Friday, May 22, 2009

How OAB Distribution Works

Exchange 2007 has a new way of distributing the OAB (Offline Address Book) compared to previous versions of Exchange. It now distributes the OAB via an IIS website. Below I explain this process along with the steps to set it up.

There are 4 components that make this work:
  • OABGen
  • Exchange File Distribution Service
  • OAB Virtual Directory
  • Autodiscover

OABGen

OABGen is the process that creates, or generates, the offline address book. OabGen.dll is actually invoked by the Exchange System Attendant. This process takes place on a single mailbox server in your Exchange organisation. There can only ever be one mailbox server responsible for generating the OAB.

To view which mailbox server is generating the OAB, open the Exchange Management Console, expand Organisational Configuration, click Mailbox, then click the Offline Address Book tab.

You can see that in my organisation, KBOMBSERVER is generating the OAB. To change which mailbox server is responsible for generating the OAB, simply right click the address book and click Move.


Here we can browse for the new server responsible for generating the OAB.

The mailbox server running as your OABGen server will contain an SMB share called ExchangeOAB.

This is the folder from which the client access servers acting as OAB distribution servers download the latest copy of the OAB. This share points to C:\Program Files\Microsoft\Exchange Server\ExchangeOAB by default. As a user you will not be able to access it, as only Exchange computer accounts have NTFS rights to it.

You can change the schedule on which OABGen runs. By default it's 5am every night. To change the schedule, right click the address book and hit Properties.


You can also configure this to always run using PowerShell; however, I do not recommend this, as for large organisations OAB generation can result in extra load. I recommend leaving it on the default setting of 5AM, as nightly backups are usually finished by this point and users don't usually start work till around 6am at the earliest.

Lastly, before I move on to the file distribution service, there is one more PowerShell command that comes in handy when dealing with OABGen. That command is:

Update-OfflineAddressBook

This is a manual method for regenerating your offline address book. It is great for testing and troubleshooting OABGen issues rather than having to wait for the schedule to generate it automatically.

Note: This command updates the OfflineAddressBook from the Global Address List data that is generated from the Global Catalog. If Update-OfflineAddressBook does not update the data correctly, try updating the Global Address List using:

Update-GlobalAddressList -Identity "Global Address List"

Exchange File Distribution Service

The Exchange File Distribution Service is a service that runs only on client access servers marked as distribution servers. To configure a client access server as a distribution server, simply open the Exchange Management Console and navigate to Organisational Configuration --> Mailbox --> Offline Address Book, right click the offline address book and click Properties, then click the Distribution tab.

Here you can simply add client access servers to the list. Ideally you want a client access server in each site configured as a distribution server. Because my environment is small, my mailbox server is also a client access server. However, in large environments you would usually have a client access server in every site, usually running the hub transport role on the same server.

One thing I would like to point out: the configuration for this is under Organisational Configuration --> Mailbox. The distribution points configured on this Distribution tab do not apply to mailbox servers. Ideally it should be located under Organisational Configuration --> Client Access; however, I think Microsoft just wanted to keep all the OAB configuration together.

What the file distribution service does is copy the OAB generated by the OABGen mailbox server from \\oabgenerationserver\ExchangeOAB to the distribution server. By default it is copied to C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB. Also by default, the file distribution service downloads the OAB from this share every 8 hours (480 minutes). This can be changed, and different values can be set for each CAS OAB distribution server. Say you wanted to set all CAS OAB distribution servers to re-download the OAB from the OABGen server every 30 minutes. The command for this would be:

Get-OABVirtualDirectory | Set-OABVirtualDirectory -PollInterval 30

This will configure every CAS OAB distribution server in your organisation to re-download the OAB every 30 minutes. However, this is silly seeing as OABGen by default only regenerates every 24 hours, at 5am. In an environment where you have fast links between sites, and say you have a mailbox server not holding mailboxes, only running as an OABGen server, you could configure this box to generate 24/7 so its data is always up to date, and configure your client access servers to pull it down every 30 minutes.

You can also tell a client access server to manually download the latest OAB from the OABGen server for distribution. This can be done by running:

Update-FileDistributionService -Identity servername

Where servername is the name of the CAS distribution server that you want to re-download the latest OAB.

OAB Virtual Directory

This is just the OAB virtual directory in IIS. This is where clients download the OAB from.

This directory points to C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB by default, the same place where the file distribution service places the files downloaded from the OABGen server. One thing I have noticed, though, is that by default Authenticated Users do not have access to this folder, so how are they meant to download the OAB? Make sure you give Authenticated Users access to the OAB folder. This is only the case with Server 2003... on Server 2008 it adds IIS_IUSRS (a special IIS group) to the OAB folder to allow users to download. But on Server 2003, as of this writing (Exchange 2007 SP1 with Update Rollup 7), only Administrators and SYSTEM are granted full access by default. Ensure you add Authenticated Users with Read and List Contents privileges, or users will not be able to download the OAB and will revert to public folders if available.
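As an added example (not the post's own code), this PowerShell function inspects the NTFS ACL on the OAB folder and reports whether Authenticated Users, or the IIS_IUSRS group the post mentions for Server 2008, holds at least Read access; the default path is the one given above, and the function name is my own.

```powershell
# Added example, not from the original post: check whether the OAB distribution
# folder grants the read access clients need to download the OAB over IIS.
# The default path is the one the post gives for the OAB virtual directory.
function Test-OabFolderAcl {
    param(
        [string]$Path = "C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB"
    )
    # Minimum rights a web client needs to read the OAB files
    $required = [System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -Path $Path
    $granted = @()
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne "Allow") { continue }
        $who = $rule.IdentityReference.Value
        # Authenticated Users (the Server 2003 fix) or IIS_IUSRS (added on Server 2008)
        if ($who -ne "NT AUTHORITY\Authenticated Users" -and $who -notlike "*\IIS_IUSRS") { continue }
        # FileSystemRights is a bit flag; FullControl and ReadAndExecute both contain Read
        if (($rule.FileSystemRights -band $required) -eq $required) {
            $granted += "$who ($($rule.FileSystemRights))"
        }
    }
    # Every identity with an Allow entry, handy when the ACL changes unexpectedly after a reboot
    $allowed = @($acl.Access | Where-Object { $_.AccessControlType -eq "Allow" } |
                ForEach-Object { $_.IdentityReference.Value })

    $result = New-Object PSObject
    $result | Add-Member -MemberType NoteProperty -Name Path -Value $Path
    $result | Add-Member -MemberType NoteProperty -Name ClientReadAccess -Value ($granted.Count -gt 0)
    $result | Add-Member -MemberType NoteProperty -Name GrantedTo -Value ([string]::Join("; ", $granted))
    $result | Add-Member -MemberType NoteProperty -Name AllowEntries -Value ([string]::Join("; ", $allowed))
    $result
}

# Run on the CAS distribution server; ClientReadAccess should be True
Test-OabFolderAcl | Format-List
```

If ClientReadAccess comes back False, the AllowEntries field shows which accounts actually hold rights, so you can see whether only Administrators and SYSTEM are present as the post describes for Server 2003.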

Server 2008 permissions for OAB:

Autodiscover

Autodiscover is responsible for letting Outlook 2007 clients know where to download the OAB from. If I hold down CTRL and right click the Outlook icon in my system tray, I am able to click Test E-Mail AutoConfiguration.

Here you can see the location Autodiscover is giving me for my OAB download. Autodiscover uses the AD Sites and Services topology to give you the closest client access server acting as an OAB distribution server. If you are receiving the wrong server URL here, it's because your AD topology is set up incorrectly.

It is also possible to change this URL for certain client access servers. This is great if you want to enable SSL for extra security; just ensure that the subject alternative name on the certificate matches the URL you're providing, otherwise your Outlook clients will receive certificate warnings.

Set-OABVirtualDirectory -Identity "CASSERVERNAME\OAB (Default Web Site)" -InternalURL https://mail.mydomain.local/OAB -RequireSSL $true

Lastly, if you are using Outlook Anywhere, port 443 will be forwarded to a CAS somewhere, which could also be running OMA (Outlook Mobile Access) or OWA (Outlook Web Access). In a large organisation this CAS would probably be an NLB cluster. If this is the case and you are running Outlook Anywhere, you must enable an ExternalURL on the same server that port 443 is forwarded to, so that external Autodiscover can give it out. This allows external users to also download the OAB. Ensure that SSL is used to protect the confidential information contained in the OAB. To enable OAB for external distribution on the server 443 is forwarded to, use this command:

Set-OABVirtualDirectory -Identity "CASWEBSERVER\OAB (Default Web Site)" -ExternalURL https://mail.mydomain.com/OAB -RequireSSL $true
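As an added example (not the post's own code), the functions below audit every OAB virtual directory for the settings discussed in this post and the poll-interval section above: they flag URLs that are not HTTPS or a RequireSSL of false, and show each CAS's PollInterval. Only Get-OabVirtualDirectory / Set-OabVirtualDirectory and the properties the post itself uses are assumed; the function names are my own.

```powershell
# Added example, not from the original post: audit the OAB virtual directories
# for the SSL settings the post recommends and show each server's PollInterval.
function Get-OabVirtualDirectoryAudit {
    Get-OabVirtualDirectory | ForEach-Object {
        $vdir = $_
        $problems = @()
        # InternalUrl / ExternalUrl are System.Uri objects; a plain-http URL would
        # let Outlook download the OAB in clear text
        foreach ($url in @($vdir.InternalUrl, $vdir.ExternalUrl)) {
            if ($url -ne $null -and $url.Scheme -ne "https") {
                $problems += "non-HTTPS URL $url"
            }
        }
        if (-not $vdir.RequireSSL) { $problems += "RequireSSL is false" }

        $vdir | Select-Object Identity, Server, InternalUrl, ExternalUrl, RequireSSL, PollInterval |
            Add-Member -MemberType NoteProperty -Name Problems -Value ([string]::Join("; ", $problems)) -PassThru
    }
}

# Turn on RequireSSL only where every configured URL is already https; otherwise
# Autodiscover would hand clients an http URL that the server then refuses.
# Check the certificate SAN matches the URL hostnames before running this.
function Set-OabVirtualDirectoryRequireSsl {
    Get-OabVirtualDirectoryAudit |
        Where-Object { -not $_.RequireSSL -and $_.Problems -notmatch "non-HTTPS" } |
        ForEach-Object { Set-OabVirtualDirectory -Identity $_.Identity -RequireSSL $true }
}

# Report first; an empty Problems column means the directory matches the post's recommendations
Get-OabVirtualDirectoryAudit | Format-Table Server, InternalUrl, ExternalUrl, RequireSSL, PollInterval, Problems -AutoSize
```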

I hope this post helps you understand and configure this OAB distribution process correctly. I decided to blog it because there are not many documents on the internet that explain it properly, and many of them go into way too much detail and just confuse you... well, they did me. If you have any questions email me, clint@kbomb.com.au

8 comments:

  1. Splendid Post...I have bookmarked it. Love the way you explained it...very easy to understand. One Question: How is it decided which Mailbox Server will run the Oabgen or who decides it?

  2. You elect which mailbox server generates the OAB on the OAB itself. If you right click the OAB in exchange management console and click move you can elect another mailbox server to generate it.

    If you have more than one OAB then you can have more than one OABGen server, because you can elect each OAB to be generated by a different mailbox server.

  3. Thanks for the reply Clint... I have a lab consisting of 4 MBX servers in 2 DAGs (Active-Active DC), 2 CAS arrays with 4 CAS/HB servers spread across 2 sites - by default only one MBX server was elected to be the OABGen server - who/what decided that as the default? Obviously I did not make that default selection. BTW the server elected as the default OABGen was not the 1st MBX server that I built...

  4. Generally the first mailbox server you build becomes the OABGen server. You must have built the second mailbox server within a short period of time after the first mailbox server. You didn't modify/play with any of the Offline Address Book settings, did you?

  5. Concise explanation, thanks. I've been trying in vain to find a resolution to an OAB issue that plagues our server and have been confused by other posts. Can you think of a reason (on Exchange 2007 / SBS2008) that the permissions on the OAB virtual directory would reset upon a server reboot such that domain users are no longer able to download the OAB? The only fix I've had any success with is to manually add back appropriate permissions for authenticated users after each reboot. The IIS_IUSRS group also has rights, but this does not seem to matter.

  6. Great post full of useful tips! My site is fairly new and I am also having a hard time getting my readers to leave comments. Analytics shows they are coming to the site but I have a feeling “nobody wants to be first”. Vaultscape.com

  7. Excellent post, you've given me a lot to look at here with my current issue. I can't get the client side to show current OAB, but I'm wondering if it has to do with my SMB permissions. Thanks for the info!

  8. To understand how OAB Distribution works in Exchange 2013, please refer to my article "How OAB Distribution Works in Exchange 2013" which can be found here:

    http://clintboessen.blogspot.com.au/2014/03/how-oab-distribution-works-in-exchange.html
