Configuration tips and common troubleshooting steps for multiple forest deployment of Autodiscover service


Overview

The Autodiscover service for Microsoft Exchange Server 2007 provides automatic profile configuration for Microsoft Office Outlook 2007 clients that are connected to your Exchange messaging environment.

When you install the Client Access server (CAS) role on a computer running Exchange 2007, a new virtual directory is created under the Default Web Site in Internet Information Services (IIS). In Active Directory, a Service Connection Point (SCP) object is created that allows all domain-connected clients running Outlook 2007 to query Active Directory and configure the Outlook profile automatically.

Many organizations have complex topologies with multiple forests, where Exchange runs in a resource forest and the user accounts for the organization live in a separate accounts forest. In the multiple trusted forest scenario, the user accounts and Microsoft Exchange are deployed in multiple forests. Exchange 2007 features such as the Availability service and Unified Messaging rely on the Autodiscover service to access user accounts across forests. In this scenario, the Autodiscover service must be available to users across multiple trusted forests.

The intention of this post is not to explain how Autodiscover works, how to implement it for multiple forests, or how to troubleshoot every scenario. It is a brief, practical list of tips for use during the deployment, and it covers some common examples and methods to resolve issues.

For more details on how Exchange 2007 Autodiscover works and on deployment considerations, see the white paper: Exchange 2007 Autodiscover Service and Deployment Considerations for the Autodiscover Service

Configuration tips

These tips assume that Exchange 2007 is installed in the Fourthcoffee.com Exchange 2007 resource forest and that the user accounts are located in the Nwtraders.com accounts forest.

1. Verify that DNS name resolution works between the Exchange 2007 resource forest and the accounts forest.

2. A one-way outgoing trust relationship is required between the Exchange 2007 forest and the accounts forest. Test the trust relationship between the forests. For detailed steps, see Create a one-way, outgoing, forest trust for both sides of the trust.

3. Verify that the mailbox you are testing is a Linked Mailbox (a mailbox that is assigned to an individual user in a separate, trusted forest), that the user from the accounts domain has full access to it, and that you are testing the correct SMTP address configured for the mailbox. See Understanding Recipients.

4. Review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP) object for each Exchange 2007 Client Access server.

CN=<CAS_SERVER>,CN=Autodiscover,CN=Protocols,CN=<CAS_SERVER>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<ORG>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fourthcoffee,DC=com

  • Keywords contains by default the name of the Active Directory site in which the Client Access server resides. The Keywords attribute controls site affinity and helps Outlook 2007 find the best CAS.
  • ServiceBindingInformation contains by default the Autodiscover URL https://cas_server.domain/autodiscover/autodiscover.xml

5. When you install the Client Access role, a self-signed certificate is installed by default which has a common name that maps to the NETBIOS name of the server. The self-signed certificate also includes the FQDN of the server as an additional DNS name that is stored in the certificate's Subject Alternative Name field. This enables domain-connected clients to successfully connect to the Autodiscover service without receiving any certificate warnings if the certificate has not expired and the FQDN of the server you are connecting to is stored in the Subject Alternative Name of the certificate. For details see: Autodiscover and Certificates

6. After you run the Export-AutoDiscoverConfig cmdlet, make sure that all Service Connection Point objects were created in the accounts forest (Nwtraders.com).

CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com

7. Review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP) object in the accounts forest (Nwtraders.com).

  • Keywords in this case should contain the SMTP address space of every authoritative accepted domain created under Organization Configuration – Hub Transport – Accepted Domains tab.
  • ServiceBindingInformation will contain LDAP://Fourthcoffee.com (the Exchange 2007 resource forest).

8. From the Outlook 2007 client in the accounts forest (Nwtraders.com), verify that you can connect to port 389 of the Exchange 2007 resource forest. Example: Telnet Fourthcoffee.com 389.

9. From the Outlook 2007 client in the accounts forest (Nwtraders.com), confirm that you are able to open the Autodiscover URL from the ServiceBindingInformation attribute in tip 4 (https://cas_server.domain/autodiscover/autodiscover.xml).

10. Every time you create a new authoritative accepted domain under Organization Configuration – Hub Transport – Accepted Domains tab, you have to run the Export-AutoDiscoverConfig cmdlet again. For more details see: Managing Accepted Domains
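The three client-side checks in tips 1, 8 and 9 can be run together from an Outlook 2007 workstation in the accounts forest. The script below is an added example and is not part of the original post or the Exchange product; it needs PowerShell 2.0 or later, and the forest name and URL at the top are placeholders that you replace with your own forest name and the value of your ServiceBindingInformation attribute.

```powershell
# Added example, not from the original post: reachability checks for tips 1, 8 and 9,
# run from an Outlook 2007 workstation in the accounts forest (Nwtraders.com).
# Requires PowerShell 2.0 or later. The two values below are placeholders.
$ResourceForest  = "Fourthcoffee.com"
$AutodiscoverUrl = "https://cas_server.fourthcoffee.com/Autodiscover/Autodiscover.xml"

# Tip 1: the resource forest name must resolve from the accounts forest.
function Test-ForestDns([string]$Name) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.ToString() }
        Write-Host ("DNS   ok      {0} -> {1}" -f $Name, [string]::Join(", ", [string[]]$ips))
        return $true
    } catch {
        Write-Host ("DNS   FAILED  {0}: {1}" -f $Name, $_.Exception.Message)
        return $false
    }
}

# Tip 8: the accounts-forest SCP points Outlook at LDAP://Fourthcoffee.com, so TCP 389 must be open.
function Test-TcpPort([string]$Name, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Name, $Port)
        Write-Host ("TCP   ok      {0}:{1}" -f $Name, $Port)
        return $true
    } catch {
        Write-Host ("TCP   FAILED  {0}:{1}: {2}" -f $Name, $Port, $_.Exception.Message)
        return $false
    } finally {
        $client.Close()
    }
}

# Tip 9: an unauthenticated GET to autodiscover.xml normally comes back as 401, which
# shows the virtual directory is up and asking for credentials. A TrustFailure means
# the certificate is not trusted or does not carry this host name, which is exactly
# what Outlook will complain about as well.
function Test-AutodiscoverUrl([string]$Url) {
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method  = "GET"
    $request.Timeout = 15000
    try {
        $response = $request.GetResponse()
        Write-Host ("HTTPS ok      {0} answered {1}" -f $Url, [int]$response.StatusCode)
        $response.Close()
        return $true
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            Write-Host ("HTTPS FAILED  certificate not trusted for {0}" -f $Url)
            return $false
        }
        if ($ex.Response -ne $null) {
            $code = [int]$ex.Response.StatusCode
            $verdict = if ($code -eq 401) { "ok    " } else { "FAILED" }
            Write-Host ("HTTPS {0}  {1} answered {2}" -f $verdict, $Url, $code)
            return ($code -eq 401)
        }
        Write-Host ("HTTPS FAILED  {0}: {1}" -f $Url, $ex.Status)
        return $false
    }
}

$results = @{
    Dns          = Test-ForestDns $ResourceForest
    Ldap389      = Test-TcpPort $ResourceForest 389
    Autodiscover = Test-AutodiscoverUrl $AutodiscoverUrl
}
$results
```

If DNS fails, the later two checks will fail as well, so fix name resolution first (see troubleshooting step 1 below). A 401 from the Autodiscover URL is the healthy result here; the user's credentials are only sent by Outlook itself.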

Common troubleshooting steps

1. Check DNS name resolution. Since the PDC Emulator controls the trust relationship between the domains, check whether the PDC Emulator in each forest can ping the other forest's domain name.

  • From PDC on Fourthcoffee.com ping nwtraders.com
  • From PDC on Nwtraders.com ping Fourthcoffee.com (Exchange 2007 resource forest)
  • From the Outlook 2007 client on Nwtraders.com ping Fourthcoffee.com

Note: If this step fails, review your DNS name resolution:

  • DNS client configuration
  • DNS server primary, secondary and stub zones
  • DNS forwarders and root hints options

2. Test the trust relationship between the two forests. A one-way outgoing trust is required between the Exchange forest and the accounts forest. For detailed steps, see Create a one-way, outgoing, forest trust for both sides of the trust.

Run domain.msc (Active Directory Domains and Trusts) on a domain controller to validate the trust relationship, or use the Netdom.exe command:

Netdom trust trusting_domain_name /domain:trusted_domain_name /verify
The trust between nwtraders.com and fourthcoffee.com has been successfully verified
The command completed successfully.

3. Verify that the master account has full access to the linked mailbox, and check the SMTP address, using the Get-Mailbox and Get-MailboxPermission cmdlets. See How to Create a Linked Mailbox.

Get-Mailbox <mailbox_user> | fl
PrimarySmtpAddress : Char@fourthcoffee.com
RecipientType : UserMailbox
RecipientTypeDetails : LinkedMailbox
IsLinked : True
LinkedMasterAccount : NWTRADERS\Char

Get-Mailboxpermission <mailbox_user> | fl
AccessRights : {FullAccess, ExternalAccount}
InheritanceType : All
User : NWTRADERS\Char
Identity : Fourthcoffee.com/Users/Char
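The same three conditions (linked mailbox, the tested SMTP address actually stamped on it, and the master account holding FullAccess) can be checked in one pass. The function below is an added example, not code from the original post; it runs in the Exchange Management Shell of the resource forest, and the mailbox name, master account and SMTP address in the usage line are placeholders taken from the sample output above.

```powershell
# Added example, not from the original post: the checks of step 3 in one function,
# for the Exchange Management Shell of the resource forest (Fourthcoffee.com).
function Test-LinkedMailbox {
    param(
        [string]$Identity,     # mailbox in the resource forest
        [string]$SmtpAddress   # the address you are configuring Outlook with
    )
    $mbx = Get-Mailbox -Identity $Identity
    if ($mbx -eq $null) {
        Write-Host "PROBLEM: mailbox $Identity not found"
        return $false
    }
    $problems = @()

    # A resource-forest mailbox used by an accounts-forest user must be a linked mailbox.
    if (-not $mbx.IsLinked -or "$($mbx.RecipientTypeDetails)" -ne "LinkedMailbox") {
        $problems += "not a linked mailbox (RecipientTypeDetails=$($mbx.RecipientTypeDetails))"
    }
    $master = "$($mbx.LinkedMasterAccount)"
    if ($master -eq "") {
        $problems += "LinkedMasterAccount is empty"
    }

    # Autodiscover looks the user up by the address Outlook sends, so it must be stamped on the mailbox.
    $stamped = @($mbx.EmailAddresses | ForEach-Object { "$_" } | Where-Object { $_ -ieq "smtp:$SmtpAddress" })
    if ($stamped.Count -eq 0) {
        $problems += "$SmtpAddress is not an address of the mailbox (primary is $($mbx.PrimarySmtpAddress))"
    }

    # The master account needs an allow ACE with FullAccess; ExternalAccount marks the cross-forest link.
    $rights = @()
    if ($master -ne "") {
        $rights = @(Get-MailboxPermission -Identity $Identity |
            Where-Object { "$($_.User)" -ieq $master -and -not $_.Deny } |
            ForEach-Object { $_.AccessRights } |
            ForEach-Object { "$_" })
    }
    if ($rights -notcontains "FullAccess") {
        $problems += "$master does not hold FullAccess (rights found: $([string]::Join(', ', [string[]]$rights)))"
    }
    if ($rights -notcontains "ExternalAccount") {
        $problems += "$master does not hold ExternalAccount"
    }

    if ($problems.Count -eq 0) {
        Write-Host "OK: $Identity is linked to $master and reachable as $SmtpAddress"
        return $true
    }
    foreach ($p in $problems) { Write-Host "PROBLEM: $p" }
    return $false
}

# Usage with the placeholder values from the sample output:
Test-LinkedMailbox -Identity "Char" -SmtpAddress "Char@fourthcoffee.com"
```

Only allow entries for the master account are counted; a Deny entry for FullAccess would otherwise be misread as a grant.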

4. To review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP) object for each Exchange 2007 Client Access server, you can use the ldifde.exe command, Adsiedit.msc or the Get-ClientAccessServer cmdlet.

Ldifde.exe -f scp.txt -d "CN=<cas_server>,CN=Autodiscover,CN=Protocols,CN=<cas_server>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=vandyr136711org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fourthcoffee,DC=com"

Get-ClientAccessServer | fl *Auto*
AutoDiscoverServiceCN : CAS_SERVER
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://cas_server.fourthcoffee.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}

Note: Keywords and ServiceBindingInformation

5. Review the Exchange certificate on the Client Access server using the Get-ExchangeCertificate cmdlet and verify the following attributes: CertificateDomains, Services, Status, IsSelfSigned, Issuer and Subject. For more details see: Autodiscover and Certificates

Get-ExchangeCertificate | fl
CertificateDomains : {mail.fourthcoffee.com, TX136711-MS1, TX136711-MS1.fourthcoffee.com, Fourthcoffee.com, autodiscover.Fourthcoffee.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Fourthcoffee, DC=Fourthcoffee, DC=com
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=mail.fourthcoffee.com
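Steps 4 and 5 are really one check: the host name in the SCP URL must appear in the CertificateDomains of the certificate that is enabled for IIS, and that certificate must be valid and unexpired. The script below is an added example, not code from the original post or from Exchange; it runs in the Exchange Management Shell on each Client Access server in the resource forest and reads that server's own SCP with Get-ClientAccessServer. It also reports whether autodiscover.<domain> is present for each authoritative accepted domain, as in the sample certificate above; those names are treated as informational, since only clients that fall back to DNS need them.

```powershell
# Added example, not from the original post: checks the IIS certificate on this CAS
# against the host name in its own SCP URL (steps 4 and 5 together).
function Test-NameCovered([string]$Name, [string[]]$CertDomains) {
    foreach ($d in $CertDomains) {
        if ($d -ieq $Name) { return $true }
        # Wildcard entries such as *.fourthcoffee.com cover exactly one extra label.
        if ($d.StartsWith("*.") -and ($Name -ilike $d) -and ($Name.Split(".").Count -eq $d.Split(".").Count)) {
            return $true
        }
    }
    return $false
}

function Test-AutodiscoverCertificate {
    $cas = Get-ClientAccessServer -Identity $env:COMPUTERNAME
    $scpHost = ([System.Uri]$cas.AutoDiscoverServiceInternalUri).Host
    Write-Host "SCP URL on $($cas.Name): $($cas.AutoDiscoverServiceInternalUri)"

    # Names a DNS-fallback client would try; informational only.
    $optionalNames = @(Get-AcceptedDomain |
        Where-Object { $_.DomainType -eq "Authoritative" } |
        ForEach-Object { "autodiscover." + "$($_.DomainName)" })

    # Only the certificate enabled for the IIS service matters for Autodiscover.
    $iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" })
    if ($iisCerts.Count -eq 0) {
        Write-Host "PROBLEM: no certificate on this server is enabled for IIS"
        return $false
    }

    $ok = $true
    foreach ($cert in $iisCerts) {
        $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
        Write-Host "Certificate $($cert.Thumbprint): subject=$($cert.Subject) self-signed=$($cert.IsSelfSigned) status=$($cert.Status) expires=$($cert.NotAfter)"
        if ("$($cert.Status)" -ne "Valid") {
            Write-Host "  PROBLEM: status is $($cert.Status)"
            $ok = $false
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Host "  PROBLEM: certificate has expired"
            $ok = $false
        }
        if (Test-NameCovered $scpHost $domains) {
            Write-Host "  ok: SCP host $scpHost is in CertificateDomains"
        } else {
            Write-Host "  PROBLEM: SCP host $scpHost is not in CertificateDomains; Outlook will warn about the name"
            $ok = $false
        }
        foreach ($n in $optionalNames) {
            if (Test-NameCovered $n $domains) { Write-Host "  ok: $n" }
            else { Write-Host "  note: $n is absent (needed only by clients that fall back to DNS)" }
        }
    }
    return $ok
}

Test-AutodiscoverCertificate
```

A name mismatch here is the usual cause of the certificate prompt in Outlook: the SCP advertises one host name and the certificate bound to IIS was issued for another.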

6. To review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP) object in the accounts forest, you can use the ldifde.exe command or Adsiedit.msc.

Ldifde -f scp_account.txt -d "CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com"
dn: CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com
distinguishedName:
CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com
keywords: Domain=Nwtraders.com
keywords: Domain=Fourthcoffee.com
keywords: 67661D7F-8FC4-4fa7-BFAC-E1D7794C1F68
serviceBindingInformation: LDAP://Fourthcoffee.com

7. Every time you create a new authoritative accepted domain under Organization Configuration – Hub Transport – Accepted Domains tab, you have to run the Export-AutoDiscoverConfig cmdlet again.

On an Exchange 2007 Client Access server in the source forest, run the following command to retrieve the credentials that you will use to run the Export-AutoDiscoverConfig cmdlet:

$a = Get-Credential

Export-AutoDiscoverConfig -DomainController <FQDN> -TargetForestDomainController <String> -TargetForestCredential $a -MultipleExchangeDeployments $true
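Steps 6 and 7 come down to one question: does the SCP that an earlier export wrote into the accounts forest still list every authoritative accepted domain of the resource forest? The script below answers it and is an added example, not code from the original post or from Exchange. It runs in the Exchange Management Shell on a Client Access server in the resource forest (PowerShell 2.0 or later). Because the trust is one-way, the accounts forest is read with explicit credentials from that forest, the same kind of account you pass as -TargetForestCredential. The forest names are placeholders, and the keyword format Domain=<accepted domain> is taken from the ldifde output in step 6.

```powershell
# Added example, not from the original post: compares the resource forest's authoritative
# accepted domains with the keywords on the SCP in the accounts forest and says whether
# Export-AutoDiscoverConfig has to be run again.
$ResourceForest = "Fourthcoffee.com"   # placeholder
$AccountsForest = "Nwtraders.com"      # placeholder
$cred = Get-Credential   # an accounts-forest user able to read its Configuration partition

function Get-ExportedAutodiscoverScp([string]$Forest, [string]$SourceForest,
                                      [System.Management.Automation.PSCredential]$Credential) {
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    try {
        # Find the Configuration partition of the accounts forest, then search the
        # CN=Microsoft Exchange Autodiscover container for the SCP named after the source forest.
        $rootDse   = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Forest/RootDSE", $user, $pass
        $configNc  = "$($rootDse.Properties['configurationNamingContext'].Value)"
        $container = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Forest/CN=Microsoft Exchange Autodiscover,CN=Services,$configNc", $user, $pass
        $searcher  = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $container
        $searcher.Filter      = "(&(objectClass=serviceConnectionPoint)(cn=$SourceForest))"
        $searcher.SearchScope = "OneLevel"
        [void]$searcher.PropertiesToLoad.Add("keywords")
        [void]$searcher.PropertiesToLoad.Add("servicebindinginformation")
        $result = $searcher.FindOne()
    } catch {
        Write-Host "Could not read ${Forest}: $($_.Exception.Message)"
        return $null
    }
    if ($result -eq $null) { return $null }
    New-Object PSObject -Property @{
        Path     = $result.Path
        Keywords = @($result.Properties["keywords"] | ForEach-Object { "$_" })
        Binding  = @($result.Properties["servicebindinginformation"] | ForEach-Object { "$_" })
    }
}

function Test-AutodiscoverExport {
    $scp = Get-ExportedAutodiscoverScp $AccountsForest $ResourceForest $cred
    if ($scp -eq $null) {
        Write-Host "PROBLEM: no SCP named $ResourceForest under CN=Microsoft Exchange Autodiscover,CN=Services in $AccountsForest. Run Export-AutoDiscoverConfig."
        return $false
    }
    Write-Host "Found $($scp.Path)"

    # What the export should have written: one Domain=<name> keyword per authoritative accepted domain.
    $expected = @(Get-AcceptedDomain |
        Where-Object { $_.DomainType -eq "Authoritative" } |
        ForEach-Object { "Domain=" + "$($_.DomainName)" })
    $missing = @($expected | Where-Object { $scp.Keywords -notcontains $_ })
    $stale   = @($scp.Keywords | Where-Object { ($_ -like "Domain=*") -and ($expected -notcontains $_) })

    $ok = $true
    if ($scp.Binding -notcontains "LDAP://$ResourceForest") {
        Write-Host "PROBLEM: serviceBindingInformation is '$([string]::Join(', ', [string[]]$scp.Binding))', expected LDAP://$ResourceForest"
        $ok = $false
    }
    foreach ($m in $missing) {
        Write-Host "PROBLEM: $m is an authoritative accepted domain but not a keyword on the SCP"
        $ok = $false
    }
    foreach ($s in $stale) {
        Write-Host "note: keyword $s no longer matches an authoritative accepted domain"
    }
    if ($ok) {
        Write-Host "OK: the accounts-forest SCP is current"
    } else {
        Write-Host 'Re-run: Export-AutoDiscoverConfig -DomainController <FQDN> -TargetForestDomainController <FQDN> -TargetForestCredential $cred -MultipleExchangeDeployments $true'
    }
    return $ok
}

Test-AutodiscoverExport
```

The script only reads and reports; it prints the Export-AutoDiscoverConfig command rather than running it, so the change to the accounts forest stays a deliberate step.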

Related reading:

White Paper: Exchange 2007 Autodiscover Service
http://technet.microsoft.com/en-us/library/bb332063.aspx#HowtoConfigureExchangeServices

How to Configure the Autodiscover Service for Multiple Forests
http://technet.microsoft.com/en-us/library/aa996849(EXCHG.80).aspx

How to Configure the Autodiscover Service to Use Site Affinity
http://technet.microsoft.com/en-us/library/aa998575(EXCHG.80).aspx

How to Configure the Autodiscover Service for Cross Forest Moves
http://technet.microsoft.com/en-us/library/bb201665(EXCHG.80).aspx

How to Deploy Exchange 2007 in an Exchange Resource Forest Topology
http://technet.microsoft.com/en-us/library/aa998031.aspx

Understanding Recipients
http://technet.microsoft.com/en-us/library/bb201680(EXCHG.80).aspx

How to Create a Linked Mailbox
http://technet.microsoft.com/en-us/library/bb123524(EXCHG.80).aspx

How to Convert a Mailbox to a Linked Mailbox
http://technet.microsoft.com/en-us/library/bb201694.aspx

Autodiscover and Certificates
http://technet.microsoft.com/en-us/library/bb332063.aspx#ADAndCertificates

- Vandy Rodrigues

Comments (2)
  1. pesospesos says:

    Hi, are you guys aware of any issues with exch web services in sp1?  Since moving to SP1 we have users who get stuck in Out of Office mode – and they can’t get it to turn off despite doing so both in Outlook 2007 and in OWA.  The odd part is that I am able to get it to turn off by configuring an OL2003 profile for them and turning it off in Outlook 2003.  Also, conference room resource booking is now broken – users get no notice, but the meeting does not book on the resource…  very troubling!

  2. Exchange says:

    pesos,

    I have to admit that I did not hear of this being a widespread problem, and I think I would as I am close to support organization, but it is possible I guess…

    Could I ask you to open a support call on this? If it does turn up to be a bug, we’ll eat the cost of the call.
