Exchange AutoDiscover Errors – Creating an AutoDiscover SRV Record

KB ID 0001184

Problem

Ages ago I wrote the following article;

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

You used to see this error a lot when your internal and external domain names were different and the ‘public’ domain name was on the certificate; in those cases I’d also set up split DNS like so;

Windows – Setting Up Split DNS

But you can simply create a DNS SRV record that your clients will use for Autodiscover.

Solution

Note: Before proceeding MAKE SURE you DON’T have an A record in your domain for “autodiscover.{your-domain}”, or a CNAME record for autodiscover that points back to your Exchange server. We want an SRV record ONLY.

Within your domain DNS, create a new ‘Other‘ record.

SRV record Autodiscover

Choose service location (SRV) > Create Record.

SRV Record Exchange Autodiscover

Your domain name will be entered automatically, set the following;

  • Service: _autodiscover
  • Protocol: _tcp
  • Port number: 443
  • Host offering this service: {The FQDN of your CAS/Exchange server}.

SRV Record Fix Autodiscover Errors

You will need to expand the _tcp folder to see the record.

SRV Record _Autodiscover

I Use Split DNS?

No problem: in your internal DNS, in the forward lookup zone that matches your public address space, create an SRV record as well. When you are finished (if you have set it up properly), you will see a _tcp sub folder appear below the forward lookup zone.

What About My Public DNS Settings?

Exactly the same! Remove any A or CNAME records, and create an SRV record; how you do this varies from DNS host to DNS host. Some oddities I’ve found;

  • Some public DNS vendors won’t let you set a priority of ‘0’ (zero) on an SRV record; just use 1 (unless you have multiple ones!)
  • Some public DNS vendors’ SRV records don’t work unless you put a ‘full stop’ at the end of the domain name. (In fact all domain names have a full stop at the end of them; it’s just that you can’t normally see it!)

As an example, here’s me creating an SRV record on my DNS hosting provider (Vidahost)

So when it’s created it will look like this;

I’ve got Multiple Public E-Mail Domain names running from the same Server?

Again, not a problem: for each domain, delete the A and CNAME records for autodiscover. Then point your SRV record to the DNS name that is actually presented by the Exchange server (even if that’s with another DNS vendor).

Why Does This work?

Well I’m glad you asked! When Outlook looks for Autodiscover, the first thing it does is look for the Autodiscover SCP (service connection point) in your Active Directory. You can see this in ‘AD Sites and Services’ (you need to enable the Services node from the View options before you can see it).

SCP Autodiscover Domain Sites and Services

If it can’t get a response from there, it takes your domain name and tries the following locations;

https://{domain-name}/autodiscover/autodiscover.{file-extension}
AND
https://autodiscover.{domain-name}/autodiscover/autodiscover.{file-extension}

Note: The file extension is usually .xml but it can be .svc

If it STILL can’t get a response it tries the following;

http://autodiscover.{domain-name}/autodiscover/autodiscover.xml

Note: If you are wondering what the difference is, that’s on port 80, not port 443.

If it STILL can’t get an answer, then it looks for the SRV record in DNS that you created above.

How To Test the AutoDiscover SRV Record

It’s a DNS record, so we can query it with nslookup to make sure it’s OK.

nslookup -q=srv _autodiscover._tcp.{domain-name}
OR

nslookup
set q=srv (or you can use SET TYPE=SRV)
_autodiscover._tcp.{domain-name}

Like this;

Testing  SRV Record _Autodiscover

Or if you use macOS or Linux;

Why Do I Have to Remove My A and CNAME Records for Autodiscover?

If they exist they will get used before the SRV record. You may think that’s fine, but it may lead to all sorts of horrible Outlook setups and errors about certificate names.
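As an added example (not part of the original article), this PowerShell script performs the checks from the testing section and the section above in one go: it warns if an A or CNAME record for autodiscover.{domain} still exists, reads the _autodiscover._tcp SRV record, and confirms that the SRV target resolves directly to an address. It assumes the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Server 2012 and later); the domain and optional DNS server are parameters you supply.

```powershell
# Added example, not the article's own code. Assumes Resolve-DnsName (DnsClient module).
# Usage: .\Test-AutodiscoverSrv.ps1 -Domain example.com [-Server 8.8.8.8]
param(
    [Parameter(Mandatory = $true)][string]$Domain,
    [string]$Server   # optional: query a specific resolver, e.g. a public one for your external zone
)

$extra = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
if ($Server) { $extra['Server'] = $Server }

$autodiscoverHost = "autodiscover.$Domain"
$srvName          = "_autodiscover._tcp.$Domain"

# 1. An A or CNAME record for autodiscover.<domain> is used BEFORE the SRV record,
#    so in the SRV-only setup its presence is a misconfiguration.
$aOrCname = Resolve-DnsName -Name $autodiscoverHost -Type A @extra |
    Where-Object { ($_.Type -in @('A', 'CNAME')) -and ($_.Name -eq $autodiscoverHost) }
if ($aOrCname) {
    Write-Warning "$autodiscoverHost still has A/CNAME records; Outlook will try https://$autodiscoverHost first:"
    foreach ($rec in $aOrCname) {
        $value = if ($rec.Type -eq 'CNAME') { $rec.NameHost } else { $rec.IPAddress }
        Write-Warning ("  {0} {1} -> {2}" -f $rec.Name, $rec.Type, $value)
    }
} else {
    Write-Host "OK: no A/CNAME record for $autodiscoverHost"
}

# 2. The SRV record itself: Service _autodiscover, Protocol _tcp, Port 443.
$srv = Resolve-DnsName -Name $srvName -Type SRV @extra | Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { Write-Warning "No SRV record found for $srvName"; return }

foreach ($r in $srv) {
    $status = if ($r.Port -eq 443) { 'OK' } else { "WARNING: port $($r.Port), expected 443" }
    Write-Host ("SRV -> {0}:{1} (priority {2}, weight {3}) {4}" -f $r.NameTarget, $r.Port, $r.Priority, $r.Weight, $status)

    # 3. The target should be the name on the Exchange certificate and should resolve
    #    directly to an address (RFC 2782: an SRV target must not be an alias/CNAME).
    $target = Resolve-DnsName -Name $r.NameTarget -Type A @extra
    if ($target | Where-Object { $_.Type -eq 'CNAME' }) {
        Write-Warning "  target $($r.NameTarget) is a CNAME; point the SRV at the real host name"
    } elseif (-not ($target | Where-Object { $_.Type -eq 'A' })) {
        Write-Warning "  target $($r.NameTarget) does not resolve to an A record"
    } else {
        Write-Host "  target resolves to $(($target | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')"
    }
    Write-Host "  Outlook will use https://$($r.NameTarget):$($r.Port)/autodiscover/autodiscover.xml"
}
```

Run it once against your internal DNS and once with -Server pointing at a public resolver, so both the split-DNS zone and the public zone are checked.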

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

Related Articles, References, Credits, or External Links

Outlook – Constantly Prompts for a Password

Original article written: 12/05/16

Author: PeteLong


4 Comments

  1. Do I have to create a record for my mail servers? I have two mail servers in DAG. They are CAS and MBX servers.

    • No, the autodiscover URL for an Exchange org is probably the same for both?


      Get-AutodiscoverVirtualDirectory -Server SERVERNAME-1
      Get-AutodiscoverVirtualDirectory -Server SERVERNAME-2

      Will tell you 🙂

  2. Hi Pete – I followed the above and made a brand new fresh mailbox user – test.autodiscover1.

    I logged in as test.autodiscover1 on a domain PC. I opened Outlook and it immediately found the account – test.autodiscover1@example.com.

    I clicked through and it immediately took me to the ‘choose your server’ page (O365, Exch 2010-13, Exchange, IMAP etc)… it didn’t automatically detect Exchange 2016. If I clicked Exchange 2016, it goes through fine (sometimes asks for a password, but Kerberos is another thing here).

    If I saw the page with all the server options, I presume autodiscover is not working?

    If I manually open the autodiscover URL, I enter test.autodiscover1’s password (again, Kerberos for another day) but I get the following below.

    Thanks!
    Andrew

    This XML file does not appear to have any style information associated with it. The document tree is shown below.

    600
    Invalid Request

    • – trusted CA signed autodiscover.example.com in the domain
      – port 443 works fine
      – no a/cname records
      – nslookup for the srv record is fine
      – priority 10/weight 5 for the srv (contrary to your article; I read 10/5 somewhere else a few months back)
