AdamTyler-3751 asked AdamTyler-3751 commented

Stuck trying to connect rpc/tcp after mailbox move

Hi everyone, I'm running into an issue with Outlook connectivity after mailbox moves from Exchange 2010 to Exchange 2016. Hoping someone can clarify where I've gone wrong. Basically the new Exchange 2016 server is isolated by strict firewall policy internally and only allows connections from clients on ports TCP:80,443. Once a mailbox is moved from Exchange 2010 to 2016, I had expected the mailbox to connect to Exchange 2016 using MAPI over HTTP, which doesn't require the additional ports for rpc/tcp. Unfortunately I am seeing intermittent issues where Outlook will continue to try rpc/tcp connections to Exchange 2016 after the mailbox move and fail.

Note, there are no firewall restrictions in place between Exchange servers or Exchange servers and domain controllers.

Originally it was a single Exchange server environment; as soon as we get fully migrated to Exchange 2016 and the coexistence phase is complete, it will be again. We're using different namespaces for Exchange 2010 vs 2016. Autodiscover for the most part isn't configured; I am relying only on the service connection point (SCP) to redirect Outlook clients to where they need to go. No SRV, A record, or otherwise exists for Autodiscover. All Outlook clients reside on the LAN or connect over VPN; no external connectivity for Outlook Anywhere is permitted.

Example naming convention
Exchange 2010: mail2010.domain.local, mail2010.domain.com
Exchange 2016: mail2016.domain.local, mail2016.domain.com

The .com URL is used for the purposes of a certificate and resolves internally (DNS).

Get-ClientAccessService
Name: mail2010
fqdn: mail2010.domain.local
OutlookAnywhereEnabled: True
AutodiscoverInternalURi: https://mail2016.domain.com/autodiscover/autodiscover.xml <--- Points to new server

Name: mail2016
fqdn: mail2016.domain.local
OutlookAnywhereEnabled: True
AutodiscoverInternalURi: https://mail2016.domain.com/autodiscover/autodiscover.xml



Example output of impacted mailbox.
85319-image.png


85412-image.png


Although I don't know if this matters, the authentication mechanism for the Outlook Anywhere virtual directory on Exchange 2016 was changed to NTLM. I understand it must be set to NTLM in the coexistence phase with 2010. This is for instances when Exchange 2016 will proxy connections to Exchange 2010, as far as I understand. I don't know that it ever would; all Outlook clients should have a direct connection available to both Exchange servers on the internal network.

Here is an example of a mailbox that was moved and the resulting error in Outlook.
85431-image.png


However, sometimes it works just fine; here is another user that is connected and happy in the same environment.
85421-image.png


Regards,
Adam Tyler



1 Answer

AndyDavid answered AdamTyler-3751 commented

I suspect it's this issue:
https://support.microsoft.com/en-us/topic/outlook-logon-fails-after-mailbox-moves-from-exchange-2010-to-exchange-2013-or-exchange-2016-bd3f59ed-c521-4349-5c00-c49717b5e04d

If you see it again, simply:

Restart-WebAppPool MSExchangeAutodiscoverAppPool

You can do this anytime; clients won't be affected.




@AndyDavid Thanks for the tip, interesting.

One other thing I noticed about the mailbox that failed just after posting this: it just so happened to be hidden from the GAL. Other mailboxes that moved successfully were not. I'm testing now after unhiding it from the GAL; will see if that works. Then I will try the AppPool trick.

Regards,
Adam Tyler

0 Votes 0 ·

Nope, unhiding from the GAL made no difference. I even moved the mailbox back to the 2010 database just to confirm the old Outlook profile came back and started working, and it did. Moved the mailbox back to 2016 with the user shown in the GAL and ran into the same issue.

Running this on the Exchange 2016 server fixed it.
Restart-WebAppPool MSExchangeAutodiscoverAppPool

Took one restart of Outlook after running this command and it came up and worked as expected. Thanks @AndyDavid!

1 Vote 1 ·
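
A post-move check built around the fix that worked in this thread, as an added example that is not part of the original posts: it confirms the moved mailbox is set to use MAPI over HTTP (so clients need only TCP 80/443) and shows the SCP and MAPI virtual directory values before recycling the Autodiscover application pool. The script parameters and the choice to skip the recycle when MAPI over HTTP is disabled are assumptions of this example.

```powershell
# Added example (not from the thread). Run in an elevated Exchange Management
# Shell on the Exchange 2016 server. -Mailbox is any identity Get-Mailbox accepts.
param(
    [Parameter(Mandatory)] [string] $Mailbox,
    [string] $AppPool = 'MSExchangeAutodiscoverAppPool'   # pool named in the answer
)

Import-Module WebAdministration   # provides Restart-WebAppPool / Get-WebAppPoolState

# 1. Confirm the move really landed on the expected database and server.
$mbx = Get-Mailbox -Identity $Mailbox
$db  = Get-MailboxDatabase -Identity $mbx.Database
'{0} -> database {1} on {2}' -f $mbx.PrimarySmtpAddress, $db.Name, $db.Server

# 2. MAPI over HTTP: the per-mailbox value overrides the organization value;
#    $null on the mailbox means "inherit the organization setting".
$orgSetting = (Get-OrganizationConfig).MapiHttpEnabled
$mbxSetting = (Get-CASMailbox -Identity $Mailbox).MapiHttpEnabled
$effective  = if ($null -ne $mbxSetting) { $mbxSetting } else { $orgSetting }
'MapiHttpEnabled: org={0} mailbox={1} effective={2}' -f $orgSetting, $mbxSetting, $effective

# 3. What clients will be told: the SCP values and the MAPI virtual directory.
Get-ClientAccessService | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
Get-MapiVirtualDirectory -Server $env:COMPUTERNAME |
    Format-List Identity, InternalUrl, IISAuthenticationMethods

# 4. Recycle only when the configuration is right; otherwise the recycle
#    cannot make Outlook stop attempting rpc/tcp.
if (-not $effective) {
    Write-Warning 'MAPI over HTTP is not enabled for this mailbox; recycling the app pool will not change that.'
    return
}
Restart-WebAppPool -Name $AppPool
'{0} state: {1}' -f $AppPool, (Get-WebAppPoolState -Name $AppPool).Value
```

As in the thread, Outlook may need one restart after the pool is recycled before it picks up the new connection settings.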