Troubleshooting Exchange
We do Exchange discovery look-ups in four ways:
Troubleshooting all that can be challenging.
Contents |
Built-in Retain Tools
Retain does have some built-in tools for helping diagnose issues connecting to Exchange.
Exchange Test
The Exchange Test can be found under the Bug icon. It is also the same test found under Module Configuration/Exchange/Exchange Forest Test Connection button.
NOTE: This only tests basic LDAP authentication. If you want a more stringent test, including autodiscover, impersonation, login, etc, try this link AFTER SAVING Exchange configuration:testExchange.jsp in the Util directory of RetainServer
If this test is successful you will be logged into the target user's mailbox. If not, then you have to check the error messages for clues.
RetainWorker/diag/ex
If you log into the Retain Worker there is another tool. It looks much the same as the Exchange Test but also requires the Retain server IP address or name.
This too will log you into a primitive version of the target user's mailbox.
Active Directory Tools
There are three major tools for accessing Active Directory(AD) on the server. These can be accessed from the Tools menu of Server Manager or from the Start Menu.
- Active Directory Users and Computers
- Active Directory Domains and Trusts
- Active Directory Sites and Services
Active Directory Users and Computers
This is where users are organized and managed even if they are created in the Exchange Admin Center. Here is where organizational units are created and users placed in them.
Active Directory Domains and Trusts
If an organization has multiple domains this is where those are managed. [1]
Active Directory Sites and Services
When Retain is searching for the user list for a job, as shown in the worker log, it will look in the Services container, which can be accessed in this tool.
One thing to note the Services node is not visible by default:
- To make the services node visible,
- Select the domain (which should be the top container in the left side bar)
- Go to the View menu
- Click "Show Services Node"
Now you will be able to follow the trail that Retain took looking for the user list when the job started. This is described under Worker Log below.
MS Remote Connectivity Tester
Microsoft has a useful tool called the Remote Connectivity Tester [2] This online tool that can be helpful to narrow down issues. It is something the customer can use to narrow down the troubleshooting search. It will test the ways it expects to be able to access a system. It will give a very complete report and you will have to go digging to find the particular error. Many of which will be the tool trying to access the system using standard but unavailable entrances.
LDAP
LDAP (Lightweight Directory Access Protocol) is a platform independent way to access directory services. [3]
LDAP Basics
WorkerLog
You will find a starting point for troubleshooting LDAP issues in the worker log.
The log will return an error something like this (only horizontally formatted):
10:07:52,746 LiveEWSUserSelection - javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=InformationStore, CN=EXCH01, CN=Servers, CN=Exchange Administrative Group (EYDIBOHF23SBDLT), CN=Administrative Groups, CN=Gwava Organization, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=gwava, DC=local' ]; remaining name 'CN=Mailbox Database, CN=First Storage Group, CN=InformationStore, CN=EXCH01, CN=Servers, CN=Exchange Administrative Group (EYDIBOHF23SBDLT), CN=Administrative Groups, CN=Gwava Organization, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=gwava, DC=local'
What you will want to do is see if you can use LDAP Browser or one of the other tools to reach those containers in Active Directory, it is important to do that with the ImpersonationApplication user because that is what Retain uses to traverse the tree. If logged in as an administrative user you will not be able to tell if the ImpersonationApplication user can traverse the tree to those containers. The location data is read from right to left, eg from most specific to least specific: CN=Mailbox Database is more specific then DC=gwava, DC=local.
LDAP Browser
This is just a browser and allows you to read and traverse your Active Directory forest.
The thing is to log in using the credentials you gave Retain, if you can do that it will work for an archive job. But in real life it will be more difficult than that.
- Log in as the Administrator user to find the actual credentials and path of the ApplicationImpersonation account.
- Then go back and figure out how to log in to AD with them and see all of the tree.
- Then make sure Retain is set with those properties and use the EWSEditor Log Viewer Tool to find how it works or fails.
Impersonation Account troubleshooting
If a customer is having issues with the Impersonation Account User this is a useful tool to troubleshoot the problem.
- Log into the Active Directory forest as an administrator so you have full rights.
- Drill down to the user retain uses for the ImpersonationAccount. The things you are looking for are:
- userPrincipalName: that is the name you should be using to log into Exchange. It should look like their email address.
- memberOf: the user must be a member of CN=Application Impersonation
- userAccountControl: should be NormalAccount (it cannot be an admin account or it will not work due to Microsoft security features) and NoPasswordExpiration (so you never have to worry about jobs failing because the worker can't log in anymore)
- homeMDB: this shows that the retain user has a mailbox account on the server which is required.
- In the Exchange Module/Impersonation tab. The Global Catalog User needs to be the userPrincipalName of the ImpersonationAccount user and the Global Catalog Password is the matching password.
- Now to test the Impersonation account user, create a new session in LDAPBrowser. File/New/New Profile and login using the Impersonation User credentials (but in this case it will be the distinguishedName). The user should be able to navigate to the Users container and any OU containers users reside in. If the Impersonation User can access all these containers then Retain will be able to archive all of them as well.
User AD Data export
If there is a particular user that has issues you can log into LDAPBrowser and export their data.
- Go to that user and File/Export Data.
- A wizard will appear and you will want to export as a .csv file.
- Save to a place you can find it again later.
homeMDBBL export
To find out what users are part of a mail box database go to a user that is known to be part of that database, and double-click on the homeMDB property. That will jump you to a different place in the directory tree which is normally hidden. Something along the lines of:
CN=Mailbox Database 0766879867, CN=Databases, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups, CN=sol, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=ad, DC=sol, DC=net
There will be a list of homeMDBBL showing the users in that database. From here you can do a data export that will provide a list of all users in that database.
SCP
Service Connection Point
EWS
Exchange Web Services is how clients systems can connect to an Exchange server. [6]
Exchange Management Shell
You can get a quick overview of the customers Exchange system by asking it. In the Exchange Management Shell, not the regular powershell, on the Exchange server run the following command:
Get-WebServicesVirtualDirectory | fl >C:\ews.txt
The results should look something like this:
RunspaceId : 33ac48e8-9ff0-461f-b604-6ea6ef8a3bf4
CertificateAuthentication :
InternalNLBBypassUrl :
GzipLevel : Low
MRSProxyEnabled : False
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
MetabasePath : IIS://EXMS.support.LOCAL/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 775.38)
Server : EXMS
InternalUrl : https://mail.support.com/EWS/Exchange.asmx
ExternalUrl : https://mail.support.com/ews/exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EXMS,CN=Servers,
CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
CN=Administrative Groups,CN=Exchange,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=support,DC=LOCAL
Identity : EXMS\EWS (Default Web Site)
Guid : 62be879a-5a5c-495a-8cca-481bfd1c40c2
ObjectCategory : support.LOCAL/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 3/20/2014 1:49:19 PM
WhenCreated : 2/21/2014 11:22:32 AM
WhenChangedUTC : 3/20/2014 8:49:19 PM
WhenCreatedUTC : 2/21/2014 7:22:32 PM
OrganizationId :
OriginatingServer : LA-DC1.support.LOCAL
IsValid : True
ObjectState : Changed
RunspaceId : 33ac48e8-9ff0-461f-b604-6ea6ef8a3bf4
CertificateAuthentication :
InternalNLBBypassUrl :
GzipLevel : Low
MRSProxyEnabled : False
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
MetabasePath : IIS://EXMS2.support.LOCAL/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 775.38)
Server : EXMS2
InternalUrl : https://mail.support.com/EWS/Exchange.asmx
ExternalUrl : https://mail.support.com/EWS/Exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EXMS2,CN=Servers,
CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
CN=Administrative Groups,CN=Exchange,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=support,DC=LOCAL
Identity : EXMS2\EWS (Default Web Site)
Guid : 35cf96b1-29b4-442e-81c2-93298a8526af
ObjectCategory : support.LOCAL/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 3/20/2014 1:49:37 PM
WhenCreated : 3/13/2014 10:30:45 AM
WhenChangedUTC : 3/20/2014 8:49:37 PM
WhenCreatedUTC : 3/13/2014 5:30:45 PM
OrganizationId :
OriginatingServer : LA-DC1.support.LOCAL
IsValid : True
ObjectState : Changed
This is a quick report of the systems settings. The important thing to check is that BasicAuthentication is set to True.
EWSEditor
Sometimes you may have to dig deeper into a system to determine what is wrong.
EWSEditor [7] is a powerful and more dangerous tool that LDAP Browser since it can change entries.
- Log in as the Impersonation user to the Impersonation Mailbox. This is a very picky tool so you will have to do it right, see LDAP Browser.
- Use the Autodiscover Viewer Tool to attempt to access other mailboxes on the system and look in the EWSEditor Log tool to see what steps it is going through to reach the user.
Login into EWSEditor with Impersonation Rights
To test the Impersonation User you want to log into EWSEditor with the impersonation user mailbox with the impersonation user credentials.
- Specify the Service URL: to be something along the lines of https://10.1.4.200/EWS/Exchange.asmx and set the Exchange version to your own.
- Check Use the following credentials instead of the default Windows credentials
- User Name is the mailNickName or sAMAccountName and fill in the password and domain.
- Check Use impersonation to log on to another mailbox using the credentials specified on the credentials tab by identifying the mailbox Id below.
- Id Type: set to PrincipalName
- Id: set to the impersonation user's UPN e.g., Retain@ad.sol.net
Autodiscover Tool
EWSEditor has an autodiscover tool under Tools/Autodiscover Viewer.
- Uncheck Default Windows Credentials and enter the Impersonation User Credentials
- Enter the SMTP address of the mailbox you are attempting to access and the Exchange version you are running and press run.
- If you are successful you will see data returned.
- Otherwise an error will be returned. For more detail you can go back to the EWSEditor and select Tools/EWSEditor Log Viewer and see the steps it attempted in detail.
Autodiscover
Autodiscover is a way Microsoft provides that allows for software objects to be configured. [8]
We expect an address like https://autodiscover.mail.gwava.net/EWS/exchange.asmx or https://autodiscover.mail.gwava.net/autodiscover/autodiscover.xml
IIS
Autodiscover is part of IIS, so when changes are made you will have to restart IIS.
To restart IIS immediately run PowerShell as Administrator and
run the command "IISRESET" and it will restart IIS immediately.
Ports
Autodiscover ports in Firewall [9]
- External Interface is Protocol- Https, TCP/UDP-TCP,Port-443
- Internal Interface Protocol- HTTPS, TCP/UDP-TCP, Port-4443
Endpoint Error during migration
If the customer has multiple email domains but only one one AD domain you will see this error.
Autodiscover needs to be added to your DNS .srv file. Microsoft has a kb on that subject [10]
In the DNS manager create a new Forward Lookup Zone The general format is:
- Service: _autodiscover
- Protocol: _tcp
- Port Number: 443
- Host: mail.gwava.com
Exchange Autodiscover kbs
Other Items
Some basic KBs:
