Andy Lu's Tech Corner

Something about Microsoft and Exchange Server.

With Exchange 2007 we introduce the idea of the Autodiscover service. This service allows your Outlook 2007 clients to retrieve the URLs they need to reach the new web services offered by Exchange 2007. These web services (OAB, UM, OOF, and Availability) provide a good portion of the new functionality available to Outlook 2007. Please see this blog post for more details on the Outlook 2007 feature matrix by Exchange server version.

For domain-joined clients, Outlook is able to find the Autodiscover service using a service connection point (SCP). The SCP is an AD entry specific to each Client Access Server. When Outlook 2007 is able to securely connect to the domain and read this entry from AD, it can connect directly to this URL. Once connected to the Autodiscover endpoint, the Autodiscover service provides the client with the URLs of the other Exchange web services.

For non-domain-joined clients, or clients that are not able to reach the domain directly, Outlook is hard-coded to find the Autodiscover endpoint by looking up either https://company.com/Autodiscover/Autodiscover.xml or https://Autodiscover.company.com/Autodiscover/Autodiscover.xml (where company.com is the portion of the user's SMTP address following the @ sign). This means that to service clients in this scenario we must provide connectivity to one of these URLs. On the surface this should not be hard, but this connection is made over SSL and requires a valid certificate.

The communication to the Autodiscover endpoint and the subsequent communications to the services all occur over SSL. This requires that we have valid certificates (trusted, matching the name of the URL we are connecting to, and not expired) for the Autodiscover connection point and the service URLs. By default the service URLs are all variations of https://servername.

When you install a Client Access Server, setup provides IIS with a self-signed certificate that meets the validity tests for domain-joined clients. When a client connects to a server over SSL and the server presents a self-signed certificate, the client is prompted to verify that the certificate was issued by a trusted authority; the client must explicitly trust the issuing authority. Long-term use of this self-signed certificate is not recommended by Microsoft. Instead, it should be replaced as soon as possible with a certificate issued either by a commercial, Internet-trusted CA or by a trusted internal PKI. The problem is that we must be able to resolve Autodiscover.company.com or company.com with a trusted certificate, in addition to other externally published Exchange services like OWA.
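A check of the two URLs Outlook derives from an SMTP address and of the three certificate tests named above (trusted issuer, name match, validity period), as an added example that is not part of the original post. It assumes user@company.com as a constructed sample address; save it as a .ps1 file and run it from outside the domain, where a non-domain-joined Outlook client would connect from.

```powershell
# Added example, not from the original post. Reports what each Autodiscover URL that
# Outlook derives from an SMTP address presents over SSL. Save as a .ps1 and run from
# an external network, as a non-domain-joined Outlook client would connect.
param([string]$SmtpAddress = "user@company.com")   # constructed sample address

$domain = ($SmtpAddress -split '@')[-1]
# The two locations Outlook 2007 is hard-coded to try.
$candidates = @($domain, "autodiscover.$domain")

foreach ($hostName in $candidates) {
    $result = @{ Url = "https://$hostName/Autodiscover/Autodiscover.xml" }
    # Accept the handshake regardless, but remember the policy errors so that all
    # three tests can be reported instead of just the first failure.
    $script:policyErr = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErr = $sslPolicyErrors
        return $true
    }
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The target host passed here is what the name check compares the certificate against.
        $ssl.AuthenticateAsClient($hostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $errs = [int]$script:policyErr
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter
        # Test 1: issued by an authority this machine trusts (a self-signed certificate fails here).
        $result.ChainTrusted = ($errs -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -eq 0
        # Test 2: subject or subject alternative name matches the host we connected to.
        $result.NameMatch = ($errs -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -eq 0
        # Test 3: inside its validity period right now.
        $now = Get-Date
        $result.Valid = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        $ssl.Close(); $tcp.Close()
    } catch {
        $result.Error = $_.Exception.Message   # e.g. name does not resolve or port 443 is closed
    }
    New-Object PSObject -Property $result
}
```

A deployment is only complete when at least one of the two URLs comes back with ChainTrusted, NameMatch and Valid all true; a Unified Communications Certificate will show NameMatch true for both mail.company.com and Autodiscover.company.com.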

Most of our smaller customers currently only have an Exchange-related certificate for use with OWA. This certificate is usually something like mail.contoso.com. This continues to work for OWA in 2007, but now we also have to handle an SSL connection to Autodiscover.contoso.com. (Microsoft recommends using Autodiscover.company.com for the Autodiscover service.) This requires us either to resolve mail.contoso.com and Autodiscover.contoso.com to separate IP addresses, or to provide both names in the same certificate.

Multiple names in one certificate

Microsoft recommends that you provide both names in the same certificate. This is done through something called a Unified Communications Certificate, also known as a Subject Alternative Name certificate. There are a number of vendors that can provide you with this type of certificate (we covered experience with one of them here). The advantage of a Unified Communications Certificate is that it makes configuration of Autodiscover much easier; the downside for our customers is that, currently, this type of certificate can cost up to 10 times more than any existing single-name certificate they may already own.

Configuration with this type of certificate is very easy. Here is a general outline of the process:

  1. Get a Unified Communications Certificate for your environment with Autodiscover.company.com and any other names you need (e.g. mail.company.com, www.company.com, etc.).
  2. Apply the certificate to the CAS server.
  3. Configure your internal SCP to point to Autodiscover.company.com.
  4. Configure your internal and external service URLs to point to mail.company.com.
  5. Make sure that your configured URLs resolve via DNS to the expected IP address of the CAS server.
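Steps 2 to 5 above, and the identical SCP and service-URL steps in Method 1 below, as Exchange Management Shell commands; this is an added example, not code from the original post. CAS01, company.com and <THUMBPRINT> are placeholders for your own CAS name, SMTP domain and the thumbprint of the imported Unified Communications Certificate.

```powershell
# Added example, not from the original post. Run in the Exchange 2007 Management Shell
# on the Client Access Server. Placeholders: CAS01, company.com, <THUMBPRINT>.
$cas      = "CAS01"
$autodisc = "https://autodiscover.company.com/Autodiscover/Autodiscover.xml"
$base     = "https://mail.company.com"   # same name internally and externally here

# Step 2: bind the Unified Communications Certificate to IIS (it must already be imported).
Enable-ExchangeCertificate -Thumbprint "<THUMBPRINT>" -Services IIS

# Step 3: the SCP in Active Directory that domain-joined Outlook clients read.
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri $autodisc

# Step 4: the URLs Autodiscover hands back for the Availability/OOF (EWS), OAB and UM services.
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-UMVirtualDirectory -Identity "$cas\UnifiedMessaging (Default Web Site)" `
    -InternalUrl "$base/UnifiedMessaging/Service.asmx" -ExternalUrl "$base/UnifiedMessaging/Service.asmx"

# Step 5: read back what was stored, then confirm each name resolves to the CAS address.
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $cas | Format-List Identity, InternalUrl, ExternalUrl
foreach ($name in "autodiscover.company.com", "mail.company.com") {
    [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { "$name -> $($_.IPAddressToString)" }
}
```

Run the DNS loop once from the internal network and once from outside, since the article requires the names to resolve correctly in both places.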

Alternative methods

If you are not able to get a Unified Communications Certificate, there are two other methods you can use to get the same level of functionality. Both of these methods are supported by Microsoft but are harder to implement and manage over the longer term, and thus could have a higher total cost of ownership depending on your environment. Both also require that you have two external IP addresses available.

Method 1: Multiple Certificates

To work around the need for a Unified Communications Certificate you can get two certificates for your environment: your existing mail.company.com certificate and a new Autodiscover.company.com certificate. As long as we can serve up the correct certificate at the correct time, clients are able to connect with no issues.

Doing this simply requires that we set up two virtual servers on the CAS server. One serves Autodiscover.company.com on one IP address and the other serves the remaining web services on mail.company.com using a different IP address.

Here is an outline of this setup process:

  1. Get separate certificates for mail.company.com and Autodiscover.company.com.
  2. Create a new virtual server in IIS on the CAS.
  3. Create a new Autodiscover virtual directory in the new virtual server and remove the old one.
  4. Assign a separate IP address and certificate to each virtual server.
  5. Configure your internal SCP to point to Autodiscover.company.com.
  6. Configure your internal and external service URLs to point to mail.company.com.
  7. Make sure that your configured URLs resolve internally and externally via DNS to the expected IP address for each of the services.

In this configuration, internal domain member clients find the SCP to make the connection to Autodiscover. External clients find Autodiscover.company.com using DNS to make the connection to Autodiscover. In both cases the clients are referred to mail.company.com for the actual Exchange Services.

Method 2: HTTP Referral

This option allows us to redirect the client to another URL for Autodiscover. The major downside of this configuration is that users are prompted in Outlook to confirm this redirection. There is a check box on the prompt to not get prompted again for this URL to limit the impact for users.

To implement this configuration we still have to use two IP addresses and two virtual servers, but we only need one certificate.

Here is an outline of this setup process:

  1. Create a new virtual server on the CAS server with a new IP address.
  2. Create a stub Autodiscover virtual directory and Autodiscover.xml file through IIS.
  3. Redirect the Autodiscover.xml file to mail.company.com.
  4. Configure your internal SCP to point to mail.company.com.
  5. Configure your internal and external service URLs to point to mail.company.com.
  6. Make sure that your configured URLs resolve via DNS to the expected IP address of the CAS server.

In this configuration, domain member clients get the SCP and connect to the Autodiscover service using that URL. External clients connect to Autodiscover.company.com over HTTP and get a referral to mail.company.com. The external Outlook clients are prompted the first time they make this connection to verify that they are being redirected to a trusted URL; once that is accepted, Outlook connects to mail.company.com for Autodiscover.

Conclusion

There are multiple ways to set up Exchange 2007 to support Outlook 2007 clients and the new service URLs. You have to decide which method is best for your environment, technical skill level, and cost.

Implementation, pros and cons:

Unified Communications Certificate
  Pros:
  • Easy to implement
  • Supports all client connections
  • Future proof
  • Microsoft recommended best practice
  Cons:
  • Higher cost of the Unified Communications Certificate

Multiple Certificates and Websites
  Pros:
  • Lower cost
  • Both sites are secured with SSL
  Cons:
  • Requires an additional public IP address
  • Somewhat complex to set up and maintain

Single certificate with Redirect
  Pros:
  • Can be done with only your existing certificate
  • No additional cost
  Cons:
  • Requires an additional public IP address
  • Non-domain-joined users receive a prompt when they first connect
  • Somewhat complex to set up

Additional resources / related reading:

White Paper: Exchange 2007 Autodiscover Service
http://technet.microsoft.com/en-us/library/bb332063.aspx

Description of the Exchange-specific Web sites that are provided by X.509 certification authorities
http://support.microsoft.com/kb/929395/en-us

Set-ClientAccessServer
http://technet.microsoft.com/en-us/library/bb125157.aspx

How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
http://technet.microsoft.com/en-us/library/aa995942.aspx

Deployment Considerations for the Autodiscover Service: Using Multiple Sites for Internet Access to the Autodiscover Service
http://technet.microsoft.com/en-us/library/aa997633.aspx

Deployment Considerations for the Autodiscover Service: Hosted Environments and the Autodiscover Service
http://technet.microsoft.com/en-us/library/aa997633.aspx

How to Configure Exchange Services for the Autodiscover Service
http://technet.microsoft.com/en-us/library/6ced71d4-ae0a-4b75-a5c5-30633c676b88.aspx

There is an excellent script at http://www.exchangeninjas.com/set-allvdirs that can assist you in setting up all of the URLs and the SCP without having to type out all of the commands. This script is provided as is and use of the script is solely at your own risk.

Hi Jason,

Thank you for your replies. To solve the problem of your ExBPA report, you can open another case, because each case here solves just one problem in Microsoft Online Email Support Service.

If the XML report files of the ExTRA analysis have been collected, please pack them and send them to me for further processing.

Thanks for choosing Microsoft products and services. Have a nice day!

Best Regards,

Andy Lu

From: Jason Li
Sent: July 29, 2010 10:20
To: Andy Lu
Cc: Philipe Cong (GTSC)
Subject: RE: [REG:********] XCON | PRO |Email Support | E14 |Exchange 2003 to 2007 mail is delivered only every 30 minutes.

More information. I can telnet from my exchange 2003 server to exchange 2007 server successfully.

From: Jason Li
Sent: Thursday, July 29, 2010 10:17
To: ‘Andy Lu’
Cc: Philipe Cong
Subject: RE: [REG:********] XCON | PRO |Email Support | E14 |Exchange 2003 to 2007 mail is delivered only every 30 minutes.

Okay, I will follow your steps to run the ExTRA and send the XML file to you. By the way, I also ran ExBPA (attached). It reports some errors. Please let me know what you could find for this matter.

From: Andy Lu
Sent: Thursday, July 29, 2010 10:11
To: Jason Li
Cc: Philipe Cong
Subject: RE: [REG:********] XCON | PRO |Email Support | E14 |Exchange 2003 to 2007 mail is delivered only every 30 minutes.

Dear Jason,

Thanks for your reply and your problem information update. According to your reply, the Exchange 2k3 and 2k7 servers are in the same domain, so the steps using nslookup can be omitted.

The steps for using the ExTRA are as follows:

  1. Open the ExTRA and click ‘select a task’ on the left panel.
  2. For your problem, choose the ‘mail flow troubleshooter’.
  3. Enter the label of this analysis and choose the symptom ‘Messages destined to recipients are delayed or are not received by some recipients’.
  4. Then press the ‘next’ button and fill in the boxes on the next page.
  5. Press the ‘next’ button to start the analysis, export the report to an XML file and then send it to me.


Looking forward to your next reply, and thanks for your time.

Best Regards,

Andy Lu

From: Jason Li
Sent: July 28, 2010 17:57
To: Andy Lu
Cc: Philipe Cong (GTSC)
Subject: RE: [REG:********] XCON | PRO |Email Support | E14 |Exchange 2003 to 2007 mail is delivered only every 30 minutes.

Hey Andy,

This is internal mail flow from my Exchange 2003 server to my Exchange 2007 server. Do I still need to look up the MX record?

I will telnet from the server to the Hub Transport server and update you with the result tomorrow.

How do I use the ExTRA? Could you please make your steps more specific? Thanks. I see there are lots of tasks in the ExTRA; which one do I need to select?

Regards,

Jason

From: Andy Lu
Sent: Wednesday, July 28, 2010 17:25
To: Jason Li
Subject: RE: [REG:********] XCON | PRO |Email Support | E14 |Exchange 2003 to 2007 mail is delivered only every 30 minutes.

Hello Jason,

Thank you for contacting Microsoft Technical Professional Support. My name is Andy and I will be assisting you with this service request. For your information, the Case ID is ********.

——————

Before we go any further, I’d like to explain some more about web response support service. We will support you via mails and each response is usually within approximately 24 hours (excluding weekends). I will make every effort to closely investigate it with you as quickly as possible. If the technical issue is very urgent and you prefer real-time communication via phone, you can contact our phone service by calling 1-800-936-4900.

——————

Problem:

=======

Messages targeted at the Exchange 2007 server mailboxes cannot be relayed immediately and are queued by the Exchange 2003 server, being delivered only every 30 minutes.

Exchange server running on Windows Server 2003 OS.

Case Closure:

Once we get the above issue resolved we will consider this incident as resolved and closed.  

To troubleshoot this issue, we need to collect the required information below first.

  1. Use the nslookup command on your Exchange 2003 server to resolve the domain name of the Exchange 2007 server, and let me know the result by replying to this mail.
  2. If there is any problem using the nslookup command, please do as follows:

     a) Open the command prompt, type the command ‘nslookup’ and press the Enter key.
     b) Input server <IP address>, where the ‘IP address’ part is the external DNS’s IP address.
     c) Input set q=MX, then press the Enter key.
     d) Input the <domain name>, which is the name of the Exchange 2007 server, then press the Enter key.
     e) Record the result it will present.

  3. If the resolution got a result, use telnet to send messages to the Exchange 2007 server and record the result it will present. If anything is unclear about this test, please refer to XFOR: Telnet to Port 25 to Test SMTP Communication: http://support.microsoft.com/default.aspx?scid=kb;EN-US;153119
  4. Use the Exchange Troubleshooting Analyzer (ExTRA)’s mail flow troubleshooter to diagnose the problem, export the result into an XML file and send it by replying to this mail. To download the ExTRA: http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en


Thank you for your time. Have a nice day!

Best Regards,

Andy Lu

Exchange Server Support Engineer

Microsoft Online Email Support Service

Exchange Server 2007 Editions

Exchange Server 2007 is offered in two server editions: Standard Edition and Enterprise Edition.
Exchange Server 2007 Standard Edition is designed to meet the messaging and collaboration needs of small and medium corporations; it may also be appropriate for specific server roles or branch offices.
Exchange Server 2007 Enterprise Edition, designed for large enterprise corporations, enables creation of multiple storage groups and databases.
Exchange Server 2007 Edition Offerings

Feature                             Standard Edition     Enterprise Edition
Storage Group Support               5 storage groups     50 storage groups
Database Support                    5 databases          50 databases
Database Storage Limit              16 TB per database   16 TB per database
Single Copy Clusters                Not supported        Supported
Local Continuous Replication        Supported            Supported
Cluster Continuous Replication      Not supported        Supported
Standby Continuous Replication ***  Supported            Supported

The numbers of storage groups and databases in the above table are the maximum number of each object that can be created in each edition of Exchange Server 2007. In both editions of Exchange Server 2007, each storage group is limited to a maximum of five databases. Therefore, in the Standard Edition of Exchange Server 2007 the maximum number of databases per server is five, and in the Enterprise Edition of Exchange Server 2007 the maximum number of databases per server is fifty. For more information, see Managing Storage Groups and Databases at http://technet.microsoft.com/en-us/library/aa998926.aspx.

The routing group (RG) is used for controlling mail flow and public folder referrals; it is a logical collection that is mostly based on the physical network topology.

The administrative group (AG), on the other hand, is used for administration purposes and can contain objects such as routing groups, servers, policies and public folder hierarchies; it is a logical group that need not be based on the physical network. This is why we cannot delegate administrative permissions on the RG.
