Exchange AutoDiscover Errors – Creating an AutoDiscover SRV Record


KB ID 0001184 Dtd 12/05/16

Problem

Ages ago I wrote the following article;

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

You used to see this error a lot if your internal and external domain names were different and the 'public' domain name was on the certificate. In those cases I'd also set up split DNS, like so;

Windows – Setting Up Split DNS

But you can simply create a DNS SRV record that your clients will use for Autodiscover.

Solution

Note: Before proceeding, MAKE SURE you DON'T have an A record in your domain for "autodiscover.{your-domain}", or a CNAME record for autodiscover that points back to your Exchange. We want an SRV record ONLY.

Within your domain DNS, create a new 'Other' record.


Choose service location (SRV) > Create Record.


Your domain name will be entered automatically, set the following;

  • Service: _autodiscover
  • Protocol: _tcp
  • Port number: 443
  • Host offering this service: {The FQDN of your CAS/Exchange server}.


You will need to expand the _tcp folder to see the record.


I Use Split DNS?

No problem. In your internal DNS, in the forward lookup zone that matches your public address space, create an SRV record as well. When you are finished (if you have set it up properly), you will see a _tcp subfolder appear below the forward lookup zone.

What About My Public DNS Settings?

Exactly the same! Remove any A or CNAME records, and create an SRV record. How you do this varies from DNS host to DNS host. Some oddities I've found;

  • Some public DNS vendors won't let you set a priority of '0' (zero) on an SRV record; just use 1 (unless you have multiple ones!)
  • Some public DNS vendors' SRV records don't work unless you put a 'full stop' at the end of the domain name. (In fact all domain names have a full stop at the end of them, it's just you can't normally see them!)

I've got Multiple Public E-Mail Domain names running from the same Server?

Again not a problem. For each domain, delete the A and CNAME records for autodiscover, then point your SRV record to the DNS name that is actually presented by the Exchange server (even if that's with another DNS vendor).

Why Does This work?

Well I'm glad you asked! When Outlook looks for Autodiscover, the first thing it does is look for the Autodiscover SCP (Service Connection Point) in your Active Directory. You can see this in 'AD Sites and Services' (you need to add in the Services node from the view options before you can see it).


If it can't get a response from there, it takes your domain name and tries the following locations;

https://{domain-name}/autodiscover/autodiscover.fileExtension
AND
https://autodiscover.{domain-name}/autodiscover/autodiscover.fileExtension

Note: The file extension is usually .xml but it can be .svc

If it STILL can't get a response, it tries the following;

http://autodiscover.{domain-name}/autodiscover/autodiscover.xml

Note: If you are wondering what the difference is, that's on port 80, not port 443.

If it STILL can't get an answer, then it looks for the SRV record in DNS that you created above.

How To Test the AutoDiscover SRV Record

It's a DNS record, so we can query it with nslookup to make sure it's OK.

nslookup -q=srv _autodiscover._tcp.{domain-name}
OR

nslookup
set q=srv (or you can use SET TYPE=SRV)
_autodiscover._tcp.{domain-name}


Why Do I Have to Remove My A and CNAME Records for Autodiscover?

If they exist they will get used before the SRV record. You may think that's fine, but it may lead to all sorts of horrible Outlook setups and errors about certificate names.

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”
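
As an added example (not part of the original article), the Python check below audits the records for each e-mail domain against the rules above: no A or CNAME for autodiscover, an SRV record on port 443, and an SRV target that is a name on the Exchange certificate. Every domain name, host name and record in it is constructed for illustration, and the function names are hypothetical.

```python
# Added example. All names (contoso.example, fabrikam.example, mail.contoso.example)
# and records are constructed; a record is (owner, type, data).
def norm(name):
    """Lower-case and drop the trailing full stop so 'host.' and 'host' compare equal."""
    return name.rstrip(".").lower()

def cert_covers(host, cert_names):
    """True if host is on the certificate; '*.x' covers exactly one label under x."""
    host = norm(host)
    for name in map(norm, cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def audit(domain, records, cert_names):
    """Return findings for one e-mail domain; an empty list means SRV-only and consistent."""
    auto, srv_owner = f"autodiscover.{domain}", f"_autodiscover._tcp.{domain}"
    findings = []
    for owner, rtype, _ in records:
        if norm(owner) == auto and rtype in ("A", "CNAME"):
            findings.append(f"{rtype} record for {auto} is used before the SRV record")
    srvs = [data for owner, rtype, data in records
            if rtype == "SRV" and norm(owner) == srv_owner]
    if not srvs:
        findings.append(f"no SRV record at {srv_owner}")
    for _priority, _weight, port, target in srvs:
        if port != 443:
            findings.append(f"SRV port is {port}, expected 443")
        if not cert_covers(target, cert_names):
            findings.append(f"SRV target {norm(target)} is not a name on the certificate")
    return findings

CERT_NAMES = ["mail.contoso.example"]  # names on the Exchange certificate (constructed)
CONTOSO = [("_autodiscover._tcp.contoso.example.", "SRV", (0, 0, 443, "mail.contoso.example."))]
FABRIKAM = [
    ("autodiscover.fabrikam.example.", "CNAME", "mail.contoso.example."),  # leftover record
    ("_autodiscover._tcp.fabrikam.example.", "SRV", (1, 0, 443, "mail.fabrikam.example.")),
]

if __name__ == "__main__":
    for dom, zone in (("contoso.example", CONTOSO), ("fabrikam.example", FABRIKAM)):
        print(dom, audit(dom, zone, CERT_NAMES) or "OK")
```

The second domain fails twice: the leftover CNAME is answered before the SRV record is ever consulted, and its SRV target is a name the certificate does not carry, which is what produces the certificate-name warning in Outlook.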

Related Articles, References, Credits, or External Links

Outlook - Constantly Prompts for a Password

Author: PeteLong
