Tuesday 25 January 2011

HMC: Autodiscover works but Exchange 2007 users cannot download the OAB


A few months back I was hit with an OAB issue, I actually raised a case to PSS as it was so odd but ended up resolving it myself before they called.

I was tasked with performing a 'staged migration' from HMC3.5 and Exchange 2003 to HMC4.5 and Exchange 2007 for a customer. This was theoretically possible because Cobweb have both solutions deployed in the same Forest (cool huh).

Normally we would perform the HMC upgrade and then move mailboxes to Exchange 2007 with a period of confirmed outage to the customer, moving them in a big bang migration approach. But this customer was so large and needed continuous messaging that this was not possible.

So I devised the following.

1. Upgrade the mailboxes for their users during the day to Exchange 2007
2. Keep them under HMC3.5 (this went through major testing in our Labs) and lock them out from Control Panel Management
3. Once all mailboxes were upgraded, confirm all was OK and then perform a 30 second 'flip' moving all their HMC data to HMC4.5 and the corresponding panel.

This needed pinpoint accuracy so as not to cause them any outages. It was also crucial that the permission group changes from HMC3.5 to 4.5 were performed flawlessly, as access to Public Folders, the GAL, and other objects was controlled this way.

When in the lab I noticed an issue IF the customer was an HMC3.5 and Exchange 2003 customer prior to HMC4.5 and Exchange 2007 going into the Forest and Exchange Org.

Any customer I upgraded in testing that was created after the HMC4.5 installation worked fine. It only affected pre-4.5 customers, and it caused an issue with the Offline Address Book.

Here is what Autodiscover gave back when looking at an upgraded mailbox.

It’s missing the OAB URL.

The OAB was there and accessible for all Exchange 2003 users yet to have their mailboxes moved, and version 4 was available. If I checked connection status I could see the Public Folder referral happen before downloading the OAB from the Exchange 2003 server. So I knew this was working. It just didn't work for users once their mailbox was moved to Exchange 2007.

Exchange 2007 CAS and Mailbox can perform a referral to an OAB on an Exchange 2003 server. So I knew this wasn't an incompatibility problem. This was also a single AD site, so there was no crazy Exchange 2007 to 2003 referrals happening across AD sites.

So what was the issue?

It turns out that the 'Exchange Domain Servers' Security Group was not granted permissions on the legacy OAB. This was due to the OAB existing prior to HMC4.5 and Exchange 2007 going into the Forest and Exchange Org. Any customer created after this had no issues.

Adding the correct permissions to allow this Security Group access fixed the issue. I added the permissions via ADSIEdit: Configuration Container, Services, Microsoft Exchange, Address List Containers, Offline Address Book, then select the customer's OAB.

Now when I go back to Outlook I can see OAB availability and download it successfully.

As a side note, both the GAL and AL also had this permission discrepancy, but it did not seem to create any ill side effects. As a best practice measure I set the correct permissions on these objects as well.
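As an added example (not code from the original post), here is a PowerShell audit for the OAB fix above and the GAL/AL note: it compares the ACEs that 'Exchange Domain Servers' holds on a known-good address list object (a customer created after HMC4.5) with those on a legacy customer's object, and lists what the legacy object lacks so you know what to add in ADSIEdit. It assumes the standard DN of the Offline Address Lists container under the Exchange organization in the configuration partition; the org name and the two OAB names are placeholders.

```powershell
# Added example, not from the original post. Compares the ACEs 'Exchange Domain
# Servers' holds on a known-good OAB with those on a legacy OAB and reports what
# the legacy object is missing. For GAL/AL objects point $base at
# 'All Global Address Lists' / 'All Address Lists' instead.
# Assumes a domain-joined host with read access to the configuration partition.
param(
    [string]$OrgName   = "<ExchangeOrgName>",            # placeholder
    [string]$GoodObj   = "<OAB created after HMC4.5>",   # placeholder: reference object
    [string]$LegacyObj = "<OAB created before HMC4.5>",  # placeholder: suspect object
    [string]$Group     = "Exchange Domain Servers"
)

# Standard location of OAB objects in the configuration partition.
$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$base     = "CN=Offline Address Lists,CN=Address Lists Container,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNc"

# Resolve the group to its SID once, so matching does not rely on name translation per ACE.
$groupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])

function Get-GroupAces {
    param([string]$Name)
    $entry = [ADSI]"LDAP://CN=$Name,$base"
    # ObjectSecurity is a System.DirectoryServices.ActiveDirectorySecurity;
    # pull explicit and inherited ACEs keyed by SID and flatten each to a comparable string.
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $groupSid.Value } |
        ForEach-Object {
            "{0}|{1}|{2}|{3}" -f $_.AccessControlType, $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritanceType
        }
}

$goodAces   = @(Get-GroupAces -Name $GoodObj)
$legacyAces = @(Get-GroupAces -Name $LegacyObj)

if ($goodAces.Count -eq 0) {
    Write-Warning "'$Group' has no ACEs on '$GoodObj'; choose a reference object that works."
    return
}
if ($legacyAces.Count -eq 0) {
    # The symptom from the post: the group is absent from the legacy object's ACL entirely.
    $missing = $goodAces
} else {
    # Compare-Object rejects empty arrays, hence the branch above.
    $missing = Compare-Object -ReferenceObject $goodAces -DifferenceObject $legacyAces |
        Where-Object { $_.SideIndicator -eq "<=" } | Select-Object -ExpandProperty InputObject
}

if ($missing) { "ACEs for '$Group' on '$GoodObj' missing from '$LegacyObj':"; $missing }
else          { "No ACE difference for '$Group' between '$GoodObj' and '$LegacyObj'." }
```

Each reported line is AccessControlType|ActiveDirectoryRights|ObjectType GUID|InheritanceType, which maps directly onto the fields you set in the ADSIEdit security dialog.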

Oliver Moazzezi MVP - Exchange Server
