Autodiscover Concern in Exchange 2016 Hybrid

Ramki 816 Reputation points
2021-05-22T06:33:44.383+00:00

Hello Team

I am looking for the correct Autodiscover setup for my current Exchange 2016 hybrid environment.

In my external DNS (GoDaddy), Autodiscover is pointing to Autodiscover.outlook.com.

I don't have any other records in internal DNS with respect to Autodiscover.

Is this the correct setup?

Whenever I connect my Outlook (on-prem), on both a domain-joined machine and a non-domain-joined machine (open network), I get a security alert:

exchangeservername.mytestdomain.xyz

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

blaha.....

Looks like there is some issue related to on-prem Autodiscover?

How do I set up Autodiscover correctly in my hybrid environment?


Accepted answer
  1. Andy David - MVP 139.8K Reputation points MVP
    2021-05-23T12:30:16.963+00:00

    Are all the mailboxes in 365? If so, then what you have set is correct, but ensure you have cleared out the internal autodiscover record:

    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null
    

    If you still have any user mailboxes on-prem, then you need to set the autodiscover records (both externally and internally) back to your on-premises Exchange Server.


3 additional answers

  1. Ashok M 6,501 Reputation points
    2021-05-23T05:59:17.62+00:00

    Hi @Ramki ,

    Usually, we will also create an internal DNS record for autodiscover.domain.com and point it to the load balancer if there are multiple servers for high availability. This autodiscover.domain.com should be set as the AutoDiscoverServiceInternalUri value on Get-ClientAccessServer, which is the Autodiscover SCP for internal clients.

    For the certificate prompt while connecting through Outlook, please share a screenshot (covering your personal information) so we can provide suggestions, as this can have various reasons, such as the certificate not being bound correctly in IIS, virtual directories not being configured with a URL matching the certificate, certificate validity, etc. Also, for the external client prompt, a possibility is that the certificate is being served by one of the network devices in between, such as a load balancer.

    In an Exchange hybrid environment, we need to point the autodiscover record to the on-premises Exchange server.
    For on-premises mailboxes, the previous Autodiscover lookup behavior continues to be used to find the endpoint and access Exchange.
    For migrated mailboxes, the Autodiscover service redirects from the on-premises Autodiscover record to Office 365 (autodiscover-s.outlook.com), and access is to Office 365.

    If the above suggestion helps, please click on "Accept Answer" and upvote it.


  2. Lucas Liu-MSFT 6,161 Reputation points
    2021-05-24T02:54:36.083+00:00

    Hi @Ramki ,
    1. Agree with the above. It depends on the location of your mailboxes.

    1) If all mailboxes have been migrated to Exchange Online, you could set up the Autodiscover DNS records to point to Exchange Online instead of to on-premises, and run the following command to remove the Service Connection Point (SCP) values on your Exchange servers.

    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

    For more information, please refer to the scenario two in this article: How and when to decommission your on-premises Exchange servers in a hybrid deployment

    2) If there are mailboxes located on the on-premises Exchange server, we need to point the autodiscover record to the on-premises Exchange server. For on-premises mailboxes, the previous Autodiscover lookup behavior continues to be used to find the endpoint and access Exchange. For migrated mailboxes, the Autodiscover service redirects from the on-premises Autodiscover record to Office 365 (autodiscover-s.outlook.com), and access is to Office 365.

    2. Regarding the certificate error: generally, there are three types of certificate errors, and the reasons for each type are different. Please share the specific information of your certificate error, taking care to cover your personal information.
    In addition, you could refer to this article to check whether your certificate meets the requirements of a hybrid environment: Certificate requirements for hybrid deployments


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Ramki 816 Reputation points
    2021-05-24T12:37:41.367+00:00

    Thanks @Ashok M, @Andy David, @Lucas Liu-MSFT - all

    Yes. As I said, currently my autodiscover is pointing to Exchange Online in external DNS, and thanks for correcting me to have autodiscover point to the on-prem Exchange server in a hybrid environment, so migrated mailboxes will have Autodiscover redirected to Exchange Online.

    Here is my current screenshot of the Autodiscover InternalUri:


    AutodiscoverServiceInternalUri is HTTPS://cmex01.cloudmonkeys.xyz/autodiscover/autodiscover.xml

    So the next action is to set Autodiscover to the link below, as Cloudmonkeys.xyz is the certificate domain name pointing to my Exchange server:

    AutodiscoverServiceInternalUri: HTTPS://cloudmonkeys.xyz/autodiscover/autodiscover.xml

    Delete the Autodiscover CNAME record in GoDaddy and create a new autodiscover record pointing to the on-prem Exchange server in GoDaddy.

    Are those the correct steps? Please correct me if anything is wrong.
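As an added check, not code from this thread, covering both the accepted answer's SCP point and the steps Ramki lists above: a PowerShell audit, run in the Exchange Management Shell, that compares each server's AutoDiscoverServiceInternalUri host with the names on the IIS-bound certificate (the mismatch behind the certificate prompt in the question) and shows where the public autodiscover record sends external clients. The domain default is the thread's cloudmonkeys.xyz; the resolver address and the Test-NameCovered helper are assumptions of this example.

```powershell
# Added example, not from the thread: audit the SCP value against the IIS certificate
# names, then show where the public autodiscover record points. Exchange Management Shell.
param(
    [string]$Domain = 'cloudmonkeys.xyz',   # the thread's domain; replace with your own
    [string]$ExternalResolver = '1.1.1.1'   # public resolver: see what external Outlook sees
)

function Test-NameCovered {
    # True when $Name is listed on the certificate or matched by a one-label wildcard.
    param([string]$Name, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name -match '^[^.]+\.(.+)$' -and
            $Matches[1] -ieq $d.Substring(2)) { return $true }
    }
    return $false
}

# Names on the certificate(s) bound to IIS, which is what Outlook sees for Autodiscover/EWS
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains })

foreach ($cas in Get-ClientAccessService) {
    $uri = $cas.AutoDiscoverServiceInternalUri
    if (-not $uri) {
        Write-Output "$($cas.Name): SCP cleared (correct only if every mailbox is in Exchange Online)"
        continue
    }
    $scpHost = ([uri]$uri).Host
    if (Test-NameCovered -Name $scpHost -CertDomains $certNames) {
        Write-Output "$($cas.Name): SCP host $scpHost is covered by the IIS certificate"
    } else {
        # The mismatch behind the "problem with the site's security certificate" prompt:
        # domain-joined clients are sent to a name the certificate does not contain.
        Write-Warning "$($cas.Name): SCP host $scpHost is NOT on the IIS certificate ($($certNames -join ', '))"
    }
}

# Where does the public record send non-domain-joined clients?
$rec = Resolve-DnsName -Name "autodiscover.$Domain" -Server $ExternalResolver -ErrorAction SilentlyContinue
if (-not $rec) {
    Write-Warning "No public autodiscover.$Domain record found via $ExternalResolver"
} else {
    $cname = ($rec | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
    if ($cname) { Write-Output "autodiscover.$Domain is a CNAME to $cname" }
    else { Write-Output "autodiscover.$Domain resolves to $(($rec | Where-Object { $_.IPAddress }).IPAddress -join ', ')" }
}
```

With mailboxes still on-prem, the expected end state is every SCP host covered by the certificate and the public record pointing at the on-premises server; with every mailbox in Exchange Online, the expected state is a cleared SCP and a public CNAME to autodiscover.outlook.com.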