Thursday, July 21, 2011

How Outlook 2007 & 2010 clients Connect Using Autodiscover Internally

Published by Ed

My colleague asked me a few questions the other day about Autodiscover and how it works internally, as he was having some issues connecting his Outlook client to the Exchange mailbox server internally. He was confused about a number of facts around the Autodiscover service, which prompted me to write a "to the point" article about this wonderful service.

How do Outlook 2007 and 2010 clients connect using the Autodiscover service internally? What is needed and what should be configured? Do we need an "A" record for autodiscover.ADdomain.local? These were a few of the questions I got.

First of all, when Outlook 2007 and 2010 clients start, they query AD for the SCP object (I will explain the SCP in a separate post). Every CAS server in the environment has a corresponding SCP object. The SCP object has an attribute named "serviceBindingInformation", which is an HTTPS URL, normally pointing to the CAS server itself.

We can configure this URL using the Exchange Management Shell by setting the "AutodiscoverServiceInternalURI" parameter of the CAS server. It is this URL that Outlook clients connect to in order to get the URLs for the Exchange services (OAB, OOF, Availability Service etc.) provided by the Autodiscover service.

So, the first step in configuring Autodiscover internally is to set the "AutodiscoverServiceInternalURI" parameter of the CAS server. If there is more than one CAS server, it has to be set on all of them. Normally, we point this URL to the load balancer and cover it in the SAN/UCC certificate. This means we can configure this parameter with the URL we are already using for OWA internally, as that hits the load balancer. Whichever URL we go for (a new one or an existing internal URL), it has to be in the SAN/UCC certificate.

The URL doesn't have to have the format autodiscover.ADdomain.local. There is no specific format for this URL; it is just a URL that can be routed internally. For example, I have the claytonutz.net domain in my lab and I have configured an "A" record called "webmail" which points to my load balancer VIP 172.32.16.21. I use "https://webmail.claytonutz.net/autodiscover/autodiscover.xml" as my "AutodiscoverServiceInternalURI" and I have this URL as part of my SAN/UCC certificate. I ran the command below to configure it.

As a good practice, run the Get-ClientAccessServer cmdlet on its own first to make sure you are getting all the CAS servers in your AD site.

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://webmail.claytonutz.net/autodiscover/autodiscover.xml

To make sure your command was executed correctly, read the Autodiscover service internal URL back by typing

Get-ClientAccessServer | fl autodisc*

If you have split-DNS (which means that your OWA URLs are the same internally and externally), you can configure the "AutodiscoverServiceInternalURI" parameter to be your OWA URL. If I had split-DNS, I would configure it to be "https://webmail.claytonutz.net/autodiscover/autodiscover.xml". The URL "webmail.claytonutz.net" will be in my SAN cert, as that is the same URL for all my Exchange services like OWA, EAS and OA. I think you get the point.

In short, you can configure the "AutodiscoverServiceInternalURI" parameter of the CAS server to be any URL, as long as it reaches the CAS server (either directly or through load balancing) and is covered by the SAN certificate. You don't need a split-DNS model just to have Autodiscover working internally. I think this is where most admins get confused. Split-DNS is "nice to have", so that users use the same URLs for OWA, ECP, EAS and OA whether they are internal or external, and the SAN cert only has to contain the public URLs.

Once the Autodiscover URL is set internally, you need to set the internal (and, for external access, external) URLs for the different Exchange virtual directories, like ActiveSync, WebServices, OWA, OAB, UM etc. I hope this clears up the doubts of many Exchange admins.

Note: You can use an internal PKI certificate covering the "AutodiscoverServiceInternalURI" URL and a third-party certificate on your reverse proxy, such as TMG.
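
To verify the result from the client's side, here is an added PowerShell check (not part of the original post) that reads the Autodiscover SCP objects back from AD the way Outlook does and then tests the URL they advertise; its only assumption is that it runs on a domain-joined machine.

```powershell
# Added example (not from the original post). Enumerates the Autodiscover SCP objects the same
# way an Outlook client does, then checks that every CAS advertises one HTTPS URL whose host
# name resolves internally (to the CAS itself or the load balancer VIP).
# Works on any domain-joined machine with PowerShell 2.0 or later; no Exchange cmdlets needed.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = '(objectClass=serviceConnectionPoint)'
$searcher.PageSize   = 500
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'serviceBindingInformation', 'keywords'))

$scps = foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties['distinguishedname'][0]
    # Exchange creates one SCP named "Autodiscover" under each CAS server's Protocols container.
    if ($dn -notmatch '^CN=Autodiscover,CN=Protocols,CN=(?<server>[^,]+),') { continue }
    New-Object PSObject -Property @{
        Server   = $Matches['server']
        Uri      = [string]$result.Properties['servicebindinginformation'][0]
        # keywords identify the SCP type and, if -AutoDiscoverSiteScope was set, the AD sites it is scoped to
        Keywords = @($result.Properties['keywords']) -join '; '
    }
}
$scps | Format-Table Server, Uri, Keywords -AutoSize

# Check 1: all CAS servers should advertise the same (load-balanced, SAN-covered) URL.
$distinctUris = @($scps | ForEach-Object { $_.Uri } | Sort-Object -Unique)
if ($distinctUris.Count -gt 1) {
    Write-Warning "CAS servers advertise different Autodiscover URLs: $($distinctUris -join ', ')"
}

# Check 2: the SCP value is expected to be an HTTPS URL, and its host name must resolve internally.
foreach ($uri in $distinctUris) {
    $parsed = [System.Uri]$uri
    if ($parsed.Scheme -ne 'https') { Write-Warning "$uri is not an HTTPS URL"; continue }
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($parsed.Host) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0} resolves to {1}" -f $parsed.Host, ($addresses -join ', '))
    } catch {
        Write-Warning "$($parsed.Host) does not resolve; add an internal A record for it pointing at the CAS or load balancer"
    }
}
```

If the host name resolves to the load balancer VIP and the same URL shows for every server, the remaining thing to confirm is that the name is in the SAN/UCC certificate bound to IIS.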

Cheers,
Ed

Sunday, July 17, 2011

ERROR: Microsoft Lync 2010 must be installed by running the appropriate Lync setup executable

Issue:
You experience the following symptoms:
A local Windows Installer (MSI) installation of Microsoft Lync 2010 can fail, and the following warning is displayed in the Microsoft Lync 2010 Setup dialog box: "Microsoft Lync 2010 must be installed by running the appropriate Lync setup executable"

Resolution:
Use the Lync 2010 UseMSIForLyncInstallation Group Policy setting to allow or block MSI deployments of Lync.msi, as follows:

Name: UseMSIForLyncInstallation
Default: 0
Range: 1 or 0
Registry Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator
To do this, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type UseMSIForLyncInstallation, and then press ENTER to name the registry entry.
5. Right-click UseMSIForLyncInstallation, and then click Modify.
6. In the Value data box, type 1 if that value is not already displayed, and then click OK.
7. Exit Registry Editor.
8. Restart the Windows client.

Source:

Monday, July 11, 2011

Offline Address book (OAB) Generation in Exchange and Outlook 2010

The Offline Address Book lets users download a copy of the address book to their local machine. Outlook uses this local copy of the OAB file for lookups when it is not connected to the network (working offline). It is a complete copy of the global address book.

I will try and explain how the OAB is generated, synchronized and made available for distribution to outlook users.

One mailbox server in the organization is identified as the OAB generation server. This is usually the first mailbox server deployed in the organization, or any mailbox server assigned the OAB generation role at a later stage.

The OABGen service running on the mailbox server generates, creates and updates all OAB files. OABGen is part of the System Attendant service. By default, the generated OAB files are located under "\Program Files\Microsoft\Exchange Server\V14\ExchangeOAB".

OABGen communicates with Active Directory and generates the address book for all mailbox-enabled user accounts, contacts and other Exchange resources in the Exchange organization. The files are compressed, with the .LZX extension.

Now let me explain how the OAB is distributed to the clients.

There are two distribution methods in Exchange 2010: web-based distribution and public folder distribution. Web-based distribution is only supported by Outlook 2007 and later clients. Public folder distribution is the Exchange 2003 method and is supported by all versions of Outlook.

To keep this short and meaningful, I’m only going to talk about the web based distribution as public folder distribution is old news and not used anymore. Plus we are upgrading all outlook clients to Outlook 2010.

OAB files are generated on the Exchange 2010 mailbox server, and Outlook no longer connects directly to the mailbox servers. The solution is to use the Client Access Server role with web-based distribution. On the Client Access Server, a virtual directory called OAB runs within the Default Web Site, and this virtual directory distributes the OAB files.

How does the OAB virtual directory get the OAB data files from the mailbox server?

This is done by the Microsoft Exchange File Distribution service running on the Client Access Servers. The Microsoft Exchange File Distribution service polls the OABGen server and copies the OAB data from the mailbox server to the CAS server. Once the complete OAB files have been copied, only data that changes afterwards is synchronized to the CAS server. The synchronization (poll) frequency is 8 hours by default, and you can change it if required with the following PowerShell cmdlet (the value is in minutes).

Set-OABVirtualDirectory "OAB (Default Web Site)" -PollInterval 360

If you are curious and want to know what web-based distribution looks like, hold the CTRL key, right-click the Outlook icon in the system tray and select the "Email auto configuration" option from the menu.

Enter the user's email address and password and click Test. On the Results tab you should be able to see the OAB URL your Outlook connects to in order to download the OAB from Exchange.
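
To see the same OAB URL from a script, here is an added PowerShell example (not from the original post) that issues the Autodiscover request Outlook issues and prints the URLs that come back; the Autodiscover URL and mailbox address are assumed lab values.

```powershell
# Added example (not from the original post). Sends the same POX Autodiscover request
# Outlook sends and prints the service URLs the CAS returns, OABUrl included, so you can
# confirm the OAB virtual directory URL without the Outlook test dialog.
# Assumed lab values: the Autodiscover URL, the mailbox address, and the credentials prompted for.
$autodiscoverUrl = 'https://webmail.claytonutz.net/autodiscover/autodiscover.xml'
$mailbox         = 'user@claytonutz.net'
$credential      = Get-Credential $mailbox

$requestXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$mailbox</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

$client = New-Object System.Net.WebClient
$client.Credentials = $credential.GetNetworkCredential()
$client.Headers.Add('Content-Type', 'text/xml; charset=utf-8')
# WebClient validates the server certificate against the machine's trusted roots; a trust or
# name-mismatch error here means the host name is not covered by the certificate Outlook sees.
[xml]$response = $client.UploadString($autodiscoverUrl, 'POST', $requestXml)

$account = $response.Autodiscover.Response.Account
if (-not $account) {
    # Error responses carry <Response><Error><ErrorCode/><Message/></Error></Response> instead.
    $err = $response.Autodiscover.Response.Error
    throw "Autodiscover returned error $($err.ErrorCode): $($err.Message)"
}
if ($account.Action -ne 'settings') {
    # Autodiscover may redirect instead of answering (Action = redirectAddr or redirectUrl).
    "Redirected ({0}): {1}{2}" -f $account.Action, $account.RedirectAddr, $account.RedirectUrl
    return
}

# Protocol blocks: EXCH = internal RPC/MAPI settings, EXPR = Outlook Anywhere, WEB = OWA URLs.
foreach ($protocol in @($account.Protocol)) {
    "--- {0} (Server: {1})" -f $protocol.Type, $protocol.Server
    foreach ($name in 'OABUrl', 'OOFUrl', 'EwsUrl', 'ASUrl', 'EcpUrl') {
        if ($protocol.$name) { "  {0,-7} {1}" -f $name, $protocol.$name }
    }
}
```

The OABUrl printed for the EXCH block is the OAB virtual directory URL on the CAS that the File Distribution service has populated.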

This is a quick overview of how the OAB works in Exchange 2010. I hope this article helps you.

What are MailTips and what can be set in Exchange 2010

MailTips are informative messages that appear while a user composes a new message.

For example, if you send an email to a user whose mailbox is full, you get an NDR saying that the destination user's mailbox is full.

Now a MailTip shows this while you are composing the message, so you don't have to actually send the email.

Another example: if you are about to send an email by mistake to a large distribution list with thousands of members, a MailTip will warn you about it.

MailTip Scenarios

Below are the different scenarios possible.

Invalid Internal Recipient

The Invalid Internal Recipient MailTip is displayed if the sender adds a recipient that appears to be internal to the organization but doesn’t exist in Active Directory.

This could happen if the sender addresses a message to a user who is no longer with the company but whose address resolves due to name resolution cache or an entry in the sender’s Contacts folder. It can also happen if the sender types an SMTP address with a domain for which Exchange is authoritative and the address doesn’t resolve to an existing recipient.

The MailTip indicates the invalid recipient and gives the sender the option to remove the recipient from the message.

Mailbox Full

The Mailbox Full MailTip is displayed if the sender adds a recipient whose mailbox is full and the Exchange organization administrator has implemented a Prohibit Receive restriction for mailboxes over a specified size.

The MailTip indicates the recipient whose mailbox is full and gives the sender the option to remove the recipient from the message.

The MailTip is accurate at the time of display. If the message isn’t immediately sent, the MailTip will be updated every two hours. This also applies to messages that were saved in the Drafts folder and reopened after two hours.

Automatic Replies

The Automatic Replies MailTip is displayed if the sender adds a recipient who has turned on automatic replies.

The MailTip indicates the recipient has automatic replies turned on and also displays the first 250 characters of the automatic reply configured by the recipient.

The MailTip is accurate at the time of display. If the message isn’t immediately sent, the MailTip will be updated every two hours. This also applies to messages that were saved in the Drafts folder and reopened after two hours.

Custom

A custom MailTip is displayed if the sender adds a recipient for whom a customized MailTip is configured.

A custom MailTip can be useful for providing specific information about a recipient. For example, you can create a custom MailTip for a distribution group explaining its purpose to reduce its misuse.

By default, custom MailTips aren’t displayed if the sender isn’t allowed to send to that recipient. In that case, the Restricted Recipient MailTip is displayed. However, you can change this configuration and have the custom MailTip also display. For more information about configuring custom MailTips, see Configure Custom MailTips for Recipients.

Restricted Recipient

The Restricted Recipient MailTip is displayed if the sender adds a recipient for which delivery restrictions are configured prohibiting this sender from sending messages.

The MailTip indicates the recipient to which the sender isn’t allowed to send messages and gives the sender the option to remove the recipient from the message. It also clearly informs the sender that the message won’t be delivered if sent.

If the restricted recipient is an external recipient, or if it’s a distribution group that contains external recipients, this information is also provided to the sender. However, the following MailTips, if applicable, are suppressed:

  • Automatic Replies
  • Mailbox Full
  • Custom MailTip
  • Moderated Recipient
  • Oversize Message

External Recipients

The External Recipients MailTip is displayed if the sender adds a recipient that’s external, or adds a distribution group that contains external recipients.

This MailTip informs senders if a message they’re composing will leave the organization, helping them make the correct decisions about wording, tone, and content.

By default, this MailTip is turned off. You can turn it on using the Set-TransportConfig cmdlet. For details, see Configure Organizational Settings for MailTips.

Large Audience

The Large Audience MailTip is displayed if the sender adds a distribution group that has more than the large audience size configured in your organization. By default, Exchange displays this MailTip for messages to distribution groups that have more than 25 members. For information about configuring the large audience size for your organization, see Configure Organizational Settings for MailTips.

The size of distribution groups isn’t calculated each time. Instead, the distribution group information is read from the Group Metrics data. For more information about Group Metrics, see Understanding Group Metrics.

Moderated Recipient

The Moderated Recipient MailTip is displayed if the sender adds a recipient that’s moderated.

The MailTip indicates which recipient is moderated and informs the sender that this may result in delay of the delivery.

If the sender is also the moderator, this MailTip isn’t displayed. It’s also not displayed if the sender has been explicitly allowed to send messages to the recipient (by adding the sender’s name to the Accept Messages Only From list for the recipient).

Reply-All on Bcc

The Reply-All on Bcc MailTip is displayed if the sender receives a Bcc copy of a message and selects Reply to All.

When a user selects Reply to All to such a message, the fact that the user received a Bcc of that message is revealed to the rest of the audience to which the message was sent. In almost all cases, this is an undesirable situation, and this MailTip informs the user of this condition.

Oversize Message

The Oversize Message MailTip is displayed if the message the sender is composing is larger than configured message size limits in your organization.

The MailTip is displayed if the message size violates one of the following size restrictions:

  • Maximum send size setting on the sender’s mailbox
  • Maximum receive size setting on the recipient’s mailbox
  • Maximum message size restriction for the organization
  • Maximum Request Length setting (for Microsoft Office Outlook Web App only)

In the screenshot below, I tried to email an internal user who is currently disabled, and the MailTip says that the user is disabled.

To enable MailTips, use the cmdlet below:

Set-OrganizationConfig -MailTipsAllTipsEnabled $true

To customise the large audience size setting for the MailTip, try the cmdlet below.

Set-OrganizationConfig -MailTipsLargeAudienceThreshold 50

This means that when you try to send an email to more than 50 recipients, a MailTip will alert you.
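
Putting the above together, here is an added example (not from the original post) that configures MailTips from the Exchange Management Shell and reads the settings back; the distribution group name "All Staff" is assumed.

```powershell
# Added example (not from the original post). Enables MailTips org-wide, sets the large-audience
# threshold used in the post, adds a custom MailTip to a distribution group and reads the
# settings back. "All Staff" is an assumed group name. Run from the Exchange Management Shell.
Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsLargeAudienceThreshold 50

# The Large Audience tip reads member counts from Group Metrics rather than expanding the group
# each time, so group metrics must be enabled for it to fire.
Set-OrganizationConfig -MailTipsGroupMetricsEnabled $true

# A custom MailTip tells senders what the group is for before they hit Send.
Set-DistributionGroup -Identity 'All Staff' -MailTip 'Reaches every employee. Use only for company-wide announcements.'

# Read back what Outlook will act on.
Get-OrganizationConfig | Format-List MailTips*
Get-DistributionGroup -Identity 'All Staff' | Format-List Name, MailTip, MailTipTranslations
```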

Monday, December 21, 2009

HOWTO: OCS and Exchange Remote Connectivity tests

Exchange Server
https://www.testexchangeconnectivity.com/

Office Communications Server (OCS)
https://www.testocsconnectivity.com/

Thursday, August 20, 2009

Virtualising existing domain controllers

Against VMware's recommendations, I have written up the safest way to virtualise a domain controller without first demoting it to a standalone server, as described here.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006996

Part 1. Install VM Converter

1. Install the standalone VMware Converter tool on the domain controller.

Part 2. Boot the server in Directory Services Restore Mode (DSRM)

1. On your machine, select Run from the Start menu, type Mstsc /console, and click OK.

2. Type the FQDN of the DC.

3. Log on to the server using a Domain admin account

4. On the DC, select Run from the Start menu, type sysdm.cpl, and click OK.

5. On the Advanced tab, click Settings in the Startup and Recovery section. Click Edit. This opens the boot.ini file in Notepad.

6. Add /SAFEBOOT:DSREPAIR to the end of the operating system entry in boot.ini, then save and close the file.

7. Disable the FRS services

8. Reboot the server.

9. RDP to the server again (make sure you use the /console switch).

10. When you reconnect, the server should state that it is in safe mode. Log on using the recovery console account.

Part 3. Convert the domain controller

1. Use VMware Converter to convert the server.

2. Resize disks as appropriate

3. Once conversion is complete, shut down the physical server and physically disconnect it from the network. Do not reconnect it for any reason!

Part 4. Clean up the new virtual DC

1. Boot the new VM in a network-isolated state. The server should still be in DSRM, as we haven't removed /SAFEBOOT:DSREPAIR from boot.ini.

2. Uninstall all HP software except HP Data Protector or other provider software.

3. Remove hidden NICs using Devcon: http://support.microsoft.com/kb/269155

4. Assign the correct server to the VM NIC. This is very important, as this is a DNS server.

5. Reboot server

6. Check event logs for hardware related issues

7. If all looks good, remove /SAFEBOOT:DSREPAIR from boot.ini.

8. Re-enable the FRS services.

9. Reboot the server and place it back on the network. (From this point forward we cannot roll back to the original server.)

Part 5.

1. Check replication!

2. Check FRS replication! If required, do a non-authoritative restore of Sysvol: http://support.microsoft.com/kb/840674

3. Destroy the original domain controller!!!

4. Never Clone a DC as a Backup!!!
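
An added PowerShell check for Part 5 (not part of the original post): it parses repadmin's output for failed links and looks for the event IDs that a DC booted from an old or cloned image produces. It assumes repadmin.exe is present on the converted DC and that SYSVOL still uses FRS, as the post describes.

```powershell
# Added example (not from the original post). Checks for Part 5 after the converted DC is
# back on the network: parses repadmin's CSV output for failed replication links, and looks
# for USN rollback (event 2095) and FRS trouble (events 13508/13516), which a DC booted from
# an old or cloned image can trigger. Run in an elevated PowerShell prompt on the converted DC.
$dc = $env:COMPUTERNAME

# "repadmin /showrepl * /csv" lists every inbound link on every DC; the first column is showrepl_COLUMNS.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })

"{0} replication links inspected, {1} with failures" -f @($links).Count, $failed.Count
$failed | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures',
                        'Last Failure Status', 'Last Success Time' | Format-Table -AutoSize

# Links touching the converted DC are the ones that decide whether the P2V was clean.
$mine   = @($links | Where-Object { $_.'Destination DSA' -eq $dc -or $_.'Source DSA' -eq $dc })
$newest = $mine | Where-Object { $_.'Last Success Time' } |
    ForEach-Object { [datetime]$_.'Last Success Time' } | Sort-Object -Descending | Select-Object -First 1
"{0} links involve {1}; newest successful replication: {2}" -f $mine.Count, $dc, $newest

# Event 2095 means partners saw this DC reuse already-acknowledged USNs; NTDS then pauses
# replication, and the supported recovery is to demote and re-promote the DC, not to restore again.
$rollback = Get-EventLog -LogName 'Directory Service' -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 2095 }
if ($rollback) { Write-Warning "USN rollback detected on $dc (event 2095). Do not leave this DC online." }

# FRS: 13508 = cannot replicate SYSVOL with a partner; 13516 = SYSVOL is shared and replicating again.
$frs = Get-EventLog -LogName 'File Replication Service' -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
    Where-Object { 13508, 13516 -contains $_.EventID } | Select-Object TimeGenerated, EventID, Message
$frs | Format-Table -AutoSize -Wrap
```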


Cheers

Steve

Sunday, July 12, 2009

How to find and kill a hung VM on ESX 3.5

http://communities.vmware.com/message/245617;jsessionid=AC54B73461657AECCF0CB98763CE2C2C

First you must find the PID:

ps auxfww | grep Name_of_the_VM

Then try a soft stop first:

vmware-cmd /path/to/config/file.vmx stop soft

If that fails, try a hard stop:

vmware-cmd /path/to/config/file.vmx stop hard

Kill techniques:

kill <PID>

If the above doesn't work you may need to issue a kill -9:

kill -9 <PID>