Exchange Server Forums

RPC Hell

RPC Hell - 7.Nov.2008 8:07:57 PM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
Good afternoon all,

I finally have to turn to the boards once again, and hopefully this time I won't end up with an ID10t error.  We recently installed a clustered Exchange 2003 solution, along with a front end server (WHICH IS ON A DIFFERENT TRUSTED SUBNET THAN BOTH THE CLUSTER AND CURRENT EXCHANGE SERVERS),  which is up and running great.  We have another server that our mailboxes are on, but before I can migrate the mailboxes, I need to ensure that RPC over HTTP is running.  It would be nice if we could do this seamlessly as well, and here's what I've gotten done so far:

mail.domain.com used to point to my single Exchange box, and I had forms based auth and RPC/HTTP configured and running great.  After putting in the cluster and FE server, I configure the FE server as the new point of entry (as well as bridgehead) for OWA with FBA and RPC/HTTP.  So externally, and internally now too (DNS changes) mail.domain.com points to my new FE server.  Great.  We also have a spam filter (Barracuda) that now points to the FE server and mail is flowing fine.  I logged into an outside system, my own at home, and sure enough, I didn't even have to re-import the certificate and I was able to connect to the Exchange server over RPC/HTTP, previously configured.  All good up to this point.

So I moved a couple of resource and test mailboxes to the cluster.  I tried to connect RPC/HTTP to those accounts, and no go.  I deleted my RPC/HTTP profile in Outlook 2007 and tried re-creating it, no go.

What I did to configure RPC/HTTP:

1.  Installed RPC/HTTP on the FE server and removed it from the BE server.
2.  Configured the FE as a FE RPC server and the BE as a BE RPC server through the system manager (server/specific server/properties/rpc-http)
3.  Set up the registry for a FE/BE config such as:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"ValidPorts"="server-fe:100-5000;
server-be:6001-6002;
server-be.domain.local:6001-6002;
server-dc:6001-6002;
server-dc.domain.local:6001-6002;
server-be:6004;
server-be.domain.local:6004;
server-dc:6004;
server-dc.domain.local:6004;
mail.external.com:6001-6002;
mail.external.com:6004;
server-dc:593;
server-dc.domain.local:593;
server-be:593;
server-be.domain.local:593;
mail.external.com:593;"
4.  Changed ports 80 and 443 to forward to NAT (external IP address > internal IP address of FE server) on our hardware firewall
5.  Copy or Move a certificate from a remote server site to this site using the Server Certificate wizard.  Moved the cert from the original RPC server that was issued by our internal CA that has worked without any problem.  I am able to log in to my OWA server on any machine with our CA cert chain installed without being prompted for a cert.
6.  Enabled SSL on the RPC virtual directory.  Also set up the VD for NTLM auth.
7.  Verified that I get a 401 when I try to go to https://mail.domain.com/rpc

When I try and set up RPC, I get the error "The connection to MS Exchange is unavailable".  What I've done to troubleshoot:

1.  Everything listed in this article:

http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part1.html

2.  Used rpcping utility as described here:

http://support.microsoft.com/default.aspx?kbid=831051

Though there were not too many great examples, I was able to successfully rpcping the server, but was having trouble getting all the way through to the backend ports.

3.  Gone through troubleshooting steps here:

http://technet.microsoft.com/en-us/library/bb124649(EXCHG.65).aspx

After running RPCDump, I'm pretty sure it's right, but I've only seen the results you're supposed to see on the backend?  What about the communication between the FE and BE?  This is where I think the breakdown is.  When I run a netstat, I don't see any open connections between the FE and the BE server on any ports.

There is nothing being blocked between the two subnets, but it would be difficult to move this server out of that subnet at this point, as it serves other purposes there.  I've verified this server's existence in "AD Sites & Services" as it was necessary to even get Exchange installed in the first place.  Anyone with any ideas?   I think I covered everything...
Post #: 1
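
Added example, not part of the original post and not the poster's or Microsoft's code: the ValidPorts value in step 3 is the allow-list of host:port targets the RPC proxy may forward to, so it is worth checking for ranges wider than the ports the thread actually uses. The sketch below parses such a value and reports over-broad ranges and per-host differences; the sample string is constructed from the post's placeholder host names, and the "expected" port set (593, 6001-6002, 6004) is an assumption taken from the ports listed in the post.

```python
# Added example: audit an RpcProxy ValidPorts value (constructed sample below).
import re

# Assumption: the only ports that should be reachable are the ones in the post.
EXPECTED_PORTS = {593, 6001, 6002, 6004}

# Constructed sample using the post's placeholder host names.
SAMPLE_VALID_PORTS = (
    "server-fe:100-5000;"
    "server-be:6001-6002;server-be.domain.local:6001-6002;"
    "server-dc:6001-6002;server-be:6004;"
    "server-be.domain.local:6004;server-dc:6004;server-be:593;"
)

ENTRY_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?$")

def parse_valid_ports(value):
    """Return (entries, errors); entries are (host, low, high) tuples."""
    entries, errors = [], []
    # The post wraps the value across lines, so drop all whitespace first.
    for raw in re.sub(r"\s+", "", value).split(";"):
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            errors.append(raw)
            continue
        low = int(m.group(2))
        high = int(m.group(3) or low)
        if not (0 < low <= high <= 65535):
            errors.append(raw)
            continue
        entries.append((m.group(1).lower(), low, high))
    return entries, errors

def audit(value):
    """Flag ranges wider than EXPECTED_PORTS and expected ports not listed per host."""
    entries, errors = parse_valid_ports(value)
    too_wide, covered = [], {}
    for host, low, high in entries:
        ports = set(range(low, high + 1))
        extra = ports - EXPECTED_PORTS
        if extra:
            # (host, low, high, number of allowed ports outside the expected set)
            too_wide.append((host, low, high, len(extra)))
        covered.setdefault(host, set()).update(ports & EXPECTED_PORTS)
    # Names are compared as written, so a short name and its FQDN are separate hosts.
    not_listed = {h: sorted(EXPECTED_PORTS - p)
                  for h, p in covered.items() if EXPECTED_PORTS - p}
    return {"errors": errors, "too_wide": too_wide, "not_listed": not_listed}

if __name__ == "__main__":
    for key, val in audit(SAMPLE_VALID_PORTS).items():
        print(key, val)
```

An entry in `not_listed` is informational: it shows where a short name and its FQDN, or a back end and a domain controller, are allowed different ports.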
RE: RPC Hell - 8.Nov.2008 5:04:43 PM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
If you are running fe/be why are you making manual changes?
The GUI will do everything for you. Ensure that the same level of patches is on both servers.

To reset it you need to remove the RPC proxy on both the frontend and the backend and set the GUI to "not part of RPC-HTTP" topology. Then run IISRESET to write the changes to the IIS metabase before reinstalling the RPC Proxy.

Do you have anything between the servers? A firewall for example? You haven't tried to put a frontend server in a DMZ?

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://blog.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.sembee.co.uk/
Exchange Resources: http://exbpa.com/

(in reply to Xaneth)
Post #: 2
RE: RPC Hell - 9.Nov.2008 1:20:40 AM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
I've installed RPC/HTTP in several scenarios (not FE/BE), and have always had to make the manual changes to the registry. In fact M$ has an article about these reg changes on TechNet. Not in the DMZ, it's on a different VLAN on the same switch, with routes in the switch, no firewall in between. Thanks for the point on backing up the metabase and resetting IIS. The BE used to have RPC installed previously, but I've since uninstalled RPC on all the BE servers since I put the FE in. Do I need to reset IIS on both BE servers at this point? I noticed that after uninstalling RPC, the virtual directories got left behind. This is something I haven't given thought to.

(in reply to Xaneth)
Post #: 3
RE: RPC Hell - 9.Nov.2008 1:23:49 AM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
In fact I always reference amset.co.uk to get RPC going, I've had the best results using their methods. It includes the registry additions I listed. Were you referring to something else I am doing manually?

< Message edited by Xaneth -- 9.Nov.2008 1:29:28 AM >

(in reply to Xaneth)
Post #: 4
RE: RPC Hell - 9.Nov.2008 7:56:09 AM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
amset.info instructions are mine.
If you are doing single server setup, then you have to use the registry changes.
However for fe/be you don't. The GUI does that work for you. The Technet instructions are probably RTM for FE/BE, when you always needed to use the registry, then Microsoft put in a GUI for their preferred scenario.

The virtual directories are left behind, while it shouldn't cause a problem I do tend to remove them myself.

Simon.


(in reply to Xaneth)
Post #: 5
RE: RPC Hell - 9.Nov.2008 1:41:29 PM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
Right on, I got to meet the man! I've had to use the instructions on your site over recent years, because they are the only ones that work without a FE. I'll strip the reg entries out then and reset IIS on all servers (I'm assuming?). It helps to know that the GUI sets it up proper in a FE/BE config.

(in reply to Sembee)
Post #: 6
RE: RPC Hell - 9.Nov.2008 2:27:32 PM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
No joyous gleeful celebration.  Removed RPC on the FE proxy server, set all to Not Part of an Exchange managed RPC-HTTP topology and ran IISRESET on all servers.  Reinstalled RPC proxy on the FE server, let the GUI make the registry changes, and changed the GUI back to RPC FE server and RPC BE server for the BEs.  Still a no go.  I'm also unable to connect via RPC on the local network.  I'm really beginning to think something about the subnet is causing the problem.  The server has been added to the site through AD Sites and Services, but something's happening between the FE and the BE.  It's possible that my firewall is interfering somehow, but I don't see how, since the VLANs are on the same switch with routes between VLANs that allow all traffic.

< Message edited by Xaneth -- 9.Nov.2008 7:18:57 PM >

(in reply to Xaneth)
Post #: 7
RE: RPC Hell - 10.Nov.2008 1:22:46 PM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
I have done RPC over HTTPS with FE/BE many times, and the GUI always works. However what I haven't done is the split subnet.
Therefore the first thing I would be looking to do is move the server on to the same subnet and confirm if it works or not. While you have the subnet issue it will always be something that cannot be ruled out as the source of problem.

Simon.


(in reply to Xaneth)
Post #: 8
RE: RPC Hell - 10.Nov.2008 1:55:11 PM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
Yes, that's what we're going to try as I get some time.  Some other issues came up that I have to take care of.  I'll keep the thread updated.

(in reply to Sembee)
Post #: 9
RE: RPC Hell - 10.Nov.2008 8:36:26 PM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
OK, so I got it almost completely up and running.  I had more time to work with it today and despite being on another subnet, I'm able to connect to the back end server as long as I specify the name of the back end server when I set up the client.  I used to simply use "mail.domain.com" and the FE would resolve the BE server name for me.  I'd prefer it if it worked that way, but we will ultimately only have one BE cluster, so I would just have to modify the instructions just a bit.  It would be nice if I didn't have to reconfigure the RPC clients after the move, but I'm not ruling it out as something we may need to do.  What I'm curious about is how the FE resolves BE names, doesn't it use DSProxy to the GC to lookup the name and find the server it's located on?  Wonder what I'm missing here.

(in reply to Xaneth)
Post #: 10
RE: RPC Hell - 11.Nov.2008 5:28:02 PM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
Since DSProxy uses port 6004, and all the BE servers are listed in the ValidPorts registry entry (automatically), I'm not sure why I'm having trouble.  What about port 593?  The auto-configuration does not add that port for the domain controller.  I'm assuming that the FE server queries AD to find where the user's mailbox is?  Or is it using DSProxy?

The reason I configured this registry key manually as well is that at the bottom of the page at http://www.amset.info/exchange/rpc-http-server.asp, you have a listing for

Front-End / Back-end Server Configuration
Where there are two Exchange servers and a separate domain controller.

But as you said, letting Exchange do it through the GUI works, with the exception of port 593, as well as mail.domain.com entries and server-fe:100-5000.

We will just need to update our documentation about how to connect via RPC to include the fact that they will need to know which BE server their mailbox is hosted on (which really doesn't make sense), in order to make it work.  I was just hoping that the FE would do name resolution automatically so that it would make life easier.  I also noted the article here http://support.microsoft.com/?kbid=319175, but this applies to Exchange 2003 and adding the registry key and restarting the SA service didn't help in my situation.

(in reply to Xaneth)
Post #: 11
RE: RPC Hell - 11.Nov.2008 7:54:28 PM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
In my experience, the frontend server does the name resolution.
I usually point all Outlook clients at the frontend server in any configuration scripts, then let Outlook sort out which server the mailbox is actually on. Doesn't matter whether this is RPC over HTTPS or the usual connection method.

However before you start looking at a problem with RPC over HTTPS, if you configure Outlook in the usual way internally and put the frontend server in as the server, does Outlook change it to the correct one? If not then there is a problem somewhere.

Simon.


(in reply to Xaneth)
Post #: 12
RE: RPC Hell - 12.Nov.2008 2:22:56 AM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
Interesting.  I tried pointing it to the internal name of the front end server here and it's not resolving.  I've tried it these two ways:

FQDN outside FE hostname (not resolving):



FQDN inside FE hostname (not resolving):



The only thing that actually works, is if I specify the BE server like so (resolving):


(in reply to Sembee)
Post #: 13
RE: RPC Hell - 12.Nov.2008 2:25:34 AM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
And Sembee, really appreciate the help.  Learned quite a bit about how M$ automatically works when you use a FE/BE solution.

(in reply to Xaneth)
Post #: 14
RE: RPC Hell - 12.Nov.2008 10:28:27 AM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
If it doesn't resolve when you point Outlook at the frontend server inside, then you have a problem somewhere else. That would explain why it doesn't work on RPC over HTTPS either - it is using the same system.

I would start by running the Exchange Best Practices tool - http://www.exbpa.com/ and see whether that flags anything that needs resolving.

The separated VLANs continue to be a concern - it is the only thing that you have done differently to what I do. You should be able to point Outlook at any Exchange server in the org and Exchange will tell Outlook where the mailbox is located.

Simon.


(in reply to Xaneth)
Post #: 15
RE: RPC Hell - 12.Nov.2008 10:38:29 AM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
I'll start with the Exchange tools to see what's up. I did move the FE onto the same VLAN with the same results, so you're right, it must be something else.

(in reply to Sembee)
Post #: 16
RE: RPC Hell - 13.Nov.2008 5:32:14 PM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
Not finding any problems with any of the tools.  I'm thinking I'm going to need to move the FE into the same subnet and start all the way over from scratch.  It simply won't resolve BE hostnames properly.

(in reply to Xaneth)
Post #: 17
RE: RPC Hell - 13.Nov.2008 6:13:28 PM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
That may well be the best option - I personally consider frontend servers disposable and will rebuild them frequently if required.

Do ensure that you remove Exchange correctly, using add/remove programs rather than just wiping the machine. That will ensure it comes out of the Exchange org correctly.

Simon.


(in reply to Xaneth)
Post #: 18
RE: RPC Hell - 17.Nov.2008 8:03:06 PM   
Xaneth

 

Posts: 130
Joined: 4.May2004
From: Everett, WA
Status: offline
Hm.  Uninstalled the FE server and reinstalled from the ground up.  Moved the server permanently into the corporate network, so it's on the same VLAN.  Same problem, won't resolve the BE servers automatically, but I can enter the server name manually and RPC will work.  Guess that's just going to have to do, we are moving mailboxes from our old server to the new cluster only.  We do have one other Exchange server in Korea, but it's configured for RPC locally with its own DNS entry and working fine, so we will know who is on what BE server.  Was just hoping to make the move seamless.

(in reply to Sembee)
Post #: 19
RE: RPC Hell - 18.Nov.2008 5:26:46 PM   
Nazim

 

Posts: 170
Joined: 23.Oct.2008
Status: offline
After reinstalling the FE, did you designate the managed front-end servers through ESM?

http://support.microsoft.com/kb/841652

< Message edited by Nazim -- 18.Nov.2008 5:33:41 PM >

(in reply to Xaneth)
Post #: 20
