Exchange Autodiscover and the Active Directory SCP

In a previous post I explained how you can use an SRV record to resolve certificate issues with Autodiscover when your internal domain isn't the same as your email domain. This time, I'm going to explain how to fix things by making changes to Exchange and Active Directory that allow Autodiscover to function normally without a SRV record, or any DNS records at all for that matter. This only works, though, if the computers that access Exchange are members of your domain and you configure Outlook using user@domain, where the domain is your AD domain.

This is how Exchange hands out Autodiscover configuration URLs by default, without any DNS or SRV records. However, if you have a private domain name in your AD environment (which you should try to avoid when you're building new environments now), you will always get a certificate error when you use Outlook, because third-party CAs won't put private domain names on SAN certificates anymore. To fix this little problem, I will first give you a little information on a lesser-known feature in Active Directory called the Service Connection Point (SCP).

Service Connection Points

SCPs play an important role in Active Directory. They are basically entries in the Active Directory Configuration partition that define how domain-based users and computers can connect to various services on the domain; hence the name Service Connection Point. They typically show up in one of the Active Directory tools that a lot of people overlook but which is extremely important to Exchange since 2.: Active Directory Sites and Services (ADSS).

ADSS is typically used to define replication boundaries and paths for Active Directory domain controllers, and Exchange uses the information in ADSS to direct users to the appropriate Exchange server in large environments with multiple AD sites. But you can also use it to view and change the SCPs that are set up in your AD environment. You do this with a feature that is overlooked even more than ADSS itself: the Services node. It can be exposed by right-clicking the Active Directory Sites and Services object when you have ADSS open, selecting View, then clicking Show Services Node.

Once you open the Services node, you can see a lot of the stuff that AD uses in the back end to make things work in the domain. Our focus here, however, is Exchange, so go into the Microsoft Exchange node. You'll see your Exchange organization's name there, and you can expand it to view all of the Service Connection Points that are related to Exchange. I wouldn't recommend making any changes in here unless you really know what you're doing, since this view is very similar to ADSIEdit in that it lets you examine things that can very rapidly break Active Directory.

Changing the Exchange Autodiscover SCP

If we look into the Microsoft Exchange services tree, you first see the organization name. Expand this, then navigate to the Administrative Group section. In any Exchange version that supports Autodiscover, this will show up as First Administrative Group (FYDIBOHF2.SPDLT). If the long string of letters confuses you, don't worry about it. That's just a joke by the developers of Exchange 2. It's a 1-shift Caesar cipher that decodes to EXCHANGE1.ROCKS. Programmers don't get much humor in life, so we'll just have to forgive them for that and move on.

Once you expand the administrative group node, you'll be able to see most of the configuration options for Exchange that are stored in AD. Most of these shouldn't be touched. For now, expand the Servers node. This is the section that defines all of your Exchange servers and how client systems can connect to them. If you dig around in here, mostly you just see folders, but if you right-click any of them and click Properties, you should be able to view an Attributes tab (in Windows 2.) that, like ADSIEdit, exposes the attributes behind the Services node in ADSS. There are lots of cool things you can do in here, like change the maximum size of your transaction log files, implement strict limits on the number of databases per server, change how much the database grows when there isn't enough space in the database to commit a transaction, and other fun things. What we're focusing on here is Autodiscover, though, so expand the Protocols tree, then go to Autodiscover.

Now that we're here, we see each of the Exchange CAS servers in our environment. Mine is called Exchange. I am an incredibly creative individual, except when naming servers. Again, you can right-click the server name, select Properties, then go to the Attribute Editor tab to view everything you can control about Autodiscover here. It looks like a lot of stuff, right? Well, you'll really only want to worry about two attributes here. The rest are defined and used by Exchange to do Exchangey stuff (technical term), and you'll really only ever want to change one of the two. The two attributes you should know the purpose of are keywords and serviceBindingInformation.

keywords

This attribute, as you may have noticed, defines the Active Directory site that the CAS server is located in. It is filled in automatically by the Exchange subsystem in AD based on the IP address of the server. If you haven't created subnets in ADSS and assigned them to the appropriate site, this value will always be the Default site. If you change this attribute, it will get written over in short order, and you'll likely break client access until the rewrite occurs. The purpose of this value is to allow the Autodiscover service to assign a CAS server based on AD site. So, if you have two Exchange servers, one in site A and another in site B, this value ensures that clients in site A get configured to use the CAS server in that site, rather than crossing a replication boundary to reach site B.

serviceBindingInformation

Here's the value we are most concerned with in this post. This is the value that defines where Active Directory domain-joined computers will go for Autodiscover information when you enter their email address as username@domain, with the domain being your AD domain. By default, this value will be the full FQDN of the server as it appears in the Active Directory domain's DNS forward lookup zone. So, when domain-joined computers configure Outlook using user@domain, they get their Autodiscover URL from this value rather than from Autodiscover, SRV, or other records that exist in the internal DNS zone.

Note: If your email domain is different from your AD domain, you may need to use your AD domain as the email domain when configuring Outlook for the SCP lookup to occur. If you do not want to use the AD domain to configure users, you will want to make sure there is an Autodiscover DNS record in the DNS zone you use for your email domain.

Now, since we know that the serviceBindingInformation value sets the URL that Outlook will use for Autodiscover, we can change it directly through ADSS or ADSIEdit by replacing what's there with https://servername.<your public domain>/Autodiscover/Autodiscover.xml (with the host name being one that is on your certificate). Once you do this, internal clients on the domain that configure Outlook with user@domain will be directed to a value that is on the certificate and can be configured without certificate errors.

Now, if you're a little nervous about making changes this way, you can instead change the value of the serviceBindingInformation attribute with the Exchange Management Shell, by running the following command:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://servername.<your public domain>/Autodiscover/Autodiscover.xml

This will directly modify the Exchange AD SCP and allow your clients to use Autodiscover without getting certificate errors. Not too difficult, and you don't have to worry about split DNS or SRV records.

Final Note

Note, though, that like the SRV record approach, you will be forcing your internal clients to go out of your network to the Internet to access your Exchange server. To keep this from happening, you will have to have an internal version of your external DNS zone that has internal IPs assigned in all the A records. There just is no way around that with private domain names any longer.
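Before changing the SCP, a practitioner would want to see what domain-joined Outlook clients will actually find and whether that name is on the certificate. The PowerShell below is an added example, not code from the original post: it reads the Autodiscover SCP objects where the article locates them (keywords and serviceBindingInformation on the objects under CN=Autodiscover,CN=Protocols in the Configuration partition), compares the host in each URL with the SAN names on the certificate Exchange has bound to IIS, and prints the Set-ClientAccessServer fix from the post (with -WhatIf) for any server whose URL is not covered. It assumes an Exchange Management Shell session with the ActiveDirectory module available; mail.example.com is a constructed placeholder.

```powershell
# Added example (not from the original post). Run in an Exchange Management Shell
# on a domain-joined machine; Get-ADObject/Get-ADRootDSE need the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed placeholder: the public host name your certificate actually covers.
$PublicHost = 'mail.example.com'
$NewUri     = "https://$PublicHost/Autodiscover/Autodiscover.xml"

# 1. Read the Autodiscover SCPs exactly where the article finds them in ADSS:
#    Configuration partition, CN=<server>,CN=Autodiscover,CN=Protocols,CN=<server>,CN=Servers,...
$configNC = (Get-ADRootDSE).configurationNamingContext
$scps = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=serviceConnectionPoint)' `
            -Properties keywords, serviceBindingInformation |
        Where-Object { $_.DistinguishedName -like '*,CN=Autodiscover,CN=Protocols,*' }

# 2. Collect the DNS names on the certificate bound to IIS (the one Outlook/Autodiscover sees).
$certNames = Get-ExchangeCertificate |
             Where-Object { $_.Services -match 'IIS' } |
             ForEach-Object { $_.CertificateDomains } |
             ForEach-Object { $_.ToString().ToLower() } |
             Sort-Object -Unique

# 3. For each SCP, check whether the host in serviceBindingInformation is on that certificate.
foreach ($scp in $scps) {
    $uri     = [uri]($scp.serviceBindingInformation[0])
    $uriHost = $uri.Host.ToLower()
    # A SAN entry covers the host if it matches exactly or is a wildcard for the same parent domain.
    $covered = $certNames | Where-Object {
        $_ -eq $uriHost -or ($_.StartsWith('*.') -and $uriHost -like $_)
    }
    # The keywords attribute carries the site scope the article describes, as Site=<AD site name>.
    $siteScope = ($scp.keywords | Where-Object { $_ -like 'Site=*' }) -join ','

    [pscustomobject]@{
        SCP       = $scp.Name          # the SCP is named after the CAS server
        SiteScope = $siteScope
        Uri       = $uri.AbsoluteUri
        OnCert    = [bool]$covered
    } | Format-List

    if (-not $covered) {
        # The fix the article applies, shown with -WhatIf so nothing changes until you remove it.
        Write-Output "Fix for $($scp.Name):"
        Write-Output "  Get-ClientAccessServer -Identity '$($scp.Name)' | Set-ClientAccessServer -AutoDiscoverServiceInternalUri '$NewUri' -WhatIf"
    }
}
```

If every SCP reports OnCert as True, domain-joined clients already receive a URL the certificate covers and no SCP change is needed.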
November 2017