 2 hours.

Not all DNS servers follow these instructions though, and some have hard-coded update intervals set by their administrators.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40370765
Thanks! I will close the question with your answer after it works, hopefully this afternoon.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371003
How do I confirm my SSL certificate has autodiscover.domain.com?

Is that on the server or is that somewhere on GoDaddy where I bought the certificate?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40371013
When you set up the certificate request you should have put autodiscover.domain.com as a SAN for the certificate.

Your certificate request should include:

domain.local (local domain name)
domain.com
crm.domain.com
crm.domain.local
autodiscover.domain.com

If you are going through GoDaddy, they call it a Multiple Domain (UCC) SSL Certificate.
https://support.godaddy.com/help/category/599/ssl-certificates-ucc-certificates
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371028
If it was requested without it, what do I do?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40371030
I would call GoDaddy and see if they can help you switch it over to a UC SSL Certificate. You will have to install the new certificate on your Exchange as well.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371158
So I am on my network, and if I ping autodiscover.domain.com it continues to point to HostGator, but everyone off the network points correctly.

Is that because I am on my internal network?
0
 
LVL 16

Accepted Solution

by:
Joshua Grantom earned 500 total points
ID: 40371161
Your internal network does not have the correct autodiscover record set up. Under your internal DNS, what IP does the autodiscover record point to?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371179
Where do I check that?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371188
I made a new CNAME on the DC to point autodiscover.domain.com to crm.domain.com. There was no autodiscover set up currently, so I added a new one.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40371195
Does it work after creating the record?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371210
Now I get a pop-up: "the application experienced an internal error loading the SSL libraries". If I hit OK, another pop-up comes up with two checks and an X.

Two checks:
"certificate is from a trusted certifying authority"
"certificate date is valid"

X:
"The name on the security certificate is invalid or does not match the name of the site"

Then you hit Proceed and get a pop-up asking for username and password. I type domain\username and password, and it says an encrypted connection to your mail server is not available, click Next to try unencrypted.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40371212
This is happening because your SSL certificate does not have your internal Exchange server name as a SAN. You will need to correct your SSL certificate before any other troubleshooting can be done.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371217
Then I get to where I can manually set it up, the first question is server.

I don't know what to put there. I've tried everything I can think of: ft-exchange.domain.local, the local IP, servername etc.

What doesn't make sense to me is this works perfectly on Pro versions of Windows once joined to the domain. This is only an issue for Home-based Windows.

All mobiles and tablets work properly with crm.domain.com as the server, and laptops work with HTTP over RPC with crm.domain.com. It's only Home-based Windows with Outlook that is having the issue.

If it was a certificate error, wouldn't all computers face that issue?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40371226
Are the home-based computers connected to your internal network through a VPN, or are they trying to access Exchange by the public IP address?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40371233
Sorry to say, you have been given out of date information.

This list isn't going to work for you:

domain.local (local domain name)
domain.com
crm.domain.com
crm.domain.local
autodiscover.domain.com

The SSL certificate will have all of the .local host names removed from it. This is because the SSL providers are no longer issuing certificates that are dated after November 2015 with internal addresses on them. Therefore no .local, or IP addresses, or names like "intranet".

You will need to set up a split DNS system so that the names resolve to the correct place, and then adjust the host names in Exchange.

http://semb.ee/hostnames2013

For home systems, ensure that they are fully patched, as GoDaddy changed their root certificate last year and a Windows Update is required to ensure the certificates are trusted.

However the prompt could be coming from elsewhere. Web hosts also use Autodiscover.

Check if the following URL works:
https://example.com/Autodiscover/Autodiscover.xml
(ie nothing in front of your domain)

If it does, then you need to speak to your web host and get them to turn the Autodiscover feature off.

Simon.
0
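An offline check for the points raised in this thread, added here as an example and not code from any poster: it lists the lookups a non-domain-joined Outlook 2013 client tries in order, then tests a certificate's SAN list against the hostnames those lookups use and flags internal names. The function names and the sample SAN list are constructed for illustration; `domain.com` is the thread's placeholder domain.

```python
import ipaddress


def autodiscover_lookups(email_domain):
    """Lookups a non-domain-joined Outlook client tries, in order."""
    d = email_domain.lower().rstrip(".")
    path = "/autodiscover/autodiscover.xml"
    return [
        f"https://{d}{path}",               # root domain: often answered by the web host
        f"https://autodiscover.{d}{path}",  # needs an A/CNAME record and a matching SAN
        f"http://autodiscover.{d}{path}",   # plain-HTTP redirect check
        f"_autodiscover._tcp.{d}",          # DNS SRV record fallback
    ]


def is_internal_name(name):
    """Names the thread says public CAs stop issuing for: .local, IPs, single labels."""
    n = name.lower().rstrip(".")
    try:
        ipaddress.ip_address(n)
        return True
    except ValueError:
        return n.endswith(".local") or "." not in n


def san_covers(san, host):
    """Exact match, or a wildcard SAN matching exactly one left-most label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def audit_certificate(email_domain, sans, srv_target=None):
    """Report which Autodiscover hostnames the SAN list covers, plus internal SANs."""
    d = email_domain.lower().rstrip(".")
    hosts = {"root": d, "autodiscover": f"autodiscover.{d}"}
    if srv_target:
        hosts["srv_target"] = srv_target  # with SRV, the cert must match the target host
    return {
        "covered": {k: any(san_covers(s, h) for s in sans) for k, h in hosts.items()},
        "internal_sans": [s for s in sans if is_internal_name(s)],
    }


# Constructed sample: SAN list of a certificate requested without the autodiscover name.
SAMPLE_SANS = ["crm.domain.com", "domain.com", "crm.domain.local"]

if __name__ == "__main__":
    print("\n".join(autodiscover_lookups("domain.com")))
    print(audit_certificate("domain.com", SAMPLE_SANS, srv_target="crm.domain.com"))
```

A CNAME from autodiscover.domain.com to crm.domain.com does not change the name the client validates: the certificate is still checked against autodiscover.domain.com, which is why the sample reports that hostname as uncovered while the SRV target is covered.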
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371236
I physically brought one of the laptops in and plugged it into the network to test.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371245
So I tried it again one more time just for the hell of it and it worked. I don't know if it just took time after creating the CNAME internally or what, but it connected and automatically found the HTTP over RPC settings.

I do get a certificate error, the same as the two checks and one X above, but if you hit accept it works anyway. So I am happy for now.
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40371276
I'm glad it is working, but Simon is very right. I haven't had to manage Exchange certificates in 2 years, so my info is out of date in regards to the SSL SANs.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 40371309
If I just have them accept that pop-up every time they open Outlook, which is only once a day, there should be no issues, correct?
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40371323
There should be no issues with their connection, but the SSL certificate still needs to be corrected and replaced.
0
