Configuration Tips and Common Troubleshooting Steps For Multiple Forest Deployment of Auto Discover Service

Overview

The Autodiscover service for Microsoft Exchange Server 2007 provides automatic profile configuration for
Microsoft Office Outlook 2007 clients that are connected to your Exchange messaging environment.

When you install the Client Access server (CAS) role on a computer running Exchange 2007, a new virtual
directory is created under the Default Web Site in Internet Information Services (IIS). In Active Directory, a
Service Connection Point (SCP) object is created that allows all domain-connected clients running Outlook 2007 to
query Active Directory and configure the Outlook profile automatically.

Many organizations have complex topologies with multiple forests, where Exchange runs in a resource
forest and a separate accounts forest contains the user accounts for the organization. In the multiple trusted forest
scenario, the user accounts and Microsoft Exchange are deployed in multiple forests. Exchange 2007 features such
as the Availability service and Unified Messaging rely on the Autodiscover service to access user accounts across
forests. In this scenario, the Autodiscover service must be available to users across multiple trusted forests.

The intention of this post is not to explain how Autodiscover works, how to implement it for multiple forests, or
troubleshoot every scenario. It is a brief, practical list of tips for use during the deployment and covers some
common examples and methods to resolve issues.

For more details on how Exchange 2007 Autodiscover works and on deployment considerations, see the white paper:
Exchange 2007 Autodiscover Service and Deployment Considerations for the Autodiscover Service

Configuration tips

These tips assume that Exchange 2007 is installed in the Fourthcoffee.com Exchange 2007 resource forest and
that the user accounts are located in the Nwtraders.com accounts forest.

1. Verify that DNS Name resolution works between the Exchange 2007 resource forest and the Account forest.

2. A one-way outgoing trust relationship is required between the Exchange 2007 forest and the accounts forest. Test
the trust relationship between forests. For detailed steps, see Create a one-way, outgoing, forest trust for both sides
of the trust.

3. Verify that the mailbox you are testing is a Linked Mailbox (a mailbox that is assigned to an individual user in a
separate, trusted forest), that the user from the account domain has full access, and that you are testing the correct
SMTP address configured for the mailbox. See Understanding Recipients.

4. Review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP)
object for each Exchange 2007 Client Access server.

CN=<CAS_SERVER>,CN=Autodiscover,CN=Protocols,CN=<CAS_SERVER>,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<ORG>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=Fourthcoffee,DC=com

• Keywords contains by default the name of the site in which the Client Access server resides. The Keywords
attribute controls site affinity, which helps Outlook 2007 find the best CAS.
• ServiceBindingInformation contains by default the Autodiscover URL
https://cas_server.domain/autodiscover/autodiscover.xml

5. When you install the Client Access role, a self-signed certificate is installed by default which has a common name
that maps to the NetBIOS name of the server. The self-signed certificate also includes the FQDN of the server as
an additional DNS name that is stored in the certificate's Subject Alternative Name field. This enables
domain-connected clients to successfully connect to the Autodiscover service without receiving any certificate warnings if
the certificate has not expired and the FQDN of the server you are connecting to is stored in the Subject Alternative
Name of the certificate. For details, see: Autodiscover and Certificates

6. After you run the Export-AutoDiscoverConfig cmdlet, make sure that all Service Connection Point objects were
created in the Accounts forest (Nwtraders.com).

CN=Fourthcoffee.com,CN=Microsoft Exchange
Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com

7. Review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP)
object in the Accounts forest (Nwtraders.com).

• Keywords in this case should contain the SMTP domain of every authoritative Accepted Domain created under
Organization Configuration – Hub Transport – Accepted Domains tab.
• ServiceBindingInformation will contain LDAP://Fourthcoffee.com (the Exchange 2007 resource forest).

8. From the Outlook 2007 client in the Accounts forest (Nwtraders.com), verify that you can connect to the Exchange
2007 resource forest on port 389. For example: Telnet Fourthcoffee.com 389.

9. From the Outlook 2007 client in the Accounts forest (Nwtraders.com), confirm that you are able to access the
Autodiscover URL https://cas_server.domain/autodiscover/autodiscover.xml from the ServiceBindingInformation
attribute in step 4.

10. Every time you create a new authoritative Accepted Domain under Organization Configuration – Hub Transport
– Accepted Domains tab, you have to run the Export-AutoDiscoverConfig cmdlet. For more details, see: Managing
Accepted Domains

Common troubleshooting steps

1. Check DNS name resolution. Since the PDC Emulator controls the trust relationship between the domains,
check whether the PDC emulator from each forest can ping the domain name.

• From the PDC on Fourthcoffee.com, ping nwtraders.com
• From the PDC on Nwtraders.com, ping Fourthcoffee.com (Exchange 2007 resource forest)
• From the Outlook 2007 client on Nwtraders.com, ping Fourthcoffee.com

Note: If this step fails, you need to review your DNS name resolution:

• DNS client configuration
• DNS server Primary, Secondary and Stub zones
• DNS Forward and Root Hints options

2. Test Trust relationship between the two forests. A one-way outgoing trust is required between the Exchange
forest and the accounts forest. For detailed steps, see Create a one-way, outgoing, forest trust for both sides of the
trust.

Run domain.msc on a domain controller, or use the Netdom.exe command, to validate the domain trust relationship.

Netdom trust trusting_domain_name /domain:trusted_domain_name /verify

The trust between nwtraders.com and fourthcoffee.com has been successfully verified
The command completed successfully.

3. Verify that the Master Account has full access to the Linked Mailbox, and verify the SMTP address, using the
cmdlets Get-Mailbox and Get-MailboxPermission. See How to Create a Linked Mailbox.

Get-Mailbox <mailbox_user> | fl
PrimarySmtpAddress : Char@fourthcoffee.com
RecipientType : UserMailbox
RecipientTypeDetails : LinkedMailbox
IsLinked : True
LinkedMasterAccount : NWTRADERS\Char

Get-MailboxPermission <mailbox_user> | fl
AccessRights : {FullAccess, ExternalAccount}
InheritanceType : All
User : NWTRADERS\Char
Identity : Fourthcoffee.com/Users/Char

4. To review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP)
object for each Exchange 2007 Client Access server, you can use the ldifde.exe command, Adsiedit.msc or the
Get-ClientAccessServer cmdlet.

Ldifde.exe -f scp.txt -d "CN=<cas_server>,CN=Autodiscover,CN=Protocols,CN=<cas_server>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=vandyr136711org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fourthcoffee,DC=com"

Get-ClientAccessServer | fl *Auto*
AutoDiscoverServiceCN : CAS_SERVER
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://cas_server.fourthcoffee.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}

Note: Keywords and ServiceBindingInformation

5. Review the Exchange certificate on the Client Access server using the command Get-ExchangeCertificate and
verify the following attributes: CertificateDomains, Services, Status, IsSelfSigned, Issuer and Subject. For more
details, see: Autodiscover and Certificates

Get-ExchangeCertificate | fl
CertificateDomains : {mail.fourthcoffee.com, TX136711-MS1, TX136711-MS1.fourthcoffee.com, Fourthcoffee.com, autodiscover.Fourthcoffee.com }
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Fourthcoffee, DC=Fourthcoffee, DC=com
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=mail.fourthcoffee.com

6. To review the Keywords and ServiceBindingInformation attributes in the Service Connection Point (SCP)
object in the Accounts forest, you can use the ldifde.exe command or Adsiedit.msc.

Ldifde -f scp_account.txt -d "CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com"

dn: CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com
distinguishedName: CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=Nwtraders,DC=com
keywords: Domain=Nwtraders.com
keywords: Domain=Fourthcoffee.com
keywords: 67661D7F-8FC4-4fa7-BFAC-E1D7794C1F68
serviceBindingInformation: LDAP://Fourthcoffee.com

7. Every time you create a new authoritative Accepted Domain under Organization Configuration – Hub Transport
– Accepted Domains tab, you have to run the Export-AutoDiscoverConfig cmdlet.

On an Exchange 2007 Client Access server in the source forest, run the following command to retrieve the
credentials that you will use to run the Export-AutoDiscoverConfig cmdlet:

$a = Get-Credential

Export-AutoDiscoverConfig -DomainController <FQDN> -TargetForestDomainController <String> -TargetForestCredential $a -MultipleExchangeDeployments $true
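
The checks from configuration tips 7 and 10 and troubleshooting steps 6 and 7, as an added PowerShell example that is not part of the original post: it parses an ldifde export of the Accounts forest SCP and reports accepted domains that lack a Domain= keyword, or a serviceBindingInformation value that references a forest other than the expected one. The function name Test-AutodiscoverScpExport, the embedded sample export and the domain newdomain.example are assumptions made for illustration.

```powershell
# Added example (not from the original post). $ldif is a constructed sample
# modelled on the scp_account.txt export shown in troubleshooting step 6.
$ldif = @'
dn: CN=Fourthcoffee.com,CN=Microsoft Exchange Autodiscover,CN=Services,
 CN=Configuration,DC=Nwtraders,DC=com
keywords: Domain=Nwtraders.com
keywords: Domain=Fourthcoffee.com
keywords: 67661D7F-8FC4-4fa7-BFAC-E1D7794C1F68
serviceBindingInformation: LDAP://Fourthcoffee.com
'@

# Test-AutodiscoverScpExport is a hypothetical helper name, not an Exchange cmdlet.
function Test-AutodiscoverScpExport {
    param(
        [string]$LdifText,           # contents of the ldifde export
        [string[]]$AcceptedDomains,  # authoritative accepted domains you expect
        [string]$ResourceForest      # forest the SCP is expected to reference
    )
    # LDIF folds long values: a line starting with one space continues the previous line.
    $text = $LdifText -replace "\r?\n ", ""
    $keywords = @(); $bindings = @()
    foreach ($line in ($text -split "\r?\n")) {
        if ($line -match '^keywords:\s*(.+)$') { $keywords += $Matches[1].Trim() }
        elseif ($line -match '^serviceBindingInformation:\s*(.+)$') { $bindings += $Matches[1].Trim() }
    }
    $findings = @()
    # Every authoritative accepted domain needs its own Domain=<name> keyword.
    foreach ($d in $AcceptedDomains) {
        if ($keywords -notcontains "Domain=$d") {
            $findings += "Missing keyword Domain=$d; re-run Export-AutoDiscoverConfig"
        }
    }
    # The binding must reference the expected resource forest and nothing else.
    if ($bindings.Count -eq 0) { $findings += "No serviceBindingInformation value found" }
    foreach ($b in $bindings) {
        if ($b -ne "LDAP://$ResourceForest") {
            $findings += "Unexpected serviceBindingInformation: $b"
        }
    }
    $findings   # one string per problem found
}

# Check the sample against the two domains shown on the page.
Test-AutodiscoverScpExport -LdifText $ldif -AcceptedDomains 'Nwtraders.com','Fourthcoffee.com' -ResourceForest 'Fourthcoffee.com'
# Same export checked after a new accepted domain was added (placeholder name).
Test-AutodiscoverScpExport -LdifText $ldif -AcceptedDomains 'Nwtraders.com','Fourthcoffee.com','newdomain.example' -ResourceForest 'Fourthcoffee.com'
```

To check a real export, pass the contents of scp_account.txt as -LdifText, joined into a single string with newlines.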

Related reading:

White Paper: Exchange 2007 Autodiscover Service
http://technet.microsoft.com/en-us/library/bb332063.aspx#HowtoConfigureExchangeServices

How to Configure the Autodiscover Service for Multiple Forests
http://technet.microsoft.com/en-us/library/aa996849(EXCHG.80).aspx

How to Configure the Autodiscover Service to Use Site Affinity
http://technet.microsoft.com/en-us/library/aa998575(EXCHG.80).aspx

How to Configure the Autodiscover Service for Cross Forest Moves
http://technet.microsoft.com/en-us/library/bb201665(EXCHG.80).aspx

How to Deploy Exchange 2007 in an Exchange Resource Forest Topology
http://technet.microsoft.com/en-us/library/aa998031.aspx

Understanding Recipients
http://technet.microsoft.com/en-us/library/bb201680(EXCHG.80).aspx

How to Create a Linked Mailbox
http://technet.microsoft.com/en-us/library/bb123524(EXCHG.80).aspx

How to Convert a Mailbox to a Linked Mailbox
http://technet.microsoft.com/en-us/library/bb201694.aspx

Autodiscover and Certificates
http://technet.microsoft.com/en-us/library/bb332063.aspx#ADAndCertificates
