
Exchange 2007 RPC over HTTPS issues


Adam Stasiak

May 5, 2011, 10:34:14 AM
I've been over this in every conceivable way and can't figure out what is wrong.
I have two all-in-one (client access, mailbox, hub transport) Exchange servers (psmail and momail) at two different sites.

If I try:
rpcping -t ncacn_http -o RpcProxy=mail.evpod.com -P "astasiak,evpod,*" -H 1 -F 3 -a connect -u 9 -v 3 -s psmail -I "astasiak,evpod,*" -e 6001
rpcping -t ncacn_http -o RpcProxy=mail.evpod.com -P "astasiak,evpod,*" -H 2 -F 2 -a connect -u 10 -v 3 -s psmail -I "astasiak,evpod,*" -e 6004

(mail.evpod.com is the external address for psmail.)
I get error 1722. Same thing happens if I use fqdn (psmail.evpod.local).
If I try against the other server (momail) the 6001 ping succeeds (6004 still fails).
Same thing happens if I use the external address of MOMAIL. I can't rpcping it on either, but can ping PSMAIL on 6001.

I can connect with telnet to both servers on 6001, 2, and 4. (However, 6002/4 just display a cursor on connect; only 6001 prints ncacn_http.)
rpcping with just -E works just fine on both servers.
I've checked authentication and certificate on both RPC virtuals.
I've turned IPv6 off and on again.
I've even uninstalled and reinstalled the RPC-HTTP proxy.
I've checked validports many times.
I've checked IIS logs and the requests seem to be just fine.

I'm at my wits' end.
There are two things I can't explain:
One of the suggestions from testexchangeconnectivity.com was DNS issues.
When I try to ping (normal ICMP ping) PSMAIL from itself, it resolves to the IPv6 address fe80::1%1. Same for MOMAIL.

Both servers are Exchange 2007 SP3 (v8.3 build 83.6) with the most recent update rollup. Running on Windows 2003 R2. Separate DCs (one on Windows 2008, one on 2003).

When I run rpcdump it comes back "0 registered endpoints found."

Update:
Well, totally removing IPv6 seemed to get the rpcping to 6001 to work. However it is still not able to work on 6004 (NSPI).

This post:

http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/thread/9bdb72a5-1557-4713-afa8-68c06b9bac7b/

Suggests:

1. On the Mailbox servers: a DWORD entry needs to be created on each Mailbox server named "Do Not Refer HTTP to DSProxy" at HKLM\System\CCS\Services\MSExchangeSA\Parameters\ and the value set to 1

2. On CAS server, set following registry keys:

a. The ValidPorts setting at HKLM\Software\Microsoft\RPC\RPCProxy needs setting so that the entries referring to 6004 point to DC servers in addition to the mailbox server.

b. The PeriodicPollingMinutes key at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator\ needs setting to zero to prevent RpcHttpConfigurator from updating the Valid Ports key automatically.

3. On the Global Catalog servers: a REG_MULTI_SZ entry needs to be created on each GC named NSPI interface protocol sequences at HKLM\System\CCS\Services\NTDS\Parameters\ and the value set to ncacn_http:6004. After that, please restart the GC.

While I can certainly do the above, I need to add the appropriate ports on the GC servers to the Valid Ports Key. Is that determined by HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port? (currently 53211) Or by "NSPI interface protocol sequences"? (which would make it 6004, same as on exchange server) Or by something else?
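
The ValidPorts value in the quoted step 2a is the allowlist of host:port pairs that the RPC proxy will forward to, written as semicolon-separated `host:port` or `host:low-high` entries. As an added example, not part of the original post: a Python check that expands a ValidPorts string and reports required pairs that are missing and pairs that are allowed but not needed. The host `dc1`, the sample string and the required-port table are constructed; 6004 for the GC follows the quoted step 3 and is only an input here, so the check takes no position on the question above.

```python
import re

ENTRY = re.compile(r"([^:]+):(\d+)(?:-(\d+))?")

def parse_valid_ports(value):
    """Expand "host:port;host:low-high;..." into a set of (host, port) pairs."""
    allowed = set()
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        m = ENTRY.fullmatch(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        host = m.group(1).lower()          # host names compare case-insensitively
        low = int(m.group(2))
        high = int(m.group(3) or m.group(2))
        if low > high or high > 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.update((host, port) for port in range(low, high + 1))
    return allowed

def audit(value, required):
    """Compare the allowlist against required {host: [ports]}.

    Returns (missing, extra): pairs the proxy needs but would refuse,
    and pairs it would forward to that nothing requires.
    """
    allowed = parse_valid_ports(value)
    wanted = {(h.lower(), p) for h, ports in required.items() for p in ports}
    return sorted(wanted - allowed), sorted(allowed - wanted)

# Constructed sample: FQDN entry for 6004 is absent, and the entry for the
# hypothetical GC "dc1" is a wider range than the single port it needs.
SAMPLE = ("psmail:6001-6002;psmail:6004;"
          "psmail.evpod.local:6001-6002;dc1:6000-6004")
REQUIRED = {
    "psmail": [6001, 6002, 6004],
    "psmail.evpod.local": [6001, 6002, 6004],
    "dc1": [6004],                  # assumption: GC port as in quoted step 3
    "dc1.evpod.local": [6004],
}

if __name__ == "__main__":
    missing, extra = audit(SAMPLE, REQUIRED)
    for host, port in missing:
        print(f"MISSING  {host}:{port}")
    for host, port in extra:
        print(f"EXTRA    {host}:{port}")
```

On a live CAS the string to feed in is the ValidPorts value under HKLM\Software\Microsoft\RPC\RPCProxy named in step 2a.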
