Exchange 2010 SP1 Outlook Anywhere not working for Directory connections

Posted on 2013-01-02
Last Modified: 2013-01-03
We have 2 Exchange servers with a DAG in our environment they are both CAS servers.  After a successful demotion and promotion of these servers to virtualize them we are now having issues with Outlook Anywhere.

Outlook Anywhere works but will not connect to the directory.

I can telnet ports 6001 and 6002 to the server but not 6004. The exchange servers are not even listening on these ports via netstat cmd.

I can browse to the RPC web page with no issues.

I have checked the "ValidPorts" registry key.
Question by:LouisvilleGeek
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 63

Accepted Solution

Simon Butler (Sembee) earned 500 total points
ID: 38737249
Quickest way to deal with this is to reinstall Outlook Anywhere:
Disable Outlook Anywhere completely, wait 15 minutes for the event ID to confirm it has gone, then remove the RPC Proxy feature from IIS. Ensure that the two RPC virtual directories have gone from IIS manager and run IISRESET.

Then reinstall the RPC Proxy and enable Outlook Anywhere again. Do not test until you see the event log entry to confirm it is enabled. It takes about 15 minutes.

When you say demote/promote - you aren't referring to DCPROMO I hope?


Author Comment

ID: 38737259

Yes - both of the Exchange servers are domain controllers.

We recently virtualized one of them and as such we demoted it then after it was virtualized, promoted it back.  Yes, with dcpromo.

Both times demotion/promotion were successful.  They are both GC's but hold no FSMO roles.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38737294
Running DCPROMO on a server with Exchange installed is not supported. It breaks many things, including IIS functionality, which is what has probably happened here.
Doesn't matter if it was successful or not - because that only affects the DC part, it doesn't tell you what was broken in Exchange.

Personally, I would have moved to member servers if you were moving from physical to virtual. You have significantly complicated the setup of your environment by having both DC and DAG functionality on the same server. As you must have Enterprise edition Windowsows to run a DAG there is no excuse to have DC as well, as you can have four VMs per physical licence.

That might be quite blunt, but even now I would be looking to remove each server in turn, rebuild it as a member server so that it is just Exchange and not a DC. I wouldn't like to see what happens in a failover of the DAG because Exchange on a DC acts in an odd way. Again to be blunt, that is a VERY poor design of your Exchange environment.

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!


Author Comment

ID: 38737574

I am going to try to reinstall Outlook Anywhere tonight after hours.

I appreciate your blunt analysis there.  I knew that was a bad design.  I am simply trying to put out the fire here.  I didn't design it.

I tried to keep the servers as member servers but Exchange authentication was broken.  Promoting them back to DC's fixed that issue.

What we will look to future-proof this is to remove the DAG.  Stand up a new Exchange server and move all of our mailboxes to it.  We only need one Exchange server.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38738504
I have never seen a DAG with domain controller on the same instance of Windows outside of SBS. The symptoms you saw around authentication is one of the issues that running DCPROMO causes, as it screws up all of the security settings. Complete mess. The move to virtual was your opportunity to move things around.

If youa re going to move, make sure that you have an RPC CAS Array in place, it will make life a lot easier.


Author Closing Comment

ID: 38740002
Excellent detail and great instructions.

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
A hard and fast method for reducing Active Directory Administrators members.
This video discusses moving either the default database or any database to a new volume.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

687 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question