Configure DNS records
Estimated time to complete: 15 to 20 minutes
Now that you've configured your pre-existing Exchange servers and new Exchange 2016 servers, it's time to change your DNS records to direct connections to your new Exchange 2016 servers. You'll move the host names (for example, mail.contoso.com) users have been using to connect to Outlook Web Access (now known as Outlook on the web in Exchange 2016), Autodiscover, and so on, from your pre-existing Exchange servers to your Exchange 2016 server. When a user whose mailbox is on a pre-existing Exchange servers tries to open their mailbox, the Exchange 2016 server will proxy the request and communicate with the Exchange server that hosts the mailbox. Configuring DNS includes the following:
Change the primary host names, such as mail.contoso.com, autodiscover.contoso.com, and owa.contoso.com (if used), to point to the external, publicly accessible IP address of the Internet-facing Exchange 2016 Mailbox server with your public DNS provider.
Change the primary host names, such as mail.contoso.com (or internal.contoso.com if you're using different internal host names) and owa.contoso.com (if used), to point to the internal machine name of the Exchange 2016 Mailbox server on your internal DNS servers.
Important
Read this topic completely before starting.
You might need to make changes to your firewall to support the new Exchange 2016 server. You also might need to add new firewall rules, add an external IP address for your Exchange 2016 server, or make other configuration changes. If your organization has a network management group, a security review process, or change management process, you may need to request permission to perform these changes or have someone else make them for you.
How do I configure my public DNS records?
To send users to your Internet-facing Exchange 2016 Mailbox server, you need to configure the existing DNS host (A) record with your external DNS provider. The public DNS records should point to the external IP address or FQDN of your Internet-facing Exchange 2016 Mailbox server and use the externally accessible FQDNs that you've configured on your Mailbox server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.
Note
Instead of changing the DNS records to point your public DNS records to a new external IP address for your Exchange 2016 Mailbox server, you can reconfigure your firewall to route connections for the original IP address to the Exchange 2016 server instead of the Exchange 2010 server. The pre-existing Exchange Client Access server no longer needs to be accessible from the Internet because all connections will be proxied by the Exchange 2016 server. If you choose to reconfigure your firewall, you don't need to change your public DNS records.
Important
Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed.
| FQDN | DNS record type | Value |
|---|---|---|
contoso.com |
MX |
Mail.contoso.com |
mail.contoso.com |
A |
172.16.10.11 |
owa.contoso.com |
CNAME |
Mail.contoso.com |
autodiscover.contoso.com |
A |
172.16.10.11 |
How do I configure my internal DNS records?
You choose whether you want users to use the same URL on your intranet and on the Internet to access your Exchange server or whether they should use a different URL. What you choose depends on the addressing scheme you already have in place or that you want to implement. If you’re implementing a new addressing scheme, we recommend that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange server because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure. For more information about administering DNS zones, see Administering DNS Server.
Configure internal and external URLs to be the same
To send users to your Exchange 2016 Mailbox server, you need to configure the existing DNS host (A) record on your internal DNS servers. The internal DNS records should point to the internal host name and IP address of your Exchange 2016 Mailbox server. The internal host names you use should match the external host names, for example, mail.contoso.com and owa.contoso.com. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.
Important
Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed.
| FQDN | DNS record type | Value |
|---|---|---|
mail.contoso.com |
CNAME |
Ex2016.corp.contoso.com |
owa.contoso.com |
CNAME |
Ex2016.corp.contoso.com |
autodiscover.contoso.com |
A |
192.168.10.10 |
Configure different internal and external URLs
To send users to your Exchange 2016 Mailbox server, you need to configure the existing DNS host (A) record on your internal DNS servers. The internal DNS records should point to the internal host name and IP address of your Exchange 2016 Mailbox server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.
Important
Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed.
| FQDN | DNS record type | Value |
|---|---|---|
internal.contoso.com |
CNAME |
Ex2016.corp.contoso.com |
autodiscover.contoso.com |
A |
192.168.10.10 |
How do I know this worked?
To verify that you successfully configured your public DNS records, do the following:
Open a command prompt and run
nslookup.exe.Change to a DNS server that can query your public DNS zone.
In
nslookup, look up the record of each FQDN you created. Verify that the value that's returned for each FQDN is correct.
Now verify that you can access your Exchange 2016 server using your primary host name. Using a computer outside of your internal network, open your favorite browser and browse to the Outlook on the web URL of the Exchange 2016 server, for example, https://mail.contoso.com/owa. Perform the two following three tests:
Log into an Exchange 2016 mailbox Log into an Exchange 2016 mailbox and verify that you can access the contents of the mailbox without any certificate warnings or other errors. Log out and close your browser. If you need to create a new Exchange 2016 mailbox, see Create user mailboxes.
{#Text:E16Ex2010Mailbox#}
Log into an Exchange 2010 mailbox Log into an Exchange 2010 mailbox. When you log into this mailbox, you will be proxied to your Exchange 2010 Client Access server (the URL in the browser address bar stays the same). Verify that you are logged in, that you can access the contents of the mailbox, and that you don't receive any certificate warnings or other errors.
{#Text:E16Ex2013Mailbox#}
Log into an Exchange 2013 mailbox Log into an Exchange 2013 mailbox. When you log into this mailbox, the Exchange 2016 Mailbox server will open the mailbox directly, without the need to be proxied through an Exchange 2013 Client Access server. Verify that you are logged in, that you can access the contents of the mailbox, and that you don't receive any certificate warnings or other errors.
Test inbound and outbound mail flow Send a message from an external mail provider, such as outlook.com, to Exchange 2016 and pre-existing mailboxes. Verify that the message is received successfully. Reply to the message from each mailbox and verify that the external recipient receives the message. You can also use the Message Analyzer in the Microsoft Remote Connectivity Analyzer to examine the message headers of the messages you sent and received to verify the path the message took.
With the exception of the mail flow test, repeat the previous tests from a computer inside your network to test your internal DNS configuration. If you've configured your internal DNS records to use the same host names as your external DNS, attempt to access an Exchange 2016 and pre-existing mailbox using those host names, for example mail.contoso.com or owa.contoso.com. If you've configured your internal DNS records to use a different host name, attempt to access an Exchange 2016 and pre-existing mailbox using the internal host name, for example, internal.contoso.com.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.