Autodiscover with multiple AD sites and Outlook 2011

  • Question

  • What is the right configuration in our Exchange Organization for the best internal Autodiscover with Outlook 2011 clients?

    The current situation:
    One Active Directory domain with 4 sites. Every site has one Exchange 2010 SP2 server with the CAS, Mailbox and Hub roles on it.
    Split DNS: example1.com = AD domain, example2.com = the users’ primary SMTP domain, wildcard certificate for example1.com, DNS SRV record for example2.com; the DNS SRV record points to the CAS in site 1.

    Unlike Outlook for Windows, Outlook for Mac does not support the LDAP Service Connection Point (SCP) method to obtain account settings. It uses only the predefined URLs, the HTTP redirect check, or the DNS SRV lookup method. This is similar to what Outlook uses when it runs Autodiscover service from outside the organization’s network.
    http://mac2.microsoft.com/help/office/14/en-us/admin/item/af2a88b0-bed1-412f-8304-36b3afbeef5c

    The problem:
    With Exchange 2010 and Outlook 2011 it is not possible to control what is put into the Directory Services Server field by Autodiscover. Autodiscover is going to use whichever domain controller the CAS server you are hitting is using at that time. If you change the server after the fact to something else, Autodiscover will overwrite your changes the next time that it runs.
    http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/7bd9a74d-62f3-4130-82b8-4dd1ab0a215d/

    Clients in site 2, site 3 or site 4 get a DC from site 1 in the Directory Services Server field.
    Outlook 2011 clients get a bad-password prompt.

    Workaround (AppleScript; stops Outlook from re-running Autodiscover in the background for the first Exchange account, so a manually set Directory Services Server is not overwritten):

    -- Disable background Autodiscover for the first Exchange account
    tell application "Microsoft Outlook"
        set background autodiscover of exchange account 1 to false
    end tell

    But this workaround cannot be the solution.

    I think we need a SAN certificate for every CAS, but I'm not sure.

    Monday, February 6, 2012 3:00 PM

Answers

  • The CAS doesn't need a certificate, just web services which you can publish with webmail.

    The only way I know of to do what you need is to have separate DNS zones in each site with webmail and autodiscover pointed to the server in that site.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    • Proposed as answer by Castinlu Wednesday, February 8, 2012 7:14 AM
    • Marked as answer by Juergen Kluge Wednesday, February 8, 2012 11:37 PM
    Wednesday, February 8, 2012 4:39 AM
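The lookup order the question quotes for Outlook for Mac (predefined URLs, then the HTTP redirect check, then the DNS SRV lookup, with no SCP step) and the accepted answer's per-site DNS zones, as an added example in Python. This is not code from the thread, from Exchange or from Outlook; it models the client's order against a constructed DNS view per AD site so that you can see which CAS a client in each site ends up posting its Autodiscover request to. The site names, the CAS addresses (192.0.2.x), the `(hostname, ip)` HTTPS-listener model and the SRV target `webmail.example2.com` are assumptions.

```python
"""Model of the Outlook for Mac Autodiscover order against per-site DNS views.

Added example, not part of the TechNet thread or of any Microsoft code. All
hostnames, addresses and site names below are constructed for illustration.
"""
from dataclasses import dataclass, field

SMTP_DOMAIN = "example2.com"
SITES = ("site1", "site2", "site3", "site4")

# Constructed CAS address per AD site (RFC 5737 documentation range).
CAS_IP = {"site1": "192.0.2.10", "site2": "192.0.2.20",
          "site3": "192.0.2.30", "site4": "192.0.2.40"}


@dataclass
class DnsView:
    """The records a client in one AD site can resolve for the SMTP domain."""
    a: dict = field(default_factory=dict)    # hostname -> IPv4
    srv: dict = field(default_factory=dict)  # _svc._proto.domain -> (port, target)


def shared_zone(site: str) -> DnsView:
    """One AD-integrated example2.com zone replicated to every site: the
    autodiscover and webmail records point at the site-1 CAS for everybody,
    which is the situation in the question. `site` is ignored on purpose."""
    v = DnsView()
    v.a[f"autodiscover.{SMTP_DOMAIN}"] = CAS_IP["site1"]
    v.a[f"webmail.{SMTP_DOMAIN}"] = CAS_IP["site1"]
    v.srv[f"_autodiscover._tcp.{SMTP_DOMAIN}"] = (443, f"webmail.{SMTP_DOMAIN}")
    return v


def per_site_zone(site: str) -> DnsView:
    """A separate, non-AD-integrated example2.com zone served only inside
    `site`, with both names pointing at that site's own CAS (the accepted
    answer's approach)."""
    v = DnsView()
    v.a[f"autodiscover.{SMTP_DOMAIN}"] = CAS_IP[site]
    v.a[f"webmail.{SMTP_DOMAIN}"] = CAS_IP[site]
    v.srv[f"_autodiscover._tcp.{SMTP_DOMAIN}"] = (443, f"webmail.{SMTP_DOMAIN}")
    return v


def mac_autodiscover(view: DnsView, smtp_domain: str, https_hosts: set,
                     http_redirects: dict) -> tuple:
    """Outlook for Mac order as quoted in the question (no SCP step):
    1. predefined URLs https://<domain>/... then https://autodiscover.<domain>/...
    2. HTTP redirect check on http://autodiscover.<domain>/...
    3. DNS SRV lookup of _autodiscover._tcp.<domain>
    `https_hosts` is the set of (hostname, ip) pairs that serve the Autodiscover
    virtual directory over TLS; `http_redirects` maps a plain-HTTP hostname to
    the URL it redirects to. Returns (method, hostname, ip) of the endpoint
    that receives the authenticated Autodiscover POST."""
    for host in (smtp_domain, f"autodiscover.{smtp_domain}"):
        ip = view.a.get(host)
        if ip and (host, ip) in https_hosts:
            return ("predefined", host, ip)
    target = http_redirects.get(f"autodiscover.{smtp_domain}")
    # Policy of this model: only an HTTPS redirect target is followed. A plain
    # HTTP target would hand the user's credentials to whoever answers there.
    if target and target.startswith("https://"):
        host = target[len("https://"):].split("/", 1)[0]
        ip = view.a.get(host)
        if ip:
            return ("http-redirect", host, ip)
    srv = view.srv.get(f"_autodiscover._tcp.{smtp_domain}")
    if srv:
        port, target = srv
        ip = view.a.get(target)
        if ip and port == 443:
            return ("srv", target, ip)
    return ("none", None, None)


def endpoint_per_site(zone_builder) -> dict:
    """Run the lookup for a client in each site and report where it lands.
    Assumes every CAS serves HTTPS for both public names (certificate names
    correct) and that no HTTP redirects are configured."""
    https_hosts = {(name, ip) for ip in CAS_IP.values()
                   for name in (f"autodiscover.{SMTP_DOMAIN}", f"webmail.{SMTP_DOMAIN}")}
    return {site: mac_autodiscover(zone_builder(site), SMTP_DOMAIN, https_hosts, {})
            for site in SITES}


if __name__ == "__main__":
    for label, builder in (("shared zone", shared_zone), ("per-site zones", per_site_zone)):
        print(label)
        for site, (method, host, ip) in endpoint_per_site(builder).items():
            print(f"  {site}: {method:13s} {host} -> {ip}")
```

The endpoint this returns is the CAS that receives the authenticated Autodiscover request, and per the question it is that CAS's current domain controller that ends up in the Directory Services Server field; with the shared zone that is a site-1 DC for every site, with per-site zones it is a DC the local CAS is using. To see what a real Mac in a given site resolves, compare `dig autodiscover.example2.com` and `dig SRV _autodiscover._tcp.example2.com` from that site against the table this prints.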

All replies

  • Every CAS needs a certificate, and that certificate must contain all the hostnames for all URLs that it will be servicing.  In some cases, that will be just two, say webmail and autodiscover.  In other cases, that may be more hostnames depending on your implementation.  I can't tell you what has to be in your certificate based on what you've posted.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Monday, February 6, 2012 4:34 PM
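Ed's point above that every CAS certificate must name every hostname that CAS will serve, as an added Python check that is not from the thread or from Exchange: it applies the usual TLS hostname-matching rule (a wildcard is only the whole leftmost label and matches exactly one label) to the names in the question, so a wildcard for example1.com is shown not to cover the example2.com names. The CAS FQDN `cas1.example1.com` and the assumption that the server's own FQDN is among the names it serves (the default for the internal URLs) are mine.

```python
"""Check which hostnames a CAS serves are not covered by its certificate names.

Added example, not from the TechNet thread. The CAS FQDN cas1.example1.com is
constructed; the other names come from the question.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a hostname using
    the RFC 6125 rule: case-insensitive, and a wildcard is honoured only as the
    whole leftmost label, where it matches exactly one label. So *.example1.com
    covers webmail.example1.com but not a.b.example1.com, not example1.com
    itself, and never any name under example2.com."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if not cert_name.startswith("*."):
        return False
    suffix_labels = cert_name.split(".")[1:]
    host_labels = hostname.split(".")
    return len(host_labels) == len(suffix_labels) + 1 and host_labels[1:] == suffix_labels


def uncovered(cert_names, served_hostnames) -> list:
    """Hostnames the CAS answers on that no certificate name covers. Each one
    makes TLS clients reject or warn on the connection to that name."""
    return sorted(h for h in served_hostnames
                  if not any(name_matches(n, h) for n in cert_names))


def cas_hostnames(cas_fqdn: str, smtp_domain: str) -> set:
    """Names a CAS in this thread's design answers on: the shared public names
    from the question plus the server's own FQDN (assumed here to remain the
    host in the internal URLs)."""
    return {f"webmail.{smtp_domain}", f"autodiscover.{smtp_domain}", cas_fqdn}


# Scenario from the question: a wildcard for the AD domain only.
WILDCARD_CERT = ["*.example1.com"]
# The SAN names the asker proposes in the follow-up post.
SAN_CERT = ["webmail.example2.com", "autodiscover.example2.com", "CASServer.example2.com"]
# Constructed: the site-1 CAS with FQDN cas1.example1.com.
SERVED = cas_hostnames("cas1.example1.com", "example2.com")

if __name__ == "__main__":
    print("wildcard cert leaves uncovered:", uncovered(WILDCARD_CERT, SERVED))
    print("proposed SAN cert leaves uncovered:", uncovered(SAN_CERT, SERVED))
```

The second line of output is the caveat in Ed's reply: the proposed SAN list covers the public names but, if the server FQDN is still used anywhere (internal URLs, a client typing the server name), that name has to be in the certificate too. To compare against what a CAS actually presents, `openssl s_client -connect webmail.example2.com:443 -servername webmail.example2.com` prints the certificate, and its SAN entries can be fed to `uncovered` as `cert_names`.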
  • Hi Ed,

    let’s say we have a certificate on every CAS with webmail.example2.com, autodiscover.example2.com and CASServer.example2.com.

    The users’ primary SMTP domain is example2.com.

    The DNS servers have an autodiscover host A record in the zone example2.com, pointing to the CAS in site 1 (more than one host A record for autodiscover doesn’t work).

    How do the Mac Outlook 2011 clients in site 2, site 3 or site 4 get the right DC in the “Directory Services Server” field from Autodiscover?

    Thanks for your help

    Tuesday, February 7, 2012 12:08 AM
  • Non-Active Directory-integrated DNS zones in each site are the solution.

    Thank you!

    Thursday, February 9, 2012 10:00 PM
  • Right, AD-integrated zones wouldn't work unless each site has its own domain.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Thursday, February 9, 2012 10:46 PM