Solved

Exchange 2013+6:  Where to point autodiscover?

Posted on 2016-09-20
Last Modified: 2016-09-21
Hi,

this time I'm not struggling with a client, but with my own setup.  We are running about 10 mailboxes off a 2013 Exchange server.  It has an external name and a single domain certificate.  Access is configured using split-brain DNS configuration.  External autodiscover uses the SRV method.  All is well.

Even though I have migrated several Exchange 2010 to 2016, I have never migrated one from 2013.
I set up the new box, added it to the domain, installed Exchange 2016 and gave it a different external name, added that to the DNS also in split-brain configuration.

I migrated several boxes, all was well.  No changes were made to the configuration of the old server.  OWA works on both servers just fine.

Outlook cannot access either machine anymore.  That's not completely right - it works off our RDP server using Outlook 2013 with exchange proxy values manually added.  I am getting several certificate errors on the local physical machine name, even though this has never been the case in the past.  Outlook freezes if it connects at all.  New profiles don't find their way to the 2016 server using Outlook 2016 - the message says it could not log on to the server because the database is down (which it is not).  Smart phones work fine.

My question is this:
Where do I point the autodiscover SRV-record?  To the first or to the second server or does that not matter?
Where do I point the autodiscoverinternaluri-value?  Each server to itself?  That's the way I did it right now.

I can't find anything wrong and the logs are fine.  What can I do?  I hesitate to just migrate the remaining boxes and uninstall 2013 - I want to understand what is happening...

Thanks,
Ralph
0
Comment
Question by:Ralph Scharping
10 Comments
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 125 total points
ID: 41807595
It's recommended that you point your SRV record to the highest version Exchange server in your environment. If mailboxes exist on the 2013 server, 2016 is able to proxy or redirect users to their mailboxes with ease. The autodiscoverinternaluri should usually be the same value for all servers in your setup. Preferably the 2016 server.

In addition, make sure the virtual directory internal and external URLs are set properly as well. The Virtual Directory URLs should point to the server that is hosting the Virtual Directory, using a name that exists on the certificate.
1
 
LVL 16

Expert Comment

by:Ivan
ID: 41807598
Hi,

Outlook clients running on domain joined computers are going to use the autodiscover SCP record before any DNS. Outlook 2016 is using autodiscover to configure the account, and setting up multiple different values doesn't sound like a good idea.

I would point autodiscoverinternaluri to Exchange 2016, as well as port 443 from the internet, just like in a 2010 migration. Let the new Exchange then decide what to do with the traffic.

Regards,
Ivan.
0
 
LVL 2

Author Comment

by:Ralph Scharping
ID: 41807618
So you are saying point the external SRV record to the 2016 server.

Also the autodiscoverinternaluri should point to the 2016 server.  For the 2016 itself this is easy. On the 2013 box, the name of the destination URL on the 2016 server will not be included in the certificate on the 2013 server.  Is that a problem?

Where can I edit the autodiscover SCP settings?
0
 
LVL 16

Expert Comment

by:Ivan
ID: 41807632
Hi,

for Exchange 2016, to see autodiscover SCP:
[PS] C:\>Get-ClientAccessService | Select AutodiscoverServiceInternalUri
To reconfigure it:
[PS] C:\>Set-ClientAccessService -Identity 2016server -AutodiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"

for Exchange 2013, to see autodiscover SCP:
[PS] C:\>Get-ClientAccessServer | Select AutodiscoverServiceInternalUri
To reconfigure it:
[PS] C:\>Set-ClientAccessServer -Identity 2013server -AutodiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"

Identity is NetBIOS, not FQDN.

PS: I would configure all services on Exchange 2016 to use the same name as on Exchange 2013. Then you can simply redirect the DNS record to point to 2016 instead of 2013.

Regards,
Ivan.
0
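The two Get/Set commands above tell you what each server's SCP says, but not whether the host name in that URI is actually on a certificate bound to IIS on that server, which is the concern Ralph raises about the 2013 box. The script below is an added example, not code from this thread: it reads the SCP from each server (using the 2016 cmdlet on 15.1 and the 2013 cmdlet on 15.0), pulls the host name out of the URI, and checks it against the CertificateDomains of every certificate with the IIS service enabled on that server, including wildcard entries. The server names EX2013 and EX2016 are assumed placeholders; run it from the Exchange Management Shell.

```powershell
# Added example (not from this thread). Assumed server names; replace with the
# NetBIOS names shown by Get-ExchangeServer. Run in the Exchange Management Shell.
$servers = @('EX2013', 'EX2016')

function Test-NameOnCertificate {
    # Returns $true if $HostName is covered by one of the certificate's names.
    # A wildcard entry (*.domain.com) covers exactly one label to its left.
    param([string]$HostName, [string[]]$CertDomains)
    $h = $HostName.ToLowerInvariant()
    foreach ($d in $CertDomains) {
        $d = $d.ToLowerInvariant()
        if ($d -eq $h) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                      # ".domain.com"
            if ($h.EndsWith($suffix)) {
                $left = $h.Substring(0, $h.Length - $suffix.Length)
                if ($left -ne '' -and $left -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

foreach ($name in $servers) {
    $srv = Get-ExchangeServer -Identity $name
    # Exchange 2016 (15.1) exposes the SCP via Get-ClientAccessService;
    # Exchange 2013 (15.0) still uses Get-ClientAccessServer.
    if ($srv.AdminDisplayVersion.Major -eq 15 -and $srv.AdminDisplayVersion.Minor -ge 1) {
        $scp = Get-ClientAccessService -Identity $name
    } else {
        $scp = Get-ClientAccessServer -Identity $name
    }
    $uri = [uri]"$($scp.AutoDiscoverServiceInternalUri)"

    # Only certificates actually bound to IIS matter for Outlook's HTTPS checks.
    $iisCerts = Get-ExchangeCertificate -Server $name |
                Where-Object { "$($_.Services)" -match 'IIS' }
    $covered = $false
    foreach ($c in $iisCerts) {
        if (Test-NameOnCertificate -HostName $uri.Host -CertDomains @($c.CertificateDomains)) {
            $covered = $true
        }
    }

    [pscustomobject]@{
        Server        = $name
        Version       = "$($srv.AdminDisplayVersion)"
        ScpUri        = "$uri"
        ScpHost       = $uri.Host
        IisCertNames  = (($iisCerts | ForEach-Object { $_.CertificateDomains }) -join ',')
        HostOnIisCert = $covered
    }
}
```

A row with HostOnIisCert = False is a server whose SCP sends domain-joined Outlook to a name it cannot validate against that server's certificate, which is the situation that produces certificate prompts and, with Outlook 2016, failed profile creation. Fix it either by putting the shared name on that server's certificate or by pointing the SCP at a name both servers can present.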
 
LVL 2

Author Comment

by:Ralph Scharping
ID: 41807638
Hi Ivan,

okay, yes, I got that.  I was just unfamiliar with the term SCP.  Thanks.
Before I asked this, I pointed the autodiscover-record on each server to itself.  I just changed that.  Will wait a little while and try again.

Thanks,
Ralph
0
 
LVL 2

Author Comment

by:Ralph Scharping
ID: 41807655
No success so far.
When trying to access Exchange using Outlook with an existing profile, I keep getting the authentication dialogue, but the password is not accepted even when the username is entered in the domain\user syntax.
When I create a new profile, it finds the users name and mail address right away, then again prompts for credentials but is never satisfied.

Never had that before...
0
 
LVL 2

Author Comment

by:Ralph Scharping
ID: 41807682
What do I do with the other virtual directories?  For OWA surely each server must point to itself?  But what about the others?
0
 
LVL 16

Assisted Solution

by:Ivan
Ivan earned 125 total points
ID: 41807713
Hi,

how did you configure Outlook Anywhere on both servers, what security settings? Is it using NTLM or Basic? It should be configured to support NTLM authentication, so if it is set for Basic, configure it with Basic+NTLM

Run this command, and let's see how both are configured.

[PS] C:\>Get-ExchangeServer | Where {$_.AdminDisplayVersion -like "*15.*" -and $_.IsClientAccessServer} | Get-OutlookAnywhere | fl servername,*auth*
0
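The one-liner above shows the authentication settings; the script below is an added example, not Ivan's code or anything from this thread, that turns the same query into a report and, only when run with -Fix, adds Ntlm to the IIS authentication methods on any server that currently offers Basic alone. It assumes the Exchange Management Shell and the same version filter as the command above.

```powershell
# Added example (not from this thread). Report Outlook Anywhere authentication
# on every Exchange 2013/2016 server; with -Fix, add NTLM where it is missing.
param([switch]$Fix)

$oa = Get-ExchangeServer |
      Where-Object { $_.AdminDisplayVersion.Major -eq 15 -and $_.IsClientAccessServer } |
      Get-OutlookAnywhere

foreach ($o in $oa) {
    # IISAuthenticationMethods is a list; render it as strings before testing.
    $methods = @($o.IISAuthenticationMethods | ForEach-Object { "$_" })
    $hasNtlm = $methods -contains 'Ntlm'

    [pscustomobject]@{
        Server      = $o.ServerName
        InternalCli = "$($o.InternalClientAuthenticationMethod)"
        ExternalCli = "$($o.ExternalClientAuthenticationMethod)"
        IisMethods  = ($methods -join ',')
        NtlmPresent = $hasNtlm
    }

    if (-not $hasNtlm -and $Fix) {
        # Keep Basic so non-domain clients still work; add NTLM so domain-joined
        # Outlook can authenticate instead of looping on the credential prompt.
        Set-OutlookAnywhere -Identity $o.Identity -IISAuthenticationMethods Basic,Ntlm -Confirm:$false
        Write-Host "Added Ntlm to IIS authentication on $($o.ServerName)"
    }
}
```

Run it once without -Fix to compare the two servers side by side; a mismatch in IisMethods between the 2013 and 2016 entries is the first thing to look at when an existing profile suddenly starts asking for credentials.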
 
LVL 14

Accepted Solution

by:
Todd Nelson earned 250 total points
ID: 41807823
Keep it simple.  In a small organization with Exchange in one AD site, you will (should) use the unbound namespace model with DNS records essentially using one FQDN--no matter how many servers there are.

I don't think I've needed to (or have used) an SRV record after Outlook 2013 and Exchange 2013 came out.  I just don't think it is valid or necessary any more.  I'm not stating that an SRV record is totally useless, because it is more or less a helper for Outlook clients if the autodiscover record is not configured, or functioning, properly.

In my opinion, in a small organization, the internal and external URLs should be configured with the same FQDN.  For example, if your OWA is https://mail.mydomain.com/owa and you only have a single name SSL cert, then use the FQDN (mail.mydomain.com) for all of your virtual directories, OA and the autodiscover SCP.

Use Paul Cunningham's script to set your URLs (see ExchangeServerPro reference below).

Once the new server has been configured, you essentially just need to point your firewall NATs for 25, 80, 443, 587 to the new server, and change IP address of the internal DNS A record for OWA to point to the new server.

This might sound like a bit more information than you want but it is important to set a consistent foundation for Exchange to function properly and provide users with a consistent experience.

In my opinion, this is what DNS should look like...

PUBLIC DNS
  • OWA (A Record) points to public IP address of firewall ... mail.mydomain.com >> x.x.x.x
  • Autodiscover (CNAME Record) points to OWA FQDN ... autodiscover.mydomain.com >> mail.mydomain.com
  • Autodiscover (SRV Record) points to OWA FQDN ... _autodiscover._tcp.mydomain.com >> mail.mydomain.com

INTERNAL DNS
  • OWA (A Record) points to internal IP address of new (or primary) Exchange server ... mail.mydomain.com >> x.x.x.x
  • Autodiscover (CNAME Record) points to OWA FQDN ... autodiscover.mydomain.com >> mail.mydomain.com
  • Autodiscover (SRV Record) points to OWA FQDN ... _autodiscover._tcp.mydomain.com >> mail.mydomain.com

Hope this helps.

References...
0
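The unbound-namespace model Todd describes comes down to two things: every client-facing URL on every server carries the same FQDN, and the DNS records for that FQDN, the autodiscover CNAME and the SRV record all resolve to it. The script below is an added example written for this thread; it is not Paul Cunningham's script and not part of the original post. It reports each virtual directory on one server against the target namespace, applies the target only when run with -Apply, and then resolves the three records from the public and internal DNS layouts listed above so you can see which view of the split-brain zone you are getting from the machine you run it on. EX2016 and mail.mydomain.com are assumed placeholders.

```powershell
# Added example (not from this thread, not Paul Cunningham's script).
# One FQDN for every URL on one server, then DNS verification.
param(
    [string]$Server    = 'EX2016',            # assumed NetBIOS name
    [string]$Namespace = 'mail.mydomain.com', # the single name on the certificate
    [switch]$Apply                            # without -Apply: report only
)

$base = "https://$Namespace"
# Each entry: the Get/Set cmdlet pair and the path the URL must end with.
$targets = @(
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Path = '/owa' },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Path = '/ecp' },
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Path = '/EWS/Exchange.asmx' },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Path = '/OAB' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Path = '/Microsoft-Server-ActiveSync' },
    @{ Get = 'Get-MapiVirtualDirectory';        Set = 'Set-MapiVirtualDirectory';        Path = '/mapi' }
)

foreach ($t in $targets) {
    $vdir = & $t.Get -Server $Server
    $want = "$base$($t.Path)"
    $ok   = ("$($vdir.InternalUrl)" -eq $want) -and ("$($vdir.ExternalUrl)" -eq $want)
    [pscustomobject]@{
        VDir        = $t.Path
        InternalUrl = "$($vdir.InternalUrl)"
        ExternalUrl = "$($vdir.ExternalUrl)"
        Consistent  = $ok
    }
    if (-not $ok -and $Apply) {
        & $t.Set -Identity $vdir.Identity -InternalUrl $want -ExternalUrl $want
    }
}

if ($Apply) {
    # Outlook Anywhere host names and the Autodiscover SCP use the same FQDN.
    Get-OutlookAnywhere -Server $Server |
        Set-OutlookAnywhere -InternalHostname $Namespace -ExternalHostname $Namespace `
                            -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
    # Set-ClientAccessServer still works on 2016 (with a deprecation warning).
    Set-ClientAccessServer -Identity $Server `
        -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
}

# Org-wide MAPI/HTTP switch, reported only: the closing comment in this thread
# found it enabled on the 2016 side in a mixed 2013/2016 environment.
[pscustomobject]@{ Setting = 'MapiHttpEnabled'; Value = (Get-OrganizationConfig).MapiHttpEnabled }

# DNS check of the layout in the post. Resolves from this machine, so run once
# inside and once outside the network to see both halves of the split-brain zone.
$zone = $Namespace.Substring($Namespace.IndexOf('.') + 1)
Resolve-DnsName -Name $Namespace -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress
Resolve-DnsName -Name "autodiscover.$zone" -Type CNAME -ErrorAction SilentlyContinue |
    Select-Object Name, Type, NameHost
Resolve-DnsName -Name "_autodiscover._tcp.$zone" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object Name, Type, NameTarget, Port
```

Run it against each server in turn; the Consistent column should be True on every row for both the 2013 and the 2016 box before you move the internal A record and the firewall NATs, and the CNAME's NameHost and the SRV's NameTarget should both come back as the namespace itself.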
 
LVL 2

Author Closing Comment

by:Ralph Scharping
ID: 41809409
Cause of mayhem was:  MAPI over HTTPS was enabled on the 2016 box.  I did that, not thinking much, expecting that I was going to try it out.  Apparently this is frowned upon in a mixed environment.  As soon as I deactivated that, all was well again.
I did, however, set the virtual directories the way you guys recommended and I will come back to that when I do my next migration.

Thanks!
0
