Hi there, I wanted to setup autodiscover on SBS 2008 because I can not set out of office reply in outlook. now when i want to run Get-WebServicesVirtualDirectory, I get this messeg: unable to create Ineternet information service (IIS) directory entery. Error messege is : Access denied. -HResult: -2147024891 has anybody got experinence on this issue. please share with me. Many thanks in advance

Hello, What is user account you using ? http://premnair.wordpress.com/2010/07/03/configure-ews-autodiscover-owa-oab-ecp-on-exchange-server-2010/ check this article to verify autodiscovery and you have to use SAN certificate to avoid certificate warnings. Thanks Mhussain Thanks Mhussain

Hi Mhussian, Thanks for your reply, however, the link you sent is what I have already done, I checked Test Email Autoconfiguration in outlook and it fails. to check external URL for the EWS, i run Get-WebServicesVirtualDirectory, which is what my orignal question is that it fails. I am runing it from Admin account. Just to let you know this exchange server is on SBS 2008.

Hi Does the OOO works from OWA? Have you purchased a 3rd part certificate? Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog

Hi Jonas, Out office auto reply is working from OWA. but its just now working from outlook. We are using self-generated certificate.

Hi Jonas, Out office auto reply is working from OWA. but its just now working from outlook. We are using self-generated certificate. Hi Ali Are you using Self Signed SSL for exchange ? you need to use SAN (Subject Alternate Name) certificate for Exchange 2010 which is recommended by microsoft . By default, when you install Exchange 2010, client communications are encrypted using SSL when you use Microsoft Office Outlook Web App, Exchange ActiveSync, and Outlook Anywhere. Best Practice: Use SAN Certificates http://technet.microsoft.com/en-us/library/dd351044.aspx#digitalcertificatesbestpractices Thanks MHussain Depending on how you configure the service names in your Exchange deployment, your Exchange server may require a certificate that can represent multiple domain names. Although a wildcard certificate, such as one for *.contoso.com, can resolve this problem, many customers are uncomfortable with the security implications of maintaining a certificate that can be used for any sub-domain. A more secure alternative is to list each of the required domains as SANs in the certificate. By default, this approach is used when certificate requests are generated by Exchange. Thanks Mhussain

I agree with Hussain, best practice is to use SAN/UCC cert Check this one for creating CSR https://www.digicert.com/easy-csr/exchange2007.htm Installation of the cert http://www.digicert.com/ssl-certificate-installation-microsoft-unified-communications.htmJonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog

Hi All, I understand that I need to use SNA certificate to for outlook client to work perfectly, however, if i dont use at least I should be able to run the command, "Get-WebServiceVirtualDirectory" and get some out put. I can not run this command on SBS 2008 server. I have another standard Server 2008 using self signed certificate and its working fine. Also, I think for internal use we dont need to have a trusted certificate from external authority. we have been using for a year almost and works fine. but its just this SBS which I think keeps the virtual director in "SBS Web Applications" rather than "Default Web Sites" in IIS.

Hi, Have you applied any update for your Exchange Server? If not, I recommend you to apply the latest update for Exchange and then check the issue again. If yes, then please try to right-click the powershell.exe and choose run-as-admin and then check the issue. Also please verify if "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem" group is a member of local admin group of all Exchange 2007 server. Regards, Xiu

Hi Xiu, Thanks for your messege, it seems that I can run the command "get-webservicesVirtualDirecotry" at least by right click on shell and open as administrator. and I can change Autodiscover url too, but dont know what should change it to coz i tried all url and out of office not working, Outlook Test Email Autoconfiguration fails too. Any idea how to fix or least find what are the actaul virtual directory are? Just to mention this on SBS 2008 server.

Hi, Please try to use get-exchangecertificate |fl and then post the result here. We need to match the certificate with the autodiscover URL domain name. Also please post the result of "Test E-mail autoconfiguration" here with detail error information. We need to verify what URL that Outlook try to use to retrive the OOF information. Regards, Xiu

Hi Xiu, Please find get-cer and Test email result AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {computerangels.dyndns.org, dyndns.org, ANGEL01.angels.loc al} HasPrivateKey : True IsSelfSigned : False Issuer : CN=angels-ANGEL01-CA NotAfter : 18/09/2012 23:24:52 NotBefore : 19/09/2010 23:24:52 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 4B50620A00000000000F Services : IMAP, POP, IIS, SMTP Status : Valid Subject : CN=computerangels.dyndns.org Thumbprint : 5E3577A67E5B41A090B03C78DEFD53151E166414 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {computerangels.dyndns.org, dyndns.org, ANGEL01.angels.loc al} HasPrivateKey : True IsSelfSigned : False Issuer : CN=angels-ANGEL01-CA NotAfter : 18/09/2012 23:22:57 NotBefore : 19/09/2010 23:22:57 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 4B4EA64A00000000000E Services : IMAP, POP, SMTP Status : Valid Subject : CN=computerangels.dyndns.org Thumbprint : 5FFE8F79C9A09DE2F9FB6439B8A92954DFCBC7CF AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {computerangels.dyndns.org, dyndns.org, ANGEL01.angels.loc al} HasPrivateKey : True IsSelfSigned : False Issuer : CN=angels-ANGEL01-CA NotAfter : 05/04/2012 15:41:41 NotBefore : 06/04/2010 15:41:41 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 22CC043B000000000008 Services : IMAP, POP, SMTP Status : Valid Subject : CN=computerangels.dyndns.org Thumbprint : 73FEE24BA8F2899549FD11480B910D4CE10D3633 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {remote.abc.co.uk, abc.co.uk, ANGEL0 1.angels.local} HasPrivateKey : True IsSelfSigned : False Issuer : CN=angels-ANGEL01-CA NotAfter : 05/04/2012 15:10:46 NotBefore : 06/04/2010 15:10:46 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 22AFB1A8000000000007 Services : IMAP, POP, SMTP Status : Valid Subject : CN=remote.abc.co.uk Thumbprint : 91FE0150F12D459444F239C43D10A6A4AB663BD9 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {remote.computerangels.dyndns.org, computerangels.dyndns.o rg, ANGEL01.angels.local} HasPrivateKey : True IsSelfSigned : False Issuer : CN=angels-ANGEL01-CA NotAfter : 05/04/2012 15:09:59 NotBefore : 06/04/2010 15:09:59 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 22AEFCDA000000000006 Services : IMAP, POP, SMTP Status : Valid Subject : CN=remote.computerangels.dyndns.org Thumbprint : 67D4BAE1688EC496EC7B97439234468A3721B908 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {remote.abc.co.uk, abc.co.uk, ANGEL0 1.angels.local} HasPrivateKey : True IsSelfSigned : False Issuer : CN=angels-ANGEL01-CA NotAfter : 26/03/2012 16:44:20 NotBefore : 27/03/2010 15:44:20 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 61052EBD000000000004 Services : IMAP, POP, SMTP Status : Valid Subject : CN=remote.abc.co.uk Thumbprint : 5FB0392FCB6A8DE8AD658C77EAE574999D8DA8E9 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {ANGEL01.angels.local} HasPrivateKey : True IsSelfSigned : False Issuer : CN=angels-ANGEL01-CA NotAfter : 27/03/2011 16:27:45 NotBefore : 27/03/2010 15:27:45 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 61074098000000000003 Services : IMAP, POP Status : Valid Subject : CN=ANGEL01.angels.local Thumbprint : F94F12B4C9DF5CABCC1EA60DECF6AD78D60F3C26 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {Sites, ANGEL01.angels.local} HasPrivateKey : True IsSelfSigned : False Issuer : CN=angels-ANGEL01-CA NotAfter : 26/03/2012 16:24:10 NotBefore : 27/03/2010 15:24:10 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 6103F8FE000000000002 Services : IMAP, POP, SMTP Status : Valid Subject : CN=Sites Thumbprint : 968B4A7EF1009F059C7263541FE66BCE3EA2ED6E AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {angels-ANGEL01-CA} HasPrivateKey : True IsSelfSigned : True Issuer : CN=angels-ANGEL01-CA NotAfter : 27/03/2015 15:33:40 NotBefore : 27/03/2010 15:23:41 PublicKeySize : 2048 RootCAType : Registry SerialNumber : 78E34014B49930AB42F996F8330A5098 Services : None Status : Valid Subject : CN=angels-ANGEL01-CA Thumbprint : 2BFEB1A563053139AE8F31BFA396F75EFD671CE3 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {WMSvc-WIN-QI4ZZU918FQ} HasPrivateKey : True IsSelfSigned : True Issuer : CN=WMSvc-WIN-QI4ZZU918FQ NotAfter : 24/03/2020 15:12:53 NotBefore : 27/03/2010 15:12:53 PublicKeySize : 2048 RootCAType : Registry SerialNumber : D8FD3C683158B1BE4F2A62FA7EEFA4EA Services : None Status : Valid Subject : CN=WMSvc-WIN-QI4ZZU918FQ Thumbprint : E05868F462743B471CD50C417D2DDF71B873E8F3 Test E-mail AutoConfiguration Attempting URL https://remote.abc.co.uk/autodiscoveer/autodiscover.xml found through SCP Autodiscover to https://remote.abc.co.uk/autodiscoveer/autodiscover.xml starting Autodiscover to https://remote.abc.co.uk/autodiscoveer/autodiscover.xml FAILED (0x80072F0C) Autodiscover to https://abc.co.uk/autodiscoveer/autodiscover.xml starting Autodiscover to https://abc.co.uk/autodiscoveer/autodiscover.xml FAILED (0x800C8203) Autodiscover to https://autodiscover.abc.co.uk/autodiscoveer/autodiscover.xml starting Autodiscover to https://autodiscover.abc.co.uk/autodiscoveer/autodiscover.xml FIALES (0x80072F0C) Local autodiscover for abc.co.uk starting Local autodiscover for abc.co.uk FIALED (0x8004010F) Redirect check to http://autodiscover.abc.co.uk/autodiscoveer/autodiscover.xml starting Redirect check to http://autodiscover.abc.co.uk/autodiscoveer/autodiscover.xml FIALED (0x8004005) Srv Record lookup for abc.co.uk stating Srv Record lookup for abc.co.uk Failed (0x8007251D)

Hi, First I’d like to know if you have rename your autodiscover virtual directory. I noted that from the URL it is autodiscoveer. Please let me know if you have modified the SCP manually. The certificate which thumbprint is 5E3577A67E5B41A090B03C78DEFD53151E166414 should be the correct certificate for the Exchange Server, But I found that it do not have remote.abc.co.uk/abc.co.uk/autodiscover.abc.co.uk in the certificatedomains list. It just has computerangels.dyndns.org, dyndns.org, ANGEL01.angels.local For error 0x80072F0C, please try the following steps. 1. Highlight the virtual directory (AutoDiscover/EWS/OAB) and double-click on Authentication. 2. Click on Windows Authentication to highlight it, and then click on Advanced Settings. 3. Uncheck “Enable Kernel-mode Authentication” to remove the setting. 4. Click OK to save the setting. 5. Do an IISreset /noforce Note: We should set to ignore Client certificate on Autodiscover/EWS/OAB for the IIS SSL settings. After that, please try to use Get-ClientAccessServer <CASname> |fl and then verify if the AutodiscoverServiceInternalUri is point to correct url, it should be the SCP. Also, you can try to browse the autodiscover internal URL and external URL from IE and then check the result. Besides, please try to use https://www.testexchangeconnectivity.com/ to have a check. More information to share with you: Configure Exchange Services for the Autodiscover Service http://technet.microsoft.com/en-us/library/bb201695.aspx Regards, Xiu