Service Connection Point (SCP) In Exchange 2010…

Every Exchange administrator will have heard the term “Service Connection Point” or SCP when autodiscover is mentioned. What is SCP and where can I find it? What is it used for? These are some of the questions that need clarification.

Whenever a Client Access server is installed, a new service connection point (SCP) Active Directory object is created for that server. The SCP object is used by domain-joined clients to locate the Autodiscover service. Where can I find the SCP? You can view the SCP object using Active Directory Sites and Services, after you have enabled the “View Services Node” option from the “View” tab.

SCP object in Sites and Services

You will have a list of SCPs if you have more than one CAS server in your environment. If you right-click the SCP object and open its properties (Attribute Editor tab), it contains two pieces of information of interest: the “serviceBindingInformation” attribute and the “keywords” attribute.

The “serviceBindingInformation” attribute holds the Autodiscover URL built from the Fully Qualified Domain Name (FQDN) of the Client Access server, in the form https://hewexch.hew.local/autodiscover/autodiscover.xml, where hewexch.hew.local is the FQDN of the CAS server. This URL is usually changed to one that is covered by the SAN/UCC certificate, so that domain-joined clients do not receive certificate name mismatch warnings. It is this URL that an internal Outlook client uses to connect to the mailbox and to the other Exchange features published through Autodiscover.

ServiceBindingInfo

The “keywords” attribute specifies the Active Directory sites to which this SCP record is associated. By default, this attribute specifies the Active Directory site to which the Client Access server belongs.

Keywords

On a domain-joined client, an Outlook 2007 or later client authenticates to Active Directory and locates the SCP objects using the user’s credentials. After the client obtains and enumerates the instances of the Autodiscover service, it connects to the first Client Access server in the enumerated list and obtains the profile information, in the form of XML data, that it needs to connect to the user’s mailbox and the available Exchange features.
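The lookup described above, as an added example that is not part of the original article: it queries the Configuration partition for Autodiscover SCP objects the way a domain-joined Outlook does, orders them in-site first using the “keywords” attribute, and then checks that each “serviceBindingInformation” URL resolves in DNS and that its host name is on the certificate the server presents. It assumes a domain-joined machine and that 77378F46-2C66-4aa9-A6A6-3E7A48B19596 is the keyword GUID Outlook filters on.

```powershell
# Added example (not the article's code). Assumes a domain-joined machine and that
# 77378F46-2C66-4aa9-A6A6-3E7A48B19596 is the Autodiscover SCP keyword GUID.
$autodiscoverGuid = "77378F46-2C66-4aa9-A6A6-3E7A48B19596"
$clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# Outlook searches the Configuration partition for SCPs carrying the Autodiscover keyword.
$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=$autodiscoverGuid))"
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "serviceBindingInformation", "keywords"))

$scps = foreach ($r in $searcher.FindAll()) {
    # The "Site=<name>" keyword values are what Outlook uses to build the in-site list.
    $sites = @($r.Properties["keywords"]) | Where-Object { $_ -like "Site=*" } |
             ForEach-Object { $_.Substring(5) }
    [pscustomobject]@{
        Server = [string]$r.Properties["cn"][0]          # the SCP's CN is the CAS server name
        Url    = [string]$r.Properties["serviceBindingInformation"][0]
        InSite = ($sites -contains $clientSite)
    }
}

# In-site SCPs first, as Outlook orders them; then verify DNS and the certificate name.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
foreach ($scp in $scps | Sort-Object InSite -Descending) {
    $hostName = ([System.Uri]$scp.Url).Host
    $dnsOk = $false
    try { $dnsOk = @([System.Net.Dns]::GetHostAddresses($hostName)).Count -gt 0 } catch {}

    $certOk = $false; $subject = "(no TLS response)"
    if ($dnsOk) {
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
            # Name matching is done below by hand, so chain/name errors are not silently accepted.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($hostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $subject = $cert.Subject
            # Collect the CN plus every SAN DNS name, then require the SCP host to be among them.
            $names = @($cert.GetNameInfo("DnsName", $false))
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
            if ($sanExt) { $names += ($sanExt.Format($false) -split ", " | ForEach-Object { ($_ -split "=")[-1] }) }
            $certOk = $names -contains $hostName
            $ssl.Dispose(); $tcp.Close()
        } catch { $subject = "TLS error: $($_.Exception.Message)" }
    }
    "{0,-14} InSite={1,-5} DNS={2,-5} CertName={3,-5} {4}  [{5}]" -f `
        $scp.Server, $scp.InSite, $dnsOk, $certOk, $scp.Url, $subject
}
```

A row showing DNS=True but CertName=False is the case the article warns about: the SCP still points at a name (typically the server FQDN) that the SAN/UCC certificate does not cover.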

56 Comments

  1. SALEEM SHAIKH says:

    Hello Rajith,
    Very informative Post thanks for sharing.
    I have a query let me explain you my topology
    SITE1 | SITE2
    | | |
    DC1 | DC2
    | | | | |
    CAS1 CAS2 | CAS3 CAS4
    | | | | |
    MBX1 MBX2 | MBX3 MBX4
    USER1=MBX4
    All CAS servers are 2010 version
    User1 mailbox is in SITE2/DC2/CAS4/MBX4
    User1 is in location SITE1
    User1 is trying to configure Outlook for the first time. He gets all CAS servers in the in-site list from Site1.
    In this scenario User1 will get two lists with the FQDN URLs of the 4 CAS servers.
    Outlook will first query the best CAS server near to him in Site A, let's take CAS1.
    Let's say Outlook queries CAS1 first. My question to you is: will CAS1 provide him information on CAS4, where User1’s mailbox “MBX4” is, or will Outlook check each URL in the in-site list and each URL in the out-of-site list till it finds CAS4 in the out-of-site list URLs?
    Second question
    If I change all 4 URLs to a common URL with the Set-ClientAccessServer -AutoDiscoverServiceInternalUri cmdlet,
    this will respond with 4 common URLs to Outlook in the in-site and out-of-site lists.
    If it queries the first URL in the in-site list, will that CAS provide the location of the mailbox and in which site's CAS it is? Or will it go through all URLs till it reaches CAS4?

    The point I’m trying to understand: will the first URL Outlook queries, that CAS, provide information on the user’s mailbox location and which site's CAS it belongs to, or does it have to go through all URLs till it finds the mailbox CAS?
    Please clarify my doubts…

    Thanks in Advance

    1. Rajith Jose Enchiparambil says:

      Hi Saleem,

      Outlook sorts the CAS list based on which one is in the same site and which is out of site. It picks the first CAS in the same site and if it is reachable, that CAS handles the traffic from then on – either proxying to the mailbox server or re-directing depending on where the mailbox is hosted. Outlook only picks the next CAS server in the list if the first one is not reachable.

      Hope that helps.

      Thanks,
      Rajith.

  2. SALEEM SHAIKH says:

    @Sameer

    You can disable the Autodiscover using the below cmdlet
    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $null

    Or Disable on client from the registry

    [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover]
    “ExcludeScpLookup”=dword:00000001

    1. Rajith Jose Enchiparambil says:

      Correct Saleem. Thanks for chipping in.

  3. Hi Ranjith ,

    How do I change the SCP information to the external URL address (https://domain.com/autodiscover/autodiscover.xml) after a split DNS setup and 3rd party certificate installation, so that the internal and external queries will point to the CAS server through DNS resolution?

  4. Govind Verma says:

    Thanks Rajith It’s really very useful article.

    1. Rajith Jose Enchiparambil says:

      Glad it helped you Govind.

  5. You Sir are awesome, pointed me in the right direction and resolved an issue I’ve been struggling with that has stalled a migration. I’m very grateful

    1. Rajith Jose Enchiparambil says:

      Glad to know that it helped Graeme

  6. Georgia Jaeger says:

    Very informative article and I really appreciate the time you took to post. Very helpful as I am trying to figure a system that crashed and was recreated by another Sys Admin. The Out of Office functionality is currently not working for domain users, along with MailTips, etc. I am attempting to learn Exchange 2010 and troubleshoot at the same time.

    1. Rajith Jose Enchiparambil says:

      Thanks Georgia.

  7. Hi Rajith,

    How do I exclude a CAS server from participating in SCP lookup? I'm planning to install a new CAS server and I do not want my Outlook clients to discover my new server in their SCP lookup.

    1. Rajith Jose Enchiparambil says:

      Hi Azu,

      If you have a load balancing in place, just make sure that the new CAS is not in the config. This gives you time to change all the Exchange webservice urls. Once you are happy with the config, add the server to the LB rules.

  8. Diwakar Kumar says:

    Really informative article. Thanks and please keep sharing / posting such articles. Also please share / post an EWS article in the same way.

    1. Rajith Jose Enchiparambil says:

      Thanks Diwakar

  9. Hi Rajith,

    I found your blog whilst trying to better understand the autodiscover feature, particularly in a split-DNS environment as we have. I wonder if you can help?

    Our internal name is company.local and externally it is company.co.uk. We have split-DNS working well internally. We have a single Exchange 2010 server with all roles and no TMG or reverse proxy. Within EMC 2010 > Server Configuration > Client Access, all URLs appear the same for external and internal access.

    I recently renewed our Exchange UCC SSL certificate. The renewal could no longer contain the FQDN of our internal Exchange server (exchange1.company.local) as this was not permitted. Instead, the certificate just contained webmail.company.co.uk and autodiscover.company.co.uk

    Since applying the certificate, domain-joined Outlook users receive warnings saying the certificate name does not match the server name. I am now trying to figure out what is referencing exchange1.company.local as I believe solving that will remove the certificate warnings.

    When I run ‘test email auto-configuration’ from Outlook internally, I get the following

    Protocol: Exchange RPC
    Server: exchange1.company.local
    login name: first.last
    availability service URL: https://exchange1.company.local/EWS/Exchange.asmx
    OOF URL: https://exchange1.company.local/EWS/Exchange.asmx
    OAB URL: Public Folder
    Unified Message Service URL: https://exchange1.company.local/EWS/UM2007/Legacy.asmx
    …etc…

    (Further down, under ‘Protocol Exchange HTTP’ all FQDNs are webmail.company.co.uk)

    Switching to the ‘Log’ tab shows

    Attempting URL: https://exchange1.company.local/autodiscover/autodiscover.xml found through SCP
    Autodiscover to https://exchange1.company.local/autodiscover/autodiscover.xml Succeeded

    Following the steps in your blog, I see ServiceBindingInformation = https://exchange1.company.local/autodiscover/autodiscover.xml

    When I run Get-ClientAccessServer | fl *uri*, I get

    AutodiscoverServiceInternalUri: https://exchange1.company.local/autodiscover/autodiscover.xml

    Would changing this to webmail.company.co.uk fix my Outlook certificate errors?

    Many thanks

    1. Mano Mario says:

      Dear Rajith,

      I have installed O365 with license. I have a WS2008.
      When I am on the DC profile I cannot access my MS Lync nor other applications except Outlook. On a simple computer profile, I am able to access everything. Is it something related to DSync or is there any change I have to perform to get past this situation?
      Thanks in advance.

  10. SCP article is very good.

    Thanks a lot Rajith

    1. Rajith Enchiparambil says:

      Thanks Babu

  11. Great article! Thank you.

    I have no entries for SCPs. A prior netadmin changed ‘autodiscover’ to ‘remote’ for some reason. How can I recreate the SCP records for the Exchange server without risking mayhem? Thank you.

    1. Rajith Enchiparambil says:

      The SCP records can be anything, it doesn’t have to be autodiscover (for internal traffic). Important point is that they have to point to the CAS or the load balancing solution via a DNS record and should be part of the certificate.

      Run Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml

      Mail entry can be anything

      1. Hi Rajith,

        We have an exchange domain abc.com and desktop user login domain is xyz.com

        We had observed one primary DNS zone named (ABC.com) in the XYZ.com domain.

        After removing this primary DNS zone from Xyz.com, all desktop users are getting a certificate error.

  12. How can I set the priority of SCPs? I would like to determine the priorities myself.

    1. Rajith Jose Enchiparambil says:

      Hi Mbreti,

      I haven’t come across an option to do this.

      Thanks.

  13. Raza Usman says:

    Hi Rajith,
    I have two Exchange 2013 servers ex1 and ex2 with both holding mailbox and CAS roles. They are not in a DAG. I moved all the mailboxes from ex1 to ex2. I need to uninstall ex1 (it's a VM snapshot and so I need to remove it), but the problem is that all the clients hit ex1. If I disconnect the ex1 interface nothing works in Outlook (connection, autodiscover etc.) even though the send and receive connectors work for ex2, ex2 has the same cert as ex1, and the SRV and DNS point to ex2. My questions are: if I remove ex1 will the clients work with ex2, will all traces of ex1 be erased, and will there be downtime for clients or any other disruptions like clients not connecting? Is there a way to get the clients to point to ex2 without uninstalling ex1, even though ex1 is older? Why does the autodiscover not move down the list when I disable the ex1 interface?
    Thanks

    Raza

  14. Dear All

    I can’t find “serviceBindingInformation” and “keywords”, why?

    1. Rajith Jose Enchiparambil says:

      Hi Atallah,

      Do you have a CAS server installed?
      Run Get-ClientAccessServer | fl name, *uri and paste the output here.

  15. Rajith, Is there a way to recreate the ServiceBindingInformation attribute of the SCP if one has accidentally removed the address via the string attribute editor?

    1. Rajith Jose Enchiparambil says:

      Hi Charles,

      Just run Set-ClientAccessServer -server servername -AutodiscoverServiceInternalUri “url”

  16. Pål-Martin says:

    Just like to say thanks for the article! Really helped me out :-)

    1. Rajith Enchiparambil says:

      Thanks Pal.

  17. Haricharan says:

    Hi, if the FQDN of the CAS server is changed to the common name of the certificate, is there any problem for internal users connecting to Exchange?
    Thanks

    1. Rajith Enchiparambil says:

      Hi Haricharan,

      Best practice is not to use server names, even if you have only one server and no load balancing. Use something like mail.domain.local or .com if you have split-dns and use that in cert and let DNS resolve it to the CAS server.

      1. steve swinney says:

        Today, I have 4 exchange servers in the same forest. sv03 is in the root domain A and is exchange 2010. sv08 is in the root domain A and is Exchange 2016.
        sv16 is in domain B in same forest as domain A and is exchange 2010. sv33 is in domain B in same forest as domain A and is exchange 2016.

        I have multiple clients that have connection issues. In active directory, the Servers are listed in sequential order, sv03, sv08, sv16, sv33. Will the clients try connecting to sv03 first? How can I get my clients to connect to only sv33 which is fourth in the list?

  18. Haricharan says:

    Hi, I have the issue that for some users Outlook asks for the password and does not accept it. Is it something to do with SCP?

  19. newground says:

    Regarding autodiscover, what step comes first? My understanding was that the first step is to look for https://domain.com/autodiscover/autodiscover.xml After reading about the SCP records it seems as if the outlook client should be looking for the SCP record first, is that correct?

    1. Rajith Enchiparambil says:

      Outlook always queries AD for SCP record and it succeeds if it is a domain joined machine.
      If not, it will fail to query AD and then go with the other steps of finding the xml file via the urls.

    2. Mark Hewitson says:

      Internal Domain-joined Outlook
      1) LDAP query AD for SCP
      2) Outlook sorts results based on client site. in-site list, and out-site list. AutoDiscoverSiteScope
      3) Outlook tries to connect to autodiscover URL generated from in-site list, if fails then…
      4) Outlook tries https://autodiscover.domain.com/autodiscover/autodiscover.xml using DNS, if fails then…
      5) Outlook tries HTTP redirect method, if fails then…
      6) Outlook tries SRV record lookup

      Internal Non domain-joined Outlook
      1) Outlook tries SCP object in AD, which will fail… then
      2) https://domain.com/autodiscover/autodiscover.xml
      3) https://autodiscover.domain.com/autodiscover/autodiscover.xml
      4) Outlook tries DNS SRV record

      External Outlook Anywhere
      1) https://domain.com/autodiscover/autodiscover.xml
      2) https://autodiscover.domain.com/autodiscover/autodiscover.xml

  20. Ahood Kappon says:

    Krishna, you are absolutely wrong.

    You can add DCs and sites to an SBS.

    The only limits are: no forest trusts and a maximum of 75 users.

  21. Is there a way to have an isolated CAS server, one that users can’t access, or at least only a couple of people can? I have 4 multi-role servers (hub/cas/mb) that host everything but have a need for a standalone CAS server to host about 50 POP3 mailboxes; management doesn’t want POP active on the main prod CAS servers, so I was going to install a single server with CAS only, but don’t want anything but the POP3 mailboxes hitting it. Can this be done? My thought was just leaving it out of the load balancer pool, but was told that with the SCP it might not be that easy, though I can’t really find anyone with a good answer on how I would go about doing what I’m trying to do. Thanks for any insight.

    1. Rajith Enchiparambil says:

      Hi Daryn,

      You can have a single CAS out of the load balancer. Make sure none of the databases have their RPCClientAccessServer entry pointed to that. It should be to the load balancer. That way, all mailboxes will hit your load balancer and your POP3 clients can have a different manual config.

  22. I am on SBS2008 and I don't see Services listed under AD Sites and Services. I only see Sites.

    Any thoughts?

    Jack-

    1. Rajith Enchiparambil says:

      HI Jack,

      I am not that good with SBS edition, someone here will be able to shed some light.

      Thanks

    2. It is by design of SBS2008, as SBS is a standalone server edition and cannot be used with any other edition of Windows Server. You cannot even bring in another DC or Site. That's why.

      1. Rajith Enchiparambil says:

        Thanks Krishna.

    3. Alternatively, you can use Adsiedit.msc, load the Configuration partition and browse to Services as shown in the screenshot in this article.

      1. Rajith Jose Enchiparambil says:

        Thanks for the tip Rafeeque.

  23. Thanks Rajith, short, concise and clear article. Exactly what I was looking for.

    1. Rajith Enchiparambil says:

      Thanks Zoltan.

  24. ahmed catic says:

    ignore my earlier comment, all clear now.

    1. Rajith Enchiparambil says:

      Nice to hear that Ahmed.

  25. ahmed catic says:

    Interestingly, I don’t see an SCP listed for me when I drill down to my CAS. Nothing in there at all. I started looking because my Outlook 2010 client wasn’t automatically picking up my profile, even though the autodiscover test passed fine. Investigating…

  26. Binoj Baburaj says:

    informative article…

    1. Rajith Enchiparambil says:

      Thanks Binoj.

  27. Agree, by default, this attribute specifies the Active Directory site to which the Client Access server belongs. The “keywords” attribute specifies the Active Directory sites to which this SCP record is associated.

    1. Rajith Enchiparambil says:

      Thanks Dunhill.
