Solved

Exchange 2013+6:  Where to point autodiscover?

Posted on 2016-09-20
Last Modified: 2016-09-21
Hi,

this time I'm not struggling with a client, but with my own setup.  We are running about 10 mailboxes off a 2013 Exchange server.  It has an external name and a single domain certificate.  Access is configured using split-brain DNS-configuration.  External autodiscover uses the SRV method.  All is well.

Even though I have migrated several Exchange 2010 to 2016, I have never migrated one from 2013.
I set up the new box, added it to the domain, installed Exchange 2016 and gave it a different external name, added that to the DNS also in split-brain configuration.

I migrated several boxes, all was well.  No changes were made to the configuration of the old server.  OWA works on both servers just fine.

Outlook cannot access either machine anymore.  That's not completely right - it works off our RDP server using Outlook 2013 with exchange proxy values manually added.  I am getting several certificate errors on the local physical machine name, even though this has never been the case in the past.  Outlook freezes if it connects at all.  New profiles don't find their way to the 2016 server using Outlook 2016 - the message says it could not log on to the server because the database is down (which it is not).  Smart phones work fine.

My question is this:
Where do I point the autodiscover SRV-record?  To the first or to the second server or does that not matter?
Where do I point the autodiscoverinternaluri-value?  Each server to itself?  That's the way I did it right now.

I can't find anything wrong and the logs are fine.  What can I do?  I hesitate to just migrate the remaining boxes and uninstall 2013 - I want to understand what is happening...

Thanks,
Ralph
Question by:Ralph Scharping
10 Comments
 
LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 41807595
It's recommended that you point your SRV record to the highest version Exchange server in your environment. If mailboxes exist on the 2013 server, 2016 is able to proxy or redirect users to their mailboxes with ease. The autodiscoverinternaluri should usually be the same value for all servers in your setup. Preferably the 2016 server.

In addition, make sure the virtual directory internal and external URLs are set properly as well. The Virtual Directory URLs should point to the server that is hosting the Virtual Directory, using a name that exists on the certificate.
1
 
LVL 17

Expert Comment

by:Ivan
ID: 41807598
Hi,

Outlook clients running on domain joined computers are going to use the autodiscover SCP record, before any DNS. Outlook 2016 is using autodiscover to configure the account, and setting up multiple different values doesn't sound like a good idea.

I would point autodiscoverinternaluri to Exchange 2016, as well as 443 port from internet, just like in 2010 migration. Let new exchange then decide what to do with traffic.

Regards,
Ivan.
0
 
LVL 2

Author Comment

by:Ralph Scharping
ID: 41807618
So you are saying point the external SRV record to the 2016 server.

Also the autodiscoverinternaluri should point to the 2016 server.  For the 2016 itself this is easy. On the 2013 box, the name of the destination URL on the 2016 server will not be included in the certificate on the 2013 server.  Is that a problem?

Where can I edit the autodiscover SCP settings?
0
 
LVL 17

Expert Comment

by:Ivan
ID: 41807632
Hi,

for Exchange 2016, to see autodiscover SCP:
[PS] C:\>Get-ClientAccessService | Select AutodiscoverServiceInternalUri
To reconfigure it:
[PS] C:\>Set-ClientAccessService -Identity 2016server -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"

for Exchange 2013, to see autodiscover SCP:
[PS] C:\>Get-ClientAccessServer | Select AutodiscoverServiceInternalUri
To reconfigure it:
[PS] C:\>Set-ClientAccessServer -Identity 2013server -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"

Identity is NetBIOS, not FQDN.

PS: I would configure all services on Exchange 2016 to use the same name as on Exchange 2013. Then you can simply redirect the DNS record to point to 2016 instead of 2013.

Regards,
Ivan.
0
 
LVL 2

Author Comment

by:Ralph Scharping
ID: 41807638
Hi Ivan,

okay, yes, I got that.  I was just unfamiliar with the term SCP.  Thanks.
Before I asked this, I pointed the autodiscover-record on each server to itself.  I just changed that.  Will wait a little while and try again.

Thanks,
Ralph
0
 
LVL 2

Author Comment

by:Ralph Scharping
ID: 41807655
No success so far.
When trying to access Exchange using Outlook with an existing profile, I keep getting the authentication dialogue, but the password is not accepted even when the username is entered in the domain\user syntax.
When I create a new profile, it finds the users name and mail address right away, then again prompts for credentials but is never satisfied.

Never had that before...
0
 
LVL 2

Author Comment

by:Ralph Scharping
ID: 41807682
What do I do with the other virtual directories?  For OWA surely each server must point to itself?  But what about the others?
0
 
LVL 17

Assisted Solution

by:Ivan
Ivan earned 500 total points
ID: 41807713
Hi,

how did you configure Outlook Anywhere on both servers, what security settings? Is it using NTLM or Basic? It should be configured to support NTLM authentication, so if it is set for basic, configure it with Basic+NTLM.

Run this command, and let's see how both are configured.

[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*15.*" -and $_.IsClientAccessServer} | Get-OutlookAnywhere | fl servername,*auth*
0
 
LVL 16

Accepted Solution

by:Todd Nelson
Todd Nelson earned 1000 total points
ID: 41807823
Keep it simple.  In a small organization with Exchange in one AD site, you will (should) use the unbound namespace model with DNS records essentially using one FQDN--no matter how many servers there are.

I don't think I've needed to (or have used) an SRV record after Outlook 2013 and Exchange 2013 came out.  I just don't think it is valid or necessary any more.  I'm not stating that an SRV record is totally useless, because it is more or less a helper for Outlook clients if the autodiscover record is not configured, or functioning, properly.

In my opinion, in a small organization, the internal and external URLs should be configured with the same FQDN.  For example, if your OWA is https://mail.mydomain.com/owa and you only have a single name SSL cert, then use the FQDN (mail.mydomain.com) for all of your virtual directories, OA and the autodiscover SCP.

Use Paul Cunningham's script to set your URLs (see ExchangeServerPro reference below).

Once the new server has been configured, you essentially just need to point your firewall NATs for 25, 80, 443, 587 to the new server, and change the IP address of the internal DNS A record for OWA to point to the new server.

This might sound like a bit more information than you want but it is important to set a consistent foundation for Exchange to function properly and provide users with a consistent experience.

In my opinion, this is what DNS should look like...

PUBLIC DNS
  • OWA (A Record) points to public IP address of firewall ... mail.mydomain.com >> x.x.x.x
  • Autodiscover (CNAME Record) points to OWA FQDN ... autodiscover.mydomain.com >> mail.mydomain.com
  • Autodiscover (SRV Record) points to OWA FQDN ... _autodiscover._tcp.mydomain.com >> mail.mydomain.com

INTERNAL DNS
  • OWA (A Record) points to internal IP address of new (or primary) Exchange server ... mail.mydomain.com >> x.x.x.x
  • Autodiscover (CNAME Record) points to OWA FQDN ... autodiscover.mydomain.com >> mail.mydomain.com
  • Autodiscover (SRV Record) points to OWA FQDN ... _autodiscover._tcp.mydomain.com >> mail.mydomain.com

Hope this helps.

References...
0
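The single-namespace layout Todd describes, together with Ivan's Outlook Anywhere authentication check and the SCP commands earlier in the thread, can be verified in one pass. The script below is an added example, not code from the thread or from any of its authors; it assumes the Exchange Management Shell, and the namespace mail.mydomain.com is the thread's placeholder (it must be a name on your certificate). It only reports mismatches unless run with -Fix.

```powershell
# Added example (not from the thread): audit virtual-directory URLs, Outlook Anywhere
# and the autodiscover SCP on every Exchange 2013/2016 server against ONE namespace;
# nothing is changed unless -Fix is given. Assumes the Exchange Management Shell;
# mail.mydomain.com is the thread's placeholder and must exist on the certificate.
param([string]$Namespace = "mail.mydomain.com", [switch]$Fix)

$servers = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion.Major -eq 15 -and $_.IsClientAccessServer }

# Getter/setter pairs and the path each virtual directory must expose.
$vdirs = @(
    @{ Get = "Get-OwaVirtualDirectory";         Set = "Set-OwaVirtualDirectory";         Path = "/owa" },
    @{ Get = "Get-EcpVirtualDirectory";         Set = "Set-EcpVirtualDirectory";         Path = "/ecp" },
    @{ Get = "Get-WebServicesVirtualDirectory"; Set = "Set-WebServicesVirtualDirectory"; Path = "/EWS/Exchange.asmx" },
    @{ Get = "Get-ActiveSyncVirtualDirectory";  Set = "Set-ActiveSyncVirtualDirectory";  Path = "/Microsoft-Server-ActiveSync" },
    @{ Get = "Get-OabVirtualDirectory";         Set = "Set-OabVirtualDirectory";         Path = "/OAB" },
    @{ Get = "Get-MapiVirtualDirectory";        Set = "Set-MapiVirtualDirectory";        Path = "/mapi" }
)

foreach ($srv in $servers) {
    foreach ($v in $vdirs) {
        $want = "https://$Namespace$($v.Path)"
        foreach ($vd in (& $v.Get -Server $srv.Name)) {
            if ("$($vd.InternalUrl)" -ne $want -or "$($vd.ExternalUrl)" -ne $want) {
                Write-Warning "$($vd.Identity): int=$($vd.InternalUrl) ext=$($vd.ExternalUrl) want=$want"
                if ($Fix) { & $v.Set -Identity $vd.Identity -InternalUrl $want -ExternalUrl $want }
            }
        }
    }
    # Outlook Anywhere: same hostname on both sides, NTLM among the IIS methods (Ivan's check above).
    $oa = Get-OutlookAnywhere -Server $srv.Name
    $ntlmOk = $oa.IISAuthenticationMethods -contains "Ntlm"
    if ("$($oa.InternalHostname)" -ne $Namespace -or "$($oa.ExternalHostname)" -ne $Namespace -or -not $ntlmOk) {
        Write-Warning "$($srv.Name) OA: int=$($oa.InternalHostname) ext=$($oa.ExternalHostname) auth=$($oa.IISAuthenticationMethods -join ',')"
        if ($Fix) {
            Set-OutlookAnywhere -Identity $oa.Identity -InternalHostname $Namespace -ExternalHostname $Namespace `
                -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -IISAuthenticationMethods Basic,Ntlm
        }
    }
    # Autodiscover SCP: 15.1 is Exchange 2016 (ClientAccessService), 15.0 is 2013 (ClientAccessServer).
    $scpWant = "https://$Namespace/autodiscover/autodiscover.xml"
    $is2016  = $srv.AdminDisplayVersion.Minor -ge 1
    $scp = if ($is2016) { Get-ClientAccessService -Identity $srv.Name } else { Get-ClientAccessServer -Identity $srv.Name }
    if ("$($scp.AutoDiscoverServiceInternalUri)" -ne $scpWant) {
        Write-Warning "$($srv.Name) SCP: $($scp.AutoDiscoverServiceInternalUri) want=$scpWant"
        if ($Fix) {
            if ($is2016) { Set-ClientAccessService -Identity $srv.Name -AutoDiscoverServiceInternalUri $scpWant }
            else         { Set-ClientAccessServer  -Identity $srv.Name -AutoDiscoverServiceInternalUri $scpWant }
        }
    }
}
```

Run it once without -Fix and compare the warnings against the certificate's names before applying anything; a URL that is "fixed" to a name the certificate does not carry produces exactly the Outlook certificate errors described in the question.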
 
LVL 2

Author Closing Comment

by:Ralph Scharping
ID: 41809409
Cause of mayhem was:  MAPI over HTTPS was enabled on the 2016 box.  I did that, not thinking much, expecting that I was going to try it out.  Apparently this is frowned upon in a mixed environment.  As soon as I deactivated that, all was well again.
I did, however, set the virtual directories the way you guys recommended and I will come back to that when I do my next migration.

Thanks!
0