Offline Address Book web distribution in Exchange Server 2007

After installing Exchange Server 2007 with Client Access Server or Unified Messaging roles some of you might have noticed a new process - MSExchangeFDS.exe started. This is the Microsoft Exchange File Distribution Service, and it takes care of two independent but very similar tasks - on CAS servers it keeps local OAB files in sync with copy on the mailbox server, and on UM servers it distributes voice prompts. I'd like to explain in details the OAB part.

Exchange Server 2007 supports PF-free configuration, where there is no public folders database in the organization. In this scenario PF distribution mechanism for OAB files is no longer available, so Outlook 2007 supports another way to obtain them, web distribution. As in previous versions, it is a duty of MS Exchange System Attendant service running on Mailbox servers to generate OAB data, but now it also publishes data files to file share \\<MBXSERVER>\ExchangeOAB\ in <oabguid>subfolders (OAB V4 only, older OAB versions are still distributed only via PF). The set of files that belongs to a single OAB looks like this:

D:\>dir /b "\\XDIR144\ExchangeOAB\17dc7107-c684-4e03-a3f6-0b5806201546"

oab.xml

d021bc49-b8e2-4dc7-91ce-84859b292e6a-data-1.lzx

d021bc49-b8e2-4dc7-91ce-84859b292e6a-lng0401-1.lzx

d021bc49-b8e2-4dc7-91ce-84859b292e6a-lng0402-1.lzx

d021bc49-b8e2-4dc7-91ce-84859b292e6a-mac0401-1.lzx

d021bc49-b8e2-4dc7-91ce-84859b292e6a-mac0402-1.lzx

...

The FDS service running on each CAS server picks up these files from the file share and delivers them to the local web directory, usually named 'Oab' (e.g. https://df.microsoft.com/oab/), under <oabguid>subfolder. As an OAB data is periodically regenerated (once a day by default), FDS picks up new or updated files on its own schedule (by default it polls share for changes every 8 hours). Outlook 2007 obtains a single URL that points to the xml index of data files, or OAB manifest, and be able to retrieve data files. That URL is provided by Autodiscover service and may look like this:

https://df.microsoft.com/oab/429837a8-95f8-44a7-86ab-b73a04333585/oab.xml

Oab.xml contains pointers to all files that belong to OAB associated with user's mailbox, including template files, flat OAB and diffs, as well as related metadata - hashes, compressed and uncompressed sizes, languageID and sequence numbers, which allows Outlook to locate and download necessary files.

In case of slow link and/or intermittent connectivity, mail clients in the remote branch could pick up OAB files from local CAS server rather than remote mailbox server, therefore minimizing redundant traffic over uplink.

Changing default location of ExchangeOAB share on Mailbox server

As I mentioned earlier, System Attendant publishes OAB files to \\<MBXSERVER>\ExchangeOAB share, which is by default mapped to %ProgramFiles%\Microsoft\Exchange Server\ExchangeOAB. If you are not comfortable with storing data files on the same partition as your executable files, you can re-map this share to another location. Make sure that LocalSystem account has full access to both new share and folder, and "Exchange Servers" group has Read permissions to them, otherwise web distribution will not properly.

Configuring CAS server for web distribution

Check if your CAS server has OABVirtualDirectory, or distribution point (there can be zero or one OAB distribution points created per CAS server):

[PS] D:\>get-OabVirtualDirectory -Server XDIR145

If it doesn't, create the new one:

[PS] D:\>new-OabVirtualDirectory -Server XDIR145

Server Name Internal Url External Url

--- - --- ---

XDIR145 OAB (Default Web Site) http://xdir144.pdc-ytbgcr-...

Configuring OAB to be distributed by particular CAS server

In order to enable web distribution for a particular OAB, it has to generate Version 4 OAB and be associated with one or more distribution point. Let's see what we have in our configuration:

[PS] D:\>Get-OfflineAddressBook | fl Name,Server,Versions,PublicFolderDistributionEnabled,WebDistributionEnabled,VirtualDirectories

Name : Default Offline Address Book

Server : XDIR144

Versions : {Version4}

PublicFolderDistributionEnabled : True

WebDistributionEnabled : False

VirtualDirectories : {}

Ok, one OAB, version 4 is enabled, publishing to PF but not to web. Let's find our distribution point:

[PS] D:\>$a=Get-OabVirtualDirectory -Server XDIR145

And now, enabling web distribution:

[PS] D:\>Set-OfflineAddressBook "Default Offline Address Book" -Versions Version4 -VirtualDirectories $a

Please note that more than one version can be enabled, and more than one OAB virtual directory can distribute single OAB, so you might need to change that line to sustain previous values.

To verify changes generate OAB data (if OAB has been generating version 4 data before, content replication started immediately after Set-OfflineAddressBook task has finished, so you can skip first two steps):

[PS] D:\>Update-OfflineAddressBook "Default Offline Address Book"

Give some time to generate (wait for event 9107 on the OABGen server) and force synchronization:

[PS] D:\>Update-FileDistributionService XDIR145 -Type OAB

Give it some time for replication (wait for event 1008 from MSExchangeFDS on CAS server) and inspect folder %SystemDrive%\Program Files\Microsoft\Exchange Server\Mailbox\OAB - <OABGuid>subfolder content should be identical to \\<MailboxServer>\ExchangeOAB\<OABGuid>.

Changing poll interval and external URL

If default 8-hr polling interval doesn't work well for you, e.g. oab is generated more often, or the connectivity to the mailbox is scheduled, you can change it as PollInterval property on OABVirtualDirectory object, in minutes:

[PS] D:\>Get-OabVirtualDirectory| Set-OabVirtualDirectory -pollinterval 30

Note that this setting is per distribution point, i.e. that change will affect all OABs distributed by given CAS server. The implication of setting it too short - on each poll FDS downloads oab manifest, file about 20K in size (depending on number of ALs in OAB and number of supported languages).

Depending on particular network configuration and DNS settings, administrators might need to have intranet and extranet users access the OAB virtual directory using a different URL. It can be achieved by command:

[PS] D:\>Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl https://xdir145.pdc-ytbgcr-dom.extest.microsoft.com/ -ExternalUrl https://oab.microsoft.com/

Make sure you have properly configured DNS and SSL. To test web access you can use web browser, just navigate to https://<servername>/oab/<OABGuid>/oab.xml. If web distribution is configured properly, you will be able to see the content of xml file.

Controlling access to OAB data

With a freshly coined OAB object, all authentica ted users can access it in each distribution point (after it is generated and distributed). This is controlled by extended right Download-OAB and by default this right is inherited from OAB container:

[PS] D:\>$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com"

[PS] D:\>get-adpermission $container -user "NT AUTHORITY\Authenticated Users"| where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

User                : NT AUTHORITY\Authenticated Users

Identity            : Offline Address Lists

Deny                : False

AccessRights        : {ExtendedRight}

ExtendedRights      : {ms-Exch-Download-OAB}

IsInherited         : False

Properties          :

ChildObjectTypes    :

InheritedObjectType :

InheritanceType     : All

To restrict access to particular OAB administrators should stamp this Extended Right ACE on each OAB object in AD, and remove inherited permission for Authenticated Users. An example below illustrates how to make two OABs, OAB1 and OAB2, accessible for Group1 and Group2 respectively:

First, get OABs and OAB container DNs and remove default permission ACE from container object:

[PS] D:\>$oab1 = Get-OfflineAddressBook OAB1

[PS] D:\>$oab2 = Get-OfflineAddressBook OAB2

[PS] D:\>$oab1.DistinguishedName

CN=OAB1,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com

[PS] D:\>$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com"

[PS] D:\>remove-adpermission $container -user "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

Now, add specific permissions to your security groups:

[PS] D:\>add-adpermission $OAB1.DistinguishedName -user 'Group1' -extendedrights 'ms-Exch-Download-OAB' -Deny:$false

[PS] D:\>add-adpermission $OAB2.DistinguishedName -user 'Group2' -extendedrights 'ms-Exch-Download-OAB' -Deny:$false

Make sure everything looks as expected:

[PS] D:\>get-adpermission $OAB1.DistinguishedName | where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

[PS] D:\>get-adpermission $OAB2.DistinguishedName | where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

Redistribute content and re-stamp files with new permissions (optional, this will happen automatically on the next poll):

[PS] D:\>Get-ClientAccessServer | Update-FileDistributionService -type oab

FDS will translate "Download-OAB" ACE to Read permission for <OABGuid> folder on Client Access Server. Don't try to change permissions on that folder manually - they will be overwritten by FDS on the next poll.

Please remember that from this point you will need to manually assign permissions for all OAB objects in the org.

- Vladimir Kritchko