
Question: Autodiscover SCP on account forest

  • Wednesday, October 21, 2009 8:33 AM Xavi Rodríguez
     
    Hi,

    In our environment we have 2 Mailbox, 1 Hub and 1 CAS. The CAS server had a Verisign certificate with the name "exchange.domain.com". All user clients for this forest can connect correctly and Autodiscover is found by SCP.

    Actually we will use this forest as a resource forest for 400 additional users on an account forest. There is a domain trust and we checked http://technet.microsoft.com/en-us/library/bb331973.aspx to open the necessary ports across the firewalls.

    Users on the account forest can manually configure Outlook with Outlook Anywhere without any error, but Autodiscover didn't work. To solve this I ran Export-AutodiscoverConfig on the Hub server and this wrote to the account forest AD. I checked, following this entry http://msexchangeteam.com/archive/2008/02/13/448127.aspx, the keywords and ServiceBindingInformation and they look OK, but if I use the Test E-mail AutoConfiguration method in Outlook it didn't try to check the SCP, only autodiscover.smtpdomain.com, the redirect URL and DNS SRV.

    What can I try to solve this issue? Thanks!!

All Replies

  • Wednesday, October 21, 2009 8:48 PM Jon-Alfred Smith
     

    Initially we also had some problems getting this to work. Take a look at this document. Here you have

    * the Fourthcoffee.com Exchange 2007 Resource forest
    * the user accounts are located in the Nwtraders.com Accounts forest.

    Configuration tips and common troubleshooting steps for multiple forest deployment of Autodiscover service
    http://msexchangeteam.com/archive/2008/02/13/448127.aspx


    Jon-Alfred Smith MCTS: Messaging | MCSE: S+M
  • Wednesday, October 21, 2009 10:39 PM Xavi Rodríguez
     

    I followed this article the first time but I will re-read this documentation. Also, is there any difference if I run the cmdlet "Export-AutodiscoverConfig" on a Hub Transport?

    How can I know why the computer joined to the account forest didn't follow the SCP in its domain?

    Thanks

  • Thursday, October 22, 2009 10:27 AM Jon-Alfred Smith
     

    It's stated quite clearly that you have to do it on a Client Access Server:

    If your Exchange deployment has two or more trusted forests, you must update the Active Directory directory service so that users who are running Microsoft Office Outlook 2007 in one forest can access the Client Access servers in the remote (or target) forest to use the Autodiscover service. To do this, run the Export-AutodiscoverConfig cmdlet in each forest that contains the Client Access servers that are providing the Autodiscover service against the target forests. This will configure the service connection point (SCP) information for the Autodiscover pointer in Active Directory.
    http://technet.microsoft.com/en-us/library/aa996849.aspx

    The Export-AutoDiscoverConfig cmdlet lets you create or update a Service Connection Point (SCP) for an Autodiscover service pointer in a target Exchange forest on a Microsoft Exchange Server 2007 computer that has the Client Access server role installed.
    http://technet.microsoft.com/en-us/library/aa998832.aspx

    As to your second question, I'm not sure.


    Jon-Alfred Smith MCTS: Messaging | MCSE: S+M
  • Thursday, October 22, 2009 12:42 PM Xavi Rodríguez
     
    Thanks Jon,

    Actually this cmdlet didn't work from the CAS server, only from Hub and Mailbox. I followed this article to determine which ports must be opened, http://technet.microsoft.com/en-us/library/bb331973.aspx

    I'm sure that it is a network ports issue. Do I need these ports to be open from the CAS to the account forest DCs:

    389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon)?

  • Thursday, November 05, 2009 6:31 PM Xavi Rodríguez
     
    Hello,

    Finally our firewall team opened the necessary ports for the CAS server.

    I ran the script export-autodiscoverconfig -TargetForestDomainController accountdc.Acdomain.net -TargetForestCredential $a -MultipleExchangeDeployments $false and the entry was written in the AD account domain.

    I ran the Test E-mail AutoConfiguration method in Outlook and it still didn't try to check the SCP.

    The resource forest Exchange has a name like domain.lan.es and has multiple SMTP domains as authoritative.

    Any help will be appreciated, thanks!!
  • Friday, November 27, 2009 5:47 AM Jon-Alfred Smith
     

    Finally I’ve had a chance to test this again. We are about to migrate some 900 new mailbox users. I’m using exactly the same command as you:

    # User: <target-domain>\<user>
    # Pwd: ********
    $a = Get-Credential

    Export-AutoDiscoverConfig -TargetForestDomainController DC.target-domain.com `
        -TargetForestCredential $a -MultipleExchangeDeployments $false

    We do also have multiple authoritative domains. The new users authenticate with their own domain controllers and get their Outlook 2007 settings through the exported service connection point on their DCs. The Test E-mail Autoconfiguration shows they do check the SCP. New profile creations show that they use the new information. Another test on Outlook is Tools, Account Settings, Repair (which forces a new Autodiscover). We don't have firewalls. This is most likely to be the difference.

    Do your clients actually connect to the Exchange server with MAPI / RPC? I would think they don't, but use RPC over HTTPS instead. If so, this would mean a new firewall issue, this time from Outlook to Exchange. The main problem is 135/tcp (endpoint mapper) in the communication. By default all ports over 1023 need to be open (you might be able to restrict it to fewer ports).



    MCTS: Messaging | MCSE: S+M | Small Business Specialist
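
One way to check, from a domain-joined client in the account forest, whether the Autodiscover SCP pointer written by Export-AutodiscoverConfig is visible to that client and what it points to. This is an added example, not code from the thread: the function name Get-AutodiscoverScp is hypothetical, and the two keyword GUIDs are the well-known values Exchange stamps on Autodiscover SCP records.

```powershell
# Added example: list Autodiscover SCP records in the forest this session binds to.
# Run as a normal user on a client in the account forest; if nothing comes back,
# Outlook on that client has no SCP to follow and falls through to DNS-based lookup.

# Well-known keyword GUIDs on Autodiscover SCP objects
$ScpUrlGuid     = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'  # SCP carrying an Autodiscover URL
$ScpPointerGuid = '67661d7F-8FC4-4fa7-BFAC-E1D7794C1F68'  # pointer SCP to another forest

function Get-AutodiscoverScp {
    param(
        # Optional DC to query; by default the logon domain's DC locator is used
        [string]$Server
    )

    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI]("${prefix}RootDSE")
    $configNc = [string]$rootDse.Properties['configurationNamingContext'][0]

    $searcher            = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("${prefix}${configNc}")
    $searcher.PageSize   = 100
    $searcher.Filter     = "(&(objectClass=serviceConnectionPoint)" +
                           "(|(keywords=$ScpUrlGuid)(keywords=$ScpPointerGuid)))"

    foreach ($result in $searcher.FindAll()) {
        $keywords = @($result.Properties['keywords'])
        [pscustomobject]@{
            # -contains is case-insensitive, so GUID casing differences do not matter
            Type                      = if ($keywords -contains $ScpPointerGuid) { 'Pointer' } else { 'Url' }
            DistinguishedName         = [string]$result.Properties['distinguishedname'][0]
            # Pointer: LDAP path into the resource forest. Url: the Autodiscover HTTPS endpoint.
            ServiceBindingInformation = @($result.Properties['servicebindinginformation']) -join '; '
            Keywords                  = $keywords -join '; '
        }
    }
}

# Query the current forest and show every record in full
Get-AutodiscoverScp | Format-List
```

A pointer record only helps if the client can also reach the LDAP path in its ServiceBindingInformation, so an empty result and a pointer that cannot be followed through the firewall are two separate failure cases to rule out.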