Exchange 2013 Untrusted Cross-Forest Availability Intermittently Working

Similar Messages

• Gal Sync and group member sync cross forest. Not working together

    I am finalizing a cross forest migration. The End client needs an extended period of time with both domains up and running. I have been working with an advisory engineer and we are having a hard time.
    We started by setting up GAL sync and that works as expected. Then we tried to setup group provisioning, and I have that working. I can create a groups and add members, as long as those users are in FIM and the Target forest the membership information
  is preserved. During the process we removed the GAL sync agents for ease of troubleshooting. Now when I run the GAL sync agents and I search the connector space I am showing connector false on both sides. I am not sure how to correct that. The other objects
  were created by the DS agents and FIM.  If I sync a new object it will create a contact cross forest. 
    What I want it to do is run the GAL sync without group contacts. Synchronize the GAL on both sides. (Groups have been created on both sides of the domain and ADMT has moved the group membership with the user) After the GAL is synchronized I need FIM
  to synchronize the group membership adding the contacts from the missing users that have moved. I am not sure how to get that logic in the system.
    I am not sure I am going about this the right way. It may be easier to use the FIM and AD DS agents to provision users cross forest as contacts and the group membership would be preserved.  If that is the case, I am not sure how to pull
  that off.
  Does anyone have recommendations?
  Thank You

   
  This is an overview of basically how it works. 
  The Group sync is pretty much out of the box, the real key here is the User is imported to FIM and that 'Person' is then provisioned outbound as a contact. 
  Membership synchronizes with the Group and FIM maintains group membership cross forest as the source user, and the target contact are the same 'Person'. 
  Precedence is important.  The OU structure is the same on both forests and needs to be initialized.  The Groups Sync is ahead of the users and then the users sync, and the group membership
  syncs. 
  The attribute flow is a long list.  It includes all of the exchange information for the contact, and it provisions the contact as mail enabled on both sides.  There is no VB it’s all
  done in sync rules. 
  Next Ill post the attribute flow and precedence diagram, I’ll get that together this week (I hope).  I intend to put this up in a lab and get screen shots on the whole configuration. 
  I will do that as soon as I can.
  Let me know if you have questions.

• 404 can't find page Error when logging into Exchange 2013 OWA, after a refresh, login works

  Hi,
  I've upgrade two of my customers to Exchange 2013.
  On of them was coming from 2007, and the other was already running 2010.
  Migration from both of the servers went good.
  However with the customer which upgraded from 2010 to 2013 i'm experiencing strange OWA behavior:
  When I login to OWA on https://owa.contoso.com/owa, and input my credentials and click sign in: I receive this error:
  404
  can't find page :-(
  The page you're looking for couldn't be found on the server.
  X-FEServer: JVBMAIL01
  Date: 11-6-2014 11:54:48
  Fewer details..
  -> Refresh the page
  In the addressbar, the following URL is displayed: https://owa.contoso.com/owa/auth/errorFE.aspx?httpCode=404
  But... when I click: "Refresh the page" of just hit F5, the login proceeds, and my OWA is displayed and working fine.
  This behavior only happens with my customer which was upgraded from 2010 to 2013.
  The customer which i've upgraded from 2007 to 2013 doesn't experience this problem.
  I've matched the IIS settings and redirect/ssl options on both servers. They are the same.
  I've tried other users and i've experienced that on one user, the error message didn't appear.
  When I try to delete the Exchange atributes from the user, (after exporting the mail to a PST file) and re-add the Exchange attributes, the message is gone. This isn't a solotuion however, since i've got 166 users, and about 150 of them, get the error message.
  New users don't get the error.
  Anybody got any clues?

  Hi,
  From your description, I would like to verify the following thing for troubleshooting:
  Please make sure that the authentication is set to Basic Authentication and Forms Authentication is disabled on OWA and ECP virtual directly in IIS. After the above settings, please restart IIS by running IISReset /noforce command.
  Hope it helps.
  Best regards,
  Amy Wang
  TechNet Community Support

• Exchange 2013 CAS - Round Robin DNS not working properly

  I have exchange 2013 server (2MB, 2CAS) server. I created two dns records for mail.test.com, autodiscover.test.com pointing to my two CAS servers.
  But the problem is if i switched of one cas server, client outlook not connecting automatically to other CAS server. By restarting the outlook also its not working. By restarting the system or running the command ipconfig /flushdns in command prompt, it
  working.
  is there any configuration iam missing, please advice how to achieve decent load balancing in Exchange 2013 CAS without going for third party Loadbalancer...

  I have exchange 2013 server (2MB, 2CAS) server. I created two dns records for mail.test.com, autodiscover.test.com pointing to my two CAS servers.
  But the problem is if i switched of one cas server, client outlook not connecting automatically to other CAS server. By restarting the outlook also its not working. By restarting the system or running the command ipconfig /flushdns in command prompt, it
  working.
  is there any configuration iam missing, please advice how to achieve decent load balancing in Exchange 2013 CAS without going for third party Loadbalancer...
  If a CAS role server is down or unable to service clients, you have to remove it from  DNS round-robin consideration manually. There is no health check with DNS round-robin unlike a true load balancer.
  Also, I would set the TTL to a low value for the CAS servers in the round-robin.
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• Exchange 2003 -2010 cross forest (NDR 5.4.6)

  Hi.
  Have: Exchange 2003+2010 in source forest. Exchange 2010 in target forest.
  Successful migrate mailbox to target forest (in source forest this mailbox convert to mailuser).
  When try send e-mail to this mailbox (it`s in target forest) from Exchange 2003 mailbox get this:
  A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients.
  If send from Exchange 2010 (source/target) - all mail ok.
  If delete this mailuser (in source forest) - all set to ok.
  x500?
  Please, help.
  Thanks.

  Hi,
  In the error event, 5.4.6 means "Routing loop detected" (RFC1893).
  This issue occurs if the source Exchange organization is authoritative for the target domain. Because the source Exchange organization is responsible for mail delivery to target, the categorizer tries to find locally a recipient for
  that message. The categorizer does not succeed, and then you receive the NDR.
  More details in the following KB:
  You receive an NDR with a 5.4.6 status code when you send a message to a specific domain in Exchange
  http://support.microsoft.com/kb/324732/en-us
  Hope it is the solution.
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Cross-forest migration to Exchange 2013 SP1 and Outlook 2013 SP1

  Hello! I have two forest: Exchange 2010 SP2 RU5 - resource forest and Exchange 2013 SP1 - account forest. I make cross-forest migration from resource forest (linked mailboxes with account forest) to forest with Exchange 2013 SP1.
  I have moved mailbox from resource forest exchange 2010 to exchange 2013 sp1 forest.
  Outlook 2010 connect to migrated mailbox without any problem, but outlook 2013 sp1 cannot connect to migrated mailbox.
  Error look like - cannot find exchange server.
  I created new mailbox in Exchange 2013 organization and can connect to it with outlook 2010 and outlook 2013 sp1.
  Someone have the same problem with migrated mailbox? How to solve it?
  Truly, Valery Tyurin

  You can use New-MoveRequest to perform a cross-forest move. Here is a well post and step-wise explanation you can check for cross forest migration from exchange 2010 to exchange 2013(http://msexchangeguru.com/2013/11/03/e2013crossforestmigration/).
  Moreover, you can try this utility (
  http://www.exchangemigrationtool.com/ ) to accomplish this task.

• Exchange 2010 to Exchange 2013 Migration and Architect a resilient and high availability exchange setup

  Hi,
  I currently have a single Exchange 2010 Server that has all the roles supporting about 500 users. I plan to upgrade to 2013 and move to a four server HA Exchange setup (a CAS array with 2 Server as CAS servers  and one DAG with 2 mailbox Servers). My
  goal is to plan out the transition in steps with no downtime. Email is most critical with my company.
  Exchange 2010 is running SP3 on a Windows Server 2010 and a Separate Server as archive. In the new setup, rather than having a separate server for archiving, I am just going to put that on a separate partition.
  Here is what I have planned so far.
  1. Build out four Servers. 2 CAS and 2 Mailbox Servers. Mailbox Servers have 4 partitions each. One for OS. Second for DB. Third for Logs and Fourth for Archives.
  2. Prepare AD for exchange 2013.
  3. Install Exchange roles. CAS on two servers and mailbox on 2 servers. Add a DAG. Someone had suggested to me to use an odd number so 3 or 5. Is that a requirement?
  4. I am using a third party load balancer for CAS array instead of NLB so I will be setting up that.
  5. Do post install to ready up the new CAS. While doing this, can i use the same parameters as assigned on exchange 2010 like can i use the webmail URL for outlook anywhere, OAB etc.
  6. Once this is done. I plan to move a few mailboxes as test to the new mailbox servers or DAG.
  7. Testing outlook setups on new servers. inbound and outbound email tests.
  once this is done, I can migrate over and point all my MX records to the new servers.
  Please let me know your thoughts and what am I missing. I like to solidify a flowchart of all steps that I need to do before I start the migration. 
  thank you for your help in advance

  Hi,
  okay, you can use 4 virtual servers. But there is no need to deploy dedicated server roles (CAS + MBX). It is better to deploy multi-role Exchange servers, also virtual! You could install 2 multi-role servers and if the company growths, install another multi-role,
  and so on. It's much more simpler, better and less expensive.
  CAS-Array is only an Active Directory object, nothing more. The load balancer controls the sessions on which CAS the user will terminate. You can read more at
  http://blogs.technet.com/b/exchange/archive/2014/03/05/load-balancing-in-exchange-2013.aspx Also there is no session affinity required.
  First, build the complete Exchange 2013 architecture. High availability for your data is a DAG and for your CAS you use a load balancer.
  On channel 9 there is many stuff from MEC:
  http://channel9.msdn.com/search?term=exchange+2013
  Migration:
  http://geekswithblogs.net/marcde/archive/2013/08/02/migrating-from-microsoft-exchange-2010-to-exchange-2013.aspx
  Additional informations:
  http://exchangeserverpro.com/upgrading-to-exchange-server-2013/
  Hope this helps :-)

• Exchange 2013 disconnects externally after every hour but works fine internally

  Hello All,
  I have a very strange problem in my office. At the new years eve, there was a disconnection in our Internet from our ISP and everything came back online again after 1 hour. before this happened everything was working fine such as externally all the mobile
  devices were able to connect to exchange 2013 and event owa was working fine and laptop devices as well. All was good, but once the disconnect happened, i am only able to access my emails over 3 G connection but not over the ISP connection, what i mean from
  that is that if i try to connect to owa or my outlook from home DSL connection i cannot connect but with my 3g connection on my phone i can connect and everything works fine. i have re issued the certificates and installed them again, but still the same thing,
  after every hour or sometimes less the exchange 2013 sort of disconnects and starts working when i restart the CAS server where the traffic is routed to.
  Has any one faced this issue, please help, i was thinking that something wrong with my firewall as i was not even able to connect to my ssl vpn so i thought that firewall is culprit, but i have replaced the firewall as well and still the same issue.
  Please help, i am trying to troubleshoot this problem since last 10 days but with no luck.
  Thank You. 

  Have you checked the network settings? Do you have multiple network adapters? May be DNS related also. Check, if you have configured DNS correctly.  
  Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected]

• Calendar permission for cross-forest users

  How can I grant mailbox folder like doctor's Outlook 2010 calendar to a cross-forest user like a receptionist. 
  The reception accepts and manages all booking for about 10 doctors and they used to work perfectly.  When reception complained that she started seeing Busy status for say 3 out of 10 doctors, I noticed the other 7 working calendars have DomainB\Reception
  explicitly added on the Calendar permission while the 3 faulty ones don't.
  When I tried:
  Add-mailboxfolderpermission -Id 'DomainADoctor1:\calendar' -user 'DomainB\Reception' -accessrights editor
  I simply get the error "The user "DomainB\Reception" is either not valid SMTP address, or there is no matching information."
  Obviously, the cross-forest permission still works but I cannot make the powershell command to work.  I have also tried the ExFolder utility to no avail.  The old Exch admin has left the company.  We use Exchange 2010 SP2
  Thank you for any assistance.

  Just to add more info, the reception mailbox is hosted on DomainA and it is linked to an external account DomainB\Reception. 
  Alternatively, I tried:
  Add-mailboxfolderpermission -Id 'DomainADoctor1:\calendar' -user 'Reception @ DomainA.com' -accessrights editor
  and the command works fine but when the Reception checks the calendar on both Outlook and OWA, she only sees "Busy" on each existing appointments and cannot add new. 
  For those calendars that work, the Editor permission shows "NT User: DomainB" while those that won't shows DomainB mailbox.
  Appreciate any help on this.

• Exchange 2013 setup

  Greetings
  Currently i am using Exchange 2007 setup (xyz.com) and it is not published to the internet i.e. only the Domain joined users have access to it and mx records are not hosted for xyz.com
  And have hosted solution (abc.com)
  Now, I am planning to upgrade the Exchange 2007 to Exchange 2013 infra. But here my requirement is to use abc.com as the email address domain.
  My plan is to migrate and add abc.com in accepted domain. Please suggest if this can be achieved by doing so and if yes, what other changes i need to plan as i want to have the same email address domain (abc.com) having the virtual directories by the same
  name (mail.abc.com)
  Please provide yours inputs.
  Thanks
  K2

  Hi,
  Thank you for your question.
  By my understanding, you want to use Exchange 2013 with domain abc.com to replace domain xyz, right? If I misunderstand, please be free to let me know.
  If that, we could refer to the following links to migrate Exchange 2007 to Exchange 2013 by crossing domains:
  https://social.technet.microsoft.com/Forums/exchange/en-US/35828bef-3eaa-4540-b2ef-0dc1da0d77ca/cross-forest-migration-from-exchange-2007-to-exchange-2013?forum=exchangesvrgeneral
  https://social.technet.microsoft.com/Forums/office/en-US/ccfaf77e-ae0f-47ac-94c4-c122df3efdf0/exchange-2007-to-2013-migrationcoexistance?forum=exchangesvrgeneral
  But we suggest you install Exchange 2010 in abc.com domain, then we perform cross domain migration from Exchange 2007 to Exchange 2010, then migrate to Exchange 2013.
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Jim Xu
  TechNet Community Support

• Exchange 2007 - Exchange 2013 Mailbox Migration Issues

  Exchange 2013 -  Mail Flow is working.   OWA Access is great.   We have issues connecting Outlook 2010 Clients.  If I create a new user and mailbox Outlook 2010 works fine.   However, if we migrate a user's mailbox to the new Exchange
  2013 server.  Outlook Web (OWA) works and mail flow but "OUTLOOK 2010 can not connect to the new server"  There is something different about a newly created account and a migrated account.  Any help would be great.   I did check
  inheritance in AD and it was on for these accounts.  This occurs with any account migrated to the new server.

  1. Could you double check your Exchange 2007 Internal Autodiscover URI - it should be pointing to Exchange 2013. All clients should be receiving their autodiscover config from the Exchange 2013 server. Based on the client's mailbox location, Exchange 2013
  generates and provides the correct information.
  2. If the autodiscover URI is "autodiscover.yourdomain.com" and you've configured Split-Brain DNS or Pin-Point DNS zones on the local network, make sure the name is resolved to Exchange 2013 internal IP address.
  Step by Step Screencasts and Video Tutorials

• Exchange 2013 CAS incorrectly proxying after mailbox move to Exchange 2013

  Hi,
  I am moving Exchange 2010 mailboxes to Exchange 2013 SP1 in production. When I move 2010 mailbox Outlook, OWA works fine right after the move but ActiveSync (HTTPProxy log shows
  on CAS 2013 server that it is still re-directing it to Exchange 2010 CAS servers). Exchange 2013 CAS server ActiveSync takes hours before it starts to see that mailbox is moved to Exchange 2013. I am certain it is not ActiveDirectory replication since all
  other clients are working.
  This time I move another user this time it did not work for 3.5hrs.  I had to reboot Exchange 2013 CAS server after that it worked.
  There is must be something that is not refreshing on Exchange 2013 CAS server.  
  Is there anything I can do right after the move to make it quick, I can not re-start server after every mailbox move.  Currently we are in Pilot mode and only moving few
  mailboxes at a time.
  Thanks,
  Raman

  Hi,
  I am moving Exchange 2010 mailboxes to Exchange 2013 SP1 in production. When I move 2010 mailbox Outlook, OWA works fine right after the move but ActiveSync (HTTPProxy log shows
  on CAS 2013 server that it is still re-directing it to Exchange 2010 CAS servers). Exchange 2013 CAS server ActiveSync takes hours before it starts to see that mailbox is moved to Exchange 2013. I am certain it is not ActiveDirectory replication since all
  other clients are working.
  This time I move another user this time it did not work for 3.5hrs.  I had to reboot Exchange 2013 CAS server after that it worked.
  There is must be something that is not refreshing on Exchange 2013 CAS server.  
  Is there anything I can do right after the move to make it quick, I can not re-start server after every mailbox move.  Currently we are in Pilot mode and only moving few
  mailboxes at a time.
  Thanks,
  Raman
  Does simply recycling the ActiveSync app pool speed things up?
  Also, I would recommend installing CU6 instead of SP1.
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• Error 550 5.7.1 unable to relay with SMTP PORT 25 Exchange 2013

  Hi All,
  I know this issue has been posted for a while, but still can't resolved issue. We've new Exchange 2013 SP1 (CU4) installation, everything is working properly, the OWA, Exchange Client Connection, SMTP/POP with SSL, except with SMTP Using Port 25 Non-Encrypted
  Connection.  
  If I'm using the SMTP Port 25 without TICK "My Outgoing Server (SMTP) Requires authentication", I've got the error: "550 5.7.1 Unable to relay", but if I TICK the option above, my message will be deliver without any error, how do i get
  rid this problem, I need to UN-TICK the option above for the time being, since we've hundreds email account, I want to avoid to educate and tell the user and even remote their PC, just to configure this issue, it will drive me crazy, we're going to use the
  Exchange Client Connection in the future, If everything is smooth and ok.
  I research this problem on the Internet and of course with TECHNET, but still can't, anyone can help me on this?
  fyi, I tried so many things, delete the default the Default Front End Transport for Port 25, it also not fix my issue.
  Thx
  Irwan

  Hi
  You can paste the output of below result
  Get-receiveconnector | fl name,bindings,PermissionGroups
  I think your default receive connector should be missing out some permissions.
  Also try to see if you get any message on protocol logs and paste them too
  Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you Check out my latest blog posts on http://exchangequery.com Thanks Sathish
  (MVP)

• Update from Exchange 2013 Cu2 to SP1 - Outlook 2010 with SP2 clients disconnected

  Hi,
  we recently upgraded a standalone Exchange 2013 Server to SP1. Owa works fine, but all internal Outlook 2010 Clients (with SP2) get disconnected. Creating a new Profile, and testing the internal autodiscovery leeds to an Error 12030 (Connection reset) during
  the discovery process.
  I already checked the Service Point, the discovery URLs, even recreated the autodiscover virtual Directory in iis. But nothing changed.
  The self signed certificate, that was used before the update is further used, and well known to all Clients. As I tested, OWA is working well everywhere.
  Anyone some new ideas?
  Best regards
  Bernhard

  Hi,
  How did you recreate outlook profile? Manually or Automatic?
  If automatic failed, please try to recreate manually and check the result.
  If manual failed, please refer to the following methods to troubleshoot the issue:
  1>Try to open the following link and check the result:
   https://CASName/autodiscover/autodiscover.xml
  2>Try to use RCA to test outlook autodiscover and check the result.
  https://testconnectivity.microsoft.com/
  Thansk.
  Niko Cheng
  TechNet Community Support

• Internal CA - Cross Forest Enrollment

  Hi,
  I'm trying to get cross-forest certificate enrollment working. My resource forest is built on Serer 2012 R2, and my accounts forest is built on Server 2008 R2.
  I have s simple setup with an offline Root CA, and an Enterprise subordinate CA.
  I have followed the steps in this article: https://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx
  While it seems to be mostly working, I'm getting many failed requests on the Enterprise CA. Each domain controller in the accounts forest is trying to enroll a certificate every 8 hours.
  with the error:
  The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422 CERTCRV_E_TEMPLATE_DENIED)
  If I right click the failure and try to issue it, the error changes to:
  Configuration informaiton could not be read from the domain controller, either because the machine is unavailable, or access has been denied. 0x80070547 (WIN32: 1351 ERROR_CANT_ACCESS_DOMAIN_INFO)
  The domain controller gets errors 13 and 6 in the event log.
  I have noticed that error 13 in the event log refers to the NT AUTHORITY\SYSTEM account (the SID is listed in the details tab).
  Is there special permissions I need to apply to get this working? Any ideas on what I need to do?
  Sorry, I do not have a great deal of experience in Certificate Services yet.
  Thankyou for your help

  In a cross forest enrollment issue, there are a few possibilities on what you have missed in your configuration.
  1) As Amy stated, did you configure permissions on the certificate template to include global/universal groups from the remote forest (and assign the group the minimum of Read and Enroll permissions)
  2) Did you enable LDAP referrals on the issuing CA so that Kerberos will allow authentication of a security principal from the remote forest.
  3) Did you replicate the certificate templates, OIDs, and Enrollment services containers fully (and successfully) from the CA forest to the remote forest.
  4) Did you validate that a two-way,  bi-directional, cross-forest trust exists between the two forests.
  Brian