Solved

AD Account settings and Exchange 2007

Posted on 2010-11-17
11
534 Views
Last Modified: 2012-05-10
This is going to be a long one so best grab yourself a tea or coffee before reading!

Background -

We have a single domain with 2 DCs - 2K3 AD, running Exchange 2K3 but in the process of migrating to Exchange 2K7 - Simple Exchange 2K7 install, nothing complicated. - Clients - XP SP3, couple of Windows 7 machines in testing for upgrading all XP machines.

The problem -

We have moved most (90%) of our users across and everything appears to be fine, they log on, launch Outlook which automatically reconfigured them to the new server and everything is happy.

Then we had a user log into a Windows 7 machine and setup their profile - unable to find the settings using Autodiscover - The usual error

Autodiscover to https://mailserver.domain/Autodiscover/Autodiscover.xml Failed (0x80072f78) - Now doing major amounts of research always points to the 2 same things as the cause - Certificates and permissions on IIS - However this is not the case.

Upon further testing I have found the following - Any new account that is created on the domain can quite happily login to XP or Win7 and autodiscover works a treat.
Accounts that have been created by myself in the past 2 years all work on both XP and Win7. (Prior to this date I wasn't the Network Admin)

So far every old account (Over 2 years old) fails on the Win 7 machines, but works Win XP.  I've used ADSIEdit and LDAP Browser to compare settings of working and non working accounts - Everything (Apart from GUID etc) are correct (Exchange details, legacy details, etc) in both working/non working accounts.

If I take a non working account, delete it, recreate it and reattach the mailbox then it happily works on both - This is a workaround, but not a solution, I'd rather not have to do this with all our users!

I've done a lot of research on this and found 1 other posting on the web where the same thing happened, they found a setting in the users AD account that they updated and it fixed the error (LegacyDN) but this fix doesn't work for us.

I'm 100% sure it's a setting somewhere in the users AD account that basically stops them from connecting to Autodiscover, but I'm at a loss as what.
0
Comment
Question by:GIFFER
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
11 Comments
 
LVL 26

Expert Comment

by:Tony Johncock
ID: 34154003
I've seen something similar happen for activesync.

If you open up AD Users & Computers, and look at the properties of one of the affected accounts' security tab (may need to turn on advanced view if it isn't there). Click Advanced and ensure that the inherit permissions button it checked.

May not be relevant to your case, but definately worth a quick look.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34154019
See if it helps for windows 7.

http://support.microsoft.com/kb/940881/en-us

Can you rename the profile & ask the user to relogin & let new profile be created.

There is profile version difference between XP & win &
XP has V1 & win & V2, lets just try.
0
 

Author Comment

by:GIFFER
ID: 34154021
That was one of the first places I checked - Permissions are being inherited and a manual comparison for a working/non working user show the same results.
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 

Author Comment

by:GIFFER
ID: 34154037
@Awinish - We have the correct record for this (Already tried and tested).

I've ruled out profiles as the old user (having never logged into a Windows 7 machine before) doesn't have a V2 profile until they first login, but the issue is there.
0
 

Author Comment

by:GIFFER
ID: 34155737
More Testing and now more information -

I can kind of get things working, but in the process I end up losing another function.

In IE, if I tick the 'Automatically detect' settings option and remove the Proxy settings then Autodiscovery works - but the internet no longer works - reverse the setting and the Internet works but Autodiscover fails.

This only appears to the case on the Windows 7 machines - In XP, it doesn't make a difference if you have anything ticked or not, it works.
0
 
LVL 26

Expert Comment

by:Tony Johncock
ID: 34155795
Do you actually have a proxy server?
0
 

Author Comment

by:GIFFER
ID: 34155846
We have a Bloxx webfilter which doubles as a proxy box.
0
 
LVL 26

Assisted Solution

by:Tony Johncock
Tony Johncock earned 250 total points
ID: 34155932
Have you tried adding your autodiscover address as an exception in IE?
0
 
LVL 24

Accepted Solution

by:
Awinish earned 250 total points
ID: 34156269
I think intranet client trying to go to internet for getting autodiscoverer host record to query exchange server for mailbox, as these records are in internal dns only.

Exclude the internal domain name from proxy using *.domain.com & also create a host record in dns for intranet client to point o exchange server.
0
 

Author Closing Comment

by:GIFFER
ID: 34156602
All solved, thanks for your help guys.

I had to remove the 'Automatically detect' and add the *.domain.com (internal) as an exception - The full url for the autodiscover couldn't be accepted but the domain was.
0
 
LVL 26

Expert Comment

by:Tony Johncock
ID: 34156626
You might want to look at dropping those settings down by group policy.

Thanks for the points and good luck.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Here's a look at newsworthy articles and community happenings during the last month.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question