OAB not downloading on CAS

  • Question

  • Hi Guys,

    I have been trying to resolve a long-running issue.

    Setup Information


    Exchange 2007 SP3/Rollup 8 v3

    Two AD sites. 1- US site with 2 CAS/HUB (OS 2008 R2), CCR mailbox server (OS 2003 R2 SP2)

                          2- HK site with 2 CAS/HUB, CCR mailbox server (OS 2003 R2 SP2 for all)

    Issue: Cannot download OAB on the Site 2 CAS server from the Site 1 Mailbox\Exchange OAB share with the local system account.

    When I use a domain admin account to log on MSExchangeFDS, OAB copying works fine.

    But I cannot put a domain admin account on the service due to a security issue.

    Appreciate any help on this.

    Thanks 

    JK

    Thursday, September 12, 2013 1:43 PM

Answers

  • Are you describing a problem seen by an Outlook client? If so, it looks like the permissions on the file system and/or virtual directory may be incorrect.

    The permission on the OAB directory should grant the local system account "Full Control". The sub-directory for each OAB should also grant the same permission to the local system account.

    The permission on the OAB virtual directory should not allow anonymous access.

    OTOH, if you're saying that OAB updates are not being transferred from the OAB generation server to the CAS in Site 2 then there should be errors recorded in the application log with MSExchangeFDS as the source. Check for errors on the OAB generation server and the CAS in Site 2.

    IIRC, the MSExchangeFDS on the CAS tries to connect to the ExchangeOAB share on the OAB generation server. The ExchangeOAB directory should grant the local system account "full control".

    See this, too: http://blogs.technet.com/b/exchange/archive/2006/10/16/3395100.aspx


    --- Rich Matheisen MCSE&I, Exchange MVP

    Friday, September 13, 2013 3:48 AM
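
The checks described in the answer above, as an added example that is not part of the original thread: it reports whether Local System has Full Control on the CAS OAB directory and each OAB sub-directory, lists the NTFS ACL on the ExchangeOAB share, and pulls recent MSExchangeFDS events from both servers. It assumes PowerShell 2.0 or later in an elevated session on the Site 2 CAS; `OABGEN01` is a placeholder server name and `Test-SystemFullControl` is a hypothetical helper.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+, an elevated
# session on the Site 2 CAS, and a placeholder OAB generation server name.
$OabServer = 'OABGEN01'   # hypothetical placeholder, replace with the real server
$LocalOab  = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB'
$ShareOab  = "\\$OabServer\ExchangeOAB"
$SystemSid = 'S-1-5-18'   # well-known SID of the Local System account

function Test-SystemFullControl {
    param([string]$Path)
    $full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Read the ACEs as SIDs so localized account names do not matter.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $SystemSid -and
            $r.AccessControlType -eq 'Allow' -and
            (([int]$r.FileSystemRights) -band $full) -eq $full) { return $true }
    }
    return $false
}

# 1. Local OAB directory and each per-OAB sub-directory on the CAS.
$dirs = @($LocalOab) + @(Get-ChildItem -Path $LocalOab |
    Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
foreach ($d in $dirs) {
    New-Object PSObject -Property @{
        Path = $d; SystemFullControl = (Test-SystemFullControl -Path $d) }
}

# 2. NTFS ACL on the ExchangeOAB share root. A service running as Local System
#    reaches a remote share as the computer account (DOMAIN\CASNAME$), so look
#    for that account or a group containing it, not for SYSTEM alone.
(Get-Acl -Path $ShareOab).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights

# 3. Recent MSExchangeFDS errors and warnings on both ends of the copy.
foreach ($computer in @($env:COMPUTERNAME, $OabServer)) {
    Get-EventLog -LogName Application -Source MSExchangeFDS `
        -EntryType Error, Warning -Newest 20 -ComputerName $computer `
        -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeGenerated, EventID, Message
}
```

Step 2 shows only the NTFS ACL; the share-level permissions on ExchangeOAB are a separate setting and need to be checked on the OAB generation server itself.
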
  • Hi JK,

    According to my knowledge, we recommend multiple OABs for the respective sites.

    As we know, network connections across sites are slow, and it is better to plan a new OAB for your Site 2.

    Please refer to the steps below:

    1. Create a new OAB

    2. Restart the MSExchange System Attendant service and the MSExchange File Distribution service

    3. Update the new OAB

    4. Associate the new OAB with the users' mailbox databases of Site 2

    5. Send/Receive OAB on Outlook client

    I hope it can help.

    Regards,
    Rebecca

    Friday, September 13, 2013 5:06 PM

All replies

  • I would suggest you give full permission to the security group "Exchange Trusted Subsystem" on "C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB" on the CAS server, if not already provided, then check if this works.

    If it is still not working, put the Local System account in Log On, enable Expert logging of MSExchangeFDS\FileReplication, then run the command below and see if any events are logged.

    Update-FileDistributionService -Identity CASServerName -Type "OAB"


    Regards, Sourabh Kumar Jha

    Thursday, September 12, 2013 11:47 PM
  • Hi Sourabh,

    I tried to add Exchange Subsystem full access on the Site 2 CAS server "C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB", but still no success.

    Now increasing the logging level to Expert.

    One thing I have tested is:

    I created one service account and added it to the Exchange Organization Management group only, and it works.

    So it's just a member of Domain Users and the Exchange Organization Management group, and OABs are downloading on the Site 2 CAS.

    I will try with increased logging and update.

    Thanks

    Friday, September 13, 2013 1:11 PM
  • Hi Rebecca,

    Let me recall the issue.

    My main issue is that OAB files are not downloading from the mailbox server to the CAS with the local system account.

    If there were an issue with the network, it should not work for domain admin/Exchange admin either.

    I have added a 3rd server to the second site and it is receiving OAB files without any issue.

    But the reason I cannot assign the new server for clients to download the OAB is that the server is dedicated to external users.

    I need to get the old servers to download the OAB with the local system account from the mailbox server.

    It seems to be something related to the authentication that is used in the local site and the remote site.

    Also, after searching a lot and increasing the debug level, I got nothing but the certificate error below.

    Event Type:      Error
    Event Source:    AutoEnrollment
    Event Category:  None
    Event ID:        6
    Date:            9/17/2013
    Time:            12:01:27 AM
    User:            N/A
    Computer:        HKHT02
    Description:
    Automatic certificate enrollment for local system could not find a valid certificate template to match Machine CNF:8b2c688b-f7d8-4d21-bfc1-4b9b573c9c88 as specified in the group policy automatic enrollment object.  Enrollment will not be performed.

    I believe this could be one of the causes.

    JK

    • Edited by Jaywantpune Tuesday, September 17, 2013 8:32 AM
    Tuesday, September 17, 2013 8:27 AM
  • As we know, network connections across sites are slow, and it is better to plan a new OAB for your Site 2.

    From my understanding, Rebecca may be considering this question from an administrative point of view. Downloading the OAB across sites may consume network resources. As an administrator myself, I would also recommend having a dedicated OAB generation server, publishing to the local CAS, in each site.

    For the question about the "Local System" account, to get more detailed information about the permissions for this account, I suggest we contact Windows Server support or ask this question on the Windows Server forum:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=windowsserver

    Thanks,

    Simon


    Simon Wu
    TechNet Community Support

    Wednesday, September 18, 2013 9:03 AM
    Moderator