Exchange 2013 CU7 server performance/outage issues.

Hi Forum,
We are constantly faced with incidents from users that the connections are lost with the Exchange server. As a result, we hired a consultant to install a new Exchange 2013 environment based on the Microsoft, VMware and NetApp best practices.
We are still having problems with performance issues. From the client perspective, the performance has not changed, weekly hangs are still happening and I’m at my wits' end.
This is our configuration:
2 Windows Server 2012 R2 CAS and DB
VM with 4 vCpu, 16GB, 1 Vmxnet3, IPv6 disabled (the Microsoft way)
VM Ware 5.1 U1
Cluster without AAP
DB1 active on Server 1 (Datacenter 1 with 3 host cluster)
DB2 active on Server 2 (Datacenter 2 with 3 host cluster)
Veeam 8 Backup (Move-ActiveMailboxDatabase DB2 -ActivateOnServer Server1, backup server 2, then Move-ActiveMailboxDatabase back to Server2).
Exchange is in Online-Mode due to Citrix XD VDI clients.
1300 Mailboxes and 750 users.
NetApp with SATA disks. (1.5TB E: Vol for DB1/1.5TB F: Vol for DB2)
No archiving
Unlimited mailbox sizes.
The problems are:
If we migrate a non-Exchange VM in the same cluster or to\from the same host, this results in a 30 second to 5 min Outlook outage;
If we make both DB’s active on mail server 1 and reboot server 2, this results in a 30 second to 5 min Outlook outage;
If we make both DB’s active on mail server 1 and do a Veeam backup of server 2, sometimes one of the DB’s goes back to server 1, on its own;
While monitoring we see that w3wp.exe and Microsoft.Exchange.Store.worker.exe are consuming most of the CPU and memory;
What can I do to solve the outages?
Tnx. Timotatty.

Hi Simon,
Apparently we are using basic authentication, which results in a FailingCode=401 as seen in the Event Log under Active Monitoring --> Probe Results from ECP and others. This became apparent after reading this blog:
http://blogs.technet.com/b/ehlro/archive/2014/02/20/exchange-2013-managed-availability-healthset-troubleshooting.aspx
We are now overriding some of the monitors which require Forms Based Authentication.
Regarding the other 2 issues, we have changed the licensing model for Veeam 8 to allow full throughput, which will reduce the backup time and add compression.
The KEMP support team helped us by deselecting Use HTTP/1.1 under View/Modify Services --> ECP --> Modify --> Real Servers. This now only flags a service (ECP or ActiveSync or OWA) as being down instead of an entire server should one component fail.
I am satisfied but still not happy with the steps required to troubleshoot an Unhealthy Health Set:
Invoke-MonitoringProbe always returns with: WARNING: Could not find assembly or object type associated with monitor identity '<Healthe Set >\< Probe >'. Please ensure that the given monitor identity exists on the server.
This makes it very difficult to troubleshoot Unhealthy Health Sets.
Regards,
Timotatty

Similar Messages

  • Exchange 2013 CU7 - Frequent Outlook 2013 Disconnections and Delays

    We currently have the following environment:
    Windows 2012 VM on Hyper-V with 24GB of RAM and 4 virtual procs (1 socket)
    Cisco UCS, B200 M3 Blades
    Exchange 2013 CU7
    Exchange 2007 is in our environment, but public folders have been removed and only a few stale, unused accounts exist on it. 
    Two dual-role CAS/Mailbox servers
    Mailbox servers are in a DAG
    MAPI/HTTP is our connection protocol
    .NET Framework 4.5.2
    Clients are Outlook 2013 SP1 on Windows 7 and 8.1
    (Currently round robin DNS, but we have a hardware load balancer we've temporarily taken out of the mix to solve this problem)
    What we're seeing is frequent disconnections from Exchange, regardless of the CAS server. That is, both CAS servers will disconnect clients, but not at the same time.  When we look at the Exchange boxes, we notice that the CPU is 99% - 100% each time the
    disconnections occur.  When we hunt down the IISWorker process causing the sudden CPU run, we see it comes back to the following app pools:
    MSExchangeMAPIFrontEndAppPool
    MSExchangeMAPIMailboxAppPool
    (We were running RPC/HTTP, but switched to MAPI/HTTP to resolve the problem.  We had the same issue with equivalent RPC app pools at the time.)
    Eventually, within a minute or two, the CPU load will decrease and the clients connected via that CAS will regain connection.  As you can imagine, the pain is felt more frequently by uncached clients--although everyone, regardless of caching, will see
    the disconnections.
    Basically, the problem sounds exactly as shown in this KB:  http://support.microsoft.com/kb/2995145  Unfortunately, we already had .NET 4.5.2 installed, and have changed the environment variable and registry as shown in the article. 
    We're in contact with Microsoft Support, but thus far they're scratching their heads.
    I'm clearing up all small errors to decrease the noise in the application error logs, but the most persistent one is Event ID 106 (MSExchange Common):
    "Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-powershell-defaultdomain'
    already exists with a lifetime of Process.  It cannot be recreated or reused until it has been removed or until the process using it has exited."
    Loading/reloading and recreation of the performance counters does not fix the problem, by Microsoft Support or us.  Of course, this error existed before we started having issues; I'd just like to clean it up just in case it's a contributing factor.
    Has anyone seen anything similar? 

    We're using a Barracuda load balancer (641), but we've eliminated that as a source of the problem.  The CPU spikes and disconnections happen whether or not the load balancer is in use.
    This problem is still ongoing, and we're still working with Microsoft Support.  Right now they're focused on our environment, but having combed through it numerous times, there's nothing that stands out. I suspect this is a bug in CU7 (yet I would
    readily accept our environment being at fault if it means we can identify and resolve the problem), but that's not the road Support is going down.
    We've looked at storage I/O on the VM hosts (disk responses are 10 MS or less), added double the CPUs to each mail server (for a total of 8, each), disabled TCP chimney offload, run numerous Experfwiz log collections, etc...  Now
    the tech is focused on a particular mailbox database being the culprit because it also takes up more CPU when the MAPI app pools are gunning pretty high.  I suspect that it is a symptom and not the problem, but I have no choice but to follow his lead.
    What is your environment like? Are you also CU7?  And did the problem show itself after a cumulative update was applied?

  • Getting Error while installing Exchange 2013 on server 2012

    Error During Exchange 2013 Mailbox Transport Role Install On Server 2012
    I was installing Exchange 2013 on Server 2012.  The server is not a DC, but is a member of a domain with a 2008 R2 functional level, and I was logged in as a domain admin.  There has never been an Exchange instance on this domain.  I got past
    the prerequisite checks, and the installer showed 15 steps, so I walked away.  When I came back, I saw this:
    Step 8 of 15: Mailbox role: Transport service
    Error:
    The following error was generated when "$error.Clear(); 
              $maxWait = New-TimeSpan -Minutes 8
              $timeout = Get-Date;
              $timeout = $timeout.Add($maxWait);
              $currTime = Get-Date;
              $successfullySetConfigDC = $false;
              while($currTime -le $timeout)
                $setSharedCDCErrors = @();
                try
                  Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
                  $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
                  if($successfullySetConfigDC)
                    break;
                  Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
                catch
                  Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
                Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
                Start-Sleep -Seconds 30;
                $currTime = Get-Date;
              if( -not $successfullySetConfigDC)
                Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
            " was run: "Unable to set shared config DC.".

    Hi Deepak,
    From the error description, I would like to clarify the following things:
    1. Please ensure that IPv6 on the network adaptor is turned on.
    2. Please check if the account that you used to install Exchange has necessary permissions to perform the installation.
    3. Make sure that DNS is configured correctly.
    Hope my clarification is helpful.
    If there are any problems, please feel free to let me know.
    Best regards,
    Amy
    Amy Wang
    TechNet Community Support

  • Support for TLS 1.2 over Exchange 2013 on Server 2012?

    Greetings,
    We're trying to roll out TLS 1.2 in our test environment and can't seem to get Exchange to work with the protocol.
    We've been using this method to enable TLS 1.2 (and disable the other protocols - TLS1.0, SSL2.0, SSL3.0, PCT1.0): http://www.adminhorror.com/2011/10/enable-tls-11-and-tls-12-on-windows_1853.html
    We originally tried using Exchange 2010 on 2008 R2, but then I ran across this article saying that it is not supported: http://support.microsoft.com/kb/2709167/en-us
    We've since tried to set it up with Exchange 2013 on Server 2012. Still no luck. The only time Exchange wants to work is when TLS1.0 is enabled.
    I suspect that TLS1.1 and TLS 1.2 are also not supported on Exchange 2013, or that I'm changing the wrong registry keys, but I wanted to find confirmation. I've searched extensively and can't find any documentation leading me to believe one way or the other
    if it's supported.
    Any help or insight would be greatly appreciated. Thanks!
    --Aric

    Hi all,
    Even I have tried enabling TLS 1.2 on Exchange 2013 from the registry. I followed the below article.
    http://jackstromberg.com/2013/09/enabling-tls-1-2-on-iis-7-5-for-256-bit-cipher-strength/
    When I check OWA in Chrome and check the connection information it says "The connection uses TLS 1.2".
    However when I run the below command to check for TLS 1.2 I get the following O/P.
    Command: java -jar TestSSLServer.jar ns-ex13.gtestexchange.com 443
    O/P:
    Supported versions: SSLv3 TLSv1.0 TLSv1.1
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      SSLv3
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
      TLSv1.0
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      (TLSv1.1: idem)
    Server certificate(s):
      1979e6bdbd9b8e197d00c45534959eaba82b6f40: CN=ex10.gtestexchange.com, OU=Domain
     Control Validated
    Minimal encryption strength:     strong encryption (96-bit or more)
    Achievable encryption strength:  strong encryption (96-bit or more)
    BEAST status: vulnerable
    CRIME status: protected
    ===================================================
    It doesn't say anything about TLS 1.2.
    Any suggestions from your side?
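
A scanner report like the one quoted in the post above can be triaged automatically. The following is an added example, not code from either poster or from the TestSSLServer project: it parses that report format, including the "(TLSv1.1: idem)" shorthand, and lists what a reviewer would flag. The function names and finding codes are made up for illustration; the sample is the report text from the post.

```python
import re

# The TestSSLServer report quoted in the post above (indentation trimmed).
SAMPLE_REPORT = """\
Supported versions: SSLv3 TLSv1.0 TLSv1.1
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
  TLSv1.0
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  (TLSv1.1: idem)
Server certificate(s):
  1979e6bdbd9b8e197d00c45534959eaba82b6f40: CN=ex10.gtestexchange.com, OU=Domain
 Control Validated
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected
"""
SCANNED_HOST = "ns-ex13.gtestexchange.com"  # host given on the command line in the post


def parse_report(text):
    """Turn the text report into versions, per-version suites, cert CNs and status flags."""
    report = {"versions": [], "suites": {}, "cert_cns": [], "status": {}}
    section = None   # "suites" or "certs" while inside those blocks
    current = None   # protocol version whose suite list is being read
    for raw in text.splitlines():
        line = raw.strip()
        status = re.fullmatch(r"(BEAST|CRIME) status: (\w+)", line)
        if not line:
            continue
        if line.startswith("Supported versions:"):
            report["versions"] = line.split(":", 1)[1].split()
        elif line.startswith("Supported cipher suites"):
            section = "suites"
        elif line.startswith("Server certificate"):
            section = "certs"
        elif status:
            report["status"][status.group(1)] = status.group(2)
            section = None
        elif section == "suites":
            idem = re.fullmatch(r"\((\S+): idem\)", line)
            if idem:  # shorthand: same suite list as the version listed just before
                report["suites"][idem.group(1)] = list(report["suites"].get(current, []))
                current = idem.group(1)
            elif line in report["versions"]:
                current = line
                report["suites"][current] = []
            elif current:
                report["suites"][current].append(line)
        elif section == "certs":
            report["cert_cns"] += re.findall(r"CN=([^,\s]+)", line)
    return report


def cn_matches(cn, host):
    """Exact match, or a single-label wildcard such as *.example.com."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host


def findings(report, scanned_host):
    """Return (code, detail) tuples for the items worth a closer look."""
    out = []
    versions = report["versions"]
    if "TLSv1.2" not in versions:
        # Absence only means this scan did not negotiate TLS 1.2.
        out.append(("NO_TLS12", "highest reported: " + (versions[-1] if versions else "none")))
    out += [("LEGACY_PROTOCOL", v) for v in versions if v.startswith("SSLv")]
    for version, suites in report["suites"].items():
        for marker in ("RC4", "3DES"):
            hits = [s for s in suites if f"_{marker}_" in s]
            if hits:
                out.append((f"WEAK_CIPHER_{marker}", f"{version}: {len(hits)} suite(s)"))
        if suites and not any("DHE_" in s for s in suites):  # matches DHE_ and ECDHE_
            out.append(("NO_FORWARD_SECRECY", version))
    out += [(name, state) for name, state in report["status"].items() if state == "vulnerable"]
    cns = report["cert_cns"]
    if cns and not any(cn_matches(cn, scanned_host) for cn in cns):
        # The report shows only the subject, not SAN entries, so treat this as a
        # prompt to confirm which endpoint answered the scan.
        out.append(("CERT_CN_MISMATCH", f"scanned {scanned_host}, certificate CN {', '.join(cns)}"))
    return out


if __name__ == "__main__":
    for code, detail in findings(parse_report(SAMPLE_REPORT), SCANNED_HOST):
        print(f"{code:20} {detail}")
```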

  • New Exchange 2013 CAS server in existing Exchange 2007 Organization

    Dear Friends,
    We have Exchange 2007 SP3 with CU13 installed with a single copy cluster for the database and 1 OWA server for CAS/HT. We will migrate from the current environment to Exchange 2013 SP1. As we want to have HA, we have installed 2 new Exchange 2013 SP1 CAS servers on Windows 2012 R2 after preparing our organisation for Exchange 2013. The setup went smoothly without any error and successfully installed CAS with management tools. After installation it asked to reboot the server, which we did. Now after the reboot, we are not able to run Exchange Management Shell. It never connects to the new server. Our old 2007 EMS also doesn't list any Exchange 2013 server. We are also not able to connect to the new CAS servers with the below URL:
    https://servername/ecp/?ExchClientVer=15
    It says site under maintenance. Please advise what to check. We were thinking of deploying CAS first and making it co-exist with Exchange 2007 before deploying the Exchange 2013 mailbox server which will be set up in a DAG. What are we doing wrong?
    Thanks in advance!!

    If you have only the 2013 CAS installed and not the mailbox role, then nothing will really work. Remember, in 2013, the mailbox role does all the work, the CAS is simply a proxy for the most part.
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • How to introduce exchange 2013 mailbox server in an existing Exchange 2010 Environment

    Hi All,
    we are planning to install exchange 2013 mailbox server in an Exchange 2010 environment. we have 3 MB servers, 1 CAS 1 HUB which is installed with Exchange 2010 SP3 Enterprise Edition. how to install new exchange server 2013  and i have to add the 2013
    servers in to existing DAG and migrate all mailboxes in to 2013 server. Please advise me from the scratch. also will it be create any impact in my existing setup.
    Thanks, Venkatesh. "Hardwork Never Fails"

    For a step by step follow the deployment assistant
    http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2419-W-AAAAAAAAQAAAAAEAAAAAAAA%7e
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Deploy Exchange 2013, Lync Server 2013 and SharePoint Server 2013

    Hi dears ,
    I have a deployment requirement in which I have to plan for deploy Exchange 2013 , Lync server 2013 and SharePoint server 2013 on premise for 500 user and for one organization , now I have been asked to provide the software and hardware requirement
    for this deployment .
    so I wonder , is there any guide or link to find the hardware and software requirements for this deployment ?

    Hi,
    You can refer to the link below about the hardware/system requirements for Lync Server 2013:
    https://technet.microsoft.com/en-us/library/gg398438.aspx
    Note: it is not supported to install Lync Server in the same computer with DC, Exchange Server and SharePoint Server.
    If you want to deploy Lync Server, you’d better read the guide firstly before deploy it:
    https://technet.microsoft.com/en-us/library/gg398616.aspx
    For the deployment of Exchange 2013 and SharePoint 2013, you can also post case on Exchange and SharePoint forum, and there are more experts will help you:
    Exchange 2013:
    https://social.technet.microsoft.com/Forums/office/en-US/home?category=exchangeserver
    SharePoint 2013:
    https://social.technet.microsoft.com/Forums/office/en-US/home?category=sharepoint
    Best Regards,
    Eason Huang
    Eason Huang
    TechNet Community Support

  • Exchange 2013 CU5 fresh install suffering issues with services not starting and coexistence with 2007

    Hi everyone,
    Hope you can help me out on a couple of issues I've been experiencing during the initial stages of a project to upgrade an on premise Exchange 2007 to 2013.
    On Monday last week I installed the first Exchange 2013 server into the network after a few weeks of careful planning, information gathering and remediation of our current Exchange 2007 environment and associated systems.
    The server itself has been having some issues from the word go, some of which I've resolved but none that are show stoppers but I want to get them resolved before building more servers and setting up the planned 2 x 2 node DAG's
    The main problems are as follows:
    There's usually one service that does not start following an OS restart and it's not always the same service. So far I've seen the following not start: DAG Management, Migration Workflow, Anti-spam Update, Unified Messaging, UM Call Router, Transport
    Service.
    The critical system event log entries are complaining of timeouts when the services are starting up but I can't imagine that the servers boot time is too long...  It's a 2 vCPU/12Gb vRAM VM, Windows 2012 R2
    I receive an error in the Event Log regarding RPC over HTTP Proxy
    to one of the 2007 CAS servers (not our primary one). The first error was because the Windows Component was missing but since installing it, disabling Outlook Anywhere, reenabling it, restarting the server, I now have a new error which is shown further down
    this post
    The Exchange 2013 server install is pretty default, CAS/MBX roles and some basic configuration performed such as new DNS entries, Public SSL certs installed and assigned, URLs updated, SCP updated. I have reviewed and resolved some errors from the event logs for over chatty warnings about disk space (the warning is that we have loads of space...)
    This is a brief outline of the environment:
    Exchange 2007 SP3 RU13
    UK - Two physical locations in a stretch LAN (100Mb WAN)
    4 x CCR Cluster Mailbox Servers in two separate CCR Clusters
    Cluster 1 - Windows 2003 R2: One physical, one virtual server - don't ask, legacy install and I know the virtual is not a supported configuration.
    Cluster 2 - Windows 2008 R2: Two virtuals - New cluster built following a 4 day failure of Cluster 1. The aim was to move to supported config and decommission cluster 1.
    Note: Migration of Cluster 1 to Cluster 2 was halted as 2013 was so close it seemed pointless to continue the migration and instead migrate both Clusters to 2013 once in production.
    2 x Virtual Windows 2003 R2 - Hub Transport Servers
    2 x Virtual Windows 2003 R2 - Client Access Servers
    1 x Virtual Windows 2003 R2 - Unified Messaging Server
    1 x Virtual Windows 2003 R2 - Edge Transport Server (DMZ)
    US - One physical location
    1 x Physical Windows 2008 R2 - Mailbox, Client Access, Hub Transport Server
    Exchange 2013 CU5
    UK - Installed into same site along side Exchange 2007 servers
    1 x Virtual Windows 2012 R2 - Mailbox, Client Access Server
    Problem 2 Error Message - Please note, server names and domain name changed:
    Log Name:      Application
    Source:        MSExchange Front End HTTP Proxy
    Date:          18/07/2014 10:00:37
    Event ID:      3005
    Task Category: Core
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      EXC2013.domain.local
    Description:
    [RpcHttp] Marking ClientAccess 2010 server EXC2007CAS1.domain.local (https://EXC2007CAS1.domain.local/rpc/rpcproxy.dll) as unhealthy due to exception: System.Net.WebException: The underlying connection was closed: The connection was closed unexpectedly.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)
    Event Xml:
    <Event xmlns=http://schemas.microsoft.com/win/2004/08/events/event>
      <System>
        <Provider Name="MSExchange Front End HTTP Proxy" />
        <EventID Qualifiers="32768">3005</EventID>
        <Level>3</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-07-18T09:00:37.000000000Z" />
        <EventRecordID>64832</EventRecordID>
        <Channel>Application</Channel>
        <Computer>EXC2013.domain.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>RpcHttp</Data>
        <Data>EXC2007CAS1.domain.local</Data>
        <Data>https://EXC2007CAS1.domain.local/rpc/rpcproxy.dll</Data>
        <Data>System.Net.WebException: The underlying connection was closed: The connection was closed unexpectedly.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)</Data>
      </EventData>
    </Event>

    Hi Off2work,
    I've gone through the article and the Get-OutlookAnywhere commandlet looks fine (especially when compared with our working CAS).
    Having looked through IIS I have spotted two additional misconfigurations with a missing setting to require SSL on the RPC folder and also the .NET version was not set.
    I've now set those to Require SSL and .NET 2.0.5072; however, this has made no difference following a restart of both the 2007 CAS and 2013 servers.
    I could potentially reinstall the CAS server or additionally decommission it as we have two of them and the other is not causing any errors with the 2013 server. This broken CAS server doesn't even have DNS records (except its own hostname) or firewall rules pointing to it, nor does it have any active client connections if I check with a quick netstat -a
    As for UM, it's next on my list following some client/server connectivity testing so I have not yet assigned the SSL to the services or setup the dial plans, etc.
    The services do start most of the time, but others then don't so it's not a consistent issue with just this service. On my current boot, the DAG Management service failed to start, but again I don't have a DAG implemented yet.
    I will see if UM drops out of that list once I've configured it shortly
    Thanks for taking the time to respond (and that goes to DareDevil too)

  • Exchange 2013 Cumulative Update 5 Install Issue

    I have tried installing Exchange 2013 Cumulative Update 5 on our server but it is failing at the Mailbox role: Transport Service section with the following error. I am running the command prompt as Administrator. Any help would be great. 
    Error: The following error was generated when "$error.Clear(); Set-LocalPermissions 
    " was run: "System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl) at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception
    exception, ErrorCategory category, Object target) at Microsoft.Exchange.Management.Deployment.SetLocalPermissions.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.Task.b__b() at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String
    funcName, Action func, Boolean terminatePipelineIfFailed)".

    Hi Tim,
    From the Exchange setup log description, there is only one error, "Attempted to perform an unauthorized operation.". The error indicates that it is a permission problem. I would like to verify if you add the account to the local admin group. If no, please
    add the account to the admin group and continue to install the CU5.
    If the issue persists, I recommend you download a new CU5 for Exchange 2013 and reinstall it to check the result.
    For your convenience:
    Cumulative Update 5 for Exchange Server 2013
    http://www.microsoft.com/en-us/download/details.aspx?id=43103
    Hope it helps.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Exchange 2013 CU7 OWA 400 Bad Request after successful login

    Scenario:
    Exchange 2007/2013 Migration
    One Exchange 2007 Server [removed]
    One Exchange 2013 Server Std, Windows 2012
    All mailboxes moved to 2013 - November 27-30 2014
    All public folders moved to 2013 - December 2, 2014
    Exchange 2007 is still running and has not been removed from the domain, yet. [update] Exchange 2007 removed from domain - 12-13-14
    SSL Certs are current for: Autodiscover.ExtDom.com, ex13.ExtDom.com, ex13.IntDom.com
    Applied CU6 (Dec 3, 2014) to fix Mobile access issues. Since applying CU6, OWA does not work with the exception of mobile browsers (Chrome - Nexus 7) or Safari 5.1.7 on Windows 7. These browsers get the OWA 2010 theme (Yellow).
    User logs into OWA with Domain\UserName and PWD(IE). After clicking Sign In, page returns Bad Request. No errors logged in w3scv logs.
    [update] CU7 applied 12-11-2014
    All users can connect using Outlook 2013 or Mobile (iPhone & Android)
    Exchange Admin Center (ECP) still works!
    Browsers tested: IE10 (windows 7 x64), Chrome 39.0.2171.71m, Opera 26.0, FireFox 34.0.5, Safari 5.1.7
    Attempted:
    https://ex13.ExtDom.com/owa
    https://ex13.IntDom.com/owa
    https://ex13.ExtDom.com/owa?ExchClientVer=15
    https://ex13.IntDom.com/owa?ExchClientVer=15
    https://localhost/owa (on Ex 2013 server)
    https://localhost/owa?ExchClientVer=15 (on Ex 2013 Server)
    Fixes attempted:
    remove | create Virtual Directories for OWA
    Change authentication through Exchange PowerShell - Integrated/Basic from FBA/Basic reverted since change didn’t work.
    Run UpdateCas.ps1
    Run UpdateConfigFiles.ps1
    IISReset (iisReset /NoForce fails)
    OWA (Default Web Site) displays as Version 15.0 (Build 995.29) in EAC. [update] Build 1044.25 (CU7)
    Links used for troubleshooting:
    http://community.spiceworks.com/topic/514617-exchange-2013-unable-to-login-to-owa-ecp
    https://social.technet.microsoft.com/Forums/ie/en-US/f8aa95d4-19e4-483c-8c4b-b039ab0d0127/400-bad-request-when-logging-in-to-owa-exchange-2013?forum=exchangesvrclients
    http://tecfused.com/2013/09/23/exchange-2013-ecp-double-login-error-400/
    https://social.technet.microsoft.com/Forums/lync/en-US/c25ce81c-76ea-471a-93ae-eeaf9e5015ac/exchange-2013-owa-error-400-bad-request?forum=exchangesvradmin
    http://support.microsoft.com/kb/2871485/en-gb

    Hi,
    Does it work if you disable the FBA and only use the basic authentication?
    Please also let us know the authentication settings on the Default Web site.
    Thanks,
    Simon Wu
    TechNet Community Support

  • Some Outlook clients getting internal FQDN of newly installed Exchange 2013 CAS server as Outlook Anywhere Proxy address

    Hello Folks,
    I have this problem and is making me crazy if anyone have any idea please shed some light on this:-
    1. Working Outlook 2010 and 2013 clients with webmail.xyz.com as Outlook Anywhere proxy address.
    2. Installed new Exchange 2013 server (server02)with CAS and Mailbox role, Exchange install wizard finished and server is rebooted.
    3. Server came up online started changing internal and external FQDN's of Virtual Directories and Outlook Anywhere to webmail.xyz.com
    4. As soon as Fqdn's changed some outlook clients create support request that Outlook suddenly white's out and after reopening it is giving error  cannot connect to exchange. upon checking Clients Exchange Proxy address is set to http://server02.xyz.com,
    even though OA/OWA/ECP/OAB/EWS/Autodiscover/ActiveSync FQDN's Point to webmail.xyz.com, on all servers if i create new outlook profile for same user it picks up correct settings through autodiscover and connects fine, this is happening to about 20% of outlook
    clients every time i am introducing new Exchange 2013 server in Organization. we have around 2000 users and planning on installing 4 exchange servers to distribute load and everytime changing outlook profile of close to 150-200 users is not possible.
    Any help is greatly appreciated.
    Thanks
    Cool

    Here are the EXCRA results
    Here IP (x.x.x.x) returned is my Load Balancer IP (Webmail.xyz.com).    
    Connectivity Test Successful with Warnings
    Test Details
         Testing Outlook connectivity.
         The Outlook connectivity test completed successfully.
              Additional Details
         Elapsed Time: 9881 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
         Autodiscover was tested successfully.
              Additional Details
         Elapsed Time: 2063 ms.
              Test Steps
              Attempting each method of contacting the Autodiscover service.
         The Autodiscover service was tested successfully.
              Additional Details
         Elapsed Time: 2063 ms.
              Test Steps
              Attempting to test potential Autodiscover URL https://xyz.com:443/Autodiscover/Autodiscover.xml
         Testing of this potential Autodiscover URL failed.
              Additional Details
         Elapsed Time: 186 ms.
              Test Steps
              Attempting to resolve the host name xyz.com in DNS.
         The host name couldn't be resolved.
              Additional Details
         Host xyz.com couldn't be resolved in DNS InfoNoRecords.
    Elapsed Time: 186 ms.
         Attempting to test potential Autodiscover URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml
         Testing of the Autodiscover URL was successful.
              Additional Details
         Elapsed Time: 1876 ms.
              Test Steps
              Attempting to resolve the host name autodiscover.xyz.com in DNS.
         The host name resolved successfully.
              Additional Details
         IP addresses returned: x.x.x.x
    Elapsed Time: 338 ms.
         Testing TCP port 443 on host autodiscover.xyz.com to ensure it's listening and open.
         The port was opened successfully.
              Additional Details
         Elapsed Time: 173 ms.
         Testing the SSL certificate to make sure it's valid.
         The certificate passed all validation requirements.
              Additional Details
         Elapsed Time: 318 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.xyz.com on port 443.
         The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
              Additional Details
         Remote Certificate Subject: CN=webmail.xyz.com, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US.
    Elapsed Time: 219 ms.
         Validating the certificate name.
         The certificate name was validated successfully.
              Additional Details
         Host name autodiscover.xyz.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 1 ms.
         Certificate trust is being validated.
         The certificate is trusted and all certificates are present in the chain.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,.
         One or more certificate chains were constructed successfully.
              Additional Details
         A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 36 ms.
         Analyzing the certificate chains for compatibility problems with versions of Windows.
         Potential compatibility problems were identified with some versions of Windows.
              Additional Details
         The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
    isn't enabled.
    Elapsed Time: 5 ms.
         Testing the certificate date to confirm the certificate is valid.
         Date validation passed. The certificate hasn't expired.
              Additional Details
         The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
    Elapsed Time: 0 ms.
         Checking the IIS configuration for client certificate authentication.
         Client certificate authentication wasn't detected.
              Additional Details
         Accept/Require Client Certificates isn't configured.
    Elapsed Time: 289 ms.
         Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
         The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
              Additional Details
         Elapsed Time: 756 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml for user [email protected].
         The Autodiscover XML response was successfully retrieved.
              Additional Details
         Autodiscover Account Settings
    XML response:
    <?xml version="1.0"?>
    <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
    <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
    <DisplayName>Test Exch1</DisplayName>
    <LegacyDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1</LegacyDN>
    <DeploymentId>4ec753c9-60d9-4c05-9451-5b24e2d527a7</DeploymentId>
    </User>
    <Account>
    <AccountType>email</AccountType>
    <Action>settings</Action>
    <Protocol>
    <Type>EXCH</Type>
    <Server>[email protected]</Server>
    <ServerDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]</ServerDN>
    <ServerVersion>73C0834F</ServerVersion>
    <MdbDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]/cn=Microsoft Private MDB</MdbDN>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <PublicFolderServer>webmail.xyz.com</PublicFolderServer>
    <AD>DC-03.domain.xyz.com</AD>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>off</ServerExclusiveConnect>
    </Protocol>
    <Protocol>
    <Type>EXPR</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>on</ServerExclusiveConnect>
    <EwsPartnerUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsPartnerUrl>
    <GroupingInformation>Default-First-Site-Name</GroupingInformation>
    </Protocol>
    <Protocol>
    <Type>WEB</Type>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <Internal>
    <OWAUrl AuthenticationMethod="Basic, Fba">https://webmail.xyz.com/owa/</OWAUrl>
    <Protocol>
    <Type>EXCH</Type>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    </Protocol>
    </Internal>
    <External>
    <OWAUrl AuthenticationMethod="Fba">https://webmail.xyz.com/owa/</OWAUrl>
    <Protocol>
    <Type>EXPR</Type>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    </Protocol>
    </External>
    </Protocol>
    <Protocol>
    <Type>EXHTTP</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>On</ServerExclusiveConnect>
    </Protocol>
    <Protocol>
    <Type>EXHTTP</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>On</ServerExclusiveConnect>
    </Protocol>
    </Account>
    </Response>
    </Autodiscover>
    HTTP Response Headers:
    request-id: 9d325a80-f1fd-4496-ac48-2be6bb782c28
    X-CalculatedBETarget: Server01.domain.xyz.com
    X-DiagInfo: Server01
    X-BEServer: Server01
    Persistent-Auth: true
    X-FEServer: Server01
    Content-Length: 11756
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Date: Mon, 25 Aug 2014 19:12:25 GMT
    Set-Cookie: X-BackEndCookie=S-1-5-21-1293235207-2459173341-1304346827-14544=u56Lnp2ejJqBypqcnsfJx5nSy8ucnNLLnJzP0sfKz8/Sy5nHmsiamZrMyZrLgYHPxtDNy9DNz87L387Gxc7Nxc3J; expires=Thu, 25-Sep-2014 00:12:26 GMT; path=/Autodiscover; secure; HttpOnly
    Server: Microsoft-IIS/8.5
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Elapsed Time: 756 ms.
         Autodiscover settings for Outlook connectivity are being validated.
         The Microsoft Connectivity Analyzer validated the Outlook Autodiscover settings.
              Additional Details
         Elapsed Time: 0 ms.
         Testing RPC over HTTP connectivity to server webmail.xyz.com
         RPC over HTTP connectivity was verified successfully.
              Additional Details
         HTTP Response Headers:
    request-id: 835acf95-78b7-40ae-b232-117318d1577e
    Server: Microsoft-IIS/8.5
    WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
    X-Powered-By: ASP.NET
    X-FEServer: Server01
    Date: Mon, 25 Aug 2014 19:12:26 GMT
    Content-Length: 0
    Elapsed Time: 7817 ms.
              Test Steps
              Attempting to resolve the host name webmail.xyz.com in DNS.
         The host name resolved successfully.
              Additional Details
         IP addresses returned: x.x.x.x
    Elapsed Time: 107 ms.
         Testing TCP port 443 on host webmail.xyz.com to ensure it's listening and open.
         The port was opened successfully.
              Additional Details
         Elapsed Time: 180 ms.
         Testing the SSL certificate to make sure it's valid.
         The certificate passed all validation requirements.
              Additional Details
         Elapsed Time: 303 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server webmail.xyz.com on port 443.
         The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
              Additional Details
         Remote Certificate Subject: CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 224 ms.
         Validating the certificate name.
         The certificate name was validated successfully.
              Additional Details
         Host name webmail.xyz.com was found in the Certificate Subject Common name.
    Elapsed Time: 0 ms.
         Certificate trust is being validated.
         The certificate is trusted and all certificates are present in the chain.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,
         One or more certificate chains were constructed successfully.
              Additional Details
         A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 34 ms.
         Analyzing the certificate chains for compatibility problems with versions of Windows.
         Potential compatibility problems were identified with some versions of Windows.
              Additional Details
         The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
    isn't enabled.
    Elapsed Time: 5 ms.
         Testing the certificate date to confirm the certificate is valid.
         Date validation passed. The certificate hasn't expired.
              Additional Details
         The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
    Elapsed Time: 0 ms.
         Checking the IIS configuration for client certificate authentication.
         Client certificate authentication wasn't detected.
              Additional Details
         Accept/Require Client Certificates isn't configured.
    Elapsed Time: 298 ms.
         Testing HTTP Authentication Methods for URL https://webmail.xyz.com/rpc/[email protected]:6002.
         The HTTP authentication methods are correct.
              Additional Details
         The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
         HTTP Response Headers:
    request-id: 835acf95-78b7-40ae-b232-117318d1577e
    Server: Microsoft-IIS/8.5
    WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
    X-Powered-By: ASP.NET
    X-FEServer: Server01
    Date: Mon, 25 Aug 2014 19:12:26 GMT
    Content-Length: 0
    Elapsed Time: 296 ms.
         Attempting to ping RPC proxy webmail.xyz.com.
         RPC Proxy was pinged successfully.
              Additional Details
         Elapsed Time: 454 ms.
         Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 0 ms.
    Elapsed Time: 1007 ms.
         Testing the MAPI Address Book endpoint on the Exchange server.
         The address book endpoint was tested successfully.
              Additional Details
         Elapsed Time: 2177 ms.
              Test Steps
              Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 906 ms.
    Elapsed Time: 918 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         The test passed with some warnings encountered. Please expand the additional details.
              Additional Details
         The address book Bind operation returned ecNotSupported. This typically indicates that your server requires encryption. The Microsoft Connectivity Analyzer will attempt the Address Book test again with encryption.
    NSPI Status: 2147746050
    Elapsed Time: 825 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         Check Name succeeded.
              Additional Details
         DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
    Elapsed Time: 433 ms.
         Testing the MAPI Referral service on the Exchange Server.
         The Referral service was tested successfully.
              Additional Details
         Elapsed Time: 1808 ms.
              Test Steps
              Attempting to ping the MAPI Referral Service endpoint with identity: [email protected]:6002.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 953 ms.
    Elapsed Time: 949 ms.
         Attempting to perform referral for user /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1 on server [email protected].
         We got the address book server successfully.
              Additional Details
         The server returned by the Referral service: [email protected]
    Elapsed Time: 858 ms.
         Testing the MAPI Address Book endpoint on the Exchange server.
         The address book endpoint was tested successfully.
              Additional Details
         Elapsed Time: 626 ms.
              Test Steps
              Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 156 ms.
    Elapsed Time: 154 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         Check Name succeeded.
              Additional Details
         DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
    Elapsed Time: 472 ms.
         Testing the MAPI Mail Store endpoint on the Exchange server.
         We successfully tested the Mail Store endpoint.
              Additional Details
         Elapsed Time: 555 ms.
              Test Steps
              Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 234 ms.
    Elapsed Time: 228 ms.
         Attempting to log on to the Mailbox.
         We were able to log on to the Mailbox.
              Additional Details
         Elapsed Time: 326 ms.
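
A check for the symptom in the post above (some clients ending up on a single server name instead of webmail.xyz.com), added here as an example and not part of the original post or of any Microsoft tool: it parses an Autodiscover response and lists every client-facing host that differs from the expected namespace, plus any Outlook Anywhere block with SSL off. The sample response is constructed; the name `audit_autodiscover` and the choice to skip the EXCH `<Server>` value are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements of the Outlook Autodiscover response that carry absolute URLs.
URL_TAGS = {"ASUrl", "OOFUrl", "OABUrl", "UMUrl", "EwsUrl", "EmwsUrl",
            "EcpUrl", "EwsPartnerUrl", "OWAUrl"}
# Protocol types whose <Server> is the HTTP proxy name Outlook connects to.
# The EXCH <Server> is not a proxy host name, so it is skipped (assumption).
PROXY_TYPES = {"EXPR", "EXHTTP"}

# Constructed sample: a trimmed response in which the EXPR block and the
# internal OWA URL still point at one server instead of the namespace.
SAMPLE = """<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<AccountType>email</AccountType>
<Protocol>
<Type>EXCH</Type>
<Server>mailbox-guid@xyz.com</Server>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>server02.xyz.com</Server>
<SSL>On</SSL>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://server02.xyz.com/owa/</OWAUrl>
<Protocol><Type>EXCH</Type><ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl></Protocol>
</Internal>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.xyz.com</Server>
<SSL>On</SSL>
</Protocol>
</Account>
</Response>
</Autodiscover>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _protocol_type(proto):
    """Return the text of the direct <Type> child of a <Protocol> element."""
    for child in proto:
        if _local(child.tag) == "Type":
            return (child.text or "").strip().upper()
    return "?"


def audit_autodiscover(xml_text, expected_host):
    """Return (protocol_type, element, value) for each deviation found."""
    # Input is assumed to come from your own Exchange servers; for XML from
    # an untrusted source, parse with the defusedxml package instead.
    expected = expected_host.lower()
    findings = []

    def check_host(ptype, tag, host):
        if host and host.lower() != expected:
            findings.append((ptype, tag, host))

    def walk(elem, ptype):
        for child in elem:
            tag = _local(child.tag)
            text = (child.text or "").strip()
            if tag == "Protocol":
                # Nested blocks (WEB/Internal, WEB/External) carry their own type.
                walk(child, _protocol_type(child))
            elif tag in URL_TAGS:
                check_host(ptype, tag, urlsplit(text).hostname)
            elif tag == "Server" and ptype in PROXY_TYPES:
                check_host(ptype, tag, text)
            elif tag == "SSL" and ptype in PROXY_TYPES:
                if text.lower() != "on":
                    findings.append((ptype, tag, text))
            else:
                walk(child, ptype)

    walk(ET.fromstring(xml_text), None)
    return findings


if __name__ == "__main__":
    for ptype, tag, value in audit_autodiscover(SAMPLE, "webmail.xyz.com"):
        print(f"{ptype:7} {tag:8} {value}")
```

Running it against the response saved from each Client Access server separately shows which server still hands out its own name after a new server is introduced.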

  • Exchange 2013 SP1 server working for several months now messages are getting stuck in drafts folder

    This is a small, simple environment. There is a MS Server 2012 R2 server hypervisor with a MS Server 2012 R2 VM running Exchange 2013 patched to SP1. This server has been deployed into production and passing mail without issues for several months.
    Upon initial deployment, we experienced the issue that many have reported and that has been widely documented where Mail Flow works fine inbound, but outbound will stick in the drafts folder. We resolved the issue by manually configuring the IP Address of
    our internal DNS server (which is an installed role on our hypervisor / base layer server). The issue was immediately resolved and mail was flowing in both directions without issue. We later installed SP1 and there was no issue. Mail has
    been flowing normally all the while.
    Now fast-forward through several weeks of reliable mail delivery... We experienced a power loss and a system shutdown and upon reboot, inbound is working and outbound goes to drafts.  I've confirmed DNS Lookup settings in ECP still points to our internal
    server as previously configured.  Both servers have internet access, NSLOOKUP returns expected values, and DNS appears to be working normally.  
    I'm not sure if we had an MS Update that installed with the reboot that caused the breakage, if there was a lingering settings change that took effect on reboot, or what is causing the interruption.  I'm looking for some fresh ideas on where to look
    for answers, and all the information available on the drafts folder issue points to DNS settings that have already been put in place.  
    Any constructive ideas are welcome!   Thanks in advance. 
    David

    Amit,
    Long story short, I'm not sure how or why, but there were a few automatic services that were not starting "automatically."  I'm used to seeing some services that are triggered by the application to start and stop on their own, so I didn't necessarily
    panic when there were a few automatic services that were stopped.
    However, the MS Exchange Health Manager and the Mailbox Submission services weren't running. After manually starting the services my drafts folder emptied and we are back in business. Maybe not "innovative" as you said, but it certainly put us on
    the right track.  We were looking so hard at DNS because of all the reported cases of "stuck in drafts" being related to DNS, we totally overlooked the obvious, so THANKS!
    Now the only question is, what stopped the services and why did they not restart automatically??  

  • Migration to Exchange 2013 from 2010 - Client side issues

    Hi Everyone, 
       I've been having issues with clients connecting to an existing Exchange server (Getting login prompt- but not usual reason).  
    We currently run Exchange 2010 with approx 200 mailboxes on the server. Last night I renewed the certificate on the 2010 server (GoDaddy SAN cert, all ok) and added the cert to my new Exchange 2013 server. I tested it with my account and a
    test account approx 12 times, and had no login prompt when launching Outlook. All seemed ok, until this morning.....
    This morning, most (not all) users are getting the login prompt.  We are able to get by this by inputting domain\username and Outlook opens fine and is able to connect.  No users are on the Exchange 2013 server yet (only 1 test account) 
    I've been googling all morning and I'm not seeing anything directly relating to my issue. I've read about the Anon vs Negotiate issues (KB2834139), but the strange thing is all clients are set to negotiate network security (and encrypt data). This
    is the opposite of what the MS article says. Clients are all Outlook 2010.
    Here are my outlook anywhere settings: 
    ServerName               : exchange2010
    IISAuthenticationMethods : {Basic}
    ServerName               : exchange2013A
    IISAuthenticationMethods : {Basic, Ntlm}
    ServerName               : exchange2013B
    IISAuthenticationMethods : {Basic, Ntlm}
    Identity                          ClientAuthenticationMethod IISAuthenticationMethods
    exchange2010\Rpc (Default Web Site)                        Basic {Basic}
    exchange2013a\Rpc (Default Web Site)                       Ntlm {Basic, Ntlm}
    exchange2013b\Rpc (Default Web Site)                       Ntlm {Basic, Ntlm}
    If I change the Exchange 2010 server to NTLM, will this resolve what I'm seeing? And do I need to restart RPC Client Access and Transport Service to make changes take effect? Or reboot the whole server? 
    If you need more info or logs please let me know
    Thank you for any help! 
    -Jeff

    Hi,
    Please confirm whether the login prompt issue occurs when users open the Outlook client for the first time after renewing the Exchange certificate, or whether it happens every time Outlook is opened.
    I noticed that the user can connect to the Exchange server after inputting domain\username. Please confirm if the issue happens to external users who use Outlook Anywhere. For Outlook Anywhere coexistence,
    please choose NTLM for IIS authentication.
    Set-OutlookAnywhere -Identity "exchange2010\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,Ntlm
    Regards,
    Winnie Liang
    TechNet Community Support

  • Exchange 2013 CAS server returned '500 Message rejected'

    Hi, all.
    Exchange 2013 with CAS server and 2 mailbox servers. Health checks are all 100% healthy.
    One of our users cannot receive email from an external user. Our CAS server keeps rejecting the message. I can trace the message and see that it did indeed hit our servers, and was rejected. But I cannot find out WHY it was rejected.
    Here is the Delivery Report from the EAC:
    Delivery Report for               NAME ‎([email protected])
    Failed
    3/30/2015 1:41 PM <CAS servername>
    The message couldn't be delivered.
    [{LRT=};{LED=500 Message rejected};{FQDN=};{IP=}]
    The external user gets this NDR:
    <our local CAS servername> gave this error:
    Message rejected
    In the Diagnostic information for administrator section:
    <our local CAS servername> returned '500 message rejected'
    followed by the Original message headers. I think I'm looking for some more verbose logging to see what rule or configuration rejected the message. Any help would be greatly appreciated!
    Thanks!
    Dan

    My main question: how can I see what triggered my CAS server to reject this message with error 500?
    Our user can receive email from other external senders ok. It seems to be just this one sender having trouble.
    Our transport rules are not complex, and I see no rules that would block this sender or domain.
    We use Exchange Online Protection. The message gets through EOP and hits our CAS server. The CAS server rejects the message - it never gets to the Client.
    The CAS server gives the error 500 - but that's all I can find. I need a command or somewhere to look to see what triggered the 500 error.
    I've posted the NDR received by the sender and scrubbed our identifying information.
    Rcn.com looks like the sender's online forwarding host - the spf record for senderdomain.net points back to rcn.com. I've run an spf record check and it passes, so I do not believe that is the issue.
    Here is the NDR:
    From: [email protected]
    To: [email protected]
    Sent: Monday, March 30, 2015 1:41 PM
    Subject: Undeliverable: Hello from FirstName
    CAS1.our_internal_domain.local rejected your message to the following email addresses:
    FirstName LastName ([email protected])
    A problem occurred while delivering your message to this email address. Try sending your message again. If the problem continues, please contact your email admin.
    CAS1.our_internal_domain.local gave this error:
    Message rejected
    Diagnostic information for administrators:
    Generating server: BY1PR0501MB1112.namprd05.prod.outlook.com
    [email protected]
    CAS1.our_internal_domain.local
    Remote Server returned '500 Message rejected'
    Original message headers:
    Received: from BLUPR05CA0049.namprd05.prod.outlook.com (10.141.20.19) by
     BY1PR0501MB1112.namprd05.prod.outlook.com (25.160.103.146) with Microsoft
     SMTP Server (TLS) id 15.1.118.21; Mon, 30 Mar 2015 17:40:54 +0000
    Received: from BL2FFO11FD027.protection.gbl (2a01:111:f400:7c09::115) by
     BLUPR05CA0049.outlook.office365.com (2a01:111:e400:855::19) with Microsoft
     SMTP Server (TLS) id 15.1.125.19 via Frontend Transport; Mon, 30 Mar 2015
     17:40:54 +0000
    Received: from smtp.rcn.com (69.168.97.78) by
     BL2FFO11FD027.mail.protection.outlook.com (10.173.161.106) with Microsoft
     SMTP Server (TLS) id 15.1.130.10 via Frontend Transport; Mon, 30 Mar 2015
     17:40:54 +0000
    Return-Path: [email protected]
    X_CMAE_Category: , ,
    X-CNFS-Analysis: v=2.0 cv=PMSNCIWC c=1 sm=1 a=gRQJo8bc1j9+0GSSRogFxg==:17 a=NTyKUL13AAAA:8 a=ML7w5Z3_AAAA:8 a=3H5rcUylbt2uBKgiyYQA:9 a=wPNLvfGTeEIA:10 a=XQfDMMe_SRUA:10 a=SEXQnC1BqQAA:10 a=7ZjHjvgxCjAA:10 a=Wcs1mLwGzyUA:10 a=sBa8ZLUje9YA:10 a=k-GqB2yPh3IA:10
    a=N4kHG9ehtKzd7-3o534A:9 a=_W_S_7VecoQA:10 a=gRQJo8bc1j9+0GSSRogFxg==:117
    X-CM-Score: 0
    X-Scanned-by: Cloudmark Authority Engine
    X-Authed-Username: ZHAtZm1hQHJjbi5jb20=
    Authentication-Results: smtp02.rcn.cmh.synacor.com
     [email protected]; sender-id=neutralourdomain.com; dkim=none
     (message not signed) header.d=none;ourdomain.com; dmarc=pass action=none
     header.from=senderdomain.net;
    Authentication-Results: smtp02.rcn.cmh.synacor.com [email protected]; spf=neutral; sender-id=neutral
    Authentication-Results: smtp02.rcn.cmh.synacor.com smtp.user=sender; auth=pass (LOGIN)
    Received-SPF: neutral (smtp02.rcn.cmh.synacor.com: 69.72.92.252 is neither permitted nor denied by domain of senderdomain.net)
    Received: from [69.72.92.252] ([69.72.92.252:2689] helo=FirstNameLastName)
            by smtp.rcn.com (envelope-from <[email protected]>)
            (ecelerity 3.6.2.43620 r(Platform:3.6.2.0)) with ESMTPA
            id 58/6E-17115-4AA89155; Mon, 30 Mar 2015 13:40:53 -0400
    Message-ID: <011A7DBF0D954F62987032D45778AF29@FirstNameLastName>
    From: FirstName LastName <[email protected]>
    To: FirstName LastName <[email protected]>
    Subject: Hello from FirstName
    Date: Mon, 30 Mar 2015 13:40:49 -0400
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
            boundary="----=_NextPart_000_0007_01D06AEF.223E4A60"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.5931
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
    X-EOPAttributedMessage: 0
    Received-SPF: Pass (protection.outlook.com: domain of senderdomain.net designates
     69.168.97.78 as permitted sender) receiver=protection.outlook.com;
     client-ip=69.168.97.78; helo=smtp.rcn.com;
    Authentication-Results: spf=pass (sender IP is 69.168.97.78)
     [email protected];
    X-Forefront-Antispam-Report:
            CIP:69.168.97.78;CTRY:US;IPV:NLI;EFV:NLI;SFV:SKN;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:BY1PR0501MB1112;H:smtp.rcn.com;FPR:;SPF:None;LANG:en;
    X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0501MB1112;
    X-Exchange-Antispam-Report-Test: UriScan:;
    X-Exchange-Antispam-Report-CFA-Test:
            BCL:0;PCL:0;RULEID:(601004);SRVR:BY1PR0501MB1112;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0501MB1112;
    X-OriginatorOrg: ourdomain.onmicrosoft.com
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Mar 2015 17:40:54.1243
     (UTC)
    X-MS-Exchange-CrossTenant-Id: c92ecf05-92f8-42f4-a246-24bee4988793
    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0501MB1112
    Dan
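
An added example, not part of the post above: the SMTP receive protocol log records every command and reply of each inbound session, which is the kind of verbose logging the question asks for. The sketch below pulls out each session in which the server itself sent a 5xx reply, showing which receive connector rejected the message and at which SMTP verb. The function name `Get-RejectedSmtpSession` is hypothetical and the log lines are constructed, using documentation-range addresses; the column names are read from the log's own `#Fields:` header.

```powershell
# Constructed sample of an SMTP receive protocol log (not taken from the post).
# Lines starting with '#' are metadata; '#Fields:' names the CSV columns.
$sampleLog = @(
    '#Software: Microsoft Exchange Server'
    '#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'
    '2015-03-30T17:40:55.010Z,CAS1\Default Frontend CAS1,08D2000000000001,0,192.0.2.10:25,198.51.100.20:41000,+,,'
    '2015-03-30T17:40:55.020Z,CAS1\Default Frontend CAS1,08D2000000000001,1,192.0.2.10:25,198.51.100.20:41000,>,220 CAS1.example.local ready,'
    '2015-03-30T17:40:55.030Z,CAS1\Default Frontend CAS1,08D2000000000001,2,192.0.2.10:25,198.51.100.20:41000,<,MAIL FROM:<sender@example.net>,'
    '2015-03-30T17:40:55.040Z,CAS1\Default Frontend CAS1,08D2000000000001,3,192.0.2.10:25,198.51.100.20:41000,>,250 2.1.0 Sender OK,'
    '2015-03-30T17:40:55.050Z,CAS1\Default Frontend CAS1,08D2000000000001,4,192.0.2.10:25,198.51.100.20:41000,<,RCPT TO:<user@example.com>,'
    '2015-03-30T17:40:55.060Z,CAS1\Default Frontend CAS1,08D2000000000001,5,192.0.2.10:25,198.51.100.20:41000,>,250 2.1.5 Recipient OK,'
    '2015-03-30T17:40:55.070Z,CAS1\Default Frontend CAS1,08D2000000000001,6,192.0.2.10:25,198.51.100.20:41000,<,DATA,'
    '2015-03-30T17:40:55.080Z,CAS1\Default Frontend CAS1,08D2000000000001,7,192.0.2.10:25,198.51.100.20:41000,>,354 Start mail input,'
    '2015-03-30T17:40:55.900Z,CAS1\Default Frontend CAS1,08D2000000000001,8,192.0.2.10:25,198.51.100.20:41000,>,500 Message rejected,'
    '2015-03-30T17:40:55.910Z,CAS1\Default Frontend CAS1,08D2000000000001,9,192.0.2.10:25,198.51.100.20:41000,-,,'
    '2015-03-30T17:41:10.000Z,CAS1\Default Frontend CAS1,08D2000000000002,0,192.0.2.10:25,198.51.100.21:41001,+,,'
    '2015-03-30T17:41:10.010Z,CAS1\Default Frontend CAS1,08D2000000000002,1,192.0.2.10:25,198.51.100.21:41001,<,MAIL FROM:<other@example.org>,'
    '2015-03-30T17:41:10.020Z,CAS1\Default Frontend CAS1,08D2000000000002,2,192.0.2.10:25,198.51.100.21:41001,>,250 2.1.0 Sender OK,'
)

function Get-RejectedSmtpSession {
    param([string[]]$Line)

    # Take the column names from the '#Fields:' header, then parse the data rows as CSV.
    $fieldsLine = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $columns = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $rows = $Line | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $columns

    # Event '>' is a reply sent by this server; data starting with 5xx is a permanent rejection.
    $rejectedIds = $rows |
        Where-Object { $_.event -eq '>' -and $_.data -match '^5\d\d[ -]' } |
        Select-Object -ExpandProperty 'session-id' -Unique

    # Emit the complete conversation of each rejected session in sequence order.
    foreach ($id in $rejectedIds) {
        $rows | Where-Object { $_.'session-id' -eq $id } |
            Sort-Object { [int]$_.'sequence-number' } |
            Select-Object 'date-time', 'connector-id', 'remote-endpoint', event, data
    }
}

Get-RejectedSmtpSession -Line $sampleLog | Format-Table -AutoSize -Wrap
```

On a live server the input would be `Get-Content` over the `*.log` files under the path shown by `Get-FrontendTransportService | Format-List ReceiveProtocolLogPath`, with `ProtocolLoggingLevel` set to `Verbose` on the receive connector via `Set-ReceiveConnector`.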

  • 2 Exchange 2013 multirole servers and 1 address for Outlook Anywhere. How to?

    Hello everybody.
    I'm coming to you with a question about my new Exchange 2013 infrastructure. 
    I have 2 Exchange 2013 SP1 servers. Both are multirole (CAS + MBX). My servers are Server12 and Server13. 
    I created a DAG whose IP address is 192.168.3.30 (Servers IP are 3.31 and 3.32). Everything's working fine. 
    For CAS High Availability, I followed this thread : http://exchangeserverpro.com/exchange-2013-client-access-server-high-availability/
    On my firewall, I use NAT to send https flow from my public IP address (mail.domain.fr, external domain published on the Internet) to point to mail.domain.org (internal domain, not published on the Internet). The mail.domain.org alias is my record defined in my internal DNS to point to my 2 multirole servers, as shown in the tutorial above.
    I encounter a problem with external Outlook Anywhere. My problem comes with Outlook Anywhere, which is not working fine when I redirect https flow to my cluster IP address (192.168.3.30) (DAG's address, corresponding to my servers). If I do the same redirection, but pointing to only one of my servers, it's working fine. In Exchange, the external Outlook Anywhere directory points to mail.domain.fr.
    But anyway, if this server goes down, I have to manually change the NAT on my firewall. And I don't want to :). 
    What can I do? Can I do something without a physical load-balancer? 
    Thanks

    You cannot point Outlook Anywhere to your DAG cluster IP address. It must be pointed to the actual IP address of either server.
    For no extra cost, DNS round robin is the best you will get, but it does have some drawbacks, as it may give the IP address of a server you have taken down for maintenance or of a server that has an issue.
    You could look to implement a load balancer but again if you are doing this for high availability then you want more than one load balancer in the cluster - otherwise you've just moved your single point of failure.
    Having your existing NAT and just remembering to update it to point to the other server during maintenance may suit your needs for now.
    If you can go into more detail about the high availability your business is looking to achieve and the budget, we can suggest the best method to meet those needs for the price point.
    Have a great day
    Oliver
    Oliver Moazzezi | Exchange MVP, MCSA:M, MCITP:Exchange 2010,Exchange 2013, BA (Hons) Anim | http://www.exchange2010.com | http://www.cobweb.com | http://twitter.com/OliverMoazzezi
