The Exchange 2007 Wiki

Availability Service FAQs

This FAQ is broken down into the following sections:

  • Understanding Availability Service (AS)
  • Troubleshooting AS – getting information from the client and server
  • Configuring SSL, Certificates to make AS work
  • Configuring cross-forest AS
  • What is changing with post-Beta2 AutoDiscover/AS?

1. Understanding Availability Service and Auto-Discover


What is the Availability Service?

Availability Service is a Web Service that is responsible for providing free/busy information to
the Outlook 2007 client and OWA 2007.  Of course, since Availability Service (AS) is part of the
Exchange 2007 Programming Interface, it will be available as a public web service to allow
third-party tools to integrate with it and as a programming interface for interested developers.

The schema for the availability service can be found at:
https://<your domain>/ews/services.wsdl

You can find more information regarding Exchange Server 2007 SDK Beta 2 at the following
URL:

http://msdn.microsoft.com/exchange

So, if I have Outlook 2007, does it imply I am using Availability
Service for free/busy?

OUTLOOK 2007 will use AS only for EXCHANGE 2007 mailboxes.  If you are using
OUTLOOK 2007 but still have a Titanium (Exchange 2003) mailbox, OUTLOOK 2007 falls
back to public folders for your free/busy information.
However, if Outlook 2007 is running over Exchange 2007, AS is used for free/busy.
 

What happens if I have both EXCHANGE 2007 and Titanium
(Exchange 2003) in my topology?

Exchange 2007 supports live free/busy using Availability Service.  Availability Service can
retrieve free/busy from a user’s mailbox.  The advantage of retrieving free/busy from the user’s
mailbox is that unlike free/busy from public folders, there are no syncing delays.  So, live free/busy
data from a user’s mailbox is always up-to-date.
Whether you get live free/busy or free/busy from public folders depends on the client/server
combination being used.  Here’s a table to help understand what method is used for free/busy.

Client        Logged-In Mailbox  Target Mailbox  FB Retrieval
Outlook 2007  Exchange 2007      Exchange 2007   Availability Service reads free/busy from the target mailbox
Outlook 2007  Exchange 2007      Exchange 2003   Availability Service makes HTTP connections to the /public vdir of the Exchange 2003 mailbox
Outlook 2003  Exchange 2007      Exchange 2007   Legacy behavior: look up free/busy in local S+ public folders
Outlook 2003  Exchange 2007      Exchange 2003   Legacy behavior: look up free/busy in local S+ public folders
OWA 12        Exchange 2007      Exchange 2007   Calls AS API, which reads free/busy from the target mailbox
OWA 12        Exchange 2007      Exchange 2003   Calls AS API, which makes an HTTP connection to the /public vdir of the Exchange 2003 mailbox
Any           Exchange 2003      Exchange 2007   Legacy behavior: look up free/busy in local S+ public folders

If you have Exchange 2007 and Exchange 2003 servers within the same forest, then please consult
the table above to determine how free/busy is retrieved.
For Outlook 2007/OWA 2007 clients over an Exchange 2007 mailbox, Availability Service will fetch
or read the free/busy information from the calendar data in the user's mailbox.  Both OWA and
Outlook 2007 will publish or write free/busy to public folders.  If an Outlook 2007/Exchange 2007
user requests free/busy for an Exchange 2003 user, Availability Service looks up public folders for
the Exchange 2003 user's free/busy information.  This request is done over HTTP to the
/public vdir on the server hosting that user's mailbox.  In Exchange 2007 Beta2, please make sure
there is at least one Schedule+ Free/Busy public folder replica in each administrative group for
this to work.

Cross-forest free/busy: You will need to ensure that free/busy information is replicated between the
forests.  For OL2007/Exchange 2007 users to see free/busy of Exchange 2003 users in the other
forest, please use the following command to configure Availability Service.  This command should
be run as a one-time setup step on any server in the Exchange 2007 forest:

Add-AvailabilityAddressSpace -ForestName:<forest name e.g. foo.com> -AccessMethod:PublicFolder

In the above example, for tiuser1@foo.com, Availability Service will fetch free/busy from public
folders.
For cross-forest free/busy between two Exchange 2007 forests, please see the discussion below.

How does AutoDiscover affect Availability Service?

Outlook 2007 discovers the Availability Service URL using the Auto-Discover service.  Auto-Discover
is like a DNS Web Service for Outlook to find various services like Availability Service, UM and
OAB: it tells Outlook where to go for each of those web services.
For Beta2, Outlook attempts to connect to auto-discover by trying two "well-known" URLs (based
on the SMTP <domain> of the user's e-mail address) one after another until it succeeds:
            https://autodiscover.<domain>/autodiscover/autodiscover.xml
            https://<domain>/autodiscover/autodiscover.xml
Outlook posts an XML request that includes the user's e-mail address (and in some cases legacy
DN), which AutoDiscover uses to look up information about the user.  Auto-discover returns
configuration information about the user and the URL(s) to connect to the various services.  Please
note that Outlook does not cache the AutoDiscover response but periodically makes AutoDiscover
requests.
I would like to point out that this well-known URL approach has been revised for RTM and will
change with Outlook 2007 B2TR (Technical Refresh)/Exchange 2007 RTM.
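As an added example (not part of the wiki page, and not Outlook's own code), the following PowerShell derives the two well-known URLs from an SMTP address exactly as described above, POSTs an Outlook-style AutoDiscover request to each in turn, and reports the first URL that answers together with the Availability Service URL it returned (the ASUrl element of the 2006a response schema). It assumes PowerShell 2.0 or later and sends the logged-on user's Windows credentials; the address user1@company.com is a placeholder. Certificate validation is deliberately left on, so a name mismatch surfaces here as a WebException, the same condition Outlook logs as 80072F17.

```powershell
# Added example (not from the wiki): probe AutoDiscover the way Outlook 2007 Beta2 does.
# Assumes PowerShell 2.0+; runs as the current Windows user.

function Get-AutodiscoverCandidateUrls {
    param([string]$EmailAddress)
    # Beta2 order as documented above: autodiscover.<domain> first, then <domain>
    $domain = $EmailAddress.Split('@')[1]
    @("https://autodiscover.$domain/autodiscover/autodiscover.xml",
      "https://$domain/autodiscover/autodiscover.xml")
}

function New-AutodiscoverRequestXml {
    param([string]$EmailAddress)
    # Outlook-provider request: the user's SMTP address plus the response schema it accepts
    return @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
}

function Test-Autodiscover {
    param([string]$EmailAddress)
    $body = [System.Text.Encoding]::UTF8.GetBytes((New-AutodiscoverRequestXml $EmailAddress))
    foreach ($url in (Get-AutodiscoverCandidateUrls $EmailAddress)) {
        Write-Host "Trying $url"
        try {
            $req = [System.Net.HttpWebRequest]::Create($url)
            $req.Method = 'POST'
            $req.ContentType = 'text/xml'
            $req.UseDefaultCredentials = $true   # present the logged-on user's credentials, as Outlook does
            $req.Timeout = 15000
            $req.ContentLength = $body.Length
            $stream = $req.GetRequestStream()
            $stream.Write($body, 0, $body.Length)
            $stream.Close()
            $resp = $req.GetResponse()
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            [xml]$answer = $reader.ReadToEnd()
            $resp.Close()
            # ASUrl is the Availability Service URL inside the EXCH <Protocol> block of the response
            $asUrl = @($answer.SelectNodes("//*[local-name()='ASUrl']") | ForEach-Object { $_.InnerText })
            return New-Object PSObject -Property @{ AnsweringUrl = $url; ASUrl = $asUrl }
        } catch [System.Net.WebException] {
            # DNS failures, HTTP errors and certificate validation failures all land here;
            # fix the name or the certificate on the server rather than turning validation off
            Write-Host "  failed: $($_.Exception.Message)"
        } catch {
            Write-Host "  unexpected: $($_.Exception.Message)"
        }
    }
}

Test-Autodiscover -EmailAddress 'user1@company.com' | Format-List
```

Run it as the mailbox user on a client machine. A WebException that mentions the remote certificate or a trust failure corresponds to the certificate problems discussed in section 4 of this FAQ.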

What additional functionality is provided by the Availability Web
Service?

Exchange 2007 calendaring functionality for free/busy, meeting suggestions and Out-of-Office
(OOF) depends on Availability Web Service.
 

I’ve heard I can grant granular free/busy permissions for Exchange
2007 users.  How?

You can grant granular free/busy permissions - None, Free/Busy (default), Free/Busy with
Subject-Time-Location, and Full Details (Reviewer) - to users.  You can do this by going to the
Calendar Properties->Permissions Tab and selecting the kind of free/busy you want to grant.

Granular free/busy permissions

Can I write a program to directly interact with the Availability Web
Service?

Yes.  You can generate proxy classes by using the WSDL from the following location:

https://<CAS_SERVER>/ews/services.wsdl

2. Troubleshooting Availability Service

How does cross-site Availability Service work?

If a user in site1 requests free/busy for a user in site2, then Availability Service in site1 sends a
proxy request to the Availability Service in site2, gathers the response and returns the results.
The following slide illustrates this:

Cross-Site AS

I am using OUTLOOK 2007.  How can I tell what URL is being used 
for Availability Service?

In Outlook 2007, Ctrl-Right-click on the Outlook system tray icon.

Test Email Auto-Configuration in OL 2007

Make sure that your email address is the one entered in the E-mail Address field. Make sure that
“Use AutoDiscovery” is the only box checked and then click on “AutoConfigure”.  Progress on
each URL is displayed in the Log tab.
The retrieved settings are then displayed in the “Results” tab.

Test Email Auto-Configuration output in OL 2007

On the Exchange 2007 CAS server, you can use the Test-OutlookWebServices diagnostic tool.
Please note that in Beta2, the tool is still "Work In Progress" and your feedback is appreciated.

Test-OutlookWebServices

AutoDiscover provides Outlook 2007 with configuration information needed to connect to
Exchange.  Test-OutlookWebServices is a diagnostic task to verify that AutoDiscover is configured
properly and can service Outlook client requests.

The Exchange Administrator can use the Test-OutlookWebServices task to verify/troubleshoot
valid configuration for AutoDiscover, Availability Service, RPCHTTP and OAB distribution to
make sure Outlook clients can connect to Exchange services.

The administrator can scope the test as follows:
  1. Individual user – specify the individual user in the Identity parameter.

    Test-OutlookWebServices
    In this case, the task picks a user (usually at the top of the list) from the current site.
    Test-OutlookWebServices -Identity:user1@company.com
    In this case, the task does AutoDiscovery as user1 and makes an Availability Service request
    on behalf of user1 for user1's free/busy.
  2. CAS server – specify the name of a CAS server in the identity.  In this case, a mailbox user
    will be randomly chosen in the same site as the CAS server.
    Test-OutlookWebServices -ClientAccessServer:"cas01.foo.com"
  3. All CAS servers in site – the administrator enumerates the CAS servers and tests each one.
  4. Cross-site Availability Service – use the Identity parameter to specify a user in site 1 and
    TargetAddress to specify a different user in site 2 who is the target of the AS request.  Reverse
    the users to check that AS requests are successful from both sites (see example below).
    Test-OutlookWebServices -Identity:user1@site1.company.com
    -TargetAddress:user2@site2.company.com
    In this case, the task does AutoDiscovery as user1 and makes an Availability Service request
    on behalf of user1 in site1 for user2's free/busy.  The request is actually proxied cross-site
    to an instance of Availability Service in site2 and the response is returned to the requesting
    Availability Service in site1.

If no recipient is provided in the identity parameter, the task will pick a user from the current site.
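As an added example that is not part of the wiki, the following PowerShell sweep applies scopes 2, 3 and 4 above in one run: it calls Test-OutlookWebServices once per CAS server returned by Get-ClientAccessServer, then in both directions between a user in site 1 and a user in site 2, and keeps only the Error and Warning entries. The property names Id, Type and Message are an assumption based on the ID/Type/Message layout the task prints (described further below); the user addresses are placeholders.

```powershell
# Added example (not from the wiki): sweep Test-OutlookWebServices over every CAS server
# and both cross-site directions, then surface only Error/Warning results.
# Assumes Exchange 2007 Management Shell; Id/Type/Message property names are an assumption.

function Invoke-OlwsSweep {
    param([string]$Site1User, [string]$Site2User)
    $results = @()

    # scope 2/3: one run per CAS server (the task picks a mailbox user in that server's site)
    foreach ($cas in Get-ClientAccessServer) {
        $results += Test-OutlookWebServices -ClientAccessServer $cas.Name |
            Select-Object @{n='Scope'; e={ "CAS $($cas.Name)" }}, Id, Type, Message
    }

    # scope 4: cross-site request in both directions, so proxying is tested from each site
    foreach ($pair in @(@($Site1User, $Site2User), @($Site2User, $Site1User))) {
        $results += Test-OutlookWebServices -Identity $pair[0] -TargetAddress $pair[1] |
            Select-Object @{n='Scope'; e={ "$($pair[0]) -> $($pair[1])" }}, Id, Type, Message
    }

    # success/information rows are dropped; anything left needs an administrator's attention
    $results | Where-Object { $_.Type -eq 'Error' -or $_.Type -eq 'Warning' }
}

Invoke-OlwsSweep -Site1User 'user1@site1.company.com' -Site2User 'user2@site2.company.com' |
    Format-Table Scope, Id, Type, Message -AutoSize -Wrap
```

An empty result means every scope returned only Success or Information events; the event IDs listed below say which condition each remaining row stands for.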

The task will return information about any problems with SSL certificates.  If the task is successful
in retrieving an AutoDiscover response, it will proceed to determine the validity of the returned
service URLs.

Availability Service validation

The task verifies that a request can be successfully submitted to the AS URL.  The response may
not contain actual data depending on the calendar permissions that have been set.  If no target
address is specified, the target address is taken from the identity parameter.  The request is made
for one day of free/busy data and the data is not returned in the task output.

RPCHTTP, OAB, UM endpoint validation

For the RPCHTTP, OAB and UM URLs, the task will verify that a connection can be made.  The
presence of an OAB file is not verified, nor are the UM or RPCHTTP settings checked for
correctness.
 

The output of the task is organized as follows to make it compatible with MOM:

ID: <Event ID>
Type: Success/Error/Information/Warning
Message: The text corresponding to the event id.

Here are some common events for Auto-Discover:

ID: 1000
Type: Error
Message: No AutoDiscover URL(s) are available – none on the SCP object, and
autodiscover.domain.com and domain.com are not registered.

ID: 1001
Type: Warning
Message: Autodiscover can only be connected over a non-SSL connection.

ID: 1002
Type: Warning
Message: Supplied a contact’s target address to test-OLWS

ID: 1003
Type: Information
Message: The email address to be used for Autodiscover.

ID: 1004
Type: Error
Message: CLR reports a RemoteCertificateNameMismatch and the server name is not on the SSL
certificate.

ID: 1005
Type: Error
Message: All other SSL errors.

ID: 1006
Type: Warning/error/success
Message: Autodiscover was contacted but returned an error/garbage/worked. (Reports status for
Autodiscover)

ID: 1007
Type: Information
Message: The caller specified a CAS server. Test-OLWS will only use the specified CAS server.

ID: 1010
Type: Error
Message: Cannot figure out the identity provided to the task.

ID: 1011
Type: Warning/Error
Message: AS threw a warning/error for a specific FB response.

ID: 1012
Type: Warning
Message: test-OLWS did not understand all of the XML returned by Autodiscover.  Usually, this
means there was a change to the Autodiscover protocol but test-OLWS was not updated.

ID: 1013
Type: Error
Message: An unknown web exception happened while contacting a URL.

I can see free/busy using OWA but not using OUTLOOK 2007.  Why?

OWA runs against the Availability Service API(s) on the CAS server.  OUTLOOK 2007 runs
against the Availability Service Web Service and relies on the Autodiscover service to find the
Availability URL.  Oftentimes, free/busy issues in OL2007 are not related to the Availability
Service per se, but are rather an issue with Autodiscover.  In all likelihood, this is a problem with
configuration.

You can run the following Monad commands to get more information.
Test-OutlookWebServices (explained earlier)
Get-WebServicesVirtualDirectory – This cmdlet returns the information for the Exchange Web
Services (EWS) virtual directory object in the Active Directory.  You can get information about the
internal and external URLs for AS (which is part of EWS).

Please read on for more details on these commands.

How can I provide a log file for OUTLOOK 2007-AS?

In Outlook go to Tools->Options->Other->Advanced Options and check Enable logging.
Click OK and get out of the dialogs.
Now, try getting free/busy.
Open the %temp% folder.
Look in olkdisc.log and olkas\<latest log file>.

A few common errors are explained here:
80072EE7 – ERROR_INTERNET_NAME_NOT_RESOLVED indicates a problem with DNS
configuration.  You could try turning off proxy resolution on your client machine or fix the proxy
settings.
80072F17 – ERROR_INTERNET_SEC_CERT_ERRORS indicates a problem with SSL
certificates.  Please see the discussion below for more details.
80072EF3 – The requested operation cannot be carried out because the handle supplied is not in
the correct state.  Generally, this is a temporary and recoverable situation.
80072EFD – ERROR_INTERNET_CANNOT_CONNECT
8004010F – MAPI_E_NOT_FOUND
0x800C82003 – Networking errors

I just configured a NLB called mail.foo.com.  How can I configure
the AS URL to be mail.foo.com?

We have a task that will let you do this.

Set-WebServicesVirtualDirectory -Identity:"EWS*" -ExternalUrl:"https://mail.foo.com/ews/exchange.asmx" -InternalUrl:"https://mail.foo.com/ews/exchange.asmx"

The Internal URL is used from the intranet and the External URL is used from the Internet.  If you
intend on using the same URL for both internal and external traffic, please make sure that your
DNS is properly configured to route internal traffic directly to the internal website and make sure
that the URL is properly accessible both internally and externally.
Of course, in order for Auto-Discover and Availability Service to work, you have to make sure that
the DNS is properly configured such that mail.foo.com and autodiscover.mail.foo.com point to the
CAS servers in the NLB.  Please also note that the step above explains the configuration for
Exchange Web Services (EWS).  EMS tasks are available to configure other services on the CAS
server such as OWA, OAB, RPC/HTTP.
You can also test whether the URL for Autodiscover and AS is accessible by opening it in a web
browser such as Internet Explorer.  That is a good way to see if there is any prompt about the
certificate.
Please also note that there may be some configuration involved with the NLB (ISA or a third-party
load-balancer).

 

I'm having name resolution issues/DNS issues.  I cannot resolve
autodiscover.<domain> from the CAS server running Availability Service. 
Cross-forest/cross-site requests are failing.

Of course, the ideal thing to do here is understand and fix your network and DNS.  However, you can also
try the following:
1) get SCP working (only for post-Beta2 Exchange 2007)
2) add an entry to the system32\drivers\etc\hosts file to redirect, e.g.
<ipaddress>  autodiscover.domainname

How can I see logging and tracing information for Availability
Service?

In order to debug free/busy failures, please look for event logs on your CAS server with Event
Source “MSExchange Availability”.
Some events that indicate configuration issues:
4001 – Availability Service could not discover an Availability Service in the remote forest.  You
need to make sure that AutoDiscover in the remote forest is working correctly.
4003 – Indicates a failure to look up free/busy information for legacy mailboxes.  This information
comes from public folders.  The root cause could be the public folders are not configured correctly
or AS has not been configured to look up public folders for the legacy mailboxes.  You may need
to run the add-AvailabilityAddressSpace cmdlet and configure AS to lookup public folders.
4004 – Unable to find a public folder server for the organizational unit.
4005 – Could not find information in Active Directory to allow cross-forest requests.  Please
configure cross-forest AS as described earlier in this document.
4011 – Indicates failure to find an AvailabilityAddressSpace object that is needed to proxy AS
request to a different forest.  Please use add-AvailabilityAddressSpace to configure cross-forest
AS as described earlier in this document.
Sometimes, it is useful to turn on tracing and send the trace logs to PSS/Exchange support.
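Added example (not from the wiki): the following PowerShell function pulls the last day of "MSExchange Availability" events from the Application log of a CAS server, groups them by event ID and attaches the hints listed above for the configuration-related IDs, so the most frequent failure is visible at a glance. It assumes PowerShell 2.0 or later and read access to the event log on the server named in -ComputerName.

```powershell
# Added example (not from the wiki): summarise MSExchange Availability events on a CAS server.
# Assumes PowerShell 2.0+ (Get-EventLog -ComputerName) and event log read access.

function Get-AvailabilityConfigEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

    # hints for the configuration-related event IDs described in this FAQ
    $hints = @{
        4001 = 'Remote-forest AutoDiscover not reachable; verify AutoDiscover in the remote forest'
        4003 = 'Legacy (public folder) free/busy lookup failed; check PF replicas and Add-AvailabilityAddressSpace -AccessMethod PublicFolder'
        4004 = 'No public folder server found for the administrative group'
        4005 = 'Missing Active Directory configuration for cross-forest requests'
        4011 = 'No AvailabilityAddressSpace object for the target forest'
    }

    Get-EventLog -LogName Application -ComputerName $ComputerName -Source 'MSExchange Availability' `
                 -After (Get-Date).AddHours(-$Hours) |
        Group-Object EventID |
        Sort-Object Count -Descending |
        ForEach-Object {
            $id = [int]$_.Name
            New-Object PSObject -Property @{
                EventID     = $id
                Count       = $_.Count
                Hint        = $hints[$id]       # null for IDs this FAQ does not describe
                LastMessage = ($_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1).Message
            }
        }
}

Get-AvailabilityConfigEvents | Format-Table EventID, Count, Hint -AutoSize -Wrap
```

Events whose Hint column is empty are not covered by the list above; read their LastMessage text directly, or turn on tracing as the paragraph above suggests.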

3. Configuring Cross-Forest Availability Service

Cross-Forest Availability Service

Cross-Forest AS

How do I configure cross-forest availability service?


Cross-forest availability can be across trusted or untrusted forests.  The granularity of free/busy
information is determined by whether cross-forest free/busy has been configured as per-user or
org-wide.  Per-user free/busy is possible only in a trusted cross-forest topology and makes it
possible for Availability Service to make cross-forest requests on behalf of a particular user.  This
essentially makes it possible for a user in a remote forest to grant more granular or detailed
free/busy to a cross-forest user.  On the other hand, with org-wide free/busy, Availability Service can
make cross-forest requests only on behalf of a particular organization.  With org-wide free/busy, a
user's default free/busy information is returned and it is not possible to control the granularity of
free/busy information given to users in the other forest.

TRUSTED CROSS-FOREST
You can configure AS for per-user free/busy using the following commands:

Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "<remote forest domain>\Exchange CAS Servers"

On the local (requesting) CAS:
In order to configure per-user free/busy, you will need to run the following command:

Add-AvailabilityAddressSpace -ForestName <remote forest> -AccessMethod PerUserFB -UseServiceAccount:$true

If needed, you can also turn off the proxy by using a key in the web.config file:
<add key="bypassproxyforcrossforestrequests" value="1" />


To configure 2-sided cross-forest, repeat these steps in the other direction.
_______________________________________________________________
  1. To create a trust:
    1. Run domain.msc and raise both the domain and forest functional levels to Windows 2003.
    2. Open Properties on one domain and go to the Trusts tab.  Create a 1-way (the target
       forest should trust the source forest) or 2-way forest trust between the two forests.
  2. GALsync: run Identity Integration Server to create custom recipients.
    1. Requirements for running IIS: Windows 2003 Enterprise Server, .NET Framework 1.1,
       SQL Server SP3
    2. Create a management agent (MA) for each domain:
      i.    type GAL sync
      ii.   select Users container
      iii.  select a target container (e.g. make an OU named 'Contacts')
      iv.   add the SMTP mail suffix for the domain
      v.    Tools | Options | Enable Provisioning Rules Extension
      vi.   Run -> Full Import (Stage Only), on each MA (import means import from this
            MA's forest to the SQL database)
      vii.  Run -> Full Import and Full Synchronization, on each MA
      viii. Run -> Export (export means export from the SQL database to this
            management agent's forest only)
      ix.   Done!
  3. For public folder free/busy replication: set up IORepl.

UNTRUSTED CROSS-FOREST
On the cross-forest (target) CAS:
Set the orgwide account on the availability-config object:

set-availabilityconfig -orgwideaccount "mail.foo.com\orgwide_user" (for example)

Add the availability address space config object for the other forest. First check what the
msExchAvailabilityOrgWideAccount is on the Availability Configuration object on the target
forest - these are the credentials you need to specify with get-credential:

$a = get-credential  (enter the credentials for orgwide_user in domain mail.foo.com)

add-availabilityaddressspace -forestname <remote forest – mail.foo.com, for example>
-accessmethod orgwidefb -credential:$a

Exchange 2007 Forest -  Exchange 2003 Forest
Please make sure that public folder replication works correctly between the Exchange 2007 and
Exchange 2003 forests.
This command should be run as a one-time setup step on any server in the Exchange 2007 forest:

Add-AvailabilityAddressSpace -ForestName:<forest name e.g. foo.com> -AccessMethod:PublicFolder

How does AS determine which Exchange 2003 server (PF server) to
issue the free/busy request to?

The OU is obtained from the legacy DN of both the server and the user.  The users in an AS request
are grouped according to their admin group (same as OU in legacy Exchange).  AS uses the
legacy DN of the servers to bucket the PF(s) and then uses the user's legacy DN to key into the PF
bucket.
 
In Beta-2, AS will try only the first PF in the list.  For RTM, AS is making this functionality more
robust by trying other servers in the list if there was an exception looking up free/busy information
on the first public folder server.  The workaround for this issue in Beta2 is to make sure all public
folders have S+ Free/Busy information replicated.
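To make the bucketing concrete, here is an added PowerShell model (not the wiki's and not Exchange's own code) of the selection described above: public folder servers are bucketed by the ou= component of their legacyExchangeDN, the users in a request are grouped the same way, and each group is served from its bucket, trying the next server when one fails, which is the RTM behaviour the previous paragraph describes (Beta2 stops after the first). The legacyExchangeDN values are constructed, and the $Probe script block stands in for the HTTP free/busy lookup against a server's /public vdir.

```powershell
# Added example (not from the wiki): model of PF server selection by administrative group.
# legacyExchangeDN values below are constructed; $Probe stands in for the HTTP lookup.

function Get-AdminGroup {
    param([string]$LegacyDn)
    # the ou= component of a legacyExchangeDN is the administrative group
    if ($LegacyDn -match '/ou=([^/]+)') { return $matches[1] }
    return $null
}

function Select-FreeBusyServers {
    param([string[]]$ServerLegacyDns, [string[]]$UserLegacyDns, [scriptblock]$Probe)

    # bucket the public folder servers by administrative group, keeping the order given
    $buckets = @{}
    foreach ($dn in $ServerLegacyDns) {
        $ag = Get-AdminGroup $dn
        if (-not $ag) { continue }
        if (-not $buckets.ContainsKey($ag)) { $buckets[$ag] = @() }
        $buckets[$ag] += ($dn -split '/cn=')[-1]      # last cn= component is the server name
    }

    # group the requested users the same way and key each group into its bucket
    $results = @{}
    foreach ($group in ($UserLegacyDns | Group-Object { Get-AdminGroup $_ })) {
        $chosen = $null
        if ($group.Name -and $buckets.ContainsKey($group.Name)) {
            foreach ($server in $buckets[$group.Name]) {
                # RTM behaviour: on an exception move to the next server in the bucket
                # (Beta2 stops after the first one)
                if (& $Probe $server) { $chosen = $server; break }
            }
        }
        foreach ($user in $group.Group) { $results[$user] = $chosen }
    }
    return $results
}

# constructed sample data
$servers = @(
    '/o=Contoso/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=PF01',
    '/o=Contoso/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=PF02',
    '/o=Contoso/ou=Europe/cn=Configuration/cn=Servers/cn=PF03')
$users = @(
    '/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=alice',
    '/o=Contoso/ou=Europe/cn=Recipients/cn=bob',
    '/o=Contoso/ou=Asia/cn=Recipients/cn=carol')
# constructed probe: PF01 is "down", every other server answers
$probe = { param($server) $server -ne 'PF01' }

Select-FreeBusyServers $servers $users $probe
```

With the constructed data, alice is served from PF02 (PF01 failed and the fallback moved on), bob from PF03, and carol gets no server because no PF server carries her administrative group, which is the situation event 4004 reports.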

Please refer to the following KB articles for more details about Schedule+ Free Busy folders:

 
http://support.microsoft.com/kb/813152/en-us
http://support.microsoft.com/kb/322196/en-us
 

4. Configuring SSL/Certificates to make Availability Service/Autodiscover work

Can anyone give me a simple explanation for how Autodiscover
would typically be deployed? Do I really need two autodiscover
sites?  If so, why?  What is the deal with the self-issued cert?  If a
customer was to deploy this, would they typically get rid of the self-
issued cert and replace it with a cert from a trusted CA (Verisign,
Thawte, etc)?

Autodiscover can be deployed off the same site as other exchange services
(domain.com/autodiscover) or a separate site (autodiscover.domain.com/autodiscover). If your
email domain and your organization's public site are the same and the public site is highly trafficked,
then you may not want to host autodiscover off the org's public site. Hence a separate
namespace/site is recommended for autodiscover service.

Based on your deployment scenario, you can have a single site or two sites. If you include a
firewall, like ISA, into the equation, the FW will have the 2 listeners (one for autodiscover and the
second one for the other exchange services such as owa, ews, sync, etc) and certs assigned to it.
The CAS servers can be configured with one site on it with a cert that includes both namespaces
(using subject alternate name in the certificate). Find attached diagram which depicts this.

It is not recommended to run external sites with self-signed certs, so customers would use certs
from a trusted CA. One can leave the self-signed cert on the machine, but the services can be
updated to use the new certificate.

new-ExchangeCertificate creates certificates or cert request.  Enable-ExchangeCertificate assigns
an existing cert to various services. We would expect most orgs to use cert issued by internal CAs
on the intranet sites.

I have an Exchange 2007 CAS server and I run Auto-Discover, OWA and EWS on that server.
How can I get AutoDiscover and Availability Service to work, given that I will need separate
certificates for autodiscover.foo.com and myapps.foo.com (the URL for EWS/Availability Service)?

It is possible to get a certificate working with more than one machine/host name – and thus a single
ISA listener and a single IIS web site.  The way this is done is by adding additional DNS names to
a certificate’s “Subject Alternative Name” property. 

As an example, here’s a cert from one of our servers – SSL works for any of the host names listed
below:

Certificate

Since you need to get certificates for Internet-facing connections from a trusted 3rd party Certificate
Authority the question is whether you can get your CA to issue you such a cert.  You could ask –
or if you’ve got a good relationship with them, you could generate a cert request and see if they’ll
give you a properly formatted certificate with the extra Subject Alternative Name values.

Assuming you can get such a certificate, the work on your side would be to create a proper
certificate request.  We added tasks to Beta 2 to do just this.  On your ISA server, you’ll likely
need to map myapps.foo.com and autodiscover.foo.com.  (I’m guessing you have Internet DNS
entries that point to an IP address for this.)  On your CAS server, you’ll probably need
myapps.foo.com, autodiscover.foo.com, machine1.corp.foo.com
and maybe machine1.

To create a certificate request from E2007 Beta 2 MSH command line for the Internet
hostnames/ISA server:

new-ExchangeCertificate -GenerateRequest -Base64Encoded:$true -DomainName myapps.foo.com,autodiscover.foo.com -FilePath c:\certreq_internet.txt


for the intranet/CAS hostnames:
new-ExchangeCertificate -GenerateRequest -Base64Encoded:$true -DomainName myapps.foo.com,autodiscover.foo.com,machine1.corp.foo.com,machine1 -FilePath c:\certreq_intranet.txt


For the intranet/CAS certificate, you should be able to cut ‘n’ paste the request on one of your
trusted organizational Windows Certificate Servers via the “Advanced Certificate Request” web
page, where it says “Submit a certificate request by using a base-64-encoded CMC or PKCS #10
file, or submit a renewal request by using a base-64-encoded PKCS #7 file.” 

You’ll get back a .CER file that you can import to each machine. 
On the ISA server, you’ll need to import the cert following usual steps. 
On the CAS server, you can do the following to import and assign certificates to CAS services:

import-exchangecertificate -path c:\certificate.cer |
enable-exchangecertificate -services iis,pop,imap
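The DNS requirements from the NLB question earlier and the certificate requirements from this section can be checked together. The following PowerShell function, added here and not part of the wiki, builds the list of host names Outlook will contact (autodiscover.<domain> and <domain> for each authoritative accepted domain, plus the hosts in the configured EWS URLs), resolves each in DNS, checks whether it resolves to the NLB address you pass in, and checks whether a certificate enabled for IIS lists it in its CertificateDomains (the Subject Alternative Name list). It uses the Exchange 2007 cmdlets Get-AcceptedDomain, Get-WebServicesVirtualDirectory and Get-ExchangeCertificate and assumes PowerShell 2.0 or later; the NLB address 10.0.0.50 is a placeholder.

```powershell
# Added example (not from the wiki): check DNS and SAN coverage for the names Outlook uses.
# Assumes Exchange 2007 Management Shell on a CAS server; 10.0.0.50 is a placeholder NLB address.

function Test-ServiceNameCoverage {
    param([string[]]$ExpectedAddresses)

    # 1. every host name Outlook may contact: AutoDiscover names per accepted domain + EWS URL hosts
    $names = @()
    foreach ($d in (Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' })) {
        $names += "autodiscover.$($d.DomainName)"
        $names += "$($d.DomainName)"
    }
    foreach ($vdir in Get-WebServicesVirtualDirectory) {
        foreach ($u in @($vdir.InternalUrl, $vdir.ExternalUrl)) { if ($u) { $names += $u.Host } }
    }
    $names = $names | Sort-Object -Unique

    # 2. SAN entries of every certificate currently enabled for IIS on this CAS
    $certNames = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_" }

    # 3. per name: does it resolve, does it reach the NLB, and is it on the certificate
    foreach ($n in $names) {
        $addrs = $null
        try { $addrs = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString } } catch { }
        $parent = $n -replace '^[^.]+\.', ''
        $onCert = ($certNames -contains $n) -or ($certNames -contains "*.$parent")   # exact or wildcard SAN
        New-Object PSObject -Property @{
            Name          = $n
            Resolves      = [bool]$addrs
            PointsToNlb   = [bool]($addrs | Where-Object { $ExpectedAddresses -contains $_ })
            OnCertificate = $onCert
        }
    }
}

Test-ServiceNameCoverage -ExpectedAddresses '10.0.0.50' |
    Format-Table Name, Resolves, PointsToNlb, OnCertificate -AutoSize
```

The bare <domain> name usually belongs to the organization's public web site, so PointsToNlb and OnCertificate being false for it only means Outlook will rely on the autodiscover.<domain> name. For autodiscover.<domain> and for the EWS URL hosts, all three columns should be true; any name with OnCertificate false is one to add to the -DomainName list when generating the request shown above.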

5.   What is changing post-Beta2

So, if I understand correctly, in order to get Outlook2007/Exchange
2007 free/busy to work correctly, I need to buy a certificate and
make sure it works?  I just have a test deployment and don’t want
to buy certificates at this time.

Yes, we realize the limitation of this design.  So, with Outlook 2007 B2TR (Technical Refresh for
Beta2), it is possible to use self-signed certificates if you are running Outlook 2007 on domain-
joined machines.  When running on the Intranet, OL2007 will ignore certificate mismatches.

Outlook 2007 depends on being able to find the Autodiscover service to use many new features in
Exchange 2007.  Unfortunately, Autodiscover doesn’t work out-of-box for intranet or Internet
clients.   This means that features that make Exchange2007 shine, like the Availability Service and
OOF++ will not be used by Outlook out-of-box.

To get these working, a successful E12 deployment requires that an Autodiscover service be
locatable in DNS, based on extracting the domain from an Outlook 2007 user's e-mail address
– e.g. exchange.microsoft.com or autodiscover.exchange.microsoft.com from
tmyerson@microsoft.com.  Along these lines, customers are familiar with configuring Internet DNS
to get outside mail flowing to their org and exposing their org's OWA and Server ActiveSync on
the 'Net.  Reusing or setting up additional Internet host records for Internet access to
Autodiscover will happen in due course.

When a user runs Outlook 2007 on the intranet, however, the client will resolve an Internet host
like autodiscover.microsoft.com, and there is a good chance the user will be prompted for
credentials if the request is proxied via anything less than ISA Server 2004.  The current solution
to this problem is for administrators to create a Host or Alias record in their internal DNS that
points to the internal IP address or addresses of the Client Access Server hosting the Autodiscover
service.  Customers do not generally need to configure internal DNS to get mail flowing inside
their organizations.

The complexity of manual steps required for DNS-based deployment means that customers will
need help to get Autodiscover working – and more help to keep it working.  Each new recipient
domain (microsoft.com, exchange.microsoft.com, windows.microsoft.com) means an additional,
manual DNS change is required.

We’ve been brainstorming ways to eliminate Autodiscover’s dependency on DNS in the intranet,
as it is very unlikely that we will be able to make an intranet DNS-based solution work out of the
box in a large number of customer deployments.   The ongoing maintenance of this solution will
become an administrative burden.
 
Once Outlook is able to connect to the Client Access Server hosting the Autodiscover service as
well as the Availability service – there’s the problem of encrypting the pipe.  In most out-of-the-box
cases, Exchange will configure self-signed certificates to use for SSL and these will cause Outlook
to prompt the user about a misconfigured server.  Users will either be alarmed by or be trained to
ignore the prompt – resulting in many helpdesk and PSS calls.
 
As well, the current DNS-based solution poses problems for Exchange hosting organizations that
have dozens or hundreds of e-mail domains – deploying an SSL certificate for each one of these is
not only cost-prohibitive, but also error prone.

We can make the Autodiscover service work reliably out of the box on our customers' intranets
by having clients search the Active Directory (AD) for Autodiscover "Service Connection Points."
See the MSDN reference on this topic.  Established precedents for using Service Connection
Points in exactly this way exist – intranet discovery of Microsoft UDDI Registry, SQL Server, AD
Application Mode (ADAM), Internet Authentication Service (IAS), etc. – and confirm the validity
of this option.
  
The change to Autodiscover deployment is as follows:

1. At CAS setup time, Autodiscover setup must correspondingly look for or create a Service
   Connection Point (SCP) object, under the container:

   CN=Autodiscover,CN=Protocols,CN=<CAS_SERVER>,CN=Servers,CN=Exchange Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,[Configuration Naming Context]

   where:
   a. objectCategory=Service-Connection-Point
   b. cn=[machine physical FQDN]
   c. serviceClassName=Exchange Autodiscover
   d. Keyword={77378F46-2C66-4aa9-A6A6-3E7A48B19596}

   If found, this is the object to update, as it contains the forest's authoritative list of
   Autodiscover service URLs.  If not, then the object should be created in this location, with the
   serviceBindingInformation attribute set to:
   https://[machine physical FQDN]/autodiscover/autodiscover.xml
   where [machine physical FQDN] is the server's ComputerInformation.PhysicalFullyQualifiedDomainName
   value.  This value is the physical DNS name of the machine.  Administrators may at a future time
   change this value to match the NLB name of the machine.

2. Ensure before saving the object that the well-known Authenticated Users account has
   effective "read" permission to the object, or log a warning, as this will mean that not all users
   will be able to search for and read the item.

3. CAS Uninstall must look up and remove the object added, and if no CAS server is left,
   delete the Autodiscover container.

Please use the following cmdlet to export your SCP settings to another forest:

Export-AutoDiscoverConfig

For example:

[MSH] $a = Get-Credential
At this point, the admin should use the username and password for the account with the necessary rights for the target forest:

Export-AutoDiscoverConfig -TargetForestDomainController dc-01.corp.contoso.com -TargetForestCredentials $a -MultipleExchangeDeployments:$true
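Added example (not part of the wiki): the following PowerShell function performs the lookup a client would make against the SCP objects described in step 1 above, searching the Configuration naming context for serviceConnectionPoint objects carrying the keyword GUID and reading their serviceBindingInformation, and then checks the condition from step 2 by looking for an Allow entry that grants Authenticated Users read rights on each object. It uses only System.DirectoryServices and assumes it runs on a domain-joined machine as a user who can read the configuration partition; the keyword is matched both with and without braces because AD stores the value without them.

```powershell
# Added example (not from the wiki): find Autodiscover SCP objects and check Authenticated Users can read them.
# Assumes a domain-joined machine and read access to the Configuration naming context.

function Get-AutodiscoverScp {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    # keyword GUID from step 1(d); AD stores it without braces, so match both forms
    $guid = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'
    $searcher.Filter = "(&(objectCategory=serviceConnectionPoint)(|(keywords=$guid)(keywords={$guid})))"
    $searcher.PageSize = 200
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'serviceClassName', 'serviceBindingInformation', 'distinguishedName'))

    $readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor `
                [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        # step 2: an explicit Allow for Authenticated Users with read rights on the object
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $authUsersRead = [bool]($rules | Where-Object {
            $_.IdentityReference.Value -like '*\Authenticated Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $readMask) -ne 0) })

        New-Object PSObject -Property @{
            Server        = [string]$result.Properties['cn'][0]
            ServiceClass  = [string]$result.Properties['serviceclassname'][0]
            BindingUrl    = [string]$result.Properties['servicebindinginformation'][0]
            AuthUsersRead = $authUsersRead
            DN            = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

Get-AutodiscoverScp | Format-Table Server, BindingUrl, AuthUsersRead -AutoSize
```

The permission check is a plain scan of explicit Allow entries: it does not evaluate Deny entries or nested group membership, so treat a false as a prompt to inspect the object's security settings rather than as proof either way. In Exchange 2007 RTM the same serviceBindingInformation value is also exposed as AutoDiscoverServiceInternalUri by Get-ClientAccessServer.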

Here is a slide that illustrates how Autodiscover will work with the SCP changes:

AutoDiscover using SCP

 

Attachments

Name          Version  Size  Date             User
OofTrace.zip  1        9416  8/21/06 1:31 PM  ashishco
OOF Trace


Last Modified 6/16/07 6:16 PM