How can I read Exchange Autodiscover configuration information to obtain the domain controller's computer name?

To read configuration information, send a POST request to `/autodiscover/autodiscover.xml` with NTLM authentication and include the user's email in the `X-Anchormailbox` header. The response (gzip compressed) contains elements like `LegacyDN` and `AutoDiscoverSMTPAddress`. For Exchange 2013 and earlier, the `AD` (domain controller computer name) is included. For Exchange 2016, use a more universal method: send a SOAP request to `/autodiscover/autodiscover.svc` requesting `ActiveDirectoryServer` in the user settings. This is covered in detail in the original article Penetration Basics - Using Exchange Autodiscover.