Offline Address Book web distribution in Exchange Server 2007


After installing Exchange Server 2007 with the Client Access Server or Unified Messaging role, some of you might have noticed a new process, MSExchangeFDS.exe. This is the Microsoft Exchange File Distribution Service, and it takes care of two independent but very similar tasks: on CAS servers it keeps the local OAB files in sync with the copy on the mailbox server, and on UM servers it distributes voice prompts. I'd like to explain the OAB part in detail.

Exchange Server 2007 supports a PF-free configuration, where there is no public folder database in the organization. In this scenario the PF distribution mechanism for OAB files is no longer available, so Outlook 2007 supports another way to obtain them: web distribution. As in previous versions, it is the duty of the MS Exchange System Attendant service running on Mailbox servers to generate OAB data, but now it also publishes the data files to the file share \\<MBXSERVER>\ExchangeOAB\ in <oabguid> subfolders (OAB V4 only; older OAB versions are still distributed only via PF). The set of files that belongs to a single OAB looks like this:

D:\>dir /b "\\XDIR144\ExchangeOAB\17dc7107-c684-4e03-a3f6-0b5806201546"
oab.xml
d021bc49-b8e2-4dc7-91ce-84859b292e6a-data-1.lzx
d021bc49-b8e2-4dc7-91ce-84859b292e6a-lng0401-1.lzx
d021bc49-b8e2-4dc7-91ce-84859b292e6a-lng0402-1.lzx
d021bc49-b8e2-4dc7-91ce-84859b292e6a-mac0401-1.lzx
d021bc49-b8e2-4dc7-91ce-84859b292e6a-mac0402-1.lzx
...

The FDS service running on each CAS server picks up these files from the file share and delivers them to the local web directory, usually named 'Oab' (e.g. https://df.microsoft.com/oab/), under an <oabguid> subfolder. As OAB data is periodically regenerated (once a day by default), FDS picks up new or updated files on its own schedule (by default it polls the share for changes every 8 hours). Outlook 2007 obtains a single URL that points to the XML index of data files, the OAB manifest, and from it is able to retrieve the data files. That URL is provided by the Autodiscover service and may look like this:

https://df.microsoft.com/oab/429837a8-95f8-44a7-86ab-b73a04333585/oab.xml

Oab.xml contains pointers to all files that belong to the OAB associated with the user's mailbox, including template files, the flat OAB and diffs, as well as related metadata (hashes, compressed and uncompressed sizes, language IDs and sequence numbers), which allows Outlook to locate and download the necessary files.

In the case of a slow link and/or intermittent connectivity, mail clients in a remote branch can pick up OAB files from the local CAS server rather than the remote mailbox server, minimizing redundant traffic over the uplink.

Changing default location of ExchangeOAB share on Mailbox server

As I mentioned earlier, System Attendant publishes OAB files to the \\<MBXSERVER>\ExchangeOAB share, which is by default mapped to %ProgramFiles%\Microsoft\Exchange Server\ExchangeOAB. If you are not comfortable with storing data files on the same partition as your executable files, you can re-map this share to another location. Make sure that the LocalSystem account has Full Control on both the new share and the folder, and that the "Exchange Servers" group has Read permission on them; otherwise web distribution will not work properly.

Configuring CAS server for web distribution

Check whether your CAS server has an OAB virtual directory, or distribution point (there can be zero or one OAB distribution point per CAS server):

[PS] D:\>get-OabVirtualDirectory -Server XDIR145

If it doesn't, create a new one:

[PS] D:\>new-OabVirtualDirectory -Server XDIR145

Server  Name                    Internal Url                    External Url
------  ----                    ------------                    ------------
XDIR145 OAB (Default Web Site)  http://xdir144.pdc-ytbgcr-...

Configuring OAB to be distributed by particular CAS server

In order to enable web distribution for a particular OAB, it has to generate a Version 4 OAB and be associated with one or more distribution points. Let's see what we have in our configuration:

[PS] D:\>Get-OfflineAddressBook | fl Name,Server,Versions,PublicFolderDistributionEnabled,WebDistributionEnabled,VirtualDirectories

Name                            : Default Offline Address Book
Server                          : XDIR144
Versions                        : {Version4}
PublicFolderDistributionEnabled : True
WebDistributionEnabled          : False
VirtualDirectories              : {}

OK, one OAB; version 4 is enabled, publishing to PF but not to the web. Let's find our distribution point:

[PS] D:\>$a=Get-OabVirtualDirectory -Server XDIR145

And now, enabling web distribution:

[PS] D:\>Set-OfflineAddressBook "Default Offline Address Book" -Versions Version4 -VirtualDirectories $a

Please note that more than one version can be enabled, and more than one OAB virtual directory can distribute a single OAB, so you might need to change that line to preserve the previous values.

To verify the changes, generate OAB data (if the OAB has been generating version 4 data before, content replication started immediately after the Set-OfflineAddressBook task finished, so you can skip the first two steps):

[PS] D:\>Update-OfflineAddressBook "Default Offline Address Book"

Give it some time to generate (wait for event 9107 on the OABGen server) and then force synchronization:

[PS] D:\>Update-FileDistributionService XDIR145 -Type OAB

Give it some time for replication (wait for event 1008 from MSExchangeFDS on the CAS server) and inspect the folder %SystemDrive%\Program Files\Microsoft\Exchange Server\Mailbox\OAB: the <OABGuid> subfolder content should be identical to \\<MailboxServer>\ExchangeOAB\<OABGuid>.
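The verification steps above, automated as an added example (not code from the original post): it triggers generation, waits for event 9107 and then 1008, and compares the share and the CAS copy by file hash rather than by eye. The server names, OAB name and CAS folder path are assumptions taken from the post's own values; the 9107 event source is not filtered because the post does not name it.

```powershell
# Added example, not from the original post. Assumes the Exchange 2007 Management Shell on the
# CAS server and the server names, OAB name and folder path used in the post above.
param(
    [string]$OabName    = "Default Offline Address Book",
    [string]$MbxServer  = "XDIR144",
    [string]$CasServer  = "XDIR145",
    [string]$CasOabRoot = "$env:SystemDrive\Program Files\Microsoft\Exchange Server\Mailbox\OAB",
    [int]$TimeoutMin    = 30
)

# Poll the Application log on $Computer until an event with $EventId (and $Source, if given)
# logged after $Since shows up, or give up after $TimeoutMin minutes.
function Wait-ForEvent([string]$Computer, [int]$EventId, [string]$Source, [datetime]$Since, [int]$TimeoutMin) {
    $deadline = (Get-Date).AddMinutes($TimeoutMin)
    do {
        $hit = Get-EventLog -LogName Application -ComputerName $Computer -Newest 500 |
               Where-Object { $_.EventID -eq $EventId -and $_.TimeGenerated -gt $Since -and
                              ($Source -eq '' -or $_.Source -eq $Source) }
        if ($hit) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# SHA-256 of every file in a folder, keyed by file name, so share and local copy are compared
# byte-for-byte rather than by name or timestamp.
function Get-FolderHashes([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $table = @{}
    foreach ($f in (Get-ChildItem $Path | Where-Object { -not $_.PSIsContainer })) {
        $table[$f.Name] = [BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($f.FullName)))
    }
    return $table
}

$start = Get-Date
$oab   = Get-OfflineAddressBook $OabName
Update-OfflineAddressBook $oab
if (-not (Wait-ForEvent $MbxServer 9107 '' $start $TimeoutMin)) { throw "Event 9107 (OAB generated) not seen on $MbxServer" }

$start = Get-Date
Update-FileDistributionService $CasServer -Type OAB
if (-not (Wait-ForEvent $CasServer 1008 'MSExchangeFDS' $start $TimeoutMin)) { throw "Event 1008 (FDS sync) not seen on $CasServer" }

# Compare the mailbox-server share with the CAS copy for this OAB's GUID subfolder.
$guid     = $oab.Guid.ToString()
$source   = Get-FolderHashes "\\$MbxServer\ExchangeOAB\$guid"
$local    = Get-FolderHashes (Join-Path $CasOabRoot $guid)
$problems = @()
foreach ($name in $source.Keys) {
    if (-not $local.ContainsKey($name))       { $problems += "missing on CAS: $name" }
    elseif ($local[$name] -ne $source[$name]) { $problems += "hash mismatch: $name" }
}
foreach ($name in $local.Keys) { if (-not $source.ContainsKey($name)) { $problems += "stale file on CAS: $name" } }
if ($problems.Count -eq 0) { "OK: $($source.Count) files in $guid are identical on $MbxServer and $CasServer" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```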

Changing poll interval and external URL

If the default 8-hour polling interval doesn't work well for you, e.g. the OAB is generated more often, or connectivity to the mailbox server is only available on a schedule, you can change it via the PollInterval property of the OABVirtualDirectory object, in minutes:

[PS] D:\>Get-OabVirtualDirectory| Set-OabVirtualDirectory -pollinterval 30

Note that this setting is per distribution point, i.e. the change will affect all OABs distributed by the given CAS server. The cost of setting it too short: on each poll FDS downloads the OAB manifest, a file of about 20K (depending on the number of ALs in the OAB and the number of supported languages).

Depending on the particular network configuration and DNS settings, administrators might need intranet and extranet users to access the OAB virtual directory using different URLs. This can be achieved with the command:

[PS] D:\>Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl https://xdir145.pdc-ytbgcr-dom.extest.microsoft.com/ -ExternalUrl https://oab.microsoft.com/

Make sure you have properly configured DNS and SSL. To test web access you can use a web browser: just navigate to https://<servername>/oab/<OABGuid>/oab.xml. If web distribution is configured properly, you will see the content of the XML file.

Controlling access to OAB data

With a freshly created OAB object, all authenticated users can access it at each distribution point (after it is generated and distributed). This is controlled by the extended right Download-OAB, and by default this right is inherited from the OAB container:

[PS] D:\>$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com"

[PS] D:\>get-adpermission $container -user "NT AUTHORITY\Authenticated Users"| where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

User                : NT AUTHORITY\Authenticated Users
Identity            : Offline Address Lists
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Download-OAB}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

To restrict access to a particular OAB, administrators should stamp this extended right ACE on each OAB object in AD and remove the inherited permission for Authenticated Users. The example below illustrates how to make two OABs, OAB1 and OAB2, accessible to Group1 and Group2 respectively:

First, get the OAB and OAB container DNs and remove the default permission ACE from the container object:

[PS] D:\>$oab1 = Get-OfflineAddressBook OAB1

[PS] D:\>$oab2 = Get-OfflineAddressBook OAB2

[PS] D:\>$oab1.DistinguishedName

CN=OAB1,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com

[PS] D:\>$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com"

[PS] D:\>remove-adpermission $container -user "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

Now, add specific permissions to your security groups:

[PS] D:\>add-adpermission $OAB1.DistinguishedName -user 'Group1' -extendedrights 'ms-Exch-Download-OAB' -Deny:$false

[PS] D:\>add-adpermission $OAB2.DistinguishedName -user 'Group2' -extendedrights 'ms-Exch-Download-OAB' -Deny:$false

Make sure everything looks as expected:

[PS] D:\>get-adpermission $OAB1.DistinguishedName | where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

[PS] D:\>get-adpermission $OAB2.DistinguishedName | where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

Redistribute the content and re-stamp the files with the new permissions (optional; this will happen automatically on the next poll):

[PS] D:\>Get-ClientAccessServer | Update-FileDistributionService -type oab

FDS will translate the Download-OAB ACE into Read permission on the <OABGuid> folder on the Client Access Server. Don't try to change permissions on that folder manually: they will be overwritten by FDS on the next poll.

Please remember that from this point on you will need to manually assign permissions for all OAB objects in the org.
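An added audit script, not part of the original post, that lists who holds ms-Exch-Download-OAB on the container and on every OAB and warns about OABs that nobody could download once the inherited Authenticated Users ACE is gone. It assumes the Exchange Management Shell and the cmdlets used above, and derives the container DN from an OAB DN instead of hard-coding it.

```powershell
# Added example, not part of the original post. Assumes the Exchange 2007 Management Shell and
# the cmdlets shown above (Get-OfflineAddressBook, Get-ADPermission); no names are hard-coded.

# One row per ACE carrying the Download-OAB extended right on the given AD object.
function Get-OabDownloadAces([string]$Identity) {
    Get-ADPermission $Identity |
        Where-Object { $_.ExtendedRights -match 'ms-Exch-Download-OAB' } |
        Select-Object @{n='Object'; e={$Identity}}, User, Deny, IsInherited
}

# The container DN is an OAB DN minus its first RDN; the regex skips backslash-escaped
# characters so an OAB whose name contains a comma is not split in the wrong place.
function Get-OabContainerDn([string]$OabDn) {
    return $OabDn -replace '^CN=(?:[^,\\]|\\.)+,', ''
}

$oabs = @(Get-OfflineAddressBook)
if ($oabs.Count -eq 0) { throw "No offline address books found in the organization" }
$containerDn = Get-OabContainerDn $oabs[0].DistinguishedName

Write-Host "Download-OAB ACEs on container: $containerDn"
$containerAces = @(Get-OabDownloadAces $containerDn)
$containerAces | Format-Table User, Deny, IsInherited -AutoSize
if ($containerAces | Where-Object { $_.User -like '*Authenticated Users' -and -not $_.Deny }) {
    Write-Warning "Authenticated Users still hold Download-OAB on the container; every OAB inherits it."
}

foreach ($oab in $oabs) {
    $aces     = @(Get-OabDownloadAces $oab.DistinguishedName)
    $allows   = @($aces | Where-Object { -not $_.Deny })
    $denies   = @($aces | Where-Object { $_.Deny })
    $explicit = @($allows | Where-Object { -not $_.IsInherited })
    $who = [string]::Join(', ', [string[]]@($allows | ForEach-Object { [string]$_.User }))
    Write-Host ("OAB '{0}' (IsDefault={1}) allowed: [{2}] deny ACEs: {3}" -f $oab.Name, $oab.IsDefault, $who, $denies.Count)

    if ($allows.Count -eq 0) {
        Write-Warning "  '$($oab.Name)': nobody holds Download-OAB; cached-mode Outlook users assigned to it cannot download it."
    } elseif ($explicit.Count -eq 0) {
        Write-Warning "  '$($oab.Name)': relies only on the inherited container ACE; add an explicit grant before removing it."
    }
    # Comment 12 below notes that an over-restricted default OAB breaks new profile creation.
    if ($oab.IsDefault -and -not ($allows | Where-Object { $_.User -like '*Authenticated Users' })) {
        Write-Warning "  '$($oab.Name)' is the default OAB and Authenticated Users cannot download it; new Outlook profiles may fail."
    }
}
```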

- Vladimir Kritchko

Comments (17)
  1. dazed&confused says:

    I am currently debating with myself whether or not to implement an Exchange server for my company. I have to pitch the idea relatively soon, there is just one stumbling block… We would be replacing ACT contact manager which is a shared contact database that resides on our server. My question is….does Exchange have a shared "database" or address book that all users can see, modify & add to? Our database is at about 10,000 contacts, if Exchange does have a shared address book how many contacts will it hold?

  2. Vladimir Kritchko says:

    You can create "Org contacts" folder of Contacts type in Outlook and share it for the whole organization. You can provide permissions for adding, editing and deleting new items to particular groups of users. 10K contacts should be manageable by Exchange.

  3. paul silverstein says:

    Having issues that nobody seems to know about.

    If we have 2 Address books and 2 security groups

    How can we make one address book only visible to one group, and the same for the other?

    I have done it in 2003, but can't figure it on 2007?!?

  4. Vladimir Kritchko says:

    The easiest way to achieve it is to follow these steps.

    First, you have to get OAB container DN and remove default permission ACE from this object:

    >$oab1 = Get-OfflineAddressBook OAB1

    >$oab2 = Get-OfflineAddressBook OAB2

    >$oab1.DistinguishedName

    CN=OAB1,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com

    >$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com"

    >remove-adpermission $container -user "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

    Now, add specific permissions to your security groups:

    >add-adpermission $OAB1.DistinguishedName -user 'Group1' -extendedrights 'ms-Exch-Download-OAB' -Deny:$false

    >add-adpermission $OAB2.DistinguishedName -user 'Group2' -extendedrights 'ms-Exch-Download-OAB' -Deny:$false

    Make sure everything looks as expected:

    >get-adpermission $OAB1.DistinguishedName | where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

    >get-adpermission $OAB2.DistinguishedName | where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

    Redistribute content and re-stamp files with new permissions:

    >Get-ClientAccessServer | Update-FileDistributionService -type oab

    Please remember however, that from now on you will need to manually assign permissions for new OAB objects.

  5. paul silverstein says:

    Thanks Vladimir Kritchko,

    I followed your steps, and verified the permissions took effect.  

    However, when I logon via OWA, I still see all the address books.

    If I attempt to logon using Outlook 2007 with an existing profile, and see all the address books.  If I try to create a new profile, Outlook 2007 can no longer connect to Exchange and I cannot use it.

    When I reset the permissions, Outlook 2007 works as expected.

    FYI I am using Exchange 2007 Beta 2.  Are you trying this in a newer release?

  6. Exchange says:

    We have edited the original post to add additional information that came up in comments; thank you!

  7. paul silverstein says:

    Sorry if I was unclear.  I have performed the above steps and it does not work.  All address books are still available to anybody.

  8. Vladimir Kritchko says:

    When you logon via OWA, you see Address Lists, not Offline Address Books. The same applies to Outlook in Online mode. Outlook in cached mode.

    I am setting up the repro configuration and will provide more comments when I am done.

  9. Vladimir Kritchko says:

    …Only Outlook in cached mode uses OAB…

  10. Vladimir Kritchko says:

    In order to download the right OAB, Outlook 2007 consults Autodiscovery service. This service looks up user’s Mailbox for OfflineAddressBook property. If this is not set, it looks up Mailbox database for this mailbox and checks its OfflineaddressBook property. If this is empty as well, it returns OAB that has IsDefault= true. After download is complete, only address lists in this OAB are available for search (as long as Outlook is in cached mode).

  11. paul silverstein says:

    I am not clear what we are doing different, but it's not working.  Can anybody else get this working?

    I am running Exchange 2007 beta 2.  I am using Outlook 2007 in cached mode.

    I create 2 users and put them each in different dynamic groups.  I create 2 security groups and put each dynamic group into their respective security group.

    I then create an AddressList for each company and include all recipients for their company (by filter)

    I then create an OfflineAddressBook for each company based upon the addresslist above.

    I run the Set-Mailbox [username] -OfflineAddressBook and point it to their respective address book.

    I then run your commands listed above.  I even use ADSI edit and check the permissions and see it took effect as expected.  I then reboot my Exchange 2007 server to make sure everything is clean and starts fresh.

    Now, I create a new profile for one of my users and set it in Cached mode.  I then launch Outlook 2007 and it asks for username/password which I enter for this user.  It launches Outlook and on the top bar I click on Address book.  It lists the Outlook Address Books and Contacts underneath.  Then it lists Global Address lists, then it has All Address Lists, which contain BOTH company address lists I have created.

    I need this to work for all users, independent if they are in cached mode or not.  I understand this website is directly talking about OAB, so if we can get that to work, then I am at least 1/2 way there.

    I cannot find anybody anywhere who can make this happen, including Microsoft employees on the Exchange team I met at a conference a few weeks back.  Did Microsoft forget to add this functionality, if not, what am I missing in my steps above?

  12. Dave Goldman [MSFT] says:

    1. If you are trying to create a new profile and that user does not have the correct access or is hidden from the GAL they will get a bookmark failure when you are trying to do a check names during the profile creation process. This is one problem with self hosting as you have to manually change the permissions to suit your needs all the time. If you are too restrictive with the acls on the Default Offline Address Book users will not be able to create a profile.

    2. When you are using OWA you are talking directly to the GAL and not using the OAB files that have been filtered and downloaded to the client.

    Your comment: Now, I create a new profile for one of my users and set it in Cached mode.  I then launch Outlook 2007 and it asks for username/password which I enter for this user.  It launches Outlook and on the top bar I click on Address book.  It lists the Outlook Address Books and Contacts underneath.  Then it lists Global Address lists, then it has All Address Lists, which contain BOTH company address lists I have created.

    Dave – You still have to modify the permissions to remove the OAB from Outlook so it is not seen by the users. When Outlook starts up it has its own logic for building the list of OABs that are going to be displayed by the address book provider.

  13. paul silverstein says:

    Thanks Dave

    Can you give the cmdlet(s) to modify permissions to remove an OAB from Outlook, so it's not seen by users?

  14. Robert Aleck says:

    Are you going to include better diagnostic tools for OAB generation – I know you can use set-eventloglevel to set logging for OAB generation to ‘expert’, but that doesn’t really add much. I’m getting this error:

    OALGen only supports alphanumeric and space characters on the offline address name. The offline address list is not going to be published.

    – /o=cynexia/cn=addrlists/cn=oabs/cn=Offline Address Book

    in our test environment. There is only one account with a mailnickname, and an LDAP query using the purportedSearch attribute of the GAL shows this account and the 2 system mailboxes. I’ve looked at the mailuser object, but can’t see anything. Diagnostic logging, including all compared attributes, values returned by LDAP queries etc.

  15. Robert Aleck says:

    Sorry – forgot to mention – this is an E2K7 environment, OAB generation is running on a CCR pair.

  16. Dave Goldman says:

    OABInteg has been out for a while and it will do all of this for you. I am working on the portions for Exchange 2007. This will test almost every aspect of the OAB Generation process. The most useful test is the oabinteg.exe /s:serverName /t:proxytest /v:2. You can download a copy of the tool from here:

    http://gotdotnet.com/Community/UserSamples/Download.aspx?SampleGuid=A2338E73-F521-4071-9B1D-AAF49C346ACD

    For more information about the OABInteg tool, see the OABInteg-UserGuide.doc file that is included with the OABInteg tool. The OABInteg-UserGuide.doc file contains details about each test. Additionally, the OABInteg-UserGuide.doc file contains information about display functionality and display counters.

    The problem you are having is specifically related to active directory permissions. I am not sure if you changed any permissions or not but in order for this to work you need the following:

    1. The "Exchange Enterprise servers" group in each domain needs to be given rights to open the default Global Address List

    2. The Everyone and Authenticated User groups have to have the following access (Read, List Contents, Open Address List)

    Dave

  17. Anonymous says:

     Outlook 2007 is the latest version of the e-mail client for accessing an Exchange mailbox. To make…
