ECP Redirect to url for exchange server in another AD Site


I'm working with a client who has been having an issue with ECP for a few years now, but it has become a much larger problem recently. All mailboxes have been moved to O365 and we therefore changed autodiscover to point to autodiscover.outlook.com (this is important). We have no mailboxes on-prem as the servers are licensed with a Hybrid license and having mailboxes homed on-prem would be out of license compliance (also important).

From the Exchange server in the AD Site "LA", when I try to go to the ECP using https://localhost/ecp or https://IPADDRESS/ecp or https://webmail.domain.com/ecp I get redirected to https://autodiscover.domain.com.au/ecp. This worked (but was really really slow) up until we changed autodiscover.domain.com.au to point to autodiscover.outlook.com. Now we can't access the ECP at all.

The Exchange server was a brand new installation in February. And this has been happening on all their Exchange servers for a few years at least. They have 2 Exchange 2013 servers in the environment that will be decommissioned soon (these servers are in a different AD Site than the LA server) and 2 Exchange 2016 CU15 servers (one in each of the AD Sites).

If my admin account had a mailbox homed on-prem, I would be able to use the webmail.domain.com URL and it would not redirect.  But due to licensing compliance, keeping a server on-prem is not an option.  We have looked all through IIS and cannot find any redirects, and certainly did not configure any when we installed Exchange.  When we installed the other new 2016 server, we immediately had the same redirect with no configuration changes post installation.  So this appears to be at an organization level, but I don't see anything glaringly obvious with "Get-OrganizationConfig | FL".  I see nothing in the web.config files.  I don't know where to look next.

4 Replies

Hello @Raechel Moermond 

If I understand correctly, you want to reach your ECP URL on the on-prem Hybrid, but without luck.

Have you checked that the ECP virtual directories for the INTERNAL URL are correct (the URL you try to reach, basically)? Also important: did you check that the OWA URL matches the ECP URL, also internal?

And finally, whatever URL the ECP is, e.g. https://hybrid.au.someone.com/ecp, the FQDN must be included on your certificate, or at least a wildcard certificate for the domain should exist.

A common mistake also is the DAG. Remember the DAG is NOT the CAS endpoint; just a reminder here, maybe it switches something. It really gets me, though, that it is an issue that has been going on for a long time... Don't fear to change the Exchange and have a look at your ECP virtual directories in relation to OWA. You can also recreate them without messing anything up at all, and to tell you the truth it is not a common thing to point to the autodiscover endpoint. Use a DNS-resolvable FQDN, and avoid server names.


@Raechel Moermond 

I need to know a few things about your current configuration of virtual directories. You can simply run the below cmdlets in the Exchange Management Shell and let me know the config, so I can help you with this.

Note:

Make sure you replace your domain name with something similar like "Contoso.Com" before you post your configs. You can simply use find/replace and replace "myactualdomain.org" with "Contoso.Com" in Notepad, and post the results here. Other things in the generated output are not sensitive info, so relax.

Start-Transcript dvconflog.txt
Get-EcpVirtualDirectory | fl server, Name, *URL*, *auth*
Get-OwaVirtualDirectory | fl server, Name, *URL*, *auth*
Get-ClientAccessService | fl Name, OutlookAnywhereEnabled, AutodiscoverServiceInternalUri
Get-ClientAccessArray | fl
Get-ExchangeServer | fl *version*
Stop-Transcript
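
The redaction step the note above describes, as an added PowerShell example that is not part of the original reply: it swaps the domain for Contoso.Com and also blanks the account and host fields that Start-Transcript writes into the file header. The function name, the redacted output file name and the sample lines are hypothetical and constructed for illustration.

```powershell
# Added example, not from the thread. Protect-TranscriptText is a hypothetical
# helper name; dvconflog.txt, myactualdomain.org and Contoso.Com come from the post.
function Protect-TranscriptText {
    param(
        [Parameter(Mandatory)] [string[]] $Line,
        [Parameter(Mandatory)] [string]   $RealDomain,
        [string] $Placeholder = 'Contoso.Com'
    )
    # Case-insensitive match of the domain, including when a host label precedes it.
    $domainRx = '(?i)\b' + [regex]::Escape($RealDomain) + '\b'
    # Header fields written by Start-Transcript that name the account and the host.
    $headerRx = '^(Username|RunAs User|Machine|Host Application)\s*:'

    foreach ($l in $Line) {
        if ($l -match $headerRx) {
            # Keep the field name, drop its value.
            $l -replace ':.*$', ': [redacted]'
        } else {
            $l -replace $domainRx, $Placeholder
        }
    }
}

# Constructed sample of what dvconflog.txt could contain (not real output).
$sample = @(
    'Username: MYACTUALDOMAIN\exadmin'
    'Machine: LA-EX01 (Microsoft Windows NT 10.0.14393.0)'
    'Server      : LA-EX01'
    'InternalUrl : https://la-ex01.myactualdomain.org/ecp'
    'ExternalUrl : https://autodiscover.MyActualDomain.org/ecp'
)
$clean = Protect-TranscriptText -Line $sample -RealDomain 'myactualdomain.org'
$clean

# Fail loudly if the real domain survived anywhere in the result.
if ($clean -match 'myactualdomain\.org') { throw 'Domain still present after redaction' }

# Against the real transcript, writing to a new file so the original is kept:
# Protect-TranscriptText -Line (Get-Content .\dvconflog.txt) -RealDomain 'myactualdomain.org' |
#     Set-Content .\dvconflog.redacted.txt
```

Server names in the `Server` and URL fields are left in place by this function; extend `$domainRx` handling the same way if host names also need a placeholder.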

 

 


@KonstantinosPassadis 

 

There is no DAG, so that's not a concern. On the LA server, all internal URLs are set to the server name (https://server.fqdn/ecp, https://server.fqdn/owa, etc.). On the old NZ server and the old AU server (that will be decommissioned), the internal URLs are set to the server name and the external URLs are set to autodiscover.domain.com.au. The new NZ server is set like the LA server - internal URLs only.

@behrooz amiri 

I'm running those commands now, but it will take a long time as the Exchange servers are in different AD sites and there seems to be some trouble getting the NZ and AU Exchange settings in a timely manner from the LA server.


@behrooz amiri 

I've attached the output. I'm currently recreating the virtual directories. We'll see what that does.

Edit to add: recreating the virtual directories did absolutely nothing for me, as I expected. I've also tried "https://usmail.domain.com/ecp", which is now pointing to the LA server, and it all redirects to https://autodiscover.domain.com.au. It simply doesn't matter where I start, what server, or what browser I use; something above the server level (since these are new servers and even localhost redirects) is redirecting ECP.