KB ID 0001184
Problem
Ages ago I wrote the following article;
You used to see this error a lot if your internal and external domain names were different and the ‘public’ domain name was on the certificate. In those cases I’d also set up split DNS like so;
Windows – Setting Up Split DNS
But you can simply create a DNS SRV record that your clients will use for Autodiscover.
Solution
Note: Before proceeding MAKE SURE you DON’T have an A record in your domain for “autodiscover.{your-domain}”, or a CNAME record for autodiscover that points back to your Exchange. We want an SRV record ONLY.
Within your domain DNS, create a new ‘Other‘ record.
Choose service location (SRV) > Create Record.
Your domain name will be entered automatically, set the following;
- Service: _autodiscover
- Protocol: _tcp
- Port number: 443
- Host offering this service: {The FQDN of your CAS/Exchange server}.
You will need to expand the _tcp folder to see the record.
I Use Split DNS?
No problem. In your internal DNS, in the forward lookup zone that matches your public address space, create an SRV record as well. When you are finished (if you have set it up properly), you will see a _tcp subfolder appear below the forward lookup zone.
What About My Public DNS Settings?
Exactly the same! Remove any A or CNAME records and create an SRV record. How you do this varies from DNS host to DNS host. Some oddities I’ve found;
- Some public DNS vendors won’t let you set a priority of ‘0’ (zero) on an SRV record, just use 1 (unless you have multiple ones!)
- Some public DNS vendors’ SRV records don’t work unless you put a ‘full stop’ at the end of the domain name. (In fact all domain names have a full stop at the end of them, it’s just that you can’t normally see it!)
As an example, here’s me creating an SRV record on my DNS hosting provider (Vidahost)
So when it’s created it will look like this;
I’ve got Multiple Public E-Mail Domain names running from the same Server?
Again, not a problem. For each domain, delete the A and CNAME records for autodiscover. Then point your SRV record to the DNS name that is actually presented by the Exchange server (even if that’s with another DNS vendor).
Why Does This work?
Well, I’m glad you asked! When Outlook looks for Autodiscover, the first thing it does is look for the Autodiscover SCP point in your Active Directory. You can see this in your ‘AD Sites and Services’ (you need to add in the Services node from the view options before you can see it).
If it can’t get a response from there, it takes your domain name and tries the following locations;
[box]
https://{domain-name}/autodiscover/autodiscover.{fileExtension}
AND
https://autodiscover.{domain-name}/autodiscover/autodiscover.{fileExtension}
[/box]
Note: The file extension is usually .xml but it can be .svc
If it STILL can’t get a response it tries the following;
[box]
http://autodiscover.{domain-name}/autodiscover/autodiscover.xml
[/box]
Note: If you are wondering what the difference is, that’s on port 80 not port 443.
If it STILL can’t get an answer, then it looks for the SRV record in DNS you created above.
How To Test the AutoDiscover SRV Record
It’s a DNS record, so we can query it with nslookup to make sure it’s OK.
[box]
nslookup -q=srv _autodiscover._tcp.{domain-name}

OR

nslookup
set q=srv (or you can use SET TYPE=SRV)
_autodiscover._tcp.{domain-name}
[/box]
Like this;
Or if you use macOS or Linux;
Why Do I have to remove my A and CNAME Records for Autodiscover?
If they exist they will get used before the SRV record. You may think that’s fine, but it may lead to all sorts of horrible Outlook setups and errors about certificate names.
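To confirm the end state described above (no A or CNAME answer for autodiscover, and an SRV record on port 443 pointing at the name the Exchange server presents), here is an added example script that is not part of the original article. It assumes `dig` is installed; the function names, the script name and the `example.com` / `mail.example.com` values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Requires dig for live lookups.
# check_records is pure text processing, so it can be run on saved dig output.

# check_records DOMAIN EXPECTED_HOST HOST_ANSWER SRV_ANSWER
#   HOST_ANSWER  output of: dig +short autodiscover.DOMAIN   (empty = no A/CNAME)
#   SRV_ANSWER   output of: dig +short SRV _autodiscover._tcp.DOMAIN
#                ("priority weight port target", one line per record)
# Prints findings; returns 0 only if the SRV record is the sole DNS answer.
check_records() {
    cr_rc=0
    # Compare names case-insensitively and without the trailing full stop.
    cr_want=$(printf '%s' "${2%.}" | tr '[:upper:]' '[:lower:]')
    if [ -n "$3" ]; then
        echo "FAIL autodiscover.$1 resolves; it is tried before the SRV record"
        cr_rc=1
    fi
    if [ -z "$4" ]; then
        echo "FAIL no SRV record at _autodiscover._tcp.$1"
        return 1
    fi
    while read -r cr_prio cr_weight cr_port cr_target; do
        [ -n "$cr_target" ] || continue
        cr_target=$(printf '%s' "${cr_target%.}" | tr '[:upper:]' '[:lower:]')
        if [ "$cr_port" != 443 ]; then
            echo "FAIL SRV port is $cr_port, expected 443"; cr_rc=1
        fi
        if [ "$cr_target" != "$cr_want" ]; then
            echo "FAIL SRV target $cr_target is not $cr_want"; cr_rc=1
        fi
        echo "INFO SRV priority=$cr_prio weight=$cr_weight -> $cr_target:$cr_port"
    done <<EOF
$4
EOF
    return "$cr_rc"
}

# audit_domain DOMAIN EXPECTED_HOST: live lookup, then the same checks.
audit_domain() {
    check_records "$1" "$2" \
        "$(dig +short "autodiscover.$1")" \
        "$(dig +short SRV "_autodiscover._tcp.$1")"
}

# Live run only when called with two arguments, for example:
#   sh check-autodiscover.sh example.com mail.example.com
if [ "$#" -eq 2 ]; then
    audit_domain "$1" "$2"
fi
```

Run it against both your internal and your public resolvers if you use split DNS, since each zone needs its own SRV record.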
Related Articles, References, Credits, or External Links
Outlook – Constantly Prompts for a Password
Original article written: 12/05/16