Solved

Exchange 2010 SP1 Outlook Anywhere not working for Directory connections

Posted on 2013-01-02
6
465 Views
Last Modified: 2013-01-03
We have 2 Exchange servers with a DAG in our environment they are both CAS servers.  After a successful demotion and promotion of these servers to virtualize them we are now having issues with Outlook Anywhere.

Outlook Anywhere works but will not connect to the directory.

I can telnet ports 6001 and 6002 to the server but not 6004. The exchange servers are not even listening on these ports via netstat cmd.

I can browse to the RPC web page with no issues.

I have checked the "ValidPorts" registry key.
0
Comment
Question by:LouisvilleGeek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 38737249
Quickest way to deal with this is to reinstall Outlook Anywhere:
Disable Outlook Anywhere completely, wait 15 minutes for the event ID to confirm it has gone, then remove the RPC Proxy feature from IIS. Ensure that the two RPC virtual directories have gone from IIS manager and run IISRESET.

Then reinstall the RPC Proxy and enable Outlook Anywhere again. Do not test until you see the event log entry to confirm it is enabled. It takes about 15 minutes.

When you say demote/promote - you aren't referring to DCPROMO I hope?

Simon.
0
 

Author Comment

by:LouisvilleGeek
ID: 38737259
Simon,

Yes - both of the Exchange servers are domain controllers.

We recently virtualized one of them and as such we demoted it then after it was virtualized, promoted it back.  Yes, with dcpromo.

Both times demotion/promotion were successful.  They are both GC's but hold no FSMO roles.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38737294
Running DCPROMO on a server with Exchange installed is not supported. It breaks many things, including IIS functionality, which is what has probably happened here.
Doesn't matter if it was successful or not - because that only affects the DC part, it doesn't tell you what was broken in Exchange.

Personally, I would have moved to member servers if you were moving from physical to virtual. You have significantly complicated the setup of your environment by having both DC and DAG functionality on the same server. As you must have Enterprise edition Windowsows to run a DAG there is no excuse to have DC as well, as you can have four VMs per physical licence.

That might be quite blunt, but even now I would be looking to remove each server in turn, rebuild it as a member server so that it is just Exchange and not a DC. I wouldn't like to see what happens in a failover of the DAG because Exchange on a DC acts in an odd way. Again to be blunt, that is a VERY poor design of your Exchange environment.

Simon.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:LouisvilleGeek
ID: 38737574
Simon,

I am going to try to reinstall Outlook Anywhere tonight after hours.

I appreciate your blunt analysis there.  I knew that was a bad design.  I am simply trying to put out the fire here.  I didn't design it.

I tried to keep the servers as member servers but Exchange authentication was broken.  Promoting them back to DC's fixed that issue.

What we will look to future-proof this is to remove the DAG.  Stand up a new Exchange server and move all of our mailboxes to it.  We only need one Exchange server.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38738504
I have never seen a DAG with domain controller on the same instance of Windows outside of SBS. The symptoms you saw around authentication is one of the issues that running DCPROMO causes, as it screws up all of the security settings. Complete mess. The move to virtual was your opportunity to move things around.

If youa re going to move, make sure that you have an RPC CAS Array in place, it will make life a lot easier.

Simon.
0
 

Author Closing Comment

by:LouisvilleGeek
ID: 38740002
Excellent detail and great instructions.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question