[Today’s post comes to us courtesy of Rituraj Choudhary and Shawn Sullivan]
After the completion of SBS 2008 setup and the Internet Address Management Wizard (IAMW), Exchange 2007 is configured to accept both internal and external Outlook 2007 SP1 and Windows Mobile 6.1 Autodiscover requests. These requests are handled by the Exchange Autodiscover service, which in turn provides the following information to connecting clients:
- The user’s display name as read from Active Directory.
- Separate connection settings for internal and external connectivity.
- Location of the user’s mailbox (this is why Outlook 2007 is automatically able to find a mailbox that has been moved to another Mailbox server).
- Location information for free/busy, Out of Office assistant, web-distributed Offline Address Book (gives Windows Mobile 6.1 the capability of GAL lookups from the internet), …
- Outlook Anywhere (RPC/HTTP) server settings.
This information is combined to automatically configure the user’s profile, requiring no input from them other than their email address.
When configured properly, Exchange Autodiscover truly is automatic. However, the technology is complex because its implementation spans several other technologies across multiple locations. In general, the following items need to be in place:
- External DNS records (Host A and SRV) must be correct.
- The IAMW creates a zone on internal DNS for the external Fully Qualified Domain Name (FQDN) that you choose. It points this name to the internal IP address of the server to service internal connections to the namespace.
- Clients must be running Outlook 2007 SP1 or Windows Mobile 6.1.
- Properly configured Autodiscover virtual directory under the SBS Web Applications site.
- Properly configured internal and external URL on the Autodiscover virtual directory in Exchange 2007.
- Properly configured service connection point (SCP) in Active Directory for the Client Access (CAS) server.
- Properly configured SSL certificate installed in Exchange 2007 and the SBS Web Applications site, with the correct Fully Qualified Domain Name (FQDN). Important: Use either the IAMW to create the self-signed certificate or the “Add a Trusted Certificate” wizard to install a 3rd party trusted certificate.
- If you are deploying a self-signed certificate created by the IAMW, you must install the certificate distribution package to your non-domain joined Outlook clients or Mobile 6.1 devices: http://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx
Domain-joined Outlook 2007 connections
A service connection point (SCP) object is created in Active Directory during the installation of the Client Access (CAS) role. Domain-joined clients will query this object and read the following attributes:
- serviceBindingInformation – Returns the Fully Qualified Domain Name (FQDN) of the CAS server. This will match the public URL that you have chosen in the IAMW. The Autodiscover virtual directory’s internal URL setting must match this value, and the SBS server must be able to query the zone for the public domain in its DNS to return the internal IP address of the server.
- keywords – Returns the Active Directory site to which the CAS server belongs. This exists specifically for cases where you have multiple CAS servers in different AD sites.
To find its location in ADSIEDIT, go here:
CN=Servername,CN=Autodiscover,CN=Protocols,CN=Servername,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=local
Where Servername is the name of your server, OrganizationName is the name of the Exchange Org and CONTOSO.local is the domain name.
The clients will retrieve the URL from an LDAP query for the SCP, and retrieve the IP address from internal DNS. They will then connect to the server through the proper URL to the Autodiscover virtual directory.
- The client belonging to the contoso.local domain queries AD and retrieves https://remote.contoso.com/autodiscover/autodiscover.xml from the serviceBindingInformation attribute on the SCP.
- The client resolves remote.contoso.com to the internal IP address of the SBS 2008 server. This is because the IAMW has created a zone for remote.contoso.com in DNS and has pointed it to the internal IP of the server.
- A request is sent to https://remote.contoso.com/autodiscover/autodiscover.xml
Note: Non-domain joined clients may not be able to connect internally to the Autodiscover service.
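The SCP lookup and internal DNS resolution described above can be checked from a domain-joined machine. This is an added example, not code from the original post: it finds Autodiscover SCP objects by the keyword GUID Exchange stamps on them, then reports whether the advertised URL uses HTTPS and resolves only to private (internal) IPv4 addresses. It assumes Windows PowerShell 2.0 or later; the output property names are chosen for illustration.

```powershell
# Added example: read the Autodiscover SCP as a domain-joined client would
# and sanity-check what it advertises. Assumes Windows PowerShell 2.0+.

# Keyword GUID that Exchange stamps on Autodiscover SCP objects.
$scpGuid = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

# SCPs live in the Configuration partition (see the ADSIEDIT path above).
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=$scpGuid))"
[void]$searcher.PropertiesToLoad.Add('servicebindinginformation')
[void]$searcher.PropertiesToLoad.Add('keywords')

# RFC 1918 ranges; internal clients should be sent to one of these.
$private = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

foreach ($scp in $searcher.FindAll()) {
    $url  = [string]$scp.Properties['servicebindinginformation'][0]
    $site = @($scp.Properties['keywords'] |
              Where-Object { $_ -like 'Site=*' }) -join ','
    $uri  = [Uri]$url

    # Resolve the advertised host with the DNS servers this machine uses.
    # Only IPv4 answers are evaluated against the private ranges.
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($uri.Host) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                 ForEach-Object { $_.IPAddressToString })
    } catch {
        $ips = @()   # name did not resolve; reported as an empty ResolvedTo
    }
    $external = @($ips | Where-Object { $_ -notmatch $private })

    New-Object PSObject -Property @{
        ScpUrl       = $url
        AdSite       = $site
        UsesHttps    = ($uri.Scheme -eq 'https')
        ResolvedTo   = ($ips -join ', ')
        InternalOnly = ($ips.Count -gt 0 -and $external.Count -eq 0)
    }
}
```

An SCP URL that is not HTTPS, does not resolve, or resolves to a public address from inside the LAN means the internal zone or the SCP value does not match what the IAMW is expected to have configured.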
Remote Clients and Windows Mobile 6.1 devices
Remote Outlook 2007 SP1 clients and Windows Mobile 6.1 devices query the DNS SRV record at the DNS registrar to locate the URL for the CAS server, according to the email address that you have specified. This record is either created/maintained automatically (if you choose a partner registrar during the IAMW) or manually (if you choose to maintain the domain yourself in the IAMW).
Port Number: 443
Important: Outlook 2007 without SP1 does not query for this SRV record, which causes Autodiscover to fail in default SBS 2008 deployments where the domain name has a prefix, like remote.contoso.com.
- User enters an email address of firstname.lastname@example.org
- The Outlook client or mobile device queries _autodiscover._tcp.contoso.com and remote.contoso.com is returned
- The client or device resolves remote.contoso.com to the external IP address of the SBS 2008 server.
- The request is sent to https://remote.contoso.com/autodiscover/autodiscover.xml
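The external lookup sequence above can be reproduced from a machine outside the network. This is an added example, not code from the original post: it reads the SRV record with nslookup, compares the target and port with what is expected, then opens a TLS connection and lets Windows validate the certificate for that host name. `$mailDomain` and `$expected` are assumed values taken from the post's contoso.com scenario.

```powershell
# Added example: follow the SRV record and validate the certificate at its
# target. $mailDomain and $expected are assumptions from the contoso.com
# scenario in the post; replace them with your own values.
$mailDomain = 'contoso.com'
$expected   = 'remote.contoso.com'

# Step 1: SRV lookup, as Outlook 2007 SP1 / Windows Mobile 6.1 performs it.
$target = $null
$port   = 0
foreach ($line in (nslookup -type=SRV "_autodiscover._tcp.$mailDomain" 2>$null)) {
    if ($line -match 'svr hostname\s*=\s*(\S+)') { $target = $Matches[1].TrimEnd('.') }
    if ($line -match '^\s*port\s*=\s*(\d+)')     { $port   = [int]$Matches[1] }
}
if (-not $target) { throw "No SRV record found for _autodiscover._tcp.$mailDomain" }

# An SRV target you do not recognise would send credentials to another host.
if ($target -ne $expected) { Write-Warning "SRV target is $target, expected $expected" }
if ($port -ne 443)         { Write-Warning "SRV port is $port, expected 443" }

# Steps 2-3: connect and let Windows apply its normal certificate checks
# (trusted chain, validity dates, name matches $target). No request is sent.
$tcp = New-Object System.Net.Sockets.TcpClient($target, $port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($target)
        $cert = $ssl.RemoteCertificate
        "Certificate accepted for $target"
        "  Subject: $($cert.Subject)"
        "  Expires: $($cert.GetExpirationDateString())"
    } catch {
        # Typical causes: self-signed certificate not installed on this
        # machine, expired certificate, or a name that does not match.
        Write-Warning "Certificate validation failed for ${target}: $($_.Exception.Message)"
    }
} finally {
    $tcp.Close()
}
```

A validation failure on a non-domain-joined machine with the IAMW self-signed certificate is expected until the certificate distribution package has been installed there.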
The Autodiscover feature for a user can be checked with the following Exchange Management Shell command:
Test-OutlookWebServices -Identity <User Name>
For full details on the Exchange 2007 Autodiscover service, please see: http://technet.microsoft.com/en-us/library/bb332063.aspx