Outlook gets stuck at Send / Receive while downloading Offline Address Book [OAB] for Hours

Issue Description: Outlook Users complain that outlook gets stuck at Send / Receive for Hours. Close observation shows that outlook it trying to connect to Exchange for downloading OAB, but it is not happening and it stay there. [Emails would still flow during this Issue]

Cause:
The CAS OAB folder loses permission on every Polling / Restarting of File Distriubution Service. This Issue started after applying Exchange 2010 Service Pack, in my case it was SP2.

Resolution:
The CAS OAB folder [C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB]
and its sub folders should all have read permission for "Authenticated Users". Manually adding this permission would ensure that Full OAB is downloaded.

But after the next polling these security permissions are removed when File Distribution service copies OAB file from the generation server to the CAS Server(s) or even if the FDS service is restarted or if the CAS Server is restarted.

To resolve it completely follow the steps below. [The commands are Highlighted in white]


On the Exchange Management Shell --> create variables as below

$oab1 = Get-OfflineAddressBook "Default Offline Address Book"

$oab1.DistinguishedName

This will display the Distinguished name of the Default OAB

• CN=OAB1,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com

$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com"

 To display the current permission - Run the bleow command.

get-adpermission $container -user "NT AUTHORITY\Authenticated Users"| where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl

• User                : NT AUTHORITY\Authenticated Users
  Identity            : \Default Offline Address Book
  Deny                : False
  AccessRights        : {ExtendedRight}
  IsInherited         : True
  Properties          :
  ChildObjectTypes    :
  InheritedObjectType :
  InheritanceType     : All

To correct the permission - Run the Below command.

add-adpermission $container -user "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

• Identity             User                 Deny  Inherited
  --------             ----                 ----  ---------
  \Default Offline ... NT AUTHORITY\Auth... False False

After the above shell commands are run, update the Default OAB, then restart the FDS on all the CAS Servers. Then check now the Offline Address book is downloaded fine in Outlook.

Please leave any comments if required.

Thank you.