stever1884


Autodiscover Not working, thus not able to download the GAL

We are having an issue with Exchange 2007, migrated from Exchange 2003.  It's a Windows 2003 64-bit server with IIS 6.0.

Our issue is that we cannot download the Global Address List and, because of that, it's generating sync errors in Outlook.

When running "test-outlookwebservices" from the Exchange Shell, this is the output:

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@externaldomain.com.

Id      : 1007
Type    : Information
Message : Testing server email.domain.local with the published name https://email.domain.local/EWS/Exchange.asmx & .

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover
           URL on this object is https://email.externaldomain.com

Id      : 1013
Type    : Error
Message : When contacting https://email.externaldomain.com/ received the error
           The remote server returned an error: (404) Not Found.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.

When running a test email configuration from a newly created profile, this is the output received:

Attempting URL https://email.externaldomain.com/ found through SCP
Autodiscover to https://email.externaldomain.com/ starting
Autodiscover request completed with http status code 404
Autodiscover to https://email.externaldomain.com/ FAILED (0x80004005)
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml starting
Received certificate error with no error context.  Failing with cert error.
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local Autodiscover for externaldomain.com starting
Local Autodiscover for externaldomain.com FAILED (0x8004010F)
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml starting
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x80072EE7)
Srv Record lookup for externaldomain.com starting
Srv Record lookup for externaldomain.com FAILED (0x8004010F)

Our current setup incorporates a trusted SSL certificate for the email.externaldomain.com in order to utilize Outlook Anywhere.

We also have a re-direct for all http traffic to forward to the https://email.externaldomain.com which might be the issue.

It seems as though the lookup internally should look up via an internal address not the external address, but I can't seem to change it, could it be related to the redirect?

I had previous issues with the GAL actually getting generated to the folders located in D:\Exchange_Data\ExchangeOAB\b14572a0-9281-4c9d-a715-aeb9c1ef598d and now there are files in that location.  Had to recreate the GAL and the Exchange OAB folder and restart services in order for it to generate.

Under D:\Exchange_Data\ClientAccess\OAB\b14572a0-9281-4c9d-a715-aeb9c1ef598d there are also the GAL files as well.

Under the OAB (Default Web Site) Properties in the ESM under Client Access, the URLs are set to the following:
Internal: http://email.domain.local/OAB
External: https://email.externaldomain.com

I appreciate all help in regards to this issue.

Thanks!
Michael Christly

I see that you're pointing your autodiscover to the wrong location & your internal address is also wrong. Please read this http://msexchangeteam.com/archive/2007/04/30/438249.aspx & http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-outlook-2007-exchange-server-2007.html

Michael Christly
UBIFCU

Is this using a self-signed certificate?
stever1884

ASKER

@cchris15:  This article seems like it would fix our issue.  Because the current redirect redirects ALL traffic to https://email.externaldomain.com, it would create an issue when trying to hit that Default Website and forward autodiscover traffic there as well, wouldn't it?  Which means we'd have to disable our current redirect?

@UBIFCU:  We are using a certificate issued from GoDaddy.com issued for email.externaldomain.com.

When you do get-exchangecertificate is it listed with the correct permissions?
Also, is IIS running and is OWA accessible? The GAL is accessed via HTTP.

It's listed with the following:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {email.externaldomain.com, www.email.externaldomain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                     thority, OU=http://certificates.godaddy.com/repository, O=
                     "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2/20/2015 3:01:20 PM
NotBefore          : 2/20/2010 3:01:20 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 03FC047F791DB5
Services           : IIS
Status             : Invalid
Subject            : CN=email.externaldomain.com, OU=Domain Control Validated,
                      O=email.externaldomain.com
Thumbprint         : FEC3233DE2562DD1AC68948FBAB53D0DA5870C1F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {email, email.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=email
NotAfter           : 2/19/2011 6:11:19 PM
NotBefore          : 2/19/2010 6:11:19 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 184112BE21C5DDBD46DF1B2665328881
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=email
Thumbprint         : AED86A22F761A2AC00B6BE3983084EFF212DD1F7

IIS is running and OWA is accessible.

Not to ask a stupid question, but you're replacing your domain with "externaldomain.com", right?

I see you're not using the certificate in IIS. Try issuing the following command:

Enable-ExchangeCertificate -Thumbprint AED86A22F761A2AC00B6BE3983084EFF212DD1F7 -Services IMAP,POP,IIS,SMTP

Correct, I'm replacing the domain with "externaldomain.com"

I issued the command, re-opened Outlook and got a new certificate pop-up asking for acceptance.  Tried to re-download the address book, generated a new sync error in Outlook that the server URL could not be located.

11:27:37 Microsoft Exchange offline address book
11:27:37              Not downloading Offline address book files.  A server (URL) could not be located.
11:27:37       0X8004010F

Do you have the URL for OAB filled in in the Exchange server?

I'm assuming you mean this output by giving the command "Get-oabvirtualdirectory"?

Name                          : OAB (Default Web Site)
PollInterval                  : 480
OfflineAddressBooks           : {\Offline Address List}
RequireSSL                    : False
MetabasePath                  : IIS://email.domain.local/W3SVC/1/ROOT/OAB
Path                          : D:\Exchange_Data\ClientAccess\OAB
Server                        : EMAIL
InternalUrl                   : http://email.domain.local/OAB
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalUrl                   : https://email.externaldomain.com
ExternalAuthenticationMethods : {WindowsIntegrated}
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,
                                CN=EMAIL,CN=Servers,CN=Exchange Administrative
                                Group (FYDIBOHF23SPDLT),CN=Administrative Group
                                s,CN= ,CN=Microsof
                                t Exchange,CN=Services,CN=Configuration,DC=,DC=,DC=
Identity                      : EMAIL\OAB (Default Web Site)
Guid                          : b2f843f1-2c80-497c-8426-9ed3ff4bd600
ObjectCategory                : domain.local/Configuration/Schema/ms-Exch-OAB
                                -Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchOABVirtualD
                                irectory}
WhenChanged                   : 3/9/2010 1:40:19 PM
WhenCreated                   : 2/19/2010 6:13:54 PM
OriginatingServer             : dc.domain.local
IsValid                       : True

Should be (not that it matters much for your problem):

InternalUrl                   : http://email.domain.local/OAB
ExternalUrl                   : https://email.externaldomain.com/OAB

On your internal DNS server though, have you defined email.externaldomain.com to point to the email.domain.local IP? Because the certificate you have installed for Exchange doesn't reference the internal domain at all.

Actually, I missed that there were 2 certificates you have installed.

What is the result of

get-exchangecertificate | fl now?

I have not.  The internal domain can connect to OWA via the public address, so I saw that as a non-issue.  Is that something you recommend?

And yes, it doesn't reference the internal domain, which I believe to be the issue.

Two different thumbprints now.  The previous one and now an internal one.  Do you need the information?

Do you have an internal certificate authority?

Just the server itself.  It's SelfSigned.

Does the default website in IIS have OAB listed? I think the OAB problem is a result of the previous E2k3 install. You should follow those links above and get that working.

I'm gonna have to dwell on the autodiscover problem.

It's also possible if you re-create your Outlook profile that GAL will start working.

IIS has OAB listed.  

I agree that it's most likely an issue from 2K3 as well.

It's a new Outlook profile, I've actually recreated a whole new GAL (As it wasn't generating the files needed in the OAB directories), and followed the MS steps for the server removal as well.  I'm leaning to believe that I'll have to create a separate Public IP for autodiscover as well as changing the way it redirects as cchris stated above.  I'll have to try that today and see what I come up with.

You do not have to have an additional public IP, I believe; you can just add a DNS entry to the autodiscover.yourcompayurl.com and it will work.  Here is my reference material: http://www.ditii.com/2007/04/30/exchange-2007-autodiscover-and-certificates/  & http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx.  I'm including an overview picture of Exchange so you can visually wrap your mind around this issue.  This is a PDF I reference quite frequently.

Michael Christly
ExchangePoster.pdf

Reading up on this, it says I can use a local share (The ExchangeOAB share I'm guessing).  How can I tell the clients for the internal address to point to that shared folder?

This will allow us to keep the current redirection and have all the internal clients get the OAB (External have no issues).

In the reference material I posted for TechNet, check out the section labeled "How the Autodiscover Service Works with Clients".  To test this from a client you just hold Control and right-click on the Outlook icon.  Then choose send test email; from there just enter the password you log on to Windows with and you can test your autodiscovery.


Michael Christly

I already had tested the autodiscover service, the results are posted at the top of the thread.  

I'll read through Microsoft's documentation a bit more and see what I might be able to gather from it.

Was that test from a client PC? I looked through the post and couldn't find it.

I've copied and pasted it from above.  This was the log output of testing Autodiscover from a newly created Outlook profile:

When running a test email configuration from a newly created profile, this is the log output received:

Attempting URL https://email.externaldomain.com/ found through SCP
Autodiscover to https://email.externaldomain.com/ starting
Autodiscover request completed with http status code 404
Autodiscover to https://email.externaldomain.com/ FAILED (0x80004005)
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml starting
Received certificate error with no error context.  Failing with cert error.
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local Autodiscover for externaldomain.com starting
Local Autodiscover for externaldomain.com FAILED (0x8004010F)
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml starting
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x80072EE7)
Srv Record lookup for externaldomain.com starting
Srv Record lookup for externaldomain.com FAILED (0x8004010F)

Ok, so I set up a point externally for autodiscover.externalurl.com and now the GAL downloads successfully.  

The only issue now is that there's a certificate warning EVERY TIME Outlook starts up.  I need this to go away and without purchasing another certificate.  I'll research this a bit as well to see what I can come up with.  BTW, there are two certificate pop-ups: one for autodiscover.externalurl.com and one for email.domain.local.  Both pop up every time Outlook is started.

I got it down to one certificate error and that's the autodiscover.externalurl.com.  Is there a way that I can make the autodiscover service into its own website with the header autodiscover?  This way, I can create a self-signed certificate that will get saved into a workstation.  

Right now, it won't save the certificate because the autodiscover.externaldomain.com does not match what's on the certificate (email.externaldomain.com).
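
The name mismatch described in the post above can be checked mechanically. This is an added example, not part of the original thread: it takes the URLs Outlook tried (copied from the test log quoted earlier) and compares each host against the CertificateDomains of the IIS certificate. `name_matches` and `audit` are hypothetical helper names, and the wildcard handling goes beyond the single-name certificate in the thread.

```python
from urllib.parse import urlsplit

# Constructed sample: lines copied from the Outlook test log quoted in the thread.
LOG = """\
Attempting URL https://email.externaldomain.com/ found through SCP
Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml starting
Redirect check to http://externaldomain.com/autodiscover/autodiscover.xml starting
"""
# CertificateDomains of the IIS certificate from the Get-ExchangeCertificate output above.
CERT_NAMES = ["email.externaldomain.com", "www.email.externaldomain.com"]


def name_matches(host, pattern):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p


def audit(log, cert_names):
    """Return one finding per URL the client tried: (url, source, problems)."""
    findings = []
    for line in log.splitlines():
        url = next((w for w in line.split() if w.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        parts, problems = urlsplit(url), []
        host = parts.hostname or ""
        source = "SCP" if "found through SCP" in line else "domain-derived"
        if parts.scheme != "https":
            problems.append("plain HTTP: the responder is not authenticated")
        elif not any(name_matches(host, n) for n in cert_names):
            problems.append("host not in CertificateDomains: name-mismatch warning")
        # The SCP value is expected to be the full service URL, not the site root.
        if source == "SCP" and not parts.path.lower().endswith("/autodiscover.xml"):
            problems.append("SCP URL lacks /autodiscover/autodiscover.xml")
        findings.append((url, source, problems))
    return findings


if __name__ == "__main__":
    for url, source, problems in audit(LOG, CERT_NAMES):
        print(f"[{source}] {url}: {'; '.join(problems) or 'ok'}")
```

Adding `autodiscover.externaldomain.com` to `CERT_NAMES` clears the third finding, which is the effect a certificate covering that name would have on the Outlook prompt.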
ASKER CERTIFIED SOLUTION
stever1884


I believe I posted that in the first post.