Exchange Federation Metadata Analysis — autodiscover.almayadeen.net
===================================================================

Source: https://autodiscover.almayadeen.net/autodiscover/metadata/json/1

Federation Details:
  Name: Exchange
  Realm: almayadeen.net
  Service ID: 00000002-0000-0ff1-ce00-000000000000
  Issuer: 00000002-0000-0ff1-ce00-000000000000@almayadeen.net

CRITICAL FINDING - Second Exchange Server:
  Internal Endpoint: https://bhs-ex05.ittihadtv.local:444/autodiscover/metadata/json/1
  Protocol: OAuth2
  Port 444: Exchange Backend HTTPS (internal only, not internet-facing)
  This reveals BHS-EX05 exists alongside BHS-EX09
  BHS-EX09 = Frontend (CAS/Mailbox), BHS-EX05 = Likely backend/DAG member

Auth Certificate:
  Thumbprint (x5t): B2BBL_9jBZevT87C3_XGGbydTjY
  Subject: Microsoft Exchange Server Auth Certificate
  Created: January 3, 2022
  Expires: January 3, 2027
  Size: 813 bytes (X.509 DER)
  Note: This cert is used for Exchange OAuth (server-to-server auth)

Additional Endpoints Discovered:
  /ews/mrsproxy.svc: MRS Proxy (mailbox migration) — 401 but responding
    X-WSSecurity-Enabled: True
    X-OAuth-Enabled: True
  /powershell: Exchange Remote PowerShell — 400 (needs WSMAN)
    Leaks: ClientAccessServer=BHS-EX09, BackEndServer= (empty)
  /Microsoft-Server-ActiveSync: Mobile sync — Basic auth only
    Realm: autodiscover.almayadeen.net
  /autodiscover/autodiscover.json: Returns mail.almayadeen.net as primary

Server Architecture:
  BHS-EX05: Backend (federation/OAuth endpoint, port 444)
  BHS-EX09: Frontend CAS (public-facing, all services)
  mail.almayadeen.net: Primary mail FQDN (from autodiscover)
  AD Domain: ITTIHADTV.local
  
  This suggests a Database Availability Group (DAG) with at least 2 servers.
  BHS prefix = likely both in same datacenter (OVH Beauharnois, Canada)