Exchange 2007 RPC over HTTPS issues

  • Question

  • I've been over this in every conceivable way and can't figure out what is wrong.
    I have two all-in-one (client access, mailbox, hub transport) exchange servers (psmail and momail) at two different sites.

    If I try:
    rpcping -t ncacn_http -o RpcProxy=mail.evpod.com -P "astasiak,evpod,*" -H 1 -F 3 -a connect -u 9 -v 3 -s psmail -I "astasiak,evpod,*" -e 6001
    rpcping -t ncacn_http -o RpcProxy=mail.evpod.com -P "astasiak,evpod,*" -H 2 -F 2 -a connect -u 10 -v 3 -s psmail -I "astasiak,evpod,*" -e 6004

    (mail.evpod.com is the external address for psmail.)
    I get error 1722. Same thing happens if I use fqdn (psmail.evpod.local).
    If I try against the other server (momail) the 6001 ping succeeds (6004 still fails).
    Same thing happens if I use external address of MOMAIL. I can't rpcping it on either, but can ping PSMAIL on 6001.

    I can connect with telnet to both servers on 6001, 2, and 4. (However, 6002/4 just display a cursor on connect; only 6001 prints ncacn_http.)
    rpcping with just -E works just fine on both servers.
    I've checked authentication and certificate on both RPC virtuals.
    I've turned IPv6 off and on again.
    I've even uninstalled and reinstalled the RPC-HTTP proxy.
    I've checked validports many times.
    I've checked IIS logs and the requests seem to be just fine.

    I'm at my wits end.
    There are two things I can't explain:
    One of the suggestions from testexchangeconnectivity.com was DNS issues.
    When I try to ping (normal ICMP ping) PSMAIL from itself it resolves to the IPv6 address fe80::1%1. Same for MOMAIL.

    Both servers are Exchange 2007 SP3 (v8.3 build 83.6) with the most recent update rollup. Running on Windows 2003 R2. Separate DCs (one on Windows 2008, one on 2003).

    When I run rpcdump it comes back "0 registered endpoints found."

    Update:
    Well, totally removing IPv6 seemed to get the rpcping to 6001 to work. However it is still not able to work on 6004 (NSPI).

    This post:

    http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/thread/9bdb72a5-1557-4713-afa8-68c06b9bac7b/

    Suggests:

    1. On the Mailbox servers: a DWORD entry needs to be created on each Mailbox server named "Do Not Refer HTTP to DSProxy" at HKLM\System\CCS\Services\MSExchangeSA\Parameters\ and the value set to 1

    2. On CAS server, set following registry keys:

    a. The ValidPorts setting at HKLM\Software\Microsoft\RPC\RPCProxy needs setting so that the entries referring to 6004 point to DC servers in addition to the mailbox server.

    b. The PeriodicPollingMinutes key at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator\ needs setting to zero to prevent RpcHttpConfigurator from updating the Valid Ports key automatically.

    3. On the Global Catalog servers: a REG_MULTI_SZ entry needs to be created on each GC named NSPI interface protocol sequences at HKLM\System\CCS\Services\NTDS\Parameters\ and the value set to ncacn_http:6004. After that, please restart the GC.

     

    While I can certainly do the above, I need to add the appropriate ports on the GC servers to the Valid Ports Key. Is that determined by HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port? (currently 53211) Or by "NSPI interface protocol sequences"? (which would make it 6004, same as on exchange server) Or by something else?

    Thursday, May 5, 2011 2:30 PM

Answers

  • Hello,

    You can try the following steps on all the GC:

    1. Start Registry Editor.

    2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. On the Edit menu, point to New, and then click Multi-String Value.

    Note: Make sure that you select the correct value type for the registry subkey. If the registry subkey type is set to anything other than Multi-String Value, you may experience problems.

    3. Name the new registry value NSPI interface protocol sequences.

    4. Right-click NSPI interface protocol sequences, and then click Modify.

    5. In the Value data box, type:

    ncacn_http:6004

    6. Click OK. Quit Registry Editor, and then restart the computer.

    Thanks,

    Simon

    Wednesday, May 11, 2011 4:39 AM

All replies

  • Hello,

    I would like to share with you the following article which can answer your questions about the registry keys for ROH.

    http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/thread/9bdb72a5-1557-4713-afa8-68c06b9bac7b/

    To troubleshoot the Outlook Anywhere issue, I suggest we also try the remote connectivity analyzer tool via:

    https://www.testexchangeconnectivity.com/

    Please post error message for further research.

    Thanks,
    Simon

    Monday, May 9, 2011 2:04 AM
  • The error from testexchangeconnectivity.com was (and still is):

        Testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
         An error occurred while testing the NSPI RPC endpoint.
        
        Test Steps
        
        Attempting to ping RPC endpoint 6004 (NSPI Proxy Interface) on server psmail.evpod.local.
         The attempt to ping the endpoint failed.
          Tell me more about this issue and how to resolve it
        
        Additional Details
         The RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime process.

    As you may have noticed, I quoted the above article. It is unclear what exactly is responsible for setting the port on the domain controller. I'm assuming it is the value of "NSPI interface protocol sequences", but that change alone does not result in the GC listening on that port.

    Tuesday, May 10, 2011 7:32 PM
  • That does get the DC to listen on port 6004 (it wasn't listening after my last post due to a corrupted windows update causing a reboot loop, it was pingable, but that was about it, but that's resolved now).

    However I get the same result (testexchangeconnectivity fails on port 6004).

    I would prefer not to have to set "Do Not Refer HTTP to DSProxy" to avoid having to expose my DC unnecessarily. Is there any way to get the DSProxy to work? Telnetting to 6002 and 6004 on the exchange server still results in just a cursor.

     

    Wednesday, May 11, 2011 1:54 PM
  • Please search for "Do Not Refer HTTP to DSProxy" in the following link:

     

    http://blogs.technet.com/b/exchange/archive/2008/06/20/3405633.aspx

     

    Thanks,

    Simon

    Thursday, May 12, 2011 2:27 AM
  • I understand that, but I am not in either of the situations described (split rpc_in and rpc_out out or IPv6 issues) so DSProxy should work. Also that article states that DSProxy use is hardcoded during profile creation, so there will still be issues if it is not working properly.

     

    Thanks,

    Adam

    Thursday, May 12, 2011 10:41 AM
  • I discovered the source of my problems. User error as usual. In case anyone else runs into the same problem, I had set the TCP/IP static port to the same as the RPC/HTTP port. See below for what you DO NOT WANT:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
    "Rpc/HTTP Port"=dword:00001771
    "TCP/IP Port"=dword:00001771

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
    "TCP/IP Port"=dword:00001772
    "TCP/IP NSPI Port"=dword:00001774
    "HTTP Port"=dword:00001772
    "RPC/HTTP NSPI Port"=dword:00001774

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSRS\Parameters]
    "TCP/IP"=dword:00001777

    What it SHOULD have been was:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
    "Rpc/HTTP Port"=dword:00001771
    "TCP/IP Port"=dword:00001775

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
    "TCP/IP Port"=dword:00001776
    "TCP/IP NSPI Port"=dword:00001778
    "HTTP Port"=dword:00001772
    "RPC/HTTP NSPI Port"=dword:00001774

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSRS\Parameters]
    "TCP/IP"=dword:00001777

    I essentially had ncacn_tcpip and ncacn_http trying to listen on the same port, so ncacn_http (which I guess comes second) wasn't listening on the ports like it was supposed to.

    Monday, May 16, 2011 4:28 PM
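
Added example (not part of the original thread and not Microsoft tooling): a check over an exported .reg file for the collision described in the last post, where a TCP/IP static port and an RPC/HTTP port share one number. The function names and the rule that a value name containing "HTTP" is an ncacn_http port are assumptions made for this sketch; the sample input is the misconfigured export quoted above.

```python
import re
from collections import defaultdict

# Sample input: the misconfigured export from the post above.
BAD_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"Rpc/HTTP Port"=dword:00001771
"TCP/IP Port"=dword:00001771

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
"TCP/IP Port"=dword:00001772
"TCP/IP NSPI Port"=dword:00001774
"HTTP Port"=dword:00001772
"RPC/HTTP NSPI Port"=dword:00001774

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSRS\Parameters]
"TCP/IP"=dword:00001777
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_ports(reg_text):
    """Return [(service, value_name, port)] for each dword value in a .reg export."""
    entries, service = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            parts = m.group(1).split('\\')
            # The service name is the path component right after "Services".
            service = parts[parts.index('Services') + 1] if 'Services' in parts else parts[-1]
        elif (m := DWORD_RE.match(line)) and service:
            entries.append((service, m.group(2) and m.group(1), int(m.group(2), 16)))
    return entries

def transport(value_name):
    # Assumption: value names containing "HTTP" configure ncacn_http listeners,
    # everything else in these keys is a static TCP/IP (ncacn_ip_tcp) port.
    return 'ncacn_http' if 'HTTP' in value_name.upper() else 'ncacn_ip_tcp'

def find_collisions(reg_text):
    """Map each port assigned more than once to the (service, value, transport) users."""
    by_port = defaultdict(list)
    for service, name, port in parse_ports(reg_text):
        by_port[port].append((service, name, transport(name)))
    return {p: users for p, users in sorted(by_port.items()) if len(users) > 1}

if __name__ == '__main__':
    for port, users in find_collisions(BAD_REG).items():
        print(port, users)
```

Run against the corrected export from the same post, `find_collisions` returns an empty dict, because every value then has its own port.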