  • Status: Solved
  • Priority: Medium
  • Security: Public

RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC Runtime

Hi there,

RPC over HTTP works only in 1 circumstance:

when using servername\administrator instead of domainname\administrator.

When using other accounts we get rpc errors using the testexchangeconnectivity and the logonbox in Outlook 2007 keeps popping up.

Somehow the user gets resolved against the local SAM of the Exchange server. The exchange server is a member server. Total servers is 2, both running W2K8 64.

tcp6 disabled, auth method basic, rpc completely reinstalled, using exchange 2010 sp1, read almost every blog about the rpc over http issues.

Does anyone know what I am overlooking here?

Thanks,

Sander

PS also get security eventlog fail audits when trying to use a user mailbox in Outlook to connect via RPC/HTTP. Eventid is 4625: security ID: NULL SID ..etc etc
Asked by: sanderfulpen
 
sunnyc7Commented:
What version of exchange server are you running ?

If it's 2007
you can test your outlook anywhere here
www.testexchangeconnectivity.com/
0
 
jawad1481Commented:
Hello,

Is this a child and parent domain scenario ?

I think we will have to analyse the IIS logs and find if we are getting any errors.

Regards,
:)
0
 
sanderfulpenAuthor Commented:
We are testing with testexchangeconnectivity and this gives the error mentioned in the title.

This is 1 single domain
1 DC W2K8
1 Memberserver W2K8=> Exchange 2010 SP1

testexchangeconnectivity.com gives the following result:

      Attempting to Ping RPC Proxy exchange.webstate.nl
       RPC Proxy was pinged successfully.
       
      Additional Details
       Completed with HTTP status 200 - OK
      Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server vexch02.vexch2010.local
       The attempt to ping the endpoint failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC Runtime
0
 
sanderfulpenAuthor Commented:
Exchange version is Exchange 2010 Enterprise by the way!

Many thanks for your help.

We have been looking into this the past 4 days and the amount of sleep we got is zero to none :-)
0
 
sunnyc7Commented:
I want you to test something

From your exchange server
start > run > inetmgr
Click on server name > on right panel > go to Worker Process
Click on Default App Pool

Check if you are getting any Begin Request for http to https redirect, like the screenshot here
http://blogs.technet.com/blogfiles/sbs/WindowsLiveWriter/SlowConnectivityforOutlookAnywhereandSit_D110/clip_image006_2.jpg

post back a screenshot please.
0
 
sanderfulpenAuthor Commented:
ok working on it right now.... Back to you asap!
0
 
sanderfulpenAuthor Commented:
Ok when we view the current requests for defaultapplicationpool, we get an empty list.

we've tried refreshing and pushed the button 'show all', but we get no results
0
 
sunnyc7Commented:
can you stay on the screen and run test exchange connectivity
RPC tests
0
 
sunnyc7Commented:
Check if RPC is under default application pool
right click > advanced settings
0
 
sanderfulpenAuthor Commented:
Both checked and confirmed.

0
 
sanderfulpenAuthor Commented:
when we use <localservername>\administrator, then the testexchangeconnectivity results successful and we also see RPC in and out traffic pass through the defaultappool screen as you mentioned.
0
 
sunnyc7Commented:
They were in a execute request handler / or beginRequest state ?
if execute request handler - then RPC is passing successfully.

Do you see this error anymore ?
Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server vexch02.vexch2010.local
       The attempt to ping the endpoint failed.

--
Can you try connecting an Outlook 2007/2010 with Exchange 2010 and see how that goes.
After configuring start outlook with

outlook /rpcdiag
so that you can get the connections monitor.
0
 
sanderfulpenAuthor Commented:
The state is execute request handler (but only for the <servername>\administrator)

When we try this as a domain\user we see nothing in the request screen

--

additional info:
domain name = domainname.local
exchange server = exchange02
dc = exchange01

We've tried to connect from outlook/testexchangeconnectivity with a domain user via the following credentials:

user:     domainname\username

That doesn't work.

We've tried the same with...:

user: exchange02\administrator

that does work.

In the not working situation we get the "Attempting to ping RPC Endpoint 6001.." error and via Outlook we get the logon box and a security audit eventid 4625.

Hope this helps..

0
 
sanderfulpenAuthor Commented:
It feels like the Exchange server doesn't validate user logon to the domain controller and instead it checks it's local. Might this be the reason why the administrator account does work and a domain user account doesn't? The domain admin and local admin both use same username and passwords.
0
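The suspicion in the post above, that logons are being checked against the Exchange server's local SAM instead of the domain, can be tested against the 4625 failure audits the asker mentions. The following is an added example, not part of the original thread: it reads each event's TargetDomainName and reports whether the failed logon was attempted against the local machine or a domain. The sample event, the host name EXCH-EXAMPLE and the function names are constructed for illustration.

```powershell
# Added example (not from the thread): summarise failed logons (event ID 4625)
# by the account domain that was actually tried.

# Constructed sample of one 4625 event; all values are placeholders.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <Computer>EXCH-EXAMPLE.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">username</Data>
    <Data Name="TargetDomainName">EXCH-EXAMPLE</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">8</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@

# NTSTATUS sub-status values commonly seen in 4625 events.
$subStatusText = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC0000072' = 'account disabled'
    '0xC0000234' = 'account locked out'
}

# Logon types; IIS Basic authentication typically appears as type 8.
$logonTypeText = @{
    '2' = 'Interactive'; '3' = 'Network'
    '8' = 'NetworkCleartext'; '10' = 'RemoteInteractive'
}

function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory = $true)][xml]$EventXml)

    # Flatten <Data Name="x">value</Data> into a lookup table.
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }

    # The Computer field is an FQDN; a local-SAM logon uses the short host name.
    $hostShort = ($EventXml.Event.System.Computer -split '\.')[0]
    $domain    = $fields['TargetDomainName']

    if (-not $domain)               { $scope = 'no domain supplied' }
    elseif ($domain -eq $hostShort) { $scope = 'local SAM of this server' }
    else                            { $scope = 'domain account' }

    $sub = $fields['SubStatus']
    if ($sub -and $subStatusText.ContainsKey($sub)) { $reason = $subStatusText[$sub] }
    else                                            { $reason = "see SubStatus $sub" }

    $type = $fields['LogonType']
    if ($type -and $logonTypeText.ContainsKey($type)) { $typeName = $logonTypeText[$type] }
    else                                              { $typeName = $type }

    New-Object PSObject -Property @{
        Account   = '{0}\{1}' -f $domain, $fields['TargetUserName']
        Scope     = $scope
        LogonType = $typeName
        Reason    = $reason
        Package   = $fields['AuthenticationPackageName']
        Source    = $fields['IpAddress']
    } | Select-Object Account, Scope, LogonType, Reason, Package, Source
}

# Read the most recent failures from the live Security log (run elevated on
# the server that wrote the audits).
function Get-FailedLogonSummary {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-FailedLogonXml -EventXml ([xml]$_.ToXml()) }
}

# Offline demonstration using the constructed sample event.
ConvertFrom-FailedLogonXml -EventXml ([xml]$sampleXml) | Format-List
```

On the affected server, `Get-FailedLogonSummary | Group-Object Scope, Reason` shows at a glance whether failing attempts carried the server's own name or the domain name as the account domain.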
 
sunnyc7Commented:
You feel like we are getting close..
0
 
sanderfulpenAuthor Commented:
yes i do ;-)

I also found out some other stuff that could help us out:

I have changed the local sam administrator password, to keep this one separated from the domain admin account.

When I use testexchangeconnectivity with a domain user email address (e.g. sander@cityplanner.nl) combined with the local exchange server admin credentials: exchange01\administrator

Then the results are:

      ExRCA is testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      Attempting to resolve the host name exchange.webstate.nl in DNS.
       Host successfully resolved
       
      Additional Details
       IP(s) returned: 82.148.192.121
      Testing TCP Port 443 on host exchange.webstate.nl to ensure it is listening and open.
       The port was opened successfully.
      ExRCA is testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      The certificate name is being validated.
       Successfully validated the certificate name
       
      Additional Details
       Found hostname exchange.webstate.nl in Certificate Subject Common name
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
       
      Additional Details
       The Certificate chain has be validated up to a trusted root. Root = E=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, S=Western Cape, C=ZA
      The certificate date is being confirmed to ensure the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       Certificate is valid: NotBefore = 6/25/2010 12:00:00 AM, NotAfter = 6/24/2012 11:59:59 PM"
      The IIS configuration is being checked for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates not configured.
      Testing Http Authentication Methods for URL https://exchange.webstate.nl/rpc/rpcproxy.dll
       The HTTP authentication methods are correct.
       
      Additional Details
       Found all expected authentication methods and no disallowed methods. Methods Found: Basic
      SSL mutual authentication with the RPC proxy server is being tested.
       Mutual authentication was verified successfully.
       
      Additional Details
       Certificate common name exchange.webstate.nl matches msstd:exchange.webstate.nl
      Attempting to Ping RPC Proxy exchange.webstate.nl
       RPC Proxy was pinged successfully.
       
      Additional Details
       Completed with HTTP status 200 - OK
      Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server vexch02.vexch2010.local
       Pinged Endpoint successfully
       
      Additional Details
       RPC Status Ok (0) returned in 156 ms.
      ExRCA is testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
       Successfully tested NSPI Interface.
       
      Test Steps
       
      Attempting to ping RPC Endpoint 6004 (NSPI Proxy Interface) on server vexch02.vexch2010.local
       Pinged Endpoint successfully
       
      Additional Details
       RPC Status Ok (0) returned in 951 ms.
      Testing NSPI "Check Name" for user sander@cityplanner.nl against server vexch02.vexch2010.local
       The test passed with some warnings encountered. Please expand the additional details.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       NspiBind returned ecNotSupported. This typically indicates that your server requires RPC encryption. ExRCA will attempt the NSPI test again with encryption.
      Testing NSPI "Check Name" for user sander@cityplanner.nl against server vexch02.vexch2010.local
       Check Name succeeded.
       
      Additional Details
       DisplayName: Sander, LegDN: /o=HostedExchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Sander
      ExRCA is testing the Referral service on the Exchange Mailbox server.
       The Referral service was tested successfully.
       
      Test Steps
       
      Attempting to ping RPC Endpoint 6002 (Referral Interface) on server vexch02.vexch2010.local
       Pinged Endpoint successfully
       
      Additional Details
       RPC Status Ok (0) returned in 978 ms.
      Attempting to perform Referral for user /o=HostedExchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Sander on Server vexch02.vexch2010.local
       Succeeded getting Referral
       
      Additional Details
       Server returned by Referral Service: VEXCH02.vexch2010.local
      ExRCA is testing the Exchange Information Store on the Mailbox server.
       An error occurred while testing the Information Store.
       
      Test Steps
       
      Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server vexch02.vexch2010.local
       Pinged Endpoint successfully
       
      Additional Details
       RPC Status Ok (0) returned in 156 ms.
      Testing Logon to the Exchange Information Store
       An error occurred while logging on to the Information Store.
       
      Additional Details
       Store logon returned ecLoginPerm 1010. You don't have the correct permissions to sign in to the mailbox
0
 
sanderfulpenAuthor Commented:
could it be that the local admin of the exchange server is used to establish an RPCoverHTTP connection?

In the previous error log you can see that the final mailbox connection fails, which is obvious because the local admin has no privileges for the users mailbox. Therefore the final rpchttp phase fails.

i guess....
0
 
sanderfulpenAuthor Commented:
sunny I also think that in our environment the local administrator of the exchangeserver is the only account which is able to establish a rpc over http connection. All domain accounts aren't somehow allowed to do that, because as soon as we use domain accounts, rpc fails with all kinds of errors.

Any ideas?
0
 
sunnyc7Commented:
could it be that the local admin of the exchange server is used to establish an RPCoverHTTP connection?
>> No.

There are some permission issues. I am checking out the errors and will post back.

out of curiosity - is exchange server installed on a DC ?
0
 
sanderfulpenAuthor Commented:
We also found out that the 'active directory domain services' service on the exchange member server is not running.
0
 
sanderfulpenAuthor Commented:
exchange is a member server btw.

in our environment there are only 2 servers in 1 domain:

1 DC
1 Exch
0
 
sunnyc7Commented:
Great point :)
it has to be started and set to automatic.

Can you tell me a list of services which are set to automatic and not started.
Ignore Perf. logs etc.
0
 
sanderfulpenAuthor Commented:
active directory domain services service is obviously not running on members ;-)
0
 
sunnyc7Commented:
Can you run this from exchange shell.

Get-OutlookProvider | fl
and post back here.

--
We will have to run this later.

Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:Autodiscover.externaldomain.com
0
 
sanderfulpenAuthor Commented:
the only automatic services which are not started (on exchange member server):

active directory domain services
Microsoft .Net Framework NGEN v4.0.30319_x64
Microsoft .Net Framework NGEN v4.0.30319_x86
0
 
sunnyc7Commented:
Can you run this from exchange shell and let me know the output

Get-MailboxDatabase DBNAME | fl RpcClientAccessserver
0
 
sunnyc7Commented:
Can you run these 2 please.

Get-OutlookProvider | fl
Get-MailboxDatabase DBNAME | fl RpcClientAccessserver

Also
Do you have a external DNS entry for

autodiscover.domain.com ?
0
 
sanderfulpenAuthor Commented:
result of Get-OutlookProvider | fl

RunspaceId           : a9e713e9-8efe-42e5-a146-b15f63a221ea
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXCH
DistinguishedName    : CN=EXCH,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=S
                       ervices,CN=Configuration,DC=vexch2010,DC=local
Identity             : EXCH
Guid                 : fb6fa737-1315-4159-b702-988f5d4fdf70
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True

RunspaceId           : a9e713e9-8efe-42e5-a146-b15f63a221ea
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXPR
DistinguishedName    : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=S
                       ervices,CN=Configuration,DC=vexch2010,DC=local
Identity             : EXPR
Guid                 : 430da112-a72a-4986-b367-d79b1090b424
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True

RunspaceId           : a9e713e9-8efe-42e5-a146-b15f63a221ea
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : WEB
DistinguishedName    : CN=WEB,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=Se
                       rvices,CN=Configuration,DC=vexch2010,DC=local
Identity             : WEB
Guid                 : 27c676fd-40b4-4fa1-aadc-08e71c92f5c8
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True
0
 
sanderfulpenAuthor Commented:
result of: Get-MailboxDatabase DBNAME | fl RpcClientAccessserver


RpcClientAccessServer : VEXCH02.vexch2010.local
0
 
sanderfulpenAuthor Commented:
No we haven't created a autodiscover.domain.com record.
0
 
sunnyc7Commented:
RpcClientAccessServer : VEXCH02.vexch2010.local
>> this has to be the external autodiscover.

Can you create a dns entry for autodiscover.domain.com > and point it to your public IP of firewall.

I am checking the output from the other command and I will post back.
0
 
sanderfulpenAuthor Commented:
working on that
0
 
sanderfulpenAuthor Commented:
autodiscover.ourdomain.nl record now points to the public IP of the exchange server.

Should I change the RpcClientAccessServer to autodiscover.ourdomain.nl?

If so, then how?
0
 
sunnyc7Commented:
Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:autodiscover.ourdomain.nl
0
 
sunnyc7Commented:
RpcClientAccessServer : VEXCH02.vexch2010.local
>> this has to be the external autodiscover.

>> My bad. This has to be the CAS array / For single exchange - to the FQDN of internal exchange server - which is already set.
Lets keep it at that and just change the settings @ set-outlookprovider

and then try RPC /HTTPS from outlook again.
0
 
sanderfulpenAuthor Commented:
i have executed that command but the result of rpcclientaccessserver is still vexch02.vexch2010.local.

or am i too impatient?
0
 
sanderfulpenAuthor Commented:
ok I read you.

executing the test now
0
 
sanderfulpenAuthor Commented:
done. same results: RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC Runtime.

FYI: The server is configured for multi customer situation. So there are 4 domains on the server active. Companies have individual OU's and the GAL is separated via adsiedit and several configuration changes done via http://www.msexchange.org/articles_tutorials/exchange-server-2007/migration-deployment/shared-hosting-exchange-2007-part1.html

0
 
sunnyc7Commented:
ahaaa..
Are you planning to use RPC/HTTPS for multiple customers too ?

Are you publishing different OWA's using ISA ?
0
 
sanderfulpenAuthor Commented:
no ISA and same OWA.

Yes, customers should be able to connect with Outlook.

Webmail and activesync functions properly.

Does this shine a new light on our case?
0
 
sanderfulpenAuthor Commented:
when I said 'domain' I meant that there are multiple smtp domains with MX pointing to our Exchange server.
0
 
sunnyc7Commented:
yes @ got that.

Let me go through my notes on RPC/HTTPS in multiple tenant scenario.
0
 
sanderfulpenAuthor Commented:
ok
0
 
sanderfulpenAuthor Commented:
Hello Sunny are you still researching?
0
 
sunnyc7Commented:
I am tied up with a client issue @ my office... Give me sometime.
Was researching this before i got pulled into this call.

0
 
sanderfulpenAuthor Commented:
ok! thanks anyway!
0
 
sanderfulpenAuthor Commented:
Sunnyc Is there something I can do in the meantime?
0
 
sunnyc7Commented:
Sorry for being away for a long time.
Can you give me the registry key from the DC

start > run > regedit
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"NSPI Interface protocol sequences"

I need a screenshot of that.

I am still with the client, I thought i will quickly check here how things are going.

Thank you for your patience :)

thanks
0
 
sanderfulpenAuthor Commented:
you're welcome. Thank you for yours ;-)

there is no 'parameters' key under NTDS.

I searched the registry for 'NSPI Interface protocol sequences' and got no results...
0
 
sunnyc7Commented:
Can you give me a screenshot.
You have to check this from the DC which has the global catalog role - not Exchange server.
0
 
sunnyc7Commented:
also can you run this
Download this
http://www.joeware.net/freetools/tools/adfind/index.htm

extract to
c:\adfind
start > run > cmd
cd c:\adfind

adfind -sc c:EXCHANGESERVERNAME > c:\exchange.txt
adfind -sc c:DCNAME > c:\dc1.txt

Can you upload both here.

thanks
0
 
sanderfulpenAuthor Commented:
sorry for my confusion, you mean the DC of course. It must be that the 4 days of almost non stop troubleshooting this issue are taking their toll...

here is the screenshot (in a doc)
0
 
sanderfulpenAuthor Commented:
screenshot ntds
ntds-parameters.gif
0
 
sanderfulpenAuthor Commented:
adfind exchange
exchange.txt
0
 
sanderfulpenAuthor Commented:
adfind dc
dc1.txt
0
 
sanderfulpenAuthor Commented:
Previous ones are incorrect.

This is the correct adfind export.
dc1.txt
0
 
sanderfulpenAuthor Commented:
Previous ones are incorrect.

This is the correct adfind export.
exchange.txt
0
 
sunnyc7Commented:
I will check this and post back. Give me another 15 mins
0
 
sanderfulpenAuthor Commented:
ok
0
 
sunnyc7Commented:
hi.
I also need 2 pieces of information
Can you give me the value of TCP/IP registry key from here
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem

I also need the file
Microsoft.exchange.addressbook.service.exe.config

This is located in c:\program files\microsoft\exchange server\v14\bin
you can right click zip it and upload it here.

Sorry it took such a long time - support calls :(
0
 
sunnyc7Commented:
Can you save this screenshot as a JPG - maybe a larger one ?
http:#33589109

It's not readable.

thank you for your patience :)
0
 
sanderfulpenAuthor Commented:
ok just a minute
0
 
sunnyc7Commented:
I saw the guide by Rui Silva. that was for Exchange 2007.

Exchange 2010 multi tenant guide is here
http://technet.microsoft.com/en-us/library/ff923274.aspx

And the cmdlet guide is here
http://technet.microsoft.com/en-us/library/ff923252.aspx

Can you run this from exchange shell
get-organization | ft name

does it list all your domains ?
0
 
sunnyc7Commented:
Also
Please post back the output of this

get-outlookprovider | fl

0
 
sanderfulpenAuthor Commented:
Microsoft.exchange.addressbook.service.exe.config

renamed it to .txt


zipped it...

still working on uploading it but EE finds the extension in the header of the file....which is blocked.

hang on
0
 
sanderfulpenAuthor Commented:
get-organization | ft name


gives an error.

The term 'get-organization' is not recognized as the name of a cmdlet,
0
 
sunnyc7Commented:
This is Exchange 2010 sp1 correct ?
or 2007

And you are running this from Exchange Management Shell.
0
 
sanderfulpenAuthor Commented:
results of get-outlookprovider | fl


RunspaceId           : 17807f88-bb45-440a-b986-88ca7a75b062
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXCH
DistinguishedName    : CN=EXCH,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=S
                       ervices,CN=Configuration,DC=vexch2010,DC=local
Identity             : EXCH
Guid                 : fb6fa737-1315-4159-b702-988f5d4fdf70
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True

RunspaceId           : 17807f88-bb45-440a-b986-88ca7a75b062
CertPrincipalName    : msstd:autodiscover.webstate.nl
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXPR
DistinguishedName    : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=S
                       ervices,CN=Configuration,DC=vexch2010,DC=local
Identity             : EXPR
Guid                 : 430da112-a72a-4986-b367-d79b1090b424
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 9/2/2010 3:48:51 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 9/2/2010 1:48:51 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True

RunspaceId           : 17807f88-bb45-440a-b986-88ca7a75b062
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : WEB
DistinguishedName    : CN=WEB,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=Se
                       rvices,CN=Configuration,DC=vexch2010,DC=local
Identity             : WEB
Guid                 : 27c676fd-40b4-4fa1-aadc-08e71c92f5c8
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True
0
 
sanderfulpenAuthor Commented:
yes Exchange 2010 running sp1
0
 
sunnyc7Commented:
Your cert principal name is configured for

CertPrincipalName    : msstd:autodiscover.webstate.nl

Are you testing autodiscover for that server in your multi-tenant config / or other servers ?
0
 
sunnyc7Commented:
get-organization | ft
0
 
sunnyc7Commented:
Get-Organization | format-table name
0
 
sanderfulpenAuthor Commented:
better screendump ntds\parameters
screendump.tiff
0
 
sanderfulpenAuthor Commented:
get-organization is an unknown command....

therefore I cannot execute any command starting with that...
0
 
sanderfulpenAuthor Commented:
i am testing everything on this server yes. autodiscover however doesn't work yet.


this setting is changed to autodiscover.webstate.nl because of the command I executed earlier today. I don't understand what it does though.

CertPrincipalName    : msstd:autodiscover.webstate.nl
0
 
sanderfulpenAuthor Commented:
EE doesn't allow me to upload the file .config you requested, so I cut and pasted the information here:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <runtime>
        <gcServer enabled="true" />
        <generatePublisherEvidence enabled="false"/>
    </runtime>
    <appSettings>
        <!-- Enables and disables the logging for the address book service. -->
        <add key="ProtocolLoggingEnabled" value="true" />

        <!-- Specifies the folder in which log files will be generated. -->
        <add key="LogFilePath" value="%ExchangeInstallDir%Logging\AddressBook Service\" />

        <!-- Specifies the max size that a single log file can grow to before a new one is generated. -->
        <add key="PerFileMaxSize" value="10MB" />

        <!-- Specifies the max size that the entire directory of logs can grow to before the oldest log is deleted. -->
        <add key="MaxDirectorySize" value="1GB" />

        <!-- Specifies length of time in hours log files will be retained before being deleted. -->
        <add key="MaxRetentionPeriod" value="720" />

        <!-- Specifies if we need to switch log file each hour. -->
        <add key="ApplyHourPrecision" value="true" />
    </appSettings>
</configuration>
0
 
sunnyc7Commented:
You mean this one ?
Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:Autodiscover.externaldomain.com

--
When I was issuing these commands I didnt know you had a multiple domains hosted on 2010.
0
 
sunnyc7Commented:
Can you run this one

Get-RpcClientAccess -Server vexch01
0
 
sanderfulpenAuthor Commented:
ok i understand. sorry to mention it so late in the process.

do we need to change that value back?

Get-RpcClientAccess -Server vexch01 (it gets error that exchange server is not found. vexch02 is the exchange server)

Get-RpcClientAccess -Server vexch02 (results in =>)

Server          Responsibility            MaximumCo Encryptio BlockedClientVersions
                                          nnections nRequired
------          --------------            --------- --------- ---------------------
VEXCH02         Mailboxes, PublicFolders  65536     True
0
 
sunnyc7Commented:
Can you email me. My email address on my profile page
0
 
sanderfulpenAuthor Commented:
should i run the complete exchange 2010 multi tenant tutorial?
0
 
sanderfulpenAuthor Commented:
I just did
0
 
sanderfulpenAuthor Commented:
Our Exchange server was installed under local admin credentials while it should have been installed under Domain Admin credentials. We are considering a re install. Many kudos to Sunnyc7. He is an extremely helpful specialist and knows more about Exchange than MS Support.
0
 
sunnyc7Commented:
Sander :) thanks for the good words.
we have tried practically all resolutions advisable but we are not getting anywhere.

Key issue is
Administrator / Exchange Org / Exchange enterprise admins / Authenticated users - dont have permission on c:\windows\system32

i have tried cacls/icacls - and its not working.
either we go for setup /recover
or setup /prepareAD

both of which are risky on a live production server.

I just woke-up. Will post back when I figure out something.

0
 
sanderfulpenAuthor Commented:
Sunny customers are already online in the system and working. What would you suggest?

Take the risk? Or export mailboxes somehow and import on new environment?
0
 
sunnyc7Commented:
Customers are already online = that's the problem.
We dont have a backup system to keep them online while we fix issues with this.

Export mailbox = one step command and it will export out everything. That takes less than 5 mins.

Can you post another question > installed Exchange 2010 as local admin / with Rui Silva's gal segregation lists and RPC errors.
Lets see if some of the other experts @ EE sign up for the case.
I will also sign-up.
Meanwhile I will login and check how things are going on the server.

I got to a stage where i was getting these errors
http://messagexchange.blogspot.com/2008/12/outlook-anywhere-failing-rpc-end-points.html
0
 
sanderfulpenAuthor Commented:
Many thanks to Sunny!
0
 
scottmalletCommented:
I'm running into this exact same issue.  Unfortunately, the fix is not very clearly spelled out in this article.  I've followed the links as indicated in the "accepted solution", and verified all of the settings recommended.  Could you please let me know what finally fixed this in your environment?
0
