Cross-forest Free/Busy between trusted forests not functioning
In my test lab I'm trying to get f/b working between 2007/2010 in trusted domains following these articles.
http://technet.microsoft.com/en-us/library/bb125182%28EXCHG.80%29.aspx
http://blogs.technet.com/b/exchange/archive/2011/03/04/3412075.aspx
However, I cannot get it to work! Arrrggh!
I've got FIM syncing the users from the 2010 forest that appear as "forest mail contact" in 2007. When I create a meeting from my 2007 Outlook client, add the 2010 "contact" and it tries to update the f/b, I get these errors on the 2007 server.
Event Type: Error
Event Source: MSExchange ADAccess
Event Category: Topology
Event ID: 2130
Date: 7/22/2011
Time: 4:02:29 PM
User: N/A
Computer: ISLAB2-EXCH2K7
Description:
Process w3wp.exe (EWS) (PID=3624). Exchange Active Directory Provider could not find an available domain controller in domain DC=islab,DC=com. This event may be caused by network connectivity issues or configured incorrectly DNS server. This event may also occur if you have not configured correctly your multiple Active Directory sites.
Event Type: Error
Event Source: MSExchange Availability
Event Category: Availability Service
Event ID: 4001
Date: 7/22/2011
Time: 4:02:28 PM
User: N/A
Computer: ISLAB2-EXCH2K7
Description:
Process 3624[w3wp.exe:/LM/W3SVC/1/ROOT/EWS-1-129558493332128396]: Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestWithAutoDiscover failed. Exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException: A cross-forest Availability service that can fill request for mailbox <islabuser3>SMTP:islabuser3@islab.com could not be found.. This event may occur when Availability Service cannot discover an Availability Service in the remote forest.
From the 2007 Outlook client I can successfully open the autodiscovery URL for the 2010 server and no resulting certificate errors are thrown. Good right? :D
Also, on the 2010 side this error is being thrown occasionally..
Log Name: Application
Source: MSExchange ADAccess
Date: 7/24/2011 8:17:35 PM
Event ID: 2130
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: islab-exch2k10.islab.com
Description:
Process w3wp.exe () (PID=3768). Exchange Active Directory Provider could not find an available domain controller in domain DC=islab2,DC=com. This event may be caused by network connectivity issues or configured incorrectly DNS server. This event may also occur if you have not configured correctly your multiple Active Directory sites.
Any ideas?
July 24th, 2011 11:52pm
The events are clearly talking about network issues. Run netdiag on the server and check if you are getting an error.
About Outlook, that's fine; that's the issue with the cert, which is no big deal to fix :)
Post the update.
Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
July 25th, 2011 1:57am
Run netdiag on the server and check if you are getting an error.
All passed..
C:\Program Files\Support Tools>netdiag
.....................................
Computer Name: ISLAB2-EXCH2K7
DNS Host Name: islab2-exch2k7.islab2.com
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : EM64T Family 6 Model 44 Stepping 2, GenuineIntel
List of installed hotfixes :
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : islab2-exch2k7
IP Address . . . . . . . . : 10.1.1.120
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . : 10.1.0.1
Primary WINS Server. . . . : 10.1.0.10
Secondary WINS Server. . . : 10.1.0.13
Dns Servers. . . . . . . . : 10.1.1.119
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{40EC52A4-3EA4-4F8D-86CA-86C8B42F625D}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{40EC52A4-3EA4-4F8D-86CA-86C8B42F625D}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{40EC52A4-3EA4-4F8D-86CA-86C8B42F625D}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'ISLAB2' is to '\\islab2-2003r2dc.islab2.com'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
July 25th, 2011 12:44pm
glaviolette,
Some questions for you to answer:
What are the settings you have done so far for the AvailabilityAddressSpace? What about Autodiscover...is that name included in the certificates? Is a public or self-signed Certificate Used?
:Martina
July 25th, 2011 7:12pm
glaviolette,
Some questions for you to answer:
What are the settings you have done so far for the AvailabilityAddressSpace? What about Autodiscover...is that name included in the certificates? Is a public or self-signed Certificate Used?
Following the document mentioned, I've run on the source exchange server (islab2.com):
Add-AvailabilityAddressSpace -Forestname islab.com -AccessMethod PerUserFB -UseServiceAccount:$true
Yes, I've included "autodiscover.islab.com" and the netbios name in the SAN of the self signed cert. Also, as I *somewhat* alluded to in my original message, I've tested the autodiscover URL (https://autodiscover.islab.com/autodiscover/autodiscover.xml) from the "islab2.com" Outlook client from IE and they work (however they are asking for auth?)
Self Signed
Thanks for your reply.
Oh! I should also mention there is an Exchange 2003 server in the islab.com domain, in case it makes any difference.
July 25th, 2011 7:42pm
Hi, Ok two problems:
In order for this to work, a self-signed certificate cannot be used. Both servers must have a certificate that the other trusts
This will not work for users that have their mailbox on Exchange 2003. Availability Service is an Exchange 07/10-thing
If the domain name and email domain are the same, then you can run the commands below in each environment. If the email domain is something else, then replace the value for -Forestname
IN TARGET - Islab.com
Add-AvailabilityAddressSpace -ForestName islab2.com -AccessMethod PerUserFB -UseServiceAccount:$true
Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "islab2.com\Exchange Servers"
IN SOURCE - Islab2.com
Add-AvailabilityAddressSpace -ForestName islab.com -AccessMethod PerUserFB -UseServiceAccount:$true
Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "islab.com\Exchange Servers"
:Martina
July 25th, 2011 8:08pm
Hi, Ok two problems:
In order for this to work, a self-signed certificate cannot be used. Both servers must have a certificate that the other trusts
This will not work for users that have their mailbox on Exchange 2003. Availability Service is an Exchange 07/10-thing
If the domain name and email domain are the same, then you can run the commands below in each environment. If the email domain is something else, then replace the value for -Forestname
IN TARGET - Islab.com
Add-AvailabilityAddressSpace -ForestName islab2.com -AccessMethod PerUserFB -UseServiceAccount:$true
Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "islab2.com\Exchange Servers"
IN SOURCE - Islab2.com
Add-AvailabilityAddressSpace -ForestName islab.com -AccessMethod PerUserFB -UseServiceAccount:$true
Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "islab.com\Exchange Servers"
:Martina
Huh, the Technet article seems to indicate as long as the self signed SAN cert is imported into the other server that's sufficient, you're saying that's not true?
Sorry, I've run those EXACT commands on each target/source. No joy.. :(
Thanks for your assistance!
July 26th, 2011 12:33am
Huh, the Technet article seems to indicate as long as the self signed SAN cert is imported into the other server that's sufficient, you're saying that's not true?
This is what the TechNet article says:
Cross-Forest Availability and Certificates
When you install Exchange 2007 with the Client Access server role, a self-signed certificate is created. The self-signed certificate has two Subject Alternative Name (SAN) entries: one for the NetBIOS name of the Client Access server and one for the fully qualified domain name (FQDN) of the Client Access server. Therefore, if you plan to use the default self-signed certificate installed on the Client Access server, you have only one option to make Autodiscover work between both forests: You must export the SCP from the target forest to the source forest. In this scenario, you must have a trust relationship between both forests
Are the DNS domain name and SMTP domain really the same?
If not, you must replace the value for -Forestdomain in the command.
The name of the switch is really misleading. It's the primary SMTP domain from the trusted domain that has to be added.
Can you run test-outlookwebservices and post the output? Example:
test-outlookwebservices -identity:somuser@sourceSMTP.com -TargetAddress someuser@TargetSMTP.com | fl
July 26th, 2011 1:18am
So, as self signed will work if exported to each forest, which I have done.
Yup, DNS/SMTP domain both match (islab.com/islab2.com).
Here is the output, which I have run before. Not very helpful that I could see??
[PS] C:\Documents and Settings\Administrator.ISLAB2>Test-OutlookWebServices -Ide
ntity:islabuser1@islab2.com -TargetAddress islabuser1@islab.com | fl
Id : 1003
Type : Information
Message : About to test AutoDiscover with the e-mail address islabuser1@islab2.
com.
Id : 1006
Type : Information
Message : The Autodiscover service was contacted at https://islab2-exch2k7.isla
b2.com/Autodiscover/Autodiscover.xml.
Id : 1011
Type : Error
Message : When querying Availability for islabuser1@islab.com received 5039:
Id : 1016
Type : Error
Message : [EXCH]-Error when contacting the AS service at https://islab2-exch2k7
.islab2.com/EWS/Exchange.asmx. The elapsed time was 312 milliseconds.
Id : 1015
Type : Success
Message : [EXCH]-Successfully contacted the OAB service at https://islab2-exch2
k7.islab2.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.
Id : 1014
Type : Success
Message : [EXCH]-Successfully contacted the UM service at https://islab2-exch2k
7.islab2.com/UnifiedMessaging/Service.asmx. The elapsed time was 671
milliseconds.
Id : 1006
Type : Success
Message : The Autodiscover service was tested successfully.
Id : 1021
Type : Information
Message : The following web services generated errors.
As in EXCH
Please use the prior output to diagnose and correct the errors.
July 26th, 2011 1:01pm
Please configure external Availability Service URL the same as the internal URL for a test. Also, please temporarily turn off firewall and antivirus program to check the result.
Thanks.
Novak Wu
July 26th, 2011 10:26pm
This is what the TechNet article says:
Cross-Forest Availability and Certificates
When you install Exchange 2007 with the Client Access server role, a self-signed certificate is created. The self-signed certificate has two Subject Alternative Name (SAN) entries: one for the NetBIOS name of the Client Access server and one for the fully qualified domain name (FQDN) of the Client Access server. Therefore, if you plan to use the default self-signed certificate installed on the Client Access server, you have only one option to make Autodiscover work between both forests:
You must export the SCP from the target forest to the source forest. In this scenario, you must have a trust relationship between both forests
Just to be clear, you are using a self-signed certificate and not one issued from your Certificate Server?
If you are, you must export and import the SCP Settings, according to the Technet Article.
Please run get-exchangecertificate | fl and post the output here
The output from Test-Outlookwebservices is informative.
It shows that connectivity exists but Availability Service doesn't work and that is usually caused by the certificate not being trusted, or missing name in the cert etc.
Could you also run Get-WebServicesVirtualDirectory | fl Name,*url* and post the output?
:Martina
July 27th, 2011 2:39am
Hi Glaviolette,
Any update on this issue?
Martina Miskovic
August 1st, 2011 1:20am
Hi Glaviolette,
Any update on this issue?
Martina Miskovic
Sorry for the delayed reply.
Yes, I finally got it working! While I don't have the *exact* answer, I can take a guess it had to do with matching my External/Internal URLs for each service with the certificate. Then testing those URLs from each Exchange server in IE. I had created my own SAN certs on each lab DC/Certsrv then copied/installed the root CA to each lab exchange server.
This article helped as well.
http://www.enowconsulting.com/blog/index.php?paged=4
August 4th, 2011 5:35pm
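The posts above trace the failure to service URLs and certificate names that did not line up. As an added example (not from the thread or from Microsoft), the following PowerShell checks each service URL's host against a certificate's name list; the function names and the `mail.islab.com` URL are hypothetical, and the sample values are constructed from the lab names in this thread.

```powershell
# Added example. Returns $true when $HostName matches one of the certificate names.
function Test-HostCoveredByCert {
    param([string]$HostName, [string[]]$CertificateDomains)
    foreach ($name in $CertificateDomains) {
        if ($name -eq $HostName) { return $true }      # -eq ignores case for strings
        # A wildcard name covers exactly one extra left-most label.
        if ($name.StartsWith('*.')) {
            $suffix   = $name.Substring(1)             # e.g. ".islab.com"
            $firstDot = $HostName.IndexOf('.')
            if ($firstDot -gt 0 -and $HostName.Substring($firstDot) -eq $suffix) {
                return $true
            }
        }
    }
    return $false
}

# Emits one object per configured URL whose host is not named in the certificate.
function Get-UrlCertMismatch {
    param([hashtable]$ServiceUrls, [string[]]$CertificateDomains)
    foreach ($setting in ($ServiceUrls.Keys | Sort-Object)) {
        $url = $ServiceUrls[$setting]
        if (-not $url) { continue }                    # unset external URLs are skipped
        $hostName = ([uri]$url).Host
        if (-not (Test-HostCoveredByCert $hostName $CertificateDomains)) {
            New-Object PSObject -Property @{ Setting = $setting; Host = $hostName; Url = $url }
        }
    }
}

# Constructed sample input. In the Exchange Management Shell, take the names from
# the CertificateDomains property of Get-ExchangeCertificate output and the URLs
# from Get-WebServicesVirtualDirectory | fl Name,*url*
$certNames = 'islab-exch2k10', 'islab-exch2k10.islab.com', 'autodiscover.islab.com'
$urls = @{
    'EWS InternalUrl'  = 'https://islab-exch2k10.islab.com/EWS/Exchange.asmx'
    'EWS ExternalUrl'  = 'https://mail.islab.com/EWS/Exchange.asmx'   # hypothetical
    'Autodiscover URI' = 'https://autodiscover.islab.com/Autodiscover/Autodiscover.xml'
}

# Only the EWS ExternalUrl row is reported: mail.islab.com is not in $certNames.
Get-UrlCertMismatch -ServiceUrls $urls -CertificateDomains $certNames |
    Format-Table Setting, Host, Url -AutoSize
```

A name match is only half of the check: the issuing CA of each certificate must also be trusted by the Exchange servers in the other forest.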
I am glad it works for you now.
Thanks for the update, glaviolette!
Martina Miskovic
August 4th, 2011 8:18pm