Autodiscover Not working, thus not able to download the GAL

We are having an issue with Exchange 2007, migrated from Exchange 2003.  It's a Windows 2003 64-bit server with IIS 6.0.

Our issue is that we cannot download the Global Address List and, because of that, it's generating sync errors in Outlook.

When running "test-outlookwebservices" from the Exchange Shell, this is the output:

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@externaldomain.com.

Id      : 1007
Type    : Information
Message : Testing server email.domain.local with the published name https://email.domain.local/EWS/Exchange.asmx & .

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover
           URL on this object is https://email.externaldomain.com

Id      : 1013
Type    : Error
Message : When contacting https://email.externaldomain.com/ received the error
           The remote server returned an error: (404) Not Found.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.

When running a test email configuration from a newly created profile, this is the output received:

Attempting URL https://email.externaldomain.com/ found through SCP
Autodiscover to https://email.externaldomain.com/ starting
Autodiscover request completed with http status code 404
Autodiscover to https://email.externaldomain.com/ FAILED (0x80004005)
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml starting
Received certificate error with no error context.  Failing with cert error.
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local Autodiscover for externaldomain.com starting
Local Autodiscover for externaldomain.com FAILED (0x8004010F)
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml starting
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x80072EE7)
Srv Record lookup for externaldomain.com starting
Srv Record lookup for externaldomain.com FAILED (0x8004010F)

Our current setup incorporates a trusted SSL certificate for the email.externaldomain.com in order to utilize Outlook Anywhere.

We also have a re-direct for all http traffic to forward to the https://email.externaldomain.com which might be the issue.

It seems as though the lookup internally should look up via an internal address not the external address, but I can't seem to change it, could it be related to the redirect?

I had previous issues with the GAL actually getting generated to the folders located in D:\Exchange_Data\ExchangeOAB\b14572a0-9281-4c9d-a715-aeb9c1ef598d and now there are files in that location.  Had to recreate the GAL and the Exchange OAB folder and restart services in order for it to generate.

Under D:\Exchange_Data\ClientAccess\OAB\b14572a0-9281-4c9d-a715-aeb9c1ef598d there are also the GAL files as well.

Under the OAB (Default Web Site) Properties in the ESM under Client Access, the URLs are set to the following:
Internal: http://email.domain.local/OAB
External: https://email.externaldomain.com

I appreciate all help in regards to this issue.

Thanks!
stever1884 Asked:

Michael Christly Commented:
I see that you're pointing your autodiscover to the wrong location & your internal address is also wrong. Please read this http://msexchangeteam.com/archive/2007/04/30/438249.aspx & http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-outlook-2007-exchange-server-2007.html

Michael Christly
0
UBIFCU Commented:
Is this using a self-signed certificate?
0
stever1884 Author Commented:
@cchris15:  This article seems like it would fix our issue.  Because the current redirect redirects ALL traffic to https://email.externaldomain.com, it would create an issue when trying to hit that Default Website and forward autodiscover traffic there as well, wouldn't it?  Which means we'd have to disable our current redirect?

@UBIFCU:  We are using a certificate issued from GoDaddy.com issued for email.externaldomain.com.
0
UBIFCU Commented:
When you do get-exchangecertificate is it listed with the correct permissions?
0
UBIFCU Commented:
Also, is IIS running and is OWA accessible? The GAL is accessed via HTTP.
0
stever1884 Author Commented:
It's listed with the following:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {email.externaldomain.com, www.email.externaldomain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                     thority, OU=http://certificates.godaddy.com/repository, O=
                     "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2/20/2015 3:01:20 PM
NotBefore          : 2/20/2010 3:01:20 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 03FC047F791DB5
Services           : IIS
Status             : Invalid
Subject            : CN=email.externaldomain.com, OU=Domain Control Validated,
                      O=email.externaldomain.com
Thumbprint         : FEC3233DE2562DD1AC68948FBAB53D0DA5870C1F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {email, email.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=email
NotAfter           : 2/19/2011 6:11:19 PM
NotBefore          : 2/19/2010 6:11:19 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 184112BE21C5DDBD46DF1B2665328881
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=email
Thumbprint         : AED86A22F761A2AC00B6BE3983084EFF212DD1F7

IIS is running and OWA is accessible.
0
UBIFCU Commented:
Not to ask a stupid question, but you're replacing your domain with "externaldomain.com", right?

I see you're not using the certificate in IIS. Try issuing the following command:

Enable-ExchangeCertificate -Thumbprint AED86A22F761A2AC00B6BE3983084EFF212DD1F7 -Services IMAP,POP,IIS,SMTP
0
stever1884 Author Commented:
Correct, I'm replacing the domain with "externaldomain.com"

I issued the command, re-opened Outlook and got a new certificate pop-up asking for acceptance.  Tried to re-download the address book, generated a new sync error in Outlook that the server URL could not be located.

11:27:37 Microsoft Exchange offline address book
11:27:37              Not downloading Offline address book files.  A server (URL) could not be located.
11:27:37       0X8004010F
0
UBIFCU Commented:
Do you have the URL for OAB filled in in the Exchange server?
0
stever1884 Author Commented:
I'm assuming you mean this output by giving the command "Get-oabvirtualdirectory"?

Name                          : OAB (Default Web Site)
PollInterval                  : 480
OfflineAddressBooks           : {\Offline Address List}
RequireSSL                    : False
MetabasePath                  : IIS://email.domain.local/W3SVC/1/ROOT/OAB
Path                          : D:\Exchange_Data\ClientAccess\OAB
Server                        : EMAIL
InternalUrl                   : http://email.domain.local/OAB
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalUrl                   : https://email.externaldomain.com
ExternalAuthenticationMethods : {WindowsIntegrated}
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,
                                CN=EMAIL,CN=Servers,CN=Exchange Administrative
                                Group (FYDIBOHF23SPDLT),CN=Administrative Group
                                s,CN= ,CN=Microsof
                                t Exchange,CN=Services,CN=Configuration,DC=,DC=,DC=
Identity                      : EMAIL\OAB (Default Web Site)
Guid                          : b2f843f1-2c80-497c-8426-9ed3ff4bd600
ObjectCategory                : domain.local/Configuration/Schema/ms-Exch-OAB
                                -Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchOABVirtualD
                                irectory}
WhenChanged                   : 3/9/2010 1:40:19 PM
WhenCreated                   : 2/19/2010 6:13:54 PM
OriginatingServer             : dc.domain.local
IsValid                       : True
0
UBIFCU Commented:
Should be (Not that it matters much for your problem):

InternalUrl                   : http://email.domain.local/OAB
ExternalUrl                   : https://email.externaldomain.com/OAB

On your internal DNS server though, have you defined email.externaldomain.com to point to the email.domain.local IP? Because the certificate you have installed for Exchange doesn't reference the internal domain at all.
0
UBIFCU Commented:
Actually, I missed that there were 2 certificates you have installed.

What is the result of

get-exchangecertificate | fl now?
0
stever1884 Author Commented:
I have not.  The internal domain can connect to OWA via the Public address, so I saw that as a non-issue.  Is that something you recommend?

And yes, it doesn't reference the internal domain, which I believe to be the issue.
0
stever1884 Author Commented:
Two different thumbprints now.  The previous one and now an internal one.  Do you need the information?
0
UBIFCU Commented:
Do you have an internal certificate authority?
0
stever1884 Author Commented:
Just the server itself.  It's SelfSigned.
0
UBIFCU Commented:
Does the default website in IIS have OAB listed? I think the OAB problem is a result of the previous E2k3 install. You should follow those links above and get that working.

I'm gonna have to dwell on the autodiscover problem.
0
UBIFCU Commented:
It's also possible if you re-create your Outlook profile that GAL will start working.
0
stever1884 Author Commented:
IIS has OAB listed.  

I agree that it's most likely an issue from 2K3 as well.

It's a new Outlook profile, I've actually recreated a whole new GAL (As it wasn't generating the files needed in the OAB directories), and followed the MS steps for the server removal as well.  I'm leaning to believe that I'll have to create a separate Public IP for autodiscover as well as changing the way it redirects as cchris stated above.  I'll have to try that today and see what I come up with.
0
Michael Christly Commented:
You do not have to have an additional public IP; I believe you can just add a DNS entry for autodiscover.yourcompanyurl.com and it will work.  Here is my reference material http://www.ditii.com/2007/04/30/exchange-2007-autodiscover-and-certificates/  & http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx.  I'm including an overview picture of Exchange so you can visually wrap your mind around this issue.  This is a PDF I reference quite frequently.

Michael Christly
ExchangePoster.pdf
0
stever1884 Author Commented:
Reading up on this, it says I can use a local share (The ExchangeOAB share I'm guessing).  How can I tell the clients for the internal address to point to that shared folder?

This will allow us to keep the current redirection and have all the internal clients get the OAB (External have no issues).
0
Michael Christly Commented:
In the reference material I posted for TechNet, check out the section labeled "How the Autodiscover Service Works with Clients".  To test this from a client you just hold Control and right-click on the Outlook icon.  Then choose send test email; from there just enter the password you log on to Windows with and you can test your autodiscovery.

Michael Christly
0
stever1884 Author Commented:
I already had tested the autodiscover service, the results are posted at the top of the thread.  

I'll read through Microsoft's documentation a bit more and see what I might be able to gather from it.
0
Michael Christly Commented:
Was that test from a client PC? I looked through the post and couldn't find it.
0
stever1884 Author Commented:
I've copied and pasted it from above.  This was the Log Output of the testing Autodiscover from a newly created Outlook profile:

When running a test email configuration from a newly created profile, this is the log output received:

Attempting URL https://email.externaldomain.com/ found through SCP
Autodiscover to https://email.externaldomain.com/ starting
Autodiscover request completed with http status code 404
Autodiscover to https://email.externaldomain.com/ FAILED (0x80004005)
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml starting
Received certificate error with no error context.  Failing with cert error.
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local Autodiscover for externaldomain.com starting
Local Autodiscover for externaldomain.com FAILED (0x8004010F)
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml starting
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x80072EE7)
Srv Record lookup for externaldomain.com starting
Srv Record lookup for externaldomain.com FAILED (0x8004010F)
0
stever1884 Author Commented:
Ok, so I set up a point externally for autodiscover.externalurl.com and now the GAL downloads successfully.  

The only issue now is that there's a certificate warning EVERY TIME Outlook starts up.  I need this to go away and without purchasing another certificate.  I'll research this a bit as well to see what I can come up with.  BTW, there are two certificate pop-ups: one for autodiscover.externalurl.com and one for email.domain.local.  Both pop up every time Outlook is started.
0
stever1884 Author Commented:
I got it down to one certificate error and that's the autodiscover.externalurl.com.  Is there a way that I can make the autodiscover service into its own website with the header autodiscover?  This way, I can create a self-signed certificate that will get saved into a workstation.  

Right now, it won't save the certificate because the autodiscover.externaldomain.com does not match what's on the certificate (email.externaldomain.com).
0
stever1884 Author Commented:
I got the issue resolved.  It actually was just a matter of inputting the correct OABvirtualdirectory, webservicesdirectory, clientaccessserver, and umvirtualdirectory via Microsoft's Support KB 940726.

Here's the link to the steps I performed.  

http://support.microsoft.com/?kbid=940726

Thanks for your help guys!
0
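
The host-name check behind the certificate pop-ups discussed in this thread, as an added example (not code from the thread or from KB 940726): it parses Get-ExchangeCertificate | fl text, collects the names on the certificate enabled for IIS, and flags every client-facing URL whose host that certificate does not cover. The sample text, the labels in URLS and the function names are constructed for illustration from the output posted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the thread's "Get-ExchangeCertificate | fl" listing.
CERT_FL = """\
CertificateDomains : {email.externaldomain.com, www.email.externaldomain.
                     com}
Services           : IIS

CertificateDomains : {email, email.domain.local}
Services           : IMAP, POP, SMTP
"""
URLS = {  # URLs Outlook was handed or tried, copied from the thread's output
    "Autodiscover SCP": "https://email.externaldomain.com/",
    "Autodiscover DNS": "https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml",
    "OAB InternalUrl": "http://email.domain.local/OAB",
    "EWS": "https://email.domain.local/EWS/Exchange.asmx",
}

def parse_fl(text):
    """Parse Format-List text into one dict per object, rejoining wrapped values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, key = {}, None
        for line in block.splitlines():
            m = re.match(r"(\w+)\s*:\s?(.*)", line)
            if m:
                key, rec[m.group(1)] = m.group(1), m.group(2).strip()
            elif key:
                rec[key] += line.strip()  # continuation of a wrapped value
        records.append(rec)
    return records

def iis_cert_names(records):
    """Lower-cased names on every certificate whose Services include IIS."""
    return {d.strip().lower()
            for r in records if "IIS" in re.split(r",\s*", r.get("Services", ""))
            for d in r["CertificateDomains"].strip("{}").split(",")}

def audit(urls, names):
    """Return {label: finding} for each URL the IIS certificate does not cover."""
    findings = {}
    for label, url in urls.items():
        host = urlsplit(url).hostname  # urlsplit lower-cases the host
        if not url.lower().startswith("https://"):
            findings[label] = "plain HTTP, no certificate check: " + host
        elif host not in names and "*." + host.partition(".")[2] not in names:
            findings[label] = "name not on IIS certificate: " + host
    return findings
```

Calling audit(URLS, iis_cert_names(parse_fl(CERT_FL))) on this sample flags the autodiscover.externaldomain.com and email.domain.local URLs, the two names the author reported pop-ups for.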
Michael Christly Commented:
I believe I posted that in the first post.
0