Exchange 2007 Co-Existence with Exchange 2000 - Free / Busy lookup failure via the AS
Hi there,
I am in the middle of a co-existence scenario between an Exchange 2000 cluster, a temporary stand-alone Exchange 2003 bridgehead server (as Exchange 2007 wouldn't install with only a 2000 cluster nominated as the legacy routing group bridgehead, due to lack of AD computer object for it!!) and 2 x CA / HT boxes and 2 x CCR Cluster Nodes.
Now, aware of the concerns with enabling Public Folder Replication in conjunction with CCR Replication, I have not and do not want to enable PF replication at this stage. It is our plan that all user mailboxes and public folders will be archived by Symantec Enterprise Vault prior to migrating user mailboxes across to Exchange 2007 in order to reduce mailbox sizes and to get rid of Public Folders prior to Going live with E2K7.
So, my issue is: From an Outlook 2007 client hosted on Exchange 2007 and which uses the Availability Service for Free / Busy lookups to legacy mailboxes, the Free / Busy lookup fails and displays blank. Event 4003 from MSExchange Availability is then logged on the respective CAS box, once trying to enumerate the URL to the Exchange 2007 CCR Cluster, then again to the Exchange 2003 box and finally to the Exchange 2000 cluster. If I add the 'UseLegacyFB' registry key to the outlook client, the Free / Busy lookup works fine. I do not want to add this for all clients however, as we would prefer to be using the AS once we migrate some pilot users across to Exchange 2007. I have also tried disabling SSL and 128-bit encryption on the /public Vdirs on the E2K7 CAS boxes, but the event 4003 still gets logged. In addition, I do not want to enable PF Replication at all due to the CCR issue mentioned previously.
I am looking for suggestions on whether Free / Busy lookups from E2K7 mailboxes to legacy Exchange mailboxes is going to be possible without replicating the legacy Free/Busy System Folder to E2K7 CCR, using the Availability Service? Can we work around these 4003 event errors from appearing?
Exchange 2007 SP1 Update Rollup 9 is installed on both CAS/HT's and both CCR Nodes.
All suggestions welcomed!!!
Many thanks for your assistance in advance.
Regards,
MSE Blogger.
All Replies
- Have you seen below?
Exchange 2007 Users Unable to See Free/Busy Information for Mailboxes on Exchange 2003 Server
http://technet.microsoft.com/en-us/library/cc540460.aspx
Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
- Hi,
Would you please post the entire 4003 event here for further research?
Thanks,
Mike
- Sure, here is a paste of the 4003 events in order when attempting a Free / Busy lookup from Outlook 2007 via the AS. Attempts to E2K7 first, then E2K3 then E2K:
Process 3928[w3wp.exe:/LM/W3SVC/1/ROOT/EWS-1-128986259152141337]: Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequest failed. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequestProcessingException: The remote server returned an error: (404) Not Found.. The request information is http://E2K7ClusteredMailboxServerName.subdomain.InternalDNSDomainName/public/?Cmd=freebusy&start=2009-08-30T23:00:00Z&end=2009-10-11T23:00:00Z&interval=30&u=EMAIL REMOVED.. The Availability service could not successfully retrieve Schedule+ free/busy data for one or more legacy Exchange mailboxes. To find the root cause of this error, increase the diagnostic logging level of the MSExchange Availability service.
Process 3928[w3wp.exe:/LM/W3SVC/1/ROOT/EWS-1-12898625915141337]: Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequest failed. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequestProcessingException: The remote server returned an error: (404) Not Found.. The request information is http://E2K3TempServer.subdomain.InternalDNSDomainName/public/?Cmd=freebusy&start=2009-09-14T11:00:00Z&end=2009-10-14T11:00:00Z&interval=30&u=EMAIL REMOVED.. The Availability service could not successfully retrieve Schedule+ free/busy data for one or more legacy Exchange mailboxes. To find the root cause of this error, increase the diagnostic logging level of the MSExchange Availability service.
Process 3928[w3wp.exe:/LM/W3SVC/1/ROOT/EWS-1-128986259152141337]: Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequest failed. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequestProcessingException: The remote server returned an error: (404) Not Found.. The request information is http://E2KSingleCopyClusterEVS.subdomain.InternalDNSDomainName/public/?Cmd=freebusy&start=2009-08-30T23:00:00Z&end=2009-10-11T23:00:00Z&interval=30&u=EMAIL REMOVED.. The Availability service could not successfully retrieve Schedule+ free/busy data for one or more legacy Exchange mailboxes. To find the root cause of this error, increase the diagnostic logging level of the MSExchange Availability service.
Note: Server Names altered for security reasons.
Please note that when turning up the diagnostic logging as indicated in the event, no extra events or warnings are logged to indicate what the problem might be. Some additional information that may be useful for this:
If you browse to the E2K7 URL above via IE, the Public Folders OWA page is launched.
If you browse to the E2K3 URL above via IE, the Public Folders OWA page is launched.
If you browse to the E2K URL above via IE, an HTTP 404 Page Not Found page is displayed.
I look forward to hearing further.
Many thanks and kind regards,
MSEBlogger.
Hi Vinod,
Thank you for your reply.
OK, so as per your article quote, which states:
"The two causes of the problem are as follows:
- By default, the option "Require secure channel (SSL)" is selected on the certification authority (CA) server public folder virtual directory. This issue can occur if the common name on the certificate doesn't match the fully qualified domain name (FQDN) of the URL that is stored on the InternalURL attribute of Exchange Web Service.
- Forms-based authentication is enabled on Exchange Server 2003. For more information about forms-based authentication, see How to Configure Forms-Based Authentication for Outlook Web Access."
Point 1 references that the common name on the cert doesn't match the 'Internal FQDN' of the URL stated in 'InternalURL' attribute. This is correct, and our UCC cert common name is 'Mail.Domain.tld' and is different from that stated in the 'InternalURL' attribute, which is 'InternalServerName.InternalDomain.tld'. I have followed the procedure to modify the InternalURL attribute on both CAS Servers, and restarted IIS Admin Service. I restarted Outlook 2007 using AS and attempted to view Free / Busy again, but the same events are logged. Is it possible that this is still not working because the 'Availability Service' URL is still pointing to the 'InternalServerName.InternalDomain.tld' and therefore the same problem exists at present? Naturally, I can change the AS Internal URLs if needs be for testing also.
Point 2 is not applicable and there is no forms based authentication enabled in Exchange 2000.
Is there anything else that I can do to troubleshoot this? I have already posted the exact contents of the events as requested by the Moderator below.
Many thanks and kind regards,
MSEBlogger.
- Hi,
The error 404 means the /public virtual directory of the target server was not found. This usually means that the target server is either offline or doesn’t contain a replica.
Therefore, would you please let me know whether the Exchange 2003 server has replication of the Free/Busy public folder?
For Exchange 2000 cluster, if you have several Web Sites enabled, please refer to following KB article to check whether the correct host header is configured for the Exchange Virtual Server Web Site on the Active Node:
How to configure host header and authentication information in Exchange 2000 Server or Exchange Server 2003 Outlook Web Access on a Windows Server 2003 or Windows 2000 server cluster
http://support.microsoft.com/kb/287726/en-us
Thanks,
Mike
Hi Mike,
Thank you for your response.
The Exchange 2003 Server does NOT contain any public folder replicas, and this is as I would expect. Since this is only a temporary box for routing between legacy Exchange and Exch 2007, I did not want to depend upon this box for anything else.
I will check the host header information for OWA on the Exchange 2000 cluster tomorrow and get back to you. This looks promising. Since the E2K 4003 error event indicates that the page cannot be found, it is probably the case that only the default 'Virtual Server Name' exists in the host header, which may explain why the DNS lookup for it is failing. I will check browsing to this tomorrow also and get back to you.
Many thanks in advance.
Regards,
MSEBlogger.
- Hi Mike,
OK, so the Exchange 2000 header list does not contain an entry for the FQDN of the Exchange 2000 cluster, although numerous header entries do exist.
If I add the header as per http://support.microsoft.com/kb/287726/en-us will we need to restart IIS for the change to take effect?
Best Regards,
MSEBlogger.
- Hi again,
OK, there is already a host header name for the NETBios name of the Exchange Virtual Server:
SERVERNAME
Upon adding an entry for 'SERVERNAME.fqdn.tld' from temp Exchange 2003 System Manager, which has the same IP and port binding, the following message is displayed:
The Virtual Server will not start if the combination of IP Address, Port, and Host name matches that of any Internet Server web site.
Are you sure that this configuration is unique?
Naturally, I am reluctant to apply this without checking first.. After a quick scan, I can't find much info on this.
Could you please advise?
Thanks and regards,
MSEBlogger
- Hi,
Thanks for your response.
I am not able to reproduce your problem on my lab. Based on the warning message, it indicated that if other web site has same IP Address, Port and Host Header combination, the Exchange web site will not start. Therefore, I suggest you check whether the other web site on the cluster has same IP Address, Port and Host Header combination. If not, I think that you can ignore the warning message.
I suggest you restart IIS after applying host header change.
~~~~~~~~~~~~~~~~
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb @ microsoft.com
~~~~~~~~~~~~~~~~
- Hi,
Any update regarding the issue?
Thanks,
Mike
- Hi Mike,
There is already a host header entry for the NetBIOS name of the cluster, which is using the same IP address and port. So, I am assuming that trying to add the FQDN of the same name, IP address and port is causing the error to occur? This does seem like it could cause an issue in production. Have you been able to repro this at all yet?
Thanks,
MSEBlogger.
- Hi,
I am able to reproduce the warning this time and I think that you can safely ignore the warning. The warning just indicated if you have other website with same combination of IP Address, Port, and Host name, the Exchange Web Site may not be able to online.
According to KB Q287726, when back-end servers are clustered, you must add host headers for every possible method that users may use to try to connect to OWA. From your event 4003, the Availability service uses the FQDN name of the Exchange cluster to access public folder store on the cluster. Therefore, you need to add the FQDN as the host header according to KB.
After that, please reset IIS server and ensure the FQDN Host Header is added to Exchange Web Site through IIS Admin.
After that, please access the http://E2KSingleCopyClusterEVS.subdomain.InternalDNSDomainName/public on the Exchange 2007 CAS server to check whether the 404 Page Not Found issue still persists
~~~~~~~~~~~~~~~~
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
~~~~~~~~~~~~~~~~
- Hi Mike,
Have added the host header for the FQDN of the E2K cluster as requested.
We can now browse to http://E2KSingleCopyClusterEVS.subdomain.InternalDNSDomainName/public, but are prompted for credentials. When we enter valid credentials, the page loads and does NOT display a 404 page not found error as before, which is progress.
However, the 4003 events are still logged on the CAS box as follows:
Process 8756[w3wp.exe:/LM/W3SVC/1/ROOT/owa-1-128995606743597904]: Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequest failed. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequestProcessingException: The remote server returned an error: (401) Unauthorized.. The request information is http://E2K7ClusteredMailboxServerName.subdomain.tld/public/?Cmd=freebusy&start=2009-10-21T23:00:00Z&end=2009-10-29T00:00:00Z&interval=30&u=EMAILREMOVED.. The Availability service could not successfully retrieve Schedule+ free/busy data for one or more legacy Exchange mailboxes. To find the root cause of this error, increase the diagnostic logging level of the MSExchange Availability service.
Process 8756[w3wp.exe:/LM/W3SVC/1/ROOT/owa-1-128995606743597904]: Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequest failed. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequestProcessingException: The remote server returned an error: (401) Unauthorized.. The request information is http://E2KSingleCopyClusterName.subdomain.tld/public/?Cmd=freebusy&start=2009-10-21T23:00:00Z&end=2009-10-29T00:00:00Z&interval=30&u=EMAILREMOVED.. The Availability service could not successfully retrieve Schedule+ free/busy data for one or more legacy Exchange mailboxes. To find the root cause of this error, increase the diagnostic logging level of the MSExchange Availability service.
Process 8756[w3wp.exe:/LM/W3SVC/1/ROOT/owa-1-128995606743597904]: Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequest failed. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.PublicFolderRequestProcessingException: The remote server returned an error: (401) Unauthorized.. The request information is http://E2K3TempServer.subdomain.tld/public/?Cmd=freebusy&start=2009-10-21T23:00:00Z&end=2009-10-29T00:00:00Z&interval=30&u=EMAILREMOVED.. The Availability service could not successfully retrieve Schedule+ free/busy data for one or more legacy Exchange mailboxes. To find the root cause of this error, increase the diagnostic logging level of the MSExchange Availability service.
So, we have 'Unauthorized' now instead of 'Page Not Found'.
Obviously, when browsing to the URL, we are prompted for credentials, so presumably the same is happening when the E2K7 CAS server tries to get there?
Where should we go from here? Even if we were to replicate public folders to any of these servers, the same error would surely be displayed, since they are all stating 'Unauthorized' ?
I look forward to your response.
Many thanks and kind regards,
MSEBlogger.
- Some additional information, as included in my second post for comparison now:
If you browse to the E2K7 URL above via IE, we are prompted for credentials once on the E2K7 CCR Cluster (enter some credentials here), then a second time on the E2K7 CAS Server (enter same credentials here), and finally the 2007 Public Folders OWA page is launched.
If you browse to the E2K3 URL above via IE, we are prompted for credentials once on the E2K3 Temp server (enter some credentials here) and the 2003 Public Folders OWA page is launched.
If you browse to the E2K URL above via IE, we are prompted for credentials once on the E2K Single Copy Cluster (enter some credentials here) and then the Public Folders OWA page is launched.
So, cancelling any of the credentials prompts above then brings up the '401 Unauthorized' page, which is the same as that being logged in the event logs.
I'd really like to know how this is meant to work as it seems uncanny that all three are failing with the same error?
Many thanks again.
Regards,
MSEBlogger.
- Hi,
Thanks for your response.
I am glad to know that the original 404 page not found error disappeared after adding the FQDN to the host header. Currently, the error 401 (unauthorized) error is logged in the 4003 event.
At this time, I suggest you check:
1. Please ensure Form Based Authentication is disabled on the Exchange Virtual Server on Exchange 2000 cluster
2. Please ensure require SSL is disabled on the Public Folder virtual directory on Exchange 2000 cluster
3. Please ensure Integrated Authentication is enabled on the Public Folder virtual directory on the Exchange 2000 cluster
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb @ microsoft.com
~~~~~~~~~~~~~~~~
Hi Mike,
1/ There is no forms based authentication option in Exchange 2000.
2/ SSL is definitely not required on the Public Folder virtual directory and I can browse to this no problem with no authentication prompts.
3/ Integrated Authentication is definitely enabled on the Public Folder virtual directory on E2K cluster, and no prompts are displayed when browsing to this if logged on as a valid user.
I am presuming that the system accesses this URL, but whether this is with a valid account or not, I am not sure.
Please advise on next steps.
Many thanks for your time.
Regards,
MSEBlogger.
- Hi Mike,
Is there any update on this please?
Thanks and Regards
- Hi,
Sorry for delay in response. For some reason, I fail to receive the previous notification for your response.
At this time, I suggest you add the Public Folder URL which Exchange 2007 used to access Exchange 2000 users’ Free Busy to trusted site in IE on Client Access Server.
If the issue persists, please help me gather the related IIS log on the Active Node of the Exchange 2000 cluster when the 401 error is encountered for further research.
For your reference, I have captured the related IIS log on my mixed environment. As you can see, the Exchange 2007 firstly attempt to use anonymous account to logon Public Folder virtual directory. Then, it will attempt to authenticate to Public Folder virtual directory by using Exchange 2007 server account.
2009-10-28 12:07:14 W3SVC1 10.1.1.5 GET /public/ Cmd=freebusy&start=2009-10-13T08:00:00Z&end=2009-11-12T08:00:00Z&interval=30&u=Administrator@sinbe.com 80 - 10.1.1.100 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT)+Availability+Service 401 2 2148074254
2009-10-28 12:07:16 W3SVC1 10.1.1.5 GET /public/ Cmd=freebusy&start=2009-10-13T08:00:00Z&end=2009-11-12T08:00:00Z&interval=30&u=Administrator@sinbe.com 80 SINBE\2K7$ 10.1.1.100 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT)+Availability+Service 200 0 0
If you capture network package, you should be able to see that the Exchange 2007 authenticate to Exchange 2000 by using Kerberos authentication.
The request from Exchange 2007 server:
Http: Request, GET /public/
Command: GET
URI: /public/?Cmd=freebusy&start=2009-10-12T05:00:00Z&end=2009-11-11T05:00:00Z&interval=30&u=Administrator@sinbe.com
ProtocolVersion: HTTP/1.1
UserAgent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT) Availability Service
Authorization: Negotiate YIIJZwYGKwYBBQUCoIIJWzCCCVegJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCS0EggkpYIIJJQYJKoZIhvcSAQICAQBuggkUMIIJEKADAgEFoQMCAQ6iBwMFACAAAACjggOeYYIDmjCCA5agAwIBBaELGwlTSU5CRS5DT02iKjAooAMCAQKhITAfGwRIVFRQGxdld2luMmszZW50c3AyL
NegotiateAuthorization:
Scheme: Negotiate
Kerberosv5:
The response from Exchange 2003:
Http: Response, HTTP/1.1, Status Code = 200
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Date: Wed, 28 Oct 2009 12:30:20 GMT
Server: Microsoft-IIS/6.0
WWWAuthenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWjc85r8WV0w1oMQjRYsPMidKoFzEBeDRc9b2GV+FsPibiCa8RvDG0y9fHAh9+54XEYo17KTsf+uG0Lih36AZXRZnh+kXIdf0xBj8y+ofTb1uBuxCF4mab8QgvA==
Therefore, if we are not able to get further clues from the IIS log, we may need capture network package to check whether the Exchange 2007 encounters any problem when using Kerberos authentication.
For your reference:
How to troubleshoot Kerberos-related issues in IIS
http://support.microsoft.com/kb/326985/en-us
How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
http://support.microsoft.com/kb/215383/en-us
IIS logging for Windows Integrated authentication
http://support.microsoft.com/kb/969060/en-us
Mike
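An added example (not part of the thread and not Microsoft's code) that automates the IIS log check described in the reply above: it picks out the Availability Service free/busy requests and reports, per client and query, whether the anonymous 401 was followed by an authenticated 200. The names `parse_w3c`, `classify` and `SAMPLE_LOG` are hypothetical, the field order is assumed from the two log lines in the post, and the other sample lines are constructed.

```python
from collections import defaultdict

# Field order of the sample lines in the post (an assumption); a "#Fields:"
# directive in a real log overrides this default.
DEFAULT_FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
                  "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status").split()

# IIS sub-status codes for HTTP 401.
SUBSTATUS_401 = {
    "1": "logon failed: credentials were sent and rejected",
    "2": "denied by server configuration (normal for the first, anonymous request)",
    "3": "authenticated, but denied by the ACL on the resource",
}

# Lines 1-2: the log lines quoted in the post. Lines 3-5: constructed
# (hypothetical client 10.1.1.101, mailbox user@example.com, browser hit).
SAMPLE_LOG = r"""
2009-10-28 12:07:14 W3SVC1 10.1.1.5 GET /public/ Cmd=freebusy&start=2009-10-13T08:00:00Z&end=2009-11-12T08:00:00Z&interval=30&u=Administrator@sinbe.com 80 - 10.1.1.100 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT)+Availability+Service 401 2 2148074254
2009-10-28 12:07:16 W3SVC1 10.1.1.5 GET /public/ Cmd=freebusy&start=2009-10-13T08:00:00Z&end=2009-11-12T08:00:00Z&interval=30&u=Administrator@sinbe.com 80 SINBE\2K7$ 10.1.1.100 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT)+Availability+Service 200 0 0
2009-10-28 12:09:01 W3SVC1 10.1.1.5 GET /public/ Cmd=freebusy&start=2009-10-13T08:00:00Z&end=2009-11-12T08:00:00Z&interval=30&u=user@example.com 80 - 10.1.1.101 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT)+Availability+Service 401 2 2148074254
2009-10-28 12:09:02 W3SVC1 10.1.1.5 GET /public/ Cmd=freebusy&start=2009-10-13T08:00:00Z&end=2009-11-12T08:00:00Z&interval=30&u=user@example.com 80 - 10.1.1.101 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT)+Availability+Service 401 1 2148074254
2009-10-28 12:10:00 W3SVC1 10.1.1.5 GET /public/ - 80 SINBE\someuser 10.1.1.50 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0
"""


def parse_w3c(lines):
    """Yield one dict per W3C extended log record, honouring #Fields: directives."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or foreign lines
                yield dict(zip(fields, values))


def is_freebusy(rec):
    """True for a free/busy lookup sent by the Exchange 2007 Availability Service."""
    return (rec.get("cs-uri-stem", "").lower().rstrip("/") == "/public"
            and "cmd=freebusy" in rec.get("cs-uri-query", "").lower()
            and "availability+service" in rec.get("cs(User-Agent)", "").lower())


def classify(lines):
    """Map (client IP, query) to ("ok", account) or ("failed", reason)."""
    groups = defaultdict(list)
    for rec in parse_w3c(lines):
        if is_freebusy(rec):
            groups[(rec["c-ip"], rec["cs-uri-query"])].append(rec)
    results = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: (r["date"], r["time"]))
        ok = [r for r in recs
              if r["sc-status"] == "200" and r["cs-username"] != "-"]
        if ok:
            results[key] = ("ok", ok[0]["cs-username"])
            continue
        last = recs[-1]  # the final answer the CAS server received
        detail = last["sc-status"]
        if detail == "401":
            sub = last.get("sc-substatus", "?")
            detail = f"401.{sub}: {SUBSTATUS_401.get(sub, 'unlisted sub-status')}"
        results[key] = ("failed", detail)
    return results


if __name__ == "__main__":
    for (client, query), verdict in classify(SAMPLE_LOG.splitlines()).items():
        print(client, query.split("&u=")[-1], verdict)
```

A group that never reaches an authenticated 200 is the case to follow up with the Kerberos troubleshooting articles listed in the reply.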
- Hi Mike,
Just a quick reply to this, before we begin doing the IIS log traces...
I have added all three of the Public Folder URLs to the 'Local Intranet' zone in IE (Windows 2008 OS with IE8), which allows me to successfully browse to each without prompting for authentication. Before doing this, I was indeed prompted every time to enter credentials, since the 'Medium-High' security settings being enforced previously did not allow passthrough of logged on credentials. So, question is, how can we get either the 'anonymous' or 'Exchange server' accounts to also pass-through I guess?
So, I think we should try gathering the logs when we get the 401 error as you suggested. What is the suggested first course of action please?
Thanks and Regards.
- Hi,
Would you please let me know if you access the Free/Busy URL listed in the 4003 event? Whether you can get similar result showed in following KB:
XCCC: Description of the Command to Retrieve Free/Busy Information From a Calendar Public Folder
http://support.microsoft.com/kb/813268/en-us
In addition, I suggest you run PFDavAdmin tool to check whether the Permission of “EX:/o=org/ou=First Administrative Group” public folder (the sub folder of SCHEDULE + FREE BUSY public folder) is correct. By default, the Everyone Group has Editor permission and Anonymous user has None permission. Please also ensure the DACL state for the folder is Good.
To enable the Anonymous access the Free Busy folder, you need ensure the Anonymous user group has Reviewer permission to the “EX:/o=orgname/ou=First Administrative Group (or other Admin Group name)” public folder and enable Anonymous access on the Public Folder virtual directory.
Note: Please understand that you must make these changes by using the Exchange System Manager program and not by using the Internet Information Services (IIS) Manager program. If you apply the changes in the Internet Information Services snap-in, Exchange resets the changes to use the configurations that are set in the Exchange System Manager program. This functionality is an update process that is handled by directory service to metabase.
After enable Anonymous access to Public Folder, please check whether we can access the Free/Busy URL without prompt for authentication. You can test it on a work group computer. If we can access the Free/Busy URL without prompt for authentication, please check whether the Outlook 2007 client is able to retrieve Free/Busy information for Exchange 2000 users successfully.
Note: I would like to explain that Anonymous Access is just a workaround regarding the issue. After performing above change, it allows Anonymous users to access the Free Busy folder.
Thanks,
Mike
- Hi,
Any update regarding the issue?
Thanks,
Mike


