stever1884
asked on
Autodiscover Not working, thus not able to download the GAL
We are having an issue with Exchange 2007, Migrated from Exchange 2003. It's a Windows 2003 64bit server with IIS 6.0.
Our issue is that we cannot download the Global Address List and, because of that, it's generating sync errors in Outlook.
When running "test-outlookwebservices" from the Exchange Shell, this is the output:
Id : 1003
Type : Information
Message : About to test AutoDiscover with the e-mail address Administrator@externaldomain.com.
Id : 1007
Type : Information
Message : Testing server email.domain.local with the published name https://email.domain.local/EWS/Exchange.asmx & .
Id : 1019
Type : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover
URL on this object is https://email.externaldomain.com
Id : 1013
Type : Error
Message : When contacting https://email.externaldomain.com/ received the error
The remote server returned an error: (404) Not Found.
Id : 1006
Type : Error
Message : The Autodiscover service could not be contacted.
When running a test email configuration from a newly created profile, this is the output received:
Attempting URL https://email.externaldomain.com/ found through SCP
Autodiscover to https://email.externaldomain.com/ starting
Autodiscover request completed with http status code 404
Autodiscover to https://email.externaldomain.com/ FAILED (0x80004005)
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml starting
Received certificate error with no error context. Failing with cert error.
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local Autodiscover for externaldomain.com starting
Local Autodiscover for externaldomain.com FAILED (0x8004010F)
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml starting
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x80072EE7)
Srv Record lookup for externaldomain.com starting
Srv Record lookup for externaldomain.com FAILED (0x8004010F)
Our current setup incorporates a trusted SSL certificate for the email.externaldomain.com in order to utilize Outlook Anywhere.
We also have a re-direct for all http traffic to forward to the https://email.externaldomain.com which might be the issue.
It seems as though the lookup internally should look up via an internal address not the external address, but I can't seem to change it, could it be related to the redirect?
I had previous issues with the GAL actually getting generated to the folders located in D:\Exchange_Data\ExchangeOAB\b14572a0-9281-4c9d-a715-aeb9c1ef598d and now there are files in that location. Had to recreate the GAL and the Exchange OAB folder and restart services in order for it to generate.
Under D:\Exchange_Data\ClientAccess\OAB\b14572a0-9281-4c9d-a715-aeb9c1ef598d there are also the GAL files as well.
Under the OAB (Default Web Site) Properties in the ESM under Client Access, the URLs are set to the following:
Internal: http://email.domain.local/OAB
External: https://email.externaldomain.com
I appreciate all help in regards to this issue.
Thanks!
Is this using a self-signed certificate?
ASKER
@cchris15: This article seems like it would fix our issue. Because the current redirect redirects ALL traffic to https://email.externaldomain.com, it would create an issue when trying to hit that Default Website and forward autodiscover traffic there as well, wouldn't it? Which means we'd have to disable our current redirect?
@UBICU: We are using a certificate issued from GoDaddy.com issued for email.externaldomain.com
When you do get-exchangecertificate is it listed with the correct permissions?
Also, is IIS running and is OWA accessible? The GAL is accessed via HTTP.
ASKER
It's listed with the following:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {email.externaldomain.com, www.email.externaldomain.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
thority, OU=http://certificates.godaddy.com/repository, O=
"GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 2/20/2015 3:01:20 PM
NotBefore : 2/20/2010 3:01:20 PM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 03FC047F791DB5
Services : IIS
Status : Invalid
Subject : CN=email.externaldomain.com, OU=Domain Control Validated,
O=email.externaldomain.com
Thumbprint : FEC3233DE2562DD1AC68948FBAB53D0DA5870C1F
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {email, email.domain.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=email
NotAfter : 2/19/2011 6:11:19 PM
NotBefore : 2/19/2010 6:11:19 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 184112BE21C5DDBD46DF1B2665328881
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=email
Thumbprint : AED86A22F761A2AC00B6BE3983084EFF212DD1F7
IIS is running and OWA is accessible.
Not to ask a stupid question, but you're replacing your domain with "externaldomain.com", right?
I see you're not using the certificate in IIS. Try issuing the following command:
Enable-ExchangeCertificate -Thumbprint AED86A22F761A2AC00B6BE3983084EFF212DD1F7 -Services IMAP,POP,IIS,SMTP
ASKER
Correct, I'm replacing the domain with "externaldomain.com"
I issued the command, re-opened Outlook and got a new certificate pop-up asking for acceptance. Tried to re-download the address book, generated a new sync error in Outlook that the server URL could not be located.
11:27:37 Microsoft Exchange offline address book
11:27:37 Not downloading Offline address book files. A server (URL) could not be located.
11:27:37 0X8004010F
Sweet.
Read this:
http://msexchangeteam.com/archive/2007/04/19/437902.aspx
and especially this:
http://technet.microsoft.com/en-us/library/bb288905%28EXCHG.80%29.aspx
Do you have the URL for OAB filled in in the Exchange server?
ASKER
I'm assuming you mean this output by giving the command "Get-oabvirtualdirectory"?
Name : OAB (Default Web Site)
PollInterval : 480
OfflineAddressBooks : {\Offline Address List}
RequireSSL : False
MetabasePath : IIS://email.domain.local/W3SVC/1/ROOT/OAB
Path : D:\Exchange_Data\ClientAccess\OAB
Server : EMAIL
InternalUrl : http://email.domain.local/OAB
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalUrl : https://email.externaldomain.com
ExternalAuthenticationMethods : {WindowsIntegrated}
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,
CN=EMAIL,CN=Servers,CN=Exchange Administrative
Group (FYDIBOHF23SPDLT),CN=Administrative Group
s,CN= ,CN=Microsof
t Exchange,CN=Services,CN=Configuration,DC=,DC=,DC=
Identity : EMAIL\OAB (Default Web Site)
Guid : b2f843f1-2c80-497c-8426-9ed3ff4bd600
ObjectCategory : domain.local/Configuration/Schema/ms-Exch-OAB
-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchOABVirtualD
irectory}
WhenChanged : 3/9/2010 1:40:19 PM
WhenCreated : 2/19/2010 6:13:54 PM
OriginatingServer : dc.domain.local
IsValid : True
Should be (Not that it matters much for your problem):
InternalUrl : http://email.domain.local/OAB
ExternalUrl : https://email.externaldomain.com/OAB
On your internal DNS server though, have you defined email.externaldomain.com to point to the email.domain.local IP? Because the certificate you have installed for Exchange doesn't reference the internal domain at all.
Actually, I missed that there were 2 certificates you have installed.
What is the result of
get-exchangecertificate | fl now?
ASKER
I have not. The internal domain can connect to OWA via the Public address, so I saw that as a non-issue. Is that something you recommend?
And yes, it doesn't reference the internal domain, which I believe to be the issue.
ASKER
Two different thumbprints now. The previous one and now an internal one. Do you need the information?
Do you have an internal certificate authority?
ASKER
Just the server itself. It's SelfSigned.
Does the default website in IIS have OAB listed? I think the OAB problem is a result of the previous E2k3 install. You should follow those links above and get that working.
I'm gonna have to dwell on the autodiscover problem.
It's also possible if you re-create your Outlook profile that GAL will start working.
ASKER
IIS has OAB listed.
I agree that it's most likely an issue from 2K3 as well.
It's a new Outlook profile, I've actually recreated a whole new GAL (As it wasn't generating the files needed in the OAB directories), and followed the MS steps for the server removal as well. I'm leaning to believe that I'll have to create a separate Public IP for autodiscover as well as changing the way it redirects as cchris stated above. I'll have to try that today and see what I come up with.
You do not have to have an additional public IP; I believe you can just add a DNS entry for autodiscover.yourcompanyurl.com and it will work. Here is my reference material: http://www.ditii.com/2007/04/30/exchange-2007-autodiscover-and-certificates/ & http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx. I'm including an overview picture of Exchange so you can visually wrap your mind around this issue. This is a PDF I reference quite frequently.
Michael Christly
ExchangePoster.pdf
ASKER
Reading up on this, it says I can use a local share (The ExchangeOAB share I'm guessing). How can I tell the clients for the internal address to point to that shared folder?
This will allow us to keep the current redirection and have all the internal clients get the OAB (External have no issues).
In the reference material I posted for TechNet, check out the section labeled "How the Autodiscover Service Works with Clients". To test this from a client, you just hold Control and right-click on the Outlook icon. Then choose send test email; from there just enter the password you log on to Windows with and you can test your autodiscovery.
Michael Christly
ASKER
I already had tested the autodiscover service, the results are posted at the top of the thread.
I'll read through Microsoft's documentation a bit more and see what I might be able to gather from it.
Was that test from a client PC? I looked through the post and couldn't find it.
ASKER
I've copied and pasted it from above. This was the Log Output of the testing Autodiscover from a newly created Outlook profile:
When running a test email configuration from a newly created profile, this is the log output received:
Attempting URL https://email.externaldomain.com/ found through SCP
Autodiscover to https://email.externaldomain.com/ starting
Autodiscover request completed with http status code 404
Autodiscover to https://email.externaldomain.com/ FAILED (0x80004005)
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml starting
Received certificate error with no error context. Failing with cert error.
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local Autodiscover for externaldomain.com starting
Local Autodiscover for externaldomain.com FAILED (0x8004010F)
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml starting
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x80072EE7)
Srv Record lookup for externaldomain.com starting
Srv Record lookup for externaldomain.com FAILED (0x8004010F)
ASKER
Ok, so I set up a point externally for autodiscover.externalurl.com and now the GAL downloads successfully.
The only issue now is that there's a certificate warning EVERY TIME Outlook starts up. I need this to go away and without purchasing another certificate. I'll research this a bit as well to see what I can come up with. BTW, there are two certificate pop-ups: one for autodiscover.externalurl.com and one for email.domain.local. Both pop up every time Outlook is started.
ASKER
I got it down to one certificate error and that's the autodiscover.externalurl.com. Is there a way that I can make the autodiscover service into its own website with the header autodiscover? This way, I can create a self-signed certificate that will get saved into a workstation.
Right now, it won't save the certificate because the autodiscover.externaldomain.com does not match what's on the certificate (email.externaldomain.com).
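Added example (not part of any participant's post): a Python check of the name mismatch described above, run over the certificate domains and URLs quoted in this thread. The function names and verdict strings are this example's own, and the wildcard rule goes beyond what the thread's certificates use.

```python
from urllib.parse import urlsplit

# Certificates as listed by get-exchangecertificate in the thread:
# label -> (CertificateDomains, IsSelfSigned)
CERTS = {
    "GoDaddy": (["email.externaldomain.com", "www.email.externaldomain.com"], False),
    "self-signed": (["email", "email.domain.local"], True),
}

# URLs that appear in the posted test output and OAB settings.
URLS = [
    "https://email.externaldomain.com/",  # SCP URL and OAB ExternalUrl
    "https://externaldomain.com/autodiscover/autodiscover.xml",
    "https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml",
    "https://email.domain.local/EWS/Exchange.asmx",
    "http://email.domain.local/OAB",      # OAB InternalUrl
]


def name_matches(host, pattern):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return host == pattern


def verdict(url, names, self_signed):
    """Classify one URL against one certificate's name list."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "no TLS"
    if not any(name_matches(parts.hostname, n) for n in names):
        return "name mismatch"
    # A matching name is not enough: a self-signed certificate still
    # prompts until the client has it in its trusted store.
    return "name ok, untrusted until imported" if self_signed else "ok"


def audit(urls, certs):
    """Return {certificate label: {url: verdict}}."""
    return {label: {u: verdict(u, names, ss) for u in urls}
            for label, (names, ss) in certs.items()}


def mismatched_hosts(urls, names):
    """Hostnames reached over HTTPS that the certificate does not name."""
    return sorted({urlsplit(u).hostname for u in urls
                   if verdict(u, names, False) == "name mismatch"})


if __name__ == "__main__":
    for label, results in audit(URLS, CERTS).items():
        print(f"[{label}]")
        for url, v in results.items():
            print(f"  {v:34} {url}")
```

Whichever certificate is bound to IIS, the hosts it reports as "name mismatch" are the ones a client cannot validate by name, which is the condition behind the pop-up for the autodiscover host.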
ASKER CERTIFIED SOLUTION
This solution is only available to members.
I believe I posted that in the first post.
Michael Christly