Certificate warnings often pop up in Outlook clients when new Exchange servers are introduced into an existing organization. One of the causes for this is that the AutoDiscoverServiceInternalUri value generated by the Exchange setup process uses the name of the server, e.g. https://NewCAS1.contoso.com/autodiscover/autodiscover.xml. Outlook clients obtain this value at startup, and periodically while open, by querying AD for serviceConnectionPoint (SCP) objects and, specifically, the serviceBindingInformation value for the AutoDiscover service. Outlook clients should use the SCP with the oldest creation date first, but this doesn't always seem to happen. Unless the certificate is trusted and the name (including SANs) on the server's certificate matches the AutoDiscoverServiceInternalUri (serviceBindingInformation) value, Outlook will throw a certificate warning. Essentially, this is a timing issue with newly created servers, as Exchange admins typically update the autodiscover and web services URLs as well as the certificate soon after setup. The gap between when the new server's setup completes and when the Exchange admin sets the correct values is when the pop-ups can occur.

The attached script attempts to mitigate this problem by regularly polling for the creation of the SCP during Exchange setup and, when discovered, immediately sets the desired AutoDiscoverServiceInternalUri value by directly writing the information to AD.  The intention is to minimise the window when pop-ups can occur.

The script uses just the AD cmdlets and should be run on a server within the same site as the new Exchange server.
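As an added example (not part of the attached script), the following audit lists every Autodiscover SCP in the configuration partition in the order Outlook is expected to prefer them (oldest first) and flags any whose URL host is not a name the certificate covers, so you can see what clients will find before and after the fix. The $ExpectedHosts list is an assumed input that you fill from the SANs on your Exchange certificate, and the site column assumes the "Site=" keyword format Exchange writes on the SCP.

```powershell
# Added example: audit Autodiscover SCPs with AD cmdlets only (not the page's script).
Import-Module ActiveDirectory

function Get-AutodiscoverScpAudit {
    param(
        # Hostnames the certificate is valid for, e.g. its SANs (assumed input)
        [Parameter(Mandatory)][string[]]$ExpectedHosts
    )
    $cnc = (Get-ADRootDSE).configurationNamingContext
    # All Autodiscover SCPs, regardless of server, so every candidate Outlook could pick is listed
    $filter = "(&(objectClass=serviceConnectionPoint)(serviceClassName=ms-Exchange-AutoDiscover-Service))"
    $scps = Get-ADObject -LDAPFilter $filter -SearchBase $cnc `
        -Properties serviceBindingInformation, serviceDNSName, keywords, whenCreated

    # Outlook should prefer the SCP with the oldest creation date, so present them in that order
    foreach ($scp in ($scps | Sort-Object whenCreated)) {
        # serviceBindingInformation is multi-valued; Exchange writes a single URL
        $url = [string]($scp.serviceBindingInformation | Select-Object -First 1)
        $uri = $null
        $uriHost = $null
        if ([System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
            $uriHost = $uri.Host
        }
        # -contains compares case-insensitively, which is what we want for hostnames
        $matches = [bool]($uriHost -and ($ExpectedHosts -contains $uriHost))
        [pscustomobject]@{
            Server      = $scp.serviceDNSName
            WhenCreated = $scp.whenCreated
            Url         = $url
            # Exchange tags the SCP with the AD site it belongs to as a "Site=<name>" keyword
            Site        = (@($scp.keywords | Where-Object { $_ -like 'Site=*' }) -join ';')
            MatchesCert = $matches
        }
    }
}

# Constructed sample input: the names on the certificate; any row with MatchesCert = False
# is an SCP that will trigger the warning described above until its URL is corrected
Get-AutodiscoverScpAudit -ExpectedHosts 'autodiscover.contoso.com', 'mail.contoso.com' |
    Format-Table -AutoSize
```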

#########################################################
#
# Name: Set-AutoDiscoverSCPValue.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 12/01/2016
# Comment: Polls AD for the creation of a new
# autodiscover serviceConnectionPoint object and updates
# the serviceBindingInformation (URL) value from default
# (server name) to desired name, i.e. one that matches a
# SAN on the digital certificate
#
# Run this on a DC or Exchange server in the same AD site
# as the new Exchange server
#########################################################

### Set global variables

# fqdn of the server you are installing
$exsrvfqdn = "NewCAS1.contoso.com"
# fqdn you want to use as part of the autodiscover URI (must match SAN on cert)
$autodfqdn = "autodiscover.contoso.com"
# the poll interval in seconds that we use to check for the new SCP
$poll = 5

###

### Begin

# Create the AutoDiscoverServiceInternalUri strings used by the script
$exsrvuri = "https://" + $exsrvfqdn + "/autodiscover/autodiscover.xml"
$autoduri = "https://" + $autodfqdn + "/autodiscover/autodiscover.xml"

# Import the AD module (required on pre-Windows 2012 servers)
Import-Module ActiveDirectory
# Find the configuration naming context
$cnc = (Get-ADRootDSE).configurationNamingContext
# Find the short name for the new Exchange server (needed for ldap search)
$hostname = ($exsrvfqdn.Split('.'))[0]
# Specify the ldap search filter to find the AutoDiscover serviceConnectionPoint object
$filter = "(&(objectClass=serviceConnectionPoint)(serviceClassName=ms-Exchange-AutoDiscover-Service)(serviceDNSName=$hostname))"
# Enter loop to check for the creation of the SCP
Do
{
   # Find the serviceConnectionPoint object (returns nothing until setup has created it)
   $scpobj = Get-ADObject -LDAPFilter $filter -SearchBase $cnc -Properties serviceBindingInformation
   # The serviceBindingInformation attribute holds the autodiscover URL value. It is
   # multi-valued, but Exchange writes a single URL, so take the first value as a string
   # (an empty string while the object, or the attribute, does not exist yet)
   $newscp = [string]($scpobj.serviceBindingInformation | Select-Object -First 1)
   # If the value is empty then keep trying at intervals
   if ([string]::IsNullOrEmpty($newscp)) {
        Write-Host "A serviceConnectionPoint object for $exsrvfqdn has not yet been created. Sleeping for $poll seconds"
        Start-Sleep -Seconds $poll
   } # end if
} Until (-not [string]::IsNullOrEmpty($newscp))

# Once out of the loop we have a serviceConnectionPoint object to work with
Write-Host "A serviceConnectionPoint object for $exsrvfqdn has been found with a URL value of $newscp."
Write-Host "We will now change the value to the desired name if required"
# Replace the existing serviceBindingInformation value (string comparison is case-insensitive)
if ($newscp -ne $autoduri) {
    Set-ADObject -Identity $scpobj -Replace @{serviceBindingInformation=$autoduri}
} # end if
else {
    Write-Host "The new value already matches the desired value - nothing to do!"
} # end else

# Update the web services URLs with desired values


### End