
24 Feb 2011

Exchange 2010: Cannot download Offline Address Book. 500 - Internal Server Error

Problems with downloading an Offline Address Book (OAB) are very common and can have many causes. If you can't download the OAB using Outlook 2007 or Outlook 2010, this article may be useful to you.
Problem description
When you try to download the OAB using the menu Tools -> Send/Receive -> Download Address Book, the name of the OAB does not appear in the drop-down list.

Diagnostics
First, check whether Autodiscover is configured properly. You can use the Test E-mail AutoConfiguration wizard (hold CTRL and right-click the Outlook icon in the system tray). You should see a list of URLs.
  1. If Autodiscover returns an error, you have to configure this service correctly (Autodiscover configuration is out of the scope of this article).
  2. If the XML is displayed, find the OAB URL, which looks similar to: https://yourservername.yourdomain.tlddomain/oab/guidnumber. Notice: The OAB address can be found in both the "Protocol: Exchange RPC" and "Protocol: Exchange HTTP" sections. The first one is for internal clients accessing the OAB from the LAN and the second is for external clients accessing the OAB from the Internet.
  3. If one of the OAB URLs is empty or wrong, correct the configuration using the Set-OabVirtualDirectory cmdlet.
  4. If everything is right, copy the OAB URL and try to open it in your web browser.
  5. You will probably see the error 500 - Internal Server Error (Figure 1).
Figure 1
In this situation check the following settings:
  1. Is Web-Based distribution enabled? Organization Configuration -> Mailbox -> Offline Address Book tab -> display your OAB Properties -> Distribution tab -> Enable Web-Based distribution must be selected. There has to be at least one Client Access Server on the list. If the settings are correct, go to the next point.
  2. Using the IIS Manager console, check whether an OAB subfolder exists and contains a folder whose name is a GUID. You should see a lot of files in this GUID subfolder. Check this on each CAS.
  3. Have you created the redirection to simplify the Outlook Web App URL, like in this article http://technet.microsoft.com/en-us/library/aa998359.aspx? If yes go to the next point.
  4. Did you remove the redirection from virtual folders? If yes go to the solution.
Solution
When you configure HTTP Redirection, a web.config file is created in the OAB directory. This file has incorrect permissions. Assign the Read and Read & Execute permissions to the Authenticated Users group, then restart IIS using iisreset /noforce.
Now you can try to download the OAB using Outlook. You may need to download it twice, because sometimes the name of the OAB doesn't appear on the first try.
Notice: When you try to open the OAB URL in a web browser you will get a "403 - Forbidden: Access is denied" error (Figure 2). This is normal. Your OAB is configured properly.
Figure 2
[Update 31.08.2016] Ken reported that it might take a little while to start working. He got an 'object not found' error on the first couple of tries after applying the solution.
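
The permission fix from the Solution above, scripted so it can be repeated and checked on each CAS. This is an added example, not part of the original post; it assumes a default Exchange 2010 installation where the ExchangeInstallPath environment variable is set and the OAB directory is ClientAccess\OAB beneath it.

```powershell
# Added example. Assumptions: default Exchange 2010 layout (OAB directory at
# %ExchangeInstallPath%ClientAccess\OAB); run from an elevated prompt on each CAS.
$webConfig = Join-Path $env:ExchangeInstallPath 'ClientAccess\OAB\web.config'
if (-not (Test-Path -LiteralPath $webConfig)) {
    throw "No web.config at $webConfig; adjust the path for this server."
}

# Well-known SID S-1-5-11 is Authenticated Users (independent of OS language).
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$needed    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$acl = Get-Acl -Path $webConfig

# Look for an existing Allow ACE (explicit or inherited) that already covers
# Read & Execute, so the script changes nothing when the ACL is already right.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$hasRight = $false
foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($ace.IdentityReference.Value -eq $authUsers.Value -and
        $ace.AccessControlType -eq 'Allow' -and
        ($ace.FileSystemRights -band $needed) -eq $needed) {
        $hasRight = $true
    }
}

if ($hasRight) {
    Write-Host 'Authenticated Users already has Read & Execute on web.config.'
} else {
    # Grant only Read & Execute (which includes Read); no write or modify rights.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($authUsers, $needed, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $webConfig -AclObject $acl
    iisreset /noforce
}

# Show the resulting ACL for the change record.
(Get-Acl -Path $webConfig).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```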



1 Feb 2011

Exchange 2010 SP1: Problem while adding DAG members

Today I encountered a problem with adding DAG members. I created the DAG without any problems, but later, when I tried to add a new member to the DAG, I received the following error:

Error:
A server-side database availability group administrative operation failed. Error: The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API '"CreateCluster() failed with 0x5. Error: Access is denied"' failed. [Server: MBX01.domain.local]
An Active Manager operation failed. Error: An error occurred while attempting a cluster operation. Error: Cluster API '"CreateCluster() failed with 0x5. Error: Access is denied"' failed..
Access is denied
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.267.0&t=exchgf1&e=ms.exch.err.ExC9C315
Warning:
The operation wasn't successful because an error was encountered. You may find more details in log file "C:\ExchangeSetupLogs\DagTasks\dagtask_2011-02-01_10-56-20.943_add-databaseavailabiltygroupserver.log".
Exchange Management Shell command attempted:
Add-DatabaseAvailabilityGroupServer -MailboxServer 'MBX01' -Identity 'DAG1'


I checked the log file and found that there was a problem with adding the DAG computer object, which is called the CNO (Cluster Name Object):
[2011-02-01T10:06:50] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1, dwStatus = 0x5 )
[2011-02-01T10:06:50] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1, dwStatus = 0x5 )


The correct dwStatus is 0x0, which means "success"; dwStatus = 0x5 means "access denied". I realised that my client's Active Directory domain was hardened and there were non-standard permissions on AD objects. In particular, the Active Directory attribute mS-DS-MachineAccountQuota was set to 0. This is why Exchange couldn't create the CNO.
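
To pull every failed phase out of a dagtask log instead of reading it by eye, the callback lines can be filtered on a non-zero dwStatus. This is an added example, not part of the original post; the function name Get-DagTaskFailure is hypothetical, and the second sample line is constructed for contrast.

```powershell
# Added example. Sample input: the first line is the failing entry quoted above,
# the second is a constructed successful phase.
$sample = @'
[2011-02-01T10:06:50] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1, dwStatus = 0x5 )
[2011-02-01T10:06:49] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseValidateNodeState, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseInformational, dwPercentComplete = 10, szObjectName = MBX01, dwStatus = 0x0 )
'@ -split "`r?`n"

function Get-DagTaskFailure {
    param([string[]]$Line)
    $pattern = 'eSetupPhase = (?<phase>\w+),.*ePhaseSeverity = (?<sev>\w+),.*' +
               'szObjectName = (?<obj>[^,]*), dwStatus = 0x(?<code>[0-9a-fA-F]+)'
    foreach ($l in $Line) {
        if ($l -notmatch $pattern) { continue }
        $code = [Convert]::ToInt32($Matches['code'], 16)
        if ($code -eq 0) { continue }   # 0x0 is success, skip it
        New-Object PSObject -Property @{
            Phase    = $Matches['phase']
            Severity = $Matches['sev']
            Object   = $Matches['obj']
            Status   = $code
            # Translate the Win32 error code into its system message (5 = access denied).
            Meaning  = (New-Object System.ComponentModel.Win32Exception $code).Message
        }
    }
}

Get-DagTaskFailure -Line $sample | Format-List Phase, Severity, Object, Status, Meaning
# Against a real log: Get-DagTaskFailure -Line (Get-Content '<path to dagtask log>')
```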


The solution:

  1. Create the CNO account manually and grant Full Control over this object to all your DAG members (computer accounts).
  2. Disable the CNO account. It took me a while to figure this out: if you keep this account enabled, you will receive another error while adding DAG members.
  3. Now you can add members to the DAG.
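
The pre-staging steps above as a script, including a check of the quota that caused the failure. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available and the account running it may create computer objects. DAG1 and MBX01 are the names from the error above, MBX02 is a constructed second member.

```powershell
# Added example. Assumptions: ActiveDirectory module installed; the CNO is
# created in the domain's default Computers container.
Import-Module ActiveDirectory
$dagName = 'DAG1'
$members = 'MBX01', 'MBX02'   # MBX02 is a constructed name

# Confirm the hardening: 0 means ordinary accounts cannot create computer objects.
$domain = Get-ADDomain
$quota  = (Get-ADObject $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# Steps 1 and 2: create the CNO, already disabled.
New-ADComputer -Name $dagName -Path $domain.ComputersContainer -Enabled $false
$cno = Get-ADComputer $dagName

# Step 1: grant Full Control (GenericAll) on the CNO to each DAG member's
# computer account, and to nothing else.
$adPath  = "AD:\$($cno.DistinguishedName)"
$acl     = Get-Acl -Path $adPath
$fullCtl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($m in $members) {
    $sid = (Get-ADComputer $m).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $fullCtl, $allow)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $adPath -AclObject $acl

# Verify before running Add-DatabaseAvailabilityGroupServer (step 3).
Get-ADComputer $dagName | Select-Object Name, Enabled
(Get-Acl -Path $adPath).Access |
    Where-Object { -not $_.IsInherited -and $_.ActiveDirectoryRights -eq $fullCtl } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```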


Notice: The following advice might be useful when you troubleshoot a DAG.
1. After installation of the Failover Cluster feature, the Cluster service startup mode is set to Disabled. This is also true after creating a DAG; it is a normal situation.
2. The FSW (File Share Witness) is not created during creation of the DAG; the folder and share are created when you add the second DAG member. The FSW is only needed when you have an even number of members.