Details about Service Connection Point for Exchange Autodiscover
2011-06-04 Initial Post
(I don't know why WordPress isn't spacing the paragraphs correctly, and I don't have the patience to mess with this anymore so that's why this post is all jumbled together.)
Summary
The Autodiscover service is not a separate Windows service—it’s a Web-based service that runs under Default Web Site. The Autodiscover Service Connection Point (SCP) data in AD is what internal Outlook 2007 and newer clients use to find information about the Exchange configuration such as the Availability Service URL. Each Exchange CAS server has an SCP object under its Exchange server object. The SCP object uses the CAS server’s name (I think it’s the NetBIOS computer name). The serviceBindingInformation property of the SCP object contains the value of the Autodiscover service’s internal URI/URL. That URL is what clients connect to.
Details
This has been bugging me for the last two months that I've been working in-depth with Exchange 2010. I've read through a few articles but never got a good understanding of SCPs. From most of what I've read, it would make one think that there's a single SCP entry in AD that has a list of all Autodiscover URLs. Well, that's not the case—there are actually multiple SCP entries.
When a new Client Access Server (CAS) role is installed, Exchange will create an SCP object under that CAS server's Exchange server object (this is not the same as the server’s AD computer object that’s found in the domain naming context). In my test Exchange org, the full path to the SCP object of my CAS server is this:
CN=CHH-EXCCH-01,CN=Autodiscover,CN=Protocols,CN=CHH-EXCCH-01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company-Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company-ad,DC=sysadmin-e,DC=com
Notice that “CN=CHH-EXCCH-01” is listed twice. The first instance (from the right) is the Exchange server object itself. After you expand that and go to Autodiscover --> Protocols, you’ll see the name of the server again (the second “CN=CHH-EXCCH-01”). This second instance of “CN=CHH-EXCCH-01” is the actual SCP object.
The keywords property of the SCP object will have the associated AD site name in its value. This helps clients determine which servers are in their site so they can use those servers.
The serviceBindingInformation property of the SCP object contains the same value as the CAS server’s AutodiscoverServiceInternalUri property, which would be https://chh-excch-01.company-ad.sysadmin-e.com/Autodiscover/Autodiscover.xml, based on the SCP object in my example.
[PS] C:\>Get-ClientAccessServer chh-excch-01 | FL *uri*
AutoDiscoverServiceInternalUri : https://chh-excch-01.company-ad.sysadmin-e.com/Autodiscover/Autodiscover.xml
In a nutshell, under normal circumstances, this is how an internal Outlook 2007/2010 client interacts with the Autodiscover SCPs:
The client queries AD for the Autodiscover SCPs and gets back a list of ALL Autodiscover SCPs (one for every CAS role in the Exchange org). Assuming that the CAS servers are all correctly associated with their respective AD sites, the client will choose the first CAS server in its site and connect to the Autodiscover service of that server. This is one reason why it’s very important to have your Exchange servers/roles associated with the correct AD sites. I ran into an issue in Exchange 2007 where clients had issues with the Availability service and would sometimes not be able to see free/busy data. The issue was because one CAS server wasn’t associated with any AD site at all.
Per http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html: The Autodiscover process for Exchange 2007 and Outlook 2007 is practically the same as for Exchange 2010 and Outlook 2010.
So since that’s the case, the excerpt below from MS TechNet would apply to both Exchange 2007 and 2010. From http://technet.microsoft.com/en-us/library/bb332063%28EXCHG.80%29.aspx:
How the Autodiscover Service Works with Clients
2. Outlook 2007 sorts and enumerates the returned results based on the client's Active Directory site by using the keyword attribute of the SCP record. One of two lists is created, an in-site list or an out-of-site list. The in-site list provides the SCP records that have AutodiscoverSiteScope information. AutodiscoverSiteScope is a parameter that is set on the Client Access server by using the Set-ClientAccessServer cmdlet. The parameter specifies the site for which the Autodiscover service is authoritative. The AutodiscoverSiteScope information contained in the SCP records for the in-site list matches the Active Directory site for the Outlook client. If there are no in-site records, an out-of-site SCP record list will be generated. The list is not sorted in any particular order. Therefore, the list is approximately in the order of oldest SCP records (based on creation date) first.
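The in-site/out-of-site selection described above can be reproduced when auditing SCPs. The following is an added example, not code from the original post or from Microsoft: it builds the candidate list for a given client site and flags SCPs whose URL is not HTTPS, points outside an expected DNS suffix, or carries no Site= keyword. The site name CHH, the second server and the function names are hypothetical; the sample records are constructed.

```powershell
# Added example: the sample records below are constructed, not real directory data.
# GUID that tags Autodiscover URL SCPs in the keywords attribute.
$ScpUrlGuid = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

function Get-AutodiscoverScp {
    # Live query (needs a domain-joined host); returns the same shape as $sample below.
    $configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
    $searcher = [adsisearcher]"(&(objectClass=serviceConnectionPoint)(keywords=$ScpUrlGuid))"
    $searcher.SearchRoot = [adsi]"LDAP://$configNC"
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name        = [string]$r.Properties['name'][0]
            Keywords    = @($r.Properties['keywords'])
            Uri         = [string]$r.Properties['servicebindinginformation'][0]
            WhenCreated = [datetime]$r.Properties['whencreated'][0]
        }
    }
}

function Select-ScpForSite {
    param([object[]]$Scp, [string]$ClientSite)
    # In-site list: SCPs whose keywords contain "Site=<client site>".
    $list = @($Scp | Where-Object { $_.Keywords -contains "Site=$ClientSite" })
    if ($list.Count -eq 0) { $list = $Scp }   # no in-site records: out-of-site list
    $list | Sort-Object WhenCreated           # approximately oldest first
}

function Test-ScpUri {
    param([object[]]$Scp, [string]$AllowedSuffix)
    foreach ($s in $Scp) {
        $u = [uri]$s.Uri
        $issues = @()
        if ($u.Scheme -ne 'https') { $issues += 'not https' }
        if (-not $u.Host.EndsWith($AllowedSuffix, [StringComparison]::OrdinalIgnoreCase)) { $issues += 'unexpected host' }
        if (-not ($s.Keywords -like 'Site=*')) { $issues += 'no Site= keyword' }
        [pscustomobject]@{ Name = $s.Name; Uri = $s.Uri; Issues = $issues -join '; ' }
    }
}

# Constructed sample: one healthy SCP, one with no site keyword and an off-domain HTTP URL.
$sample = @(
    [pscustomobject]@{ Name = 'CHH-EXCCH-01'; Keywords = @($ScpUrlGuid, 'Site=CHH'); Uri = 'https://chh-excch-01.company-ad.sysadmin-e.com/Autodiscover/Autodiscover.xml'; WhenCreated = [datetime]'2011-04-01' }
    [pscustomobject]@{ Name = 'NYC-EXCCH-01'; Keywords = @($ScpUrlGuid); Uri = 'http://nyc-excch-01.example.net/Autodiscover/Autodiscover.xml'; WhenCreated = [datetime]'2010-11-15' }
)
Select-ScpForSite -Scp $sample -ClientSite 'CHH' | Format-Table Name, Uri
Test-ScpUri -Scp $sample -AllowedSuffix '.company-ad.sysadmin-e.com' | Format-Table -AutoSize
```

To run the same checks against a real directory, pass the output of Get-AutodiscoverScp in place of $sample.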
Additional Details
The SCP object’s objectCategory value is this:
CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=company-ad,DC=sysadmin-e,DC=com
The SCP object’s objectClass value is this:
top; leaf; connectionPoint; serviceConnectionPoint
The SCP object’s distinguishedName value:
CN=CHH-EXCCH-01,CN=Autodiscover,CN=Protocols,CN=CHH-EXCCH-01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company-Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company-ad,DC=sysadmin-e,DC=com
These images should help clarify what I mentioned above:
^ Each CAS server object has an Autodiscover SCP object under its AD Exchange server object (not its regular AD computer object). The SCP object name is the same as the CAS server computer name.
^ The serviceBindingInformation property of the SCP object contains the same value as the CAS server’s AutodiscoverServiceInternalUri property, which is https://chh-excch-01.company-ad.sysadmin-e.com/Autodiscover/Autodiscover.xml in this example.
^ The keywords property of the SCP object has the AD site name in its value. This helps clients determine which servers are in their site. Note that this value is a multi-valued string, so there’s some other value in there, which I’m not sure exactly what it’s for. It looks like you can associate this CAS server with multiple sites, hence the multi-value string.
March 21st, 2012 at 6:05 PM
Hi,
I see you got some details on Exch 2010. I have been trying to get my Outlook Anywhere to connect with no success.
Can you be of help?
Regards
March 25th, 2012 at 8:20 AM
Hi, Thanks for checking out my blog. This post is about internal connectivity to Exchange. There should be a bunch of articles elsewhere about setting up Outlook Anywhere. Check out the Outlook Anywhere (RPC over HTTP) test at https://www.testexchangeconnectivity.com.
September 4th, 2012 at 6:41 PM
I have been looking everywhere for some information about creating this SCP record. For some reason, my Exchange implementation has no SCP record. I was wondering if there was a way to programmatically add one. I know I should be able to load a new CAS server, but was hoping there was a simple command to do it. Can you export all the values and permissions to a text file for me so I can manually create the record if there is not a command to do it automatically?
September 9th, 2012 at 8:40 PM
Hi Bob:
Thanks for checking out my site. I don't think it's a good idea to manually add the SCP record. Something wasn't done correctly for the SCP to not be there, so there probably are (or will be) other issues that might cause more problems. I'm not sure if MS would even support adding that in manually. I've been busy at work, but if you still need me to take a look at this, I'll try to get to it this week.
March 3rd, 2016 at 3:29 PM
Just to note, I have the same second GUID keyword "77378F46-2C66-4aa9-A6A6-3E7A48B19596". I'm guessing it translates to the default "Exchange Administrative Group (FYDIBOHF23SPDLT)".