Checking SCP status during Exchange On-Premise rebuild

Scenario: You are going to build a new Exchange On-Premises server and want to catch the Autodiscover SCP record the moment Setup creates it, so you can $null out its ServiceBindingInformation BEFORE your domain-joined Outlook clients discover the new server and pull in its default (and still incorrect) server settings. Setup publishes the SCP as soon as the Client Access role is installed, with the new server's own FQDN as the Autodiscover URL, so the window between creation and clean-up is exactly what this monitor is for.

Script: Here is a monitor script you can use, or build from, to spot when the SCP record is created; once it appears, go straight into ADSI Edit and $null out the ServiceBindingInformation (or run Set-ClientAccessServer <server> -AutoDiscoverServiceInternalUri $null, which clears the same attribute through a supported cmdlet):

Import-Module ActiveDirectory

# Distinguished names of the Autodiscover SCP objects to watch (one per server being built)
$dns = @(
    "CN=ExServer1,CN=Autodiscover,CN=Protocols,CN=ExServer1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Enterprise Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com",
    "CN=ExServer2,CN=Autodiscover,CN=Protocols,CN=ExServer2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Enterprise Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com"
)

$C = 0
Do {
    $C++
    $r = @()
    foreach ($dn in $dns) {
        # The SCP object does not exist until Setup creates it, so swallow "not found" until it shows up
        try {
            $r += Get-ADObject -Identity $dn -Properties ServiceBindingInformation -ErrorAction Stop |
                  Select-Object CN, ObjectClass, ServiceBindingInformation
        } catch { }
    }
    $r | Format-Table -AutoSize
    Write-Host "Sleeping 10 Sec"
    Start-Sleep -Seconds 10
} While ($C -ne 1002)   # 1002 polls x 10 s (about 2.8 hours), then the loop ends on its own
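The monitor above polls two hard-coded DNs. The following is an added example (my own, not part of the original post) that instead finds every Autodiscover SCP in the Configuration partition by its well-known keyword GUID, waits for a named new server to appear, and then blanks its URL with the supported cmdlet rather than ADSI Edit. It assumes the ActiveDirectory module and an Exchange Management Shell session; the server name ExServer3 and the one-hour poll budget are placeholders.

```powershell
# Added example, not from the original post. Assumes: ActiveDirectory module loaded,
# Exchange Management Shell cmdlets available, and a placeholder server name "ExServer3".
Import-Module ActiveDirectory

# Well-known keyword GUID that Outlook searches for when it enumerates Autodiscover SCPs.
$AutodiscoverScpKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'
$configNc = (Get-ADRootDSE).configurationNamingContext

function Get-AutodiscoverScp {
    # One object per Exchange server; Name is the server name, keywords carry Site=<ADSite> entries
    Get-ADObject -SearchBase $configNc `
        -LDAPFilter "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpKeyword))" `
        -Properties serviceBindingInformation, keywords, whenCreated |
      Select-Object Name, whenCreated,
        @{ n = 'ServiceBindingInformation'; e = { $_.serviceBindingInformation -join ',' } },
        @{ n = 'SiteKeywords';              e = { ($_.keywords | Where-Object { $_ -like 'Site=*' }) -join ',' } }
}

# Poll until the new server's SCP shows up (bounded so the loop cannot run forever).
$newServer = 'ExServer3'      # placeholder
$maxPolls  = 360              # 360 x 10 s = 1 hour
$scp = $null
for ($i = 0; $i -lt $maxPolls; $i++) {
    $scp = Get-AutodiscoverScp | Where-Object { $_.Name -eq $newServer }
    if ($scp) {
        Write-Host "SCP for $newServer created $($scp.whenCreated): $($scp.ServiceBindingInformation)"
        break
    }
    Write-Host "Sleeping 10 Sec"
    Start-Sleep -Seconds 10
}

# Supported way to blank the SCP URL; same effect as nulling serviceBindingInformation in ADSI Edit.
# The SCP object stays in AD, but with an empty URL Outlook will not use it.
if ($scp) {
    Set-ClientAccessServer -Identity $newServer -AutoDiscoverServiceInternalUri $null
    Get-AutodiscoverScp | Where-Object { $_.Name -eq $newServer }   # ServiceBindingInformation should now be empty
}
```

Searching by keyword rather than by DN means the script keeps working when the organization name or administrative group differs from the sample DNs, and listing SiteKeywords at the same time shows you whether the new server is already scoped to an AD site (see the redirect-limit section below for why that matters).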

Windows Security – Select a Certificate window opens when connecting to an Exchange IIS Virtual Directory

Scenario: You notice that when you attempt to connect to an Exchange server's virtual directory, such as https://<my_exchange_namespace>/autodiscover/autodiscover.xml ,
you receive a prompt similar to this:

Select a Certificate
Site <domain name or server name> needs your credentials
<Certificates listed to select>


In our case, Autodiscover was not working correctly via DNS lookups, but the SCP record was pulling settings just fine.

Cause: The virtual directory is configured to Accept or Require client certificates, so the browser offers any client-authentication certificate it holds. Check the SSL Settings on the virtual directory in Internet Information Services (IIS) Manager. Example: expand Server –> Sites –> Default Web Site –> select Autodiscover (or whichever virtual directory is giving you the issue). In the IIS area, open SSL Settings and make sure Client certificates is set to Ignore; leave Require SSL checked, since only the client certificate negotiation is the problem. You may want to go one level higher and confirm the SSL settings are also correct on the Default Web Site, because a virtual directory can inherit the Accept/Require setting from the site. Only switch a directory to Ignore if it is not intentionally relying on certificate-based authentication.
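Rather than clicking through each virtual directory, here is an added example (mine, not from the original post) that reports the client-certificate mode of the usual Exchange virtual directories by reading the IIS sslFlags attribute, which is what the SSL Settings page edits. It assumes the WebAdministration module on the Exchange server and the site name Default Web Site; the list of virtual directory names is an assumption you should adjust to your server.

```powershell
# Added example, not from the original post. Assumes: run on the Exchange server with the
# WebAdministration module; "Default Web Site" and the vdir names are assumptions.
Import-Module WebAdministration

$site  = 'Default Web Site'
$vdirs = @('', 'Autodiscover', 'EWS', 'OAB', 'owa', 'ecp', 'Microsoft-Server-ActiveSync', 'mapi')

function Get-ClientCertMode {
    param([string]$PSPath)
    # sslFlags is a comma-separated set drawn from: Ssl, SslNegotiateCert, SslRequireCert, Ssl128.
    # IIS Manager shows SslNegotiateCert as "Accept" and SslNegotiateCert+SslRequireCert as "Require".
    $access = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $PSPath
    $flags  = "$($access.sslFlags)"
    [pscustomobject]@{
        Path               = $PSPath
        RequireSsl         = ($flags -match '\bSsl\b')
        ClientCertificates = if     ($flags -match 'SslRequireCert')   { 'Require' }
                             elseif ($flags -match 'SslNegotiateCert') { 'Accept'  }
                             else                                      { 'Ignore'  }
    }
}

function Get-ExchangeVdirCertModes {
    foreach ($v in $vdirs) {
        $path = if ($v) { "IIS:\Sites\$site\$v" } else { "IIS:\Sites\$site" }
        if (Test-Path $path) { Get-ClientCertMode -PSPath $path }
    }
}

# Report; anything showing Accept or Require is a candidate for the "Select a Certificate" prompt.
Get-ExchangeVdirCertModes | Format-Table -AutoSize

# To put Autodiscover back to "Ignore" while keeping Require SSL on, keep only the Ssl flag:
# Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\Autodiscover" `
#     -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
```

The remediation line is left commented out on purpose: run the report first, confirm the directory in question is not one you deliberately locked down with certificate authentication, and only then apply the change to that specific path.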

Outlook’s Autodiscover Redirect Limit – Hybrid Autodiscover Breaking for Exchange Online Mailboxes / Remote On-Premises Mailboxes

Scenario:  After introducing additional Exchange On-Premises servers, we noticed that Autodiscover stopped working for our Exchange Online hybrid mailboxes on domain-joined computers. Using the ‘Test E-mail AutoConfiguration’ feature in Outlook, it would fail right after the SCP/DNS Autodiscover lookup.

Reason:  Outlook has an Autodiscover redirect limit of roughly 8-10 responses.  Because we had more than 10 servers in our Exchange infrastructure, Outlook used up that budget on the SCP entries returned for each server and then failed every redirect after it, never reaching the one that would have sent the client to Exchange Online. You do not need 100 SCP failures if it's going to fail after the first 10 servers.

Solution:  You can reduce the number of SCP lookups by doing any of the following.

  1. Set the AutoDiscoverSiteScope value on each Exchange server so it only serves requests for its own AD site(s):  Set-ClientAccessServer ExSrv1 -AutoDiscoverSiteScope NewYork   (or a combination: NewYork,Baltimore,Tampa). Outlook tries the SCPs scoped to its own AD site first, so a client then sees only the servers scoped to its site before anything else.
  2. Set the AutoDiscoverSiteScope to $null so the server is not treated as in-site by any client: Set-ClientAccessServer ExSrv1 -AutoDiscoverSiteScope $null. Note this only removes the Site= keywords; the SCP still exists with its URL, so Outlook still falls back to it after the in-site candidates are exhausted.
  3. Set the AutoDiscoverServiceInternalURI to $null so the server drops out of SCP lookups entirely (the SCP object remains, but with an empty URL Outlook ignores it): Set-ClientAccessServer ExSrv1 -AutoDiscoverServiceInternalURI $null
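Before applying any of the three options, it helps to see how many SCP endpoints a client in each AD site is actually being handed. The following is an added example (my own, not from the original post) that models that from the Exchange cmdlets: it counts, per site, the servers scoped to that site and the unscoped fallback servers, and flags sites whose in-site count alone exceeds the redirect budget. It assumes an Exchange Management Shell session where Get-ClientAccessServer works (on Exchange 2016 and later you may prefer Get-ClientAccessService); the budget of 10 and the server and site names are placeholders.

```powershell
# Added example, not from the original post. Assumes an Exchange Management Shell session;
# RedirectBudget, server names and site names are placeholders.
$RedirectBudget = 10   # the post cites an Outlook limit of roughly 8-10 responses

function Get-AutodiscoverScpBudget {
    param([int]$Budget = $RedirectBudget)

    $cas = Get-ClientAccessServer |
           Select-Object Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope

    # Option 3 above: a null URI takes the server out of SCP lookups entirely.
    $active   = @($cas    | Where-Object { $_.AutoDiscoverServiceInternalUri })
    # Option 2 above: an empty scope means no site treats the server as in-site,
    # but Outlook still falls back to it after the in-site candidates fail.
    $unscoped = @($active | Where-Object { -not $_.AutoDiscoverSiteScope })

    $sites = $active | ForEach-Object { $_.AutoDiscoverSiteScope } | Sort-Object -Unique
    foreach ($site in $sites) {
        $inScope  = @($active | Where-Object { $_.AutoDiscoverSiteScope -contains $site })
        $fallback = @($active | Where-Object { $_.AutoDiscoverSiteScope -notcontains $site })
        [pscustomobject]@{
            Site              = $site
            InSiteServers     = $inScope.Count
            FallbackServers   = $fallback.Count     # includes the unscoped ones
            UnscopedServers   = $unscoped.Count
            InSiteOverBudget  = ($inScope.Count -gt $Budget)
        }
    }
}

Get-AutodiscoverScpBudget | Format-Table -AutoSize

# Remediation examples (run deliberately, one server at a time):
# Option 1: restrict a server to the sites it should serve.
# Set-ClientAccessServer -Identity ExSrv1 -AutoDiscoverSiteScope 'NewYork','Baltimore'
# Option 3: keep the server but blank its URL so Outlook skips it.
# Set-ClientAccessServer -Identity ExSrv1 -AutoDiscoverServiceInternalUri $null
```

The usual finding is a large UnscopedServers count: every unscoped server is a fallback candidate for every site, so scoping each server to its own site (option 1) shrinks the list a client walks through far more than nulling a handful of servers does.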