Multiple Exchange 2013 servers - ecp redirects on second server

Hello

A client of ours has an Exchange 2013 environment consisting of 2 Server 2012 Standard servers running Exchange 2013 SP1 setup in a failover DAG. The servers are on different sites linked with a fibre connection (different subnets but can see each other fine).

We've noticed that if we try to access the ECP on the second server via "https://secondserver/ecp/" it brings up the logon page but when we log in with the admin account it redirects us to the account's OWA page. The OWA is reached through the external name for the firstserver (mail.domain.com) which has an internal DNS entry on the domain to link to the internal IP address (issues with certificate and external DNS forced us to do this).

If we log onto the first server via "https://firstserver/ecp/" it brings up the logon page then brings up ECP fine. We can manage both servers from the ECP fine but if the link between the sites goes down we can't access the ECP for the second server at all (we just get a "page cannot be displayed" as it tries to redirect to the first server's external OWA URL).

I've checked IIS and there seems to be no redirect in place that we can tell. DNS seems to be fine (no errors) and both servers have different external URLs set for virtual directories. There's NO Exchange 2010 server at all - it's purely 2013.

I've also re-created the ECP directory, this had no effect at all.

Running out of ideas so hoping someone can let us know what may be causing this or at least point us in the right direction. The client doesn't want to start replicating the databases until this issue is fixed.

Many thanks in advance for assistance given.

Regards,

April 28th, 2014 3:05pm

Hi
I would suggest you run the below command to find the EWS internal URL:
Get-EWSVirtualDirectory | fl Name,InternalUrl

Also you can try the below URL and most likely it should work:
https://casserverfqdn/ecp?ExchClientVersion=15
April 28th, 2014 6:22pm

Hi Andy,

Please run the following command to check your OWA and ECP virtual directory configurations:

Get-EcpVirtualDirectory -ShowMailboxVirtualDirectories | FL Identity,internalURL,externalURL,InternalAuthenticationMethods

Get-OwaVirtualDirectory -ShowMailboxVirtualDirectories | FL Identity,internalURL,externalURL,InternalAuthenticationMethods

It seems that your administrator mailbox is located on the first Exchange 2013 server. Please try to log in to the second Exchange 2013 server as an administrator by using https://localhost/ecp on the second machine.

Thanks,

April 29th, 2014 9:54am

Hi

Thanks for your responses.

1. Get-EWSVirtualDirectory is showing as an unsupported command.

2. Tried the client version string on the URL but this has no effect. Both servers are running the same version of exchange and there is no exchange 2010/2007 server active in the domain.

3. I ran the OWA/ECP commands and got:

Identity: <server1>/ecp (exchange back end)
InternalUrl & ExternalUrl: blank
Authentication: NTLM, WindowsIntegrated

Identity: <server1>/ecp (Default Web Site)
InternalURL: https://mail.domain.com/ecp
ExternalURL: https://mail.domain.com/ecp
Authentication: Basic, FBA

Identity: <server2>/ecp (exchange back end)
InternalUrl & ExternalUrl: blank
Authentication: NTLM, WindowsIntegrated

Identity: <server2>/ecp (Default Web Site)
InternalURL: https://mailbackup.domain.com/ecp
ExternalURL: https://mailbackup.domain.com/ecp
Authentication: Basic, FBA

Identity: <server1>/owa (exchange back end)
InternalUrl & ExternalUrl: blank
Authentication: NTLM, WindowsIntegrated

Identity: <server1>/owa (Default Web Site)
InternalURL: https://mail.domain.com/owa
ExternalURL: https://mail.domain.com/owa
Authentication: Basic, FBA

Identity: <server2>/owa (exchange back end)
InternalUrl & ExternalUrl: blank
Authentication: NTLM, WindowsIntegrated

Identity: <server2>/owa (Default Web Site)
InternalURL: https://mailbackup.domain.com/owa
ExternalURL: https://mailbackup.domain.com/owa
Authentication: Basic, FBA

ALL mailboxes (including the administrator) currently reside on Server1. Server2 is set up as a DAG member to replicate the mailboxes over and use as failover in the event Server1 develops a problem.

Do we need a separate admin account mailbox on server2 to access the ECP on there? (If I log onto the second server and go to "https://mail.domain.com/ecp" I can get onto the ECP on server1 using the admin account but if the link is down this does not work).

April 29th, 2014 10:52am
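The virtual directory output above is the normal Exchange 2013 shape (front-end vdirs carry the namespace URLs and Basic/FBA, back-end vdirs carry no URLs and NTLM), and checking it by eye across several servers is error-prone. The following script is an added example, not code from this thread, that runs the same two cmdlets and flags any vdir that deviates from that pattern, including a namespace that does not resolve in DNS, which is what produces "page cannot be displayed" after a cross-site redirect. It assumes the Exchange Management Shell; the server-to-hostname map in the usage line is a placeholder built from the names in the thread.

```powershell
# Added example (not from the thread): audit ECP/OWA virtual directories across all servers.
# Assumes it runs inside the Exchange Management Shell on an Exchange 2013 server.

function Get-ClientAccessVdirReport {
    param(
        # Optional map of server name -> hostname you expect in that server's front-end URLs
        # (placeholder values; fill in from your own namespace design)
        [hashtable]$ExpectedHost = @{}
    )

    $vdirs = @(Get-EcpVirtualDirectory -ShowMailboxVirtualDirectories) +
             @(Get-OwaVirtualDirectory -ShowMailboxVirtualDirectories)

    foreach ($v in $vdirs) {
        $identity  = $v.Identity.ToString()                 # e.g. 'SERVER1\ecp (Default Web Site)'
        $isBackEnd = $identity -like '*Exchange Back End*'
        $auth      = @($v.InternalAuthenticationMethods | ForEach-Object { "$_" })
        $findings  = @()

        if ($isBackEnd) {
            # Back-end vdirs are reached only through the front-end proxy; their URLs stay blank
            if ($v.InternalUrl -or $v.ExternalUrl) { $findings += 'back-end vdir has a URL set' }
            if ($auth -notcontains 'Ntlm')           { $findings += 'back-end vdir is missing NTLM' }
        }
        else {
            if (-not $v.InternalUrl)      { $findings += 'front-end InternalUrl is blank' }
            if (-not $v.ExternalUrl)      { $findings += 'front-end ExternalUrl is blank' }
            if ($auth -notcontains 'Fba') { $findings += 'front-end vdir is not using forms-based auth' }

            # Does the namespace in the URL match the host intended for this server, and does it resolve?
            $server = $v.Server.ToString()
            if ($v.InternalUrl) {
                $actualHost = $v.InternalUrl.Host
                if ($ExpectedHost.ContainsKey($server) -and $actualHost -ne $ExpectedHost[$server]) {
                    $findings += "InternalUrl host '$actualHost' differs from expected '$($ExpectedHost[$server])'"
                }
                try   { [void][System.Net.Dns]::GetHostAddresses($actualHost) }
                catch { $findings += "InternalUrl host '$actualHost' does not resolve from here" }
            }
        }

        [pscustomobject]@{
            Identity    = $identity
            Role        = if ($isBackEnd) { 'BackEnd' } else { 'FrontEnd' }
            InternalUrl = "$($v.InternalUrl)"
            ExternalUrl = "$($v.ExternalUrl)"
            Auth        = ($auth -join ', ')
            Findings    = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Usage (placeholder server names and hostnames taken from the thread): show only vdirs with findings
Get-ClientAccessVdirReport -ExpectedHost @{ SERVER1 = 'mail.domain.com'; SERVER2 = 'mailbackup.domain.com' } |
    Where-Object { $_.Findings -ne 'OK' } | Format-Table -AutoSize
```

Run it from each site in turn: the DNS check reflects the resolver of the machine it runs on, so a namespace that resolves from site one and not from site two is exactly the split-brain condition the original post describes when the inter-site link is down.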

Try to have one CAS and one mailbox role in one site and one CAS and one mailbox in the second site, and of course put both mailbox servers in a DAG. Actually your mailbox administrator in this case resides on server1 and ECP tries to connect to the mailbox on server1 as it has the active database. If you do a DAG failover and the database gets shifted to server2 then you will be able to log in to ECP via server2. Actually when the link goes down, DAG failover does not happen and ECP does not find the active database or the mailbox.
April 29th, 2014 12:30pm

Hi Andy,

According to your posting, your virtual directories should be configured correctly on your server side. Please restart the IIS service by running iisreset /noforce from a command prompt window. Then double-check that you can access your second server's EAC by using https://mailbackup.domain.com/ecp.

If the issue persists, please ping your mailbackup.domain.com to get a proper IP address. Then try using https://<IPaddress>/ecp to access EAC. If it doesn't work, we can go to ADUC > Microsoft Exchange Security Groups. Manually add the admin account which is used to access EAC into the following groups:

Server Management

Recipient Management

Organization Management

Hope it works.

Thanks,

April 30th, 2014 8:11am

Hi Andy,

I just want to make sure if you have obtained the opportunity to test the solution. If anything is unclear with the previous information I've provided to you, please don't hesitate to let me know.

Regards,

May 2nd, 2014 3:11am

Hello

I've tried the suggestions made and the outcome is as follows:

1. IIS has been reset multiple times. The actual correct EAC logon screen does show up whether I use FQDN or IP, it's just after typing in username and password that it gets auto-redirected.

2. The admin account was already a member of those groups. 

I created a new admin account and put its mailbox on the second Exchange server in a new database. When trying to access the EAC that opens up the new admin account's own options but not the enterprise options.

Qaiser's response does make a bit more sense (from what I know of Exchange 2013 and the way it handles mailboxes) - I may organise with the client to set up the mailbox copies and then fully try the DAG failover, hopefully the connection should work correctly at that point.

May 2nd, 2014 8:25am

Hi Andy,

Thank you for your updates.

This is a quick note to let you know that I am trying to involve someone familiar with this topic to further look at this issue.

Regards,

May 5th, 2014 9:38am

Hello Andy,

Please check if there's any redirection on the Default Web Site, the ecp virtual directory, the OWA virtual directory, or the Exchange Back End site.

Sent By

Silver

May 6th, 2014 1:58am

Hi Silver

I've checked all of them and there's no redirections in place on any of those virtual directories.

We've set up the database copies which have replicated fine, we're currently organising with the client to power down the primary Exchange server and force the email to fail over to the secondary server. When this happens we can take a look to see if the ECP works at that time as per one of the previous posts.

May 7th, 2014 8:49am

Hello Andy,

OK, you can test it and keep us updated. We will wait here.

Sent By

Silver

May 7th, 2014 9:10am

Hello Andy,

Any update?

Sent By

Silver

May 13th, 2014 7:24am

Hi Silver

Not as yet. The IT manager at our client is on holiday and doesn't want us doing anything until he gets back - hopefully will get to test it by end of next week.

May 13th, 2014 8:50am

Hello Andy,

OK. We can monitor for one week.

Sent By

Silver

May 13th, 2014 9:43am

Hi

Our client inadvertently caused a failover on the Exchange systems this morning by shutting down the primary Exchange server. Unfortunately we still couldn't access the EAC when this happened.

When the second server became active and all mailbox DBs moved (and were healthy) I tried to access the EAC - all we got was either the OWA interface for the admin mailbox or the OWA settings for the admin account - we couldn't get onto the Exchange organisation settings.

I managed to move the active database back to the primary server using PowerShell and we can now access EAC again but really need to get this issue resolved before we can sign off as complete.

Regards,

Andy

May 15th, 2014 8:28am

Hello Andy,

Thanks for your update.

From your description, I know that when logging in to EAC using the admin account, it returns the OWA interface or the OWA settings. Could you check what the URL is at that time?

If we create another admin account, add this account to the following groups, and use this account to access EAC, what is the result?

  • Enterprise Admin
  • Organization Management
  • Recipient Management
  • Schema Admins
  • Domain Admins

Please try the above steps and let us know the results. Thanks!

Sent By

Silver

May 15th, 2014 9:10am

Hi Silver

I set up a new admin account with that group membership but am still having the same issue. To confirm what is happening (when Server1 is set to active):

If I log onto https://server1.domain.com/ecp/ with an admin account I can access the EAC fine.

If I log onto https://server2.domain.com/ecp/ with an admin account it redirects me back to https://server1.domain.com/owa

If the exchange DAG fails over to Server2:

If I log onto https://server1.domain.com/ecp/ with an admin account it redirects me to https://server2.domain.com/owa

If I log onto https://server2.domain.com/ecp/ it opens up the settings for the admin account, but not for the Exchange organisation.

As far as I can see there are no redirects in place on IIS at all. At the moment if Exchange fails over I have to manually fail it back to Server1 via PowerShell, then I can access EAC again on server1. Obviously if server1 goes down completely we lose all access to the EAC.

May 16th, 2014 1:15pm

Hello Andy,

Thanks for your reply.

For the URL redirect, this is because the mailbox location is determined to be in another Active Directory site and there are CAS2013 servers in that site that have the ExternalURL populated. In this situation, the redirection will go to the CAS server in that site. Therefore, the phenomenon is common.

On the other hand, I know that when the active database fails over to server 2, the user will open the settings for the admin account, not the organization settings. Based on my experience, this is related to a permission issue. Could you let the newly created account try to log in to ECP when the DAG has failed over to server2 and get a screenshot of it?

Thanks

Sent By

Silver

May 17th, 2014 3:23am

Hi Silver

My client allowed us to do a failover earlier this morning. I went to the https://server2.domain.com/ecp/ address and logged in using both admin accounts. In both cases the result was the same and we got the ECP for just the user account, not the organization.

Just to confirm the exchange servers are both at different sites but are part of the same AD domain.

May 20th, 2014 7:38am

Hello Andy,

After testing in my lab, I find that if the user account doesn't have enough permission on the ecp files, the same phenomenon occurs as in your case. In light of this, please go to the following location and right-click the ecp folder -> Security -> add the admin account with Full Control permission. Wait for some time and try to log in again to see if it is working.

Thanks!

Sent By

Silver

May 22nd, 2014 8:04am


Hi Silver

I applied the permissions to that folder yesterday on both servers for both the admin accounts we have. Unfortunately when I fail over the databases and try to access the EAC I'm still only getting the ECP for the admin account on the second server, not the organization ECP. This happens with both admin accounts.

May 23rd, 2014 9:00am

Hello Andy,

If it is still not working, we can try to add Full Control permission for the two accounts on the folder one level above the ecp folder, wait for some time to let the permission be applied, and see if it is working.

Sent By

Silver

May 23rd, 2014 9:29am


Hello Andy,

Did it work?

Sent By

Silver

May 27th, 2014 9:30am

Hi Silver

I've been out of the office for the past few days so haven't had a chance to try this yet. I should be able to apply the permissions later today and then do a failover test again.

May 29th, 2014 11:06am

Success! I can now access the EAC (enterprise) on the second server using the localhost address once the database has failed over (a bit slow to load but it does get there).

Many thanks for your help on this Silver.

May 29th, 2014 4:20pm

Hi Andy,

Great! I am glad to hear that it is working in your environment. Congratulations!

Sent By

Silver

May 30th, 2014 12:57am

Andy, are you only able to access EAC on the second server when the DB fails over? Or, can you access it even if the prod server is up and primary?
December 2nd, 2014 5:07pm

Yes, the EAC/OWA will automatically redirect your connection to the server where the mailbox is currently active, so in this case if the admin account mailbox is active on Server1 then I can only access the EAC on server 1.

If I want to access it on server2 then I have to fail the database over or move the admin account to a mailbox database active on server2.

I've found that if you need to do something specific on the passive server then you can either do a lot of things through the EAC on the active server or it would need doing via PowerShell on the passive server directly.

December 2nd, 2014 5:15pm
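The answer above captures the behaviour the whole thread circles around: a browser session to /ecp lands on whichever server holds the active copy of the admin mailbox's database, while remote PowerShell can be pointed at a specific server regardless of database placement. The script below is an added example, not code from this thread or from Microsoft, that makes both facts actionable: it reports which server currently has the mounted copy of an admin mailbox's database (and therefore which /ecp namespace will show the organization EAC), and it opens a management session directly against a named server. It assumes the Exchange Management Shell on a domain-joined machine with Kerberos available; 'exadmin' and server2.domain.com are placeholders.

```powershell
# Added example (not from the thread): locate the active copy of an admin mailbox's database
# and open a remote shell against a chosen Exchange 2013 server. Mailbox alias and server FQDN
# are placeholders. Assumes the Exchange Management Shell.

function Get-AdminEcpTarget {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx    = Get-Mailbox -Identity $Identity
    $dbName = $mbx.Database.Name
    $copies = @(Get-MailboxDatabaseCopyStatus -Identity $dbName)

    # Exactly one copy of a DAG database reports 'Mounted'; that is the active copy the
    # front-end proxy sends this mailbox's OWA/ECP requests to
    $active  = $copies | Where-Object { "$($_.Status)" -eq 'Mounted' } | Select-Object -First 1
    $passive = $copies | Where-Object { "$($_.Status)" -ne 'Mounted' } |
               ForEach-Object { "$($_.MailboxServer) ($($_.Status))" }

    if (-not $active) { throw "No mounted copy found for database '$dbName' (is it dismounted or failing over?)" }

    # Without -ShowMailboxVirtualDirectories only the front-end ECP vdir is returned; its
    # InternalUrl is the namespace a browser should use to reach the organization EAC
    $ecp = Get-EcpVirtualDirectory -Server $active.MailboxServer | Select-Object -First 1

    [pscustomobject]@{
        Mailbox       = "$($mbx.PrimarySmtpAddress)"
        Database      = $dbName
        ActiveServer  = "$($active.MailboxServer)"
        PassiveCopies = ($passive -join ', ')
        EcpUrl        = "$($ecp.InternalUrl)"
    }
}

function Connect-ExchangeServerShell {
    param([Parameter(Mandatory)][string]$ServerFqdn)

    # Remote PowerShell to one server's /PowerShell virtual directory with Kerberos. This does
    # not depend on where any mailbox database is active, so it still works against the passive
    # server when the EAC on it only shows the user's own options.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
                             -ConnectionUri "http://$ServerFqdn/PowerShell/" `
                             -Authentication Kerberos
    Import-PSSession -Session $session -DisableNameChecking | Out-Null
    return $session
}

# Usage (placeholders): which server will answer /ecp for this admin, and which URL to browse to
Get-AdminEcpTarget -Identity 'exadmin' | Format-List

# A shell bound to the second server for work that has to run there; remove it when finished
$s = Connect-ExchangeServerShell -ServerFqdn 'server2.domain.com'
Get-MailboxDatabaseCopyStatus -Server 'server2.domain.com' | Format-Table Name, Status, CopyQueueLength -AutoSize
Remove-PSSession -Session $s
```

The design choice here is to treat the EAC as a view onto the active mailbox rather than a per-server console: the first function tells you where that view will appear, and the second gives a server-specific path that does not rely on the EAC at all, which is the fallback the answer above recommends when the primary server is down.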

Hello all,

"Yes, the EAC/OWA will automatically redirect your connection to the server where the mailbox is currently active so in this case if the admin account mailbox is active on Server1 then I can only access the EAC on server 1." -can anybody post a link to a msdn/technet article stating it?

Regards,

Michael

May 29th, 2015 6:57am

I'm not aware of anything that states that officially Michael but Exchange 2013 does work differently from the way earlier versions did - all client access is now directed to whichever server the corresponding mailbox database is active on.

I've not come across anything that shows it's possible to log onto each server's EAC separately with the same account without failing over the databases as (providing Exchange is working correctly) you can administer all the Exchange servers in a domain from the EAC on just one server.

June 3rd, 2015 11:42am

Hello Andy,

"I'm not aware of anything that states that officially..." - neither am I, and in this case the statement "all client access is now directed to whichever server the corresponding mailbox database is active on." is just a reflection of what Exchange administrators see, not knowing whether it is by design or not... Sounds weird to me...

Regards,

Michael

June 3rd, 2015 2:09pm
