Troubleshooting Outlook Connectivity: Understanding Outlook Profiles


Written by Gerald Ramich, Senior Microsoft Premier Field Engineer.


This article is for folks who are trying to troubleshoot Outlook Connectivity issues. In my experience, many people confuse profile creation with connectivity to the server, so in this post I’ll explain what happens at profile creation time.  We’ll look at two Outlook Profile creation options:

  1. Non-AutoDiscover Profile Creation (for legacy clients or manual creation)
  2.  AutoDiscover Profile Creation.

1.0 Non-AutoDiscover Profile Creation (legacy clients or manual creation)

1.1 Using a DC or Domain Name for the Mailbox Server

First let’s look what happens, in Outlook 2003 or Outlook 2007 and higher if you manually configure an Outlook Profile if you place a DC or Domain Name for the Mailbox Server and Username. What happens when you click check names?

  1. The client machines Arps the DC
  2. The client does a 3-way connection to End Point Mapper (EPM) on the DC and Connects to EPM (Port 135) and gets the NSPI (Name Service Provider Interface) Port.
  3. The client does a 3-way connection to NSPI on the DC and Connects to NSPI (Random Port).
  4. The DC Authenticates the client has AD Read Access, determines the Database the client mailbox is associated with and returns the “CAS” server associated with the Exchange 2010 Database’s AD Site associated with the Database. (see below for How the MAPI End Point is found). The following is an easy way for you to determine the end point:
    • Use Get-MailboxDatabase <database> |fl RPCClientAccessServer
    • The RPCAccessServer in your environment will not change but in Cross Site failovers. Use Get-MailboxDatabase <database> -Status |fl RPCClientAccessServer
    • Do not use the MountedOnServer as it will show where the database is mounted BUT you will be using the RPCAccess server associated with the Database, which does NOT change. The CAS servers associated with the Database WILL connect via RPC over to the remote Mailbox servers in the other AD site. Note: this is your RPCClientAccess Server if it’s defined as your load balancer.
  5. The client machine Arps the CAS server in the AD site of the Database.
  6. The client does a 3-way connection to End Point Mapper (EPM) on the CAS and Connects to EPM (Port 135) and gets the Store Port (Port Random).
  7. The client does a 3-way connection to the Store on the CAS and Connects to the Store (Random Port) to verify connectivity to the store.
    • What does it do?
      1. Is the Store up? If yes, that’s good.
        • Does the client need referral to another server? (Mailbox Move, AD replication behind, etc), no disconnect
          • No, the Store Disconnects
          • Yes, the Store Redirects the client to use 1) AutoDiscover or 2) Update profile and redirect to remote store.
      2. Is the Store down? Fail to verify or create the profile correctly.
  8. Then the connection is closed. The information in the Mailbox is NOT accessed!

1.2 Using a RPC Array or CAS for the Mailbox Server

Second let’s look at what happens, in Outlook 2003 or Outlook 2007 and higher when you manually configure and Outlook Profile, and if you place an RPC Array or CAS for the Mailbox Server and Username. What happens when you click check names?

  1. The client machines Arps the RPC Array or CAS
  2. The client a 3-way connection to End Point Mapper (EPM) on the CAS and Connects to EPM (Port 135) and gets the RFR (MS Exchange Directory Referral) Port.
  3. The client does a 3-way connection to RFR on the CAS and CAS Connects to DC’s NSPI (Random Port) which proxies the Auth to a DC.
  4. The DC Authenticates via the RFR Proxy that the client has AD Read Access, determines the Database the client mailbox is associated with and the AD Site, and it returns the “CAS” server associated with the Exchange 2010 Database’s AD Site associated with the Database (see below for How the MAPI End Point is found). The following is an easy way for you to determine the end point.
    • Use Get-MailboxDatabase <database> |fl RPCClientAccessServer
    • The RPCAccessServer in your environment will not change but in Cross Site fail overs. Use Get-MailboxDatabase <database> -Status |fl RPCClientAccessServer
    • Do not use the MountedOnServer as it will show where the database is mounted BUT you will be using the RPCAccess server associated with the Database, which does NOT change. The CAS servers associated with the Database WILL connect via RPC over to the remote Mailbox servers in the other AD site.Note: this is your RPCClientAccessServer defined as your load balancer.
  5. The client machine Arps the Array or CAS server in the AD site of the Database (If needed, depends on if the CAS/Array was the same as the one used in the Mailbox Server field).
    • Use Get-MailboxDatabase <database> |fl RPCClientAccessServer
    • The RPCAccessServer in your environment will not change but in Cross Site fail overs. Use Get-MailboxDatabase <database> -Status |fl RPCClientAccessServer
    • Do not use the MountedOnServer as it will show where the database is mounted BUT you will be using the RPCAccess server associated with the Database, which does NOT change. The CAS servers associated with the Database WILL connect via RPC over to the remote Mailbox servers in the other AD site.
  6. The client a 3-way connection to End Point Mapper (EPM) on the CAS and Connects to EPM (Port 135) and gets the Store Port (Random Port).
  7. The client does a 3-way connection to Store on the CAS and Connects to Store (Random Port) to verify connectivity to the store.
    • What does it do?
      1. Is the Store up? That’s good.
        • Does the client need referral to another server? (Mailbox Move, AD replication behind, etc), no disconnect
          • No, the Store Disconnects
          • Yes, the Store Redirects the client to use 1) AutoDiscover or 2) Update the profile and redirect to the remote store.
      2. Is the Store down? Fail to verify or create the profile correctly.
  8. Then the connection is closed. The information in the Mailbox is NOT accessed!

 

1.3 How the MAPI End Point is found.

  1. The HomeMDB is looked up for the Mailbox/User. This is their Mailbox Database.
  2. The Mailbox Database from the HomeMDB attribute is looked up in the AD and the Mailbox Database LegacyExchangeDN is pulled. The LegacyExchangeDN includes the RPCClientAccess value or the CAS server in the site at the time the database was created. NOTE: the format will always be …./CN=<FQDN CAS or ARRAY>/CN=Microsoft Private MDB ß the last value does NOT match the database name! It is always Microsoft Private MDB.
  3. Outlook then uses the RFR services to resolve the NetBIOS name to connect to the FQDN

Public Folders are the same:

  1. The HomeMDB is looked up for the Mailbox/User. This is their Mailbox Database so they can get the associated PF.
  2. The Mailbox Database from the Mailboxes HomeMDB attribute is looked up in the AD and msExchHomePublicMDB is pulled from the Users Mailbox Database.
  3. The Public Folder Database that is associated with the users mailbox database (msExchHomePublicMDB) is looked up in the AD and the Public folder Database’s LegacyExchangeDN is pulled. The LegacyExchangeDN includes RPCClientAccess value or the CAS server in the site at the time the database was created.NOTE: the format will always ve …./CN=<FQDN CAS or ARRAY>/CN=Microsoft Public MDB ß the last value does NOT match the database name! It is always Microsoft Public MDB.
  4. Outlook then uses the RFR services to resolve the NetBIOS name to connect to the FQDN

2.0 - AutoDiscover Profile Creation

2.1 The AutoDiscover Process

The basic Idea of how AutoDiscover Profile creation works is as follows:

1. Outlook 2007/2010 sends a Lightweight Directory Access Protocol (LDAP) query to Active Directory looking for all available SCP objects. This applies to clients joined to a domain. Note if your MACHINE is in a remote forest you will get SCP records (or lack of) from that Forest and not the forest in which your mailbox is located.

a. An LDAP Query for SCPs with a Keywords value of 77378F46-2C66-4aa9-A6A6-3E7A48B19596 (that’s the AutoDiscoverServiceGuid for every CAS)

b. Specifically, Outlook initializes the LDAP connection using the ldap_init() function and passes a NULL value for the hostname. When a particular global catalog server name (or domain name) is not specified, the operation searches for a global catalog server in the domain, based on the membership of the computer that is initializing the operation.

2. Outlook 2007/2010 sorts and enumerates the returned results based on the client's Active Directory site by using the keyword attribute of the SCP record. One of two lists is created, an in-site list or an out-of-site list.

a. the SCP helps the client find the closest CAS to the client machine

b. Based on the list, we chose the OLDEST (whenCreated) Date, Outlook works its way down the list until it connects.

3. Once connected to the CAS server for AutoDiscover closest to the client:

a. It provides a list of CAS that has AutodiscoverSiteScope information set for the Associated AD site of the Database where the client Mailbox is located.

1. AutodiscoverSiteScope is a parameter that is set on the Client Access server by using the Set-ClientAccessServer cmdlet.

2. The parameter specifies the site for which the Autodiscover service is authoritative.

3. The AutodiscoverSiteScope information contained in the SCP records for the in-site list matches the Active Directory site for the Mailbox AD Sites.

4. The Autodiscover service queries Active Directory to obtain the connection settings and URLs for the Exchange services that have been configured.

5. The Autodiscover service returns an HTTPS response with an XML file that includes the connection settings and URLs for the available Exchange services.

6. Outlook uses the appropriate configuration information and connection settings to connect to your Exchange messaging environment.

7. If no SCP records are found:

a. Outlook will try to connect to the predefined URLs (for example, https://autodiscover.contoso.com/autodiscover/autodiscover.xml) by using DNS. If that fails also, Outlook will try the HTTP redirect method and, failing that, Outlook will try to use the SRV record lookup method. If all lookup methods fail, Outlook will be unable to obtain Outlook configuration and URL settings.

2.2 SCP Objects

· The SCP object contains two pieces of information, the serviceBindingInformation attribute and the keywords attribute.

· The serviceBindingInformation attribute has the Fully Qualified Domain Name (FQDN) of the Client Access server in the form of https://cas01.contoso.com/autodiscover/autodiscover.xml, where cas01.contoso.com is the fully qualified domain name (FQDN) for the Client Access server.

· The keywords attribute specifies the Active Directory sites to which this SCP record is associated. By default, this attribute specifies the Active Directory site to which the Client Access server belongs.

· When a domain-connected client connects to the Active Directory directory service, the Exchange 2007/2010 client authenticates to Active Directory and tries to locate the Autodiscover SCP objects that were created during Setup by using the user's credentials.

· In deployments that include multiple Client Access servers, an Autodiscover SCP record is created for each Client Access server.

· By using the user credentials, the Outlook 2007/2010 client authenticates to Active Directory and searches for the Autodiscover SCP objects. After the client obtains and enumerates the instances of the Autodiscover service, the client connects to the first Client Access server in the enumerated and sorted list and obtains the profile information in the form of XML data that is needed to connect to the user's mailbox and available Microsoft Exchange features.

· An Outlook 2007/2010 client connects to the Autodiscover service as follows:

Ldifde -f scp_account.txt -d "CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com"clip_image001[32]

The results:

dn:

CN=Fourthcoffee.com,CN=MicrosoftExchange Autodiscover,CN=Services,CN=Configuration, DC=Northwindtraders,DC=com

distinguishedName:

CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration, DC=Northwindtraders,DC=com

keywords:

Domain=Example.com

keywords:

Domain=Fourthcoffee.com

keywords:

67661D7F-8FC4-4fa7-BFAC-E1D7794C1F68

serviceBindingInformation:

LDAP://Fourthcoffee.com

clip_image001[33]

Using the Get-ClientAccessServer cmdlet:

Get-ClientAccessServer | fl *Auto*

The results:

AutoDiscoverServiceCN:

CAS_SERVER

AutoDiscoverServiceClassName

ms-Exchange-AutoDiscover-Service

AutoDiscoverServiceInternalUri:

https://cas_server.fourthcoffee.com/Autodiscover/Autodiscover.xml

AutoDiscoverServiceGuid:

77378f46-2c66-4aa9-a6a6-3e7a48b19596

AutoDiscoverSiteScope:

{Default-First-Site-Name}