White Paper: Exchange 2007 Autodiscover Service

Page 1 of 41

©2010 Microsoft Corporation. All rights reserved.

White Paper: Exchange 2007 Autodiscover Service
Topic Last Modified: 2009-12-23
Joey Masterson, Technical Writer, Microsoft Exchange Server; Joe Turick, Support Engineer, Microsoft Enterprise Messaging Support; and Ross Smith IV, Technology Architect, Microsoft Exchange Server
November 2007

Summary
This white paper provides detailed information about the Microsoft Exchange Autodiscover service. It also includes information about how to configure this service in various deployment scenarios. Use the conceptual information and procedures in this white paper to help you deploy the Autodiscover service.

Applies To
Microsoft Exchange Server 2007

Table of Contents
Introduction
How the Autodiscover Service Works with Clients
How Outlook 2007 and Autodiscover Interoperate
Autodiscover and Certificates
Understanding the Exchange Setup Self-Signed Certificate
Supported Scenarios for Connecting to the Autodiscover Service from the Internet
Scenario 1: Using a Certificate That Supports Multiple DNS Names
Scenario 2: Using One Single-Name Certificate
Scenario 3: Using Two Single-Name Certificates
Scenario 4: Using the Autodiscover Service with Redirection
Summary of Supported Scenarios for Connecting to the Autodiscover Service from the Internet
How to Configure the Autodiscover Service for Internet Access
Scenario 1: How to Use a Certificate That Supports Multiple DNS Names
Scenario 2: How to Use One Single-Name Certificate
Scenario 3: How to Use Two Single-Name Certificates
Scenario 4: How to Use a Single SSL Certificate and the Autodiscover Redirect Web Site
Optional Deployment Information for a Large-Scale Hosted Environment
Additional Deployment Scenarios and Considerations for the Autodiscover Service
Configuring the Autodiscover Service to Use Site Affinity for Internal Communication
How to Configure the Autodiscover Service to Use Site Affinity
Configuring the Autodiscover Service for Multiple Forests
How to Configure the Autodiscover Service When You Use Multiple Forests
Managing the Autodiscover Service
How to Configure the Autodiscover Service for Cross Forest Moves
How to Configure Exchange Services for the Autodiscover Service
Autodiscover and ISA Server 2006
Conclusion

http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80,printer).aspx

3/2/2010

Introduction
Microsoft Exchange Server 2007 includes a new Microsoft Exchange service named the Autodiscover service. The Autodiscover service configures and maintains server settings for client computers that are running Microsoft Office Outlook 2007. The Autodiscover service can also configure supported mobile devices. An important function of the Autodiscover service is to provide access to Microsoft Exchange features for Outlook 2007 clients that are connected to your Microsoft Exchange messaging environment. These features include the Web-based offline address book (OAB), the Availability service, and Unified Messaging (UM). The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients to automatically connect to Microsoft Exchange features. For more information about how to configure Exchange features, see How to Configure Exchange Services for the Autodiscover Service later in this white paper.

How the Autodiscover Service Works with Clients
When you install the Client Access server role on a computer that is running Exchange 2007, a new virtual directory named Autodiscover is created under the Default Web Site in Internet Information Services (IIS). This virtual directory handles Autodiscover service requests from Outlook 2007 clients in the following circumstances:
- When a new Outlook profile is configured or updated
- When a client periodically checks for changes to the Exchange Web Services URLs
- When underlying network connection changes occur in your Exchange messaging environment

Additionally, a new service connection point (SCP) Active Directory object is created for each server where the Client Access server role is installed. The SCP object is used by domain-connected clients to locate the Autodiscover service. The SCP object contains two pieces of information: the serviceBindingInformation attribute and the keywords attribute. The serviceBindingInformation attribute holds the Autodiscover URL of the Client Access server in the form https://cas01.contoso.com/autodiscover/autodiscover.xml, where cas01.contoso.com is the fully qualified domain name (FQDN) of the Client Access server. The keywords attribute specifies the Active Directory sites with which this SCP record is associated. By default, this attribute specifies the Active Directory site to which the Client Access server belongs.

In deployments that include multiple Client Access servers, an Autodiscover SCP record is created for each Client Access server. When a domain-connected Outlook 2007 client starts, it authenticates to the Active Directory directory service by using the user's credentials and searches for the Autodiscover SCP objects that were created during Setup. After the client obtains and enumerates the instances of the Autodiscover service, it connects to the first Client Access server in the enumerated and sorted list and obtains the profile information, in the form of XML data, that is needed to connect to the user's mailbox and to the available Microsoft Exchange features.

An Outlook 2007 client connects to the Autodiscover service as follows:
1. Outlook 2007 sends a Lightweight Directory Access Protocol (LDAP) query to Active Directory looking for all available SCP objects. Specifically, Outlook initializes the LDAP connection by using the ldap_init() function and passes a NULL value for the host name. When a particular global catalog server name (or domain name) is not specified, the operation searches for a global catalog server in the domain, based on the domain membership of the computer that is initializing the operation.
2. Outlook 2007 sorts and enumerates the returned results based on the client's Active Directory site by using the keywords attribute of the SCP record. One of two lists is created: an in-site list or an out-of-site list. The in-site list contains the SCP records whose AutodiscoverSiteScope information matches the Active Directory site of the Outlook client. AutodiscoverSiteScope is a parameter that is set on the Client Access server by using the Set-ClientAccessServer cmdlet; it specifies the site for which the Autodiscover service is authoritative. If there are no in-site records, an out-of-site SCP record list is generated. This list is not sorted in any particular order; in practice it is approximately in the order of the oldest SCP records (based on creation date) first.

Note: In environments where Outlook 2007 is deployed in remote sites that do not have Exchange 2007 Mailbox and Client Access servers, you can use site affinity to configure the SCP objects so that Outlook 2007 clients use SCP objects that are physically closer. For more information, see How to Configure the Autodiscover Service to Use Site Affinity later in this white paper.

3. Outlook first tries to connect to each Autodiscover URL that it generated from either the in-site list or the out-of-site list. If that does not work, Outlook tries to connect to the predefined URLs (for example, https://autodiscover.contoso.com/autodiscover/autodiscover.xml) by using DNS. If that also fails, Outlook tries the HTTP redirect method and, failing that, the SRV record lookup method. If all lookup methods fail, Outlook is unable to obtain the Outlook Anywhere configuration and URL settings.
4. The Autodiscover service queries Active Directory to obtain the connection settings and URLs for the Exchange services that have been configured.
5. The Autodiscover service returns an HTTPS response with an XML file that includes the connection settings and URLs for the available Exchange services.
6. Outlook uses the appropriate configuration information and connection settings to connect to your Exchange messaging environment.

For more information about SCP objects, see Publishing with Service Connection Points [ http://go.microsoft.com/fwlink/?LinkId=72744 ].

The following figure illustrates how a client connects to a Client Access server the first time from inside the Exchange messaging organization.
Figure: The Autodiscover service process for internal access

When Outlook 2007 is started on a client that is not domain-connected, it first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Because the client is unable to contact Active Directory, it then tries to locate the Autodiscover service by using Domain Name System (DNS). In this scenario, the client takes the right side of the user's e-mail address (the SMTP domain, for example contoso.com) and checks DNS by using two predefined URLs. For example, if your SMTP domain is contoso.com, Outlook tries the following two URLs to connect to the Autodiscover service:
https://contoso.com/autodiscover/autodiscover.xml
https://autodiscover.contoso.com/autodiscover/autodiscover.xml


Important:

For Outlook to be able to locate the Autodiscover service by using DNS, there must be a host record in DNS for the Autodiscover service that maps the entry point, or public IP address, to the Client Access server where the Autodiscover service is hosted.
The following figure illustrates a simple topology with a client connecting from the Internet.
Figure: The Autodiscover service process for external access

Another option related to DNS is made possible by an Outlook 2007 software update. When this update is applied, Outlook 2007 clients perform an additional check for a DNS SRV record to locate the Autodiscover service. This method does not require multiple Web sites and IP addresses or a new Unified Communications Secure Sockets Layer (SSL) certificate. Although it still requires that you add a record for the Autodiscover service in DNS, you do not have to use a certificate that supports multiple DNS names or administer a second Web site. For more information about this software update for Outlook 2007, see Microsoft Knowledge Base article 940881, A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=940881 ]. To obtain this update, see Microsoft Knowledge Base article 939184, Description of the update rollup for Outlook 2007: June 27, 2007 [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=939184 ].
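The endpoint selection described in the preceding sections (SCP in-site versus out-of-site ordering, the two DNS-derived HTTPS URLs, the HTTP redirect site and, last, the SRV record) is modelled below in Python as an added example; it is not code from this white paper or from Outlook. All records and addresses are constructed. The SRV owner name _autodiscover._tcp.<domain> is taken from Knowledge Base article 940881, which the text cites; the keywords GUID and the "Site=" form of the keywords attribute are the values Exchange writes on its SCP objects and are not stated on this page.

```python
"""Model of how Outlook 2007 chooses where to send its Autodiscover request.

Added example; not Outlook's or Microsoft's code. Constructed data throughout;
nothing here touches a directory or the network.
"""
from dataclasses import dataclass, field
from datetime import datetime

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"
# keywords value stamped on Autodiscover SCP URL records (documented by Microsoft,
# not stated on this page); a client uses it to filter its LDAP search.
SCP_URL_KEYWORD = "77378F46-2C66-4aa9-A6A6-3E7A48B19596"
SCP_LDAP_FILTER = f"(&(objectClass=serviceConnectionPoint)(keywords={SCP_URL_KEYWORD}))"


@dataclass(order=True)
class ScpRecord:
    """One serviceConnectionPoint object; ordering compares creation time only."""
    created: datetime
    url: str = field(compare=False)          # serviceBindingInformation
    keywords: tuple = field(compare=False)   # e.g. (SCP_URL_KEYWORD, "Site=Redmond")

    def sites(self):
        """Active Directory sites named in keywords (the AutodiscoverSiteScope)."""
        return {k.split("=", 1)[1] for k in self.keywords if k.startswith("Site=")}


def order_scp_records(records, client_site):
    """Return the SCP URLs to try, as Outlook would order them.

    If any record's site scope matches the client's site, only those in-site
    records are returned. Otherwise every record is returned oldest first, the
    approximate order the text gives for the out-of-site list.
    """
    in_site = [r for r in records if client_site in r.sites()]
    chosen = in_site if in_site else list(records)
    return [r.url for r in sorted(chosen)]


def smtp_domain(address):
    """Right side of the user's primary SMTP address, lower-cased."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or any(c in domain for c in "/ :"):
        raise ValueError(f"not a usable SMTP address: {address!r}")
    return domain.lower()


def lookup_plan(smtp_address, scp_urls):
    """Ordered (method, target) attempts for one user, matching step 3 in the text.

    scp_urls is empty for a client that could not reach Active Directory, so
    such a client starts directly with the DNS-derived URLs.
    """
    domain = smtp_domain(smtp_address)
    plan = [("scp", url) for url in scp_urls]
    plan += [
        ("dns", f"https://{domain}{AUTODISCOVER_PATH}"),
        ("dns", f"https://autodiscover.{domain}{AUTODISCOVER_PATH}"),
        ("redirect", f"http://autodiscover.{domain}{AUTODISCOVER_PATH}"),
        ("srv", f"_autodiscover._tcp.{domain}"),
    ]
    return plan


def sample_records():
    """Constructed SCP records for two Client Access servers in different sites."""
    return [
        ScpRecord(datetime(2008, 1, 15), "https://cas01.contoso.com" + AUTODISCOVER_PATH,
                  (SCP_URL_KEYWORD, "Site=Redmond")),
        ScpRecord(datetime(2007, 6, 1), "https://cas02.contoso.com" + AUTODISCOVER_PATH,
                  (SCP_URL_KEYWORD, "Site=Dublin")),
    ]


if __name__ == "__main__":
    urls = order_scp_records(sample_records(), "Redmond")
    for method, target in lookup_plan("kwekua@contoso.com", urls):
        print(f"{method:9} {target}")
```

A client in the Redmond site gets only cas01 from the SCP step; a client in a site with no Client Access server (Paris, say) falls through to the out-of-site list and tries cas02 before cas01 because it is older. Only after every SCP URL fails does the DNS, redirect and SRV sequence begin.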

How Outlook 2007 and Autodiscover Interoperate
The Autodiscover service makes it easier to configure and manage Outlook 2007. Earlier versions of Microsoft Exchange and Outlook required that you configure all user profiles manually to access Exchange. Extra work was required to manage these profiles if changes occurred to the messaging environment. Otherwise, the Outlook clients could stop functioning correctly. The Autodiscover service uses a user's e-mail address and domain account to automatically configure the user's profile. By using the e-mail address and domain account, the Autodiscover service can provide the following information to the client:
- The user's display name
- Separate connection settings for internal and external connectivity
- The location of the user's Mailbox server


- The URLs for various Outlook features that govern such functionality as Availability (free/busy) information, Unified Messaging, the Out of Office Assistant, and the Web-based offline address book
- Outlook Anywhere server settings

Outlook 2007 automatically connects to the Autodiscover service under the following conditions:
- Every time that the application starts
- At intervals on a background thread
- Any time that the client's connection to an Exchange server fails

How the Autodiscover Service Provides Settings to Outlook 2007
There are two parts, which are known as layers, of Outlook 2007 that use the Autodiscover service: the Outlook layer and the MAPI layer.

The Outlook layer begins operating when you open Outlook 2007 to retrieve the user profile settings. The connection settings that the Outlook client uses are translated into MAPI properties. These properties are stored in the user's profile, which is located in the registry on the local computer. The URLs for the available Exchange services are cached in the memory of the local computer. These settings are refreshed every time that the Time to Live (TTL) period elapses. The Time to Live is 60 minutes, or whenever an error occurs when Outlook 2007 tries to contact an Exchange 2007 server. If Outlook does not connect to the Autodiscover service, the Outlook layer tries to reconnect every 5 minutes, because the URLs for the available Exchange services are only cached in memory on the local computer. If the client cannot connect to the Autodiscover service, the user cannot use the available Exchange services until the specified URLs are obtained.

By contrast, the MAPI layer connects to the Autodiscover service when there are errors connecting to the Exchange server by using the MAPI protocol. For example, this occurs when the user is using a low-bandwidth network connection or when the user tries to open their mailbox after a mailbox move. Additionally, the MAPI layer also connects to the Autodiscover service if the user creates a new Outlook profile. Depending on the type of failure, this request may result in changes to the user's profile. The first failure detected by the MAPI layer results in an initial Autodiscover service request. This initial Autodiscover service request is known as the free Autodiscover service request. If no other failures occur after the first failure, the MAPI layer performs an Autodiscover service request every 6 hours to update the user's profile settings.

The Autodiscover Service and the Outlook Provider
To start to communicate with the Exchange messaging infrastructure, Outlook 2007 sends an HTTP POST command to the Autodiscover service. This command includes XML data that requests the connection settings and URLs for the Exchange services that are associated with the Outlook provider. The Autodiscover service sends the request to the Outlook provider, which then uses the Services Discovery API to retrieve the values in Active Directory. This information is created and stored in Active Directory both during Exchange 2007 Setup and when you configure your Exchange features by using the Exchange Management Shell or the Exchange Management Console. After the values have been returned, the data is passed to the Autodiscover service, which returns the information to the client in an HTTP response. This HTTP response contains the relevant values in XML. There are three Outlook provider settings, as follows:
- The EXCH setting references the Exchange RPC protocol that is used internally. This setting includes port settings and the internal URLs for the Exchange services that you have enabled.
- The EXPR setting references the Exchange HTTP protocol that is used by Outlook Anywhere, which is used by clients that access Exchange from the Internet. This setting includes the external URLs for the Exchange services that you have enabled.
- The WEB setting contains the best URL for Outlook Web Access for the user to use. This setting is not required for Exchange 2007.
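The POST/response exchange just described, as an added Python example that is not code from this white paper or from Outlook: it builds the request body Outlook sends, then pulls the EXCH, EXPR and WEB provider settings out of the XML answer. The three schema URIs are the published Outlook Autodiscover request and response namespaces; both XML documents in the block are constructed samples of the response shape (including the service's "600 Invalid Request" error form), not captures from a real server. The final check, which flags any returned URL that is not HTTPS, is the editor's addition and not something the white paper describes.

```python
"""Build the Autodiscover POST body and read EXCH/EXPR/WEB settings from the reply.

Added example; not Exchange or Outlook code. SAMPLE_RESPONSE and ERROR_RESPONSE
are constructed to match the documented response layout.
"""
import xml.etree.ElementTree as ET

REQUEST_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
ENVELOPE_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
NS = {"e": ENVELOPE_NS, "o": RESPONSE_NS}


class AutodiscoverError(Exception):
    def __init__(self, code, message):
        super().__init__(f"Autodiscover error {code}: {message}")
        self.code = code


def build_request(smtp_address):
    """XML body of the HTTP POST; the service keys its directory lookup on this address."""
    if "@" not in smtp_address:
        raise ValueError("an SMTP address is required")
    root = ET.Element("Autodiscover", xmlns=REQUEST_NS)
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = smtp_address
    ET.SubElement(req, "AcceptableResponseSchema").text = RESPONSE_NS
    return '<?xml version="1.0" encoding="utf-8"?>' + ET.tostring(root, encoding="unicode")


def _to_dict(elem):
    """Leaves become strings, branches become dicts (WEB nests Internal/External)."""
    children = list(elem)
    if not children:
        return (elem.text or "").strip()
    return {c.tag.rsplit("}", 1)[-1]: _to_dict(c) for c in children}


def parse_response(xml_text):
    """Return {"EXCH": {...}, "EXPR": {...}, "WEB": {...}} or raise AutodiscoverError."""
    root = ET.fromstring(xml_text)
    error = root.find("e:Response/e:Error", NS)          # error form: envelope namespace
    if error is not None:
        raise AutodiscoverError(error.findtext("e:ErrorCode", "", NS),
                                error.findtext("e:Message", "", NS))
    account = root.find("o:Response/o:Account", NS)      # settings form: outlook namespace
    action = account.findtext("o:Action", "", NS) if account is not None else ""
    if action != "settings":
        raise AutodiscoverError("none", f"no settings in response (Action={action!r})")
    providers = {}
    for proto in account.findall("o:Protocol", NS):
        settings = _to_dict(proto)
        providers[settings.pop("Type")] = settings
    return providers


def insecure_urls(providers):
    """URL-valued settings that are not HTTPS, as (provider/setting, url) pairs."""
    found = []

    def walk(prefix, value):
        if isinstance(value, dict):
            for key, sub in value.items():
                walk(f"{prefix}/{key}", sub)
        elif value.lower().startswith("http://"):
            found.append((prefix, value))

    for name, settings in providers.items():
        walk(name, settings)
    return found


SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="{ENVELOPE_NS}">
  <Response xmlns="{RESPONSE_NS}">
    <User><DisplayName>Kweku Ako-Adjei</DisplayName></User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type><Server>mbx01.contoso.com</Server><AuthPackage>Kerberos</AuthPackage>
        <ASUrl>https://cas01.contoso.com/EWS/Exchange.asmx</ASUrl>
        <OOFUrl>https://cas01.contoso.com/EWS/Exchange.asmx</OOFUrl>
        <OABUrl>https://cas01.contoso.com/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type><Server>mail.contoso.com</Server><SSL>On</SSL><AuthPackage>Basic</AuthPackage>
        <CertPrincipalName>msstd:mail.contoso.com</CertPrincipalName>
        <ASUrl>https://mail.contoso.com/EWS/Exchange.asmx</ASUrl>
        <OABUrl>https://mail.contoso.com/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal><OWAUrl AuthenticationMethod="Fba">https://cas01.contoso.com/owa/</OWAUrl></Internal>
        <External><OWAUrl AuthenticationMethod="Fba">https://mail.contoso.com/owa/</OWAUrl></External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""

ERROR_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="{ENVELOPE_NS}">
  <Response><Error Time="10:04:21.0000000" Id="2477272013">
    <ErrorCode>600</ErrorCode><Message>Invalid Request</Message><DebugData />
  </Error></Response>
</Autodiscover>"""
```

Note that the success and error forms live in different namespaces: the settings sit under a Response element in the Outlook response schema, while an Error sits under a Response element in the outer envelope schema, which is why the parser probes for both. Everything returned here is server-supplied input, so a client should treat the parsed URLs as untrusted until the certificate checks in the next section have passed on the channel that delivered them.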

Forcing Outlook 2007 to Update the User Profile Settings
Under most circumstances, Outlook 2007 and the Autodiscover service are intended to provide a seamless experience for users. However, there are instances when it may appear that the Autodiscover service is not functioning correctly. The following scenario is an example of when this might occur:

After you deploy Exchange Server 2007 in the messaging environment of the Contoso company, the IT administrator for Contoso upgrades the users to Outlook 2007. The administrator would also like to deploy Outlook Anywhere so that users can access their Exchange information and services from the Internet. To do this, the administrator configures and enables Outlook Anywhere for Exchange 2007. After enabling Outlook Anywhere, the administrator checks the Outlook profile settings on an Outlook 2007 client and notices that the RPC over HTTPS settings were not received by the client. The administrator then runs the test for the Autodiscover service by using the Test E-Mail AutoConfiguration feature in Outlook 2007. The administrator is surprised to see that the Autodiscover service did not create the connection settings in the Outlook profile.

This scenario occurs when the user's Outlook client runs continually. In this example, the Outlook 2007 client successfully connects to the Mailbox server by using TCP/IP. Because no failure was detected, the Autodiscover service does not try to re-create the Outlook profile settings; Outlook relies only on the initial Autodiscover "free" request, which is performed at six-hour intervals. Because this scenario is possible, Outlook provides a method to force this update to occur. The following procedure describes how to force Outlook to update the user profile settings by using the Autodiscover service.

To manually force the Autodiscover service to update the user's profile settings
1. Open Outlook 2007.
2. In Outlook 2007, click Tools, and then click Account Settings.
3. On the E-mail Accounts page, on the E-mail tab, click Repair.
4. Follow the steps in the Repair E-mail Account wizard.

Autodiscover and Certificates
One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For a certificate to be considered valid, it must meet the following criteria for the Autodiscover service:
- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Note: For domain-connected clients, Outlook 2007 is designed to ignore the first validity check in the previous list; the name and expiration checks still apply. This design enables Outlook 2007 to function without any certificate warnings when Outlook uses the self-signed certificate that is installed by Exchange 2007 Setup.

Understanding the Exchange Setup Self-Signed Certificate
When you install the Client Access server role, Exchange 2007 Setup determines whether an SSL certificate has already been installed on the server. If an SSL certificate is not found, Exchange Setup creates a self-signed SSL certificate in Internet Information Services (IIS) that meets the validity tests for domain-connected clients. The self-signed certificate has a common name that maps to the NetBIOS name of the server. The self-signed certificate also includes the FQDN of the server as an additional DNS name that is stored in the certificate's Subject Alternative Name field. This enables domain-connected clients to successfully connect to the Autodiscover service without receiving any certificate warnings if the certificate has not expired and the FQDN of the server you are connecting to is stored in the Subject Alternative Name of the certificate. Although the client is unable to validate the self-signed certificate up to the trusted root, this is the one validity test that is waived when domain-connected clients connect to the Autodiscover service by using the self-signed certificate.

Note: The Subject Alternative Name field is a special field that is available in X.509 v3 certificates that lets you add multiple DNS names to a single certificate. These types of certificates are known as Unified Communications certificates.

However, this introduces a new challenge. Outlook Anywhere clients and mobile device users who connect by using Exchange ActiveSync will be unable to connect when referencing a certificate whose common name is the NetBIOS name of the server. Instead, the common name of the certificate must be in the form of an FQDN that maps to the external DNS namespace those clients will be connecting to, for example, mail.contoso.com. To summarize, the self-signed certificate allows domain-connected Outlook 2007 clients to work immediately after Exchange Setup has completed and without any security warnings. However, we do not recommend long-term use of this self-signed certificate because it was primarily intended to ease the urgency of obtaining a correct certificate so that Outlook 2007 clients can immediately start to use Exchange 2007 features.

Note: We recommend that you immediately replace the self-signed certificate with a commercially available Internet trusted certificate or a trusted internal public key infrastructure (PKI)-issued certificate.

Additionally, for the Autodiscover service to function correctly, you must correctly configure your Exchange services, such as the Availability service, before the Autodiscover service can provide the correct external URLs to clients.

Supported Scenarios for Connecting to the Autodiscover Service from the Internet
If you are providing external access to Microsoft Exchange by using Outlook Anywhere (formerly known as RPC over HTTP), you must install a valid SSL certificate on the Client Access server by using one of the following four scenarios. Because Outlook 2007 clients connect to the Autodiscover service by using SSL, Outlook 2007 clients must be able to resolve the DNS namespace autodiscover.contoso.com, in addition to other externally published Exchange features such as Outlook Web Access or Exchange ActiveSync, which might reference a different DNS namespace, for example, mail.contoso.com. This can all be done by using an SSL certificate that supports Subject Alternative Names. However, there are other solutions you can implement if you cannot deploy a certificate that supports Subject Alternative Names. These scenarios and solutions are discussed in the following sections.

When the client tries to connect to your Microsoft Exchange messaging environment, the client locates the Autodiscover service on the Internet by using the right side of the user's e-mail address that was entered. Notice that this must be the user's primary SMTP address. For example, if the user's e-mail address is kwekua@contoso.com, the Autodiscover service should be located at either https://contoso.com/autodiscover/autodiscover.xml or https://autodiscover.contoso.com/autodiscover/autodiscover.xml. The Autodiscover service URL will be either of the following URLs:
https://<smtp-address-domain>/autodiscover/autodiscover.xml
https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml

This means that you must add a host record for the Autodiscover service to your external DNS zone. There are several methods for configuring your Client Access server to support connections to the Autodiscover service from the Internet, starting with the implementation of a Unified Communications certificate. Although using a certificate that supports Subject Alternative Names is a recommended solution, which method you choose should be decided after you weigh the advantages and disadvantages associated with the following methods.
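The three certificate criteria above, and the way the Setup self-signed certificate passes them only for domain-connected clients, are worked through below in Python as an added example; this is not Outlook's validation code or anything from the white paper. Certificates are modelled as plain data (a real client takes these fields from the TLS handshake and the chain result from the operating system's certificate store); the host names, dates and the one-year validity period are constructed for the illustration.

```python
"""Apply the Autodiscover certificate checks from the text to modelled certificates.

Added example; not Outlook or Exchange code. Names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse


@dataclass(frozen=True)
class Certificate:
    common_name: str
    san_dns_names: tuple          # Subject Alternative Name dNSName entries
    not_before: datetime
    not_after: datetime
    chains_to_trusted_root: bool  # outcome of path validation, taken as given here


def setup_self_signed(netbios_name, fqdn, issued, valid_days):
    """Shape of the certificate Exchange 2007 Setup creates: CN is the NetBIOS
    name, the server FQDN is a SAN entry, and no trusted root issued it.
    The validity length is a parameter here, not a documented value."""
    return Certificate(netbios_name, (fqdn,), issued, issued + timedelta(days=valid_days), False)


def name_matches(cert, host):
    """Exact, case-insensitive match against the CN or any SAN dNSName.
    Wildcard names are not handled in this example."""
    host = host.lower().rstrip(".")
    names = {cert.common_name.lower()} | {n.lower() for n in cert.san_dns_names}
    return host in names


def autodiscover_failures(cert, url, now, domain_connected):
    """Return the failed checks for connecting to url; an empty list means acceptable.

    Domain-connected clients skip only the chain check (the text's first
    criterion); the name and validity-period checks always apply.
    """
    parts = urlparse(url)
    failures = []
    if parts.scheme != "https" or not parts.hostname:
        failures.append("not an https url")
    if not cert.chains_to_trusted_root and not domain_connected:
        failures.append("chain does not end at a trusted root")
    if parts.hostname and not name_matches(cert, parts.hostname):
        failures.append(f"name mismatch: {parts.hostname} not in certificate")
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("outside validity period")
    return failures


# Constructed fixtures: the Setup certificate on CAS01 and a Unified
# Communications certificate that carries the external and internal names.
ISSUED = datetime(2008, 1, 1, tzinfo=timezone.utc)
NOW = ISSUED + timedelta(days=150)
LATER = ISSUED + timedelta(days=800)
SETUP_CERT = setup_self_signed("CAS01", "cas01.contoso.com", ISSUED, 365)
UC_CERT = Certificate("mail.contoso.com", ("autodiscover.contoso.com", "cas01.contoso.com"),
                      ISSUED, ISSUED + timedelta(days=365), True)

if __name__ == "__main__":
    scp_url = "https://cas01.contoso.com/autodiscover/autodiscover.xml"
    ext_url = "https://mail.contoso.com/autodiscover/autodiscover.xml"
    for label, cert, url, dc in (("setup cert, domain-joined", SETUP_CERT, scp_url, True),
                                 ("setup cert, Internet", SETUP_CERT, scp_url, False),
                                 ("setup cert, external name", SETUP_CERT, ext_url, True),
                                 ("UC cert, Internet", UC_CERT, ext_url, False)):
        print(f"{label}: {autodiscover_failures(cert, url, NOW, dc) or 'OK'}")
```

The Setup certificate is accepted for a domain-joined client reaching the SCP URL on cas01.contoso.com, is rejected for the same URL from the Internet because nothing trusts its issuer, and is rejected by everyone once the client asks for mail.contoso.com, since neither the NetBIOS common name nor the SAN entry matches. That last case is the "new challenge" the text describes for Outlook Anywhere and Exchange ActiveSync users, and it is why the certificate must name the external namespace.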

Scenario 1: Using a Certificate That Supports Multiple DNS Names
We recommend that you provide all the necessary DNS names in the same certificate by using a Unified Communications certificate that supports the Subject Alternative Name field. Using a Unified Communications certificate reduces the complexity of configuring and managing the Autodiscover service and the Exchange services URLs. However, using a Unified Communications certificate may increase the cost, as this kind of certificate can be more expensive than the single-name certificates that you may already own.

Note: There are special considerations when you use Unified Communications certificates with Internet Security and Acceleration (ISA) Server 2004 and ISA Server 2006. For more information, see the ISA Server team blog article Certificates with Multiple SAN Entries May Break ISA Server Web Publishing [ http://go.microsoft.com/fwlink/?LinkID=100584 ].

Obtaining a Unified Communications Certificate
A list of third-party certification authorities (CAs) that currently support Subject Alternative Names is documented in Microsoft Knowledge Base article 929395, Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007 [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=929395 ]. Or, you could install Windows Certificate Services and create and install your own SSL certificate that includes multiple DNS names. Although this may be the least expensive approach at first, you will incur the additional administrative overhead of distributing and maintaining the root certificates to your users so that clients that are not domain-connected can follow the certificate chain up to the trusted root certificate store. Additionally, your Outlook Anywhere users must manually install the root certificate on their remote workstations, and Exchange ActiveSync users must manually install the root certificate on their mobile devices.

Scenario 2: Using One Single-Name Certificate and the Autodiscover SRV Record
Although certificates that support Subject Alternative Names are highly recommended, they are not required. Another recommended solution is to use one single-name certificate installed on the Default Web Site. If your DNS provider supports SRV records, this solution is the simplest and least expensive way to deploy Outlook Anywhere in hosted and non-hosted Exchange 2007 environments. For more information, see Microsoft Knowledge Base article 940881, A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=940881 ], and Microsoft Knowledge Base article 939184, Description of the update rollup for Outlook 2007: June 27, 2007 [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=939184 ].

Important: In this scenario, you must update the Autodiscover URL in the SCP object in Active Directory and the internal URLs for the Exchange services so that Outlook clients do not receive the following error: The name of the security certificate is invalid or does not match the name of the site. This warning message, and how to correct it, is documented in Microsoft Knowledge Base article 940726, Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site" [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=940726 ].

With this option. Using the Autodiscover service with redirection may be the ideal solution because some DNS providers do not support SRV records. this may occur if you want to replace the self-signed certificate with a preexisting certificate exported from an earlier version of Exchange. and may still be.printer). This option requires two separate Web sites and public IP addresses. the ideal solution to use in situations such as a hosted Exchange 2007 environment. For example. Outlook will try an additional method to connect to the Autodiscover URL by using HTTP (instead of HTTPS) and connect to the Autodiscover Web site and then be redirected to the Autodiscover service hosted under the Default Web Site. or if you have already purchased a new single-name certificate before fully understanding the certificate requirements for the Autodiscover service for Exchange 2007. you must advise your users to accept this warning message and allow Outlook to connect to this trusted URL. Return to top Summary of Supported Scenarios for Connecting to the Autodiscover Service from the Internet All the previous scenarios are supported by Microsoft but vary in complexity. The following table illustrates the pros and cons associated with each solution. for example autodiscover.microsoft. Return to top Scenario 4: Using the Autodiscover Service with Redirection Until the release of the update rollup for Outlook 2007. they will see a dismissible warning messaging asking them to verify that they are being redirected to a trusted URL.contoso.80. Note: Similar to using two single-name certificates. mail. One option is to obtain a second certificate and install it on a second Web site which will be specifically used for Autodiscover. If this describes your situation. In this case.contoso. Clients that connect from the Internet will at first be unable to find Autodiscover by using DNS. this kind of deployment can also be used for organizations that are not hosting multiple domains. 
The second certificate has a common name that references the FQDN for the Autodiscover service. When these Internetbased Outlook clients connect to this redirection site. this kind of deployment scenario was. one certificate is issued with the common name that is used as the entry point for clients that connect from the Internet. as described in How the Autodiscover Service Works earlier in this white paper. you install a single-name certificate on the Default Web Site and create another Web site that contains no certificate. this solution also requires a second public IP address which must be assigned to the second Web site. The effort involved in implementing and managing each solution over the long term may result in increased the total cost of ownership depending on your environment. for example. before failing to connect to the Autodiscover service.com. described in Microsoft Knowledge Base article 939184 and referred to in Scenario 2: Using One Single-Name Certificate earlier in this white paper.aspx 3/2/2010 . However.com/en-us/library/bb332063(EXCHG. Domain-connected clients continue to locate the Autodiscover service by using the SCP object and will not receive any security warnings as long as the URL for connecting to the Autodiscover service which is stored in the SCP object has been changed to refer to the FQDN of the certificate installed on the Default Web Site.White Paper: Exchange 2007 Autodiscover Service Page 9 of 41 Return to top Scenario 3: Using Two Single-Name Certificates Sometimes you cannot use a certificate that supports multiple DNS names. there are alternative solutions you can implement to address these types of scenarios which will ultimately give you the same level of functionality.com. However. The Default Web Site will host your primary Exchange features and services such as Outlook Web Access and Exchange ActiveSync while the second Web site will be used to host the Autodiscover service. In this scenario. 
Scenario: Single certificate that supports multiple DNS names
    Pros: Easy to implement; supports all client connections; Microsoft-recommended best practice
    Cons: Higher cost certificate type (Unified Communications certificate)

Scenario: One single-name certificate and Web site
    Pros: Easy to implement; supports all client connections; least expensive; ideal for hosters if the DNS provider supports SRV records
    Cons: Requires additional configuration if used together with either ISA Server 2004 or ISA Server 2006; requires modification of the SCP object and the Exchange services URLs; requires the Outlook 2007 update rollup described in Microsoft Knowledge Base article 939184, Description of the update rollup for Outlook 2007: June 27, 2007 [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=939184 ], to support the Autodiscover SRV record if you also deploy Outlook Anywhere; the DNS provider may not support the Autodiscover SRV record

Scenario: Two single-name certificates and Web sites
    Pros: Lower cost than using a Unified Communications certificate; both sites are secured with SSL
    Cons: Requires an additional public IP address; complex to set up and maintain

Scenario: Single certificate with redirect
    Pros: Can be done by using your existing certificate; no additional cost; ideal for hosters if the DNS provider does not support SRV records
    Cons: Requires an additional public IP address; somewhat complex to set up

Scenario: Single certificate generated by using Windows Certificate Services
    Pros: Smallest upfront costs; supports all client connections
    Cons: Highest total cost of ownership for administrators and end users

Note: Whichever solution you implement to replace the default self-signed certificate, your internal Outlook 2007 users may report that they receive the following security warning when they start Outlook: "The name of the security certificate is invalid or does not match the name of the site." The warning appears whenever the host name in the URL that the client uses (for domain-connected clients, the URL stored in the SCP object) is not one of the names on the certificate. For more information about this security warning, see Microsoft Knowledge Base article 940726, Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site" [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=940726 ].
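The lookup order that Scenarios 3 and 4 rely on (HTTPS on the SMTP domain, HTTPS on the autodiscover host, the unauthenticated HTTP redirect, and the SRV record that Scenario 2 adds) can be exercised from an Internet-connected machine before users report warnings. The following PowerShell script is an added example and is not part of this white paper or of any Microsoft tool. It performs each step the way a non-domain-joined Outlook 2007 client does and reports the HTTP status, the redirect target, and any certificate name or chain error, which is exactly what produces the Outlook warnings discussed above. The domain contoso.com and the address user@contoso.com are placeholders. The POST is sent without credentials on purpose: a 401 response proves the endpoint exists and shows which certificate it presents without sending a password to an unverified host.

```powershell
# Added example (not from the white paper): probe the Autodiscover lookup order used by an
# Internet (non-domain-joined) Outlook 2007 client and report what each step returns.
# Placeholders: contoso.com and user@contoso.com. Needs only .NET plus, for the SRV step,
# Resolve-DnsName (Windows 8 / Server 2012 and later) or nslookup.
param(
    [string]$SmtpDomain = 'contoso.com',
    [string]$EmailAddress = "user@$SmtpDomain"
)

# Minimal Outlook-style Autodiscover request body.
$requestXml = @"
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

# Record certificate problems (name mismatch, untrusted chain) instead of letting them abort the
# probe, so the certificate that was actually presented can be reported. The callback is cleared
# again at the end of the script; never leave it in place for real traffic.
$script:tlsErrors = @()
[Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $certificate, $chain, $policyErrors)
    if ($policyErrors -ne [Net.Security.SslPolicyErrors]::None) {
        $script:tlsErrors += "$policyErrors (presented: $($certificate.Subject))"
    }
    $true
}

function Invoke-AutodiscoverProbe {
    param([string]$Url, [string]$Method = 'POST')
    $script:tlsErrors = @()
    $status = $null; $location = $null
    try {
        $req = [Net.HttpWebRequest]::Create($Url)
        $req.Method = $Method
        $req.Timeout = 10000
        $req.AllowAutoRedirect = $false          # show the redirect target; do not follow it
        if ($Method -eq 'POST') {
            # No credentials: a 401 proves the endpoint exists and shows its certificate.
            $req.ContentType = 'text/xml'
            $body = [Text.Encoding]::UTF8.GetBytes($requestXml)
            $req.ContentLength = $body.Length
            $stream = $req.GetRequestStream()
            $stream.Write($body, 0, $body.Length)
            $stream.Close()
        }
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()
    } catch [Net.WebException] {
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode   # e.g. 401 from the Autodiscover vdir
            $location = $_.Exception.Response.Headers['Location']
        } else {
            $status = $_.Exception.Status.ToString()          # e.g. NameResolutionFailure
        }
    }
    New-Object PSObject -Property @{
        Step = $Url; Method = $Method; Status = $status; Location = $location
        TlsErrors = ($script:tlsErrors -join '; ')
    }
}

function Get-AutodiscoverSrvTarget {
    param([string]$Domain)
    $name = "_autodiscover._tcp.$Domain"
    if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
        $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority | Select-Object -First 1
        if ($rec) { return "$($rec.NameTarget):$($rec.Port)" }
    } else {
        # Older Windows: parse nslookup's English "port = ..." / "svr hostname = ..." lines.
        $out = (nslookup -type=SRV $name 2>$null) | Out-String
        if ($out -match 'port\s*=\s*(\d+)[\s\S]*?svr hostname\s*=\s*(\S+)') { return "$($matches[2]):$($matches[1])" }
    }
    return $null
}

$results = @()
$results += Invoke-AutodiscoverProbe "https://$SmtpDomain/autodiscover/autodiscover.xml"
$results += Invoke-AutodiscoverProbe "https://autodiscover.$SmtpDomain/autodiscover/autodiscover.xml"
$results += Invoke-AutodiscoverProbe "http://autodiscover.$SmtpDomain/autodiscover/autodiscover.xml" -Method GET
$srvTarget = Get-AutodiscoverSrvTarget $SmtpDomain
if ($srvTarget) {
    $results += Invoke-AutodiscoverProbe "https://$srvTarget/autodiscover/autodiscover.xml"
} else {
    $results += New-Object PSObject -Property @{ Step = "SRV _autodiscover._tcp.$SmtpDomain"; Method = 'DNS'; Status = 'no record'; Location = $null; TlsErrors = '' }
}
[Net.ServicePointManager]::ServerCertificateValidationCallback = $null

$results | Format-Table Step, Method, Status, Location, TlsErrors -AutoSize

# Outlook connects without a warning only at an HTTPS step that answers 200 or 401 with a clean
# certificate. An HTTP step answering 302 to an https:// URL is the Scenario 4 path, which
# Outlook follows only after the user confirms the target.
$usable = $results | Where-Object { $_.Step -like 'https://*' -and ((200, 401) -contains $_.Status) -and -not $_.TlsErrors }
if ($usable) { 'Warning-free endpoint(s): ' + (($usable | ForEach-Object { $_.Step }) -join ', ') }
else         { 'No HTTPS endpoint answered with a certificate the client would accept.' }
```

Save the script as, for example, Probe-Autodiscover.ps1 and run it from outside the corporate network as `.\Probe-Autodiscover.ps1 -SmtpDomain contoso.com`. In Scenario 1 the second HTTPS step should answer 401 with no TLS error; in Scenario 2 the SRV step should; in Scenario 3 the second HTTPS step should present the autodiscover.contoso.com certificate; in Scenario 4 the HTTP step should answer 302 with an https:// Location on the Default Web Site. A RemoteCertificateNameMismatch entry on a step is the server-side cause of the Outlook certificate warning described in the note above.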

How to Configure the Autodiscover Service for Internet Access

This section describes how to configure the Autodiscover service in the following four scenarios:

Scenario 1: Using a certificate that supports multiple DNS names
Scenario 2: Using one single-name certificate
Scenario 3: Using two single-name certificates
Scenario 4: Using the Autodiscover service with redirection

The following table outlines the various requirements for each scenario.

Requirements                                              Scenario 1  Scenario 2  Scenario 3  Scenario 4
Primary IP address                                        Yes         Yes         Yes         Yes
Secondary IP address                                      No          No          Yes         Yes
Primary public IP resolving to Default Web Site*          Yes         Yes         Yes         Yes
Secondary public IP resolving to Autodiscover Web site**  No          No          Yes         Yes
Number of certificates                                    1           1           2           1
Modification of SCP object                                No          Yes         Yes         Yes
Modification of Web services URLs                         No          Yes         Yes         Yes

* Must resolve to the host name that users use to connect to Exchange services, for example, mail.contoso.com.
** Must resolve to the FQDN for the Autodiscover service, for example, autodiscover.contoso.com.

Scenario 1: How to Use a Certificate That Supports Multiple DNS Names

This section discusses how to configure the Autodiscover service by using either a Unified Communications certificate or a certificate created internally by using Windows Certificate Services. We recommend that you use a Unified Communications certificate that supports Subject Alternative Names. The list of third-party certification authorities (CAs) that currently support Subject Alternative Names is documented in Microsoft Knowledge Base article 929395, Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007 [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=929395 ]. The following procedures describe how to create a certificate request for submission to a third-party CA and how to use your own internal PKI by using Windows Certificate Services.

Step 1: Create the Certificate Request

To create a certificate request for a third-party certification authority

Create the certificate request for submission to your third-party certification authority (CA). On the Client Access server, open the Exchange Management Shell and enter the following:

    New-ExchangeCertificate -GenerateRequest -DomainName mail.contoso.com, autodiscover.contoso.com -FriendlyName contosoinc -KeySize 2048 -PrivateKeyExportable:$True -SubjectName "C=US, O=contoso inc, CN=server01.contoso.com" -Path c:\certrequest.txt

Important: If your internal DNS namespace differs from your external namespace, add the internal names to the DomainName parameter as well. For example, you might enter something similar to the following:

    New-ExchangeCertificate -GenerateRequest -DomainName mail.contoso.com, autodiscover.contoso.com, server01.contoso.local, server01 -FriendlyName contosoinc -KeySize 2048 -PrivateKeyExportable:$True -SubjectName "C=US, O=contoso inc, CN=server01.contoso.com" -Path c:\certrequest.txt

Note: You may be asked to include additional parameters or may be unsure what to enter for the SubjectName. Confirm the required parameters and necessary information with the CA vendor. Use a key size of at least 2048 bits; public CAs no longer issue certificates for shorter RSA keys. Public CAs also no longer issue certificates that contain internal names such as server01.contoso.local or the bare host name server01; if you need those names on the certificate, obtain it from your own CA (see Step 1a), or use the same namespace internally and externally so that the internal names do not have to appear on the certificate.

Important: Make sure to include the PrivateKeyExportable parameter and set the value to $true if you plan to use the certificate on additional Client Access servers and ISA Server computers. After you request the certificate, see "Step 2: Install the Certificate" later in this section.

Step 1a (Optional): Install Windows Certificate Services and Request a Certificate

You can use Windows Certificate Services to create and manage your own SSL certificates. For additional details about how to manage your own Public Key Infrastructure for Windows Server 2003, see the following resources:

Public Key Infrastructure for Windows Server 2003 [ http://go.microsoft.com/fwlink/?LinkId=21763 ]
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure [ http://go.microsoft.com/fwlink/?LinkId=17800 ]

The following procedure describes how to install Windows Certificate Services and request an SSL certificate.

To create a certificate request internally by using Windows Certificate Services

1. If you have not already done this, install Windows Certificate Services on a server that is running Windows Server 2003 in your messaging infrastructure: on that server, open Add/Remove Windows Components and install Certificate Services.
   Note: During installation of Certificate Services, you will be prompted to select the type of CA to install. Select the option to install an Enterprise CA and complete the wizard.
2. To create the certificate request, on the Client Access server, open the Exchange Management Shell and enter the following:

    New-ExchangeCertificate -GenerateRequest -DomainName mail.contoso.com, autodiscover.contoso.com -PrivateKeyExportable:$True -Path c:\certreq.txt

   Important: The first DNS name following the DomainName parameter automatically becomes the common name associated with the certificate. Be certain that you enter the FQDN that users will use to connect to services including Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere.
   Note: If your internal DNS namespace differs from your external namespace, add the internal names to the DomainName parameter as well. For example, you might enter something similar to the following:

    New-ExchangeCertificate -GenerateRequest -DomainName mail.contoso.com, autodiscover.contoso.com, machinename.contoso.local -PrivateKeyExportable:$True -Path c:\certreq.txt

3. On your Client Access server, open Internet Explorer and enter the URL of the Certificate Services Web enrollment page that is hosted on the server where you installed Certificate Services, for example, http://CAS01/certsrv or https://CAS01/certsrv. The process is the same for each.
4. Click Request a certificate.
5. Click Advanced certificate request, and then select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
6. Paste the contents of the certreq.txt file that you created in step 2 into the Saved Request field.
7. Under Certificate Template, select Web Server.
8. Click Submit.
9. Click Download certificate, and then save the CER file to drive C, for example, c:\certnew.cer.

Step 2: Install the Certificate

The following procedure describes how to import and enable a third-party certificate or one that you created internally by using Windows Certificate Services.

To install and enable the SSL certificate by using the Exchange Management Shell

To install and enable an SSL certificate, open the Exchange Management Shell on the Client Access server and run the following command:

    Import-ExchangeCertificate -Path <full path to cert file> | Enable-ExchangeCertificate -Services IIS

The Import-ExchangeCertificate cmdlet installs the certificate in the Personal certificate store on the server, and the Enable-ExchangeCertificate cmdlet binds the certificate to the Web site.

Step 3: (Optional) Administering and Using Root Certificates for End Users

Domain-connected clients will typically obtain the root certificate automatically by using Group Policy. However, there are circumstances when this may not work correctly. If domain-connected clients cannot automatically install the root certificate, you can manually configure a Group Policy object to distribute certificates that will be trusted by all member computers of the domain. For more information about how to add a trusted root CA to a Group Policy object, see Add a trusted root certification authority to a Group Policy object [ http://go.microsoft.com/fwlink/?LinkId=100605 ].

To obtain the root certificate from Certificate Services
1. Open Internet Explorer on a domain-connected computer, and then enter the URL of the Certificate Services Web enrollment page.
2. Select the Download a CA certificate, certificate chain, or CRL option.
3. Select the Download a CA certificate option.
4. Save the .cer file to the desktop and name it root.cer.

Distribute the CER file to your remote users by using e-mail, an FTP site, or another method. Because a certificate installed in Trusted Root Certification Authorities lets its holder impersonate any TLS site to that user, distribute it through a channel the user can verify, and publish the certificate's thumbprint so that the user can compare it on the Details tab before installing.

To install the root certificate on your Outlook 2007 clients
1. Copy the root certificate to the desktop.
2. Double-click the root certificate.
3. In the Certificate dialog box, on the General tab, click Install Certificate.
4. In the Certificate Import Wizard, click Next.
5. Select Place all certificates in the following store, and then click Browse.
6. In the Select Certificate Store window, select Trusted Root Certification Authorities, and then click OK.
7. Click Next, and then click Finish.

To install a certificate on a Windows Mobile device

Important: Installing a root certificate on a mobile device requires that you connect the device to your Windows computer. If you are running Windows XP, you must install the latest version of the desktop ActiveSync application. If you are running Windows Vista, you can use the integrated Windows Mobile Device Center in Control Panel, but you must first download the Windows Mobile Device Center application.

1. Open Windows Explorer, and then locate My Computer.
2. Double-click the Mobile Device icon to view the folders on your device.
3. Right-click the root certificate .cer file on the local computer, and then click Copy.
4. Right-click the folder where you want to copy the root certificate, and then click Paste.
5. When the root certificate has been copied to the device, close Windows Explorer.
6. On your device, open File Explorer, and then locate the folder where you copied the root certificate.
7. Select the root certificate.
8. When you are prompted to install the certificate, click Yes.
   Important: You will not receive a message to let you know that the installation was successful.

Step 4: Create the Necessary Host Records in DNS

In most cases, you will already have a host record in external DNS for the host name that your users use to connect to your Exchange messaging infrastructure by using Outlook Web Access, Exchange ActiveSync, or Outlook Anywhere, for example, mail.contoso.com. For the Autodiscover service to function correctly, you must add an additional host record for the Autodiscover name on the certificate, for example, autodiscover.contoso.com, so that Outlook 2007 clients can locate and connect to the Autodiscover service when they use the Outlook Anywhere feature from the Internet. The host record you create should map to the public IP address that is used as the entry point to your Client Access server.

Step 5: Configure the Exchange Services URLs

Now that you have configured SSL for your Autodiscover service deployment scenario, you must configure your Exchange services for external access. Clients that are not domain-connected will connect by using the External URLs that you enter as part of this procedure. Conversely, domain-connected clients will reference the internal URLs for the Exchange services that were set automatically when the Client Access server role was installed. For more information, see How to Configure Exchange Services for the Autodiscover Service later in this white paper.

Summary of Scenario 1

After you configure Exchange to use an SSL certificate that supports multiple DNS names and modify the Exchange services URLs as needed, domain-connected clients will locate the Autodiscover service by referencing the SCP object. Conversely, clients that are not domain-connected will not locate the SCP object and will fail over to using DNS. If your certificate includes all the necessary DNS names, both domain-connected and non-domain-connected clients will be able to connect to the Autodiscover service without receiving security warnings that result from mismatched names.

Scenario 2: How to Use One Single-Name Certificate

This section describes how to use one single-name certificate where the common name of the certificate references the host name users will use to connect to Exchange from the Internet, for example, mail.contoso.com.

Step 1: Install a Certificate on the Default Web Site

The procedures in the following section assume that you have already obtained a valid third-party SSL certificate that uses the common name your users will use to connect to your Exchange messaging infrastructure. The first option describes how to use a preexisting certificate that you export from an existing Exchange server that runs an earlier version of Exchange. The second option describes how to use a new third-party certificate.

If you must create a certificate request, see "Step 1: Create the Certificate Request" in the Scenario 1: How to Use a Certificate That Supports Multiple DNS Names section earlier in this white paper.

Option 1: Using an Existing SSL Certificate

The following procedures describe how to use an existing SSL certificate that you have already implemented for an earlier version of Exchange.

To use an existing SSL certificate from an earlier version of Exchange
1. Using IIS Manager on the server that runs the earlier version of Exchange, export the existing certificate in PFX format by following these steps:
   a. In IIS Manager, right-click Default Web Site, click Properties, and then click the Directory Security tab.
   b. Click Server Certificate.
   c. In the Web Server Certificate Wizard, select the Export the current certificate to a .pfx file option, and then click Next.
   d. Name the file, and then save it to a location that you will use later.
   e. Enter a password, and then click Next.
   f. Click Finish.
   The .pfx file contains the private key. Use a strong password, copy the file to the Client Access server over a protected channel, and delete every copy after the import succeeds.
2. Import the certificate into the Personal store on the Client Access server by following these steps:
   a. In the Certificates snap-in for MMC, expand the top-level Certificates (Local Computer).
   b. Right-click Personal, click All Tasks, and then click Import.
   c. In the Certificate Import Wizard, click Browse, locate the .pfx file that you copied to the Client Access server, and then click Next.
   d. Enter the password that you applied to the .pfx file, and then select the Mark this key as exportable check box.
   e. Select Place all certificates in the following store, select Personal, and then click Next.
   f. Click Next, and then click Finish.
3. Determine the Thumbprint attribute of the imported certificate. To do this, open the Exchange Management Shell and run the following command:

    Get-ExchangeCertificate | fl

4. Locate the certificate that you just imported, copy the certificate's thumbprint, and then run the following command:

    Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services IIS

Option 2: Using a New Single-Name Certificate

Use the Exchange Management Shell on your Client Access server to install and enable your new third-party certificate.

To use the Exchange Management Shell to install and enable a new third-party SSL certificate

On the Client Access server, open the Exchange Management Shell, and then run the following command:

    Import-ExchangeCertificate -Path <full path to CER file> | Enable-ExchangeCertificate -Services IIS

Step 2: Modify the Service Connection Point

By default, the URL for the Autodiscover service that Exchange 2007 Setup stores in the SCP object in Active Directory references the internal FQDN of the Client Access server. You will use the Set-ClientAccessServer cmdlet to modify this URL so that it points to the new location (FQDN) for the Autodiscover service, for example, mail.contoso.com. The host name in this URL must be the name on the certificate that is bound to the Default Web Site; otherwise domain-connected Outlook 2007 clients receive the certificate name warning described in Microsoft Knowledge Base article 940726.

Important: You must repeat this step for every Client Access server that is installed in your Exchange messaging infrastructure.

To use the Exchange Management Shell to change the internal URL for the Autodiscover service

In the Exchange Management Shell, run the following command:

    Set-ClientAccessServer -Identity <servername> -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Step 3: Configure the Exchange Services URLs

Now that you have configured SSL for your Autodiscover service deployment scenario, you must configure your Exchange services for external and internal access. For more information, see How to Configure Exchange Services for the Autodiscover Service later in this white paper.

Step 4: Implementing the Autodiscover SRV Record for Outlook Anywhere Users

Because this solution uses one single-name certificate, clients that are not domain-connected and that run Outlook 2007 will receive a security warning when they connect to the Autodiscover service, because the autodiscover host name they try first is not on the certificate. If your external DNS provider supports Autodiscover SRV records, you can address this issue with an Outlook 2007 software update. When this software update is applied, Outlook 2007 clients perform an additional check for a DNS SRV record to locate the Autodiscover service, which does not require multiple Web sites and IP addresses or a new Unified Communications SSL certificate. Although this still requires you to add a DNS record for the Autodiscover service, you will not have to use a certificate that supports multiple DNS names or administer a second Web site. The record has the form _autodiscover._tcp.contoso.com, type SRV, priority 0, weight 0, port 443, with mail.contoso.com as the target host; the target must be a name on the certificate so that the client's HTTPS connection to it produces no warning. To obtain this update, see Microsoft Knowledge Base article 939184, Description of the update rollup for Outlook 2007: June 27, 2007 [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=939184 ]. For more information about this software update for Outlook 2007, see Microsoft Knowledge Base article 940881, A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=940881 ].

Summary of Scenario 2

In this scenario you installed a single-name certificate where the common name of the certificate references the host name users will use to connect to Exchange from the Internet. This solution required that you modify the SCP and the internal URLs of the Exchange services because the FQDN on the certificate differs from the FQDN referenced in the SCP and in the internal URLs for the Exchange services. This solution also requires an Outlook 2007 software update that supports Autodiscover SRV records. This solution is most efficient if the following conditions are true:

You do not want the additional administrative overhead of managing multiple Web sites and IP addresses.
Your external DNS provider supports SRV records.

Scenario 3: How to Use Two Single-Name Certificates

This section describes how to use two single-name certificates, where the common name of one certificate references the host name users will use to connect to Exchange from the Internet, for example, mail.contoso.com, and the common name on the second certificate references the Autodiscover host name, for example, autodiscover.contoso.com. The existing certificate will typically be exported from a legacy Exchange server or will be a certificate that was recently purchased. Either way, that certificate does not include a DNS name for the Autodiscover service, so you must obtain a second certificate for the Autodiscover Web site.

A client that is not domain-connected will first try to locate the Autodiscover service by using the SCP object. Because the client cannot contact Active Directory, it will fail over and try to locate the Autodiscover service by using the following URLs in DNS: https://contoso.com/autodiscover/autodiscover.xml and then https://autodiscover.contoso.com/autodiscover/autodiscover.xml. If both of these requests are unsuccessful, the request fails over to the HTTP redirect algorithm, and finally the client tries one more method: it checks for an Autodiscover SRV record in DNS, and then connects. In this scenario the second HTTPS URL is answered by the Autodiscover Web site, which has a certificate issued for autodiscover.contoso.com, so the client connects at that step without a warning.

Step 1: Adding a Second IP Address to Your Network Adapter

The first step in this process involves adding a second IP address to the network adapter on your Client Access server.

To add a second IP address to your network adapter
1. On the Exchange 2007 Client Access server, open the properties of your network adapter.
2. Select Internet Protocol, and then click Properties.
3. Click Advanced.
4. Under IP addresses, click Add, and then, in the TCP/IP Address dialog box, enter an available IP address in the IP address text box, as shown in the following figure.
5. After you have entered an available IP address, click Add.

Step 2: Create Required DNS Records

In most cases, you will already have a host record in external DNS for the host name that users use to connect to Exchange from the Internet, for example, mail.contoso.com. You must also add an additional host record for the Autodiscover service, for example, autodiscover.contoso.com, so that Outlook 2007 clients can find and connect to the Autodiscover service when they use Outlook Anywhere from the Internet. This host record should map to a second public IP address that points to another entry point to your Client Access server.

The following procedure describes how to create the host record in internal DNS for the host name that is referenced in the common name of the certificate on the Default Web Site, for example, mail.contoso.com.

Note: If your internal DNS namespace differs from your external namespace, you must create an additional DNS zone that matches your external namespace, for example, contoso.com, and then create the host record within that zone.

To create the required host records in internal DNS
1. Open DNS Manager, and then expand the Forward Lookup Zones container.
2. Right-click your DNS zone, and then click New Host (A).
3. Enter "mail" for the host name that is being used on the Default Web Site, and then assign it the local IP address that is assigned to the Default Web Site.

Step 3: Install a Certificate on the Default Web Site

The procedures in the following section assume that you have already obtained a valid third-party SSL certificate that uses the common name your users will use to connect to your Exchange messaging infrastructure. The first option describes how to use a preexisting certificate that you export from an existing Exchange server that is running an earlier version of Microsoft Exchange. The second option describes how to use a new third-party certificate. If you must create a certificate request, see "Step 1: Create the Certificate Request" in the Scenario 1: How to Use a Certificate That Supports Multiple DNS Names section earlier in this white paper.

Option 1: Using an Existing SSL Certificate

The following procedures describe how to use an existing SSL certificate that you have already implemented for an earlier version of Microsoft Exchange.

To use an existing SSL certificate from an earlier version of Exchange
1. Using IIS Manager on the server that runs the earlier version of Exchange, export the existing certificate in PFX format by using the following procedure:
   a. In IIS Manager, right-click Default Web Site, click Properties, and then click the Directory Security tab.
   b. Click Server Certificate.
   c. In the Web Server Certificate Wizard, select the Export the current certificate to a .pfx file option, and then click Next.
   d. Name the file and save it to a location that you will use later.
   e. Enter a password, and then click Next.
   f. Click Finish.
   The .pfx file contains the private key. Use a strong password, copy the file to the Client Access server over a protected channel, and delete every copy after the import succeeds.
2. Import the certificate into the Personal store on the Client Access server by following these steps:
   a. In the Certificates snap-in for MMC, expand the top-level Certificates (Local Computer).
   b. Right-click Personal, select All Tasks, and then click Import.
   c. In the Certificate Import Wizard, click Browse, locate the .pfx file that you copied to the Client Access server, and then click Next.
   d. Enter the password that you applied to the .pfx file, and then select the Mark this key as exportable check box.
   e. Select Place all certificates in the following store, select Personal, and then click Next.
   f. Click Next, and then click Finish.
3. To determine the Thumbprint attribute of the imported certificate, open the Exchange Management Shell and run the following command:

    Get-ExchangeCertificate | fl

4. Locate the certificate that you just imported, copy the thumbprint of the certificate, and then run the following command:

    Enable-ExchangeCertificate -Thumbprint <thumbprint_of_new_certificate> -Services IIS

Option 2: Using a New Single-Name Certificate

Use the Exchange Management Shell on your Client Access server to install and enable your new third-party certificate.

To use the Exchange Management Shell to install and enable a new third-party SSL certificate

On the Client Access server, in the Exchange Management Shell, run the following command:

    Import-ExchangeCertificate -Path <full path to CER file> | Enable-ExchangeCertificate -Services IIS

Step 4: Configure the Default Web Site

The next step in this process is to bind the Default Web Site to your primary IP address by using IIS Manager, so that the second IP address remains free for the Autodiscover Web site. The following procedure describes this process.

To configure the Default Web Site by using IIS Manager
1. In IIS Manager, expand Web Sites, right-click Default Web Site, and then click Properties.
2. By default, the IP address is set to All Unassigned. Select your primary IP address and assign it to the Default Web Site.
3. Click Advanced, click Edit, and then change the IP assignment for port 443 to the primary IP address.

Step 5: Configure the Autodiscover Web Site

The next step in this process is to create the Autodiscover Web site by using IIS Manager. The following procedure describes this process.

To configure the new Autodiscover Web site
1. In IIS Manager, right-click Web Sites, click New, and then select Web Site.
2. When the Web Site Creation Wizard opens, click Next.
3. On the Web Site Description page, in the Description field, enter the name of your Web site, for example, "Autodiscover Web Site", and then click Next.
4. On the IP Address and Port Settings page, select the second IP address that you added from the drop-down list, and then click Next.

5. On the Web Site Home Directory page, select c:\Inetpub\wwwroot, leave the Allow anonymous access check box selected, and then click Next.
6. On the Web Site Access Permissions page, accept the default setting for Read permission, click Next, and then click Finish.

Step 6: Installing a Certificate on the Autodiscover Web Site

The following procedure assumes that you have already obtained a valid third-party certificate with the common name users will use to connect to the Autodiscover service, for example, autodiscover.contoso.com. Because the Enable-ExchangeCertificate cmdlet only works for certificates installed on the Default Web Site, you must use IIS Manager to install this certificate on the Autodiscover Web site.

To use the Exchange Management Shell and IIS Manager to install and enable a new third-party SSL certificate
1. In the Exchange Management Shell, enter the following command to import the second certificate into the Personal certificate store on the server:

    Import-ExchangeCertificate -Path <full_path_to_CER_file>

2. In IIS Manager, expand Web Sites, right-click the Autodiscover Web Site, and then click Properties.
3. On the Directory Security tab, click the Server Certificate button.
4. When the Web Server Certificate Wizard opens, click Next.
5. On the Server Certificate page, select Assign an existing certificate, and then click Next.

6. On the Available Certificates page, select the certificate that was provided by your CA for the Autodiscover Web site, and then click Next.
7. On the SSL Port page, accept the default setting of 443, and then click Next.
8. On the Certificate Summary page, confirm that the details are correct, click Next, and then click Finish to complete the Web Server Certificate Wizard.

Step 7: Create a New Autodiscover Virtual Directory

After you have configured the new Autodiscover Web site in IIS, use the Exchange Management Shell to create a new Autodiscover virtual directory under it.

To use the Exchange Management Shell to create a new Autodiscover virtual directory

In the Exchange Management Shell, run the following command:

    New-AutodiscoverVirtualDirectory -WebSiteName "Autodiscover Web Site"

Note: The name of the Web site that you enter is case-sensitive.

Step 8: Modify the SCP Object

By default, the URL for the Autodiscover service that Exchange 2007 Setup stores in the SCP object in Active Directory references the internal FQDN of the Client Access server. You will use the Set-ClientAccessServer cmdlet to modify this URL so that it points to the new location (FQDN) for the Autodiscover service. The name you use must be one that internal DNS resolves to the Client Access server and that appears on the certificate of the Web site at that address: mail.contoso.com directs domain-connected clients to the Autodiscover virtual directory on the Default Web Site, for which you created the internal host record in Step 2. If you instead point the SCP at autodiscover.contoso.com, add an internal host record for that name that resolves to the secondary IP address of the Autodiscover Web site.

Important: You must repeat this step for every Client Access server that you install in your Exchange messaging infrastructure.

To use the Exchange Management Shell to change the internal URL for the Autodiscover service

In the Exchange Management Shell, run the following command:

    Set-ClientAccessServer -Identity <servername> -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Step 9: Configure the Exchange Services URLs

Now that you have configured SSL for your Autodiscover service deployment scenario, you must configure your Exchange services for external and internal access. For more information, see How to Configure Exchange Services for the Autodiscover Service later in this white paper.

Summary of Scenario 3

After you configure Exchange to use two single-name certificates and Web sites, domain-connected clients will connect to the Autodiscover service hosted under the Default Web Site, which they find by using the SCP object. Conversely, non-domain-connected clients will locate the Autodiscover service by using DNS and connect to the Autodiscover service hosted under the second Web site. Because each Web site contains a valid certificate, all clients should be able to connect without receiving any security warnings.

Click Advanced.com/en-us/library/bb332063(EXCHG. Return to top Scenario 4: How to Use a Single SSL Certificate and the Autodiscover Redirect Web Site The following section describes how to configure the Autodiscover service when you use one singlename certificate with an SSL Web site in addition to a second Web site responsible for redirecting incoming requests over port 80 to the Autodiscover virtual directory set to accept requests over port 443. 4. To add a second IP address to your network adapter 1.80. On the Exchange 2007 Client Access server.printer).aspx 3/2/2010 . 3. Note: These steps assume that you have already obtained a valid third-party certificate with the common name users will be using to connect to Exchange from the Internet which is installed on the Default Web Site of your Client Access server. all clients should be able to connect without receiving any security warnings.contoso. for example. review the optional information that appears after the following steps. open the properties of your network adapter. Step 1: Adding a Second IP Address to Your Network Adapter The first step in this process involves adding a second IP address to your network adapter on your Client Access server.White Paper: Exchange 2007 Autodiscover Service Page 25 of 41 Web site contains a valid certificate. Select Internet Protocol and then click Properties. http://technet. Note: If you are a large-scale hoster and unable to implement Scenario 2.microsoft.com. 2. mail. Under IP addresses. click Add and then enter an available IP address.

Step 2: Create Required DNS Records

In most cases, you will already have a host record in external DNS for the host name users will be using to connect to Exchange from the Internet, for example, mail.contoso.com. You must also add an additional host record for the Autodiscover service so that Outlook 2007 clients can find and connect to the Autodiscover service when they use Outlook Anywhere from the Internet. This host record should map to a second public IP address that points to another entry point to your Client Access server. The following procedure describes how to create the required host records in internal DNS.

To create the required host records in internal DNS

1. Open DNS Manager and expand the Forward Lookup Zones container.
2. Right-click your DNS zone, for example, contoso.com, and then click New Host (A).
3. Enter "autodiscover" and the second IP address which you already assigned to your network adapter.

4. Create an additional host record for the host name being used on the Default Web Site, for example, mail.contoso.com, and assign it the local IP address which is assigned to the Default Web Site.

Step 3: Configure the Default Web Site

The next step in this process is to configure the Default Web site. By default, the IP address will be assigned to All Unassigned. The following procedure describes this process.

To configure the Default Web Site

1. In IIS Manager, right-click the Default Web Site and then click Properties.
2. Select your primary IP address and assign it to the Default Web Site.
3. Click Advanced, and then click Edit and change the IP assignment for port 443 to the primary IP address.

Step 4: Create a New Autodiscover Directory Structure

The following procedure describes how to create a new Autodiscover directory structure which will be used by the Autodiscover redirect Web site that you create in the next step.

To create a new Autodiscover directory structure

1. On the Client Access server, open a new Windows Explorer window, and then locate C:\Inetpub.
2. Create a new folder under c:\Inetpub named Autodiscover.
3. Create a subfolder under c:\Inetpub\Autodiscover named Autodiscover.
4. Create a new blank text file, and then name it autodiscover.xml.

Step 5: Create the Autodiscover Redirect Web Site

To use IIS Manager to create the Autodiscover redirect Web site

1. In IIS Manager, right-click Web Sites, and then click New Web Site.
2. In the New Web Site Wizard, in the Description box, enter the name of the Web site, for example, Autodiscover Web Site, and then click Next.
3. In the IP Address and Port Settings window, select the second IP address that you added and then click Next.

4. In the Web Site Home Directory window, browse and then select c:\Inetpub\autodiscover, leave the Anonymous access check box selected, and then click Next.
5. Expand the Autodiscover Web Site and select the Autodiscover virtual directory under the Web site.
6. In the right pane, right-click the autodiscover.xml file, and then select Properties.
7. Select the A redirection to a URL option and enter the URL to the Autodiscover.xml file that is located under the Default Web Site by using the FQDN users will use to connect to Outlook Web Access, Exchange ActiveSync and Outlook Anywhere, for example, https://mail.contoso.com/autodiscover/autodiscover.xml.

Step 6: Modify the Service Connection Point Object

By default, the URL for the Autodiscover service stored in the SCP object in Active Directory will reference the internal FQDN for the Client Access server during Exchange 2007 Setup. For internal users who use Outlook 2007, you will use the Set-ClientAccessServer cmdlet to modify the URL so that it references the common name of the certificate on the Default Web Site.

To use the Exchange Management Shell to change the internal URL for the Autodiscover service

In the Exchange Management Shell, run the following command:

    Set-ClientAccessServer -identity <servername> -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Step 7: Configure the Web Services URLs

Now that you have configured SSL for your Autodiscover service deployment scenario, you must configure your Exchange services for external and internal access. For more information, see How to Configure Exchange Services for the Autodiscover Service later in this white paper.

Optional Deployment Information for a Large-Scale Hosted Environment

For large-scale hosted environments, using a single redirect Web site as discussed earlier may not be appropriate. If you expect heavy Web traffic, you should consider configuring the Autodiscover service so that incoming requests for the Autodiscover service are managed by individual Web sites for each domain. These requests can then be redirected for each hosted domain to the Autodiscover virtual directory under the Default Web Site in Internet Information Services (IIS). To configure this kind of scenario, you create separate Web sites, each with its corresponding DNS entries for each hosted e-mail domain. For example, the domain named contoso.se would be called autodiscover.contoso.se, and the domain named contoso.no would be called autodiscover.contoso.no.

Note: These sites should be configured only for HTTP (port 80) traffic.

The following figure illustrates the Autodiscover service in a hosted environment.

[Figure: The Autodiscover service in a hosted Exchange environment]

In this scenario, you may even host the Autodiscover service on a dedicated Web server if you want. In the site in the previous figure, there is no need for any virtual directories and you do not have to set up SSL certificates. In IIS Manager, configure redirection for each of your sites by modifying each Web site's autodiscover.xml file so that it points to https://mail.contoso.com/autodiscover/autodiscover.xml.

After you configure Exchange to use an SSL certificate with redirection, domain-connected clients will continue locating the Autodiscover service by using the SCP object and connect to the Autodiscover service that is hosted under the Default Web Site. On the other hand, clients that are not domain-connected will be unable to locate the SCP object and fail over to using DNS. These clients will also be unable to locate Autodiscover by using the following URLs:

    https://contoso.com/autodiscover/autodiscover.xml
    https://autodiscover.contoso.com/autodiscover/autodiscover.xml

The clients will instead use an alternative method: an HTTP redirect. When the redirect happens, the client will receive a redirect from the Autodiscover site to the site that is dedicated to handling e-mail. When this occurs, a warning message is displayed in Outlook 2007 that says: Allow this website to configure server settings?

Outlook 2007 lets users turn off the option for this warning message to continue to appear. We recommend that you instruct users to turn off the warning message on their Outlook 2007 clients. Or, you can suppress the Autodiscover redirect warning for HTTP and SRV redirections. To do this, see Microsoft Knowledge Base article 956528, You cannot suppress the Autodiscover redirect warning in Outlook 2007 [ http://go.microsoft.com/fwlink/?linkid=3052&kbid=956528 ].

Additional Deployment Scenarios and Considerations for the Autodiscover Service

If your topology includes multiple sites or forests, other considerations must be addressed when you configure the Autodiscover service to handle these types of Exchange deployments. Additionally, if you are not providing external access to your Exchange messaging infrastructure, there are several steps in the Autodiscover deployment process that you will not have to perform. The following sections describe the scenarios and how to deploy the Autodiscover service in each of these scenarios.

Configuring the Autodiscover Service to Use Site Affinity for Internal Communication

If you manage a large, distributed organization that has Active Directory sites that are separated by low-bandwidth network connectivity, we recommend that you use site affinity for the Autodiscover service for intranet-based traffic. To use site affinity, you specify which Active Directory sites are preferred for clients to connect to a particular Autodiscover service instance. Specifying which Active Directory sites are preferred is also known as configuring site scope. You configure site affinity by using the Set-ClientAccessServer cmdlet. This cmdlet lets you specify the preferred Active Directory sites for connecting to the Autodiscover service on a specific Client Access server. After you configure site affinity for the Autodiscover service, the client will connect to the Autodiscover service as you specified.

For the Autodiscover service to function correctly for Outlook 2007, you must make sure that your Exchange organization meets the following requirements:

- You must have at least one Exchange 2007 Client Access server installed in each Active Directory site where users' mailboxes reside for your Exchange deployment.
- For Exchange features such as the Availability service and Unified Messaging, you must also have the Unified Messaging, Mailbox, and Hub Transport server roles installed in the Exchange messaging environment.

The following example uses a topology that includes one forest with three sites:

US-contoso: A contoso site that is located in North America
Europe-contoso: A contoso site that is located in Europe
APAC-contoso: A contoso site that is located in Asia

In this example, each Active Directory site has Client Access servers and Mailbox servers. The Client Access servers can be reached by using a common internal namespace across all sites. The US-contoso site is connected to the Europe-contoso site by using a high-speed connection. The US-contoso site is connected to the APAC-contoso site by using a low-speed connection. Finally, the APAC-contoso site is connected to the Europe-contoso site by using a high-speed connection. Based on these connectivity factors, you might want to allow users in the US-contoso and Europe-contoso sites to use either the Client Access servers in the US-contoso or the Europe-contoso sites, users in the Europe-contoso site to use any Client Access servers in the organization for the Autodiscover service requests, and users in the APAC-contoso site to use the Client Access servers in the APAC-contoso or the Europe-contoso site.

You can configure site scope for users in the US-contoso site by configuring the Autodiscover site scope correctly on the Client Access servers in the US-contoso Active Directory site. To do this, use the following command.

    Set-ClientAccessServer -Identity "us-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutoDiscoverSiteScope "us-contoso","europe-contoso"

The previous command ensures the following:

- If an Outlook 2007 client is a member of the US-contoso Active Directory site, it will use the US-CAS SCP record for its Autodiscover requests.
- If an Outlook 2007 client is a member of the Europe-contoso Active Directory site, it can use the US-CAS SCP record for its Autodiscover requests.

Additionally, the client will not try to use an APAC-CAS server for Autodiscover requests.

You can configure site scope for users in the APAC-contoso site by configuring the Autodiscover site scope property on the Client Access servers in the APAC-contoso site. To do this, use the following command.

    Set-ClientAccessServer -Identity "apac-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutoDiscoverSiteScope "apac-contoso","europe-contoso"

The previous command ensures the following:

- If an Outlook 2007 client is a member of the APAC-contoso Active Directory site, it will use the APAC-CAS SCP record for its Autodiscover requests.
- If an Outlook 2007 client is a member of the Europe-contoso Active Directory site, it can use the APAC-CAS SCP record for its Autodiscover requests.

Additionally, the client will not try to use a US-CAS server for Autodiscover requests.

Finally, because the Client Access servers in the Europe-contoso Active Directory site are connected to both the US-contoso and APAC-contoso sites by using a high-speed connection, you will want to make sure that users in either of those sites can use the Client Access servers in the Europe-contoso site. To do this, configure the Autodiscover site scope property as follows.

    Set-ClientAccessServer -Identity "europe-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutoDiscoverSiteScope "us-contoso","europe-contoso","apac-contoso"

The previous command ensures that Outlook 2007 clients that are members of the Europe-contoso Active Directory site use the Europe-CAS SCP record for Autodiscover service requests. Additionally, the Outlook client can also use either the US-CAS SCP record or the APAC-CAS SCP record after you run the previous commands.

Therefore, if a user is located in the US-contoso site and tries to locate the Autodiscover service by using Outlook 2007, the Outlook client can select the SCP record from the list in which the site scope equals "us-contoso". In this case, the client will either access a US-CAS server or a Europe-CAS server.
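As an added illustration (not code from the white paper, Exchange or Outlook), the following Python models how an Outlook 2007 client narrows the SCP records it reads from Active Directory by site scope, using the three records that the us-cas, apac-cas and europe-cas commands above publish. The random fallback is the behaviour described for records that carry no scope matching the client's site; `unscoped_sites` is a constructed configuration check that reports which sites would hit that fallback.

```python
"""Model of how an Outlook 2007 client chooses an Autodiscover SCP record
when site affinity (AutoDiscoverSiteScope) is configured.

Added illustration, not Exchange or Outlook code.  The SCP records below
are constructed from the us-cas / apac-cas / europe-cas commands above.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ScpRecord:
    """One Autodiscover SCP object as published by Set-ClientAccessServer."""
    server: str                          # Client Access server name
    url: str                             # AutodiscoverServiceInternalUri
    site_scope: frozenset = frozenset()  # AutoDiscoverSiteScope keywords


INTERNAL_URL = "https://internal.contoso.com/autodiscover/autodiscover.xml"
SITES = ("us-contoso", "europe-contoso", "apac-contoso")

# Records after the three Set-ClientAccessServer commands in the paper.
SCOPED_SCP = (
    ScpRecord("us-cas", INTERNAL_URL, frozenset({"us-contoso", "europe-contoso"})),
    ScpRecord("apac-cas", INTERNAL_URL, frozenset({"apac-contoso", "europe-contoso"})),
    ScpRecord("europe-cas", INTERNAL_URL,
              frozenset({"us-contoso", "europe-contoso", "apac-contoso"})),
)

# Records as Setup leaves them: each server scoped to its own site only.
DEFAULT_SCP = (
    ScpRecord("us-cas", INTERNAL_URL, frozenset({"us-contoso"})),
    ScpRecord("apac-cas", INTERNAL_URL, frozenset({"apac-contoso"})),
    ScpRecord("europe-cas", INTERNAL_URL, frozenset({"europe-contoso"})),
)

# Records with the site scope deleted: Outlook picks one at random.
UNSCOPED_SCP = tuple(ScpRecord(r.server, r.url) for r in SCOPED_SCP)


def candidates(records, client_site):
    """SCP records whose site scope names the client's Active Directory
    site.  Site names are compared case-insensitively.  An empty list means
    no record is scoped to the client's site."""
    site = client_site.lower()
    return [r for r in records if site in {s.lower() for s in r.site_scope}]


def reachable_servers(records, client_site):
    """Names of the Client Access servers a client in client_site may use."""
    return sorted(r.server for r in candidates(records, client_site))


def select_scp(records, client_site, rng=random):
    """The record Outlook uses: one scoped to the client's site when any
    exists, otherwise any record at random, which is the behaviour the
    paper warns may route a request over a low-quality link."""
    scoped = candidates(records, client_site)
    return rng.choice(scoped if scoped else list(records))


def unscoped_sites(records, all_sites=SITES):
    """Configuration check (constructed for this example): sites whose
    users would fall back to a random SCP record because no record names
    their site."""
    return sorted(s for s in all_sites if not candidates(records, s))


if __name__ == "__main__":
    for site in SITES:
        print(f"{site:15} -> {reachable_servers(SCOPED_SCP, site)}")
    print("sites without a scoped record:", unscoped_sites(UNSCOPED_SCP))
```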

If you do not alter the site-scope settings for the Autodiscover service, the Outlook client will only use the Client Access servers in its local site (US-contoso, Europe-contoso, APAC-contoso). If, on the other hand, you delete the site-scope settings, Outlook will randomly select an SCP record for Autodiscover requests. If you did not run the previous commands, a user in the US-contoso Active Directory site would potentially use the APAC-CAS server, the Europe-CAS server, or the US-CAS server. This could result in a poor experience for the end user because the request may go out of the user's Active Directory site and use a low quality network connection.

How to Configure the Autodiscover Service to Use Site Affinity

You can use the Set-ClientAccessServer cmdlet in the Exchange Management Shell to configure the Autodiscover service to use site affinity on a computer that is running Exchange 2007 that has the Client Access server role installed.

Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations [ http://technet.microsoft.com/en-us/library/aa996881(EXCHG.80).aspx ].

To use the Exchange Management Shell to configure site affinity for the Autodiscover service

Run the following command:

    Set-ClientAccessServer -Identity "ServerName" -AutodiscoverServiceInternalURI "https://internalsitename/autodiscover/autodiscover.xml" -AutoDiscoverSiteScope "SiteName"

For more information about syntax and parameters, see Set-ClientAccessServer [ http://technet.microsoft.com/en-us/library/bb125157(EXCHG.80).aspx ].

Configuring the Autodiscover Service for Multiple Forests

You can deploy Microsoft Exchange by using multiple forests. Two of the multiple forest deployment scenarios are the resource forest topology and the multiple trusted forest topology. The following sections describe how the Autodiscover service is used in these two deployment scenarios.

Configuring the Autodiscover Service in a Resource Forest Topology

If you use a resource forest topology, user accounts reside in one forest (known as a user account forest) and Microsoft Exchange is deployed in a separate forest (known as a resource forest). Because the service is hosted in the resource forest, you must update Active Directory in the user account forest to include the information that Active Directory requires to enable the client to access the resource forest. To do this, you must create an Autodiscover SCP pointer record in Active Directory in the user account forest. The Autodiscover SCP pointer record includes the LDAP URL of the resource forest that the client will use to locate the Autodiscover service in the resource forest. In this scenario, the following will occur:

1. The Outlook client contacts Active Directory in the user account forest to locate the URL for the Autodiscover service.

2. Outlook binds to the target forest by using the LDAP URL and retrieves the SCP records.
3. Depending on your SCP record configuration, the following will occur:
   a. If the account forest Active Directory sites are in the resource forest, the Outlook client will retrieve the SCP records for the Outlook client's Active Directory site. If the SCP records do not have a site scope that matches the Outlook client's site, the Outlook client will retrieve an SCP record at random.
   b. If the Active Directory site topology is not being replicated between the user account forest and the resource forest, the Outlook client will retrieve an SCP record at random.
4. The Outlook client connects to the URL that is specified in the SCP record that was obtained and retrieves the required user profile settings by using the Autodiscover service.

Note: To synchronize Active Directory sites between forests, which requires Microsoft Identity Lifecycle Manager 2007 synchronization, see "Synchronizing Sites and Subnets" in Multiple Forest Considerations in Windows 2000 and Windows Server 2003 [ http://go.microsoft.com/fwlink/?LinkId=21177 ].

Note: If you do not want to extend the schema in the user forest, you can manually create the root Autodiscover SCP record container in the user forest. Or, you can update DNS in the user forest with a host record that points to the internal IP address of the Client Access server in the resource forest where Autodiscover is hosted.

Configuring the Autodiscover Service in a Multiple Trusted Forest Topology

In the multiple trusted forest scenario, the user accounts and Microsoft Exchange are deployed in multiple forests. In this scenario, the Autodiscover service must be available to users across multiple trusted forests. This scenario resembles the resource forest scenario, except that the Autodiscover SCP object must be configured in all forests. To configure the Autodiscover SCP object in the multiple forest topology, run the Export-AutoDiscoverConfig cmdlet from each forest that has the Autodiscover service against each target forest where Microsoft Exchange is deployed. This will configure the SCP information for the Autodiscover pointer in Active Directory.

How to Configure the Autodiscover Service When You Use Multiple Forests

If your Exchange deployment has two or more trusted forests, you must update Active Directory so that users who are running Microsoft Office Outlook 2007 in one forest can access the Client Access servers in the remote (or target) forest to use the Autodiscover service. Exchange 2007 features such as the Availability service and Unified Messaging rely on the Autodiscover service to access user accounts across forests. To do this, you must extend the schema in the user forest by running Exchange 2007 Setup with the /PrepareAD or /PrepareSchema switch, and then run the Export-AutoDiscoverConfig cmdlet in the resource forest that contains the Client Access servers that provide the Autodiscover service against the target forests.

Important: If you install Exchange 2007 Service Pack 1 (SP1), you will not have to extend the schema or manually create the Autodiscover SCP record container in the user forest.

Note: If you will be manually creating the Autodiscover SCP record container, you must install the Windows Server 2003 Support Tools from the Windows Server 2003 CD. After the Autodiscover SCP record container is installed, you can access the Active Directory Service Interfaces (ADSI) Edit tool by going to the Start menu, clicking Programs, and then clicking Windows Support Tools. Then select Support Tools Help.

Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations [ http://technet.microsoft.com/en-us/library/aa996881(EXCHG.80).aspx ].

To use ADSI Edit to extend the schema in the user forest

Run Exchange 2007 Setup on a server in the user forest by using the following command:

    Setup.com /prepareschema

Or, create the "Microsoft Exchange Autodiscover" container in the user account forest by following these steps:

- Start ADSI Edit.
- Expand the Configuration container.
- Expand CN=Configuration,DC=<root domain>.
- Expand the CN=Services container.
- Right-click CN=Services, click New, and then select Object.
- Under Select a Class, select Container, and then click Next.
- Next to Value, enter "Microsoft Exchange Autodiscover", and then click Next.
- Click Finish.

Allow Active Directory replication to occur before you continue with the next step.

To use the Exchange Management Shell to configure the Autodiscover service for multiple forests

1. On an Exchange 2007 Client Access server in the resource forest, enter the user name and password for the account that has the required permissions for the target forest in the variable "$a" by running the following command:

    $a = Get-Credential

2. On an Exchange 2007 Client Access server in the resource forest, run the following command:

    Export-AutoDiscoverConfig -DomainController DomainControllerName -TargetForestDomainController TargetForestDomainControllerName -TargetForestCredential $a -MultipleExchangeDeployments $true

For more information about syntax and parameters, see Export-AutoDiscoverConfig [ http://technet.microsoft.com/en-us/library/aa998832(EXCHG.80).aspx ].

Managing the Autodiscover Service

Managing the Autodiscover service for users includes performing tasks such as making sure that users will be able to use the Autodiscover service after their mailboxes are moved from one forest to another forest.

The following sections describe the common management tasks for the Autodiscover service. Depending on your deployment, some of these procedures may not have to be performed.

How to Configure the Autodiscover Service for Cross Forest Moves

You can use the Exchange Management Shell to configure your Microsoft Exchange deployment to handle mailboxes that are moved from one forest to another for the Autodiscover service. For a cross-forest mailbox move, the two forests must be trusted. For the Autodiscover service to handle this move, you must configure a mail contact in the original forest where the user's mailbox resided. When you configure a mail contact, the user will authenticate to the original forest where the mailbox resided, and the user will receive a redirect that uses the new e-mail address. The client will then try to contact the Autodiscover service by using the new e-mail address against the new forest.

For example, contoso.com and fourthcoffee.com are separate, trusted forests, and the mailbox for a user is kwekua@contoso.com. This user originally resided in the forest named contoso.com and was moved to the forest named fourthcoffee.com by using the following command in the Exchange Management Shell. For this example, you have to set a contact in mail1.contoso.com.

    New-MailContact -ExternalEmailAddress 'SMTP:kwekua@fourthcoffee.com' -Name 'Kweku Ako Adjei' -Alias 'kwekua' -OrganizationalUnit 'contoso.com/Users' -FirstName 'Kweku' -Initials '' -LastName 'Ako Adjei'

After you configure the contact, when the user connects to contoso.com and uses the contoso.com credentials, the Outlook 2007 client sends the following request.

    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
      <Request>
        <EMailAddress>kwekua@contoso.com</EMailAddress>
        <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
      </Request>
    </Autodiscover>

The Outlook 2007 client will receive the following redirect response from contoso.com.

    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
        <Account>
          <Action>redirectAddr</Action>
          <RedirectAddr>kwekua@fourthcoffee.com</RedirectAddr>
        </Account>
      </Response>
    </Autodiscover>

The user will then be able to connect to the Autodiscover service by using this new e-mail address in the mail2.contoso.com forest.

Before You Begin

To perform the following procedure on an Exchange 2007 Client Access server, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations [ http://technet.microsoft.com/en-us/library/aa996881(EXCHG.80).aspx ].

To use the Exchange Management Shell to create a new mail contact for the Autodiscover service to handle cross-forest mailbox moves

Run the following command:

    New-MailContact -ExternalEmailAddress 'SMTP:kwekua@fourthcoffee.com' -Name 'Kweku Ako Adjei' -Alias 'kwekua' -OrganizationalUnit 'contoso.com/Users' -FirstName 'Kweku' -Initials '' -LastName 'Ako Adjei'

For more information about syntax and parameters, see New-MailContact [ http://technet.microsoft.com/en-us/library/bb124519(EXCHG.80).aspx ].

How to Configure Exchange Services for the Autodiscover Service

This section explains how to configure Microsoft Exchange services, such as the Availability service, for the Autodiscover service on a Microsoft Exchange 2007 computer that has the Client Access server role installed. When you enable Outlook Anywhere, you must also configure external access to Microsoft Exchange services for the Autodiscover service. This includes the URLs for the Availability service, Unified Messaging (UM), Exchange Web Services, and the offline address book. If you do not configure the external URL values, the Autodiscover service information that is provided to the Microsoft Office Outlook 2007 client may be incorrect for clients that are connecting from outside your network. They may be able to connect to their Microsoft Exchange mailbox. However, they will be unable to use Exchange features such as Out of Office functionality, the Availability service, Unified Messaging, or offline address book downloads.
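As an added illustration (not Outlook or Exchange code), the following Python handles the redirectAddr exchange shown above on the client side: it builds the request, parses the redirect response, and follows the new address into the new forest with a hop limit and a loop check, so two forests whose mail contacts point at each other cannot bounce the client indefinitely. The `fetch` callback, the two in-memory endpoints and the sample XML are constructed stand-ins for the HTTPS client and the contoso.com / fourthcoffee.com forests.

```python
"""Client-side handling of the Autodiscover redirectAddr exchange shown
above.  Added illustration, not Outlook or Exchange code: the sample XML
is constructed from the kwekua@contoso.com example, and `fetch` is a
hypothetical in-memory stand-in for an HTTPS client.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
OUTLOOK_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"


def candidate_urls(email):
    """The two HTTPS URLs a non-domain-joined client tries for the address's
    domain (the DNS fallback described in the paper)."""
    domain = email.rsplit("@", 1)[1].lower()
    return [f"https://{domain}/autodiscover/autodiscover.xml",
            f"https://autodiscover.{domain}/autodiscover/autodiscover.xml"]


def build_request(email):
    """Serialise the Autodiscover request Outlook 2007 sends for an address."""
    root = ET.Element(f"{{{REQ_NS}}}Autodiscover")
    req = ET.SubElement(root, f"{{{REQ_NS}}}Request")
    ET.SubElement(req, f"{{{REQ_NS}}}EMailAddress").text = email
    ET.SubElement(req, f"{{{REQ_NS}}}AcceptableResponseSchema").text = OUTLOOK_NS
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Return (action, redirect_address); redirect_address is None unless the
    action is redirectAddr.  Raises ValueError when no Action is present, so
    a malformed document is never mistaken for a settings answer."""
    root = ET.fromstring(xml_text)
    account = root.find(f"{{{OUTLOOK_NS}}}Response/{{{OUTLOOK_NS}}}Account")
    action = account.findtext(f"{{{OUTLOOK_NS}}}Action") if account is not None else None
    if action is None:
        raise ValueError("Autodiscover response without an Account/Action element")
    if action != "redirectAddr":
        return action, None
    addr = account.findtext(f"{{{OUTLOOK_NS}}}RedirectAddr") or ""
    if "@" not in addr:
        raise ValueError("redirectAddr response without a usable address")
    return action, addr


def resolve(email, fetch, max_hops=3):
    """Follow redirectAddr answers to the forest that now owns the mailbox.
    fetch(url, request_xml) returns a response body, or None if the host did
    not answer.  Returns (final_address, addresses_tried)."""
    tried = []
    for _ in range(max_hops):
        tried.append(email.lower())
        body = None
        for url in candidate_urls(email):
            body = fetch(url, build_request(email))
            if body is not None:
                break
        if body is None:
            raise LookupError(f"no Autodiscover endpoint answered for {email}")
        action, new_email = parse_response(body)
        if action != "redirectAddr":
            return email, tried          # settings for the current address
        if new_email.lower() in tried:   # loop between forests
            raise LookupError(f"redirect loop: {new_email} was already tried")
        email = new_email
    raise LookupError(f"gave up after {max_hops} redirects")


# Constructed responses: the old forest answers with the redirect that the
# mail contact produces; the new forest answers with settings.
REDIRECT_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="{RESP_NS}">
  <Response xmlns="{OUTLOOK_NS}">
    <Account>
      <Action>redirectAddr</Action>
      <RedirectAddr>kwekua@fourthcoffee.com</RedirectAddr>
    </Account>
  </Response>
</Autodiscover>"""

SETTINGS_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="{RESP_NS}">
  <Response xmlns="{OUTLOOK_NS}">
    <Account><Action>settings</Action></Account>
  </Response>
</Autodiscover>"""


def demo_fetch(url, request_xml):
    """Hypothetical transport: only the autodiscover.<domain> hosts answer."""
    host = urlparse(url).hostname
    return {"autodiscover.contoso.com": REDIRECT_RESPONSE,
            "autodiscover.fourthcoffee.com": SETTINGS_RESPONSE}.get(host)


def looping_fetch(url, request_xml):
    """Hypothetical misconfiguration: each forest redirects to the other."""
    if urlparse(url).hostname == "autodiscover.fourthcoffee.com":
        return REDIRECT_RESPONSE.replace("kwekua@fourthcoffee.com", "kwekua@contoso.com")
    return demo_fetch(url, request_xml)


if __name__ == "__main__":
    print(resolve("kwekua@contoso.com", demo_fetch))
```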

aspx 3/2/2010 . see Permission Considerations [ http://technet. and encryption settings for the following Web services: Outlook Anywhere Offline address book Unified Messaging Exchange Web Services If you performed a custom installation of Exchange 2007 and you will not be using an Exchange service such as Unified Messaging. authentication. you will not have to complete the procedure to configure the external URL for Unified Messaging for the Autodiscover service later in this section.contoso. Before You Begin To perform the following procedures. see Enable-OutlookAnywhere [ http://technet.printer). you can safely ignore these procedures.com/ews/exchange. the internal URL is configured by Microsoft Exchange Setup and references the internal FQDN of the Client Access server. as discussed in Scenario 1: Using a Certificate That Supports Multiple DNS Names earlier in this white paper.contoso.com/en-us/library/bb332063(EXCHG.80.80).microsoft.asmx. For example. you must also modify the internal URL of each Exchange service so that the FQDN in the URL references the common name of the certificate on the Default Web Site.aspx ] .com" ExternalAuthenticationMethod "Basic" -SSLOffloading:$False For more information about syntax and parameters. If you have configured the Autodiscover service by following Scenario 2: Using One Single-Name Certificate or Scenario 3: Using Two SingleName Certificates.80).White Paper: Exchange 2007 Autodiscover Service Page 39 of 41 Generally. if you are not providing external access to your Exchange services. For more information about permissions. the external URL values are NULL and must be configured by using the virtual directory cmdlet for each component. Additionally. the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. delegating roles.contoso. you must set the internal URL to https://mail. In this section. 
To use the Exchange Management Shell to configure the external URL for the offline address book for the Autodiscover service Run the following command: Copy Code Set-OABVirtualDirectory -identity "CAS01\OAB (Default Web Site)" externalurl https://mail. you will configure external host name. and the rights that are required to administer Exchange 2007. Important: The following procedures assume that you are using a Unified Communications certificate that supports multiple DNS names.microsoft.com/en-us/library/aa996881 (EXCHG.com/OAB -RequireSSL:$true http://technet.microsoft. However.com/en-us/library/bb124993(EXCHG. To use the Exchange Management Shell to configure the external host name for Outlook Anywhere for the Autodiscover service Run the following command: Copy Code Enable-OutlookAnywhere -Server CAS01 -ExternalHostname "mail.aspx ] .

com/en-us/library/bb124335(EXCHG. Note: If Exchange 2007 will be deployed behind an ISA Server computer.80).aspx ] . see Set-OABVirtualDirectory [ http://technet.80. see the documentation about how to configure ISA Server in Publishing Exchange Server 2007 with ISA Server 2006 [ http://go.microsoft. you will typically create a Web Publishing rule for each application and use the same Web listener because listeners in ISA Server 2006 can handle multiple authentication methods.asmx BasicAuthentication:$True For more information about syntax and parameters.microsoft.printer).80).com/EWS/Exchange. Conclusion This white paper provides the necessary information to enable you to deploy and configure the Autodiscover service for your users.aspx 3/2/2010 . To use the Exchange Management Shell to configure the external URL for Unified Messaging for the Autodiscover service Run the following command: Copy Code Set-UMVirtualDirectory -identity "CAS01\UnifiedMessaging (Default Web Site)" -externalurl https://mail. see the following topics: http://technet.White Paper: Exchange 2007 Autodiscover Service Page 40 of 41 For more information about syntax and parameters. see Set-UMVirtualDirectory [ http://technet. see Set-WebServicesVirtualDirectory [ http://technet.com/UnifiedMessaging/Service.contoso.80). Return to top Autodiscover and ISA Server 2006 When an Exchange 2007 Client Access server is deployed with an advanced firewall server such as ISA Server 2006.com/en-us/library/bb124707(EXCHG.microsoft. To use the Exchange Management Shell to configure the external URL for Exchange Web Services for the Availability service and Out of Office services Run the following command: Copy Code Set-WebServicesVirtualDirectory -identity "CAS01\EWS (Default Web Site)" externalurl https://mail.aspx ] .microsoft. Use this information to help you define a deployment strategy for the Autodiscover service to provide your users with the Microsoft Exchange features that you enable. 
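As an added check that is not part of the white paper, the following Exchange Management Shell script compares every host name that the Autodiscover service will hand to Outlook 2007 (the Outlook Anywhere external host name and the internal and external URLs of the OAB, EWS and Unified Messaging virtual directories) against the names on the certificate enabled for IIS, and also warns about external URLs that are still NULL or not HTTPS; an internal URL that was not changed after a Scenario 2 or 3 deployment shows up here as a name mismatch. It assumes it runs on the Client Access server itself and that CAS01 is that server's name.

```powershell
# Added example, not from the white paper. Run in the Exchange Management Shell
# on the Client Access server itself; the server name CAS01 is an assumption.
$server = "CAS01"

# Names (subject and subject alternative names) on the certificate(s) enabled for IIS.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains })

function Test-NameCovered([string]$hostName) {
    foreach ($n in $certNames) {
        $n = [string]$n
        if ($n -ieq $hostName) { return $true }
        # A wildcard entry such as *.contoso.com covers exactly one extra label.
        if ($n.StartsWith("*.") -and ($hostName -like $n) -and
            ($hostName.Split(".").Length -eq $n.Split(".").Length)) { return $true }
    }
    return $false
}

# Collect every host name Autodiscover returns, tagged with where it comes from.
$entries = @()
$oa = Get-OutlookAnywhere -Server $server
if ($oa) {
    $entries += @{ Source = "Outlook Anywhere ExternalHostname"; Host = [string]$oa.ExternalHostname }
}
$vdirs = @(Get-OABVirtualDirectory -Server $server) +
         @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-UMVirtualDirectory -Server $server)
foreach ($vd in $vdirs) {
    foreach ($prop in "InternalUrl", "ExternalUrl") {
        $url = $vd.$prop
        if (-not $url) {
            # External URLs are NULL after Setup, so external clients get no URL at all.
            Write-Warning "$($vd.Identity): $prop is not set"
            continue
        }
        $uri = [Uri]$url
        if ($uri.Scheme -ne "https") { Write-Warning "$($vd.Identity): $prop is not HTTPS" }
        $entries += @{ Source = "$($vd.Identity) $prop"; Host = $uri.Host }
    }
}

# Report each name that the IIS certificate does not cover.
foreach ($e in $entries) {
    if (Test-NameCovered $e.Host) { Write-Host "OK   $($e.Source) -> $($e.Host)" }
    else { Write-Warning "$($e.Source) -> $($e.Host) is not on the IIS certificate" }
}
```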
Autodiscover and ISA Server 2006
When an Exchange 2007 Client Access server is deployed with an advanced firewall server such as ISA Server 2006, you will typically create a Web Publishing rule for each application and use the same Web listener because listeners in ISA Server 2006 can handle multiple authentication methods. Notice that the rule you create for Outlook Anywhere has the option to include the Autodiscover virtual directory.

Note:
If Exchange 2007 will be deployed behind an ISA Server computer, see the documentation about how to configure ISA Server in Publishing Exchange Server 2007 with ISA Server 2006 [ http://go.microsoft.com/fwlink/?LinkId=80756 ].

Conclusion
This white paper provides the necessary information to enable you to deploy and configure the Autodiscover service for your users. Use this information to help you define a deployment strategy for the Autodiscover service to provide your users with the Microsoft Exchange features that you enable.

Additional Information
For more information about Exchange 2007 features, see the following topics:
Unified Messaging [ http://technet.microsoft.com/en-us/library/bb124993(EXCHG.80).aspx ]
Understanding Offline Address Books [ http://technet.microsoft.com/en-us/library/bb232155(EXCHG.80).aspx ]
Planning for Client Access Servers [ http://technet.microsoft.com/en-us/library/bb232184(EXCHG.80).aspx ]
Understanding the Availability Service [ http://technet.microsoft.com/en-us/library/bb232134(EXCHG.80).aspx ]