Exchange AutoDiscover Errors – Creating an AutoDiscover SRV Record

KB ID 0001184

Problem

Ages ago I wrote the following article;

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

You used to see this error a lot if your internal and external domain names were different and the ‘public’ domain name was on the certificate; in those cases I’d also set up split DNS like so;

Windows – Setting Up Split DNS

But you can simply create a DNS SRV record that your clients will use for Autodiscover.

Solution

Note: Before proceeding, MAKE SURE you DON’T have an A record in your domain for “autodiscover.{your-domain}”, or a CNAME record for autodiscover that points back to your Exchange server. We want an SRV record ONLY.

Within your domain DNS, create a new ‘Other’ record.

Choose service location (SRV) > Create Record.

Your domain name will be entered automatically, set the following;

  • Service: _autodiscover
  • Protocol: _tcp
  • Port number: 443
  • Host offering this service: {The FQDN of your CAS/Exchange server}.

You will need to expand the _tcp folder to see the record.

I Use Split DNS?

No problem: in your internal DNS, in the forward lookup zone that matches your public address space, create an SRV record as well. When you are finished (if you have set it up properly) you will see a _tcp sub folder appear below the forward lookup zone.
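The same record created from PowerShell on a Windows DNS server, as an added example that is not part of the original article. It uses the DnsServer module (RSAT) and assumes a constructed zone name “example.com” and Exchange/CAS name “mail.example.com”; it refuses to create the SRV record while an A or CNAME record for autodiscover still exists, and the same function covers the split DNS case by calling it once per zone.

```powershell
# Added example (not from the original article): create _autodiscover._tcp.<zone> on a
# Windows DNS server with the DnsServer module. Assumed values: zone "example.com" and
# Exchange/CAS FQDN "mail.example.com" (the name on the Exchange certificate).

#Requires -Modules DnsServer

function New-AutodiscoverSrvRecord {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,      # e.g. example.com
        [Parameter(Mandatory)] [string] $ExchangeFqdn,  # e.g. mail.example.com
        [int]    $Priority = 0,                         # some public DNS hosts refuse 0; use 1 there
        [int]    $Weight   = 0,
        [int]    $Port     = 443,
        [string] $ComputerName = $env:COMPUTERNAME      # DNS server to manage
    )

    # 1. Stop if autodiscover.<zone> already has an A or CNAME record:
    #    Outlook would use those before it ever asks for the SRV record.
    foreach ($type in 'A', 'CName') {
        $existing = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName `
            -Name 'autodiscover' -RRType $type -ErrorAction SilentlyContinue
        if ($existing) {
            throw "Zone $ZoneName already has an $type record for autodiscover; remove it first (Remove-DnsServerResourceRecord) and re-run."
        }
    }

    # 2. Create the SRV record. The dotted name '_autodiscover._tcp' places it under the
    #    _tcp folder you see in the DNS console.
    Add-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -Srv `
        -Name '_autodiscover._tcp' -DomainName $ExchangeFqdn `
        -Priority $Priority -Weight $Weight -Port $Port

    # 3. Read the record back so you can see exactly what was stored.
    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName `
        -Name '_autodiscover._tcp' -RRType Srv |
        Select-Object HostName,
            @{ n = 'Target';   e = { $_.RecordData.DomainName } },
            @{ n = 'Port';     e = { $_.RecordData.Port } },
            @{ n = 'Priority'; e = { $_.RecordData.Priority } }
}

# Domain zone (constructed names):
New-AutodiscoverSrvRecord -ZoneName 'example.com' -ExchangeFqdn 'mail.example.com'

# Split DNS: repeat for the internal copy of the public zone, if that is a separate zone
# on your internal DNS server, e.g.
# New-AutodiscoverSrvRecord -ZoneName 'example.com' -ExchangeFqdn 'mail.example.com' -ComputerName 'DC01'
```

The A/CNAME pre-check is deliberate: the cmdlet would happily add the SRV record alongside an existing autodiscover A record, and clients would then keep using the A record, which is exactly the situation the note above tells you to avoid.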

What About My Public DNS Settings?

Exactly the same! Remove any A or CNAME records and create an SRV record; how you do this varies from DNS host to DNS host. Some oddities I’ve found;

  • Some public DNS vendors won’t let you set a priority of ‘0’ (zero) on an SRV record; just use 1 (unless you have multiple ones!)
  • Some public DNS vendors’ SRV records don’t work unless you put a ‘full stop’ at the end of the domain name. (In fact all domain names have a full stop at the end of them; it’s just that you can’t normally see it!)

As an example, here’s me creating an SRV record on my DNS hosting provider (Vidahost)

So when it’s created it will look like this;

I’ve got Multiple Public E-Mail Domain names running from the same Server?

Again, not a problem: for each domain, delete the A and CNAME records for autodiscover, then point your SRV record to the DNS name that is actually presented by the Exchange server (even if that’s with another DNS vendor).

Why Does This Work?

Well, I’m glad you asked! When Outlook looks for Autodiscover, the first thing it does is look for the Autodiscover SCP (Service Connection Point) in your Active Directory. You can see this in ‘AD Sites and Services’ (you need to add the Services node from the View menu before you can see it).

If it can’t get a response from there, it takes your domain name and tries the following locations;

[box]

https://{domain-name}/autodiscover/autodiscover.{file-extension}
AND
https://autodiscover.{domain-name}/autodiscover/autodiscover.{file-extension}

[/box]

Note: The file extension is usually .xml, but it can be .svc

If it STILL can’t get a response it tries the following;

[box]

http://autodiscover.{domain-name}/autodiscover/autodiscover.xml

[/box]

Note: If you are wondering what the difference is, that one is on port 80, not port 443.

If it STILL can’t get an answer, then it looks for the SRV record in DNS that you created above.

How To Test the AutoDiscover SRV Record

It’s a DNS record, so we can query it with nslookup to make sure it’s OK.

[box]

nslookup -q=srv _autodiscover._tcp.{domain-name}
OR

nslookup
set q=srv (or you can use SET TYPE=SRV)
_autodiscover._tcp.{domain-name}

[/box]

Like this;

Or if you use macOS or Linux;
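An added check that goes a little further than the nslookup query above (example code, not from the original article): it looks up the SRV record with Resolve-DnsName, confirms that autodiscover.{domain-name} has no A or CNAME record left behind, and then opens a TLS connection to the SRV target to confirm the certificate it presents actually carries that name, which is what the “name of the security certificate is invalid” error is about. It assumes Windows PowerShell (Resolve-DnsName is Windows-only) and a constructed domain “example.com”; the -Server parameter lets you ask a public resolver to see what external clients get.

```powershell
# Added example (not from the original article): validate the Autodiscover SRV record
# the way a client will use it. Constructed domain: example.com.

function Get-TlsCertificateNames {
    # Connect to host:port, complete a TLS handshake and return the DNS names on the
    # presented certificate plus whether one of them covers $HostName.
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: this function only reads the names; chain trust is a separate check.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # SAN entries as PowerShell shows them
        $hits  = $names | Where-Object {
            $_ -eq $HostName -or
            ($_.StartsWith('*.') -and $HostName -like $_ -and
             ($HostName -split '\.').Count -eq ($_ -split '\.').Count)   # wildcard covers one label only
        }
        [pscustomobject]@{ Names = $names; Matches = [bool]$hits }
    } finally { $tcp.Close() }
}

function Test-AutodiscoverSrv {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. example.com
        [string] $Server                            # optional resolver to query, e.g. a public one
    )
    $dns = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }   # skip cache, LLMNR, NetBIOS
    if ($Server) { $dns['Server'] = $Server }
    $result = [ordered]@{ Domain = $Domain; Ok = $true; Findings = @() }

    # 1. Any A or CNAME for autodiscover.<domain> is used before the SRV record.
    $leftover = Resolve-DnsName -Name "autodiscover.$Domain" -Type A @dns |
                Where-Object { $_.Type -in 'A', 'CNAME' }
    if ($leftover) {
        $result.Ok = $false
        $result.Findings += "autodiscover.$Domain still has $(@($leftover.Type) -join '/') record(s); remove them"
    }

    # 2. The SRV record itself.
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV @dns |
           Where-Object Type -eq 'SRV'
    if (-not $srv) {
        $result.Ok = $false
        $result.Findings += "no SRV record found for _autodiscover._tcp.$Domain"
        return [pscustomobject]$result
    }

    foreach ($r in $srv) {
        $target = $r.NameTarget.TrimEnd('.')
        $result.Findings += "SRV -> $target port $($r.Port) priority $($r.Priority)"
        if ($r.Port -ne 443) {
            $result.Ok = $false
            $result.Findings += "port is $($r.Port); the record should point at 443"
        }
        # 3. Does the target present a certificate with its own name on it?
        $tls = Get-TlsCertificateNames -HostName $target -Port $r.Port
        if (-not $tls.Matches) {
            $result.Ok = $false
            $result.Findings += "certificate names ($($tls.Names -join ', ')) do not cover $target"
        }
    }
    [pscustomobject]$result
}

Test-AutodiscoverSrv -Domain 'example.com'                    # what internal clients see
Test-AutodiscoverSrv -Domain 'example.com' -Server '8.8.8.8'  # what external clients see
```

Running it against both your internal DNS and a public resolver is the quickest way to catch the split DNS case where one side still has the old A record.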

Why Do I Have to Remove My A and CNAME Records for Autodiscover?

If they exist they will get used before the SRV record. You may think that’s fine, but it may lead to all sorts of horrible Outlook setups and errors about certificate names.

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

Related Articles, References, Credits, or External Links

Outlook – Constantly Prompts for a Password

Original article written: 12/05/16

Windows – ‘The directory service has exhausted the pool of relative identifiers’

KB ID 0000797 

Problem

I got this error when attempting to bulk create users with CSVDE (see below). But you may simply see it when trying to create a user or other AD object.

Unwilling To Perform
The server side error is “The directory service has exhausted the pool of relative identifiers.”

Solution

Well, that is a scary-looking error! Firstly, make sure you can see all your FSMO role servers.

Locate your FSMO Role Servers

In my case, I tracked this down to an old DC that had been removed from the domain but was still referenced in DNS. Open your domain forward lookup zone, look in the _tcp container for any SRV references to old/removed domain controllers, and simply delete them.
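A way to do both of those checks from PowerShell, as an added example that is not part of the original article: it lists the FSMO role holders (including the RID master) and then walks every domain-controller locator SRV record (_ldap, _kerberos, _kpasswd, _gc) in the domain zone, reporting any whose target is not a domain controller that AD currently knows about. It assumes the DnsServer and ActiveDirectory RSAT modules and the current domain; nothing is deleted because the removal runs with -WhatIf.

```powershell
# Added example (not from the original article): find DC locator SRV records whose target
# is no longer a domain controller, and show the FSMO role holders. Assumes RSAT modules
# and the current AD domain; the _msdcs subtree can be checked by passing its zone name.

#Requires -Modules DnsServer, ActiveDirectory

function Show-FsmoRoleHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster            # the role that hands out RID pools
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Get-StaleDcSrvRecord {
    param(
        [string] $ZoneName  = (Get-ADDomain).DNSRoot,              # domain zone, e.g. example.local
        [string] $DnsServer = (Get-ADDomainController).HostName    # a DNS server hosting that zone
    )
    # Domain controllers AD itself currently knows about.
    $liveDcs = @((Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() })

    # Only DC locator services; other SRV records (e.g. _autodiscover) point at non-DCs by design.
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType Srv |
        Where-Object { $_.HostName -match '^_(ldap|kerberos|kpasswd|gc)\.' } |
        ForEach-Object {
            $target = $_.RecordData.DomainName.TrimEnd('.').ToLower()
            if ($liveDcs -notcontains $target) {
                [pscustomobject]@{
                    Record = "$($_.HostName).$ZoneName"
                    Target = $target
                    Port   = $_.RecordData.Port
                    Object = $_    # keep the record so it can be piped to Remove-DnsServerResourceRecord
                }
            }
        }
}

Show-FsmoRoleHolders

$zone      = (Get-ADDomain).DNSRoot
$dnsServer = (Get-ADDomainController).HostName
$stale     = @(Get-StaleDcSrvRecord -ZoneName $zone -DnsServer $dnsServer)
$stale | Format-Table Record, Target, Port

# Review the list first. -WhatIf only reports what would be removed; drop it to delete.
$stale | ForEach-Object {
    $_.Object | Remove-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -WhatIf
}
```

If your forest keeps _msdcs as its own zone, run Get-StaleDcSrvRecord a second time with -ZoneName set to that zone (for example “_msdcs.example.local”), since the _gc and _ldap.dc records live there.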

Related Articles, References, Credits, or External Links

NA