
DNS or SRV Record For DNS Based Exchange Autodiscover

For users and devices that need to use DNS to locate their Exchange Autodiscover endpoint, should I use a SRV record?

The above is a fairly common question, and it almost warrants the consultant’s answer.  It depends...

Multi Site Exchange 2010 CAS Namespaces

As discussed by Ross Smith IV in his introduction to Exchange 2013 CAS post, Exchange 2010 CAS Namespace planning typically requires multiple namespaces.  Ross gives the below example for a multi site Exchange 2010 deployment:

  1. Primary datacenter Internet protocol namespace  (mail.tailspintoys.com)
  2. Secondary datacenter Internet protocol namespace
  3. Primary datacenter Outlook Web App failback namespace
  4. Secondary datacenter Outlook Web App failback namespace
  5. Primary datacenter RPC Client Access namespace
  6. Secondary datacenter RPC Client Access namespace
  7. Autodiscover namespace
  8. Legacy namespace
  9. Transport namespace (if doing ad-hoc encryption or partner-to-partner encryption)

Single Site Exchange 2010 CAS Namespaces

Simplifying this to a single site deployment changes this to:

  • Primary datacenter Internet protocol namespace (mail.tailspintoys.com)
  • Autodiscover namespace
  • Legacy namespace
  • Transport namespace (if doing ad-hoc encryption or partner-to-partner encryption)

Single Exchange CAS Namespace

Some customers with only a single version of Exchange have deployed with even fewer names:

  1. Primary datacenter Internet protocol namespace (mail.tailspintoys.com)

Since SSL/TLS certificates map directly to the planned CAS namespaces this would indicate that only a single name is required on the certificate.

While it is possible to deploy Exchange 2007 or 2010 with a certificate that has a single name, this is not the recommended or normal practice.  Yes, it is possible to deploy with a single name on the TLS certificate.  That statement may generate some frowns and expletives, but it is possible.  How could this be done?  Set every single URL and namespace to be the same, and for DNS based Autodiscover use a SRV record.

More Common Single Site Deployment

Typically most single site deployments will have multiple namespaces, at least the two basic ones.  That would be:

  1. Mail.Tailspintoys.com
  2. Autodiscover.Tailspintoys.com

Taking the SRV Autodiscover Path

Some Challenges For SRV Based Autodiscover

  • Some ActiveSync client implementations do not search for SRV records.  This means that such devices must be manually configured.
  • Several years ago some DNS providers did not support SRV records, though this should be minimal nowadays.
  • Exchange 2007 does not look for SRV based Autodiscover DNS records when using DNS to locate the Autodiscover endpoint in a remote forest.  Details are here.
  • Outlook 2007 needs to have at least update 939184 installed.  This should be a non-issue, as that update was for the RTM build of Outlook 2007.  Customers must now be on Service Pack 3 for Outlook 2007 to be supported, as documented in the Outlook 2007 support lifecycle policy.
  • Users get a redirection prompt.  More on this below.
  • At the time of writing there is an issue with Lync 2013 not locating Exchange Autodiscover via SRV record.  This is documented on the Lync 2013 known issues page.

Implementing SRV Record For Autodiscover

As documented in KB 940881, the process is pretty straightforward.  Well, that is assuming your DNS supports SRV records.  To get clients to send their Autodiscover requests to Mail.Tailspintoys.com, the Autodiscover DNS record must look like this:

Service: _autodiscover

Protocol: _tcp

Port Number: 443

Host: Mail.Tailspintoys.com

Or expressed differently:

_autodiscover._tcp.Tailspintoys.com. SRV 0 0 443 Mail.Tailspintoys.com

Check Autodiscover SRV Record

Please use this post to review the steps to check the Autodiscover SRV record.

Traffic Flow For SRV Record Based Autodiscover

This is the traditional Autodiscover diagram showing internal clients leveraging the SCP to locate the Autodiscover endpoint.

Exchange Internal Autodiscover Flow

However, we are not using the SCP here, this post is all about the SRV record.

Following on from the above scenario, where the user's email address is user@Tailspintoys.com, let's see how their Outlook client gets to the Exchange Autodiscover endpoint.

Autodiscover does the following when the client tries to contact the Autodiscover service:

  1. Autodiscover posts to https://Tailspintoys.com/Autodiscover/Autodiscover.xml. This fails.
  2. Autodiscover posts to https://Autodiscover.Tailspintoys.com/Autodiscover/Autodiscover.xml. This fails.
  3. Autodiscover performs the following redirect check: GET http://Autodiscover.Tailspintoys.com/Autodiscover/Autodiscover.xml. This fails.
  4. Autodiscover uses a DNS SRV lookup for _autodiscover._tcp.Tailspintoys.com, and DNS returns "Mail.Tailspintoys.com".
  5. Outlook asks permission from the user to continue with Autodiscover to post to https://Mail.Tailspintoys.com/autodiscover/autodiscover.xml.
  6. Autodiscover's POST request is successfully posted to https://Mail.Tailspintoys.com/autodiscover/autodiscover.xml.
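The following is an added example, not code from the original post or from Microsoft. It models two things covered above: the shape of the SRV record from the "Implementing SRV Record For Autodiscover" section (owner name _autodiscover._tcp.<domain>, port 443, a fully qualified target host), and the six-step client lookup order just listed. DNS and HTTPS are replaced by constructed in-memory data (srv_records, https_hosts, http_redirects) so it runs offline; the redirect branch for the port-80 check is modelled as prompting the user, which the post does not show because its step 3 fails. parse_srv also rejects the easy-to-make typo of leaving the underscore off the service label, since clients query the underscored name and never find the record.

```python
"""Added example (not from the original post): parse and validate the
Autodiscover SRV record, then walk Outlook's candidate order with constructed,
offline stand-ins for DNS and HTTPS."""
from dataclasses import dataclass

# The record from the post, with the underscore on the service label.
SRV_LINE = "_autodiscover._tcp.Tailspintoys.com. SRV 0 0 443 Mail.Tailspintoys.com"


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, lower-cased, no trailing dot
    priority: int
    weight: int
    port: int
    target: str    # host the client will be sent to, lower-cased


def parse_srv(line: str) -> SrvRecord:
    """Parse '<name> [ttl] [IN] SRV <prio> <weight> <port> <target>' and reject
    anything that does not match the Autodiscover record shape."""
    tokens = line.split()
    if "SRV" not in tokens:
        raise ValueError("not an SRV record")
    i = tokens.index("SRV")
    fields = tokens[i + 1:i + 5]
    if len(fields) != 4:
        raise ValueError("SRV needs: priority weight port target")
    prio, weight, port = (int(t) for t in fields[:3])  # int() raises ValueError on junk
    name = tokens[0].rstrip(".").lower()
    target = fields[3].rstrip(".").lower()
    # "Autodiscover._tcp..." (no underscore) is a common typo; clients never find it.
    if not name.startswith("_autodiscover._tcp.") or len(name.split(".")) < 4:
        raise ValueError("owner name must be _autodiscover._tcp.<domain>")
    if port != 443:
        raise ValueError("Autodiscover over HTTPS is expected on port 443")
    if "." not in target:
        raise ValueError("target must be a fully qualified host name")
    return SrvRecord(name, prio, weight, port, target)


def is_valid_srv(line: str) -> bool:
    """True if the line parses as a usable Autodiscover SRV record."""
    try:
        parse_srv(line)
        return True
    except ValueError:
        return False


def lookup_autodiscover(email, srv_records, https_hosts, http_redirects):
    """Return (attempts, prompted, final_url) for the lookup order in the post.

    srv_records:    {owner name: SrvRecord}, a constructed stand-in for DNS.
    https_hosts:    set of hosts whose /Autodiscover/Autodiscover.xml answers over HTTPS.
    http_redirects: {host: url} answered by the port-80 redirect check.
    """
    domain = email.rsplit("@", 1)[1].lower()
    attempts = []
    # Steps 1 and 2: HTTPS POST to the root domain, then to the autodiscover. host.
    for host in (domain, f"autodiscover.{domain}"):
        url = f"https://{host}/Autodiscover/Autodiscover.xml"
        if host in https_hosts:
            attempts.append((url, "ok"))
            return attempts, False, url
        attempts.append((url, "fail"))
    # Step 3: plain HTTP GET looking for a redirect (assumed to prompt the user if found).
    url = f"http://autodiscover.{domain}/Autodiscover/Autodiscover.xml"
    redirect = http_redirects.get(f"autodiscover.{domain}")
    if redirect:
        attempts.append((url, f"redirect -> {redirect}"))
        return attempts, True, redirect
    attempts.append((url, "fail"))
    # Step 4: SRV lookup for _autodiscover._tcp.<domain>.
    owner = f"_autodiscover._tcp.{domain}"
    srv = srv_records.get(owner)
    if srv is None:
        attempts.append((f"SRV {owner}", "no record"))
        return attempts, False, None
    attempts.append((f"SRV {owner}", srv.target))
    # Steps 5 and 6: the user is asked to confirm the redirect, then the POST goes
    # to the SRV target host.
    url = f"https://{srv.target}/autodiscover/autodiscover.xml"
    if srv.target in https_hosts:
        attempts.append((url, "ok"))
        return attempts, True, url
    attempts.append((url, "fail"))
    return attempts, True, None


if __name__ == "__main__":
    rec = parse_srv(SRV_LINE)
    scenario = lookup_autodiscover("user@Tailspintoys.com", {rec.name: rec},
                                   {"mail.tailspintoys.com"}, {})
    for step in scenario[0]:
        print(step)
```

Running it with the post's scenario (only Mail.Tailspintoys.com answering over HTTPS) reproduces the sequence above: two failed HTTPS POSTs, a failed HTTP redirect check, the SRV answer, and a final successful POST to Mail.Tailspintoys.com with the user prompt flag set. Removing the SRV record from the constructed DNS data shows the failure mode the challenges list warns about: the client runs out of candidates and the user must configure the account manually.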

Rhoderick Milne [MSFT]
