Honestly, I think you are overthinking this :)
I would use the recommended approach that I posted above in the future and you wont have issues like this:
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello,
I have an Exchange 2016 CU19 environment, on premise only, in one domain, one site.
I wanted to deploy an additional exchange in the same site, for testing purpose, to not disturb the users, and test the kerberos auth in wthe production.
Before deploying, this server, we blocked port 80 and 443 and the firewall level, and I added a IPsec policy on the test server (EXCH-test), blocking ports TCP 443, 25 and 2525 from any incoming IP/port.
Around 5-10 min after installing the exchange setup, we changed the Exch-test SCP to a URL, pointing to the other Exchange servers (EXCH-serv).
That, apparently was enough to cause Outlook disconnection, for around 10% of all users, which is a lot. I removed the Exch-test, and yet, the problem last for another hour. Outlook was still trying to connect to Exch-test.
No problem of DC replication, no GPO regarding autodiscover behavior.
I understand that before changing the EXCH-test SCP, some Outlook clients tried to retrieve the autodiscover xml from EXCH-test. what I don't get is, from my understanding:
I think recycling the autodiscover app pool on all Exch servers would have solved the problem, but I don't get why Outlook clients tried to connect to Exch-test (and failed as it was blocked).
Thank you.
Chris
Honestly, I think you are overthinking this :)
I would use the recommended approach that I posted above in the future and you wont have issues like this:
The Outlook autodiscover check is about an hour, so you may been seeing that.
Autodiscover timing
Autodiscover runs at the following times:
During account creation.
At set intervals to collect changes to URLs that provide Exchange Web Service features (OOF, Availability Service, and so on). If this process is successful, another try is made one hour later. If the attempt isn't successful, the next try is made 5 minutes later. Each attempt can potentially be staggered by as much as 25 percent because of the background task infrastructure used by all Microsoft Office applications.
In response to certain connectivity failures. In various scenarios, when a connection attempt fails, Outlook starts an Autodiscover task to retrieve new settings in any attempt to correct the connection problem.
When another application invokes it by using MAPI. For more information about MAPI, see the following MSDN article: Outlook MAPI Reference.
Thank you AndyDavid for you quick answer.
I checked the autodiscover link: "An attempt is then made to each URL that's returned by the SCP lookup to try to retrieve the Autodiscover payload"
and with "The Outlook autodiscover check is about an hour".
How come users that were trying to connect, got a autodiscover from Exch-test? (I assume they succeeded, as users probably lost connection for an hour at least, and restarting Outlook did not solved it). Blocking port 443 and 80 was not enough?
I forgot to add a weird event MSExchangeADTopology I noticed on the Exch-serv: saying the LDAP service was down on Exch-test...it seems they considered Exch-test as a DC...I have no clue why...
Thank you.
Chris
Hi @ChKhayat-8418 ,
For a test environment with no ports blocked, I changed the serviceBindingInformation of EX2 and EX3 to point to EX1.
I could successfully contact with Exchange server:
The whole processes were done on EX2.
But as you said that the outlook was still trying to connect with exch-test but not exch-server, I'm considering if it is related with SCP, what does "I removed the Exch-test" mean?
And I think you should open Port 443 to use autodiscover or connect with SCP, whatever, I believe it should be the key to the vault.
Best regards,
Lou
Hi ZhengqiLou-MSFT,
We changed the SCP for Exch-test to point to the Exch-serv, but we had 5-10min between the end of Exch-test installation and the DC replication.
We blocked port 443, first to avoid the Outlook popup to all users, which worked, and I assumed, Outlook after failing getting autodiscover response from Exch-test, would try the next SCP url.
I'm not sure if Outlook was able to get an autodiscover response from Exch-test, as in the xml response, under 'WEB' provider, internalOWA is Exch-test server fqdn, thus my questions: