Solved

Public folder replication not working on Exchange 2007?

Posted on 2008-06-24
76
5,399 Views
Last Modified: 2011-10-19
I believe the reason i am still getting the (0x8004010F) (OAB error) is becasue public folder replication is not working on the Exchange serve, below is the error i get when i click on update OAB Version2 in the public folder management console, how can i troubleshoot this?

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
Action 'Update Content' could not be performed on object 'OAB Version 2'.

OAB Version 2
Failed
Error:
Cannot start content replication against public folder '\NON_IPM_SUBTREE\OFFLINE ADDRESS BOOK\/o=ROM Group Limited/cn=addrlists/cn=oabs/cn=Address book\OAB Version 2' on public folder database 'APPLE\Public Folders\Public Folder Database'.

MapiExceptionNoReplicaAvailable: StartContentReplication failed. (hr=0x80004005, ec=1129)
Diagnostic context:
    Lid: 1494    ---- Remote Context Beg ----
    Lid: 31229   Error: 0x0
    Lid: 21970   StoreEc: 0x8004010F PropTag: 0x66980102
    Lid: 9206    StoreEc: 0x469    
    Lid: 9206    StoreEc: 0x469    
    Lid: 9206    StoreEc: 0x469    
    Lid: 9206    StoreEc: 0x469    
    Lid: 9206    StoreEc: 0x469    
    Lid: 1267    StoreEc: 0x469    
    Lid: 19865   StoreEc: 0x469    
    Lid: 27225   StoreEc: 0x469    
    Lid: 1750    ---- Remote Context End ----
    Lid: 26322   StoreEc: 0x469    




--------------------------------------------------------
OK
--------------------------------------------------------
0
Comment
Question by:Mandev23
  • 42
  • 32
  • 2
76 Comments
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
are you using outlook 2003 or older ?
you could try to reconfigure the OAB generation on the server & see if it works..

are you replicating the oab from an 2003 server?
0
 

Author Comment

by:Mandev23
Comment Utility
I am using both outlook 2003 and 2007... but Exchange server 2007.

How do i reconfigure OAB generation..?

- i think this is the problem, and the reason why i am getting the offline address book error (0x8004010F)
0
 

Author Comment

by:Mandev23
Comment Utility
Do i need to do anything with the command shell below? -  internal/external url's

[PS] C:\Documents and Settings\bossman\Desktop>Get-autodiscovervirtualdirectory |fl


Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://apple.romgroup.com/W3SVC/1/ROOT/Autodiscover
Path                          : D:\Exchange\ClientAccess\Autodiscover
Server                        : APPLE
InternalUrl                   :
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=APPLE,CN=Servers,C
                                N=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN
                                =ROM Group Limited,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=romg
                                roup,DC=com
Identity                      : APPLE\Autodiscover (Default Web Site)
Guid                          : 9287ac26-8d92-47b4-ac2f-15dbd64a5266
ObjectCategory                : romgroup.com/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 20/06/2008 20:33:30
WhenCreated                   : 20/06/2008 20:33:22
OriginatingServer             : plane.romgroup.com
IsValid                       : True
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
;) don't mix up the issues...
if you'll need autodiscover help i will be more then happy to assist!

test outlook 2003 first.

EWS will be easy to setup once you'r sure the base configuration works .. keep us posted
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
** to reconfigure the OAB , under organization , check the offline address book tab to see which server does generation
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz
i just thought autodiscover might be related to OAB.

Can we test with outlook 2007 please? i'm using outlook 2007.

our exchange server name is apple. Apple is doing the offline line address book generation under organization...
0
 
LVL 35

Expert Comment

by:rakeshmiglani
Comment Utility
is your OAB enabled for web generaton?
0
 

Author Comment

by:Mandev23
Comment Utility
yes it is enabled, public folder replication is also ticked...

for outlook 2003 and later (version 3/4) - we are using a global address list in outlook...
0
 
LVL 35

Expert Comment

by:rakeshmiglani
Comment Utility
you can check http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23488191.html
It has quite a lot of steps that you can check.
0
 

Author Comment

by:Mandev23
Comment Utility
Hi rakeshmiglani

I have followed the below link and set the diagnostic logging to 'expert', and typed in Update-OfflineAddressBook Identity Default Offline Address List, with no errors, but outlook clients still fail to download the OAB with error 0x8004010F when configuring cached mode:...??

http://blogs.msdn.com/dgoldman/archive/2007/05/09/after-installing-an-exchange-2007-server-in-to-a-mixed-site-the-oab-generation-fails-with-error-9342-and-outlook-clients-fail-to-download-the-oab-with-error-0x8004010f.aspx

i'm still sure it is to do with the error originally stated when opening the question (above) how else can this be rectified...? - i get the 0x8004010F error when configuring outlook in cached mode/offline mode
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
online mode doesnt download oab.. it doesn't need it ;)
as for the outlook 2007 issues, as i said it's a diffrent topic.
one thing you might try is to re-select the offline address book , when viewing properties on the respective user's databse..


please confirm that in outlook 2003 , the behavior is the same.
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

online mode its fine, its only when i configure cache mode users experience this outlook 0x8004010F error. As far as i am aware it is happening for outlook 2007 users.

As originally posted, please can you guide me on solving the public folder error, as i believe it is the reason why users are getting this outlook OAB error..?

0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
ok, so as i see it it's just a matter of a few cmdlets..
i'll keep it simple , and leave you to read on how it works :)
http://technet.microsoft.com/en-us/library/bb332063.aspx

if you have configured a single cas that is facing the internet (with no isa2006) you probably have created already a certificate that matches your owa.domain.com address.

i found the following to be the most simple method to fix it and here's the commands:
one guideline - all clients must resolve webmail.lab.com & be able to authenticate , ntlm is more "nice" for lan experience..

hope it works.

1. Change the SCP in activedirectory :

Set-clientaccessserver id ex2k7 AutoDiscoverServiceInternalUri https://webmail.lab.com/autodiscover/autodiscover.xml
 

2. configure OAB external url

Set-OABVirtualDirectory -identity "ex2k7\OAB (Default Web Site)" -externalurl https://webmail.lab.com/OAB -internalurl https://webmail.lab.com/OAB -RequireSSL:$true
 

3. configure the EWS external url

Set-WebServicesVirtualDirectory -identity "SERVER\EWS (Default Web Site)" -externalurl https://webmail.lab.com EWS/Exchange.asmx -internalurl https://webmail.lab.com EWS/Exchange.asmx 

Open in new window

0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

You want me to change internal/external URL's for the above directories to point to the external CAS address? will this not cause autodiscover issues for internal users? - i guess i firstly need a SAN cert which authenticates to the below addresses first?

our internal OWA address: https://apple.romgroup.com/owa
our external OWA address: https://apple.romgroup.co.uk/owa
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
well , as i said autodiscover issues is somthing eles :)

i assumed you use a single all-in-one server , are you ?
do you use isa 2006 to publish the exchange ? or are you using NAT on an external firewall to publish your exchange to the internet ?

as for the urls , do you use "split dns" configuration ? do you hold the romgroup.co.uk zone in your internal dns ? (even if its not published to the internet) ?
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
** if you do use a SAN cert , then we should do somthing eles..
im using the single CN cert example...
0
 

Author Comment

by:Mandev23
Comment Utility
Hi

Yes we are using an all in one server with all the roles. We dont use isa, we are using iis 6.0. I have NAT'd exchange servers public ip address, and had it pointed to https://apple.romgroup.co.uk/owa, for OWA access. I would have liked to use apple.romgroup.com but we didnt own the domain.

I have a zone in windows DNS for romgroup.com and another for rom.co.uk, shall i create a zone for romgroup.co.uk ..?

Thanks for your help, i hope we can sort this, i will continue to check this forum today.
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
yes , and create all the relevant records you have on the domain in the "real world"
that is , your www, any other server you have outside of lan.

when you create the A records , create them using the LAN IP , so that client will not go thru the firewall.
this will allow you to use the same name for inside/outside lan.

then the suggestion i explained will work :)
have fun
0
 

Author Comment

by:Mandev23
Comment Utility
If you can tell me how to point our internal/external users to apple.romgroup.com/owa (or a similar website), that would be ideal? and if it makes this process easier... then maybe we can use a single cert (CN)..?

Just as a note, we dont configure our public DNS, a 3rd party company does that for us...
0
 

Author Comment

by:Mandev23
Comment Utility
Shall i change the URL's for the three virtual directories as stated first...?

0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
as soon as you create the DNS zone . yes
then test from client outlook 2007.
0
 

Author Comment

by:Mandev23
Comment Utility
What entry shall i include in this DNS zone for romgroup.co.uk....?



Thanks
0
 

Author Comment

by:Mandev23
Comment Utility
Just to confirm:

1. in the romgroup.co.uk Zone i need to create a New Alias for 'www' and point it to Exchange's internal IP address?
2. What A record's or other records do i need?
3. Then point the URL's for the virtual directories above to the external OWA address

My concerns are the certificate on the server is pointing to the servers FQDN? I'm going to need another certificate... the reason i ask is i'm still confused on how to use 1 OWA website for both internal and external...

Appologies i dont know much about DNS
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
"create all the relevant records you have on the domain in the "real world"
that is , your www, any other server you have outside of lan."

by that i've ment for the following example:
nslookup www.romgroup.co.uk = 81.3.74.50
this should happend now , and the answer is non-authorative. that means your DC does NOT hold the zone , and it preformed a recrusive lookup and got it from the "real dns" that holds it .. probably your ISP.

by creating the roomgroup.co.uk zone in your your dns , your DC will hold the zone , and by that will be authorative. that means that asking your DC with nslookup www.romgroup.co.uk , will result in no answer.
this is why i've asked you to create any relevant records you do hold on the real world in the new zone you created. so clients will continue to resolve www.romgroup.co.uk = 81.3.74.50 , within the lan.

on the other hand , we need to create an A record for webmail so it will point to the INTERNAL ip of the server , and not the external , so we could bypass firewall and save us trouble.

you should recreate your SSL certificate so the Common name will be just webmail.romgroup.co.uk , then all the settings will be vaild , within the lan , and outside :)
0
 

Author Comment

by:Mandev23
Comment Utility
hi ilantz

Thanks for the response. We dont hold any records in our windows DNS for the real world, it is just an internal DNS and has nothing to do with the outside world. An external company hosts our website e.g. www.rom.co.uk..

i have created an A record for romgroup.co.uk which points to internally 200.200.100.112 (exchange)

You mentioned changing the cert on the server, but i thought the cert on the server had to match the FQDN of the server?
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

i havent changed the URL's for the virtual directories yet. So far i have created the romgroup.co.uk internal DNS zone, added an A record for romgroup.co.uk which points to the internal IP of Exchange, is this correct?

if anything needs to be added in the public DNS, please let me know...

What is the next step in solving this..? are we going to continue to have two URL's for OWA, 1 for internal and another for external then...
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
you wont have 2 url's that's the fun of split dns .

please read again my last comment regarding any records.
if you did created the zone internally , then i guess you cannot access www.romgroup.co.uk :) if you do access it , i guess you understood .

execute the cmdlets i've wrote before for the change of url's.
run iisreset , after you finish.

you'll be good to go.
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

www.romgroup.co.uk is accessible, but it goes directl;y to one part of our company website... how do i get it to reach OWA...?

We seem to have two issues;  1. OWA access via one URL   2. Public folder replication issue

i'm getting confused on what we are trying to accomplish. I previously pointed the URL's for the virtual directories you stated to the external address, but public folder replication was still not working....i get the same error on the server....? i dont get no errors in the event viewer when the OAB is generated, but the replication is not working.... i still believe this is the reason i am still getting the (0x8004010F) (OAB error)
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
office 2007 works via web services when exchange 2007 is used.
by that you must ensure the OAB is available with HTTPS , not public folders.

that's the real problem.
the number 2 error is happening because the 2007 doesnt holds a replica of the oab version 2 folder..
you could try to fix , but it's not a must..

try to see that you receive vaild data in the autodiscover response by , hold CTRL, right click on the taskbar outlook icon, and click "test- e-mail autoconfiguration" .

as far as i see it you have only issue with the webservices of exchange 2007.

all the best.
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz
thanks for the clarification, i thought error number 2 was directly related to this OAB error, i read on the web one of the reasons it doesnt work is to do with local replica's on the server not working... but as you said i can concentrate on the https side of things....

Going back to the virtual directory URL changes, i have the internal/external URL's to point to the external OWA address (https://apple.romgroup.co.uk) - successful.

1. However when i change the clientaccessserver autodiscoverserviceinternaluri to point to the external address, outlook 2007 clients get a security alert saying the name of the cert does not match...? does this mean i need some kind of SAN cert which supports both domain names (FQDN of server; apple.romgroup.com and apple.romgroup.co.uk).....?

2. Test email configuration while on the networks seems to give me a response.. (see attached)



test-emailconfig2.doc
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
you should make sure that every url you see there is https://apple.romgroup.co.uk , i see that internal OAB address is incorrect.

besides that you could recreate the certificate to be a single name CN : apple.romgroup.co.uk , you'll be good.

* make sure you run all the commands i wrote back up..
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

URGENT - After changing the internal url's to point externally, outlook clients could no longer sucessfully complete a send/recieve..? i had to change the internal url's (for oab/web services) to point back to the internal server name, the send/recieve kept hanging around 50-60%..?

as with the previous post, the url for the clientaccessserver i havent changed at the moment because of the security alerts outlook clients were facing...

????
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

when i pointed the internal url for the oab, outlook clients got the (0x8004010F) internally, this i think is because apple.romgroup.co.uk is not accessible inside the network as it is a NAT'd address, the it wont find it... i've had to change it back to point to the FQDN of the server...

?
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

see attached for details of from the exchange mangement console, i believe the cert for the cert needs to be pointing to the server name, not apple.romgroup.co.uk - therefore i dont think i am supposed to change the cert name to its external name, unless i use a SAN..  ? correct me if i'm wrong

NOT WORKING FOR CACHE USERS:
changing the internal url's for oab and web services was not succesful this morning...I FOUND IT WAS NOT WORKING FOR USERS WHO HAVE CACHE MODE/OFFLINE MODE CONFIGURED why is this happening?? bearing in mind i havent changed the url for the clientaccessserver autodiscoverserviceinternaluri yet because of the security alerts we are getting.... are these internal url's meant to be pointing to external url's....??


EMC.doc
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
"this i think is because apple.romgroup.co.uk is not accessible inside the network as it is a NAT'd address, the it wont find it... i've had to change it back to point to the FQDN of the server..."

this is my friend exactly the reason why i've instructed you to create a split dns configuration.
and you should have created an a record for apple , and fill in the LAN ip of the server.

a single name certificate & single naming on the server is my best practice for all-in-one.
i rather go that way, to keep it simple. all functions works inside/out and same url's.
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

Appologies, in my windows DNS i have now added an A record in the romgroup.co.uk zone which points to the LAN ip of exchange... maybe now i can try revert the url's to point to apple.romgroup.co.uk and test when i am next in the office...

this still brings me to the question of the cert name on the server which is currently pointing to the FQDN.. i ran the below syntax in EMC to create a cert with multiple names:

New-ExchangeCertificate -DomainName apple.romgroup.com, apple.romgroup.co.uk, autodiscover.rom.co.uk, autodiscover.rom-tech.co.uk, autodiscover.rfa-tech.co.uk, -FriendlyName
 RomGroup -GenerateRequest:$True -Keysize 1024 -path c:\romgroup.req -privatekeyExportable:$true -subjectName "c=uk, o=Rom, CN=apple.romgroup.com"

how shall i solve this cert issue? a friend of mine is going to show me how to use 1 url (FQDN) for OWA internally/externally, maybe then this will be a way forward?


0
 

Author Comment

by:Mandev23
Comment Utility
once dns has replicated i will test again, after i have changed the url's for oab and web services to point externally... i'm reluctant to change the url destination for the clientaccessserver url until i'm certain outlook clients will not get the autodiscover security alert when they open outlook 2007... this co-insides with the cert name... i just need some advice on what to do with the cert, i know on one hand it needs to match the FQDN of the server and secondly OWA external address...

?

would be good to contact you directly via telephone:)
Thanks for all your help so far...
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
New-ExchangeCertificate -DomainName apple.romgroup.co.uk -FriendlyName RomGroup -GenerateRequest:$True -Keysize 1024 -path c:\romgroup.req -privatekeyExportable:$true

run this. single name certificate. ;)
then import & enable-services ..

no sweat happy to assist it's a good practice

p.s to get the autodiscover services & web services outside the lan , create an SRV record in the public DNS , with the following info:
host: apple.romgroup.co.uk
protocol: tcp
port: 443

all outlook 2007 clients should be sp1 updated.. very easy.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:Mandev23
Comment Utility
I dont have access to our public DNS, a 3rd party company control our public dns, but i can get that arranged... when you mean outside the LAN do you mean via VPN?

before i add the apple.romgroup.co.uk cert, internally users access OWA via https://apple.romgroup.com, the certificate wont match...? which brings me to my earlier question of needing syntax for a SAN cert...? unless there is anothe way users internally should be accessing OWA  (internally https://apple.romgroup.co.uk/owa is NAT'd therefore not accessible...)
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
with no VPN, over HTTPS (if you opened your firewall to the server via 443).

you'll have a single URL this way. clean and simple..
and as i said , apple.romgroup.co.uk , should be resolved to the server LAN ip , not the firewall NAT ip it has. that's the hope point.
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

quick update. I have now configured OWA to point to https://apple.romgroup.com/owa internally and externally with 1 cert in IIS pointing to the FQDN of the server.. i hope this is a positive step... i was able to do this because we now own the romgroup.com domain..

internally: https://apple.romgroup.com/owa  >> internal address
externally: https://apple.romgroup.com/owa >> external address (87.86.13.54)

1. shall i now point the virtual server directory url's all to romgroup.com...? and re-test?



0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
why can't you stick with the plan ?
let me know how your tests are going because we've went over the stages like 5 times already :)
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

As we have been working on this for a while i just wanted re-clarify and make you aware, the (0x8004010F)  error is only affecting outlook 2007 clients who are configured to use cache mode.... they experience this error.

the firewall is open on 443

i am more than happy to stick with your method...  i havent changed nothing to affect what we were doing, only another external OWA address.

(ilantz)"..and as i said , apple.romgroup.co.uk , should be resolved to the server LAN ip , not the firewall NAT ip it has. that's the hope point..."

-This doesnt seem to be working still, i have a split windows DNS with a zone for romgroup.co.uk - an A record for apple.romgroup.co.uk pointing to exchange server
-all the virtual directory url's pointing to apple.romgroup.co.uk
-cert name is the fqdn of server

- outlook 2007 clients still get the OAB error (0x8004010F)

i have tested whilst on the VPN, which is the same as being on the network, i can test in the office on Monday... as i posted earlier i'm worried because outlook 2007 clients who were configured to use cache mode, their send/recieive status was not completing after changing the url destinations... maybe the addition of the A record will sort this...

see attached for my IIS directories...
iis.doc
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
i'm sorry then.. maybe try turning outlook logging & check out why its failing.
all the issues i've met with this problem were solved out with url's / certs / nat -firewall  fixes.
0
 

Author Comment

by:Mandev23
Comment Utility
Please see attached, which shows details of the virtual directories in the exchange management shell:

i will give you feedback on monday about this, when i can test in the office like i did Friday. Thats when 2007 cache mode users experienced the difficulties with send/recieve status; when i changed these url's  

an immediate result would be if users no longer get the autodiscover security alert, as all URL's including the clientaccessserver url is pointing to apple.romgroup.co.uk.  i hope the the DNS A record change will take affect...  i also included an A record for autodiscover which points to the LAN IP

Doc2.doc
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
make sure you use the correct certificate on iis. check it with the gui or powershell.
and iisreset, after changes.
0
 

Author Comment

by:Mandev23
Comment Utility
the certificate in IIS points to its FQDN -   apple.romgroup.com
i've never changed it... that why i was asking if i had to use a SAN as i'm dealing with two domain names; apple.romgroup.com and apple.romgroup.co.uk....

?
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
you said owa from outside is apple.romgroup.co.uk , and the solution is single cn. it must be apple.romgroup.co.uk  .
0
 

Author Comment

by:Mandev23
Comment Utility
internally OWA is accessed via https://apple.romgroup.com/owa, that means if i change the cert to romgroup.co.uk they will get a cert authentication error...

unless there is another way they can access it...

0
 

Author Comment

by:Mandev23
Comment Utility
but correct externally it is https://apple.romgroup.co.uk/owa  

0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
so internal will be same url. once you change it.
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

i've mentioned this before, internally https://apple.romgroup.co.uk/owa is not accesible as it is a NAT'd address and not accessible inside the firewall...
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

RESULT via HTTPS:
going back to one of your eariler posts of getting it work using HTTPS, that part seems to work. My outlook can connect to exchange via the web, i dont get the (0x8004010F) error, i only have two autodiscover security alerts, which i believe maybe solved when i create the SRV records in the public DNS? This worked when on exchange i set the internal URL's for oab/clientaccessserver/web services to the internal address and the external url's to apple.romgroup.co.uk ...so it is recognising apple.romgroup.co.uk as the external URL and pulling the information into Exchange (so this works!!?).  This did not work when i set all the url's to point to apple.romgroup.com or apple.romgroup.co.uk, i had to specifically state different internal/external url's...

i guess the problem is through the VPN. I have to ammend the local host file to recognise exchange server's IP (200.200.100.112 - apple.romgroup.com), otherwise it cannot resolve and connect to exchange. i have to ammend the host file for all servers i want to connect to. Would this host file entry have anything to do with it? i dont think it should because, we are on the network, and the internal url is set to apple.romgroup.com -  so i shouldnt get no OAB errors....?
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
hey , i'm glad somthing worked at last ;)

i didn't get you fully.
please confirm each step you've made so i could understand exactly what you've done and not ...
the autodiscover service inside lan , should be okay once you've ran the set-clientaccess cmdlet with the information i've wrote.

IIS reset is a must , dont skip this phase.
let me know what comes up.
0
 

Author Comment

by:Mandev23
Comment Utility
i tested connecting to exchange via https (formerly known as rpc over http):

HTTPS
1. -In outlook went to Tools, Account settings, More settings, connection, clicked on connect to microsoft exchange using http, in connection settings entered apple.romgroup.com, ticked the below boxes and selected Basic authentication (see attached). This worked and gave me no errors, other than an autodiscover alert (autodiscover.rom.co.uk..)... i had no offline address book errors.
-In exchange server i set the internal url's for oab/web services/clientaccess to point to apple.romgroup.com and external url's to apple.romgroup.co.uk... >> this worked...
-i removed any entries in the local host file which resembled apple.romgroup.com

VPN
2. On the other hand i was trying to explain to you how we connect to resources via the VPN. This is done by adding entries to the local host file on the computer, so we can connect to mstsc sessions, use outlook etc. It is through the VPN i get the (0x8004010F) error. If i do not add the entry apple.romgroup.com 200.200.100.112 in the host file outlook does not connect through the VPN. i think it is clear the external url is working as i didnt get no send/recieve errors when connecting via https (above), the problem is through the VPN...

are we making some improvement?
HTTPS.doc
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
yes !
good to hear, as i see your already managed to get the principle of the cas config...

you should  set the outlook anywhere to the external owa address as well btw.
autodiscover alert will be resolved once you configure the srv record as i wrote (outlook 2007 sp1)

as for vpn you should try testing and monitoring your firewall ... could be just that.
follow name resolution as debug always :)


good luck !
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

Good to hear from you... do you understand what i wrote? Outlook anywhere is set to the external address...  i will have created the public dns entries tommorrow...

just like you said, the VPN cannot resolve IP > Names unless specified in the host file...

the firewall is open for all services via the VPN... do you think it is anything to with local replica's on the server not working? as per my original post...? because i just cant get rid of this OAB error - i'm desperate to get it sorted....
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
no you wrote : "-In outlook went to Tools, Account settings, More settings, connection,clicked on connect to microsoft exchange using http, in connectionsettings entered apple.romgroup.com " :) while all the ews/oab is set to .co.uk !

if the clients in the vpn are able to route to the internal ip of the exchange and use full mapi , then they should resolve only the .com names.

you can always use the outlook logging it really helps ! and double check the connections the client makes with : netstat -ano

i'm sure you'll catch it, and you'll be more then satisfied when you will !hehe the poweshell does it to ya.
0
 

Author Comment

by:Mandev23
Comment Utility
good point, i set the ews/oab external url's to point to .co.uk -  the cert on the server is .com, bingo! that will explain the reason why i am getting the first security alert 'apple.romgroup.co.uk'  when opening outlook 2007 via https... i need a SAN cert here to accomodate the .com and .co.uk addresses, i cant have one or the other .... correct?

as for the autodiscover security alert which is('autodiscover.rom.co.uk') -  i've already had setup a public record which points to exchanges external ip, is this not right?

how can i make use of outlook logging? where is this functionality...

i cant believe how difficult outlook 2007 is, i've had so many issues with autodiscover and OAB, which i still havent resolved properly :-(

0
 

Author Comment

by:Mandev23
Comment Utility
i should really focus on getting it working through the VPN, we wont be using it via https only, the clients will always be connecting though the VPN. I have no autodiscover alerts via the VPN just that horrible (0x8004010F) error when setting up cache mode...

thinking about this logically... when on the VPN, i am on the network, so outlook will be communicating with exchange via the .com URL not .co.uk... so it must be an internal setting in DNS or on exchange that is not working correctly... what you think?

i have a romgroup.com zone, in which there is an A record for apple.romgroup.com pointing to internal IP.... there is alot of information out there to with the problem originally posted with this question, i'm thinking it must be to do with replica on the server not working....look at the below link: http://msexchangeteam.com/archive/2007/04/19/437902.aspx
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
well if from lan & outside it works, then only vpn is issue , check the rules.

0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

good point, it does work via https... (when i remove the POP account and the host file entry)

i noticed when i use a proxy address in internet options, i cant send/recieve succesfully in outlook 2007, it hands between 50-80%.....

what could be preventing the OAB downloading through the VPN? i will re-check the rules, but we dont control the VPN, and the last i spoke with the company, everything was open and accessible. it should be pulling the OAB while on the VPN from https://apple.romgroup.com/oab , remember there is also an entry in the host file for apple.romgroup.com which points to the internal IP so we can connect to exchange....
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
can you open the out of office assistance while in VPN ?
if not its quite possible that https is not allowed from vpn to lan.

the send/recieve get stuck because in this process it also check the oab , so it stuck.. it cannot find it :)
0
 

Author Comment

by:Mandev23
Comment Utility
VPN:
i can't access out of office assistance in the vpn (see attached)... what shall i found out from the company who setup our VPN? the last we spoke all services were open...  has this got anything to do with the below section...

HTTPS:
ilantz i've been thinking about this. I have to remove the local host file entry for apple.romgroup.com > 200.200.100.112 otherwise outlook does not connect. This is because it is trying to connect to .com via https which is pointing to 87.86.13.54, so when i remove the host file entry it works. But i get a 'apple.romgroup.co.uk' security alert and autodiscover.rom.co.uk security alert... which i believe will be solved when i ask to have public records (SRV) for autodiscover and apple.romgroup.co.uk

shall i create the apple.romgroup.co.uk public dns record and point to external ip?
i already have a public dns record for autodiscover.rom.co.uk which also points to external ip, but i still get the security alert, i think this is because the cert on the server is .com, and the clientaccessserver url is pointing to .com. the clientaccessserver also needs to be pointing to .co.uk and the server needs to authenticate to this...

correct??
Out-of-hours-via-vpn.doc
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
just make sure resolution works. it's too confusing already :)
sort it simple , inside names & ip's & outside.

same nameing for inside/out = easy life.
you contiune to make it hard on your self :)
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

sorry i was just trying to explain the reason for the host file entry.

i have been told there are NO restrictions on the VPN....

i cant get it to work with the same names inside/out, i mentioned this to you before, and as explained there are a number of reasons why. You said to change all URLs to point to .co.uk, below were the results:

1. cert name error when i change the clientacccess url to point to .co.uk (.co.uk/.com) - i would need a SAN

2. when i change all the virtual directory urls to point to .co.uk - outlook clients cannot succesfully send/receive..

3. i think i will have to stick with using the 2 URL's, which i know works... except via the VPN!!!!?
0
 
LVL 6

Accepted Solution

by:
ilantz earned 500 total points
Comment Utility
its only name resolution or access rules as i see it.

single name/multi (san) , as you like , no must here.
just concentrate on the diffrente resolution while in vpn.

nothing more on exchange side as i see it.
0
 

Author Comment

by:Mandev23
Comment Utility
correct, i'm glad we got that cleared, i'm sure the URL's are set correctly...

i think the problem is name resolution? the VPN does not do this unless we fill in the host file for the services we want to connect to... we cannot just ping a server, it has to be specified in this file

i have to remove this entry for outlook to work via HTTPS... it must have something to do with it...

is there any other way i can get outlook to connect via VPN without ammending the host file? -  am i along the right lines?
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
if it has full access.. just use MAPI not outlook anywhere :)
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

I THINK IT MIGHT BE SORTED! THE VPN policy was set to their DNS, i asked why? i told them we shouldnt have to add everything to the host file in order to connect to resources, i askedm them to change the vpn to point to our internal DNS! and its worked! i dont get the OAB error through the VPN....

i will test further later this evening...... but seems fine :-)
0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
;) told ya !
glad your got it set.

Exchange 2007 rox.
0
 

Author Comment

by:Mandev23
Comment Utility
iliantz

my outlok seems to be working ok, along with a few others. But some are getting a (0x80072F0D) error in outlook (uknown error) ...? when clicking on send/receive...

i've created new profiles, unchecked 'download offline address book' just in case from tools, send and receive, send recieive settings, define send recieve groups..

??
0
 
LVL 6

Assisted Solution

by:ilantz
ilantz earned 500 total points
Comment Utility
http://support.microsoft.com/kb/927465/en-us
and also , http://raller.wordpress.com/2008/07/10/the-error-0x80072f0d-is-received-when-sendingreceiving-from-outlook-2007-connected-to-exchange-2007/

it's for windows mobile.. but fits here :) you need to trust the CA in client computers..
you could add the CA to the trust root authorites in a GPO and apply to all, if its not working correctly today.

been busy ;) hope you'll manage.
0
 

Author Comment

by:Mandev23
Comment Utility
ilantz

Good to hear from you... installing the cert onto the client PC and turning off the firewall worked, so i'm sure this procedure will work for the rest of the clients. We seem to be sorted.

The next thing i am desperate to get working is sync windows mobile 6 with Exchange, i have posted a question on this, but not had much luck... i'll give you the 500 points you deserve for helping me, thanks alot.. maybe you could assist with this sync error >>  i keep geting "Your account in microsoft Exchange server does not have permissions to synchronise with your account..."

0
 
LVL 6

Expert Comment

by:ilantz
Comment Utility
im on it .
glad to assist.
0
 

Author Closing Comment

by:Mandev23
Comment Utility
ilantz you were brilliant!!!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now