The problem arose when I had to promote this server to a domain
controller. I also enabled it as a Global Catalog server (and yes I am
aware of the security issues of having T.S. on a DC but I had to do it
due to lack of budget).
All of the pre-existing users can successfully open Outlook 2007.
However, when I try to log in a newly created user and set up Outlook to
connect to the Exchange server it repeatedly pops up with a logon box
and no matter what username I put in.
Then I get the following error message if I cancel:
"Outlook cannot log on. Verify you are connected to the network and
are using the proper server and mailbox name. The connection to
Microsoft Exchange is unavailable. Outlook must be online or connected
to complete this action"
I've scoured much of the web, and followed these two kb articles with
no luck. Actually KB 927612 describes my problem to a T, but
unfortunately does not solve it.
http://support.microsoft.com/?id=927612
http://support.microsoft.com/default.aspx?scid=kb;EN-US;297801
Anyway, I hope someone can point me in the right direction. Thanks in
advance. -Vincent.
Youch. There are times when it's really a consultant's job to say no. Why
did you have to promote the server? It's recommended practice to have two
DCs, true - but given the choice I would have stuck with one DC and kept the
other server for TS. You shouldn't have users logging into a DC, and you
can't properly lock down TS if it's running on a DC.
They could get a cruddy old workstation box & a license for W2003 and
install that as a DC if you want two.
> All of the pre-existing users can successfully open outlook 2007.
> however when I try to login a newly created user and setup outlook to
> connect to the exchange server it repeatedly pops up with a logon box
> and no matter what username I put in.
>
> Then I get the following error message if I cancel:
>
> "Outlook cannot log on. Verify you are connected to the network and
> are using the proper server and mailbox name. The connection to
> Microsoft Exchange is unavailable. Outlook must be online or connected
> to complete this action"
>
> I've scoured much of the web, and followed these two kb articles with
> no luck. Actually KB 927612 describes my problem to a T, but
> unfortunately does not solve it.
>
>
> http://support.microsoft.com/?id=927612
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;297801
>
>
> Anyway, I hope someone can point me in the right direction. Thanks in
> advance. -Vincent.
Do you have TS profiles defined for these users in ADUC? (It's actually
easier/better to do this via GPO.) This is a must.
I suggest you post in microsoft.public.windows.terminal_services for more
help - this isn't really an Exchange issue. Good luck.
Ha, yeah, I knew I was going to get called out on that one, however the
other server that is a DC is W2k and is 9 years old, so I need to have
a DC that will do the job when it is gone and saying no to business is
a non option in this type of economy (especially since the company is
in the Building and Materials Industry and has a spending freeze).
As to your response, I'm not sure the TS Profiles solution is relevant
to my problem, since, by all means it seems that it's some sort of
communications problem as opposed to a profile problem (if I
understood you correctly). I will try posting this in the TS group.
Thanks a lot. v.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\<profile_name>\dca740c8c042101ab4b908002b2fe182
Add
Value name: DS Server
Data type: REG_SZ (string)
Value data: FQDN of the global catalog server
James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com
> Thanks a lot. v.
I tried putting in that reg entry for the 2 GC servers that we have
with no luck. For testing purposes (and since I am disabling it) I
installed Outlook 2002 on our old Windows 2000 server and it connected
with no problem. Am I to assume that this is an Outlook 2007 problem?
Can you create the profiles? Does Check Name work and underline and
resolve the names?
Do you have any other program or add-in on the TS that might be hooked
into Outlook or using mapi?
Hi, The Check Name is the part where it repeatedly asks for the logon
information to which no logon, including administrators log, works.
I successfully set this user up on a PC with Outlook 2007 with no
problem. It just seems to be a problem on this terminal server. I
also don't have any programs that are hooked into Outlook or MAPI.
Other users that were previously setup on this server are functioning
properly. If I turn on the "Connection Status" diagnostics window
during set, it just displays the following:
Server Name: My Server Name
Type: Directory
Interface: <blank>
Conn: TCP/IP
Status: Connecting
<every other field is blank>
If I try to use the "Test Email Autoconfiguration" It will display the
message
"an encrypted connection to your exchange is not available"
I have also tried to manually configure the email settings and set the
"Logon Network Security" to Kerberos or NTLM with no luck (at that
point it does not pop up with the Logon Box anymore)
I also tried netdiag and dcdiag on this server and everything passes.
I'm stuck here. Anyone have any ideas? Are there any more detailed
diagnostics I can get? Thanks.
DNS ok? You can resolve the Exchange server correctly and GCs etc.?
(I know other clients work but Outlook 2007 is a different beast.)
Dual Nics?
Correct entries on those NICs for DNS, gateways etc....
Is this Windows 2003 SP2?
Using NSlookup from the TS I can correctly resolve all of the servers
by name (the TS itself is a DNS server).
The server has 2 NICs but only one is in use, the other one is
disabled.
The Exchange server is Windows 2003 Standard Edition SP2, with
Exchange 2003 SP2. The Terminal Services server is Windows 2003
x64 SP2.
Well, I'm getting stuck. This all started after you promoted this TS to
a GC, right?
And of course it was rebooted and nothing in the event logs I imagine.
And you have run ExBPA against the Exchange server and accounted for
any SNP issues?
Yes, it started after I promoted it. I have rebooted the DC, but I
will try to reboot Exchange this weekend and see if it solves the
problem. The Exchange server was rebooted 2 weeks ago and after I
promoted the TS server to a DC, but not since I followed the steps in
the http://support.microsoft.com/?id=927612 article and not since I
made it a Global Catalog server.
I have just run the Exchange Best Practices Tool and nothing major
popped up. As far as the SNP, should I download the tool that disables
that on either server? It's my understanding that this is installed
by default on W2k3 SP2 and causes some random problems.
The event logs are clean on both servers, and I've looked at them
directly after trying to connect to see if anything was popping up.
Ah, it hasn't been rebooted since it was made a GC?
I would start there.
>
>I have just run the Exchange Best Practices Tool and nothing major
>popped up. As far as the SNP, should I download the tool that disables
>that on either server? It's my understanding that this is installed
>by default on W2k3 SP2 and causes some random problems.
Well, if your drivers are up to date and they support it, you should
be good. You could always simply disable the Chimney stuff to start.
[ snip ]
>>Yes, it started after I promoted it. I have rebooted the DC, but I
>>will try to reboot exchange this weekend and see if it solves the
>>problem. The exchange server was rebooted 2 weeks ago and after I
>>promoted the TS server to a DC, but not since I followed the steps in
>>the http://support.microsoft.com/?id=927612 article and not since I
>>made it a Global Catalog server
>
>Ah, it hasn't been rebooted since it was made a GC?
>I would start there.
There's something that's stuck in the recesses of my mind from years
ago. Check the "HKLM\Software\Microsoft\Exchange\Exchange Provider"
registry key on a user with the problem. The RPC_Binding_Order value
probably has the full complement of protocols in it
("ncalrpc,ncacn_ip_tcp,ncacn_spx,ncacn_np,netbios,ncacn_vns_spp").
Shorten that to just "ncacn_ip_tcp" or "ncacn_ip_tcp,ncacn_np" and see
if that makes a difference.
There used to be something fishy about using the ncalrpc protocol to
bind to a local directory service. Using just ncacn_ip_tcp always used
to make the problem disappear. Now, if I could only remember what the
problem was that this fixed!
---
Rich Matheisen
MCSE+I, Exchange MVP
Thanks guys, but unfortunately a reboot and the registry edit did not
fix this problem. I'm lost, I'm going to try and upgrade the network
drivers this week to see if that works. I might have to call MS if
that doesn't fix it. Luckily I haven't had to set up any new users in
the last week, but I have a feeling my luck's going to change soon.
I found a workaround for this. I went to a previously set up user on
the server and went to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\
I selected the profile name (mine was called outlook) and exported
this key.
I then dropped the reg file into the user's My Documents, logged in as
them, and then double-clicked to import that key into the new user's
profile.
Then I went into mail properties to change the name to the correct
user. The "check name" found the user with no problems (aka no login
box) and I was able to log in to the mailbox successfully.
My next question is, based on my workaround above, can anyone think of
a more permanent solution to this problem? or why it may be happening
in the first place?
[ snip ]
>I found a workaround for this. I went to a previously set up user on
>the server and went to the following registry key:
>
>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\
>
>I selected the profile name (mine was called outlook) and exported
>this key.
>
>I then dropped the reg file into the user's My Documents, logged in as
>them, and then double-clicked to import that key into the new user's
>profile.
>
>Then I went into mail properties to change the name to the correct
>user. The "check name" found the user with no problems (aka no login
>box) and I was able to log in to the mailbox successfully.
>
>My next question is, based on my workaround above, can anyone think of
>a more permanent solution to this problem? or why it may be happening
>in the first place?
Sounds more like there's something in the profile that's causing the
problem.
Check the value in the key that starts with dca74....... The value
001f662a should be the FQDN of the global catalog. If it's not, remove
the value from the key.
Is the "Closest GC" value set to 1 in
HKLM\Software\Microsoft\Exchange\Exchange Provider? Set it to 0. That,
together with the missing 001f662a value should force the client to
ask the Exchange server for a referral to a GC.
I doubt it is something with the outlook profile, since this setup
happened on another newly created user.
I also tried to manually set that "001f662a" to my GC on a new profile
by copying the binary value on a working account and copying it to a
non working account, and it still continued to ask me for a login.
Also, the "Closest GC" registry entry you're talking about, I assume
that's a DWORD, right? Do I need to restart the Exchange services for
this to go into effect?
[ snip ]
>I doubt it is something with the outlook profile, since this setup
>happened on another newly created user.
No doubt. But I have in idea what's in the profile you copied to make
this work.
>I also tried to manually set that "001f662a" to my GC on a new profile
>by copying the binary value on a working account and copying it to a
>non working account, and it still continued to ask me for a login.
I didn't say to change it, I said to delete it.
>Also, the "Closest GC" registry entry you're talking about, I assume
>that's a DWORD, right?
If it's not there then it doesn't matter.
>Do I need to restart the Exchange services for
>this to go into effect?
What exchange services are running at the client's session? None, I
hope.
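
An added example, not part of the original thread: a read-only PowerShell report of the registry values the posts above discuss (`001f662a`, `DS Server`, `Closest GC`, `RPC_Binding_Order`), so a working and a failing user's settings can be compared side by side. The profile name `Outlook` is an assumption, as is the decoding of binary values as UTF-16LE strings; the `Wow6432Node` path is the view a 32-bit process gets of `HKLM\Software` on x64 Windows.

```powershell
# Added example (not from the thread): read-only report, changes nothing.
# Assumption: the MAPI profile is named "Outlook"; edit $ProfileName to match.
$ProfileName = 'Outlook'
$Section     = 'dca740c8c042101ab4b908002b2fe182'   # subkey named in the thread
$ProfileKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\' +
               "Windows Messaging Subsystem\Profiles\$ProfileName\$Section"

# "Exchange Provider" as seen by 64-bit and by 32-bit processes on x64 Windows.
$ProviderKeys = @(
    'HKLM:\Software\Microsoft\Exchange\Exchange Provider',
    'HKLM:\Software\Wow6432Node\Microsoft\Exchange\Exchange Provider'
)

function Get-RegText([string]$Path, [string]$Name) {
    # Returns the value as text, or a marker when the key or value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return '<key not present>' }
    $item = Get-ItemProperty -LiteralPath $Path
    if ($null -eq $item) { return '<not set>' }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return '<not set>' }
    $v = $prop.Value
    # Assumption: binary profile values hold a UTF-16LE string (e.g. the GC FQDN).
    if ($v -is [byte[]]) {
        return [Text.Encoding]::Unicode.GetString($v).TrimEnd([char]0)
    }
    return "$v"
}

function Write-Row([string]$Label, [string]$Text) {
    '{0,-28} {1}' -f $Label, $Text
}

"Profile key: $ProfileKey"
Write-Row '001f662a (GC FQDN)' (Get-RegText $ProfileKey '001f662a')
Write-Row 'DS Server'          (Get-RegText $ProfileKey 'DS Server')

foreach ($key in $ProviderKeys) {
    "Provider key: $key"
    Write-Row 'Closest GC'        (Get-RegText $key 'Closest GC')
    Write-Row 'RPC_Binding_Order' (Get-RegText $key 'RPC_Binding_Order')
}
```

Run it once inside a working user's terminal server session and once inside a failing user's session, then compare the two outputs line by line.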