Solved

Exchange 2010 AutoDiscover pointing to Client Access Server instead of F5 load balancer for some clients.

Posted on 2010-09-07
Last Modified: 2012-08-14
We use an F5 load balancing device in our Exchange environment. It is assigned the DNS name "Outlook". The F5 load balances between two CAS Exchange servers, "ServerA" and "ServerB". We also use the Exchange AutoDiscover service and have it direct the clients to the F5 device "Outlook" for load balancing.

For most clients AutoDiscover works great and points the users to the F5 device "Outlook". On some clients the autodiscover points the client directly to the CAS "ServerA" instead of "Outlook".

The same user can log onto a different workstation and the autodiscover will correctly point to "Outlook". All clients use Outlook 2007 or Outlook 2010.

We need ideas on what is causing some clients to get "autodiscovered" directly to the Exchange Server instead of the F5.
Question by:JasonLattin
15 Comments
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33620750
get-clientAccessServer | fl
get-autodiscovervirtualdirectory | fl

Please output both.

Assumption:
a) Hardware Load Balancer (HLB)
DNS entry created for email.domain.local > pointing to HLB

b) UCC/SAN cert with the CAS server name in the certificate
email.domain.local (HLB)
cas1.domain.local
cas2.domain.local
email.domain.com (external)
autodiscover.domain.com (external)

to do:
Configure autodiscover SCP's and internal URL to pick it up from email.domain.local ?

Please confirm

thanks
0
 

Author Comment

by:JasonLattin
ID: 33620813
RunspaceId                           : 8653071c-2c1f-41a5-b565-0dd4945fd70a
Name                                 : ServerB
Fqdn                                 : ServerB.mycompany.com
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : ServerB
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://ServerB.mycompany.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {DFW}
AlternateServiceAccountConfiguration :
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=ServerB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=
                                       Administrative Groups,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configur
                                       ation,DC=mycompany,DC=com
Identity                             : ServerB
Guid                                 : 86065845-3432-4607-8384-d3ad06b5d793
ObjectCategory                       : mycompany.com/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 8/24/2010 11:28:10 AM
WhenCreated                          : 4/24/2010 7:03:25 PM
WhenChangedUTC                       : 8/24/2010 3:28:10 PM
WhenCreatedUTC                       : 4/24/2010 11:03:25 PM
OrganizationId                       :
OriginatingServer                    : CLL-ENTDC03VW.mycompany.com

RunspaceId                           : 8653071c-2c1f-41a5-b565-0dd4945fd70a
Name                                 : ServerA
Fqdn                                 : ServerA.mycompany.com
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : ServerA
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://ServerA.mycompany.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {DFW}
AlternateServiceAccountConfiguration :
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=ServerA,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=
                                       Administrative Groups,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configur
                                       ation,DC=mycompany,DC=com
Identity                             : ServerA
Guid                                 : 8985a78c-4752-4c94-83b0-f9d4c7f38ef9
ObjectCategory                       : mycompany.com/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 6/7/2010 10:23:16 AM
WhenCreated                          : 4/25/2010 3:06:47 PM
WhenChangedUTC                       : 6/7/2010 2:23:16 PM
WhenCreatedUTC                       : 4/25/2010 7:06:47 PM
OrganizationId                       :
OriginatingServer                    : CLL-ENTDC03VW.mycompany.com
0
 

Author Comment

by:JasonLattin
ID: 33620850
get-autodiscovervirtualdirectory | fl
----------------------------------------------------

RunspaceId                    : 8653071c-2c1f-41a5-b565-0dd4945fd70a
Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication    : False
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://ServerB.mycompany.com/W3SVC/1/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
Server                        : ServerB
InternalUrl                   : https://ServerB/autodiscover/autodiscover.xml
ExternalUrl                   : https://webmail.mycompany.com/autodiscover/autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.10 (14.0.100.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=ServerB,CN=Servers,CN=Ex
                                change Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=mycompany,CN=
                                Microsoft Exchange,CN=Services,CN=Configuration,DC=mycompany,DC=com
Identity                      : ServerB\Autodiscover (Default Web Site)
Guid                          : 6ce2b027-47a4-4011-9d6a-f5dfa0f61482
ObjectCategory                : mycompany.com/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 6/30/2010 6:20:33 PM
WhenCreated                   : 4/24/2010 7:08:04 PM
WhenChangedUTC                : 6/30/2010 10:20:33 PM
WhenCreatedUTC                : 4/24/2010 11:08:04 PM
OrganizationId                :
OriginatingServer             : CLL-ENTDC03VW.mycompany.com
IsValid                       : True

RunspaceId                    : 8653071c-2c1f-41a5-b565-0dd4945fd70a
Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication    : False
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://ServerA.mycompany.com/W3SVC/1/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
Server                        : ServerA
InternalUrl                   : https://ServerA/autodiscover/autodiscover.xml
ExternalUrl                   : https://webmail.mycompany.com/autodiscover/autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.10 (14.0.100.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=ServerA,CN=Servers,CN=Ex
                                change Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=mycompany,CN=
                                Microsoft Exchange,CN=Services,CN=Configuration,DC=mycompany,DC=com
Identity                      : ServerA\Autodiscover (Default Web Site)
Guid                          : 5dddbc1f-c61a-4b5f-aee2-ec385923750e
ObjectCategory                : mycompany.com/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 6/30/2010 6:16:23 PM
WhenCreated                   : 4/25/2010 3:11:13 PM
WhenChangedUTC                : 6/30/2010 10:16:23 PM
WhenCreatedUTC                : 4/25/2010 7:11:13 PM
OrganizationId                :
OriginatingServer             : CLL-ENTDC03VW.mycompany.com
IsValid                       : True
0
 

Author Comment

by:JasonLattin
ID: 33620860
SunnyC7,
0
 

Author Comment

by:JasonLattin
ID: 33620863
SunnyC7,
0
 

Author Comment

by:JasonLattin
ID: 33620875
sunnyC7.. the DNS entries you mentioned are made and I believe that the certificate is set up correctly, but can verify that if you can give me steps on how to do it. I didn't set up that part of the install. Since the autodiscover does work for a large number of clients I'm thinking that the certs are good to go.
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
ID: 33620876
a) Assuming the DNS entry for HLB is -

*email.domain.local*

you need to run this on both - SERVER A and SERVER B
--

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://email.domain.local/Autodiscover/Autodiscover.xml"

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://email.domain.local/Autodiscover/Autodiscover.xml"

--
Assuming you took care of the certificate part above, that should work.

You can restart both CAS servers after making these changes.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33620899
If you have UCC/SAN certs installed

get-exchangecertificate | fl

check the cert where IsSelfSigned is > NOT TRUE
that's your UCC/SAN
Check the domains listed in there and compare it with my first post.

The above Get/Set should work.

Post back questions.

thanks
0
 

Author Comment

by:JasonLattin
ID: 33620981
Sunnyc7,

I appreciate your quick response.
Did you see something specific in our logs that leads you to believe that this hasn't already been done? I believe those steps have been done. I am open to the idea if you saw something specific that wasn't correct but if you are just recommending those steps "in case" they haven't been done then I'm hesitant to take down the environment without specific cause. We have small offices overseas and there is no maintenance window that won't bring small numbers of users down so I want to be sure.

What did you see that tells you the commands haven't already been done?
0
 

Author Comment

by:JasonLattin
ID: 33620995
Sunnyc7,
Also, as an addition to my earlier email, if those steps weren't done then why would it work correctly with the same user on a different workstation? I'm sure you can understand my hesitance to reboot our servers without a very specific remedy.

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33621028
Good question and the answer is yes

Present Config:
AutoDiscoverServiceInternalUri       : https://ServerA.mycompany.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceInternalUri       : https://ServerB.mycompany.com/Autodiscover/Autodiscover.xml

InternalUrl                   : https://ServerB/autodiscover/autodiscover.xml
InternalUrl                   : https://ServerA/autodiscover/autodiscover.xml

--
What this means is your autodiscoverinternalURIs were never configured. They point to the servers themselves - which *may* have worked if the servers were standalone and not part of the CAS.

if you have CAS1 / CAS2 - they have to have their SCP's configured with the load balancer not themselves.

See the 4-part guide here
http://www.msexchange.org/articles_tutorials/exchange-server-2010/high-availability-recovery/load-balancing-exchange-2010-client-access-servers-using-hardware-load-balancer-solution-part1.html
0
 

Author Comment

by:JasonLattin
ID: 33621034
AccessRules        :
CertificateDomains : {bade9413-f056-df11-8970-00155d013c86}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=hostingco OneStop CA, O=hostingco Corporation, DC=seanoc, DC=hostingco, DC=net, C=us
NotAfter           : 5/3/2015 4:11:47 PM
NotBefore          : 5/3/2010 4:01:47 PM
PublicKeySize      : 1024
RootCAType         : Registry
SerialNumber       : 71852661000000000175
Services           : None
Status             : Valid
Subject            : CN=bade9413-f056-df11-8970-00155d013c86
Thumbprint         : 095A27538C54DFF30641A9E8FA0340E9ACA86A57

AccessRules        :
CertificateDomains : {webmail.mycompany.com, ServerB.mycompany.com, ServerA.mycompany.com, autodiscover.vertafo
                     re.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
NotAfter           : 5/6/2013 7:59:59 PM
NotBefore          : 5/2/2010 8:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04C22726DE894E3F9065FCD6802EF225
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=webmail.mycompany.com, OU=Enterprise IT, O="mycompany, Inc.", L=Bothell, S=Washington, C=US
Thumbprint         : 558994806228DD25428424D3251B991507ED0694

AccessRules        :
CertificateDomains : {ServerB, ServerB.mycompany.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ServerB
NotAfter           : 4/24/2015 7:04:46 PM
NotBefore          : 4/24/2010 7:04:46 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 204E14C23D451D95441CAED507370FDB
Services           : SMTP
Status             : Valid
Subject            : CN=ServerB
Thumbprint         : 700CD824AE69491227807266B90E617E1DADCB6E
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33621063
AccessRules        :
CertificateDomains : {webmail.mycompany.com, ServerB.mycompany.com, ServerA.mycompany.com, autodiscover.vertafo
                     re.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
NotAfter           : 5/6/2013 7:59:59 PM
NotBefore          : 5/2/2010 8:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04C22726DE894E3F9065FCD6802EF225
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=webmail.mycompany.com, OU=Enterprise IT, O="mycompany, Inc.", L=Bothell, S=Washington, C=US
Thumbprint         : 558994806228DD25428424D3251B991507ED0694

>> Both CAS servers are listed - which is correct, but NLB DNS entry is not listed.
You can make those changes suggested above on both servers and give it a shot.

you can try connecting outlook without reboot and see if it works.
http:#33620876

Also read the guide in my prior post.

thanks

0
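An audit of the two URL settings and the certificate check discussed in the comments above, as an added example that is not part of the original thread: it flags every internal Autodiscover URL whose host is not the load balancer, then checks that the IIS-bound certificate on each CAS covers that name. `$LbHost` and the helper `Test-SanCoversHost` are assumptions for illustration; the properties read are the ones shown in the thread's output.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# ASSUMPTION: $LbHost is the FQDN that resolves to the load balancer.
$LbHost = 'outlook.mycompany.com'

# Hypothetical helper: true when $Name matches a SAN entry exactly or via a
# single-label wildcard such as *.mycompany.com.
function Test-SanCoversHost([string[]]$San, [string]$Name) {
    foreach ($entry in $San) {
        if ($entry -eq $Name) { return $true }
        if ($entry.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.')) -eq $entry.Substring(1)) { return $true }
    }
    return $false
}

# 1. Every internal Autodiscover URL a domain-joined Outlook client can be handed:
#    the SCP value on each CAS and the virtual directory InternalUrl.
$found = @(
    Get-ClientAccessServer | ForEach-Object {
        New-Object PSObject -Property @{
            Server  = $_.Name
            Setting = 'AutoDiscoverServiceInternalUri'
            Url     = [string]$_.AutoDiscoverServiceInternalUri }
    }
    Get-AutodiscoverVirtualDirectory | ForEach-Object {
        New-Object PSObject -Property @{
            Server  = $_.Server
            Setting = 'InternalUrl'
            Url     = [string]$_.InternalUrl }
    }
)
foreach ($f in $found) {
    $urlHost = if ($f.Url) { ([Uri]$f.Url).Host } else { '' }
    $status  = if ($urlHost -eq $LbHost) { 'OK' } else { 'BYPASSES-LB' }
    '{0,-12} {1,-32} {2,-12} {3}' -f $f.Server, $f.Setting, $status, $f.Url
}

# 2. The certificate bound to IIS on each CAS must list the load-balancer name,
#    otherwise pointing clients at it produces name-mismatch warnings in Outlook.
foreach ($cas in (Get-ClientAccessServer)) {
    Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object {
            $san = @($_.CertificateDomains | ForEach-Object { [string]$_ })
            $ok  = Test-SanCoversHost $san $LbHost
            '{0,-12} {1} covers {2}: {3}' -f $cas.Name, $_.Thumbprint, $LbHost, $ok
        }
}
```

The script only reads configuration; it changes nothing and needs no restart.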
 

Author Comment

by:JasonLattin
ID: 33645576
We have discovered what is going on with this and the resolution was very different than we had originally anticipated. I'm awarding points to Sunnyc7 since his advice was solid and very well thought out technically even though our fix wasn't directly listed.

The "Fix" :
A number of months ago we upgraded from Exchange 2003 to Exchange 2010. During this period we were living in two email worlds, with some users on the 2003 boxes and some on the 2010 boxes. During this transition autodiscover was automatically switching some users' Outlook clients to the new servers even though we hadn't moved the actual user account over, so one of my peers disabled autodiscover during the transition. During that time while autodiscover was disabled any Outlook profile that was set up had to be done "manually". It was these users who, even though we had re-enabled autodiscovery, were still stuck pointing to an individual email server. Enabling auto-discovery did not overwrite the manual profile. The "fix" we found was simply to go into their "account settings" in Outlook and highlight the Exchange Server setting and choose "repair". This fixed the bad mojo that had us messed up prior to that.

Thanks sunnyc7 and I appreciate your thorough responses.

Jason
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33645607
damnn...
It would have been really hard to catch that @ manual settings. :)

Glad to be of help Jason
0
