Service Connection Point (SCP) In Exchange 2010…

MS Exchange

Every Exchange administrator will have heard the term “Service Connection Point” or SCP when Autodiscover is mentioned. What is an SCP, where can I find it, and what is it used for? Those are the questions this article answers.

Whenever a Client Access server is installed, Exchange setup creates a new service connection point (SCP) object for that server in Active Directory. Domain-joined Outlook clients use the SCP objects to locate the Autodiscover service; they do not need an autodiscover DNS record for that. Where can I find the SCP? You can view the SCP objects in Active Directory Sites and Services after you have enabled “Show Services Node” from the View menu. They sit under Services -> Microsoft Exchange -> <organization name> -> Administrative Groups -> Exchange Administrative Group (FYDIBOHF23SPDLT) -> Servers -> <server name> -> Protocols -> Autodiscover, one object named after each Client Access server.

SCP object in Sites and Services

You will see one SCP per Client Access server if you have more than one CAS in your environment. Right-click the SCP object, open its properties and switch to the Attribute Editor tab: two attributes are of interest, “serviceBindingInformation” and “keywords”.

The “serviceBindingInformation” attribute holds the Autodiscover URL. By default it contains the Fully Qualified Domain Name (FQDN) of the Client Access server, in the form https://hewexch.hew.local/autodiscover/autodiscover.xml, where hewexch.hew.local is the FQDN of the CAS server. In most deployments this URL is changed (with Set-ClientAccessServer -AutoDiscoverServiceInternalUri) to a name that is covered by the SAN/UCC certificate; if it still points at the server FQDN and that name is not on the certificate, every domain-joined Outlook client gets a certificate name mismatch warning. This is the URL an internal Outlook client posts the user’s e-mail address to, over HTTPS and with the user’s Windows credentials; the XML it gets back tells Outlook which server hosts the mailbox and the URLs of the other Exchange features published through Autodiscover (EWS, OAB, OOF, Unified Messaging and so on). Because domain-joined clients trust whatever URL is in this attribute and will authenticate to it, treat write access to the SCP objects as sensitive: only Exchange administrators should be able to change it.

ServiceBindingInfo

The “keywords” attribute specifies the Active Directory sites with which this SCP record is associated. By default it contains one value in the form Site=<site name> for the site the Client Access server belongs to, plus a fixed GUID (77378F46-2C66-4aa9-A6A6-3E7A48B19596) that marks the object as an Autodiscover SCP and is what Outlook searches for. You can add further Site= values with Set-ClientAccessServer -AutoDiscoverSiteScope so that a CAS becomes the preferred Autodiscover endpoint for sites that have no CAS of their own.

Keywords

A domain-joined Outlook 2007 or later client first authenticates to Active Directory with the user’s credentials and queries the configuration partition for Autodiscover SCP objects. It sorts the results so that SCPs whose keywords name the client’s own site come first, then all the others, each group ordered by creation date (oldest first). It then posts to the first URL in that list; only if that Client Access server does not answer does it move on to the next one. The response is the Autodiscover XML with the profile information needed to connect to the user’s mailbox and the available Exchange features. Two practical consequences: a newly installed CAS is discoverable by clients as soon as setup has created its SCP (change or clear its AutoDiscoverServiceInternalUri if it should not serve Autodiscover), and an SCP whose URL is not on the certificate produces warnings on every client in that site, not just on the users whose mailboxes are on that server.
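The lookup described above, done by hand so you can see what your clients will pick. This is an added example and not code from the original post: it queries the configuration partition for Autodiscover SCP objects, orders them the way Outlook does (in-site first, then by creation date) and flags any URL whose host name is not on the certificate. The host names in $ExpectedHosts are placeholders; replace them with the names on your SAN/UCC certificate. Run it from a domain-joined machine with the user’s normal credentials, which is all Outlook itself has.

```powershell
# Added example, not from the original post. Assumptions: domain-joined machine;
# $ExpectedHosts lists the names on your certificate (placeholders below).
$ExpectedHosts = @('autodiscover.hew.local', 'mail.hew.local')

# Keyword value that marks an Autodiscover SCP (Exchange 2007 SP1 and later)
$AutodiscoverKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

# Site of the machine running this script; Outlook compares it with the "Site=" keyword
$ClientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# SCP objects live in the configuration partition, so search from its root
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = [ADSISearcher]"(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverKeyword))"
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
$searcher.PageSize   = 500
foreach ($attr in 'cn', 'serviceBindingInformation', 'keywords', 'whenCreated') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$scps = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties
    # keywords holds the GUID above plus one "Site=<name>" value per scoped site
    $sites = @($props['keywords'] | Where-Object { $_ -like 'Site=*' } | ForEach-Object { $_.Substring(5) })
    [pscustomobject]@{
        Server  = [string]$props['cn'][0]
        Url     = [string]$props['servicebindinginformation'][0]
        Sites   = ($sites -join ', ')
        InSite  = [bool]($sites -contains $ClientSite)
        Created = [datetime]$props['whencreated'][0]
    }
}

# Outlook's order: SCPs scoped to the client's site first, then the rest,
# each group oldest-first. The first entry is the URL Outlook will use;
# the others are only tried if it does not answer.
$ordered = @($scps | Sort-Object @{ Expression = 'InSite'; Descending = $true }, Created)

$position = 0
$report = foreach ($scp in $ordered) {
    $position++
    $issues = @()
    if ([string]::IsNullOrWhiteSpace($scp.Url)) {
        # serviceBindingInformation cleared (e.g. -AutoDiscoverServiceInternalUri $null)
        $issues += 'serviceBindingInformation is empty'
    } else {
        $uri = [uri]$scp.Url
        if ($uri.Scheme -ne 'https')               { $issues += 'not HTTPS' }
        if ($ExpectedHosts -notcontains $uri.Host) { $issues += "host '$($uri.Host)' is not on the certificate" }
    }
    $status = if ($issues.Count -gt 0) { $issues -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Order  = $position
        Server = $scp.Server
        Sites  = $scp.Sites
        InSite = $scp.InSite
        Url    = $scp.Url
        Status = $status
    }
}
$report | Format-Table -AutoSize
```

If the entry with Order 1 shows a host that is not on the certificate, that is the source of the name-mismatch warnings; fix it on the server side with Set-ClientAccessServer -Server <name> -AutoDiscoverServiceInternalUri <https URL on the certificate> and re-run the script rather than editing the attribute by hand.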

Please let me know if you have any questions in the comments section.


  1. Hello Rajith,
    Very informative Post thanks for sharing.
    I have a query let me explain you my topology
    SITE1 | SITE2
    | | |
    DC1 | DC2
    | | | | |
    CAS1 CAS2 | CAS3 CAS4
    | | | | |
    MBX1 MBX2 | MBX3 MBX4
    USER1=MBX4
    All CAS servers are 2010 version
    User1 mailbox is in SITE2/DC2/CAS4/MBX4
    User1 is in location SITE1
    User1 trying to configure outlook for first time. He gets all CAS servers in-site list from Site1
    In this scenario User1 will get two list of FQDN of 4 CAS servers URLs
    Outlook first will query Best CAS server near to him in Site A lets take CAS1
    Lets take outlook queries CAS1 first. My question to you is…….Will CAS1 provides him information of CAS4 where User1’s mailbox is “MBX4” or Outlook will check for each URL in the in-site list and each URLs in out-of-site list till it finds CAS4 in the out-of-site list URLs.
    Second question
    If I change all 4 URLs to common URL by Set-ClientAccessServer -AutoDiscoverServiceInternalUri CMDlet
    This will response with 4 common URLs to OUTlook in insite and out-of-site list
    The first URL if it queries in the in-site list will that CAS provide his location of Mailbox in which site CAS has it. Or it will go through all URLs till it reach CAS4

    My point what I’m trying to understand will first URL outlook queries that CAS provide information of user’s Mailbox location in which Site CAS belongs or it has to go through all URLs till it finds mailbox CAS
    Please clarify my doubts…

    Thanks in Advance

    Reply
    • Hi Saleem,

      Outlook sorts the CAS list based on which one is in the same site and which is out of site. It picks the first CAS in the same site and if it is reachable, that CAS handles the traffic from then on – either proxying to the mailbox server or re-directing depending on where the mailbox is hosted. Outlook only picks the next CAS server in the list if the first one is not reachable.

      Hope that helps.

      Thanks,
      Rajith.

      Reply
  2. @Sameer

    You can disable the Autodiscover using the below cmdlet
    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $null

    Or Disable on client from the registry

    [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover]
    “ExcludeScpLookup”=dword:00000001

    Reply
  3. You Sir are awesome, pointed me in the right direction and resolved an issue I’ve been struggling with that has stalled a migration. I’m very grateful.

    Reply
  4. Very informative article and I really appreciate the time you took to post. Very helpful as I am trying to figure a system that crashed and was recreated by another Sys Admin. The Out of Office functionality is currently not working for domain users, along with MailTips, etc. I am attempting to learn Exchange 2010 and troubleshoot at the same time.

    Reply
  5. Hi Rajith,

    How do I exclude a CAS server from participating in SCP lookup? Planning to install a new CAS server and I do not want my Outlook clients to discover my new server in their SCP lookup.

    Reply
  6. Really informative article. Thanks and please keep sharing / posting such articles. Also please share / post an EWS article in the same way.

    Reply
  7. Hi Rajith,

    I found your blog whilst trying to better understand the autodiscover feature, particularly in a split-DNS environment as we have. I wonder if you can help?

    Our internal name is company.local and externally it is company.co.uk We have split-DNS working well internally. We have a single Exchange 2010 server with all roles and no TMG or reverse proxy. Within EMC 2010 > Server Configuration > Client Access > All URL’s appear the same for external and internal access.

    I recently renewed our Exchange UCC SSL certificate. The renewal could no longer contain the FQDN of our internal Exchange server (exchange1.company.local) as this was not permitted. Instead, the certificate just contained webmail.company.co.uk and autodiscover.company.co.uk

    Since applying the certificate, domain-joined Outlook users receive warnings saying the certificate name does not match the server name. I am now trying to figure out what is referencing exchange1.company.local as I believe solving that will remove the certificate warnings.

    When I run ‘test email auto-configuration’ from Outlook internally, I get the following

    Protocol: Exchange RPC
    Server: exchange1.company.local
    login name: first.last
    availability service URL: https://exchange1.company.local/EWS/Exchange.asmx
    OOF URL: https://exchange1.company.local/EWS/Exchange.asmx
    OAB URL: Public Folder
    Unified Message Service URL: https://exchange1.company.local/EWS/UM2007/Legacy.asmx
    …etc…

    (Further down, under ‘Protocol Exchange HTTP’ all FQDN’s are webmail.company.co.uk)

    Switching to the ‘Log’ tab shows

    Attempting URL: https://exchange1.company.local/autodiscover/autodiscover.xml found through SCP
    Autodiscover to https://exchange1.company.local/autodiscover/autodiscover.xml Succeeded

    Following the steps in your blog, I see ServiceBindingInformation = https://exchange1.company.local/autodiscover/autodiscover.xml

    When I run Get-ClientAccessServer | fl *uri*, I get

    AutodiscoverServiceInternalUri: https://exchange1.company.local/autodiscover/autodiscover.xml

    Would changing this to webmail.company.co.uk fix my Outlook certificate errors?

    Many thanks

    Reply
    • Dear Rajith,

      I have installed O365 with license. I have a WS2008.
      When I am on the DC profile I cannot access my MS Lync nor any other application except Outlook. On a simple computer profile, I am able to access everything. Is it something related to DSync, or is there any change I have to perform to get around this situation?
      Thanks in advance.

      Reply
  8. Great article! Thank you.

    I have no entries for SCPs. A prior netadmin changed ‘autodiscover’ to ‘remote’ for some reason. How can I recreate the SCP records for the Exchange server without risking mayhem? Thank you.

    Reply
      • Hi Rajith,

        We have an Exchange domain abc.com and the desktop user login domain is xyz.com.

        We had observed one primary DNS zone named (ABC.com) in the XYZ.com domain.

        After removing this primary DNS zone from Xyz.com, all desktop users are getting a certificate error.

        Reply
  9. Hi Rajith,
    I have two Exchange 2013 servers ex1 and ex2, both holding the mailbox and CAS roles. They are not in a DAG. I moved all the mailboxes from ex1 to ex2. I need to uninstall ex1 (it’s a VM snapshot and so I need to remove it), but the problem is that all the clients hit ex1. If I disconnect the ex1 interface nothing works in Outlook (connection, autodiscover etc.) even though the send and receive connectors work for ex2, ex2 has the same cert as ex1, and the SRV and DNS records point to ex2. My questions are: if I remove ex1 will the clients work with ex2, will all traces of ex1 be erased, and will there be downtime for clients or any other disruptions like clients not connecting? Is there a way to get the clients to point to ex2 without uninstalling ex1, even though ex1 is older? Why does the autodiscover not move down the list when I disable the ex1 interface?
    Thanks

    Raza

    Reply
    • Hi Atallah,

      Do you have a CAS server installed?
      Run Get-ClientAccessServer | fl name, *uri and paste the output here.

      Reply
  10. Rajith, Is there a way to recreate the ServiceBindingInformation attribute of the SCP if one has accidentally removed the address via the string attribute editor?

    Reply
    • Hi Charles,

      Just run Set-ClientAccessServer -server servername -AutodiscoverServiceInternalUri “url”

      Reply
  11. Hi, if the FQDN of the CAS server is changed to the common name of the certificate, is there any problem for internal users to connect to Exchange?
    Thanks

    Reply
    • Hi Haricharan,

      Best practice is not to use server names, even if you have only one server and no load balancing. Use something like mail.domain.local or .com if you have split-dns and use that in cert and let DNS resolve it to the CAS server.

      Reply
      • Today, I have 4 exchange servers in the same forest. sv03 is in the root domain A and is exchange 2010. sv08 is in the root domain A and is Exchange 2016.
        sv16 is in domain B in same forest as domain A and is exchange 2010. sv33 is in domain B in same forest as domain A and is exchange 2016.

        I have multiple clients that have connection issues. In active directory, the Servers are listed in sequential order, sv03, sv08, sv16, sv33. Will the clients try connecting to sv03 first? How can I get my clients to connect to only sv33 which is fourth in the list?

        Reply
  12. Is there a way to have an isolated CAS server, one that users can’t access, or at least only a couple of people can? I have 4 multi-role servers (hub/cas/mb) that host everything but have a need for a standalone CAS server to host about 50 POP3 mailboxes; management doesn’t want POP active on the main prod CAS servers, so I was going to install a single server with CAS only, but don’t want anything but the POP3 mailboxes hitting it. Can this be done? My thought was just leaving it out of the load balancer pool, but was told that with the SCP it might not be that easy, though I can’t really find anyone with a good answer on how I would go about doing what I’m trying to do. Thanks for any insight.

    Reply
    • Hi Daryn,

      You can have a single CAS out of the load balancer. Make sure none of the databases have their RPCClientAccessServer entry pointed to that. It should be the load balancer. That way, all mailboxes will hit your load balancer and your POP3 clients can have a different manual config.

      Reply
  13. Interestingly, I don’t see an SCP listed for me when I drill down to my CAS. Nothing in there at all. I started looking because my Outlook 2010 client wasn’t automatically picking up my profile, even though the autodiscover test passed fine. Investigating…

    Reply
  14. Agree, by default, this attribute specifies the Active Directory site to which the Client Access server belongs. The “keywords” attribute specifies the Active Directory sites to which this SCP record is associated.

    Reply


Disable Windows Copilot Using Intune

Windows Copilot is Microsoft’s take on making life easier for Windows users using the power of AI. This article explains how to disable the feature using Intune, if your organization is not ready yet to walk into the AI world.

Disable Windows Copilot Using Intune

We need to create a Configuration Profile for Windows devices in the Intune portal to disable Windows Copilot. Below are the steps to create the profile.

Launch the Intune portal and log in as a Global Admin or Intune Admin.

Navigate to Devices -> Windows -> Configuration Profiles.

Windows Configuration Profile Intune

Click on Create -> New Policy.

Select Windows 10 & later as the platform and Settings Catalog as the profile type & click on the Create button.

Settings Catalog Intune CoPilot

Give the policy a meaningful name & description and click Next.

Policy Name Disable CoPilot

Within the configuration settings, click on the Add Settings option.

Add Settings Disable CoPilot

Search for ‘copilot’; Windows AI comes up as the category. Click on Windows AI and the Turn off Copilot in Windows (User) setting appears. Check the box and click Next.

Turn off CoPilot Setting Intune
Turn off CoPilot Setting Intune Summary 1

Specify scope tags if required and click Next.

Select tags CoPilot Intune

Select who this policy should apply to in the Assignments section. I have selected to add all users. If you want to test the setting, you can create a test group and select that group here.

Similarly, you can also exclude certain groups (say the IT team) from the policy if required.

Add all users disable copilot intune

A summary of selected settings will be displayed. Click on the Create button to setup the policy to disable Windows Copilot.

Create configuration policy disable CoPilot Intune 1

Wait for the policy to sync to the device and log in to your machine. Your chatty Copilot should now be disabled.

Disable Windows Copilot On Windows 11 Pro

Follow the steps below to disable Copilot on a personal Windows 11 Pro machine (say your own laptop).

Search for ‘group’ in Windows 11 and click on Edit Group Policy option.

Group Policy Windows 11 Disable Copilot

Navigate to User Configuration -> Administrative Templates -> Windows Components -> Windows Copilot.

Windows Copilot GPO setting

Double click on Turn off Windows Copilot setting on the right pane.

Select Enabled and click OK.

Turn off copilot gpo Windows 11 Pro 1

Close the Group Policy Editor. This disables Windows Copilot on a Windows 11 Pro machine; sign out and back in if the Copilot button is still showing.
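For a machine that is neither Intune-managed nor domain-joined, the same result can be scripted and, more usefully, verified. This is an added example and not part of the original article. It assumes that the “Turn off Windows Copilot” policy shown above is stored as the DWORD value TurnOffWindowsCopilot under HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot, which is the key the Group Policy writes; the check function is what you would run to confirm that an Intune or GPO deployment actually landed on a test device.

```powershell
# Added example, not from the original article. Assumption: the policy is the
# registry value below (the one the "Turn off Windows Copilot" GPO writes).
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot'
$PolicyName = 'TurnOffWindowsCopilot'

function Get-CopilotPolicyState {
    # Returns NotConfigured, Disabled (policy value 1) or Enabled (any other value)
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-WindowsCopilot {
    # Create the policy key if it does not exist, then set the DWORD to 1
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -PropertyType DWord -Force | Out-Null
}

"Before: $(Get-CopilotPolicyState)"
Disable-WindowsCopilot
"After:  $(Get-CopilotPolicyState)"
# Expected: Before: NotConfigured / After: Disabled on a machine with no policy yet.
# Sign out and back in for the shell to pick up the change.
```

On an Intune-managed device, run only Get-CopilotPolicyState after the sync: a result of Disabled confirms the Settings Catalog policy has been applied to that user, which is quicker than waiting for the Copilot button to disappear.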

Summary

We have learned to disable Windows Copilot using Intune and Group Policy on Windows 11 machines.

Please let me know if you have any questions in the comments section.

Promote Windows Server 2025 To Domain Controller

Domain controllers are the backbone of any Active Directory domain in the Microsoft world. Any Windows server can be promoted to be a domain controller. In this article, we will go through the steps of promoting a Windows Server 2025 machine to be a domain controller.

Windows Server 2025

The latest version of the server operating system has been named Windows Server 2025. You can start with a 2025 Server & create an AD domain or you can promote a member server that is already a part of a domain.

The Windows Server 2025 needs to be installed on a machine before it can be promoted to be a domain controller.

Promote Windows Server 2025 To Domain Controller

If you have been working with Windows servers long enough, everything starts with the Server Manager app. Promoting a server to a domain controller is no different.

Launch ‘Server Manager’ & click on Add roles and features.

Windows 2025 Server Manager

You land on the summary page that explains what is required to run this wizard successfully. Click Next.

Windows Server 2025 Add Remove Roles

Select Role-based or Feature-based installation and click Next.

Windows Server 2025 Role Based Install

Select the server that needs to be promoted and click Next.

Windows Server 2025 Destination Server

Select Active Directory Domain Services (second option) and click on Add Features.

Windows Server 2025 AD Domain Services

Go with the default options for features that need to be installed.

Windows Server 2025 AD Domain Services Features

A summary of AD DS pops up next; click Next to continue.

Windows Server 2025 AD DS

Select Restart the server automatically if required and click Install.

Windows Server 2025 AD Restart Server

You get to keep an eye on the progress of the installation.

Windows Server 2025 AD Install Progress

Once the role has been installed, you will find an exclamation mark on the top right corner of the Server Manager. Click on that and select Promote this server to be a domain controller.

Windows Server 2025 AD Install Continue

You get an error straight away (which you have never seen before) – Error determining whether the target server is already a domain controller. Role change is in progress or this computer needs a restart.

Windows Server 2025 Domain Controller Setup Error

We never needed to restart the server after installing the role in the DC promotion process. Given that it is an insider build of Server 2025, I am hoping that this will get fixed before the public release.

Restart the server, launch Server Manager and click on the Promote this server to be a domain controller option again.

Windows Server 2025 AD Install Continue 1

I am setting up a brand new AD forest and hence I select the third option (Add a new forest) and enter my root domain name.

Windows Server 2025 Add a forest

The next window brings the option to set your forest & domain functional level and the DSRM (Directory Services Restore Mode) password. In the insider build, the functional level shows what looks like a variable name instead of the Windows Server version on which you are working. Choose a strong DSRM password and store it securely: it is the local administrator password for the DC when booted into recovery mode.

Windows Server 2025 Forest Functional Level

You can leave the default options in the DNS options wizard and click next.

Windows Server 2025 DNS Options

Enter the NetBIOS name of the domain in the next window and click Next.

Windows Server 2025 Netbios Domain Name

You can stick with the default paths for the AD database, log & sysvol folder or pick a location of your choice.

Windows Server 2025 AD Paths

Review the selections that you have made so far and click next.

Windows Server 2025 Options Review

Wait for the green check mark on the prerequisites page and click next.

Windows Server 2025 Pre reqs Check

Click Install in the final window & wait for the magic to happen. Once the machine gets restarted (which it will do automatically), you will have a brand new domain controller based on Windows Server 2025.
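The same promotion can be done from an elevated PowerShell session, which is handy when the Server Manager wizard misbehaves as it did in the insider build. This is an added example and not part of the original article. The domain name corp.example.local, the NetBIOS name CORP and the paths are placeholders; the DSRM password is prompted for rather than written into the script, and the prerequisite check is run explicitly before the forest is created.

```powershell
# Added example, not from the original article. Placeholders: domain name,
# NetBIOS name and paths. Run in an elevated PowerShell session on the new server.

# 1. Install the AD DS role and the management tools (the "Add roles and features" wizard)
$install = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if ($install.RestartNeeded -ne 'No') {
    Write-Warning 'The role install wants a restart before promotion (as the insider build did). Run Restart-Computer, then continue from step 2.'
}

# 2. Prompt for the DSRM password instead of putting it in the script
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# 3. The same prerequisite check the wizard runs before it shows the green check mark
$check = Test-ADDSForestInstallation -DomainName 'corp.example.local' `
    -DomainNetbiosName 'CORP' -SafeModeAdministratorPassword $dsrmPassword
$check.Message | Out-String | Write-Host
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check did not pass; fix the messages above before promoting.'
}

# 4. Create the new forest with this server as its first DC, DNS server and global catalog.
#    Functional levels are left at the default (the highest this build supports).
Install-ADDSForest `
    -DomainName 'corp.example.local' `
    -DomainNetbiosName 'CORP' `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force
# The server restarts automatically when promotion completes.
```

After the reboot, confirm the result with Get-ADDomainController and dcdiag before joining anything else to the new domain.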

Windows Server 2025 AD Snap In

Summary

Promoting a Windows Server 2025 machine to a domain controller follows pretty much the same steps as previous operating systems. The insider build has a few errors that need to be fixed, but hey, it is an insider build!

Please let me know if you have any questions in the comments section.

Install Windows Server 2025 – Full Guide

Microsoft has released an insider preview of its next server operating system, named Windows Server 2025. We will have a look at the installation steps involved in setting up a 2025 server.

Windows Server 2025

Microsoft has gone with the same look and feel as the Windows 11 operating system in its current server operating system, Windows Server 2025. As the product is in insider preview, there might be slight changes before it hits the public shelves.

It is refreshing to see a ‘modern’ feel in the installation process of a server operating system. Gone are the days when the installation of a consumer OS felt much better than its server counterpart.

Installing Windows Server 2025

Let’s take a look at the steps involved in setting up a Windows Server 2025 machine. First step is to download the ISO from the Windows Insider portal.

Next step is to boot the virtual / physical machine from the ISO which will kick off the installation of Server 2025.

The first option to select is the language settings. Pick the one that applies to you and click Next.

Windows Server 2025 language settings

Select the keyboard settings in the next screen and click next.

Windows Server 2025 keyboard

You get the option to select whether you want to Install Windows Server or Repair the installation. The bottom left corner also has the option to go to the previous version of setup.

Windows Server 2025 setup option

You are asked to enter the product key, which is available in the Windows Insider portal.

Windows Server 2025 product key

The next option to choose is the type of image you want to install: Windows Server 2025 Server Core or the full Desktop Experience.

Windows Server 2025 Desktop

You need to agree to the licensing terms to move forward in the next step.

Windows Server 2025 Agreement License

Select the partition on which the server OS should be installed and click next. You also have the option to slice the partitions the way you see fit in the same screen.

Windows Server 2025 Disk Partitions

The Ready to Install window comes up, click the install button.

Windows Server 2025 Install 1

Installation of Server 2025 is underway and you get to see the progress.

Windows Server 2025 Install Progress

Once the installation is complete, you need to enter an administrator password of your choice to finalize the setup. This is the built-in Administrator account, so pick a long, unique password.

Windows Server 2025 Password

And there you go! You see a Windows 11 login screen staring at you ;-)

Windows Server 2025 Login Screen

After logging in, you get to set the options around sending diagnostic data to Microsoft, which I always set as ‘required only’.

Windows Server 2025 Diagnostic Data

The Windows Server 2025 desktop looks similar, doesn’t it? ;-)

Windows Server 2025 Desktop Feel scaled

Now that the server is up and running, you can promote it to be a domain controller.

Summary

Windows Server 2025 has the same look and feel as the Windows 11 operating system. The installation options also provide that modern ‘feel’ and make it a bit soothing to the eyes!

Please let me know if you have any questions in the comments section.