Difference between revisions of "Troubleshooting Exchange"
Revision as of 18:25, 4 November 2014
We do Exchange discovery look-ups in four ways:
- LDAP
- SCP
- EWS
- autodiscover
Troubleshooting all that can be challenging.
LDAP Browser
http://www.ldapbrowser.com/download.htm
This is just a browser and allows you to read and traverse your Active Directory forest.
The key is to log in using the credentials you gave Retain: if you can do that, an archive job will work too. In real life it will be more involved than that.
- Log in as the Administrator user to find the actual credentials and path of the ApplicationImpersonation account.
- Then go back and figure out how to log in to AD with them and see all of the tree.
- Then make sure Retain is set with those properties and use the EWSEditor Log Viewer Tool to find how it works or fails.
Impersonation Account troubleshooting
If a customer is having issues with the Impersonation Account User this is a useful tool to troubleshoot the problem.
- Log into the Active Directory forest as an administrator so you have full rights.
- Drill down to the user Retain uses for the ImpersonationAccount. The things you are looking for are:
- userPrincipalName: that is the name you should be using to log into Exchange
- memberOf: the user must be a member of CN=Application Impersonation
- userAccountControl: should be NormalAccount (it cannot be an admin account or it will not work due to Microsoft security features) and NoPasswordExpiration (so you never have to worry about jobs failing because the worker can't log in anymore)
- homeMDB: this shows that the retain user has a mailbox account on the server which is required.
- In the Exchange Module/Impersonation tab, the Global Catalog User needs to be the userPrincipalName of the ImpersonationAccount user and the Global Catalog Password is the matching password.
- Now to test the Impersonation account user, create a new session in LDAPBrowser. File/New/New Profile and login using the Impersonation User credentials (but in this case it will be the distinguishedName). The user should be able to navigate to the Users container and any OU containers users reside in. If the Impersonation User can access all these containers then Retain will be able to archive all of them as well.
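The checklist above (userPrincipalName, memberOf, userAccountControl, homeMDB) can be applied mechanically to an LDAP entry once you have it in front of you, for example from an LDAPBrowser export. The following is an added example, not Retain's or GWAVA's code: it decodes the documented userAccountControl bits and checks the group membership and mailbox attributes. The two sample entries, the group DNs and the treatment of "admin account" as membership in the built-in administrative groups are constructed assumptions for illustration; the UPN and mailbox database name follow the examples used on this page.

```python
"""Check the Active Directory attributes of a Retain impersonation account.

Added example, not Retain's or GWAVA's own code. It applies the checklist
from the page (userPrincipalName, memberOf, userAccountControl, homeMDB) to
an LDAP entry represented as a plain dict. Sample entries are constructed.
"""

# Documented userAccountControl bit flags.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Assumption: "admin account" on the page means membership in one of the
# built-in administrative groups (well-known AD group names).
ADMIN_GROUP_CNS = {"domain admins", "enterprise admins", "administrators"}


def first_rdn_value(dn):
    """'CN=Foo,OU=Bar,DC=x' -> 'foo' (lower-cased value of the leading RDN)."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1].strip().lower() if "=" in rdn else rdn.strip().lower()


def check_impersonation_account(entry, impersonation_group_cn="Application Impersonation"):
    """Return a list of problems; an empty list means the account matches the checklist."""
    problems = []

    if not entry.get("userPrincipalName"):
        problems.append("userPrincipalName missing: this is the name used to log into Exchange")

    groups = {first_rdn_value(dn) for dn in entry.get("memberOf", [])}
    if impersonation_group_cn.lower() not in groups:
        problems.append(f"not a member of CN={impersonation_group_cn}")
    for admin in sorted(groups & ADMIN_GROUP_CNS):
        problems.append(f"member of admin group {admin}: admin accounts do not work for impersonation")

    uac = int(entry.get("userAccountControl", 0))
    if not (uac & NORMAL_ACCOUNT):
        problems.append("userAccountControl is not NormalAccount (0x200)")
    if uac & ACCOUNTDISABLE:
        problems.append("account is disabled (0x2)")
    if not (uac & DONT_EXPIRE_PASSWORD):
        problems.append("password expires (0x10000 not set): jobs will fail once it does")

    if not entry.get("homeMDB"):
        problems.append("homeMDB empty: the account needs a mailbox on the Exchange server")

    return problems


# Constructed sample entries (UPN and database name follow the page's examples).
GOOD_ENTRY = {
    "userPrincipalName": "Retain@ad.sol.net",
    "memberOf": ["CN=Application Impersonation,OU=Groups,DC=ad,DC=sol,DC=net"],
    "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,  # shown as 66048 in LDAPBrowser
    "homeMDB": "CN=Mailbox Database 0766879867,CN=Databases,"
               "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,"
               "CN=sol,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=sol,DC=net",
}

BAD_ENTRY = {
    "userPrincipalName": "svc-archive@ad.sol.net",
    "memberOf": ["CN=Domain Admins,CN=Users,DC=ad,DC=sol,DC=net"],
    "userAccountControl": NORMAL_ACCOUNT,  # 512: normal account whose password will expire
}

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, check_impersonation_account(entry) or "OK")
```

Run against a real export, the function points at exactly the attribute the LDAPBrowser procedure above tells you to inspect, so a failing archive job can be traced to one line of the checklist.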
User AD Data export
If there is a particular user that has issues you can log into LDAPBrowser and export their data.
- Go to that user and File/Export Data.
- A wizard will appear and you will want to export as a .csv file.
- Save to a place you can find it again later.
homeMDBBL export
To find out what users are part of a mail box database go to a user that is known to be part of that database, and double-click on the homeMDB property. That will jump you to a different place in the directory tree which is normally hidden. Something along the lines of:
CN=Mailbox Database 0766879867, CN=Databases, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups, CN=sol, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=ad, DC=sol, DC=net
There will be a list of homeMDBBL showing the users in that database. From here you can do a data export that will provide a list of all users in that database.
EWSEditor
http://ewseditor.codeplex.com/ A more dangerous tool since it can change entries.
- Log in as the Impersonation user to the Impersonation Mailbox. This is a very picky tool so you will have to do it right.
- Use the Autodiscover Viewer Tool to attempt to access other mailboxes on the system and look in the EWSEditor Log tool to see what steps it is going through to reach the user.
Login into EWSEditor with Impersonation Rights
To test the Impersonation User you want to log into EWSEditor with the impersonation user mailbox with the impersonation user credentials.
- Specify the Service URL: to be something along the lines of https://10.1.4.200/EWS/Exchange.asmx and set the Exchange version to your own.
- Check Use the following credentials instead of the default Windows credentials
- User Name is the mailNickName or sAMAccountName and fill in the password and domain.
- Check Use impersonation to log on to another mailbox using the credentials specified on the credentials tab by identifying the mailbox Id below.
- Id Type: set to PrincipalName
- Id: set to the impersonation user's UPN e.g., Retain@ad.sol.net
Autodiscover Tool
EWSEditor has an autodiscover tool under Tools/Autodiscover Viewer.
- Uncheck Default Windows Credentials and enter the Impersonation User Credentials
- Enter the SMTP address of the mailbox you are attempting to access and the Exchange version you are running and press run.
- If you are successful you will see data returned.
- Otherwise an error will be returned. For more detail you can go back to the EWSEditor and select Tools/EWSEditor Log Viewer and see the steps it attempted in detail.
MS Remote Connectivity Tester
https://testconnectivity.microsoft.com/ An online tool that can be helpful to narrow down issues.
Exchange Management Shell
In the Exchange Management Shell (not the regular PowerShell) on the Exchange server, run the following command:
Get-WebServicesVirtualDirectory | fl >C:\ews.txt
The results should look something like this:
RunspaceId : 33ac48e8-9ff0-461f-b604-6ea6ef8a3bf4
CertificateAuthentication :
InternalNLBBypassUrl :
GzipLevel : Low
MRSProxyEnabled : False
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
MetabasePath : IIS://EXMS.support.LOCAL/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 775.38)
Server : EXMS
InternalUrl : https://mail.support.com/EWS/Exchange.asmx
ExternalUrl : https://mail.support.com/ews/exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EXMS,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=support,DC=LOCAL
Identity : EXMS\EWS (Default Web Site)
Guid : 62be879a-5a5c-495a-8cca-481bfd1c40c2
ObjectCategory : support.LOCAL/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 3/20/2014 1:49:19 PM
WhenCreated : 2/21/2014 11:22:32 AM
WhenChangedUTC : 3/20/2014 8:49:19 PM
WhenCreatedUTC : 2/21/2014 7:22:32 PM
OrganizationId :
OriginatingServer : LA-DC1.support.LOCAL
IsValid : True
ObjectState : Changed

RunspaceId : 33ac48e8-9ff0-461f-b604-6ea6ef8a3bf4
CertificateAuthentication :
InternalNLBBypassUrl :
GzipLevel : Low
MRSProxyEnabled : False
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
MetabasePath : IIS://EXMS2.support.LOCAL/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 775.38)
Server : EXMS2
InternalUrl : https://mail.support.com/EWS/Exchange.asmx
ExternalUrl : https://mail.support.com/EWS/Exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EXMS2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=support,DC=LOCAL
Identity : EXMS2\EWS (Default Web Site)
Guid : 35cf96b1-29b4-442e-81c2-93298a8526af
ObjectCategory : support.LOCAL/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 3/20/2014 1:49:37 PM
WhenCreated : 3/13/2014 10:30:45 AM
WhenChangedUTC : 3/20/2014 8:49:37 PM
WhenCreatedUTC : 3/13/2014 5:30:45 PM
OrganizationId :
OriginatingServer : LA-DC1.support.LOCAL
IsValid : True
ObjectState : Changed
This is a quick report of the system's settings, one record per EWS virtual directory. The important thing to check is that BasicAuthentication is set to True on every server (in the sample above it is True on EXMS but False on EXMS2, whose authentication method lists also lack Basic).
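Reading BasicAuthentication out of a long Format-List dump by eye is error-prone when there are several servers, so here is an added example (not Retain's or Microsoft's code) that parses the "Name : Value" layout into one record per server and reports which EWS directories accept Basic authentication. The sample text is a constructed excerpt of the two records above, trimmed to the attributes the check needs; the values are the ones shown on the page.

```python
"""Parse `Get-WebServicesVirtualDirectory | fl` output and report Basic
authentication per EWS virtual directory.

Added example, not Retain's or Microsoft's code. SAMPLE_FL_OUTPUT is a
constructed excerpt of the two records shown on the page.
"""
import re

SAMPLE_FL_OUTPUT = """\
Name                          : EWS (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
BasicAuthentication           : True
WindowsAuthentication         : True
Server                        : EXMS
InternalUrl                   : https://mail.support.com/EWS/Exchange.asmx
ExternalUrl                   : https://mail.support.com/ews/exchange.asmx

Name                          : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
BasicAuthentication           : False
WindowsAuthentication         : True
Server                        : EXMS2
InternalUrl                   : https://mail.support.com/EWS/Exchange.asmx
ExternalUrl                   : https://mail.support.com/EWS/Exchange.asmx
"""

# "PropertyName   : value" as Format-List prints it.
LINE_RE = re.compile(r"^(\S+)\s*:\s?(.*)$")


def parse_format_list(text):
    """Split Format-List output into dicts, one per blank-line-separated record.
    Lines starting with whitespace are continuations of the previous value
    (Format-List wraps long values that way)."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw[0].isspace() and last_key is not None:
            current[last_key] += " " + raw.strip()
            continue
        m = LINE_RE.match(raw)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def parse_method_set(value):
    """'{Basic, Ntlm}' -> {'basic', 'ntlm'}; '{}' -> empty set."""
    inner = value.strip().strip("{}")
    return {part.strip().lower() for part in inner.split(",") if part.strip()}


def ews_basic_auth_report(text):
    """Map each Server to True when BasicAuthentication is True and Basic
    appears in both the internal and external method lists."""
    report = {}
    for rec in parse_format_list(text):
        basic_flag = rec.get("BasicAuthentication", "").lower() == "true"
        internal = parse_method_set(rec.get("InternalAuthenticationMethods", "{}"))
        external = parse_method_set(rec.get("ExternalAuthenticationMethods", "{}"))
        report[rec.get("Server", "?")] = basic_flag and "basic" in internal and "basic" in external
    return report


if __name__ == "__main__":
    for server, ok in ews_basic_auth_report(SAMPLE_FL_OUTPUT).items():
        print(f"{server}: {'Basic auth enabled' if ok else 'Basic auth disabled'}")
```

Feed it the C:\ews.txt produced by the command above and every server with Basic authentication turned off is listed at once, which matters because a load balancer may send the Retain worker to whichever server it likes.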
IIS
To restart IIS immediately, run PowerShell as Administrator and run the command "IISRESET".
Autodiscover
Ports
Autodiscover ports in Firewall https://social.technet.microsoft.com/Forums/exchange/en-US/7a6eceb0-3705-4147-be69-e8b0881d651f/autodiscover-ports-in-firewall?forum=exchangesvrdeploylegacy
- External interface: protocol HTTPS, TCP, port 443
- Internal interface: protocol HTTPS, TCP, port 4443
Exchange Autodiscover
http://technet.microsoft.com/en-us/library/bb332063%28EXCHG.80%29.aspx
We expect an address like https://autodiscover.mail.gwava.net/EWS/exchange.asmx or https://autodiscover.mail.gwava.net/autodiscover/autodiscover.xml
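The Autodiscover Viewer in EWSEditor and the "expected address" above are two views of the same exchange: the client derives candidate Autodiscover URLs from the SMTP address, posts a small XML request, and reads the EWS URL out of the response. The following added example (not Retain's, GWAVA's or Microsoft's code) builds the candidate URLs in the standard client order, builds the request body, extracts the EWS URL from a response and checks it has the https://.../EWS/exchange.asmx shape this page says to expect. The response document and the user address are constructed; the URLs in it are the ones given above. No network call is made.

```python
"""Autodiscover helpers: candidate URLs for an SMTP address, the request body,
and extraction of the EWS URL from a response.

Added example, not Retain's, GWAVA's or Microsoft's code. SAMPLE_RESPONSE is a
constructed response for a mailbox in mail.gwava.net.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUEST_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"


def autodiscover_candidates(smtp_address):
    """HTTPS endpoints a client tries after the SCP lookup: the mail domain
    itself, then the autodiscover. host. The SRV name is what it would query
    in DNS after that; no lookup is performed here."""
    domain = smtp_address.rsplit("@", 1)[1].lower()
    return {
        "urls": [
            f"https://{domain}/autodiscover/autodiscover.xml",
            f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
        ],
        "srv_record": f"_autodiscover._tcp.{domain}",
    }


def build_request(smtp_address):
    """POX Autodiscover request body (what the Autodiscover Viewer posts)."""
    root = ET.Element("Autodiscover", xmlns=REQUEST_NS)
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = smtp_address
    ET.SubElement(req, "AcceptableResponseSchema").text = RESPONSE_NS
    return ET.tostring(root, encoding="unicode")


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def extract_ews_url(response_xml):
    """EwsUrl from the EXCH protocol block, falling back to EXPR, else None."""
    root = ET.fromstring(response_xml)
    found = {}
    for proto in root.iter():
        if _local(proto.tag) != "Protocol":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in proto}
        if fields.get("Type") in ("EXCH", "EXPR") and fields.get("EwsUrl"):
            found[fields["Type"]] = fields["EwsUrl"]
    return found.get("EXCH") or found.get("EXPR")


def ews_url_looks_right(url):
    """HTTPS with the /EWS/exchange.asmx path the page says to expect."""
    p = urlparse(url or "")
    return p.scheme == "https" and bool(p.netloc) and p.path.lower() == "/ews/exchange.asmx"


# Constructed response, trimmed to the elements this example reads.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="{RESPONSE_NS}">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>mailbox-guid@mail.gwava.net</Server>
        <EwsUrl>https://autodiscover.mail.gwava.net/EWS/exchange.asmx</EwsUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal><OWAUrl>https://autodiscover.mail.gwava.net/owa/</OWAUrl></Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""

if __name__ == "__main__":
    user = "someone@mail.gwava.net"  # constructed address
    print(autodiscover_candidates(user))
    print(build_request(user))
    url = extract_ews_url(SAMPLE_RESPONSE)
    print(url, "OK" if ews_url_looks_right(url) else "unexpected EWS URL")
```

When the Autodiscover Viewer returns an error, comparing the URLs it tried (visible in the EWSEditor Log Viewer) with the candidates this function produces for the same SMTP address shows quickly whether DNS, the firewall ports listed above, or the response content is the part that is failing.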