24 Feb 2011

Exchange 2010: Cannot download Offline Address Book. 500 - Internal Server Error

Problems with downloading an Offline Address Book are very common and can have many sources. If you can't download the OAB using Outlook 2007 or Outlook 2010, this article may be useful for you.
Problem description
When you try to download the OAB using Tools -> Send/Receive -> Download Address Book, the OAB name does not appear in the drop-down list.

Firstly, check whether Autodiscover is configured properly. You can use the Test E-mail AutoConfiguration wizard (hold CTRL and right-click the Outlook icon in the system tray). You should see a list of URLs.
  1. If Autodiscover returns an error, you have to configure this service correctly (configuring Autodiscover is out of scope of this article).
  2. If the XML is displayed, find the OAB URL, which looks similar to: https://yourservername.yourdomain.tlddomain/oab/guidnumber. Notice: the OAB address can be found in both the "Protocol: Exchange RPC" and "Protocol: Exchange HTTP" sections. The first one is for internal clients accessing the OAB from the LAN and the second is for external clients accessing the OAB from the Internet.
  3. If one of the OAB URLs is empty or wrong, correct the configuration using the Set-OABVirtualDirectory cmdlet.
  4. If everything is right, copy the OAB URL and try to open it in your web browser.
  5. You will probably see the error 500 - Internal Server Error (Figure 1).
Figure 1
In this situation check the following settings:
  1. Is web-based distribution enabled? Organization Configuration -> Mailbox -> Offline Address Book tab -> open your OAB's Properties -> Distribution tab -> Enable Web-based distribution must be checked. There has to be at least one Client Access Server on the list. If the settings are correct, go to the next point.
  2. Using the IIS Manager console, check whether the OAB subfolder exists and contains a folder whose name is a GUID. You should see a lot of files in this GUID subfolder. Check this on each CAS.
  3. Have you created a redirection to simplify the Outlook Web App URL, like in this article? If yes, go to the next point.
  4. Did you remove the redirection from the virtual folders? If yes, go to the solution.
When you configure HTTP Redirection, a web.config file is created in the OAB directory. This file has incorrect permissions. Assign the Read and Read & Execute permissions to the Authenticated Users group, then restart IIS using iisreset /noforce.
Now you can try to download the OAB using Outlook. You may need to download it twice, because sometimes the OAB name doesn't appear on the first try.
Notice: When you try to open the OAB URL from a web browser you will get a "403 - Forbidden: Access is denied" error (Figure 2). This is normal: your OAB is configured properly.
Figure 2
[Update 31.08.2016] Ken reported that it might take a little while to start working. He got 'object not found' error on first couple of tries after applying the solution.
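The checks above, collected into one script as an added example (this is not code from the original post). It runs in the Exchange Management Shell on each CAS; the OAB folder path is the default install location and is an assumption, as is the Test-OabUrl helper.

```powershell
# Added example, not code from the original post: checks the OAB web distribution
# prerequisites listed above and repairs the web.config ACL. Run it in the Exchange
# Management Shell on each CAS. The OAB path is the default install location (assumed).
param(
    [string]$OabRoot = "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB",
    [switch]$Fix
)

# Returns the HTTP status an anonymous request to the OAB URL gets back:
# 403 is the expected result when the OAB is configured correctly, 500 is the symptom above
function Test-OabUrl([string]$Url) {
    try   { $resp = [System.Net.WebRequest]::Create($Url).GetResponse(); [int]$resp.StatusCode }
    catch [System.Net.WebException] { [int]$_.Exception.Response.StatusCode }
}

# Point 1: web-based distribution and the URLs Autodiscover hands to Outlook
Get-OfflineAddressBook | Format-List Name, WebDistributionEnabled, VirtualDirectories
Get-OABVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl

# Point 2: each GUID-named subfolder under OAB should contain the generated OAB files
Get-ChildItem $OabRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $files = @(Get-ChildItem $_.FullName | Where-Object { -not $_.PSIsContainer }).Count
    "{0} : {1} file(s)" -f $_.Name, $files
}

# Points 3/4: web.config left behind by HTTP redirection must be readable by Authenticated Users
$cfg = Join-Path $OabRoot "web.config"
if (Test-Path $cfg) {
    $rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $ok = (Get-Acl $cfg).Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $rx) -eq $rx)
    }
    if (-not $ok) {
        Write-Warning "Authenticated Users cannot read $cfg (this produces the 500 error)"
        if ($Fix) {
            icacls $cfg /grant "Authenticated Users:(RX)"   # Read + Read & Execute
            iisreset /noforce
        }
    }
}

# Final check against the URL Autodiscover publishes (external URL used here as an example)
$url = (Get-OABVirtualDirectory | Select-Object -First 1).ExternalUrl
if ($url) { "HTTP status for $url : {0}" -f (Test-OabUrl $url) }
```

Run it without -Fix first to see what it would change; with -Fix it grants the ACL and restarts IIS.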

1 Feb 2011

Exchange 2010 SP1: Problem while adding DAG members

Today I encountered a problem with adding DAG members. I created the DAG without any problems, but later, when I was trying to add a new member to the DAG, I received the following error:

A server-side database availability group administrative operation failed. Error: The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API '"CreateCluster() failed with 0x5. Error: Access is denied"' failed. [Server: MBX01.domain.local]
An Active Manager operation failed. Error: An error occurred while attempting a cluster operation. Error: Cluster API '"CreateCluster() failed with 0x5. Error: Access is denied"' failed..
Access is denied
Click here for help...
The operation wasn't successful because an error was encountered. You may find more details in log file "C:\ExchangeSetupLogs\DagTasks\dagtask_2011-02-01_10-56-20.943_add-databaseavailabiltygroupserver.log".
Exchange Management Shell command attempted:
Add-DatabaseAvailabilityGroupServer -MailboxServer 'MBX01' -Identity 'DAG1'

I checked the log file and found that there was a problem with adding the DAG computer object, which is called the CNO (Cluster Name Object):
[2011-02-01T10:06:50] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1, dwStatus = 0x5 )
[2011-02-01T10:06:50] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1, dwStatus = 0x5 )

The correct dwStatus is 0x0, which means "success"; dwStatus = 0x5 means "access denied". I realised that my client's Active Directory domain was hardened and there were non-standard permissions on AD objects. In particular, the Active Directory attribute mS-DS-MachineAccountQuota was set to 0. This is why Exchange couldn't create the CNO.

The solution:

  1. Create the CNO account manually and grant Full Control over this object to all your DAG members (computer accounts).
  2. Disable the CNO account. It took me a while to figure this out: if you keep this account enabled, you will receive another error when adding DAG members.
  3. Now you can add members to the DAG.
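The solution above as an added PowerShell example (not code from the original post). It assumes the ActiveDirectory module (RSAT on Windows 2008 R2) and dsacls.exe are available; the DAG name, member names and target OU are placeholders.

```powershell
# Added example, not code from the original post: pre-stage the DAG's Cluster Name
# Object as described in the solution above. Requires the ActiveDirectory module and
# dsacls.exe. $DagName, $DagMembers and $TargetOu are placeholders (assumed values).
Import-Module ActiveDirectory

$DagName    = "DAG1"
$DagMembers = @("MBX01", "MBX02")                      # computer accounts of the DAG members
$TargetOu   = "OU=Exchange Servers,DC=domain,DC=local" # where the CNO should live (assumed)
$NetBios    = (Get-ADDomain).NetBIOSName

# Confirm the symptom: a quota of 0 stops Exchange from creating the CNO itself
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# Step 1: create the CNO; creating it disabled covers step 2 at the same time
$cno = Get-ADComputer -Filter { Name -eq $DagName } -SearchBase $TargetOu -ErrorAction SilentlyContinue
if (-not $cno) {
    $cno = New-ADComputer -Name $DagName -SamAccountName $DagName -Path $TargetOu -Enabled $false `
               -Description "Pre-staged CNO for $DagName" -PassThru
}

# Grant each DAG member's computer account Full Control (dsacls GA = generic all) on the CNO
foreach ($member in $DagMembers) {
    dsacls $cno.DistinguishedName /G "${NetBios}\${member}`$:GA"
}

# Step 2 check: the account must stay disabled until Exchange takes it over
Get-ADComputer $cno.DistinguishedName -Properties Enabled | Format-List Name, Enabled, DistinguishedName
dsacls $cno.DistinguishedName   # review the resulting ACL before Add-DatabaseAvailabilityGroupServer
```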

Notice: The following may be useful when you troubleshoot a DAG.
1. After installing the Failover Clustering feature, the Cluster service startup type is set to Disabled. This is also true after creating a DAG; it is a normal situation.
2. The FSW (File Share Witness) is not created when the DAG is created; the folder and share are created when you add the second DAG member, because the FSW is only needed when the DAG has an even number of members.

29 Jan 2011

Force removal of Public Folders Database

To uninstall the last Exchange 2003 server from an Exchange organisation you have to delete its Public Folder databases. You can find a few very good articles about removing the last Exchange 2003 server. These articles are very useful when everything goes well and you can replicate all Public Folders to a new Exchange 2007/2010 server. But what if you are unable to replicate all Public Folders and some folders remain on the old server (at least, the Exchange tools say so)? I know from experience that this is a very common problem. I'm going to describe a procedure that easily solves it.

Important notice: If you remove a Public Folder database using this method, all data that remains in it will be lost!
Important notice 2: If you remove the first Public Folder database via this method, the site folder server will point to a deleted object. You will subsequently need to fix that using ADSIEdit. Refer to Site folder server deleted.

To forcibly remove a Public Folder database:

  1. Open the following path using the adsiedit.msc tool:
    CN=Configuration,DC=yourdomain,DC=yourhighlevelpartofdomain,CN=Services,CN=Microsoft Exchange,CN=YourOrganizationName,CN=Administrative Groups,CN=YourAdministrativeGroupName,CN=Servers,CN=YourServerName,CN=StorageGroupNameWhichContainsPFDatabase
  2. In the right pane, right-click the Public Folder database name and delete it.
You can also use this procedure with Exchange 2007/2010 Public Folder databases.
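The same lookup and deletion done with [ADSI] instead of clicking through adsiedit.msc, as an added example that is not part of the original post. It lists every Public Folder database object in the Configuration partition, shows which administrative group's siteFolderServer points at one (Important notice 2), and deletes only when -Remove and a name are given; the siteFolderServer attribute name and the msExchAdminGroup class are assumptions from the Exchange schema.

```powershell
# Added example, not code from the original post: find Public Folder database objects
# in the Configuration partition and optionally delete one the way ADSIEdit would.
# Object class / attribute names (msExchPublicMDB, msExchAdminGroup, siteFolderServer)
# are taken from the Exchange schema and are assumptions of this script.
param([string]$DatabaseName, [switch]$Remove)

$configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter = "(objectClass=msExchPublicMDB)"   # public folder stores
$pfdbs = @($searcher.FindAll() | ForEach-Object { $_.Properties.distinguishedname[0] })

"Public Folder databases found:"
$pfdbs

# Important notice 2: show which administrative groups reference a site folder server,
# so you know in advance whether deleting a database leaves a dangling pointer
$searcher.Filter = "(objectClass=msExchAdminGroup)"
$searcher.FindAll() | ForEach-Object {
    $ag = $_.Properties
    if ($ag.sitefolderserver) { "{0} -> siteFolderServer = {1}" -f $ag.name[0], $ag.sitefolderserver[0] }
}

if ($Remove -and $DatabaseName) {
    $target = $pfdbs | Where-Object { $_ -like "CN=$DatabaseName,*" }
    if (-not $target) { throw "No Public Folder database named '$DatabaseName' found" }
    ([ADSI]"LDAP://$target").psbase.DeleteTree()   # irreversible: remaining data in the store is lost
    "Deleted $target"
}
```

Run it once without -Remove to confirm the DN and the siteFolderServer references before deleting anything.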

27 Jan 2011

Exchange 2010 - Certificate Status: RevocationCheckFailure

I was configuring Exchange 2010 for a customer who had bought GoDaddy certificates to use with Exchange. When I tried to verify the installed certificate using the Get-ExchangeCertificate | FL command, the certificate Status was RevocationCheckFailure. The certificate was displayed correctly in the MMC console, so it was obviously a problem with access to the CRL publication point.
Exchange 2010 was installed on Windows 2008 R2 and a proxy server was needed to connect to the Internet.
Exchange 2010 uses the WinHttp service to connect to the Internet. This service doesn't import the proxy settings from the Internet Explorer configuration.
You have two options to configure WinHttp:
1. WPAD - If WPAD is deployed on the network, the WinHttp service will get its configuration automatically.
2. Manual configuration - If you don't have WPAD, you must configure the WinHttp service manually. I'm going to describe this method.

To verify the current settings:
Run netsh winhttp show proxy from the command line. You will see your current settings. "Direct access" means that there is no proxy configured for WinHttp.

To set the proxy, run the following command:
netsh winhttp set proxy proxy-server="http=yourhttpproxyserver:8080;https=yourhttpsproxyserver:8080" bypass-list="*.yourADdomain.local"

The above command is correct only for Windows 2008 R2; for Windows 2008 use this command:
netsh winhttp set proxy-server="http=yourhttpproxyserver:8080;https=yourhttpsproxyserver:8080" bypass-list="*.yourADdomain.local"

Optionally, you can clear the CRL cache with the following command: certutil -urlcache crl delete

Notice: Remember to set the bypass-list parameter to your local Active Directory domain FQDN. If you skip this part, you won't be able to connect to Exchange using either the Exchange Management Console or PowerShell.
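The verification, proxy configuration and CRL cache reset above as one script, added here as an example (not code from the original post). It checks that the current bypass-list covers the AD domain before applying anything; the proxy names are placeholders and the Windows 2008 R2 netsh syntax is used.

```powershell
# Added example, not code from the original post: check the WinHttp proxy and bypass-list,
# apply the settings only with -Apply, flush the CRL cache, then re-read certificate status.
# $HttpProxy / $HttpsProxy are placeholders (assumed values); Windows 2008 R2 syntax.
param(
    [string]$HttpProxy  = "yourhttpproxyserver:8080",
    [string]$HttpsProxy = "yourhttpsproxyserver:8080",
    [switch]$Apply
)

$adDomain = $env:USERDNSDOMAIN.ToLower()   # the bypass-list must cover this FQDN (see Notice)
$bypass   = "*.$adDomain"

# Current WinHttp settings; "Direct access" means no proxy is configured for WinHttp
$current = netsh winhttp show proxy
$current

# The Notice above: a proxy without a bypass for the AD domain breaks EMC / PowerShell access
$hasProxy  = @($current -match 'Proxy Server').Count -gt 0
$hasBypass = @($current -match [regex]::Escape($adDomain)).Count -gt 0
if ($hasProxy -and -not $hasBypass) {
    Write-Warning "WinHttp proxy is set but the bypass-list does not include $adDomain"
}

if ($Apply) {
    netsh winhttp set proxy proxy-server="http=$HttpProxy;https=$HttpsProxy" bypass-list="$bypass"
    certutil -urlcache crl delete      # drop cached CRLs so the next check fetches fresh ones
}

# Status should change from RevocationCheckFailure to Valid once the CRL is reachable
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Status, CertificateDomains
```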