Overview
The Autodiscover service for Microsoft Exchange Server 2007 provides automatic profile configuration for Microsoft Office Outlook 2007 clients that are connected to your Exchange messaging environment. When you install the Client Access server (CAS) role on a computer running Exchange 2007, a new virtual directory is created under the Default Web Site in Internet Information Services (IIS). In Active Directory, a Service Connection Point (SCP) object is created that allows all domain-connected clients running Outlook 2007 to query Active Directory and configure the Outlook profile automatically.
Many organizations have complex topologies with multiple forests, where Exchange runs in a resource forest and a separate accounts forest contains the user accounts for the organization. In the multiple trusted forest scenario, the user accounts and Microsoft Exchange are deployed in multiple forests. Exchange 2007 features such as the Availability service and Unified Messaging rely on the Autodiscover service to access user accounts across forests. In this scenario, the Autodiscover service must be available to users across multiple trusted forests.
The intention of this post is not to explain how Autodiscover works, how to implement it for multiple forests, or how to troubleshoot every scenario. It is a brief, practical list of tips for use during deployment, and it covers some common examples and methods to resolve issues. For more details on how Exchange 2007 Autodiscover works and on deployment considerations, see the white paper: Exchange 2007 Autodiscover Service and Deployment Considerations for the Autodiscover Service
Configuration tips
These tips assume that Exchange 2007 is installed in the Fourthcoffee.com Exchange 2007 resource forest and that the user accounts are located in the Nwtraders.com accounts forest.
1. Verify that DNS name resolution works between the Exchange 2007 resource forest and the accounts forest.
2. A one-way outgoing trust relationship is required between the Exchange 2007 forest and the accounts forest. Test the trust relationship between forests. For detailed steps, see Create a one-way, outgoing, forest trust for both sides of the trust.
3. Verify that the mailbox you are testing is a Linked Mailbox (a mailbox that is assigned to an individual user in a separate, trusted forest), that the user from the account domain has full access, and that you are testing the correct SMTP address configured for the mailbox. See Understanding Recipients.
4. Review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP) object for each Exchange 2007 Client Access server.
    CN=<CAS_SERVER>,CN=Autodiscover,CN=Protocols,CN=<CAS_SERVER>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<ORG>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fourthcoffee,DC=com
- Keywords contains by default the name of the site in which the Client Access server resides. The Keywords attribute controls site affinity, which helps Outlook 2007 find the best CAS.
- ServiceBindingInformation contains by default the Autodiscover URL https://cas_server.domain/autodiscover/autodiscover.xml
7. Review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP) object on the accounts forest (Nwtraders.com).
    CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com
- Keywords in this case should contain the SMTP addresses of all authoritative accepted domains created under the Organization Configuration – Hub Transport – Accepted Domains tab.
- ServiceBindingInformation will contain LDAP://Fourthcoffee.com (the Exchange 2007 resource forest).
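One way to check the accounts-forest SCP pointer described in the last tip against the authoritative accepted domains. This is an added example, not part of the original post; the domain controller name is hypothetical and the forest names are the ones used in this post.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on a Client Access server in the resource forest (Fourthcoffee.com).
$accountsDc     = 'dc01.nwtraders.com'   # hypothetical accounts-forest DC
$resourceForest = 'Fourthcoffee.com'
$cred = Get-Credential                   # account that can read the accounts forest

# SCP pointer in the accounts forest (DN as shown in the post).
$dn = "CN=$resourceForest,CN=Microsoft Exchange Autodiscover," +
      "CN=Services,CN=Configuration,DC=Nwtraders,DC=com"
$bindArgs = @("LDAP://$accountsDc/$dn",
              $cred.UserName,
              $cred.GetNetworkCredential().Password)
$scp = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $bindArgs

# "Domain=<name>" keywords currently published on the pointer.
$published = @($scp.psbase.Properties['keywords'] |
    Where-Object { $_ -like 'Domain=*' } |
    ForEach-Object { $_.Substring(7).ToLower() })

# Authoritative accepted domains defined in the Exchange organization.
$accepted = @(Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'Authoritative' } |
    ForEach-Object { $_.DomainName.ToString().ToLower() })

$missing = @($accepted  | Where-Object { $published -notcontains $_ })
$extra   = @($published | Where-Object { $accepted  -notcontains $_ })
$binding = [string]$scp.psbase.Properties['serviceBindingInformation'].Value

# The pointer should send clients to the resource forest and nowhere else.
if ($binding -ne "LDAP://$resourceForest") {
    Write-Warning "Unexpected serviceBindingInformation: '$binding'"
}
# Accepted domains without a keyword: the pointer is stale for those users.
if ($missing.Count -gt 0) {
    Write-Warning ("No Domain= keyword for: " + ($missing -join ', ') +
                   ". Re-run Export-AutodiscoverConfig.")
}
# Keywords with no matching accepted domain: review why they are published.
if ($extra.Count -gt 0) {
    Write-Warning ("Keyword without authoritative accepted domain: " +
                   ($extra -join ', '))
}
if ($binding -eq "LDAP://$resourceForest" -and
    $missing.Count -eq 0 -and $extra.Count -eq 0) {
    "SCP pointer matches the authoritative accepted domains."
}
```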
Common troubleshooting steps
1. Checking DNS name resolution. Since the PDC Emulator controls the trust relationship between the domains, check if the PDC emulator from each forest can ping the domain name.
- From PDC on Fourthcoffee.com ping nwtraders.com
- From PDC on Nwtraders.com ping Fourthcoffee.com (Exchange 2007 resource forest)
- From the Outlook 2007 client on Nwtraders.com ping Fourthcoffee.com
- DNS client configuration
- DNS server Primary, Secondary and Stub zones;
- DNS Forward and Root Hints options.
    Netdom trust trusted_domain_name /domain:trusting_domain_name /verify
    The trust between nwtraders.com and fourthcoffee.com has been successfully verified
    The command completed successfully.
3. Verify that the Master Account has full access to the Linked Mailbox, and check the SMTP address, using the Get-Mailbox and Get-MailboxPermission cmdlets. See How to Create a Linked Mailbox.
    Get-Mailbox <mailbox_user> | fl
    PrimarySmtpAddress   : Char@fourthcoffee.com
    RecipientType        : UserMailbox
    RecipientTypeDetails : LinkedMailbox
    IsLinked             : True
    LinkedMasterAccount  : NWTRADERS\Char

    Get-MailboxPermission <mailbox_user> | fl
    AccessRights    : {FullAccess, ExternalAccount}
    InheritanceType : All
    User            : NWTRADERS\Char
    Identity        : Fourthcoffee.com/Users/Char
4. To review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP) object for each Exchange 2007 Client Access server, you can use the ldifde.exe command, Adsiedit.msc, or the Get-ClientAccessServer cmdlet.
    Ldifde.exe -f scp.txt -d "CN=<cas_server>,CN=Autodiscover,CN=Protocols,CN=<cas_server>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=vandyr136711org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fourthcoffee,DC=com"

    Get-ClientAccessServer | fl *Auto*
    AutoDiscoverServiceCN          : CAS_SERVER
    AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
    AutoDiscoverServiceInternalUri : https://cas_server.fourthcoffee.com/Autodiscover/Autodiscover.xml
    AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
    AutoDiscoverSiteScope          : {Default-First-Site-Name}
Note: Keywords and ServiceBindingInformation
5. Review the Exchange certificate on the Client Access server using the Get-ExchangeCertificate command and verify the following attributes: CertificateDomains, Services, Status, IsSelfSigned, Issuer and Subject. For more details, see Autodiscover and Certificates.
    Get-ExchangeCertificate | fl
    CertificateDomains : {mail.fourthcoffee.com, TX136711-MS1, TX136711-MS1.fourthcoffee.com, Fourthcoffee.com, autodiscover.Fourthcoffee.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Fourthcoffee, DC=Fourthcoffee, DC=com
    Services           : IMAP, POP, IIS
    Status             : Valid
    Subject            : CN=mail.fourthcoffee.com
6. To review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP) object on the accounts forest, you can use the ldifde.exe command or Adsiedit.msc.
    Ldifde -f scp_account.txt -d "CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com"

    dn: CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com
    distinguishedName: CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com
    keywords: Domain=Nwtraders.com
    keywords: Domain=Fourthcoffee.com
    keywords: 67661D7F-8FC4-4fa7-BFAC-E1D7794C1F68
    serviceBindingInformation: LDAP://Fourthcoffee.com
7. Every time you create a new authoritative accepted domain under the Organization Configuration – Hub Transport – Accepted Domains tab, you have to run the Export-AutodiscoverConfig cmdlet. On an Exchange 2007 Client Access server in the source forest, run the following command to retrieve the credentials that you will use to run the Export-AutodiscoverConfig cmdlet:
    $a = Get-Credential
    Export-AutoDiscoverConfig -DomainController <FQDN> -TargetForestDomainController <String> -TargetForestCredential $a -MultipleExchangeDeployments $true
Related reading:
- White Paper: Exchange 2007 Autodiscover Service http://technet.microsoft.com/en-us/library/bb332063.aspx#HowtoConfigureExchangeServices
- How to Configure the Autodiscover Service for Multiple Forests http://technet.microsoft.com/en-us/library/aa996849(EXCHG.80).aspx
- How to Configure the Autodiscover Service to Use Site Affinity http://technet.microsoft.com/en-us/library/aa998575(EXCHG.80).aspx
- How to Configure the Autodiscover Service for Cross Forest Moves http://technet.microsoft.com/en-us/library/bb201665(EXCHG.80).aspx
- How to Deploy Exchange 2007 in an Exchange Resource Forest Topology http://technet.microsoft.com/en-us/library/aa998031.aspx
- Understanding Recipients http://technet.microsoft.com/en-us/library/bb201680(EXCHG.80).aspx
- How to Create a Linked Mailbox http://technet.microsoft.com/en-us/library/bb123524(EXCHG.80).aspx
- How to Convert a Mailbox to a Linked Mailbox http://technet.microsoft.com/en-us/library/bb201694.aspx
- Autodiscover and Certificates http://technet.microsoft.com/en-us/library/bb332063.aspx#ADAndCertificates
- Vandy Rodrigues
You Had Me at EHLO.