This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 64%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hello,
I have an Exchange 2016 CU19 environment, on premise only, in one domain, one site.
I wanted to deploy an additional exchange in the same site, for testing purpose, to not disturb the users, and test the kerberos auth in wthe production.
Before deploying, this server, we blocked port 80 and 443 and the firewall level, and I added a IPsec policy on the test server (EXCH-test), blocking ports TCP 443, 25 and 2525 from any incoming IP/port.
Around 5-10 min after installing the exchange setup, we changed the Exch-test SCP to a URL, pointing to the other Exchange servers (EXCH-serv).
That, apparently was enough to cause Outlook disconnection, for around 10% of all users, which is a lot. I removed the Exch-test, and yet, the problem last for another hour. Outlook was still trying to connect to Exch-test.
No problem of DC replication, no GPO regarding autodiscover behavior.
I understand that before changing the EXCH-test SCP, some Outlook clients tried to retrieve the autodiscover xml from EXCH-test. what I don't get is, from my understanding:
I think recycling the autodiscover app pool on all Exch servers would have solved the problem, but I don't get why Outlook clients tried to connect to Exch-test (and failed as it was blocked).
Thank you.
Chris
Honestly, I think you are overthinking this :)
I would use the recommended approach that I posted above in the future and you wont have issues like this:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 32%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGG%3C/text%3E%3C/svg%3E)
we have 2 exchange servers server0.domain.com and server1.domain.com we have DAG with witness server on site. active database is on server0 Both servers are exchange 2016 on server 2016 However, i tried to model a disaster for one server being down. I put server1 offline, took the network off. Some computers (we have 120 clients.) say server not available. despite server0 is primary server and well computers try to access server1 and fail. Some access server0 and are OK. what to do?
problem only happens internally. Externally all is good.
Is there a way when one server being down and having DAG things be OK?
Otherwise what sense has a DAG?
please advise.
Thank you @Andy David - MVP , this is a good document!
This was also a scenario I thought of first, but I was conviced by blocking my ports with IPsec would have isolated ly Exch-test server, which clearly did not....by why...is a mystery.
Do we agree at least on the fact that closing ports TCP 443 and TCP 80, in theory, was enough to avoid Outlook clients connections or autodiscover to Exch-test?
Thank you.
Chris
Yes, blocking ports should have worked, however I think when doing that you are depending alot on outlook gracefully handling that, and Outlook is sometimes not so good at being graceful :)
I found an interesting link:
https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/type-pox
"WEB
E-mail is accessed from a Web browser by using the URL that is specified in the Server (POX) element.
This is only applicable when the AccountType (POX) element is set to email."
I understand it's the URLs for Outlook on the Web, so it has no impact on Outlook clients.
Now what I think, Outlook clients got an autodiscover respond from Exch-serv, with this WEB protocol config like above...ok...but the EXPR, EXHTTP protocol are correctly configured.
Thus, why they tried to connect to Exch-test (checked on "connection status")...It really bothers me...
Thank you again for all your responses.
Chris
Now, maybe:
if so, how can I block that, knowing that ports 443, 25 and 2525 were blocked from Exch-serv to Exch-test.
-<Protocol>
<Type>WEB</Type>
-<Internal>
<OWAUrl AuthenticationMethod="AuthMethod">https://exch-test.domain.com/owa/</OWAUrl>
<OWAUrl AuthenticationMethod="AuthMethod">https://owa.domain.com/owa/</OWAUrl>
-<Protocol>
Hi ZhengqiLou-MSFT,
We changed the SCP for Exch-test to point to the Exch-serv, but we had 5-10min between the end of Exch-test installation and the DC replication.
We blocked port 443, first to avoid the Outlook popup to all users, which worked, and I assumed, Outlook after failing getting autodiscover response from Exch-test, would try the next SCP url.
I'm not sure if Outlook was able to get an autodiscover response from Exch-test, as in the xml response, under 'WEB' provider, internalOWA is Exch-test server fqdn, thus my questions: