I have seen this a few times recently, so I thought I would put down the definitive command that will allow you to change the internal Autodiscover URL for your Exchange 2013 and Exchange 2010 servers (most likely Exchange 2016 also).
First, a bit of background on when you may see this message. I have seen it when a client has changed their certificates within Exchange. They may have done this because they started using “split DNS”, as you can no longer put SANs (subject alternative names) on certificates for domains that you do not own. When they added the nice new shiny certificate to Exchange, they forgot to change the path to Autodiscover to match the new SAN. For example:
Old Certificate
The old certificate would normally have the following SANs configured, but now we can no longer add the internal domain names.
Autodiscover.externaldomain.com
Mailserver.externaldomain.com
autodiscover.internaldomain.com
mailserver.internaldomain.com
OWA.internaldomain.com
OWA.externaldomain.com
New Certificate
We do not need any internal SANs, so we just put the required external SANs on the certificate and create a DNS zone with the external A records that point to the internal servers.
Autodiscover.externaldomain.com
mailserver.externaldomain.com
OWA.externaldomain.com
Forgetting to Change the Internal Autodiscover URL
The problem with the above is that when your users fire up Outlook they will get a certificate error.
To resolve this, first make sure this is indeed the issue: let's check whether the URLs are incorrect. To do so, run the following command.
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
If it lists any URL that does not match the SANs on your certificate, then we need to change those URLs. We do so with the following command.
Set-ClientAccessServer -Identity OLD_SERVER -AutodiscoverServiceInternalUri https://correct_Autodiscover_URL
Also, yes, that is NOT a typo: the parameter name really does say “Uri”, not “Url”!
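The check described above can be scripted. The following is an added example, not part of the original post: it compares the host in each server's AutodiscoverServiceInternalUri against a certificate's SAN list, including wildcard SANs, which goes slightly beyond the case in the text. The function name Test-HostInSan, the server name NEW_SERVER and the sample URIs are assumptions constructed for illustration.

```powershell
# Added example (hypothetical helper, written to run on PowerShell 2.0 and later).
function Test-HostInSan {
    param(
        [Parameter(Mandatory=$true)][string]   $HostName,
        [Parameter(Mandatory=$true)][string[]] $San
    )
    $h = $HostName.ToLowerInvariant()
    foreach ($name in $San) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $h) { return $true }              # exact, case-insensitive match
        if ($n.StartsWith('*.')) {
            # A wildcard SAN covers exactly one left-most label:
            # *.externaldomain.com matches owa.externaldomain.com,
            # but not a.b.externaldomain.com or externaldomain.com itself.
            $suffix = $n.Substring(1)                # ".externaldomain.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Constructed sample data using the example names from this post.
# In the Exchange Management Shell, $servers would instead be the output of
# Get-ClientAccessServer, and $certSan the names on your new certificate.
$certSan = 'Autodiscover.externaldomain.com',
           'mailserver.externaldomain.com',
           'OWA.externaldomain.com'
$servers = @(
    (New-Object PSObject -Property @{
        Identity = 'OLD_SERVER'
        AutodiscoverServiceInternalUri = 'https://autodiscover.internaldomain.com/Autodiscover/Autodiscover.xml' }),
    (New-Object PSObject -Property @{
        Identity = 'NEW_SERVER'
        AutodiscoverServiceInternalUri = 'https://autodiscover.externaldomain.com/Autodiscover/Autodiscover.xml' })
)

# Report, per server, whether the Autodiscover host is covered by the certificate.
$servers | Select-Object Identity,
    @{ n = 'UriHost';       e = { ([uri]$_.AutodiscoverServiceInternalUri).Host } },
    @{ n = 'CoveredByCert'; e = { Test-HostInSan -HostName ([uri]$_.AutodiscoverServiceInternalUri).Host -San $certSan } }
```

With the constructed data, OLD_SERVER is reported with CoveredByCert False and NEW_SERVER with True; any server showing False is one whose internal URI still needs changing with Set-ClientAccessServer.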