Ramki-5805 asked (1 vote) · Ramki-5805 commented

Autodiscover Concern in Exchange 2016 Hybrid

Hello Team

I am looking for the correct Autodiscover setup for my current Exchange 2016 hybrid environment.

In my external DNS (GoDaddy), Autodiscover is pointing to Autodiscover.outlook.com.

I don't have any other records in internal DNS with respect to Autodiscover.

Is this the correct setup?

Whenever I connect my Outlook (on-prem), on both a domain-joined machine and a non-domain-joined machine (open network), I get a security alert:

exchangeservername.mytestdomain.xyz

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

blah...

It looks like there is some issue related to on-prem Autodiscover?

How do I set up Autodiscover correctly in my hybrid environment?

Tags: office-exchange-server-administration, office-exchange-online-itpro, office-exchange-server-itpro

AndyDavid answered (0 votes) · AndyDavid edited

Are all the mailboxes in 365? If so, then what you have set is correct, but ensure you have cleared out the internal autodiscover record:

 Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

If you still have any user mailboxes on-prem, then you need to set the autodiscover records (both externally and internally) back to your on-premises Exchange server.
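The decision above hinges on where the mailboxes actually live, so here is an added read-only audit script (not from this thread or from Microsoft) that counts on-premises versus migrated mailboxes, prints the current SCP value on every Client Access service, and only runs the clearing command from the answer when there is nothing left on-prem and the -ClearScp switch is given. It assumes it is run from the Exchange Management Shell on an on-premises Exchange 2016 server; the mailbox counts may include system or discovery mailboxes that you need to judge yourself.

```powershell
# Added example, not code from the thread: decide whether the Autodiscover SCP
# can be cleared by checking where mailboxes are hosted first.
# Assumes: Exchange Management Shell on an on-premises Exchange 2016 server.
param(
    [switch]$ClearScp   # without this switch the script only reports
)

# Mailboxes still hosted on-premises (may include system/discovery mailboxes)
$onPrem = @(Get-Mailbox -ResultSize Unlimited -WarningAction SilentlyContinue)
# Mail users whose mailbox has been moved to Exchange Online
$remote = @(Get-RemoteMailbox -ResultSize Unlimited -WarningAction SilentlyContinue)

Write-Host ("On-premises mailboxes : {0}" -f $onPrem.Count)
Write-Host ("Remote (EXO) mailboxes: {0}" -f $remote.Count)

# Current SCP per server: domain-joined Outlook reads this from AD before it
# tries any DNS record, so a stale value here produces prompts on the LAN.
Get-ClientAccessService |
    Select-Object Name, AutoDiscoverServiceInternalUri |
    Format-Table -AutoSize

if ($onPrem.Count -gt 0) {
    Write-Host "Mailboxes remain on-premises: keep the SCP and point internal and external autodiscover at on-premises Exchange."
    return
}

Write-Host "No on-premises mailboxes: the SCP can be cleared and autodiscover can be a CNAME to autodiscover.outlook.com."
if ($ClearScp) {
    # Same command as in the answer; -WhatIf previews the change before it is applied
    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $null -WhatIf
    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $null
}
```

Run it without the switch first; the -WhatIf line shows which servers would be changed before the real Set-ClientAccessService runs.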

AshokM-8240 answered (0 votes)

Hi @Ramki-5805 ,

Usually, we will also create an internal DNS record autodiscover.domain.com and point it to the load balancer if there are multiple servers for high availability. This autodiscover.domain.com should be set as the AutoDiscoverServiceInternalUri value on Get-ClientAccessServer, which is the Autodiscover SCP for internal clients.

For the certificate prompt while connecting through Outlook, please share a screenshot (covering your personal information) so we can provide suggestions, as this can have various causes, such as the certificate not being bound correctly in IIS, the virtual directories not being configured with a URL matching the certificate, certificate validity, etc. Also, for the external client prompt, it is possible that the certificate is being served by one of the network devices in between, such as a load balancer.

In an Exchange hybrid environment, we need to point the autodiscover record to the on-premises Exchange server.
For an on-premises mailbox, it keeps using the previous autodiscover lookup behavior to find the endpoint and access Exchange.
For a migrated mailbox, the autodiscover service will redirect from the on-premises autodiscover record to Office 365 (autodiscover-s.outlook.com), and access Office 365.

If the above suggestion helps, please click on "Accept Answer" and upvote it.

LucasLiu-MSFT answered (0 votes)

Hi @Ramki-5805 ,
1. Agree with the above. It depends on the location of your mailbox.

1) If all mailboxes have been migrated to Exchange Online, you could set up the Autodiscover DNS records to point to Exchange Online instead of on-premises, and run the following command to remove the Service Connection Point (SCP) values on your Exchange servers.

 Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

For more information, please refer to the scenario two in this article: How and when to decommission your on-premises Exchange servers in a hybrid deployment

2) If there are mailboxes located on the on-premises Exchange server, we need to point the autodiscover record to the on-premises Exchange server. For an on-premises mailbox, it keeps using the previous autodiscover lookup behavior to find the endpoint and access Exchange. For a migrated mailbox, the autodiscover service will redirect from the on-premises autodiscover record to Office 365 (autodiscover-s.outlook.com), and access Office 365.

2. Regarding the certificate error: generally, there are three types of certificate errors, and the reasons for each type are different. Please share the specific information of your certificate error, and please cover your personal privacy information.
In addition, you could refer to this article to check whether your certificate meets the requirements of a hybrid environment: Certificate requirements for hybrid deployments

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Ramki-5805 answered (0 votes) · Ramki-5805 commented

Thanks @AshokM-8240, @AndyDavid, @LucasLiu-MSFT - all.

Yes, as I said, currently my autodiscover is pointing to Exchange Online in external DNS. Thanks for correcting me: autodiscover should point to the on-prem Exchange server in a hybrid environment, so a migrated mailbox will have its Autodiscover redirected to Exchange Online.

Here is my current screenshot of the Autodiscover internal URI:


AutodiscoverServiceinternaluri is HTTPS://cmex01.cloudmonkeys.xyz/autodiscover/autodiscover.xml

So the next action is to set the Autodiscover to the link below, as cloudmonkeys.xyz is the certificate domain name pointing to my Exchange server:

AutodiscoverServiceinternaluri : is HTTPS://cloudmonkeys.xyz/autodiscover/autodiscover.xml

Delete the Autodiscover CNAME record in GoDaddy and create a new autodiscover record pointing to the on-prem Exchange server in GoDaddy.

Are those the correct steps? Please correct me if anything is wrong.

6 comments

Are all your mailboxes in 365?
If so, then clear the internal SCP; you don't need it. Use the command I listed above:
Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null




If all the mailboxes are in 365, you don't redirect autodiscover from on-prem to 365; you set your autodiscover record as a CNAME to Office 365 both externally and internally:

autodiscover.yourdomain.com as a CNAME to Autodiscover.outlook.com

0 Votes

Hello Andy

My users are on both the Exchange servers and Exchange Online (365).

So I have modified my autodiscover to HTTPS://cloudmonkeys.xyz/autodiscover/autodiscover.xml on the on-prem servers and created an SRV record in external DNS.



As a hybrid environment, the on-prem server will redirect the AutoD query request to Exchange Online (O365) for mailboxes migrated from the on-prem server.

0 Votes

Correct, if they need to. Outlook will check 365 first.

Now just fix the certificate on-prem so it has a subject name that matches the FQDN and you should be good to go.

0 Votes
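The remaining problem in this thread is a name mismatch: the certificate prompt appears when the host name Outlook reaches via the SCP, the autodiscover CNAME or the SRV record is not one of the names on the certificate bound to IIS. The following added script (not from the thread, from Microsoft or from any poster) gathers every Autodiscover host name a client could be handed and compares each against the CertificateDomains of the IIS-bound Exchange certificates. It assumes the Exchange Management Shell on an on-premises server and a DNS resolver that can see the public records; the $Domain parameter is your SMTP domain, shown here only as a placeholder.

```powershell
# Added example, not code from the thread: find the name mismatch behind
# "there is a problem with the site's security certificate".
# Assumes: Exchange Management Shell on-premises; $Domain is the SMTP domain.
param(
    [Parameter(Mandatory)][string]$Domain   # e.g. example.com (placeholder)
)

$names = @{}   # host name -> where a client would obtain it

# 1. SCP in Active Directory: domain-joined Outlook tries this first
foreach ($cas in Get-ClientAccessService) {
    if ($cas.AutoDiscoverServiceInternalUri) {
        $names[$cas.AutoDiscoverServiceInternalUri.Host] = "SCP on $($cas.Name)"
    }
}

# 2. DNS: autodiscover.<domain> CNAME, then the _autodiscover._tcp SRV record
$cname = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue
foreach ($r in ($cname | Where-Object { $_.QueryType -eq 'CNAME' })) {
    $names[$r.NameHost] = "CNAME autodiscover.$Domain"
}
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
foreach ($r in ($srv | Where-Object { $_.QueryType -eq 'SRV' })) {
    $names[$r.NameTarget] = "SRV _autodiscover._tcp.$Domain (port $($r.Port))"
}

# 3. Subject / SAN names on certificates that are actually bound to IIS
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains | ForEach-Object { $_.ToString() } }

foreach ($hostName in $names.Keys) {
    $source = $names[$hostName]
    if ($hostName -like '*.outlook.com') {
        # Handled by Exchange Online; the on-prem certificate is not involved
        Write-Host "OK       $hostName ($source) -> Exchange Online"
        continue
    }
    # Exact match, or a wildcard entry such as *.example.com covering the name
    $match = $certNames | Where-Object {
        $_ -eq $hostName -or ($_.StartsWith('*.') -and ($hostName -like $_))
    }
    if ($match) {
        Write-Host "OK       $hostName ($source) matches certificate name '$($match | Select-Object -First 1)'"
    } else {
        Write-Host "MISMATCH $hostName ($source) is not on the IIS certificate: $($certNames -join ', ')"
    }
}
```

A MISMATCH line names the exact host that must either be added to the certificate or be replaced in the SCP or DNS record by a name the certificate already carries; a bare domain used as the Autodiscover host, as in the screenshot above, is flagged the same way if the certificate only lists server FQDNs.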