Solved

We are having a few issues after migrating Exchange from 2010 to 2013.

Posted on 2014-10-15
Last Modified: 2014-10-22
1. Main issue is that we cannot add secondary mailboxes to an account or additional profiles.
2. Running through testing we see that the ExRCA.com
      An error message was returned from the Autodiscover service
      XML response:
      <?xml version="1.0"?>
      <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response>
      <Error Time="17:24:48.2529679" Id="2716901415">
      <ErrorCode>500</ErrorCode>
      <Message>The email address can't be found.</Message>
SRV records and Autodiscover DNS records are all there and check out, along with the wildcard cert.

3. When trying to download the OAB it gives an error.
      The error is 0x80200049 the operation failed

We have rebuilt the OAB and Autodiscover virtual directory following proper directions.
We have recreated the OAB and assigned it, and it appears to be there; we can access the web URL for it, same with the Autodiscover URL.

Any help would be appreciated. James
Question by:auctionpay

Author Comment

by:auctionpay
Additional info:

When sending from a secondary profile that already existed, the message immediately errors out with the response:

This message could not be sent. Try sending the message again later, or contact your network administrator.  Error is [0x80070005-00000000-00000000].

Expert Comment

by:Simon Butler (Sembee)
Internally Autodiscover and SRV records are not used if the clients are members of the domain.
The clients query the domain for Autodiscover information. If that isn't set correctly then the client will fail to connect.

My instinct is that you haven't set the URLs correctly.

http://semb.ee/hostnames2013

Furthermore, as you are using a wildcard certificate, you should probably look at setting these two values as well:

Get-OutlookProvider "EXCH" | Set-OutlookProvider -CertPrincipalName "msstd:*.example.com"
Get-OutlookProvider "EXPR" | Set-OutlookProvider -CertPrincipalName "msstd:*.example.com"

Simon.

Author Comment

by:auctionpay
That was done previously.
Get-OutlookProvider gives this:
Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                        msstd:*.ourdomain.com     1
EXPR                                                        msstd:*.ourdomain.com     1
WEB                                                         msstd:*.ourdomain.com     1

I have gone through all the steps mentioned in the site. We have one 2010 CAS server that has not been removed yet, so I had run the scripts for the individual CAS server.
I am still having issues.
The Outlook auto test always worked and still does.

Author Comment

by:auctionpay
Okay, uninstalled the last 2010 CAS server just to eliminate it; still no luck.

Author Comment

by:auctionpay
Issue number 2 is resolved.

The main issue is still unresolved.

Expert Comment

by:Simon Butler (Sembee)
If you are getting the same errors as you originally posted, then Autodiscover isn't working.
Autodiscover is mandatory with Exchange 2013 deployments.

When you run an Autodiscover test in Outlook, does it return the correct URLs?
Do you have more than the Exchange web sites on the CAS role holder? Bindings correct?

Simon.

Author Comment

by:auctionpay
Yes, when I run Autodiscover it runs correctly for all tests that I know.
I found a way to get Outlook to add the mailbox to a second profile if I let it do the autodiscover/autoconfig for the logged-in user, then change the name on the account and resolve the name again. You can't send as that person until I go and perform Get-Mailbox "other mailbox" | Add-ADPermission -User "user" -ExtendedRights "Send As", even though the account has Send As according to ECA and they could before the migration.

Assisted Solution

by:auctionpay
Where I stand now. It looks like the main cause of my issues is twofold. Exchange 2013 changes how "Send as" works. Now instead of "Send as" it is "Send on behalf of" you have to go back in and add the "Send as" to get rid of issue 3. Issue 1 looks to be related to issue 3 in the fact that when adding a secondary mailbox it looks at the OAB on your machine and cannot. If it does its autodiscover and the name is changed, it has already resolved the CAS and received its GUID and can just check permissions then on full control. If you do not have "Send as" permissions at this point you will not be able to send from this profile.

Expert Comment

by:Simon Butler (Sembee)
"Exchange 2013 changes how "Send as" works. Now instead of "Send as" it is "Send on behalf of" you have to go back in and add the "Send as" to get rid of issue 3"

Nothing has changed.
Send As and Send on Behalf of have always been different. The permissions are different and are handled differently. It hasn't changed since SP2 for Exchange 2003, when Full Mailbox Access and the Send As permission were separated.

If a user has Full Mailbox Access, then Autodiscover should add the account automatically in Outlook without any additional work being required - although only if permission is granted to a user, not to a group.

Simon.
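
The three delegation rights argued over in this thread (Full Access, Send As, Send on Behalf) are stored in different places, so checking one says nothing about the others. The following is an added example, not code from any poster: it lists all three for one mailbox from the Exchange Management Shell. The function name `Get-MailboxDelegation` and the mailbox identity in the last line are hypothetical.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
function Get-MailboxDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity   # mailbox to inspect
    )
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $dn  = $mbx.DistinguishedName

    # Full Access is a mailbox permission. Skip inherited, deny and SELF entries.
    $full = Get-MailboxPermission -Identity $dn | Where-Object {
        $_.AccessRights -like '*FullAccess*' -and $_.IsInherited -eq $false -and
        $_.Deny -eq $false -and $_.User -notlike 'NT AUTHORITY\SELF'
    }

    # Send As is an Active Directory extended right on the mailbox user's object.
    $sendAs = Get-ADPermission -Identity $dn | Where-Object {
        $_.ExtendedRights -like '*Send-As*' -and $_.IsInherited -eq $false -and
        $_.Deny -eq $false -and $_.User -notlike 'NT AUTHORITY\SELF'
    }

    # Emit one row per (right, trustee) so a missing right is easy to spot.
    foreach ($p in $full) {
        [pscustomobject]@{ Mailbox = $mbx.Name; Right = 'FullAccess'
                           Trustee = "$($p.User)"; StoredIn = 'Mailbox permission' }
    }
    foreach ($p in $sendAs) {
        [pscustomobject]@{ Mailbox = $mbx.Name; Right = 'SendAs'
                           Trustee = "$($p.User)"; StoredIn = 'AD extended right' }
    }
    # Send on Behalf is a property of the mailbox, not an ACL entry.
    foreach ($t in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $mbx.Name; Right = 'SendOnBehalf'
                           Trustee = "$t"; StoredIn = 'GrantSendOnBehalfTo' }
    }
}

# Hypothetical mailbox name; replace with a real identity.
Get-MailboxDelegation -Identity 'shared.mailbox' | Sort-Object Trustee, Right | Format-Table -AutoSize
```

Running it before and after a migration and comparing the output shows which explicit grants did not carry over.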

Assisted Solution

by:auctionpay
Simon,
In Exchange the permission settings have changed:
manage send as
It is not send on behalf of.
Yes, that capability has been around to set send on behalf of. However, that is not the way it was before migration. Just something that had to be tracked down and changed.
Autodiscover and OAB for secondary profiles are needed. If you do not have a current copy of the OAB on your system you will be prompted to connect with your primary account before you can add a secondary. That way the OAB can be downloaded and it can identify what permissions you have for what mailbox. You can connect to the server all day long and not add a different profile until you have a good copy of OAB on your system or you spoof your credentials. The way I did before I got OAB and the GC working together.
I was able to identify the root cause of our OAB issue and it had to do with Domain Controller issues, and thus OAB was not generating correctly or linking to people's profiles.
My issues are now resolved.
James

Accepted Solution

by:auctionpay
My problems have all been resolved. OAB was working for most people as of yesterday; the last thing was that it was showing up/downloadable by half of the users. Found that the default BITS limit in GPO was blocking it. Every time that I or someone else was trying to download, it would fail because the maximum number of BITS jobs for each user was reached. Increasing this allowed amount and doing a gpupdate allowed the OAB to download, and everything is looking good.

James
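
One way to check a client for the condition described in this answer, as an added example that is not from the thread: compare the current user's BITS job count with the per-user limit set by Group Policy. The function name `Get-BitsJobHeadroom` is hypothetical; `MaxJobsPerUser` under the BITS policy key is the registry value behind the "Maximum number of BITS jobs for each user" setting and is absent when the policy is not configured.

```powershell
# Added example, not from the thread. Run as the affected user on the Outlook client.
Import-Module BitsTransfer

function Get-BitsJobHeadroom {
    [CmdletBinding()]
    param(
        # Registry key where the BITS Group Policy settings are stored.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
    )

    # Read the per-user job limit; $null means the policy is not configured here.
    $policy = Get-ItemProperty -Path $PolicyKey -Name MaxJobsPerUser -ErrorAction SilentlyContinue
    $limit  = if ($policy) { [int]$policy.MaxJobsPerUser } else { $null }

    # Without -AllUsers, Get-BitsTransfer returns only the current user's jobs.
    $jobs = @(Get-BitsTransfer -ErrorAction SilentlyContinue)

    # Grouping by state shows whether stale, unfinished transfers are using up the quota.
    $byState = ($jobs | Group-Object JobState |
        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

    [pscustomobject]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        JobCount       = $jobs.Count
        MaxJobsPerUser = $limit
        AtOrOverLimit  = ($null -ne $limit) -and ($jobs.Count -ge $limit)
        JobsByState    = $byState
        OldestJob      = ($jobs | Sort-Object CreationTime | Select-Object -First 1).CreationTime
    }
}

Get-BitsJobHeadroom | Format-List
```

If `AtOrOverLimit` is true, new downloads such as the OAB cannot be queued for that user until jobs complete or the policy value is raised and refreshed with gpupdate.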

Author Closing Comment

by:auctionpay
There was no real comment provided by anyone else. I was just updating my post as I was working through the issue. I could go through and write out all the steps for each issue, but I think I have provided enough that people can work through the issues I was having.