Exchange 2003 to 2010--Offline Address Book problems

  • Question

  • I have been wracking my brains out on a migration from Exchange 2003 to 2010.  The mailboxes moved over fine, but the public folders were a snafu.  After finally managing to remove them completely and recreating them, I am still stuck with a problem that started as soon as I moved mailboxes to the 2010 server.  The offline address book will not download correctly to Outlook (2007) and in the process of trying to retrieve it, Outlook endlessly asks for user authentication.  Authentication is supplied but it just asks again after a couple of seconds...ad infinitum.

    I did have a problem where 2010 kept trying to connect to an old DC (demoted after the install of 2010), but that APPEARS to be settled for the moment after completely removing the old DC from the domain.  However I am suspicious that the offline address book may still be confused, and authentication is failing for some related reason.  But who knows.  I have scoured ADSI Edit for references to the old DC and I don't find any, but the offline address book problem continues.  Mail retrieves and sends fine, but all Outlook users get that constant authentication dialog and the step it stalls on is the offline address book.

    I am at my wits' end on this one.
    Friday, December 11, 2009 5:36 AM

All replies

  • Is the OAB URL you've configured a URL that is in the users' trusted sites list for IE or the same domain of the AD domain they're logged into? Don't forget that an Outlook 2007 user on Exchange 2007 or 2010 will get the OAB not from the Public Folders, but from the CAS servers themselves via the Exchange File Distribution Service share.
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Exchange Server 2010 Configuration
    LMNOP
    Friday, December 11, 2009 6:11 AM
  • I tried adding those to Trusted Sites but same problem.  I tried accessing http://exchangeserver/oab directly and got a 401 error...don't know if that is supposed to work.  Maybe Exchange set up the virtual directories without the necessary permissions?  This is a fresh server install and Exchange 2010 was added before anything was changed in IIS.  How should the virtual directories be set up, and/or is there a way to make Exchange automatically reconfigure them?
    Friday, December 11, 2009 5:20 PM
  • Try to use
    Get-EventLogLevel | Set-EventLogLevel -Level Expert
    and check for any errors in the Event Viewer.

    http://tariqjaber.com/blog MCSE 2003, MCTS (ISA 2006, Exchange 2007)
    Sunday, December 13, 2009 7:16 AM
  • also, I did try remove-oabvirtualdirectory then new-oabvirtualdirectory to recreate the virtual directory (then associated the oab with it in the EMC-Server Configuration-Client Access)

    now I get a 500 error instead of a 401 error...is that an improvement?

    will try upping log level and see what that produces
    Sunday, December 13, 2009 5:38 PM
  • I do see this error periodically:

    Process Microsoft.Exchange.RpcClientAccess.Service.exe (PID=2584). Configuration object CN=SMTP (EXCHANGE2003SERVER-{guid}),CN=Connections,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=com read from CURRENTDC.DOMAIN.com failed validation and will be excluded from the result set. Set event logging level for Validation category to Expert to get additional events about each failure.

    and I see the record for this using ADSI Edit, but don't know if I should delete it or change it...will see what comes up when I set logging level to Expert for everything

    Sunday, December 13, 2009 6:38 PM
  • Getting these 2128 errors (abbreviated):

    Process msexchangerepl.exe (PID=3004). Object (Public Folder Database) was not found on the Domain Controller...

    Process msexchangerepl.exe (PID=3004). Object (EXCHANGE 2010 SERVER) was not found on the Domain Controller...

    Process Microsoft.Exchange.Search.ExSearch.exe (PID=3164). Object (Public Folder Database) was not found on the Domain Controller...

    Process Microsoft.Exchange.Search.ExSearch.exe (PID=3164). Object (EXCHANGE 2010 SERVER) was not found on the Domain Controller...

    Basically these errors are piling up for a variety of Exchange services...all from source MSExchange ADAccess...all claiming the server or public folder objects are not found on the DC...so how do I fix this???  Using ADSI Edit, I do see the server object under Services-Microsoft Exchange-DOMAIN-Administrative Groups-Exchange Administrative Group-Servers, so is it permissions?
    Sunday, December 13, 2009 6:44 PM
  • Also got error reported by MSExchangeIS Public Store:

    USER failed an operation on folder on database "Public Folder Database" because the user did not have the following access rights:

    'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact'

    the user in this entry is a domain admin, so how can he not have rights and how do I give him rights?

    Sunday, December 13, 2009 8:42 PM
  • anyone have any ideas?
    Monday, December 14, 2009 9:22 PM
  • Let's start with something quicker relating to OAB web downloads. You don't actually need to migrate the PF to get it to work via Web Distribution.

    Check permissions for "Authenticated Users" on your CAS's directories for your OABs (default C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB\<guid of OAB>). AU should have Read permissions.

    If it doesn't:
    Check that AU has List/Download OAB permissions on the relevant OAL. If not, then this is probably because inheritance is off on that OAL.
    To fix, check the inheritance box, and rebuild the OAB (update-offlineaddressbook <blah>). Then, go to the CAS and restart the Exchange FDS service to resync the OABs to the CAS.

    For the user error, you might try adding to Enterprise Admins.

    -Max
    Tuesday, December 15, 2009 4:00 PM
  • Thank you for the reply!

    Unfortunately, AU did have read permissions, and I get the same error trying to connect as a domain admin, which has full access on the OAB directory tree.

    When I run update-offlineaddressbook I get:

    An Active Directory error 0x51 occurred when trying to check the suitability of server 'DOMAIN CONTROLLER'. Error: 'Active directory response: The LDAP server is unavailable.'
        + CategoryInfo          : NotSpecified: (-1:Int32) [Update-OfflineAddressBook], SuitabilityDirectoryException
        + FullyQualifiedErrorId : 2548BE6A,Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateOfflineAddressBook

    Cannot process the argument because activityId may not be a negative value.
    Parameter name: activityId
    Actual value was -1.
        + CategoryInfo          : InvalidArgument: (:) [Update-OfflineAddressBook], PSArgumentOutOfRangeException
        + FullyQualifiedErrorId : ArgumentOutOfRange,Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateOfflineAddressBook

    So it still appears that exchange is messed up and cannot access the domain/active directory properly...I have no idea how to fix this, it's driving me nuts now!

    Tuesday, December 15, 2009 9:33 PM
  • wondering at this point if I should try to re-run setup /prepareAD on the exchange server, does anyone know if this would be a bad idea or not?  given the tons of AD access errors in the event log, it sounds like something is not hooked up properly there

    want to avoid inadvertently nuking my exchange server of course
    Tuesday, December 15, 2009 9:40 PM
  • by the way, since someone might ask, I did run dcdiag and the only test that fails is NCSecDesc and googling indicated that this was "normal" and "expected" (we don't use rodc's and did not run rodcprep)
    Tuesday, December 15, 2009 10:06 PM
  • Hi,

    Re-running /preparead or /preparedomain won't hurt anything.
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Exchange Server 2010 Configuration
    LMNOP
    Wednesday, December 16, 2009 4:04 AM
  • Those are benign I believe. We've had those in our org (we have 2003/2007/2010) for a long time now and it doesn't seem to cause any issues.
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Exchange Server 2010 Configuration
    LMNOP
    Wednesday, December 16, 2009 4:05 AM
  • Is there only one DC? If there are multiple is replication healthy?
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Exchange Server 2010 Configuration
    LMNOP
    Wednesday, December 16, 2009 4:06 AM
  • should I just delete the record?  that Exchange server is never coming back, and I don't see what purpose the SMTP object serves if it points to a non-existent server
    Wednesday, December 16, 2009 9:25 PM
  • there are two DCs right now, I thought replication was healthy but there is an issue with the Intersite Messaging service faulting on the PDC holder routinely so I am probably wrong on that point...I made a thread on the Windows 2008 forum so maybe until that is resolved the Exchange issue is secondary?
    Wednesday, December 16, 2009 9:27 PM
  • I do see this error periodically:

    Process Microsoft.Exchange.RpcClientAccess.Service.exe (PID=2584). Configuration object CN=SMTP (EXCHANGE2003SERVER-{guid}),CN=Connections,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=com read from CURRENTDC.DOMAIN.com failed validation and will be excluded from the result set. Set event logging level for Validation category to Expert to get additional events about each failure.

    and I see the record for this using ADSI Edit, but don't know if I should delete it or change it...will see what comes up when I set logging level to Expert for everything

    I had the same error after migrating from 2003 to 2010. I solved my problem. You can use these steps:

    1. Open ADSI edit by adding the snap in in mmc
    2. Connect to Naming Context Configuration
    3. Drill down to <Organization Name> -> Services -> Microsoft Exchange -> <MSExchange Organization> -> Connections
    4. Delete the entries that are showing up in the log. I had two of them.

    bye

    Saturday, January 30, 2010 10:00 PM
  • I had the same issue; the resolution was to fix the aliases in the groups. There can't be any leading or trailing spaces or any spaces in the alias. To view which aliases needed to be repaired I went into Active Directory Users and Computers --> Add\Remove Columns --> and added Exchange Aliases; I went through all the aliases and removed the spaces. I ran this command at the PowerShell prompt on the Exchange Server 2010 and repaired all objects that were yellow.  Test Group Names - Example OAB
    >Get-DistributionGroup -DomainController domaincontrollerhere.local >c:\group.txt
    • Proposed as answer by Scott Jaworski Wednesday, February 16, 2011 11:53 PM
    Friday, February 5, 2010 7:48 PM
  • By default the OAB is configured to use http internally. It is possible you are requiring SSL for the OAB download in IIS. If the box is checked it will reject any connection over http.

    Open IIS 7 - Sites - Default Web Site - OAB - SSL Settings. Uncheck Require SSL.

    Alternatively, you can change the internal OAB directory to https

    You can view this by opening Exchange Shell..

    get-OABVirtualDirectory | ft name,InternalURL,ExternalURL

    if the internalurl is http://server/oab you can run..

    get-OABVirtualDirectory | Set-OABVirtualDirectory -internalurl "https://server.domain.local/OAB"

     

    I say, try the IIS setting first. If that works. Set it back and change the internal URL to https to make it secure.

    • Proposed as answer by Scott Jaworski Thursday, February 17, 2011 12:05 AM
    Thursday, February 17, 2011 12:05 AM
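
Added example (not part of the thread or any poster's code): a read-only Exchange Management Shell check for the mismatch described in the post above, where the OAB InternalUrl is http while the virtual directory requires SSL. `Test-OabUrlScheme` is a hypothetical helper name; `Server`, `Name`, `InternalUrl` and `RequireSSL` are read from `Get-OabVirtualDirectory` output.

```powershell
# Added example, read-only: compares each OAB virtual directory's InternalUrl
# scheme with its Require SSL setting. Run in the Exchange Management Shell.

function Test-OabUrlScheme {   # hypothetical helper name
    param(
        $InternalUrl,          # e.g. http://server/oab; may be empty
        [bool] $RequireSsl     # the "Require SSL" setting on the OAB directory
    )
    if (-not $InternalUrl) { return 'No InternalUrl set' }
    $scheme = ([System.Uri]"$InternalUrl").Scheme
    if ($scheme -eq 'http') {
        if ($RequireSsl) {
            return 'MISMATCH: InternalUrl is http but SSL is required; http requests are rejected'
        }
        return 'Plain http: downloads work but are not protected by TLS'
    }
    if ($scheme -eq 'https') {
        if ($RequireSsl) { return 'OK: https URL and SSL required' }
        return 'https URL, but the directory still accepts http requests'
    }
    return "Unexpected scheme: $scheme"
}

# One row per OAB virtual directory, with the assessment as an extra column.
Get-OabVirtualDirectory |
    Select-Object Server, Name, InternalUrl, RequireSSL,
        @{ Name = 'Assessment'
           Expression = { Test-OabUrlScheme $_.InternalUrl $_.RequireSSL } } |
    Format-Table -AutoSize -Wrap
```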
  • I know this hasn't been added to in a while but I'm having a similar issue.... any thoughts?
    Tuesday, September 13, 2011 2:17 AM