Solved

Exchange 2013+6:  Where to point autodiscover?

Posted on 2016-09-20
Last Modified: 2016-09-21
Hi,

this time I'm not struggling with a client, but with my own setup.  We are running about 10 mailboxes off a 2013 Exchange server.  It has an external name and a single domain certificate.  Access is configured using a split-brain DNS configuration.  External autodiscover uses the SRV method.  All is well.

Even though I have migrated several Exchange 2010 to 2016, I have never migrated one from 2013.
I set up the new box, added it to the domain, installed Exchange 2016 and gave it a different external name, added that to the DNS also in split-brain configuration.

I migrated several boxes, all was well.  No changes were made to the configuration of the old server.  OWA works on both servers just fine.

Outlook cannot access either machine anymore.  That's not completely right - it works off our RDP server using Outlook 2013 with Exchange proxy values manually added.  I am getting several certificate errors on the local physical machine name, even though this has never been the case in the past.  Outlook freezes if it connects at all.  New profiles don't find their way to the 2016 server using Outlook 2016 - the message says it could not log on to the server because the database is down (which it is not).  Smart phones work fine.

My question is this:
Where do I point the autodiscover SRV-record?  To the first or to the second server or does that not matter?
Where do I point the autodiscoverinternaluri value?  Each server to itself?  That's the way I did it right now.

I can't find anything wrong and the logs are fine.  What can I do?  I hesitate to just migrate the remaining boxes and uninstall 2013 - I want to understand what is happening...

Thanks,
Ralph
Question by: Ralph Scharping
Assisted Solution by: Adam Brown (earned 125 total points)
It's recommended that you point your SRV record to the highest version Exchange server in your environment. If mailboxes exist on the 2013 server, 2016 is able to proxy or redirect users to their mailboxes with ease. The autodiscoverinternaluri should usually be the same value for all servers in your setup, preferably the 2016 server.

In addition, make sure the virtual directory internal and external URLs are set properly as well. The Virtual Directory URLs should point to the server that is hosting the Virtual Directory, using a name that exists on the certificate.
Expert Comment by: Ivan
Hi,

Outlook clients running on domain-joined computers are going to use the autodiscover SCP record before any DNS. Outlook 2016 uses autodiscover to configure the account, and setting up multiple different values doesn't sound like a good idea.

I would point autodiscoverinternaluri to Exchange 2016, as well as port 443 from the internet, just like in a 2010 migration. Let the new Exchange then decide what to do with the traffic.

Regards,
Ivan.
Author Comment by: Ralph Scharping
So you are saying point the external SRV record to the 2016 server.

Also the autodiscoverinternaluri should point to the 2016 server.  For the 2016 itself this is easy. On the 2013 box, the name of the destination URL on the 2016 server will not be included in the certificate on the 2013 server.  Is that a problem?

Where can I edit the autodiscover SCP settings?
Expert Comment by: Ivan
Hi,

For Exchange 2016, to see the autodiscover SCP:
[PS] C:\>Get-ClientAccessService | Select AutodiscoverServiceInternalUri
To reconfigure it:
[PS] C:\>Set-ClientAccessService -Identity 2016server -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"

For Exchange 2013, to see the autodiscover SCP:
[PS] C:\>Get-ClientAccessServer | Select AutodiscoverServiceInternalUri
To reconfigure it:
[PS] C:\>Set-ClientAccessServer -Identity 2013server -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"

Identity is NetBIOS, not FQDN.

PS: I would configure all services on Exchange 2016 to use the same name as on Exchange 2013. Then you can simply redirect the DNS record to point to 2016 instead of 2013.

Regards,
Ivan.
Author Comment by: Ralph Scharping
Hi Ivan,

okay, yes, I got that.  I was just unfamiliar with the term SCP.  Thanks.
Before I asked this, I pointed the autodiscover-record on each server to itself.  I just changed that.  Will wait a little while and try again.

Thanks,
Ralph
Author Comment by: Ralph Scharping
No success so far.
When trying to access Exchange using Outlook with an existing profile, I keep getting the authentication dialogue, but the password is not accepted even when the username is entered in the domain\user syntax.
When I create a new profile, it finds the users name and mail address right away, then again prompts for credentials but is never satisfied.

Never had that before...
Author Comment by: Ralph Scharping
What do I do with the other virtual directories?  For OWA surely each server must point to itself?  But what about the others?
Assisted Solution by: Ivan (earned 125 total points)
Hi,

how did you configure Outlook Anywhere on both servers, what security settings? Is it using NTLM or Basic? It should be configured to support NTLM authentication, so if it is set for Basic, configure it with Basic+NTLM.

Run this command, and let's see how both are configured.

[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*15.*" -and $_.IsClientAccessServer} | Get-OutlookAnywhere | fl servername,*auth*
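The two checks Ivan asks for in his posts above (the autodiscover SCP on each server and the Outlook Anywhere authentication methods) can be gathered in one read-only pass. The script below is an added example written for this thread, not code posted by any participant and not an Exchange product script. It assumes an Exchange Management Shell session on a version 15.x server; the namespace "mail.domain.com" is a placeholder taken from Ivan's commands, and the property and cmdlet names are the standard Exchange 2013/2016 ones. Nothing here changes configuration; it reports where a server deviates from the single-namespace model and whether the name clients are sent to is actually on the certificate bound to IIS (the certificate warnings on the physical host name that the question describes are what that column is for).

```powershell
# Added example for this thread (not from the thread): read-only Exchange 2013/2016
# coexistence audit. Run from an Exchange Management Shell on either server.
# "mail.domain.com" is a placeholder from the thread's examples; adjust it.
param(
    [string]$Namespace = "mail.domain.com"   # assumed single-name certificate subject
)
$expectedScp = "https://$Namespace/autodiscover/autodiscover.xml"

function Test-CoexistenceConfig {
    param([string]$Namespace, [string]$ExpectedScp)

    $report  = @()
    $servers = Get-ExchangeServer | Where-Object {
        $_.AdminDisplayVersion.Major -eq 15 -and $_.IsClientAccessServer
    }

    foreach ($server in $servers) {
        # Exchange 2016 (15.1) exposes the SCP via Get-ClientAccessService,
        # Exchange 2013 (15.0) via Get-ClientAccessServer. Identity is the NetBIOS name.
        if ($server.AdminDisplayVersion.Minor -ge 1) {
            $scp = (Get-ClientAccessService -Identity $server.Name).AutoDiscoverServiceInternalUri
        } else {
            $scp = (Get-ClientAccessServer -Identity $server.Name).AutoDiscoverServiceInternalUri
        }

        # Outlook Anywhere: domain clients expect NTLM to be offered. Basic alone leaves
        # Outlook re-prompting for credentials, the symptom the author describes.
        $oa      = Get-OutlookAnywhere -Server $server.Name
        $iisAuth = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })

        # The name Outlook is told to connect to must be on the certificate bound to IIS,
        # otherwise clients see certificate warnings for the physical host name.
        $iisCert = Get-ExchangeCertificate -Server $server.Name |
            Where-Object { "$($_.Services)" -match "IIS" } |
            Select-Object -First 1
        $certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })

        $report += [pscustomobject]@{
            Server             = $server.Name
            Version            = "$($server.AdminDisplayVersion.Major).$($server.AdminDisplayVersion.Minor)"
            Scp                = "$scp"
            ScpMatches         = ("$scp" -eq $ExpectedScp)
            OAExternalHost     = "$($oa.ExternalHostname)"
            OAInternalHost     = "$($oa.InternalHostname)"
            OAExternalAuth     = "$($oa.ExternalClientAuthenticationMethod)"
            OAInternalAuth     = "$($oa.InternalClientAuthenticationMethod)"
            OAIISAuth          = ($iisAuth -join ",")
            NtlmOffered        = ($iisAuth -contains "Ntlm")
            NamespaceOnIisCert = ($certNames -contains $Namespace)
        }
    }
    return $report
}

# MAPI over HTTP is an organization-wide switch; the author's closing comment found it
# to be the cause in this mixed environment, so it is worth reporting alongside the rest.
$mapiHttp = (Get-OrganizationConfig).MapiHttpEnabled

$results = Test-CoexistenceConfig -Namespace $Namespace -ExpectedScp $expectedScp
$results | Format-Table -AutoSize
"MapiHttpEnabled (organization-wide): $mapiHttp"

# Flag the inconsistencies a coexistence problem usually comes down to.
$results |
    Where-Object { -not $_.ScpMatches -or -not $_.NtlmOffered -or -not $_.NamespaceOnIisCert } |
    ForEach-Object {
        Write-Warning "Review $($_.Server): SCP ok=$($_.ScpMatches) NTLM offered=$($_.NtlmOffered) namespace on IIS cert=$($_.NamespaceOnIisCert)"
    }
```

Run it once on each side of the migration; a server whose ScpMatches, NtlmOffered or NamespaceOnIisCert column is False is the one to look at first, and the MapiHttpEnabled line tells you up front whether the org-wide setting from the closing comment is on.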
Accepted Solution by: Todd Nelson (earned 250 total points)
Keep it simple.  In a small organization with Exchange in one AD site, you will (should) use the unbound namespace model with DNS records essentially using one FQDN, no matter how many servers there are.

I don't think I've needed to (or have used) an SRV record after Outlook 2013 and Exchange 2013 came out.  I just don't think it is valid or necessary any more.  I'm not stating that an SRV record is totally useless, because it is more or less a helper for Outlook clients if the autodiscover record is not configured, or functioning, properly.

In my opinion, in a small organization, the internal and external URLs should be configured with the same FQDN.  For example, if your OWA is https://mail.mydomain.com/owa and you only have a single name SSL cert, then use the FQDN (mail.mydomain.com) for all of your virtual directories, OA and the autodiscover SCP.

Use Paul Cunningham's script to set your URLs (see ExchangeServerPro reference below).

Once the new server has been configured, you essentially just need to point your firewall NATs for 25, 80, 443, 587 to the new server, and change IP address of the internal DNS A record for OWA to point to the new server.

This might sound like a bit more information than you want but it is important to set a consistent foundation for Exchange to function properly and provide users with a consistent experience.

In my opinion, this is what DNS should look like...

PUBLIC DNS
  • OWA (A Record) points to public IP address of firewall ... mail.mydomain.com >> x.x.x.x
  • Autodiscover (CNAME Record) points to OWA FQDN ... autodiscover.mydomain.com >> mail.mydomain.com
  • Autodiscover (SRV Record) points to OWA FQDN ... _autodiscover._tcp.mydomain.com >> mail.mydomain.com

INTERNAL DNS
  • OWA (A Record) points to internal IP address of new (or primary) Exchange server ... mail.mydomain.com >> x.x.x.x
  • Autodiscover (CNAME Record) points to OWA FQDN ... autodiscover.mydomain.com >> mail.mydomain.com
  • Autodiscover (SRV Record) points to OWA FQDN ... _autodiscover._tcp.mydomain.com >> mail.mydomain.com

Hope this helps.

References...
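The following is an added example for this thread, written to illustrate the single-FQDN layout Todd describes; it is neither Paul Cunningham's script nor anything posted in the thread. It assumes an Exchange Management Shell on the target server, uses the placeholder names from the accepted solution (mail.mydomain.com, mydomain.com), and treats 8.8.8.8 as a stand-in for any public resolver. By default it only shows what it would change (-WhatIf); pass -Apply to commit. The second half resolves the A, CNAME and SRV records from both the internal and a public resolver so the split-brain view can be compared against the layout above.

```powershell
# Added example for this thread (not from the thread, not Paul Cunningham's script):
# set every client access URL on one server to a single namespace, then verify the
# DNS records the accepted solution lists. Names are placeholders; review -WhatIf
# output before running with -Apply.
param(
    [Parameter(Mandatory)][string]$Server,          # NetBIOS name of the Exchange server
    [string]$Namespace = "mail.mydomain.com",      # single-name certificate subject (placeholder)
    [string]$Domain    = "mydomain.com",           # placeholder domain
    [switch]$Apply                                  # without -Apply, only show what would change
)

$base  = "https://$Namespace"
$extra = @{}
if (-not $Apply) { $extra["WhatIf"] = $true }

# Same internal and external URL for each virtual directory (unbound namespace model).
Get-OwaVirtualDirectory         -Server $Server | Set-OwaVirtualDirectory         -InternalUrl "$base/owa" -ExternalUrl "$base/owa" @extra
Get-EcpVirtualDirectory         -Server $Server | Set-EcpVirtualDirectory         -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp" @extra
Get-OabVirtualDirectory         -Server $Server | Set-OabVirtualDirectory         -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB" @extra
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx" @extra
Get-ActiveSyncVirtualDirectory  -Server $Server | Set-ActiveSyncVirtualDirectory  -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync" @extra
Get-MapiVirtualDirectory        -Server $Server | Set-MapiVirtualDirectory        -InternalUrl "$base/mapi" -ExternalUrl "$base/mapi" @extra

# Outlook Anywhere host names and the autodiscover SCP use the same name as well.
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere -InternalHostname $Namespace -ExternalHostname $Namespace `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true @extra

$scpUri = "$base/autodiscover/autodiscover.xml"
$ver    = (Get-ExchangeServer -Identity $Server).AdminDisplayVersion
if ($ver.Major -eq 15 -and $ver.Minor -ge 1) {
    Set-ClientAccessService -Identity $Server -AutoDiscoverServiceInternalUri $scpUri @extra   # Exchange 2016
} else {
    Set-ClientAccessServer  -Identity $Server -AutoDiscoverServiceInternalUri $scpUri @extra   # Exchange 2013
}

# DNS check: A record for the namespace, CNAME and SRV for autodiscover, resolved
# through a chosen resolver so the internal and public (split-brain) views can be compared.
function Test-AutodiscoverDns {
    param([string]$Namespace, [string]$Domain, [string]$DnsServer)
    $dnsArgs = @{ ErrorAction = "SilentlyContinue" }
    if ($DnsServer) { $dnsArgs["Server"] = $DnsServer }

    $a     = Resolve-DnsName -Name $Namespace                   -Type A     @dnsArgs | Where-Object { $_.Type -eq "A" }
    $cname = Resolve-DnsName -Name "autodiscover.$Domain"       -Type CNAME @dnsArgs | Where-Object { $_.Type -eq "CNAME" }
    $srv   = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV   @dnsArgs | Where-Object { $_.Type -eq "SRV" }

    [pscustomobject]@{
        Resolver     = if ($DnsServer) { $DnsServer } else { "system default" }
        NamespaceIPs = ($a.IPAddress -join ",")
        CnameTarget  = "$($cname.NameHost)"
        CnameOk      = ("$($cname.NameHost)".TrimEnd(".") -ieq $Namespace)
        SrvTarget    = "$($srv.NameTarget)"
        SrvPort      = "$($srv.Port)"
        SrvOk        = ("$($srv.NameTarget)".TrimEnd(".") -ieq $Namespace -and "$($srv.Port)" -eq "443")
    }
}

Test-AutodiscoverDns -Namespace $Namespace -Domain $Domain                    # internal view
Test-AutodiscoverDns -Namespace $Namespace -Domain $Domain -DnsServer 8.8.8.8 # public view (placeholder resolver)
```

The NamespaceIPs column is expected to differ between the two rows (internal address of the Exchange server versus the firewall's public address); CnameOk and SrvOk should be True in both, since both views point autodiscover at the same FQDN.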
Author Closing Comment by: Ralph Scharping
Cause of mayhem was:  MAPI over HTTPS was enabled on the 2016 box.  I did that, not thinking much, expecting that I was going to try it out.  Apparently this is frowned upon in a mixed environment.  As soon as I deactivated that, all was well again.
I did, however, set the virtual directories the way you guys recommended and I will come back to that when I do my next migration.

Thanks!