Solved

RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC Runtime

Posted on 2010-09-01
Last Modified: 2012-05-10
Hi there,

RPC over HTTP works only in 1 circumstance:

when using servername\administrator instead of domainname\administrator.

When using other accounts we get rpc errors using the testexchangeconnectivity and the logonbox in Outlook 2007 keeps popping up.

Somehow the user gets resolved against the local SAM of the Exchange server. The exchange server is a member server. Total servers is 2, both running W2K8 64.

tcp6 disabled, auth method basic, rpc completely reinstalled, using exchange 2010 sp1, read almost every blog about the rpc over http issues.

Does anyone know what I am overlooking here?

Thanks,

Sander

PS also get security eventlog fail audits when trying to use a user mailbox in Outlook to connect via RPC/HTTP. Eventid is 4625: security ID: NULL SID ..etc etc
Question by:sanderfulpen
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33582981
What version of exchange server are you running ?

If it's 2007
you can test your outlook anywhere here
www.testexchangeconnectivity.com/
0
 
LVL 5

Expert Comment

by:jawad1481
ID: 33583747
Hello,

Is this a child and parent domain scenario ?

I think we will have to analyse the IIS logs and find if we are getting any errors.

Regards,
:)
0
 

Author Comment

by:sanderfulpen
ID: 33584450
We are testing with testexchangeconnectivity and this gives the error mentioned in the title.

This is 1 single domain
1 DC W2K8
1 Memberserver W2K8=> Exchange 2010 SP1

testexchangeconnectivity.com gives the following result:

      Attempting to Ping RPC Proxy exchange.webstate.nl
       RPC Proxy was pinged successfully.
       
      Additional Details
       Completed with HTTP status 200 - OK
      Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server vexch02.vexch2010.local
       The attempt to ping the endpoint failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC Runtime
0
 

Author Comment

by:sanderfulpen
ID: 33585050
Exchange version is Exchange 2010 Enterprise by the way!

Many thanks for your help.

We have been looking into this the past 4 days and the amount of sleep we got is zero to none :-)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33585714
I want you to test something

From your exchange server
start > run > inetmgr
Click on server name > on right panel > go to Worker Process
Click on Default App Pool

Check if you are getting any Begin Request for http to https redirect, like the screenshot here
http://blogs.technet.com/blogfiles/sbs/WindowsLiveWriter/SlowConnectivityforOutlookAnywhereandSit_D110/clip_image006_2.jpg

post back a screenshot please.
0
 

Author Comment

by:sanderfulpen
ID: 33585752
ok working on it right now.... Back to you asap!
0
 

Author Comment

by:sanderfulpen
ID: 33585793
Ok when we view the current requests for defaultapplicationpool, we get an empty list.

we've tried refreshing and pushed the button 'show all', but we get no results
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33585834
can you stay on the screen and run test exchange connectivity
RPC tests
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33585842
Check if RPC is under default application pool
right click > advanced settings
0
 

Author Comment

by:sanderfulpen
ID: 33585861
Both checked and confirmed.

0
 

Author Comment

by:sanderfulpen
ID: 33585862
when we use <localservername>\administrator, then the testexchangeconnectivity results successful and we also see RPC in and out traffic pass through the defaultappool screen as you mentioned.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33585958
They were in an execute request handler / or beginRequest state ?
if execute request handler - then RPC is passing successfully.

Do you see this error anymore ?
Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server vexch02.vexch2010.local
       The attempt to ping the endpoint failed.

--
Can you try connecting an outlook 2007/2010 with exchange 2010 and see how that goes.
After configuring start outlook with

outlook /rpcdiag
so that you can get the connections monitor.
0
 

Author Comment

by:sanderfulpen
ID: 33586096
The state is execute request handler (but only for the <servername>\administrator)

When we try this as a domain\user we see nothing in the request screen

--

additional info:
domain name = domainname.local
exchange server = exchange02
dc = exchange01

We've tried to connect from outlook/testexchangeconnectivity with a domain user via the following credentials:

user:     domainname\username

That doesn't work.

We've tried the same with...:

user: exchange02\administrator

that does work.

In the not working situation we get the "Attempting to ping RPC Endpoint 6001.." error and via Outlook we get the logon box and a security audit eventid 4625.

Hope this helps..

0
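Added example, not part of the original thread: a PowerShell function that decodes a Security 4625 event of the kind mentioned above, showing which domain name was supplied with the failed logon and what the Status/SubStatus codes mean. The sample event is constructed; the function name ConvertFrom-Logon4625 and all host, account and IP values are hypothetical.

```powershell
# Added example: decode the fields of a Security 4625 (failed logon) event.
# CONSTRUCTED sample event; host, account and IP values are placeholders.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <Computer>exchange02.domainname.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">username</Data>
    <Data Name="TargetDomainName">domainname</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">8</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@

# NTSTATUS values commonly seen in the Status/SubStatus fields of 4625.
$ntStatus = @{
    '0xc000006d' = 'Logon failure (bad user name or authentication information)'
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'User name is correct but the password is wrong'
    '0xc000005e' = 'No logon servers available to service the request'
    '0xc000015b' = 'User has not been granted the requested logon type on this machine'
    '0xc0000072' = 'Account is disabled'
    '0xc0000234' = 'Account is locked out'
}

$logonTypes = @{
    '2'  = 'Interactive'
    '3'  = 'Network'
    '8'  = 'NetworkCleartext (used by IIS Basic authentication by default)'
    '10' = 'RemoteInteractive'
}

function ConvertFrom-Logon4625 {
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $doc = [xml]$EventXml

    # Flatten <Data Name="...">value</Data> into a name -> value table.
    $fields = @{}
    foreach ($node in $doc.Event.EventData.Data) {
        $fields[$node.GetAttribute('Name')] = $node.InnerText
    }

    # Compare the domain supplied with the logon against the short host name
    # to tell a local SAM account apart from a domain account.
    $hostName = ($doc.Event.System.Computer -split '\.')[0]
    $domain   = $fields['TargetDomainName']
    if ([string]::IsNullOrEmpty($domain) -or $domain -eq '-') {
        $scope = 'no domain supplied with the logon'
    } elseif ($domain -eq $hostName) {
        $scope = "local SAM account on $hostName"
    } else {
        $scope = "domain account ($domain)"
    }

    $status    = "$($fields['Status'])".ToLower()
    $subStatus = "$($fields['SubStatus'])".ToLower()
    $type      = "$($fields['LogonType'])"

    $props = @{
        Account        = $fields['TargetUserName']
        SuppliedDomain = $domain
        Scope          = $scope
        # S-1-0-0 is the NULL SID: no token was built for the failed logon.
        TargetSid      = $fields['TargetUserSid']
        LogonType      = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { "type $type" }
        Status         = if ($ntStatus.ContainsKey($status)) { $ntStatus[$status] } else { "unknown ($status)" }
        SubStatus      = if ($ntStatus.ContainsKey($subStatus)) { $ntStatus[$subStatus] } else { "unknown ($subStatus)" }
        SourceIp       = $fields['IpAddress']
    }
    New-Object PSObject -Property $props |
        Select-Object Account, SuppliedDomain, Scope, TargetSid, LogonType, Status, SubStatus, SourceIp
}

# Run against the constructed sample.
ConvertFrom-Logon4625 -EventXml $sampleXml | Format-List

# Against the live Security log on the server (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-Logon4625 -EventXml $_.ToXml() }
```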
 

Author Comment

by:sanderfulpen
ID: 33586122
It feels like the Exchange server doesn't validate user logon to the domain controller and instead it checks it locally. Might this be the reason why the administrator account does work and a domain user account doesn't? The domain admin and local admin both use same username and passwords.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586173
You feel like we are getting close..
0
 

Author Comment

by:sanderfulpen
ID: 33586199
yes i do ;-)

I also found out some other stuff that could help us out:

I have changed the local sam administrator password, to keep this one separated from the domain admin account.

When I use testexchangeconnectivity with a domain user email address (e.g. sander@cityplanner.nl) combined with the local exchange server admin credentials: exchange01\administrator

Then the results are:

      ExRCA is testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      Attempting to resolve the host name exchange.webstate.nl in DNS.
       Host successfully resolved
       
      Additional Details
       IP(s) returned: 82.148.192.121
      Testing TCP Port 443 on host exchange.webstate.nl to ensure it is listening and open.
       The port was opened successfully.
      ExRCA is testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      The certificate name is being validated.
       Successfully validated the certificate name
       
      Additional Details
       Found hostname exchange.webstate.nl in Certificate Subject Common name
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
       
      Additional Details
       The Certificate chain has be validated up to a trusted root. Root = E=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, S=Western Cape, C=ZA
      The certificate date is being confirmed to ensure the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       Certificate is valid: NotBefore = 6/25/2010 12:00:00 AM, NotAfter = 6/24/2012 11:59:59 PM"
      The IIS configuration is being checked for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates not configured.
      Testing Http Authentication Methods for URL https://exchange.webstate.nl/rpc/rpcproxy.dll
       The HTTP authentication methods are correct.
       
      Additional Details
       Found all expected authentication methods and no disallowed methods. Methods Found: Basic
      SSL mutual authentication with the RPC proxy server is being tested.
       Mutual authentication was verified successfully.
       
      Additional Details
       Certificate common name exchange.webstate.nl matches msstd:exchange.webstate.nl
      Attempting to Ping RPC Proxy exchange.webstate.nl
       RPC Proxy was pinged successfully.
       
      Additional Details
       Completed with HTTP status 200 - OK
      Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server vexch02.vexch2010.local
       Pinged Endpoint successfully
       
      Additional Details
       RPC Status Ok (0) returned in 156 ms.
      ExRCA is testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
       Successfully tested NSPI Interface.
       
      Test Steps
       
      Attempting to ping RPC Endpoint 6004 (NSPI Proxy Interface) on server vexch02.vexch2010.local
       Pinged Endpoint successfully
       
      Additional Details
       RPC Status Ok (0) returned in 951 ms.
      Testing NSPI "Check Name" for user sander@cityplanner.nl against server vexch02.vexch2010.local
       The test passed with some warnings encountered. Please expand the additional details.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       NspiBind returned ecNotSupported. This typically indicates that your server requires RPC encryption. ExRCA will attempt the NSPI test again with encryption.
      Testing NSPI "Check Name" for user sander@cityplanner.nl against server vexch02.vexch2010.local
       Check Name succeeded.
       
      Additional Details
       DisplayName: Sander, LegDN: /o=HostedExchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Sander
      ExRCA is testing the Referral service on the Exchange Mailbox server.
       The Referral service was tested successfully.
       
      Test Steps
       
      Attempting to ping RPC Endpoint 6002 (Referral Interface) on server vexch02.vexch2010.local
       Pinged Endpoint successfully
       
      Additional Details
       RPC Status Ok (0) returned in 978 ms.
      Attempting to perform Referral for user /o=HostedExchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Sander on Server vexch02.vexch2010.local
       Succeeded getting Referral
       
      Additional Details
       Server returned by Referral Service: VEXCH02.vexch2010.local
      ExRCA is testing the Exchange Information Store on the Mailbox server.
       An error occurred while testing the Information Store.
       
      Test Steps
       
      Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server vexch02.vexch2010.local
       Pinged Endpoint successfully
       
      Additional Details
       RPC Status Ok (0) returned in 156 ms.
      Testing Logon to the Exchange Information Store
       An error occurred while logging on to the Information Store.
       
      Additional Details
       Store logon returned ecLoginPerm 1010. You don't have the correct permissions to sign in to the mailbox
0
 

Author Comment

by:sanderfulpen
ID: 33586235
could it be that the local admin of the exchange server is used to establish an RPCoverHTTP connection?

In the previous error log you can see that the final mailbox connection fails, which is obvious because the local admin has no privileges for the users mailbox. Therefore the final rpchttp phase fails.

i guess....
0
 

Author Comment

by:sanderfulpen
ID: 33586397
sunny I also think that in our environment the local administrator of the exchangeserver is the only account which is able to establish a rpc over http connection. All domain accounts aren't somehow allowed to do that, because as soon as we use domain accounts, rpc fails with all kinds of errors.

Any ideas?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586411
could it be that the local admin of the exchange server is used to establish an RPCoverHTTP connection?
>> No.

There are some permission issues. I am checking out the errors and will post back.

out of curiosity - is exchange server installed on a DC ?
0
 

Author Comment

by:sanderfulpen
ID: 33586439
We also found out that the 'active directory domain services' service on the exchange member server is not running.
0
 

Author Comment

by:sanderfulpen
ID: 33586449
exchange is a member server btw.

in our environment there are only 2 servers in 1 domain:

1 DC
1 Exch
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586458
Great point :)
it has to be started and set to automatic.

Can you tell me a list of services which are set to automatic and not started.
Ignore Perf. logs etc.
0
 

Author Comment

by:sanderfulpen
ID: 33586493
active directory domain services service is obviously not running on members ;-)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586501
Can you run this from exchange shell.

Get-OutlookProvider | fl
and post back here.

--
We will have to run this later.

Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:Autodiscover.externaldomain.com
0
 

Author Comment

by:sanderfulpen
ID: 33586521
the only automatic services which are not started (on exchange member server):

active directory domain services
Microsoft .Net Framework NGEN v4.0.30319_x64
Microsoft .Net Framework NGEN v4.0.30319_x86
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586531
Can you run this from exchange shell and let me know the output

Get-MailboxDatabase DBNAME | fl RpcClientAccessserver
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586539
Can you run these 2 please.

Get-OutlookProvider | fl
Get-MailboxDatabase DBNAME | fl RpcClientAccessserver

Also
Do you have a external DNS entry for

autodiscover.domain.com ?
0
 

Author Comment

by:sanderfulpen
ID: 33586551
result of Get-OutlookProvider | fl

RunspaceId           : a9e713e9-8efe-42e5-a146-b15f63a221ea
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXCH
DistinguishedName    : CN=EXCH,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=S
                       ervices,CN=Configuration,DC=vexch2010,DC=local
Identity             : EXCH
Guid                 : fb6fa737-1315-4159-b702-988f5d4fdf70
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True

RunspaceId           : a9e713e9-8efe-42e5-a146-b15f63a221ea
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXPR
DistinguishedName    : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=S
                       ervices,CN=Configuration,DC=vexch2010,DC=local
Identity             : EXPR
Guid                 : 430da112-a72a-4986-b367-d79b1090b424
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True

RunspaceId           : a9e713e9-8efe-42e5-a146-b15f63a221ea
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : WEB
DistinguishedName    : CN=WEB,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=Se
                       rvices,CN=Configuration,DC=vexch2010,DC=local
Identity             : WEB
Guid                 : 27c676fd-40b4-4fa1-aadc-08e71c92f5c8
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True
0
 

Author Comment

by:sanderfulpen
ID: 33586576
result of: Get-MailboxDatabase DBNAME | fl RpcClientAccessserver


RpcClientAccessServer : VEXCH02.vexch2010.local
0
 

Author Comment

by:sanderfulpen
ID: 33586583
No we haven't created a autodiscover.domain.com record.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586611
RpcClientAccessServer : VEXCH02.vexch2010.local
>> this has to be the external autodiscover.

Can you create a dns entry for autodiscover.domain.com > and point it to your public IP of firewall.

I am checking the output from the other command and I will post back.
0
 

Author Comment

by:sanderfulpen
ID: 33586635
working on that
0
 

Author Comment

by:sanderfulpen
ID: 33586695
autodiscover.ourdomain.nl record now points to the public IP of the exchange server.

Should I change the RpcClientAccessServer to autodiscover.ourdomain.nl?

If so, then how?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586760
Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:autodiscover.ourdomain.nl
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586775
RpcClientAccessServer : VEXCH02.vexch2010.local
>> this has to be the external autodiscover.

>> My bad. This has to be the CAS array / For single exchange - to the FQDN of internal exchange server - which is already set.
Let's keep it at that and just change the settings @ set-outlookprovider

and then try RPC /HTTPS from outlook again.
0
 

Author Comment

by:sanderfulpen
ID: 33586802
i have executed that command but the result of rpcclientaccessserver is still vexch02.vexch2010.local.

or am i too impatient?
0
 

Author Comment

by:sanderfulpen
ID: 33586811
ok I read you.

executing the test now
0
 

Author Comment

by:sanderfulpen
ID: 33586855
done. same results: RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC Runtime.

FYI: The server is configured for multi customer situation. So there are 4 domains on the server active. Companies have individual OU's and the GAL is separated via adsiedit and several configuration changes done via http://www.msexchange.org/articles_tutorials/exchange-server-2007/migration-deployment/shared-hosting-exchange-2007-part1.html

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33586910
ahaaa..
Are you planning to use RPC/HTTPS for multiple customers too ?

Are you publishing different OWA's using ISA ?
0
 

Author Comment

by:sanderfulpen
ID: 33586941
no ISA and same OWA.

Yes, customers should be able to connect with Outlook.

Webmail and activesync functions properly.

Does this shine a new light on our case?
0
 

Author Comment

by:sanderfulpen
ID: 33586952
when I said 'domain' I meant that there are multiple smtp domains with MX pointing to our Exchange server.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33587048
yes @ got that.

Let me go through my notes on RPC/HTTPS in multiple tenant scenario.
0
 

Author Comment

by:sanderfulpen
ID: 33587122
ok
0
 

Author Comment

by:sanderfulpen
ID: 33587778
Hello Sunny are you still researching?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33587799
I am tied up with a client issue @ my office... Give me sometime.
Was researching this before i got pulled into this call.

0
 

Author Comment

by:sanderfulpen
ID: 33587823
ok! thanks anyway!
0
 

Author Comment

by:sanderfulpen
ID: 33588633
Sunnyc Is there something I can do in the meantime?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33588698
Sorry for being away for a long time.
Can you give me the registry key from the DC

start > run > regedit
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"NSPI Interface protocol sequences"

I need a screenshot of that.

I am still with the client, I thought i will quickly check here how things are going.

Thank you for your patience :)

thanks
0
 

Author Comment

by:sanderfulpen
ID: 33588745
you're welcome. Thank you for yours ;-)

there is no 'parameters' key under NTDS.

I searched the registry for 'NSPI Interface protocol sequences' and got no results...
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33588799
Can you give me a screenshot.
You have to check this from the DC which has the global catalog role - not Exchange server.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33588809
also can you run this
Download this
http://www.joeware.net/freetools/tools/adfind/index.htm

extract to
c:\adfind
start > run > cmd
cd c:\adfind

adfind -sc c:EXCHANGESERVERNAME > c:\exchange.txt
adfind -sc c:DCNAME > c:\dc1.txt

Can you upload both here.

thanks
0
 

Author Comment

by:sanderfulpen
ID: 33588864
sorry for my confusion, you mean the DC of course. It must be the 4 days almost non stop troubleshooting this issue are taking its toll...

here is the screenshot (in a doc)
0
 

Author Comment

by:sanderfulpen
ID: 33589109
screenshot ntds
ntds-parameters.gif
0
 

Author Comment

by:sanderfulpen
ID: 33589125
adfind exchange
exchange.txt
0
 

Author Comment

by:sanderfulpen
ID: 33589130
adfind dc
dc1.txt
0
 

Author Comment

by:sanderfulpen
ID: 33589455
Previous ones are incorrect.

This is the correct adfind export.
dc1.txt
0
 

Author Comment

by:sanderfulpen
ID: 33589462
Previous ones are incorrect.

This is the correct adfind export.
exchange.txt
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33589633
I will check this and post back. Give me another 15 mins
0
 

Author Comment

by:sanderfulpen
ID: 33589810
ok
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590116
hi.
I also need 2 pieces of information
Can you give me the value of TCP/IP registry key from here
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem

I also need the file
Microsoft.exchange.addressbook.service.exe.config

This is located in c:\program files\microsoft\exchange server\v14\bin
you can right click zip it and upload it here.

Sorry it took such a long time - support calls :(
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590187
Can you save this screenshot as a JPG - maybe a larger one ?
http:#33589109

It's not readable.

thank you for your patience :)
0
 

Author Comment

by:sanderfulpen
ID: 33590287
ok just a minute
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590330
I saw the guide by Rui Silva. that was for Exchange 2007.

Exchange 2010 multi tenant guide is here
http://technet.microsoft.com/en-us/library/ff923274.aspx

And the cmdlet guide is here
http://technet.microsoft.com/en-us/library/ff923252.aspx

Can you run this from exchange shell
get-organization | ft name

does it list all your domains ?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590365
Also
Please post back the output of this

get-outlookprovider | fl

0
 

Author Comment

by:sanderfulpen
ID: 33590406
Microsoft.exchange.addressbook.service.exe.config

renamed it to .txt


zipped it...

still working on uploading it but EE finds the extension in the header of the file....which is blocked.

hang on
0
 

Author Comment

by:sanderfulpen
ID: 33590504
get-organization | ft name


gives an error.

The term 'get-organization' is not recognized as the name of a cmdlet,
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590525
This is Exchange 2010 sp1 correct ?
or 2007

And you are running this from Exchange Management Shell.
0
 

Author Comment

by:sanderfulpen
ID: 33590526
results of get-outlookprovider | fl


RunspaceId           : 17807f88-bb45-440a-b986-88ca7a75b062
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXCH
DistinguishedName    : CN=EXCH,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=S
                       ervices,CN=Configuration,DC=vexch2010,DC=local
Identity             : EXCH
Guid                 : fb6fa737-1315-4159-b702-988f5d4fdf70
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True

RunspaceId           : 17807f88-bb45-440a-b986-88ca7a75b062
CertPrincipalName    : msstd:autodiscover.webstate.nl
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : EXPR
DistinguishedName    : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=S
                       ervices,CN=Configuration,DC=vexch2010,DC=local
Identity             : EXPR
Guid                 : 430da112-a72a-4986-b367-d79b1090b424
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 9/2/2010 3:48:51 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 9/2/2010 1:48:51 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True

RunspaceId           : 17807f88-bb45-440a-b986-88ca7a75b062
CertPrincipalName    :
Server               :
TTL                  : 1
OutlookProviderFlags : None
AdminDisplayName     :
ExchangeVersion      : 0.1 (8.0.535.0)
Name                 : WEB
DistinguishedName    : CN=WEB,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=HostedExchange,CN=Microsoft Exchange,CN=Se
                       rvices,CN=Configuration,DC=vexch2010,DC=local
Identity             : WEB
Guid                 : 27c676fd-40b4-4fa1-aadc-08e71c92f5c8
ObjectCategory       : vexch2010.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass          : {top, msExchAutoDiscoverConfig}
WhenChanged          : 5/27/2010 3:57:22 PM
WhenCreated          : 5/27/2010 3:57:22 PM
WhenChangedUTC       : 5/27/2010 1:57:22 PM
WhenCreatedUTC       : 5/27/2010 1:57:22 PM
OrganizationId       :
OriginatingServer    : vexch01.vexch2010.local
IsValid              : True
0
 

Author Comment

by:sanderfulpen
ID: 33590534
yes exchange 2010 running sp1
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590540
Your cert principal name is configured for

CertPrincipalName    : msstd:autodiscover.webstate.nl

Are you testing autodiscover for that server in your multi-tenant config / or other servers ?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590544
get-organization | ft
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590549
Get-Organization | format-table name
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590550
0
 

Author Comment

by:sanderfulpen
ID: 33590625
better screendump ntds\parameters
screendump.tiff
0
 

Author Comment

by:sanderfulpen
ID: 33590640
get-organization is an unknown command....

therefore I cannot execute any command starting with that...
0
 

Author Comment

by:sanderfulpen
ID: 33590662
i am testing everything on this server yes. autodiscover however doesn't work yet.


this setting is changed to autodiscover.webstate.nl because of the command I executed earlier today. I don't understand what it does though.

CertPrincipalName    : msstd:autodiscover.webstate.nl
0
 

Author Comment

by:sanderfulpen
ID: 33590680
EE doesn't allow me to upload the file .config you requested, so I cut and pasted the information here:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <runtime>
        <gcServer enabled="true" />
        <generatePublisherEvidence enabled="false"/>
    </runtime>
    <appSettings>
        <!-- Enables and disables the logging for the address book service. -->
        <add key="ProtocolLoggingEnabled" value="true" />

        <!-- Specifies the folder in which log files will be generated. -->
        <add key="LogFilePath" value="%ExchangeInstallDir%Logging\AddressBook Service\" />

        <!-- Specifies the max size that a single log file can grow to before a new one is generated. -->
        <add key="PerFileMaxSize" value="10MB" />

        <!-- Specifies the max size that the entire directory of logs can grow to before the oldest log is deleted. -->
        <add key="MaxDirectorySize" value="1GB" />

        <!-- Specifies length of time in hours log files will be retained before being deleted. -->
        <add key="MaxRetentionPeriod" value="720" />

        <!-- Specifies if we need to switch log file each hour. -->
        <add key="ApplyHourPrecision" value="true" />
    </appSettings>
</configuration>
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590687
You mean this one ?
Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:Autodiscover.externaldomain.com

--
When I was issuing these commands I didn't know you had multiple domains hosted on 2010.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590732
Can you run this one

Get-RpcClientAccess -Server vexch01
0
 

Author Comment

by:sanderfulpen
ID: 33590780
ok i understand. sorry to mention it so late in the process.

do we need to change that value back?

Get-RpcClientAccess -Server vexch01 (it gets error that exchange server is not found. vexch02 is the exchange server)

Get-RpcClientAccess -Server vexch02 (results in =>)

Server          Responsibility            MaximumCo Encryptio BlockedClientVersions
                                          nnections nRequired
------          --------------            --------- --------- ---------------------
VEXCH02         Mailboxes, PublicFolders  65536     True
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33590800
Can you email me. My email address on my profile page
0
 

Author Comment

by:sanderfulpen
ID: 33590813
should i run the complete exchange 2010 multi tenant tutorial?
0
 

Author Comment

by:sanderfulpen
ID: 33590828
I just did
0
 

Author Comment

by:sanderfulpen
ID: 33616311
Our Exchange server was installed under local admin credentials while it should have been installed under Domain Admin credentials. We are considering a reinstall. Many kudos to Sunnyc7. He is an extremely helpful specialist and knows more about Exchange than MS Support.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33616335
Sander :) thanks for the good words.
we have tried practically all resolutions advisable but we are not getting anywhere.

Key issue is
Administrator / Exchange Org / Exchange enterprise admins / Authenticated users - don't have permission on c:\windows\system32

i have tried cacls/icacls - and it's not working.
either we go for setup /recover
or setup /prepareAD

both of which are risky on a live production server.

I just woke-up. Will post back when I figure out something.

0
 

Author Comment

by:sanderfulpen
ID: 33616415
Sunny customers are already online in the system and working. What would you suggest?

Take the risk? Or export mailboxes somehow and import on new environment?
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
ID: 33616549
Customers are already online = that's the problem.
We don't have a backup system to keep them online while we fix issues with this.

Export mailbox = one step command and it will export out everything. That takes less than 5 mins.

Can you post another question > installed Exchange 2010 as local admin / with Rui Silva's gal segregation lists and RPC errors.
Let's see if some of the other experts @ EE sign up for the case.
I will also sign-up.
Meanwhile I will login and check how things are going on the server.

I got to a stage where I was getting these errors
http://messagexchange.blogspot.com/2008/12/outlook-anywhere-failing-rpc-end-points.html
0
 

Author Closing Comment

by:sanderfulpen
ID: 33628514
Many thanks to Sunny!
0
 

Expert Comment

by:scottmallet
ID: 35834784
I'm running into this exact same issue.  Unfortunately, the fix is not very clearly spelled out in this article.  I've followed the links as indicated in the "accepted solution", and verified all of the settings recommended.  Could you please let me know what finally fixed this in your environment?
0
