After much back and forth I have solved my certificate issues with Exchange. Links below. What I have now is just the plain old OAB 0X8004010F. I have tried adjusting URLs, recreating the OAB and even using pub-folder distribution rather than web-based, but every single one of the client computers gets a log message about OAB - some every five minutes. For the record once more this is SBS 2008, all Outlooks are in the same building, same LAN, and I don't need OAB at all so any solution that makes these logs go away is acceptable. In fact, I have never created an OAB, don't know anything about generation at 5AM and couldn't give a flying flarn what is in the list in the end, I'm just sick of getting a phone call or seven each day complaining about 'these little messages in my inbox'. Grrr! :-D I have provided info from the EMS as it stands now (after messing with security for a week or so, but supervised this time LOL): Name : OAB (SBS Web Applications) PollInterval : 0 OfflineAddressBooks : {I HATE OAB} RequireSSL : True BasicAuthentication : True WindowsAuthentication : True MetabasePath : IIS://WINSERVER.lakegroup.local/W3SVC/3/ROOT/OAB Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB Server : WINSERVER InternalUrl : https://winserver.lakegroup.local/OAB InternalAuthenticationMethods : {Basic, WindowsIntegrated} ExternalUrl : https://mail.lakegroupstrata.com/OAB ExternalAuthenticationMethods : {Basic, WindowsIntegrated} AdminDisplayName : ExchangeVersion : 0.1 (8.0.535.0) DistinguishedName : CN=OAB (SBS Web Applications),CN=HTTP,CN=Protocols,CN=WINSERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,C N=Microsoft Exchange,CN=Services,CN=Configuration,DC=lakegroup,DC=local Identity : WINSERVER\OAB (SBS Web Applications) Guid : e7ce607f-c2aa-4188-a6dd-7e230a90df98 ObjectCategory : lakegroup.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory ObjectClass : {top, msExchVirtualDirectory, msExchOABVirtualDirectory} WhenChanged : 25/03/2010 4:12:38 PM WhenCreated : 16/01/2009 11:23:02 PM OriginatingServer : WINSERVER.lakegroup.local IsValid : True [PS] C:\Users\icsolutions\Desktop>Get-OfflineAddressBook |fl Server : WINSERVER AddressLists : {Public Folders} Versions : {Version2, Version3, Version4} IsDefault : False PublicFolderDatabase : WINSERVER\Second Storage Group\Public Folder Database PublicFolderDistributionEnabled : True WebDistributionEnabled : False DiffRetentionPeriod : 30 Schedule : {Sun.5:00 AM-Sun.5:15 AM, Mon.5:00 AM-Mon.5:15 AM, Tue.5:00 AM-Tue.5:15 AM, Wed.5:00 AM-Wed.5:15 AM, Thu.5:00 AM-Thu.5:15 AM, Fri.5:00 AM-Fri.5:15 AM, Sat.5:00 AM-Sat.5:1 5 AM} VirtualDirectories : {} ExchangeVersion : 0.1 (8.0.535.0) AdminDisplayName : Name : Default Offline Address Book DistinguishedName : CN=Default Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,C N=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lakegroup, DC=local Identity : \Default Offline Address Book Guid : e0148f37-04fe-4283-8399-01b495690433 ObjectCategory : lakegroup.local/Configuration/Schema/ms-Exch-OAB ObjectClass : {top, msExchOAB} WhenChanged : 24/03/2010 3:05:00 PM WhenCreated : 16/01/2009 11:22:13 PM OriginatingServer : WINSERVER.lakegroup.local IsValid : True Server : WINSERVER AddressLists : {All Contacts, Default Global Address List} Versions : {Version4} IsDefault : True PublicFolderDatabase : WINSERVER\Second Storage Group\Public Folder Database PublicFolderDistributionEnabled : True WebDistributionEnabled : True DiffRetentionPeriod : 30 Schedule : {Sun.5:00 AM-Sun.5:15 AM, Mon.5:00 AM-Mon.5:15 AM, Tue.5:00 AM-Tue.5:15 AM, Wed.5:00 AM-Wed.5:15 AM, Thu.5:00 AM-Thu.5:15 AM, Fri.5:00 AM-Fri.5:15 AM, Sat.5:00 AM-Sat.5:1 5 AM} VirtualDirectories : {OAB (SBS Web Applications)} ExchangeVersion : 0.1 (8.0.535.0) AdminDisplayName : Name : I HATE OAB DistinguishedName : CN=I HATE OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organizati on,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lakegroup,DC=local Identity : \I HATE OAB Guid : 55595229-b225-4495-b589-5691f1582952 ObjectCategory : lakegroup.local/Configuration/Schema/ms-Exch-OAB ObjectClass : {top, msExchOAB} WhenChanged : 24/03/2010 3:31:02 PM WhenCreated : 24/03/2010 3:04:19 PM OriginatingServer : WINSERVER.lakegroup.local IsValid : True [PS] C:\Users\icsolutions\Desktop>Test-OutlookWebServices |fl Id : 1003 Type : Information Message : About to test AutoDiscover with the e-mail address icsolutions@lakegroupstrata.com. Id : 1007 Type : Information Message : Testing server WINSERVER.lakegroup.local with the published name https://winserver/ews/exchange.asmx & https: //winserver/ews/exchange.asmx. Id : 1019 Type : Information Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://winserver /autodiscover/autodiscover.xml. Id : 1006 Type : Information Message : The Autodiscover service was contacted at https://winserver/autodiscover/autodiscover.xml. Id : 1016 Type : Success Message : [EXCH]-Successfully contacted the AS service at https://winserver/ews/exchange.asmx. The elapsed time was 837 milliseconds. Id : 1015 Type : Information Message : [EXCH]-The OAB is not configured for this user. Id : 1014 Type : Success Message : [EXCH]-Successfully contacted the UM service at https://winserver/unifiedmessaging/service.asmx. The elapsed time was 184 milliseconds. Id : 1006 Type : Success Message : The Autodiscover service was tested successfully. Links to previous discussions: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/750738ba-6d6e-47cb-9db7-8efb5bcd3d98 http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/7f9b2c81-4eff-4996-af8f-6e501e95fde8 http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/b8da24c4-4245-4e1e-8009-d8effe13f0bb http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/34b0a337-fbf4-4095-ab08-bdedbad1d5d9Celebrating 20 years of supporting someone else's software for a living.

On Thu, 25 Mar 2010 05:30:40 +0000, Freqy wrote:>>>After much back and forth I have solved my certificate issues with Exchange. Links below. >>What I have now is just the plain old OAB 0X8004010F. >>I have tried adjusting URLs, recreating the OAB and even using pub-folder distribution rather than web-based, but every single one of the client computers gets a log message about OAB - some every five minutes. >>For the record once more this is SBS 2008, all Outlooks are in the same building, same LAN, and I don't need OAB at all so any solution that makes these logs go away is acceptable. But they _do_ need the OAB if they're configured to work in Exchangecached mode. Are they?>In fact, I have never created an OAB, don't know anything about generation at 5AM and couldn't give a flying flarn what is in the list in the end, I'm just sick of getting a phone call or seven each day complaining about 'these little messages in my inbox'. Grrr! :-D Is the OAB set correctly on the "Client Settings" tab of the mailboxdatabase's property page?If you stop and start (don't just "restart") the "Microsoft ExchangeReplication Service", are there any errors recorded in the Applicationlog (this is the service that uploads the OAB files to the CAS)? Arethe permissions correct on the "C:\Program Files\Microsoft\ExchangeServer\ClientAccess\OAB" directory? Since you're running only on oneserver I think you'd have just the "Administrators" group and "SYSTEM"account in the list and both should be inheriting the permissions.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP

But they _do_ need the OAB if they're configured to work in Exchange cached mode. Are they? Yes they are. Can you tell me exactly what the OAB is used for in this case and how an empty address book on a server that is never offline (so far touch wood lol) can be so important? Is the OAB set correctly on the "Client Settings" tab of the mailbox database's property page? Under that setting I have '\I HATE OAB' - the address book I created a couple of days ago. This made no difference to when I had '\Default Offline Address Book'. Are the permissions correct on the "C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB" directory? Admin and System have full control without 'Special Permissions', IIS_IUSRS has special permission only. Is this correct? And finally the only log entry of any interest when I stopped and started the replication service was: Starting from 29/03/2010 7:18:55 AM service 'Exchange Content Indexing' has performed this activity on the server: RPC Operations: 6477. Database Pages Read: 104 (of which 19 pages preread). Database Pages Updated: 23346 (of which 22215 pages reupdated). Database Log Records Generated: 20714. Database Log Records Bytes Generated: 773701. Time in User Mode: 469 ms. Time in Kernel Mode: 125 ms. Thanking you and looking forward to your response. Celebrating 20 years of supporting someone else's software for a living.

On Sun, 28 Mar 2010 22:24:39 +0000, Freqy wrote:>>>But they _do_ need the OAB if they're configured to work in Exchange cached mode. Are they? >>Yes they are. Can you tell me exactly what the OAB is used for in this case and how an empty address book on a server that is never offline (so far touch wood lol) can be so important? Well, let me ask you why the clients are configured to use Exchangecached-mode if the server is never off-line? :-)The OAB shouldn't be empty.Besides the obvious benefit of being able to work whil disconnectedfrom a server, cached-mode and the OAB benefit the server byoff-loading much of the network traffic to and from the Global Catalogservers and the Exchange Information Store.>Is the OAB set correctly on the "Client Settings" tab of the mailbox database's property page? >>Under that setting I have '\I HATE OAB' - the address book I created a couple of days ago. This made no difference to when I had '\Default Offline Address Book'. Okay.Have a look at the OAB Virtual Directory, too. What authenticationaccess is set on it? Is anonymous access allowed (it shouldn't be)?What about the secure communications properties? You said you had acertificate. Do you require SSL? Do you ignore client certificates?Previously you said "every single one of the client computers gets alog message about OAB", but you didn't say what the "log message" was.>Are the permissions correct on the "C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB" directory? >>Admin and System have full control without 'Special Permissions', IIS_IUSRS has special permission only. Is this correct? On an all-in-one server I think they are. So now look at the"C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB"directory and see if there's a sub-directory. And, in thatsub-directory, if there are *.lkz files.I'm trying to get an idea of where your problem might be. Whether it'sthat the web-based distribution isn't working or that there's nothingto distribute.>And finally the only log entry of any interest when I stopped and started the replication service was: Do you see one that looks like this after the service is started?Event Type: InformationEvent Source: MSExchangeFDSEvent Category: FileReplication Event ID: 1008Date: 3/28/2010Time: 11:10:31 PMUser: N/AComputer: SRVR005Description:Process MSExchangeFDS.exe (PID=5080). Offline Address Book datasynchronization task has completed successfully. OAB name: "DefaultOffline Address List", Guid: a76a9b0c-9d37-41bd-8c6b-0ac545b9d5a6For more information, see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP

Well, let me ask you why the clients are configured to use Exchange cached-mode if the server is never off-line? :-) For backup purposes, in case the room where the server is burns down and the lady who does the backups has a car crash on the way home, but all the client machines are OK, or something. :-) The OAB shouldn't be empty. Why not? Nobody has ever put anything in there. This organisation uses custom CRM to store all their phone numbers and email addresses. Are you saying I need to put an address in there before things will start working? I don't believe MS would be quite stupid enough to have something that out-of-the-box gives a message repeatedly until you are forced to start using it. [cou-CEIP-ough] Besides the obvious benefit of being able to work whil disconnected from a server, cached-mode and the OAB benefit the server by off-loading much of the network traffic to and from the Global Catalog servers and the Exchange Information Store. Which is an even better reason than the above to run cached mode even if the server is never down - it reboots itself in the wee hours of Sunday morning and in 18 months of operation has never gone down during the week. Have a look at the OAB Virtual Directory, too. What authentication access is set on it? Sorry, but I don't know how to find that. Which part of the following tells me where that is? I also have two IIS managers in Administrative Tools. Which one should I be using? Name : OAB (SBS Web Applications)PollInterval : 0OfflineAddressBooks : {I HATE OAB}RequireSSL : TrueBasicAuthentication : TrueWindowsAuthentication : TrueMetabasePath : IIS://WINSERVER.lakegroup.local/W3SVC/3/ROOT/OABPath : C:\Program Files\Microsoft\Exchange Server\ClientAccess\OABServer : WINSERVERInternalUrl : https://winserver.lakegroup.local/OABInternalAuthenticationMethods : {Basic, WindowsIntegrated}ExternalUrl : https://mail.lakegroupstrata.com/OABExternalAuthenticationMethods : {Basic, WindowsIntegrated}AdminDisplayName :ExchangeVersion : 0.1 (8.0.535.0)DistinguishedName : CN=OAB (SBS Web Applications),CN=HTTP,CN=Protocols,CN=WINSERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,C N=Microsoft Exchange,CN=Services,CN=Configuration,DC=lakegroup,DC=localIdentity : WINSERVER\OAB (SBS Web Applications)Guid : e7ce607f-c2aa-4188-a6dd-7e230a90df98ObjectCategory : lakegroup.local/Configuration/Schema/ms-Exch-OAB-Virtual-DirectoryObjectClass : {top, msExchVirtualDirectory, msExchOABVirtualDirectory}WhenChanged : 25/03/2010 4:12:38 PMWhenCreated : 16/01/2009 11:23:02 PMOriginatingServer : WINSERVER.lakegroup.localIsValid : True What about the secure communications properties? You said you had a certificate. Do you require SSL? Do you ignore client certificates? Secure communication is not required and to the best of my knowledge not enabled. I have created a certificate so that I can avoid certificate name mismatch prompts every time Outlook 2007 is opened (do NOT get me started on that!). Client certificates, I don't even know what you mean. Previously you said "every single one of the client computers gets a log message about OAB", but you didn't say what the "log message" was. Microsoft Exchange Offline Address Book: 0X8004010F. Sometimes it mentions that a URL could not be found or that an object does not exist, but it is always the same error code. Great work there - have unique error codes but reuse them for different error messages LOL. As for the OAB directory there is a '55595229-b225-4495-b589-5691f1582952' directory in which I have a bunch of files like '310296d7-37a1-45e6-8494-e9f0c9caf36a-data-1.lzx' and '310296d7-37a1-45e6-8494-e9f0c9caf36a-lng0c0a-1.lzx' as well as one called 'oab.xml'. I've set permissions on the directory and all these files the same as the permissions you mentioned on the OAB directory itself. Do you see one that looks like this after the service is started? That's a big negatory on that one. Thanks for your patience, I look forward to your response. Aaron. UPDATE: I just went into IIS manager, managed to find the OAB part. The web-directory that contained it (SBS Web Applications) was stopped, because of a port conflict with another site. I have turned off all other sites - Default Web Site, SBS Client Deployment Applications, SBS SharePoint, SharePoint Central Administration v3 and WSUS Administration - and reactivated SBS Web Applications. We'll see what that does... I also noticed that OAB looks like a shortcut to a folder, where all the other directories look like a document with a world behind. Any clues on why?Celebrating 20 years of supporting someone else's software for a living.

I'm not sure if I've found the solution to this problem, however my SBS 2008 had configuration errors. Words cannot describe how annoyed I am with this product and the sh*t I've been through simply to make it function as an Exchange Server and file sharer. If you have these messages, check the following: 1 - Open IIS Manager and go to SBS Web Applications. Verify the app is running (it will have a small black square overlaid on the icon if it is not). 2 - Follow Rich's instructions to check your file permissions and verify that an OAB exists. Use the commands in my OP to check that an OAB has been activated. If not you will find you can create one in the EMC under Mailbox. 3 - If you are like me you will be unable to restart the application due to a port conflict with another of the internal web-apps. At this point you will wish you could strangle the person who said SBS 2008 was ever ready to ship. 4 - My solution was simply to stop all those other bullsh*t services you've never used or even heard of such as SharePoint and WSUS Admin and restart the SBS Web Applications app. Strangely enough your out-of-office settings, OAB and Autodiscover will now be working. Thanks to Rich for guiding me to the point where I found this.If a product has faults the onus rests on the original manufacturer to solve problems arising because of that fault.

On Mon, 29 Mar 2010 22:59:08 +0000, Freqy wrote:>Well, let me ask you why the clients are configured to use Exchange cached-mode if the server is never off-line? :-) >>For backup purposes, in case the room where the server is burns down and the lady who does the backups has a car crash on the way home, but all the client machines are OK, or something. :-) I'm glad you put that smiley out there at the end.>The OAB shouldn't be empty. >>Why not? Nobody has ever put anything in there. Ummm . . . everything in your GAL should be in there.>This organisation uses custom CRM to store all their phone numbers and email addresses. Are you saying I need to put an address in there before things will start working? I don't believe MS would be quite stupid enough to have something that out-of-the-box gives a message repeatedly until you are forced to start using it. [cou-CEIP-ough] I'll just ignore that remark.>Besides the obvious benefit of being able to work whil disconnected from a server, cached-mode and the OAB benefit the server by off-loading much of the network traffic to and from the Global Catalog servers and the Exchange Information Store. >>Which is an even better reason than the above to run cached mode even if the server is never down - it reboots itself in the wee hours of Sunday morning and in 18 months of operation has never gone down during the week. Yes, but to run in cached mode requires the use of the OAB. I don'tknow why it reboots on its own, though. Is that something you do onpurpose?>Have a look at the OAB Virtual Directory, too. What authentication access is set on it? >>Sorry, but I don't know how to find that. Which part of the following tells me where that is? I also have two IIS managers in Administrative Tools. Which one should I be using? Two? It really shouldn't matter since they'll both use the samemetabase file.Looking at the OAB information you posted, and cutting out theextraneous stuff, I can see that your AD says that both Basic andWindows Integrated authentication are accepted. The reason I askedabout what IIS says is that there may be problems with the metabaseupdate thread that pushes the changes from the AD into the metabase.If the two don't agree it can be confusing.RequireSSL : TrueBasicAuthentication : TrueWindowsAuthentication : TrueInternalAuthenticationMethods : {Basic, WindowsIntegrated}ExternalAuthenticationMethods : {Basic, WindowsIntegrated}>What about the secure communications properties? You said you had a certificate. Do you require SSL? Do you ignore client certificates? >>Secure communication is not required and to the best of my knowledge not enabled. According to the information you posted, SSL is required.>I have created a certificate so that I can avoid certificate name mismatch prompts every time Outlook 2007 is opened (do NOT get me started on that!). Making that go away is pretty easy. Does SBS come with its own CA? Ifthe Powershell cmdlet to create the CER is too confusing, try thisURL: https://www.digicert.com/easy-csr/exchange2007.htm. If you thinkthere may be a problem with the certificate installation, try thisone: https://www.digicert.com/help/. And, to verify that all isworking well, use this URL: http://testexchangeconnectivity.com>Client certificates, I don't even know what you mean.If you don't issue certificates to clients to use, don't allow them onthe virtual directory. Look and you'll see the choices.>Previously you said "every single one of the client computers gets a log message about OAB", but you didn't say what the "log message" was. >>Microsoft Exchange Offline Address Book: 0X8004010F. Sometimes it mentions that a URL could not be found or that an object does not exist, but it is always the same error code. Great work there - have unique error codes but reuse them for different error messages LOL. The error code is accurate. It says the object doesn't exist. It's notconcerned with the "why" it doesn't exist, just that it doesn't. Theassumption is that the access part is working. See the above referenceto http://testexchangeconnectivity.>As for the OAB directory there is a '55595229-b225-4495-b589-5691f1582952' directory in which I have a bunch of files like '310296d7-37a1-45e6-8494-e9f0c9caf36a-data-1.lzx' and '310296d7-37a1-45e6-8494-e9f0c9caf36a-lng0c0a-1.lzx' as well as one called 'oab.xml'. I've set permissions on the directory and all these files the same as the permissions you mentioned on the OAB directory itself. The permissions on the sub-directory that contains all those files ismuch more expansive than the permissions on the OAB directory. I hopeyou didn't remove the permissions that allow Authenticated Users"Read" access.>Do you see one that looks like this after the service is started? >>That's a big negatory on that one. That's not a good thing. That service is what takes the OAB changesand pushes them into the directory for web distribution. If that's notworking the changes in your GAL, which should be reflected in the OAB,won't be the same in the Public Folder and Web Distribution. Thatneeds to be fixed.>UPDATE: I just went into IIS manager, managed to find the OAB part. The web-directory that contained it (SBS Web Applications) was stopped, because of a port conflict with another site. I have turned off all other sites - Default Web Site, SBS Client Deployment Applications, SBS SharePoint, SharePoint Central Administration v3 and WSUS Administration - and reactivated SBS Web Applications. >>We'll see what that does... Well, having the VD running would be an improvement.>I also noticed that OAB looks like a shortcut to a folder, where all the other directories look like a document with a world behind. Any clues on why?The OAB virtual directory should look the same as the Rpc andRpcWithCert virtual directories. What's in the "Application Name"? Itshould be greyed out and say "Default Application" with "None" as theexecute permissions.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP

I know I've closed this thread but I have more questions/feedback for you just out of interest if you don't mind. Ummm . . . everything in your GAL should be in there. Well, yes, unless nobody ever put anything in that either. I'm confused; is it supposed to contain all the domain email addresses by default? Or are you saying that all the Outlooks are collecting email addresses and adding them automatically? I'm also yet to find where I can see the addresses (or lack of) that are in this list. At least one user that I spoke to can now download the OAB, but where is it? Two? Yes, there is IIS manager and IIS 6.0 manager. If this is unusual I can only assume it has something to do with a legacy web-service and the fact I'm using a 64-bit OS. I'll just ignore that remark. I didn't really expect a response unless you are the man in charge of user interface policy for every piece of software MS makes. :-) Making that go away is pretty easy. I wish I could make you eat those words! SBS does not have a CA by default, that was problem number one. In the end I had to pay to get a solution to this, and what was missing was a bunch of switches on the commandlet that I've never seen documented anywhere. Not to mention IT SHOULD HAVE BEEN CERTIFIED TO TALK TO DOMAIN COMPUTERS WITHOUT MY HELP!!! According to the information you posted, SSL is required. It's enabled; I still don't think it's necessary to encrypt my LAN traffic. I'm certainly not going to play with it now though. :-D The error code is accurate. If that is a unique error code describing EXACTLY ONE INDIVISIBLE system malfunction, how can it be accompanied by different messages essentially at random? Simple: the code has either been reused or the programmer was lazy with their try-catch structure. Thus the error code may be accurate but it is not useful. It defeats the purpose of allocating the codes in the first place - why not just have the message? That's not a good thing. ... That needs to be fixed. Unless I discover another problem, it never will be. I've said from the start all I ever wanted was to turn OAB off. All this has made zero difference to client functionality, it is simply in aid of not getting messages posted to every user every hour about something nobody uses. Personally I hope it stays wrong forever just to prove my point. Maybe that will somehow get collected as usage statistics and convince them to allow it to be turned off in later versions of Exchange. Well, having the VD running would be an improvement. Yeah, funny how having services running makes them available. I really don't know how I ended up with a port conflict, it just annoys me that it happened without my interference. If I had installed Eudora server (can't remember its name right now) and was attempting to get Outlook Express 4 to work with it, I'd expect to have to play with something. If I put Exchange 2007 on my server and Outlook 2007 on my clients, I don't expect to go looking for misconfigured web-applications in SBS 2008.If a product has faults the onus rests on the original manufacturer to solve problems arising because of that fault.

On Tue, 30 Mar 2010 03:32:31 +0000, Freqy wrote:>>>I know I've closed this thread but I have more questions/feedback for you just out of interest if you don't mind. >>Ummm . . . everything in your GAL should be in there. >>Well, yes, unless nobody ever put anything in that either. The GAL is a representation of the mail- and mailbox-enabled objectsin your AD. If you have none then I'd have to ask why you're usingExchange at all!>I'm confused; is it supposed to contain all the domain email addresses by default? Well, all those that belong to the objects in your AD domain. That maynot be the "domain" you're asking about, though. Are you asking aboutthe AD domain or the DNS domain?>Or are you saying that all the Outlooks are collecting email addresses and adding them automatically? Outlook isn't doing anything except using information from a datasource, which is either the OAB or the NSPI presented by your GCs.Right now we're talking about the Active Directory.>I'm also yet to find where I can see the addresses (or lack of) that are in this list. At least one user that I spoke to can now download the OAB, but where is it?The OAB probably resides in two places in your Exchange organization.I believe you said you used Public Folders, so there's at least oneOAB folder there. The OAB is kept as messages in that folder. Each daythe changes in the GAL are recorded in a "delta" file.You also have the OAB in the file system directory beneath the OABfolder. All those files in that directory are the "delta" files (andindex files, and the complete OAB, too).>Two? >>Yes, there is IIS manager and IIS 6.0 manager. If this is unusual I can only assume it has something to do with a legacy web-service and the fact I'm using a 64-bit OS. No, it's not unusual, just unexpected. You have the IIS 6 metabasecompatibility feature installed on your Windows 2008 server.>I'll just ignore that remark. >>I didn't really expect a response unless you are the man in charge of user interface policy for every piece of software MS makes. :-) >>Making that go away is pretty easy. >>I wish I could make you eat those words! SBS does not have a CA by default, that was problem number one. That doesn't mean it's not easy. It's just not free if you don't useyour own cert.>In the end I had to pay to get a solution to this, Most of use do.>and what was missing was a bunch of switches on the commandlet that I've never seen documented anywhere. And those are . . . ?>Not to mention IT SHOULD HAVE BEEN CERTIFIED TO TALK TO DOMAIN COMPUTERS WITHOUT MY HELP!!!Installing Exchange creates a "self-signed" certificate. Adomain-joined Outlook client will ignore the name mismatch.>According to the information you posted, SSL is required. >>It's enabled; It's also required. A connection that doesn't use HTTPS (SSL) won'twork. [ snip ]>That's not a good thing. ... That needs to be fixed. >>Unless I discover another problem, it never will be. I've said from the start all I ever wanted was to turn OAB off. All this has made zero difference to client functionality, it is simply in aid of not getting messages posted to every user every hour about something nobody uses. Personally I hope it stays wrong forever just to prove my point. Maybe that will somehow get collected as usage statistics and convince them to allow it to be turned off in later versions of Exchange. >>Well, having the VD running would be an improvement. >>Yeah, funny how having services running makes them available. >>I really don't know how I ended up with a port conflict, it just annoys me that it happened without my interference. If I had installed Eudora server (can't remember its name right now) and was attempting to get Outlook Express 4 to work with it, I'd expect to have to play with something. If I put Exchange 2007 on my server and Outlook 2007 on my clients, I don't expect to go looking for misconfigured web-applications in SBS 2008.>If a product has faults the onus rests on the original manufacturer to solve problems arising because of that fault. If your beef is with SBS you'll find a more sympathetic audience in aSBS forum. You posted this in an Exchange server forum. Exchangedoesn't require IIS 6 compatibility and installing other "stuff" on anExchange server usually results in, well, let's just say it doesn'tusually work out well.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP

Thanks for filling in some of the blanks Rich. Couple of things though: Installing Exchange creates a "self-signed" certificate. A domain-joined Outlook client will ignore the name mismatch. Unless that certificate was somehow damaged in my case, that is completely untrue! Half my problem was wading through pages of instructions about my 'edge' servers and 'transport' servers and how to get non-domain clients working. All I ever wanted was for the domain connected clients on the same LAN to work with my ONE server. Outlook isn't doing anything except using information from a data source, which is either the OAB or the NSPI presented by your GCs. Right now we're talking about the Active Directory. In other words this entire experience has been for the benefit of giving everyone a copy of their cubicle buddies' email addresses, which they already have elsewhere and wouldn't use if the server was down anyway. That makes me feel MUCH better! :-( >In the end I had to pay to get a solution to thisMost of us do. What I suspect you are talking about paying for is a certificate that will work outside your own LAN, e.g. from GoDaddy or Verisign. In my case I paid MS to fix my internal certificate. The exact switches involved enabling the certificate for IIS and including AutoDiscover. Exchange doesn't require IIS 6 compatibility and installing other "stuff" on an Exchange server usually results in, well, let's just say it doesn'tusually work out well. I can't justify another $15,000 worth of server to my client just to account for the fact that Exchange can't coexist with other applications. For that amount I could write them their own customised shared calendar program and just host the email externally. Plus, the only thing we're talking about that's been installed on the server is a couple of SQL databases here - I have no idea why/when/who/how IIS 6 would have been activated unless it was an option I ticked during setup. I don't mess with servers like clients; I just run the installers from MS, read carefully, and press 'Next', 'Next'... While I do have problems with SBS (not the least of which is I wish I'd waited for R2) I blame Exchange itself for being unable to install correctly on that platform and Outlook for being such a pain about a setting that never mattered. I'd have to ask why you're using Exchange at all!I've asked myself that question numerous times in the last few weeks. :-D Thanks again, catch you around. Aaron.If a product has faults the onus rests on the original manufacturer to solve problems arising because of that fault.

Rich: Thank you for having the patience to continue to respond in this thread. Your assistance helped me solve this issue, which I was also having. I do understand this is an Exchange forum, but you should share these experiences with any cohorts on the SBS team, as it is definitely a repeatable and reproducable bug in Exchage 2007/SBS 2008 setups. Here are some of the issues I encountered: 1. The RPC Virtual Directory is under "SBS Web Applications" which runs on port 80. Exchange is, per get-OfflineAddressBook, expecting it to be in "Default Web Site" which by default runs on port 82. Since I couldn't figure out how to make Exchange look in the right location for the RPC virtual directory, i created an identical RPC virtual directory under the Default Web Site. This immediately caused an error to disappear from powershell, and caused the 0X8004010F to stop and caused outlook to now just hang on "Download Offline Address Book". 2. Generating the SSL cert doesn't appear to work out of the box. I had to regenerate an SSL cert with all the applicable SANs, install the Certificate Services web component, submit and issue the certificate from there, and re-import it into Exchange. 3. Finally, I'm not sure why OAB requires SSL. I had that turned off for a long time in my self-troubleshooting. Perhaps this is the sort of configuration issue that Best Practices Analyzer could catch? Maybe this is addressed in Exchange 2010 already. Just a suggestion. However, after fixing the RPC directory, reissuing the certificate, and turning on SSL w/ ignore client certificates, my OAB issues are all gone. Again, thank you for having the patience to continue to respond. Your information and suggestions helped me, and I appreciate it. Stephen Martin Network Administrator Applied Medical Technology, Inc.

On Mon, 19 Apr 2010 12:59:22 +0000, Screevo wrote:>Rich: Thank you for having the patience to continue to respond in this thread. Your assistance helped me solve this issue, which I was also having. I do understand this is an Exchange forum, but you should share these experiences with any cohorts on the SBS team, Sorry. I don't have any of those. :-)>as it is definitely a repeatable and reproducable bug in Exchage 2007/SBS 2008 setups. Here are some of the issues I encountered:>>1. The RPC Virtual Directory is under "SBS Web Applications" which runs on port 80.There can be an identically named virtual directory in every web site.I expect that SBS may be using the RPC proxy for web services otherthan Exchange.>Exchange is, per get-OfflineAddressBook, expecting it to be in "Default Web Site" which by default runs on port 82.Ewww . . .>Since I couldn't figure out how to make Exchange look in the right location for the RPC virtual directory, i created an identical RPC virtual directory under the Default Web Site. This immediately caused an error to disappear from powershell, and caused the 0X8004010F to stop and caused outlook to now just hang on "Download Offline Address Book".I'm not sure how Outlook would know to use port 82.>2. Generating the SSL cert doesn't appear to work out of the box. I had to regenerate an SSL cert with all the applicable SANs, install the Certificate Services web component, submit and issue the certificate from there, and re-import it into Exchange.The cert that's installed when you install Exchange has only a singlename. Outlook should ignore the name mismatch, at least when you'reconnecting on your LAN.>3. Finally, I'm not sure why OAB requires SSL. Access to the OAB VD doesn't allow anonymous access. SSL protects thecredentials from prying network monitors.>I had that turned off for a long time in my self-troubleshooting. Perhaps this is the sort of configuration issue that Best Practices Analyzer could catch? Maybe this is addressed in Exchange 2010 already. Just a suggestion. However, after fixing the RPC directory, reissuing the certificate, and turning on SSL w/ ignore client certificates, my OAB issues are all gone.I'm sure there was a heart-felt "thank ghod" when it all startedworking. :-)---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP

Heh, Unfortunately when I installed SP2 last night, now it's not working again. :-/ Edit: Ok. I have it so it at least attempts to download the OAB, but now (and this didn't happen prior to the SP2 update last night), it gets to "Decompressing Offline Address Book Files". At first it shows 2 minutes, then 5, then 14... 15... 17... Right now it's still going on my PC. Any ideas on how to deal with this issue? Edit 2: And now, after a few more tweaks, it's just taking forever on "Copying Offline Address Book Template File".