Unable to download/update offline address book - Exchange/Outlook 2007 - 0x80190194

Also, in the event logs I have the error: Event ID: 9360 a few times. This seems to point to Exchange 2003 though, making me think the GAL is still there....

In addition to this, if I go to Exchange Management Console > Toolbox > Public Folder Management Console > System Public Folders > OFFLINE ADDRESS BOOK, there are 3 entries. If I right-click any of these and choose update, I get the error shown in the screengrab below.
3.png

I take it this is SBS 2008?

Some people have reported this being fixed by turning off "kernel mode authentication" in IIS:
Disable Kernel Mode authentication by using IIS Manager. To do this, follow these steps:
Click Start, click Run, type inetmgr.exe, and then click OK.
In IIS Manager, expand server name, expand Web sites, and then click the Web site that you want to change.
Double-click Authentication, click Windows Authentication to highlight it, and then click Advanced Settings in the Action pane.
Click to clear the Enable Kernel-mode authentication box.

Hello
First off all, your Public folder database is still on the SERVER2006.
that means that an OAB v3 or 4 is still distributed from the 2006, to Ooutlook 2003 clients or Outlook 2007 clients that cannot download for any reason, the oab through web services.

==> you should make sure replicate your PF to the 2010 server, and assign the 2010 database the default public folder database on the 2010.


After that :
Is the <Drive Letter>:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB folder existing on the CAS server ?
Do you have files in their (verify the modification dates) ?
Do you find in the eventvwr, the eventid 1008 ? (you should)


After that,

Hi both,

Thanks for the tips. Ok, here goes:

MegaNuk3 - I tried to find the folder you mentioned on the CAS. I don't see a V13 folder but I see ClientAccess\OAB and ExchangeOAB. I set read permissions for authenticated users on both these folders - still the same.

Regarding your second point about kernle-mode authentication...do you mean click on 'Default WebSite' root or click 'OAB' within default website? If I click 'Default WebSite' root, Windows authentication is disabled. Should this be enabled? If I click the OAB folder, Windows authentication is enabled, but kernel-mode authentication is already disabled.

seb_acker - I think you might have it here. If I look at Exchange System Manager on the SBS2003 box, I can see the three offline address books (under public folder instances) though the last time I looked in here it was empty! They are the only folders in there. I did a replicate now on the Public Folder store on the SBS 2003 box and they're now gone.

Even before I did that, the folder you mentioned does exist on the CAS. Modified dates are shown in attached screengrab.

In event viewer I have some 1008 entries (Source: Exchange Migration, Category: Move Mailbox) but these relate to failed mailbox moves that have now been resolved....so not too sure on that one.

And the error's on the client machines continue. :(

I thought getting those public folder onto the SBS 2008 box would fix it but it hasn't. Anything else I can try?
1.png
2.png

Also, on the offline address folders in Public Folder Management console (SBS 2008) I have only the SBS 2008 in the replication tab. I previously had SBS 2003 machine in there too. Should I add this?

You intend to migrate your users and PF to the sbs : so the public folderreplicas on the exchange 2003 are no more to be used.

Get-OfflineAddressbook | ft identity, publicfolderdatabase
(post the results please)
=> you should only see there "SBS 2008 server" public folderdatabase...
On wich server are your users located ?

after that, launch get-mailboxdatabase | ft name, *public*
and post the results
 
The dates seems a little bit old (13/04). Just to be sure.
Modify an user attribute (phone per exemple), then try get-offlineaddressbook | update-offlineaddressbook, and see after a few minutes, if the date of some of these files are current (only soime files should have a current date, as they will be the differential).

Hi seb,

Thanks again. Ok, so I ran: Get-OfflineAddressbook | ft identity, publicfolderdatabase and still it only shows the SBS 2003 server. Results:

Identity                                PublicFolderDatabase                  
--------                                --------------------                  
\Default Offline Address List           SERVER2006\First Storage Group\Publi...

Running get-mailboxdatabase | ft name, *public* gives me:

Name                                    PublicFolderDatabase                  
----                                    --------------------                  
Mailbox Database                        SERVER2010\Second Storage Group\Publ...

I updated a telephone number for a user in AD and ran get-offlineaddressbook | update-offlineaddressbook and the file now has a modified date of 5 minutes ago.

At the moment, all mailboxes etc. are on the new SBS 2008 server. The user accounts...well, I can modify them via the SBS 2008 box but they're not yet showing under the SBS Console (I understand there are some steps I need to carry out later in the migration for this happen.

I suppose the issue here is that the public folder database is still showing the old server...

Cheers,

Zak

ok
you did not replicate all the public folders...

launch the following :
go to c:\program files\microsoft\exchange\v14\scripts
.\AddReplicaToPFRecursive.ps1 -TopPublicFolder '\NON_IPM_SUBTREE' -ServerToAdd SERVER2010
please check the replication schedule on both public folders (server2006 and server2010), so that they always can replicate.

after a while, launch the command get-publicfolder '\NON_IPM_SUBTREE'  -server 2010 | get-publicfoderstatistics -server 2010, and post the results

Hi,

Ok, tried that command but got an error relating to permissions. Can you tell me what permissions I need to set? Don't want to go changing anything I'm not 100% sure about. Screengrab with error attached.

Cheers,

Zak

3.png

Also, because of this issue, should I add server2006 back in to the replication tab of the folders?

Folders on both servers are set to always replicate.

It's allright, you had to get permission errors.

launch
get-publicfolder "NON_IPM_SUBTREE" -Recurse | ft name, replicas
Post results (copy paste, no need to screenshot)

Ok. :)

Here are the results:

[PS] C:\windows\system32>get-publicfolder "NON_IPM_SUBTREE" -Recurse | ft name,
replicas
Get-PublicFolder : There is no existing PublicFolder that matches the following
 Identity: 'NON_IPM_SUBTREE'. Please make sure that you specified the correct P
ublicFolder Identity and that you have the necessary permissions to view Public
Folder.
At line:1 char:17
+ get-publicfolder <<<<  "NON_IPM_SUBTREE" -Recurse | ft name, replicas
    + CategoryInfo          : NotSpecified: (0:Int32) [Get-PublicFolder], Mapi
   OperationException
    + FullyQualifiedErrorId : 66AF8B3E,Microsoft.Exchange.Management.MapiTasks
   .GetPublicFolder

sorry
get-publicfolder "\NON_IPM_SUBTREE" -Recurse | ft name, replicas

Cool, here we go:

[PS] C:\windows\system32>get-publicfolder "\NON_IPM_SUBTREE" -Recurse | ft name,
 replicas

Name                                    Replicas
----                                    --------
NON_IPM_SUBTREE                         {}
EFORMS REGISTRY                         {}
Events Root                             {SERVER2010\Second Storage Group\Pub...
OFFLINE ADDRESS BOOK                    {}
/o=First Organization/cn=addrlists/c... {SERVER2010\Second Storage Group\Pub...
OAB Version 2                           {SERVER2010\Second Storage Group\Pub...
OAB Version 3a                          {SERVER2010\Second Storage Group\Pub...
OAB Version 4                           {SERVER2010\Second Storage Group\Pub...
EX:/o=First Organization/ou=Exchange... {SERVER2010\Second Storage Group\Pub...
EX:/o=First Organization/ou=first ad... {SERVER2010\Second Storage Group\Pub...
OWAScratchPad{332AB33A-453A-4D00-84B... {SERVER2010\Second Storage Group\Pub...
OWAScratchPad{8EE8E0A3-1B60-4E73-BCB... {SERVER2010\Second Storage Group\Pub...
SCHEDULE+ FREE BUSY                     {}
EX:/o=First Organization/ou=Exchange... {SERVER2010\Second Storage Group\Pub...
EX:/o=First Organization/ou=first ad... {SERVER2010\Second Storage Group\Pub...
schema-root                             {SERVER2010\Second Storage Group\Pub...
Default                                 {SERVER2010\Second Storage Group\Pub...
microsoft                               {SERVER2010\Second Storage Group\Pub...
exchangeV1                              {SERVER2010\Second Storage Group\Pub...
StoreEvents{332AB33A-453A-4D00-84BD-... {SERVER2010\Second Storage Group\Pub...
globalevents                            {SERVER2010\Second Storage Group\Pub...
internal                                {SERVER2010\Second Storage Group\Pub...
StoreEvents{8EE8E0A3-1B60-4E73-BCB4-... {SERVER2010\Second Storage Group\Pub...
globalevents                            {SERVER2010\Second Storage Group\Pub...
internal                                {SERVER2010\Second Storage Group\Pub...

Get-OfflineAddressbook | FL

[PS] C:\windows\system32>Get-OfflineAddressbook | FL


Server                          : SERVER2010
AddressLists                    : {\Default Global Address List}
Versions                        : {Version2, Version3, Version4}
IsDefault                       : True
PublicFolderDatabase            : SERVER2006\First Storage Group\Public Folder
                                  Store (SERVER2006)
PublicFolderDistributionEnabled : True
WebDistributionEnabled          : True
DiffRetentionPeriod             : 30
Schedule                        : {Sun.01:00-Sun.01:15, Mon.01:00-Mon.01:15, Tu
                                  e.01:00-Tue.01:15, Wed.01:00-Wed.01:15, Thu.0
                                  1:00-Thu.01:15, Fri.01:00-Fri.01:15, Sat.01:0
                                  0-Sat.01:15}
VirtualDirectories              : {SERVER2010\OAB (Default Web Site), SERVER201
                                  0\OAB (SBS Web Applications)}
ExchangeVersion                 : 0.1 (8.0.535.0)
AdminDisplayName                :
Name                            : Default Offline Address List
DistinguishedName               : CN=Default Offline Address List,CN=Offline Ad
                                  dress Lists,CN=Address Lists Container,CN=Fir
                                  st Organization,CN=Microsoft Exchange,CN=Serv
                                  ices,CN=Configuration,DC=columbus,DC=local
Identity                        : \Default Offline Address List
Guid                            : dd8107d5-8969-4820-8a90-89d34d05c998
ObjectCategory                  : columbus.local/Configuration/Schema/ms-Exch-O
                                  AB
ObjectClass                     : {top, msExchOAB}
WhenChanged                     : 14/04/2010 22:11:21
WhenCreated                     : 20/05/2005 16:25:15
OriginatingServer               : SERVER2010.columbus.local
IsValid                         : True

---------------

Still 2006 by the looks of things. :(

rrrr
second, i have to test a command line, to be sure

We will create a new oab, to see where it goes :

$a = Get-AddressList
New-OfflineAddressBook -Name "NewOfflineAddressBook" -Server Server2010.colombus.local -AddressLists $a



after that :

Get-OfflineAddressbook | FL

Ok, looks like that's gone on SERVER 2010. Here are my results:

[PS] C:\windows\system32>New-OfflineAddressBook -Name "NewOfflineAddressBook" -S
erver Server2010.columbus.local -AddressLists $a
WARNING: The offline address book has not been enabled for public folder
distribution or web distribution. Users will not be able to download the
content of the offline address book.

Name                Server              Versions            AddressLists
----                ------              --------            ------------
NewOfflineAddres... SERVER2010          {Version4}          {\All Rooms, \Pu...


[PS] C:\windows\system32>
[PS] C:\windows\system32>Get-OfflineAddressbook | FL


Server                          : SERVER2010
AddressLists                    : {\Default Global Address List}
Versions                        : {Version2, Version3, Version4}
IsDefault                       : True
PublicFolderDatabase            : SERVER2006\First Storage Group\Public Folder
                                  Store (SERVER2006)
PublicFolderDistributionEnabled : True
WebDistributionEnabled          : True
DiffRetentionPeriod             : 30
Schedule                        : {Sun.01:00-Sun.01:15, Mon.01:00-Mon.01:15, Tu
                                  e.01:00-Tue.01:15, Wed.01:00-Wed.01:15, Thu.0
                                  1:00-Thu.01:15, Fri.01:00-Fri.01:15, Sat.01:0
                                  0-Sat.01:15}
VirtualDirectories              : {SERVER2010\OAB (Default Web Site), SERVER201
                                  0\OAB (SBS Web Applications)}
ExchangeVersion                 : 0.1 (8.0.535.0)
AdminDisplayName                :
Name                            : Default Offline Address List
DistinguishedName               : CN=Default Offline Address List,CN=Offline Ad
                                  dress Lists,CN=Address Lists Container,CN=Fir
                                  st Organization,CN=Microsoft Exchange,CN=Serv
                                  ices,CN=Configuration,DC=columbus,DC=local
Identity                        : \Default Offline Address List
Guid                            : dd8107d5-8969-4820-8a90-89d34d05c998
ObjectCategory                  : columbus.local/Configuration/Schema/ms-Exch-O
                                  AB
ObjectClass                     : {top, msExchOAB}
WhenChanged                     : 14/04/2010 22:11:21
WhenCreated                     : 20/05/2005 16:25:15
OriginatingServer               : SERVER2010.columbus.local
IsValid                         : True

Server                          : SERVER2010
AddressLists                    : {\All Rooms, \Public Folders, \All Contacts,
                                  \All Groups, \All Users}
Versions                        : {Version4}
IsDefault                       : False
PublicFolderDatabase            :
PublicFolderDistributionEnabled : False
WebDistributionEnabled          : False
DiffRetentionPeriod             : 30
Schedule                        : {Sun.05:00-Sun.05:15, Mon.05:00-Mon.05:15, Tu
                                  e.05:00-Tue.05:15, Wed.05:00-Wed.05:15, Thu.0
                                  5:00-Thu.05:15, Fri.05:00-Fri.05:15, Sat.05:0
                                  0-Sat.05:15}
VirtualDirectories              : {}
ExchangeVersion                 : 0.1 (8.0.535.0)
AdminDisplayName                :
Name                            : NewOfflineAddressBook
DistinguishedName               : CN=NewOfflineAddressBook,CN=Offline Address L
                                  ists,CN=Address Lists Container,CN=First Orga
                                  nization,CN=Microsoft Exchange,CN=Services,CN
                                  =Configuration,DC=columbus,DC=local
Identity                        : \NewOfflineAddressBook
Guid                            : 0d3177d4-47e6-405b-bc91-ed8893feab5f
ObjectCategory                  : columbus.local/Configuration/Schema/ms-Exch-O
                                  AB
ObjectClass                     : {top, msExchOAB}
WhenChanged                     : 16/04/2010 13:04:18
WhenCreated                     : 16/04/2010 13:04:18
OriginatingServer               : SERVER2010.columbus.local
IsValid                         : True

Or in fact...has it not gone anywhere? "PublicFolderDatabase            :" :(

Oup s:) enable the publicfolder ditribution on the new oab ;)

Sorry, had to go to another job yesterday so just picking this up again now. So all I need to do now is enable public folder distribution on that new oab (under Exchange Management Console > Organisation > Mailbox > Offline Address Book)? Under Server Configuration > Mailbox > Database Management > Mailbox Database, i've also set the new OAB under the Client Settings tab. You think that should be? If so, you desrver several thousand points!

Still getting the error in Outlook, but I'm guessing it might just take time to propogate....?

I'm now back to getting: 0X8004010F. :(

Sorry for all the comments but, looking at the below, there is no entry for offline address book or schedule+ free busy...though free busy is still working. I thought I had it aswell. :(

[PS] C:\windows\system32>get-publicfolder "\NON_IPM_SUBTREE" -Recurse | ft name,
 replicas

Name                                    Replicas
----                                    --------
NON_IPM_SUBTREE                         {}
EFORMS REGISTRY                         {}
Events Root                             {SERVER2010\Second Storage Group\Pub...
OFFLINE ADDRESS BOOK                    {}
/o=First Organization/cn=addrlists/c... {SERVER2010\Second Storage Group\Pub...
OAB Version 2                           {SERVER2010\Second Storage Group\Pub...
OAB Version 3a                          {SERVER2010\Second Storage Group\Pub...
OAB Version 4                           {SERVER2010\Second Storage Group\Pub...
/o=First Organization/cn=addrlists/c... {SERVER2010\Second Storage Group\Pub...
OAB Version 2                           {SERVER2010\Second Storage Group\Pub...
OAB Version 3a                          {SERVER2010\Second Storage Group\Pub...
OAB Version 4                           {SERVER2010\Second Storage Group\Pub...
EX:/o=First Organization/ou=Exchange... {SERVER2010\Second Storage Group\Pub...
EX:/o=First Organization/ou=first ad... {SERVER2010\Second Storage Group\Pub...
OWAScratchPad{332AB33A-453A-4D00-84B... {SERVER2010\Second Storage Group\Pub...
OWAScratchPad{8EE8E0A3-1B60-4E73-BCB... {SERVER2010\Second Storage Group\Pub...
SCHEDULE+ FREE BUSY                     {}
EX:/o=First Organization/ou=Exchange... {SERVER2010\Second Storage Group\Pub...
EX:/o=First Organization/ou=first ad... {SERVER2010\Second Storage Group\Pub...
schema-root                             {SERVER2010\Second Storage Group\Pub...
Default                                 {SERVER2010\Second Storage Group\Pub...
microsoft                               {SERVER2010\Second Storage Group\Pub...
exchangeV1                              {SERVER2010\Second Storage Group\Pub...
StoreEvents{332AB33A-453A-4D00-84BD-... {SERVER2010\Second Storage Group\Pub...
globalevents                            {SERVER2010\Second Storage Group\Pub...
internal                                {SERVER2010\Second Storage Group\Pub...
StoreEvents{8EE8E0A3-1B60-4E73-BCB4-... {SERVER2010\Second Storage Group\Pub...
globalevents                            {SERVER2010\Second Storage Group\Pub...
internal                                {SERVER2010\Second Storage Group\Pub...

Hello
Your addres book are located under the OFFLINE Address BOOK tree : you have the entries you need there (EX:/o=First Organization/ou=Exchange...)

Now you've got a new adress book, can you get the results of : get-offlineaddressbook | fl  ?

Ah, ok. So the missing entries aren't needed then?

Here are the results:

[PS] C:\Windows\system32>get-offlineaddressbook | fl


Server                          : SERVER2010
AddressLists                    : {\Default Global Address List}
Versions                        : {Version2, Version3, Version4}
IsDefault                       : True
PublicFolderDatabase            : SERVER2006\First Storage Group\Public Folder
                                  Store (SERVER2006)
PublicFolderDistributionEnabled : True
WebDistributionEnabled          : True
DiffRetentionPeriod             : 30
Schedule                        : {Sun.01:00-Sun.01:15, Mon.01:00-Mon.01:15, Tu
                                  e.01:00-Tue.01:15, Wed.01:00-Wed.01:15, Thu.0
                                  1:00-Thu.01:15, Fri.01:00-Fri.01:15, Sat.01:0
                                  0-Sat.01:15}
VirtualDirectories              : {SERVER2010\OAB (Default Web Site), SERVER201
                                  0\OAB (SBS Web Applications)}
ExchangeVersion                 : 0.1 (8.0.535.0)
AdminDisplayName                :
Name                            : Default Offline Address List
DistinguishedName               : CN=Default Offline Address List,CN=Offline Ad
                                  dress Lists,CN=Address Lists Container,CN=Fir
                                  st Organization,CN=Microsoft Exchange,CN=Serv
                                  ices,CN=Configuration,DC=columbus,DC=local
Identity                        : \Default Offline Address List
Guid                            : dd8107d5-8969-4820-8a90-89d34d05c998
ObjectCategory                  : columbus.local/Configuration/Schema/ms-Exch-O
                                  AB
ObjectClass                     : {top, msExchOAB}
WhenChanged                     : 17/04/2010 10:50:51
WhenCreated                     : 20/05/2005 16:25:15
OriginatingServer               : SERVER2006.columbus.local
IsValid                         : True

Server                          : SERVER2010
AddressLists                    : {\Default Global Address List, \All Rooms, \P
                                  ublic Folders, \All Contacts, \All Groups, \A
                                  ll Users}
Versions                        : {Version3, Version4}
IsDefault                       : False
PublicFolderDatabase            : SERVER2010\Second Storage Group\Public Folder
                                   Database
PublicFolderDistributionEnabled : True
WebDistributionEnabled          : True
DiffRetentionPeriod             : 30
Schedule                        : {Sun.05:00-Sun.05:15, Mon.05:00-Mon.05:15, Tu
                                  e.05:00-Tue.05:15, Wed.05:00-Wed.05:15, Thu.0
                                  5:00-Thu.05:15, Fri.05:00-Fri.05:15, Sat.05:0
                                  0-Sat.05:15}
VirtualDirectories              : {SERVER2010\OAB (Default Web Site), SERVER201
                                  0\OAB (SBS Web Applications)}
ExchangeVersion                 : 0.1 (8.0.535.0)
AdminDisplayName                :
Name                            : NewOfflineAddressBook
DistinguishedName               : CN=NewOfflineAddressBook,CN=Offline Address L
                                  ists,CN=Address Lists Container,CN=First Orga
                                  nization,CN=Microsoft Exchange,CN=Services,CN
                                  =Configuration,DC=columbus,DC=local
Identity                        : \NewOfflineAddressBook
Guid                            : 0d3177d4-47e6-405b-bc91-ed8893feab5f
ObjectCategory                  : columbus.local/Configuration/Schema/ms-Exch-O
                                  AB
ObjectClass                     : {top, msExchOAB}
WhenChanged                     : 17/04/2010 10:50:51
WhenCreated                     : 16/04/2010 13:04:18
OriginatingServer               : SERVER2006.columbus.local
IsValid                         : True

---------------

Incidentally, for whatever reason, Outlook error has reverted back to 0x80190194. Possibly because I rebooted both servers today.

Cheers.

Your new OAB is correctly setup to the new Publicfolderdatabase. Strange thing is that server2006 is still the originatingserver (but that's not the problem, i just say it's strange, because you created a new OAB from the new server, so this server should be the originating one ^^)


Ok so now, your outlooks have error 0x80190194 again.
is c:\Program Files\Microsoft\Exchange Server\Client Access\OAB\0d3177d4-47e6-405b-bc91-ed8893feab5f populated with accurate files ?

You should find events 1008 (one for each adress book) in your eventvwr.. do you ?

Is your local REMOTE REGISTRY service enabled and started (on the exchange server) ?

Hi again,

Ok, I don't have any of the 1008 events in event viewer...what I did notice though, were several other events under the category "OAL Generator". Event ID's : 9337 (several), 9360, 9109, 9340. I've pasted some ones I thought might be relevant below:

"OALGen did not find any recipients in address list '\All Rooms'.  This offline address list will not be generated.
- NewOfflineAddressBook"

"OALGen encountered an error while generating the changes.oab file for version 2 and 3 differential downloads of address list '\Global Address List'.  The offline address list has not been updated so clients will not be able to download the current set of changes.  Check other logged events to find the cause of this error.
If the cause of the problem was intentional or cannot be resolved, OALGen can be forced to post a full offline address list by creating the DWORD registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters\OAL post full if diff fails' and setting it to 1 on this server.  When OALGen next generates the offline address list, clients will perform a full OAB download.  After that time, the registry key should be removed to prevent further full downloads.
- Default Offline Address List "

The above error is 9360. I've not yet followed what it says as I wanted to see your thoughts on it first. Do you think I should go ahead and make that registry change?

Also, REMOTE REGISTRY is enabled and started on the SBS 2008 box.

Cheers,

Zak

These errors are not really embarrassing, and could be normal.
The fact is that if you dont have any 1008 event, your OAB is not replicated by FDS to the distribution folder on your server.

please check again, following this article to better understand :
http://blogs.msdn.com/dgoldman/archive/2006/11/27/Error-0x80190194-when-using-an-outlook-2007-client-to-download-a-web-distribution-enabled-oab.aspx

I've had a good read at that link but still am no further forward. Is there any chance you could explain these steps in a bit more details please?

"1. Delete all of the OAB folders in the distrubition point.

2. Open both directories for the OAB and \Client Access\OAB

3. Change the polling interval to 2 minutes (this will speed up the test). Run Get-OabVirtualDirectory| Set-OabVirtualDirectory -pollinterval 2. (You will want to change this back after).

4. Rebuild your OAB and then watch to see if the folder gets replicated over."

Thanks,

Zak

Ok, I've figured out something else...maybe. If I look at the Outlook auto-configuration, the OAB URL (under Protocol: Exchange RPC) is: http://autodiscover.columbustelecom.com/oab/0d3177d4-47e6-405b-bc91-ed8893feab5f/

and under Protocol: Exchange HTTP it's: https://autodiscover.columbustelecom.com/oab/0d3177d4-47e6-405b-bc91-ed8893feab5f/

Should these point to https://autodiscover.columbustelecom.com/oab/0d3177d4-47e6-405b-bc91-ed8893feab5f/oab.xml (oab.xml on the end)?

Also, if I browse to
https://autodiscover.columbustelecom.com/oab/0d3177d4-47e6-405b-bc91-ed8893feab5f/oab.xml - I can see the file.

If I browse to https://autodiscover.columbustelecom.com/oab/0d3177d4-47e6-405b-bc91-ed8893feab5f/ I get access denied

If I browse to the address with or without OAB.xml on the end, I get a 404 error.

Any ideas?

Thanks again.

1) delete all folders under c:\program files\microsoft\exchange server\OAB
and c:\program files\microsoft\exchangeserver \clientaccess\OAB

2) open these two folders in background

3) launch Get-OabVirtualDirectory| Set-OabVirtualDirectory -pollinterval

4) launch get-offlineaddressbook | update-offlineaddressbook


And now see if both folders get populated within 10 minutes. if not, note exactly what happens, and describe it. (and look in the eventvwr)

Thanks Seb.

Just before I do, did you see my above note about the URL's? Just want to check they look right first.

Cheers.

Can you post the full result of your autodiscover process ?

they look right, but these are not the correct pathes...


just one thing : you're erros appears form inside your LAN, isn't it ?

can you post also the results of

get-oabvirtualdirectory | fl

Hi errors are from inside the LAN, yes. Here are my results below:

[PS] C:\Windows\system32>get-oabvirtualdirectory | fl


Name                          : OAB (SBS Web Applications)
PollInterval                  : 30
OfflineAddressBooks           : {\NewOfflineAddressBook, \Default Offline Addre
                                ss List}
RequireSSL                    : True
BasicAuthentication           : True
WindowsAuthentication         : True
MetabasePath                  : IIS://SERVER2010.columbus.local/W3SVC/3/ROOT/OA
                                B
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\OAB
Server                        : SERVER2010
InternalUrl                   : https://autodiscover.columbustelecom.com/OAB
InternalAuthenticationMethods : {Basic, WindowsIntegrated}
ExternalUrl                   : http://autodiscover.columbustelecom.com/OAB
ExternalAuthenticationMethods : {Basic, WindowsIntegrated}
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=OAB (SBS Web Applications),CN=HTTP,CN=Protoc
                                ols,CN=SERVER2010,CN=Servers,CN=Exchange Admini
                                strative Group (FYDIBOHF23SPDLT),CN=Administrat
                                ive Groups,CN=First Organization,CN=Microsoft E
                                xchange,CN=Services,CN=Configuration,DC=columbu
                                s,DC=local
Identity                      : SERVER2010\OAB (SBS Web Applications)
Guid                          : 3d341df8-a6f5-4b0d-a734-8625542f7554
ObjectCategory                : columbus.local/Configuration/Schema/ms-Exch-OAB
                                -Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchOABVirtualD
                                irectory}
WhenChanged                   : 14/04/2010 13:51:15
WhenCreated                   : 29/03/2010 13:17:13
OriginatingServer             : SERVER2010.columbus.local
IsValid                       : True

Name                          : OAB (Default Web Site)
PollInterval                  : 480
OfflineAddressBooks           : {\NewOfflineAddressBook, \Default Offline Addre
                                ss List}
RequireSSL                    : True
BasicAuthentication           : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SERVER2010.columbus.local/W3SVC/1/ROOT/OA
                                B
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\OAB
Server                        : SERVER2010
InternalUrl                   : https://autodiscover.columbustelecom.com/OAB
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalUrl                   : http://autodiscover.columbustelecom.com/OAB
ExternalAuthenticationMethods : {WindowsIntegrated}
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,
                                CN=SERVER2010,CN=Servers,CN=Exchange Administra
                                tive Group (FYDIBOHF23SPDLT),CN=Administrative
                                Groups,CN=First Organization,CN=Microsoft Excha
                                nge,CN=Services,CN=Configuration,DC=columbus,DC
                                =local
Identity                      : SERVER2010\OAB (Default Web Site)
Guid                          : 6fa84c8d-0c16-4f30-b645-fdb664b761c9
ObjectCategory                : columbus.local/Configuration/Schema/ms-Exch-OAB
                                -Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchOABVirtualD
                                irectory}
WhenChanged                   : 14/04/2010 13:51:26
WhenCreated                   : 14/04/2010 13:44:51
OriginatingServer             : SERVER2010.columbus.local
IsValid                       : True

Do the files exist under:
C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB or is it empty?

Hi,

There are files in that folder and they were updated within the last hour. Really not sure what else to try. As far as I can tell, everything should be working.  Any other ideas?

Also, for reference, if I try to connect to my mailbox from outside the lan, I get the credntials popup but after I enter my details, it still doesn't connect to Exchange. This is a side issue really though as it works through the VPN. My main concern is the OAB.

Any ideas would be greatly appreciated!

Cheers,

Zak

Can you post the results of an Outlook autoconfig test?

testing outlook autoconfig.
With outlook open do: Hold down the CTRL key and then right-click on the Outlook icon in the system tray(near the time on the bottom right-hand side of the screen)-->Test e-mail autoconfiguration-->enter a valid e-mail address and password-->make sure "Use AutoDiscover" is the only one ticked-->Press Test and then look in the Log for the OAB URL

can you ping autodiscover.yourinternaldomain (FQDN)?
Or do you have a an autodiscover (SRV) record in DNS?

I had a client that was getting the same error 0x80190194 because Outlook could not ping autodiscover.internaldomain

as a quick test you can add the autodiscover.yourinternaldomain to the workstation HOSTS file with an IP address of the CAS server and then open Outlook and see if you get the same error.

Hi,

I was unsure how to copy and paste the autodiscover results so I've added screengrabs below showing the results.

I can ping autodiscover.domain.com and it resolves to the CAS server. I have a DNS entry for this, yea. I tried adding the record you suggested to my hosts file but still get the same error. :(

Please see screengrabs attached.

Thanks,

Zak
1.png
2.png
3.png

Do
Get-Mailboxdatabase |ft name,OfflineAddressBook

you will probably find that it is empty

Hi there,

No, it does give a result...the new address book I created in an earlier step. :( Still not sure!

Thanks again,

Zak

Sorry, here's the result:


[PS] C:\Windows\system32>Get-Mailboxdatabase |ft name,OfflineAddressBook

Name                                    OfflineAddressBook
----                                    ------------------
Mailbox Database                        \NewOfflineAddressBook

hmmm on my SBS2008 the InternalURL of the OAB is
https://sites/OAB

but I am still using the self-signed cert...

If users ping autodiscover.columbustelecom.com from inside your LAN do they get the internal IP address or the external IP address? Maybe you need to add an internal zone/record for that so they don't try and contact the external IP address of your router.

can you publish the result for GET-CLIENTACCESSSevr | fl

Hi,

I pinged autodiscover.columbustelecom.com (having removed the entry from my hosts file) and it returns the internal IP of our server.

I take it the command you meant was: GET-CLIENTACCESSServer | fl ?

Here are the results:

[PS] C:\Windows\system32>GET-CLIENTACCESSServer | fl


Name                           : SERVER2010
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SERVER2010
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://autodiscover.columbustelecom.com/Autod
                                 iscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVER2010.columbus.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVER2010,CN=Servers,CN=Exchange Administr
                                 ative Group (FYDIBOHF23SPDLT),CN=Administrativ
                                 e Groups,CN=First Organization,CN=Microsoft Ex
                                 change,CN=Services,CN=Configuration,DC=columbu
                                 s,DC=local
Identity                       : SERVER2010
Guid                           : 06498858-0704-403e-84bd-9ba4d764cee5
ObjectCategory                 : columbus.local/Configuration/Schema/ms-Exch-Ex
                                 change-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 02/04/2010 14:16:45
WhenCreated                    : 29/03/2010 13:13:41

really strange
Everything seems allright.

:( To the best of my knowledge, that's what I thought too. What would you do if  you were me now? I really don't want to go uninstalling Exchange. Only things I can think of that might effect are that the issues seemed to start when I recreated my own account during the server migration. If anyone tries to mail my address internally, as it appears on the contacts in Outlook, they get an undeliverable back. The strange thing is that the email address hasn't changed after me re-creating the account so I would've expected it to still work.

The other thing is that this obviously occured during a migration. The old server hasn't been demoted yet (going to do that today) but I get the same results whether the old server is powered on or off so I don't *think* it's making a difference.

Really don't know where to go now...

Did you try to create a brand new Mailbox, and connect a brand new outlook profile to that mailbox, and see if the OAB is downloaded ?

when people e-mail you are they selecting you from the address book or are they using a cached outlook entry? what NDR are they getting?

Try this:
On your OAB folder and subfolders mentioned below:
"If I browse to https://autodiscover.columbustelecom.com/oab/0d3177d4-47e6-405b-bc91-ed8893feab5f/ I get access denied"

Give Authenticated Users "read" permissions and then see if you can open that URL. Then try Outlook

Ok, here are my latest updates. Thought I'd format this post so it's easier to read.

1. I've now demoted the SBS 2003 machine - still the same.
2. I created a new user using the SBS console on the 2008 machine. Gave it a new email address and logged on as that user. I connected to the mailbox yet still got the same error. What I did notice was that, when trying to download the address book, the dropdown showed:  "Download Offline Address Book List" (see screengrab: New User) whereas on other accounts it shows: "\Global Address Book" (see screengrab: Me). I still get the same error though.
3. Think I mentioned this earlier but somehow, at some point in the process, I've ended up with two OAB folders (0d3177d4-47e6-405b-bc91-ed8893feab5f) and (dd8107d5-8969-4820-8a90-89d34d05c998). Looking in IIS, these both appear under "Default Web Site\OAB" and under "SBS Web Applications\OAB" (i.e. - 4 in total).
4. I've set user permissions for authenticated users to read on all these folders but still cannot browse to the link above (403: Forbidden).
5. Not sure if this is related but, internally, I cannot browse to remote.columbustelecom.com (http or https). I added remote.columbustelecom.com pointing to my internal server IP in my HOSTS file, and I can now browse to it. As far as I can tell, DNS looks correct but I guess it isn't.
6. Also, externally, I cannot reach remote.columbustelecom.com at all. If I ping it, it gives our public IP but I cannot browse to it, nor does it respond to the ping.
7. Again, don't know if it's related but I have 2 disconnected mailboxes showing in Exchange management console.
8. When loading Outlook, I still get a certificate error. I planned to troubleshoot this later but could this be a cause for the problems?
9. Under Queue Viewer in Exchange Management Console, there are 4 items that won't send (see screengrab: Queue Viewer). If I double click this, then double click one of the messages, I get the below error:
10. 1. Identity: SERVER2010\29\18
       Subject: Hierarchy
       Internet Message ID: <B04093C224D7D04CBF3F6C5C081FBF1F04ACEFF890@SERVER2010.columbus.local>
       From Address: PublicFolderDatabase@columbustelecom.com
       Status: Ready
       Size (KB): 4
       Message Source Name: FromLocal
       Source IP: 255.255.255.255
       SCL: -1
       Date Received: 23/04/2010 11:30:01
       Expiration Time: 25/04/2010 11:30:01
       Last Error:
       Queue ID: SERVER2010\29
       Recipients:  SERVER2006-IS@columbustelecom.com
    2. I notice this mentions SERVER2006 (our old server). Is this a problem?

Thanks again. As you can see, I'm trying everything!
Cheers,
Zak

New-User.png
Me.png
Queue-Viewer.png

Also, regarding the NDR on my account. It's a bit odd. My name is Zaki Kayyal, but I'm known as Zak.Kayyal. If start typing my name and tab away (using the pre-stored address) I get the NDR (user unknown). zaki.kayyal is my login and zak.kayyal is a secondary address. If users manually type zak.kayyal it works. Externally though, either address works.

does the NDR say /o=youORgname/0u=youradmingroup/cn=reipients/cn=zak or something similar?

All you need to do then is add the /o string as an X500 e-mail address to your mailbox.

Hi,

Yes the message is similar to the one you described. Can you please let me know how to make the above change?

Here's the error:
 
IMCEAEX-_O=FIRST+20ORGANIZATION_OU=First+20administrative+20group_cn=Recipients_cn=zaki+2Ekayyal@columbustelecom.com
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

Cheers,

Zak

hmmm that is different, dump your mailbox and have a look and see if there is a LegacyExchangeDN on it or not.

Run
Get-EmailAddressPolicy | where { $_.RecipientFilterType -eq "Legacy" }

Does it list any?

Sorry, can you just explain how to do the above please?

Ah, thanks. :) Ran that query and got no results.

Do you think any of the things I mentioned in the larger post above are relevant?

dump your mailbox with:
get-mailbox -identity <you> |ft name, legacyExchangeDN

Here are my results.

[PS] C:\Windows\system32>get-mailbox -identity zaki.kayyal |ft name, legacyExcha
ngeDN

Name                                    LegacyExchangeDN
----                                    ----------------
Zaki Kayyal                             /o=First Organization/ou=Exchange Ad...

Sorry, I'm pretty new to PS, so I'm unsure how to expand them out (i.e. - Get rid of the ... and read the full result).

just do
get-mailbox -identity zaki.kayyal |ft legacyExchangeDN

then so it just gives the legacyExchangeDN

Ok, here's the result (again, can't read it all). Thanks so much for all your excellent help so far....

[PS] C:\Windows\system32>get-mailbox -identity zaki.kayyal |ft legacyExchangeDN

LegacyExchangeDN
----------------
/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=...

See what happens if you add
/o=FIRST ORGANIZATION/ou=First administrative group/cn=Recipients/cn=zaki.Ekayyal@columbustelecom.com

As an X500 e-mail address to your mailbox, then try and e-mail it using the cached Outlook entry

Hi

Just saw you long message. You cannot download the OAB if you have a certificate ERROR in your outlook.
First off all, post again the result of the following commands :
get-oabvirtualdirectory | fl
get-autodiscovervirtualdirectory | fl
Get-WebServicesVirtualDirectory | fl
get-clientaccesserver | fl
get-exchangecertificate | fl

Thanks

I thought it might have been a certificate thing. That's one area I was a bit grey on.
Here are my results:

[PS] C:\Windows\system32>get-oabvirtualdirectory | fl

Name                          : OAB (SBS Web Applications)
PollInterval                  : 30
OfflineAddressBooks           : {\NewOfflineAddressBook, \Default Offline Addre
                                ss List}
RequireSSL                    : True
BasicAuthentication           : True
WindowsAuthentication         : True
MetabasePath                  : IIS://SERVER2010.columbus.local/W3SVC/3/ROOT/OA
                                B
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\OAB
Server                        : SERVER2010
InternalUrl                   : https://autodiscover.columbustelecom.com/OAB
InternalAuthenticationMethods : {Basic, WindowsIntegrated}
ExternalUrl                   : http://autodiscover.columbustelecom.com/OAB
ExternalAuthenticationMethods : {Basic, WindowsIntegrated}
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=OAB (SBS Web Applications),CN=HTTP,CN=Protoc
                                ols,CN=SERVER2010,CN=Servers,CN=Exchange Admini
                                strative Group (FYDIBOHF23SPDLT),CN=Administrat
                                ive Groups,CN=First Organization,CN=Microsoft E
                                xchange,CN=Services,CN=Configuration,DC=columbu
                                s,DC=local
Identity                      : SERVER2010\OAB (SBS Web Applications)
Guid                          : 3d341df8-a6f5-4b0d-a734-8625542f7554
ObjectCategory                : columbus.local/Configuration/Schema/ms-Exch-OAB
                                -Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchOABVirtualD
                                irectory}
WhenChanged                   : 14/04/2010 13:51:15
WhenCreated                   : 29/03/2010 13:17:13
OriginatingServer             : SERVER2010.columbus.local
IsValid                       : True
Name                          : OAB (Default Web Site)
PollInterval                  : 480
OfflineAddressBooks           : {\NewOfflineAddressBook, \Default Offline Addre
                                ss List}
RequireSSL                    : True
BasicAuthentication           : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SERVER2010.columbus.local/W3SVC/1/ROOT/OA
                                B
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\OAB
Server                        : SERVER2010
InternalUrl                   : https://autodiscover.columbustelecom.com/OAB
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalUrl                   : http://autodiscover.columbustelecom.com/OAB
ExternalAuthenticationMethods : {WindowsIntegrated}
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,
                                CN=SERVER2010,CN=Servers,CN=Exchange Administra
                                tive Group (FYDIBOHF23SPDLT),CN=Administrative
                                Groups,CN=First Organization,CN=Microsoft Excha
                                nge,CN=Services,CN=Configuration,DC=columbus,DC
                                =local
Identity                      : SERVER2010\OAB (Default Web Site)
Guid                          : 6fa84c8d-0c16-4f30-b645-fdb664b761c9
ObjectCategory                : columbus.local/Configuration/Schema/ms-Exch-OAB
                                -Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchOABVirtualD
                                irectory}
WhenChanged                   : 14/04/2010 13:51:26
WhenCreated                   : 14/04/2010 13:44:51
OriginatingServer             : SERVER2010.columbus.local
IsValid                       : True  

[PS] C:\Windows\system32>get-autodiscovervirtualdirectory | fl

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SERVER2010.columbus.local/W3SVC/3/ROOT/Au
                                todiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\Autodiscover
Server                        : SERVER2010
InternalUrl                   : https://remote.columbustelecom.com/Autodiscover
                                /Autodiscover.xml
ExternalUrl                   : https://remote.columbustelecom.com/Autodiscover
                                /Autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,
                                CN=Protocols,CN=SERVER2010,CN=Servers,CN=Exchan
                                ge Administrative Group (FYDIBOHF23SPDLT),CN=Ad
                                ministrative Groups,CN=First Organization,CN=Mi
                                crosoft Exchange,CN=Services,CN=Configuration,D
                                C=columbus,DC=local
Identity                      : SERVER2010\Autodiscover (SBS Web Applications)
Guid                          : 99bd1047-8596-40f9-acae-8371ce7d0f6f
ObjectCategory                : columbus.local/Configuration/Schema/ms-Exch-Aut
                                o-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscove
                                rVirtualDirectory}
WhenChanged                   : 29/03/2010 14:31:54
WhenCreated                   : 29/03/2010 13:17:20
OriginatingServer             : SERVER2010.columbus.local
IsValid                       : True
Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SERVER2010.columbus.local/W3SVC/1/ROOT/Au
                                todiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\Autodiscover
Server                        : SERVER2010
InternalUrl                   :
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=P
                                rotocols,CN=SERVER2010,CN=Servers,CN=Exchange A
                                dministrative Group (FYDIBOHF23SPDLT),CN=Admini
                                strative Groups,CN=First Organization,CN=Micros
                                oft Exchange,CN=Services,CN=Configuration,DC=co
                                lumbus,DC=local
Identity                      : SERVER2010\Autodiscover (Default Web Site)
Guid                          : 597c310f-b327-4c89-a917-2b2a130a93ee
ObjectCategory                : columbus.local/Configuration/Schema/ms-Exch-Aut
                                o-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscove
                                rVirtualDirectory}
WhenChanged                   : 14/04/2010 12:49:07
WhenCreated                   : 14/04/2010 12:49:07
OriginatingServer             : SERVER2010.columbus.local
IsValid                       : True
 
 

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl

InternalNLBBypassUrl          : https://server2010.columbus.local/ews/exchange.
                                asmx
Name                          : EWS (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SERVER2010.columbus.local/W3SVC/3/ROOT/EW
                                S
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\exchweb\EWS
Server                        : SERVER2010
InternalUrl                   : https://remote.columbustelecom.com/EWS/Exchange
                                .asmx
ExternalUrl                   : https://remote.columbustelecom.com/EWS/Exchange
                                .asmx
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=EWS (SBS Web Applications),CN=HTTP,CN=Protoc
                                ols,CN=SERVER2010,CN=Servers,CN=Exchange Admini
                                strative Group (FYDIBOHF23SPDLT),CN=Administrat
                                ive Groups,CN=First Organization,CN=Microsoft E
                                xchange,CN=Services,CN=Configuration,DC=columbu
                                s,DC=local
Identity                      : SERVER2010\EWS (SBS Web Applications)
Guid                          : 3773ecf6-c108-48a3-b376-123d5542ed83
ObjectCategory                : columbus.local/Configuration/Schema/ms-Exch-Web
                                -Services-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchWebServices
                                VirtualDirectory}
WhenChanged                   : 02/04/2010 14:18:44
WhenCreated                   : 29/03/2010 13:17:07
OriginatingServer             : SERVER2010.columbus.local
IsValid                       : True
InternalNLBBypassUrl          : https://server2010.columbus.local/EWS/Exchange.
                                asmx
Name                          : EWS (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SERVER2010.columbus.local/W3SVC/1/ROOT/EW
                                S
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\exchweb\EWS
Server                        : SERVER2010
InternalUrl                   : https://server2010.columbus.local/EWS/Exchange.
                                asmx
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,
                                CN=SERVER2010,CN=Servers,CN=Exchange Administra
                                tive Group (FYDIBOHF23SPDLT),CN=Administrative
                                Groups,CN=First Organization,CN=Microsoft Excha
                                nge,CN=Services,CN=Configuration,DC=columbus,DC
                                =local
Identity                      : SERVER2010\EWS (Default Web Site)
Guid                          : 52e4abdf-9c48-4782-b99c-2c989dc53e34
ObjectCategory                : columbus.local/Configuration/Schema/ms-Exch-Web
                                -Services-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchWebServices
                                VirtualDirectory}
WhenChanged                   : 14/04/2010 12:50:57
WhenCreated                   : 14/04/2010 12:50:57
OriginatingServer             : SERVER2010.columbus.local
IsValid                       : True
 
 
[PS] C:\Windows\system32>get-clientaccessserver | fl

Name                           : SERVER2010
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SERVER2010
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://autodiscover.columbustelecom.com/Autod
                                 iscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVER2010.columbus.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVER2010,CN=Servers,CN=Exchange Administr
                                 ative Group (FYDIBOHF23SPDLT),CN=Administrativ
                                 e Groups,CN=First Organization,CN=Microsoft Ex
                                 change,CN=Services,CN=Configuration,DC=columbu
                                 s,DC=local
Identity                       : SERVER2010
Guid                           : 06498858-0704-403e-84bd-9ba4d764cee5
ObjectCategory                 : columbus.local/Configuration/Schema/ms-Exch-Ex
                                 change-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 02/04/2010 14:16:45
WhenCreated                    : 29/03/2010 13:13:41
 
 

[PS] C:\Windows\system32>get-exchangecertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVER2010.columbus.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SERVER2010.columbus.local
NotAfter           : 16/04/2013 00:00:00
NotBefore          : 17/04/2010 00:00:00
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : 25555E96222B4983412A26C0245043C4
Services           : None
Status             : Valid
Subject            : CN=SERVER2010.columbus.local
Thumbprint         : B0FCA6B6792617D8D6A79D8D2602CBDCDD7177F5
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.columbustelecom.com, columbustelecom.com, SERVER20
                     10.columbus.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=columbus-SERVER2010-CA
NotAfter           : 12/04/2012 12:11:55
NotBefore          : 13/04/2010 12:11:55
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1530C0FC00000000000A
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.columbustelecom.com
Thumbprint         : B78E465543187C7961F2BED2BA33A8C39FA9B119
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.columbustelecom.com, columbustelecom.com, SERVER20
                     10.columbus.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=columbus-SERVER2010-CA
NotAfter           : 12/04/2012 11:58:36
NotBefore          : 13/04/2010 11:58:36
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 15248FCF000000000009
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.columbustelecom.com
Thumbprint         : 5A2F12BAE26173FDBB7A072D816BF2D00EB57891
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.columbustelecom.com, columbustelecom.com, SERVER20
                     10.columbus.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=columbus-SERVER2010-CA
NotAfter           : 07/04/2012 14:26:30
NotBefore          : 08/04/2010 14:26:30
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 15A5078C000000000008
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.columbustelecom.com
Thumbprint         : 9AA8D06600CC0995ADADF66F2FCDB93DF302181E
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.columbustelecom.com, columbustelecom.com, SERVER20
                     10.columbus.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=columbus-SERVER2010-CA
NotAfter           : 28/03/2012 14:21:03
NotBefore          : 29/03/2010 14:21:03
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61199CCB000000000005
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.columbustelecom.com
Thumbprint         : 5292F9ADECA8301267A4029356779C30AEB4FE21
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVER2010.columbus.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=columbus-SERVER2010-CA
NotAfter           : 29/03/2011 13:03:44
NotBefore          : 29/03/2010 13:03:44
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6126642F000000000004
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=SERVER2010.columbus.local
Thumbprint         : E1779AFDEBD0091609C508C3A3A88D58ECE2ED8F
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVER2010.columbus.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=columbus-SERVER2010-CA
NotAfter           : 28/03/2012 12:55:49
NotBefore          : 29/03/2010 12:55:49
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 611F2442000000000002
Services           : SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 038B29AE8E2822923904512F1695A226D2B051C9
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {columbus-SERVER2010-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=columbus-SERVER2010-CA
NotAfter           : 29/03/2015 13:05:33
NotBefore          : 29/03/2010 12:55:33
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 36C78FE88E876AA34084BF7996AD7B4B
Services           : None
Status             : Valid
Subject            : CN=columbus-SERVER2010-CA
Thumbprint         : A9E33C5C4E75FF61422B6F171005F0B23FBBCD83
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-YKAAUF5CRPN}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-YKAAUF5CRPN
NotAfter           : 26/03/2020 10:04:18
NotBefore          : 29/03/2010 11:04:18
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6E4129B57811DA8C4218D4ADDEE973C8
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-YKAAUF5CRPN
Thumbprint         : 59BA9948734EBE6CA7D859419ED01EA6824CEBA3
 

Not sure why so many certificates show! :(

ok
autodiscover.columbus.com is not on your cets..
run the following commands :

get-oabvirtualdirectory | set-oabvirtualdirectory -internalUrl https://server2010.columbus.local/OAB -externaurl htps://remote.columbustelecom.com/OAB
 
Get-WebServicesVirtualDirectory  | set-WebServicesVirtualDirectory -InternalUrl https://server2010.columbus.local/EWS/Exchange.asmx

get-clientaccessserver | set-clientaccessserver -AutoDiscoverServiceInternalUri https://autodiscover.columbustelecom.com/Autodiscover/Autodiscover.xml

restart IIS

test your outlook connection, from internal : Objective : no certificate errors.
 

can you ping sites?

If so, then I reckon that if you change the internalURL for the OAB to https://sites/OAB it will start to work because you have a certificate for the sites name.

on my SBS2008 the InternalURL of the OAB is
https://sites/OAB

Or just do what Seb says first...

I need to see which cert applys to your IIS : Browse to wour inetnal OWA, by using https, and double click on the cert in internet explorer.
Browse to the options of the cert, and find the attributes "subject alternative names", and tell us which names are on it. Also verify it's expiration date.

Ok, firstly, I followed the steps in your first post Seb. Note, after running:

Get-WebServicesVirtualDirectory  | set-WebServicesVirtualDirectory -InternalUrl https://server2010.columbus.local/EWS/Exchange.asmx

I got back: WARNING: The command completed successfully but no settings of 'SERVER2010\EWS
(Default Web Site)' have been modified.

Also, in the third command, is it -AutoDiscoverServiceInternalUri or -AutoDiscoverServiceInternalUrl. I did Uri as per your post. Restart IIS. Exited Outlook 2007 and reloaded, still got a certificate error.

MegaNuk3: I can ping Sites, but it doesn't resolve to our SBS, it resolves to another address...not sure what device that is right now.

I followed the step re. the certificate but, just to note as the above, despite DNS looking correct, I think there's an issue there. I can't get to our internal OWA address (remote.columbustelecom.com/owa) unless I edit my hosts file to make it point to our internal server IP. Once I do that and follow your steps above the Subject Alternative Names are:
DNS Name=columbustelecom.com
DNS Name=remote.columbustelecom.com
DNS Name=SERVER2010.columbus.local

Valid to date: 12 April 2012.

Do you think it's the DNS issue?

Ok, think we've almost fixed it! I just logged on to a machine as the admin account I created for the migration....and the address book downloaded! Got a certificate error still when I setup the account in Outlook, but the address book downloading is definite progress. I'm happy!

I'm at home now but, on my own account (via the VPN) it still won't download...though the error has changed. I now get 0X80070057. Could that be because I'm connecting via the VPN?

Cheers guys.

Ok, I remote desktopped a PC in the office, removed any exchange mailboxes and added mine again. Certificate errors still appearing but it's downloading the address book! I'll report back when I'm in the office again.

Thanks again x 9999

nice
still have to get rid of the cert error
But it's a good news :)

Yeah. At the moment I'm still having issues downloading it over the VPN (0X80070057) and there's obviously the certificate error but I'll do all I can over the weekend / Monday morning and post again then. If you're around to help on Monday, that'd be excellent.

Cheers.

yop

Hi Seb,

Thanks again for your help. The OAB issue is definitely resolved for all users inside the LAN! Really happy. I've yet to fully test this over the VPN but want to resolve the certificate error next. If you think I should award points for this one and create a new question, please let me know as I think this is a slightly different issue now.

The error I get is shown in the screengrab below. When I view the certificate, I get the 2nd screenshot. I think the issue here is that on the security alert it states "autodiscover.columbustelecom.com" but when viewing the certificate, it's issued to "remote.columbustelecom.com".

Is there an easy fix for this?

Cheers,

Zak

Oops, forgot the screengrabs. :)
Cert1.png
Cert2.png

Hi
can you have a look on this certificate stating the error, for the "AlternatSubjectNames" part ?
isn't autodiscover on it ?


The problem here, is that you're outlook clients are not detecting that they are connected to the server, and try to get the server thrdough Internet Web services, and thence look for AUTODISCOVER.columbustelecom.com

=> You will have either to give the vpn clients a correct path to autodiscover.columbustelecom.com, or to reissue a certificate for your exchange server, with all the correct names on it.

Hi,

No, autodiscover isn't listed under "AtlernateSubjectNames". Not sure how to add that using PS though. Is there a command to do this?

Also, just to clarify, this message appears from within the LAN and I notice I do have the "connected to Microsoft Exchange" message at the bottom right of Outlook before clicking Yes to the security alert.

Regarding your note about the VPN...which would be easier? As far as I can remember, the security cert error is a bit different when connecting over the VPN.

You can use this wizard to generate the Exchange certificate command that you would use for your server and include all the subjectAlternate Names, such as autodiscover.columbustelecom.com:

https://www.digicert.com/easy-csr/exchange2007.htm

Hum.
I Need to compare both certificate errors to have a better view of your organization : Can you post both errors, and both certificates details in that case

Also, can you confirm ?
You want access from INSIDE and from LAN : No Outlook over RPC, right ?
Your server name is Server2010.columbustelecom.local
Your remote server name (owa) is remote.columbustelecom.com
You have an external columbustelecom.com DNS zone, stating "remote" and "autodiscover" to your public IP address
You don't have any internal zone "columbustelecom.com", right ?

MegaNuk3, thanks for the link. I'll give that a try once I'm confident with what needs doing.

Seb - Ultimately, I would like Outlook over RPC though my initial task is to get rid of the cert. errors from within the LAN.

Our server name is SERVER2010.columbus.local

Our remote server name *should* be remote.columbustelecom.com though I can only access this internally at the moment...

Our external DNS is managed by a 3rd party but remote.columbustelecom.com and autodiscover.columbustelecom.com point to our public IP.

I do have an internal zone for columbustelecom.com...should this not be present? Within it, I have www setup to point to where our website is hosted, and I have remote,autodiscover and mail pointing to the internal IP of our DC.

I also have a seperate internal zone for remote.columbustelecom.com with the root (so, remote.columbustelecom.com) pointing to the internal IP of the server.

Is this not correct?

Cheers.

Also, I can post the error from outside the LAN around 7pm British time.

Hi again,

I've been really busy with a few other domains lately so only just getting the chance to revisit this one. Ok, just before I go ahead, there's no chance that deleting all the other certificates will cause the OAB issues to occur again, or Free/Busy info issues (a problem occuring near the start of the install) ?

Also, just to clarify, our FQDN for the DC is server2010.columbus.local so I presume I'd apply that to the certificate rather than server2010.columbustelecom.local, yea?

And (sorry if this is a really silly question) is this all possible without purchasing a secure certificate? Can I use the self-issued one?

I *think* I'm nearly there.

Oh, and one final thing, what is the command to delete the old certificates once I've created the new one?

Thanks again. Lifesavers, both of you. :)

Hi gents. Sorry to bump this but are either of you available to read the above post? I just want to try to ensure I don't mess anything else up by removing the old certificates. Hopefully I can get this one stroked off after this.

Cheers again,

Zak

Hello
I thought I answered : I've probably missed the submit Button :)

Yes it is possible to do that with an internal certificate service (microsoft pki).
In order not to distrub your infrastrcture, you must first install a new certificate and affect the services on it, and after that you can delete the old certs.

On the new certificate, you will have to put the following names (interpret intenal and external to your real domain names..):

- COMMON NAME : External FQDN of your principal EMAIL DOMAIN : remote.columbustelecom.com
- SANs : autodiscover.columbustelecom.com, autodiscover.internaldomain.local, autodiscover.whatever other.principal.email.domain.name.you.have
- SANs : Server2010

Hi Seb, thanks. Ok, I've generated the certificate using the link above which gave me back:

"New-ExchangeCertificate -GenerateRequest -Path c:\remot
e_columbustelecom_com.csr -KeySize 2048 -SubjectName "c=GB, s=Glasgow, l=Glasgow
, o=Columbus Telecom, cn=remote.columbustelecom.com" -DomainName server2010.colu
mbus.local, remote.columbustelecom.com, autodiscover.columbustelecom.com, server
2010 -PrivateKeyExportable $True"

I pasted this into the shell and got back:

Thumbprint                                Services   Subject
----------                                --------   -------
4A5327A5E11EA82CC7DA5486133890A7AC21D679  .....      C=GB, S=Glasgow, L=Glas...

I then pasted the command you posted, changing the path to the actual file so my command was:

Import-ExchangeCertificate -Path c:\remote_columbustele
com_com.csr | Enable-ExchangeCertificate -Services IIS, SMTP, UM, POP

But when I did this, I got the error back:

Import-ExchangeCertificate : The source data cannot be imported or the wrong pa
ssword was specified.
At line:1 char:27
+ Import-ExchangeCertificate <<<<  -Path c:\remote_columbustelecom_com.csr | En
able-ExchangeCertificate -Services IIS, SMTP, UM, POP
    + CategoryInfo          : ReadError: (0:Int32) [Import-ExchangeCertificate
   ], ImportCertificateDataInvalidException
    + FullyQualifiedErrorId : 56E2F48A,Microsoft.Exchange.Management.SystemCon
   figurationTasks.ImportExchangeCertificate

Is it because the file generated is a .csr file rather than .txt as you mentioned?

Cheers.

Hello

That's logical : you just made a certificate request. (the csr file)
You now have to transform that request in a real certficate. For that, you will have to present the CSR (the request) to a Certification Authority : Either a public one (comodo, versign, ...) or an internal Microsoft PKI if you have one.

Hmmm, can't you do:
Enable-ExchangeCertificate -Thumbprint 4A5327A5E11EA82CC7DA5486133890A7AC21D679 -Services IIS, SMTP, UM, POP

?

MegaNuk3 - Upon doing a bit of reading, I tried the above command already and I get:

"The certificate with thumbprint xxxxxx was not found."

Since I don't know about using an internal PKI, I think we're going to look at purchasing the certificate now as that looks to be the only valid option.

I'll discuss this with our director and try to get it ordered today.

That should create you a self-signed certificate.
I'm not using these, and i don't know if everything will work smoothly behind, perhaps you will have to import this certificate to the client computers when using OWA. But yes, you can try that, and if not working, just delete this cert at the end :)
I'm usually using a Microsoft our a Public CA.

Lol
Ok, it's a good step. From my poitn of view, COMODO UCC Certificates are the cheapest (About 1200$$ for three years).
(Oups)...

Apparently GoDaddy ones are really cheap too.

Hi gents, me again! Ok, since I last posted, I ordered a 90-day free secure certificate from Comodo to try out. I followed the above steps (with a few tweaks) and the cert is now installed...but I now get two certificate errors upon loading Outlook 2007! I don't want to go deleting the old certs just yet until I'm sure I know what's going on.

The first one clearly relates to the new certificate I've installed (screengrab attached). Despite everything above, under subject alternative name, all I have is shown in screenshot two. Not sure why autodiscover, server2010 etc. are not present there....

I'm not too worried about the 2nd cert error as I assume it'll disappear once I fix this one and remove the other unneeded certs.

I keep thinking I've cracked it but not quite yet!
Cert1.png
Cert2.png
Cert3.png

Interestingly however, it does look to have fixed the cert issue with RWW. At least that's one positive! :)

you missed the entry : autodiscover.columbus..........

Yeah, but the thing is, This:

"New-ExchangeCertificate -GenerateRequest -Path c:\remot
e_columbustelecom_com.csr -KeySize 2048 -SubjectName "c=GB, s=Glasgow, l=Glasgow
, o=Columbus Telecom, cn=remote.columbustelecom.com" -DomainName server2010.colu
mbus.local, remote.columbustelecom.com, autodiscover.columbustelecom.com, server
2010 -PrivateKeyExportable $True"

Is what I gave to comodo to generate the certificate.... :s

strange.. even the www.remote... is not on the request you made.
Try it again :)

Try this:

http://blogs.msdn.com/dgoldman/archive/2006/11/27/Error-0x80190194-when-using-an-outlook-2007-client-to-download-a-web-distribution-enabled-oab.aspx

It should fix your issue.  We can into this and I had the link bookmarked.  Hope it helps.

Hi all, sorry for the lack of activity on this. Been tied up with a few other projects lately. I think all the info I need is in this thread and I can't thank you both (seb_acker and MegaNuk3) enough for your help. I'm going to consider this resolved and dish out the points. I'm sorry it can't be more than 500 though!

Cheers,

Zak

Superb help from seb_acker and MegaNuk3.

Thanks for the points, glad you got it working in the end

Thanks and have it well for the next steps :)