Wednesday, September 30, 2009

The Security certificate has Expired or is not yet valid

Your users are receiving the following message when they open Outlook: "The security certificate has expired or is not yet valid".

You are also receiving the following errors on your mail server:

  • Event Type: Error
  • Event Source: MSExchangeTransport
  • Event Category: TransportService
  • Event ID: 12014
  • Date: Date
  • Time: Time
  • User: N/A
  • Computer: Server_Name
  • Description:

Microsoft Exchange couldn't find a certificate that contains the domain name Domain_Name in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Server with a FQDN parameter of FQDN. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

  • Event Type: Warning
  • Event Source: MSExchangeTransport
  • Event Category: TransportService
  • Event ID: 12015
  • Date: Date
  • Time: Time
  • User: N/A
  • Computer: Server_Name
  • Description:

An internal transport certificate expired. Thumbprint: Thumb_Print_Value

Cause: the self-signed certificate that Exchange 2007 created at setup has expired. That is a documented limitation of the self-signed certificate; see TechNet article bb851554, excerpted below.

Limitations of the Self-Signed Certificate

The following list describes some limitations of the self-signed certificate.

  • Expiration Date: The self-signed certificate expires 12 months after Exchange 2007 is installed. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.
  • Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
  • Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
  • Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.

Solution:

Log on to the Exchange server and run the following command from the Exchange Management Shell (EMS):

Get-ExchangeCertificate | FL

Pay attention to Status, NotBefore and NotAfter; you will also need to copy the Thumbprint of the expired certificate.

Now copy and paste (or type) the following into EMS, using the thumbprint from your own Exchange server:

Get-ExchangeCertificate -Thumbprint 56BB128980C53883BBF09AA0281FBC6471FB04FE | New-ExchangeCertificate

Piping the old certificate into New-ExchangeCertificate clones its subject and certificate domains into a new self-signed certificate. Type "Y" when prompted; the prompt asks whether to overwrite the existing (expired) default SMTP certificate, which is exactly what you want.

Run once more

Get-ExchangeCertificate | FL

and check that the new certificate shows Status Valid, a NotAfter date twelve months out, and the same Services as the old one (SMTP at minimum, plus IIS if it also fronts OWA). Only then get rid of the old one, using its thumbprint:

Remove-ExchangeCertificate -Thumbprint 56BB128980C53883BBF09AA0281FBC6471FB04FE

If the new certificate did not pick up SMTP, run Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services SMTP first, as the 12014 event text suggests. Remember that this self-signed certificate will expire again in 12 months; the limitations quoted above recommend a certificate from a Windows PKI or a trusted commercial CA, which also removes the trust prompts your users see.
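As an added example (not from the original post), here is the same procedure scripted for the Exchange Management Shell so it can be run before the certificate actually expires: it finds self-signed certificates that are expired or about to expire, clones each one with the pipeline used above, re-enables the services the old certificate served, verifies the new one, and only then removes the old one. The 30-day threshold and the variable names are assumptions; the cmdlets and properties are the Exchange 2007 ones shown in the post.

```powershell
# Added example (not from the original post): renew an expired or soon-to-expire
# self-signed Exchange 2007 certificate from the Exchange Management Shell.
# Assumption: run in EMS on the Exchange server; $DaysAhead is a hypothetical threshold.
$DaysAhead = 30

# 1. Find self-signed certificates that are expired or expire within the threshold.
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt (Get-Date).AddDays($DaysAhead) }

if (-not $expiring) {
    Write-Host "No self-signed certificate expires within $DaysAhead days."
}

foreach ($old in $expiring) {
    Write-Host ("Renewing {0} (NotAfter {1}, services {2})" -f $old.Thumbprint, $old.NotAfter, $old.Services)

    # 2. Clone the old certificate into a new self-signed one with the same Subject and
    #    CertificateDomains. This is the pipeline used in the post; -Confirm:$false answers
    #    the "overwrite existing default SMTP certificate" prompt (the Y in the post).
    $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint |
        New-ExchangeCertificate -Confirm:$false

    # 3. Bind the new certificate to the same services the old one served (SMTP for
    #    STARTTLS, IIS for OWA/EWS, ...) so the Transport service can read its key.
    if ($old.Services -ne 'None') {
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services -Confirm:$false
    }

    # 4. Verify before removing the old one: Status Valid and a private key present.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ($check.Status -ne 'Valid' -or -not $check.HasPrivateKey) {
        Write-Warning ("New certificate {0} not usable (Status {1}); keeping the old one." -f $check.Thumbprint, $check.Status)
        continue
    }

    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    Write-Host ("Replaced {0} with {1} (valid until {2})" -f $old.Thumbprint, $new.Thumbprint, $new.NotAfter)
}
```

Run it in EMS as an Exchange administrator; a certificate that is not expiring is left alone. If you move to a certificate from a Windows PKI or a commercial CA, as the limitations list recommends, the clone step is replaced by New-ExchangeCertificate -GenerateRequest, Import-ExchangeCertificate and Enable-ExchangeCertificate, and the yearly renewal dance goes away.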

oz Casey Dedeal,

MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +

Http://smtp25.blogspot.com (Blog)

Http://telnet25.spaces.live.com (Blog)

Http://telnet25.wordpress.com (Blog)

Friday, September 25, 2009

Outlook is retrieving data from the Microsoft Exchange Server

Outlook is retrieving data from the Microsoft Exchange Server mail1.smtp235.org; this "Christmas balloon" is not welcome by many Exchange administrators.

In the past I blogged about the reasons and how to troubleshoot the issue in detail; here is the link to that post.

Recently we found the same issue arising on one of our customers' networks. The Exchange servers in this environment had 32 GB of memory and 16 CPUs, so it was pretty easy not to start looking for server-side problems; rather, some other issue was causing the problem. Short story: we found out the problem was related to a DC/GC; decommissioning the problem DC/GC did the trick, and the famous balloon was gone.

I wanted to post a little, very useful piece of information that helps me know what to look for right off the bat (-:

Note:

Server name shown in "Outlook is retrieving data from..."    Who is causing the problem?
NetBIOS name                                             ---------->  Exchange server
FQDN                                                     ---------->  DC/GC

If the server name appears as a NetBIOS name, the data is being retrieved from an Exchange Server computer. If the server name appears as a fully qualified domain name (FQDN), the data is being retrieved from a global catalog server.


Friday, September 18, 2009

Installing Exchange 2007 SP2: Failed to initialize the log file: Access to the path 'C:\ExchangeSetupLogs\ExchangeSetup.log' is denied.

Are you installing Exchange 2007 SP2 on a Windows 2008 SBS server and getting the error below?

Failed to initialize the log file: Access to the path 'C:\ExchangeSetupLogs\ExchangeSetup.log' is denied.

Setup is being refused write access to its own log directory because it is not running elevated. The quick fix is to turn off UAC (Control Panel, User Accounts, Turn User Account Control on or off) for the duration of the install, and turn it back on afterwards. Starting setup from a command prompt opened with "Run as administrator" avoids the problem without touching UAC at all.

You will also need to follow the steps in KB 973862 if you receive the error below:

You must update your Windows Small Business Server 2008 settings both before and after you install Exchange Server 2007 Service Pack 2 (SP2). Before installing SP2 for Exchange Server 2007, read the detailed information at http://go.microsoft.com/fwlink/?LinkId=155135.

Open Regedit on the SBS server and navigate to:

  • HKEY_LOCAL_MACHINE
  • SOFTWARE
  • Microsoft
  • SmallBusinessServer
  • Exchange (create this key if it does not exist)
  • E12SP2READY (create this DWORD value as well, and set it to 1)
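The registry and UAC steps above, scripted as an added example (not from the post or the KB): it reports whether the shell is elevated and whether UAC is on, creates the SmallBusinessServer\Exchange key if needed, writes E12SP2READY as a DWORD of 1, and reads it back. The function names are mine; the key and value are the ones from the steps above.

```powershell
# Added example (not from the original post): prepare an SBS 2008 box for the Exchange 2007
# SP2 setup. Checks elevation (the condition behind the "access denied" on
# ExchangeSetup.log that the post works around by turning off UAC), creates the
# E12SP2READY flag from KB 973862, and verifies it.
# Assumption: run from PowerShell on the SBS server as an administrator.

function Test-IsElevated {
    # True when the current token holds the Administrators role, i.e. the shell was
    # started with "Run as administrator" or UAC is off.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal -ArgumentList $id
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-E12Sp2Ready {
    $key = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\Exchange'
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null          # "create this if it does not exist"
    }
    # DWORD E12SP2READY = 1, as the KB describes; -Force overwrites an existing value.
    New-ItemProperty -Path $key -Name 'E12SP2READY' -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-ItemProperty -Path $key -Name 'E12SP2READY').E12SP2READY
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: setup.com will fail writing C:\ExchangeSetupLogs. Re-run from an elevated prompt.'
}

# UAC state for the record; EnableLUA = 0 means UAC is off (turn it back on after the install).
$lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
Write-Host "EnableLUA (UAC) = $lua"

$value = Set-E12Sp2Ready
if ($value -ne 1) { throw "E12SP2READY is $value, expected 1" }
Write-Host 'E12SP2READY = 1 set; SBS is flagged ready for Exchange 2007 SP2.'
```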


Wednesday, September 16, 2009

Exchange 2010 and RIM support

There are no updates or any news, as far as I know, from RIM regarding Exchange 2010. RIM has not announced any type of support for Exchange 2010.

Exchange 2010 has changed a lot compared to Exchange 2007, and hence the current version of BES is not compatible with the beta version of Exchange 2010.

To be honest, I would love to see some testing going forward, and hopefully RIM will catch up by the official release day of Exchange 2010, which will be soon (-: (shhh, don't ask, it will be ready when it is ready).

The bottom line is, there is no support as of yet, and we are hoping RIM is working on it to catch up by the official Exchange 2010 release day.


Tuesday, September 8, 2009

What is business justification going from Exchange 2007 to Exchange 2010


I got a perfect response to my previous post from Mark Arnold, whom I respect *tons*; here is the link to his article.

With all respect, here is my response and my vision for the near future: the cost savings (Exchange 2010) and the even better, improved mail experience, with the reasons I will bring up one more time. I believe these reasons will make the difference.

Response:

Mark, I enjoy your blogs and respect your knowledge; in my personal opinion you are one of the most respected sources when it comes to Exchange (-:

To be clear, I never said the SAN will disappear; I said it will be off the Exchange plate. My logic and experience tell me *huge savings*, and here are the reasons why:

  • Saying the SAN is off the Exchange plate is, to me, a perfectly correct statement. Configuring Exchange with DAS is much cheaper, and I am sure you won't argue about that. The argument was about IOPS considerations, which is true, but as I remember Exchange 2010 achieves at least another 50 percent I/O reduction compared to Exchange 2007, due to major schema changes in the mailbox tables (still needs testing, I totally agree). MS is so sure of this that they don't even care about RAID configuration; basically they say use JBOD and Exchange 2010 will run on it, so we don't have to worry about the special RAID configurations separating logs from databases with RAID 1, RAID 10 and so forth. Would it be better if we still went for a RAID configuration that provides fast reads and writes? I would think yes, but I have to underline that since the application is much lighter, most of the operations are done in memory rather than on the disk, and therefore there is far less I/O to fear, as I understand it. This is why MS says the recommended mailbox size is whatever the business needs, 20 GB, 30 GB; Exchange 2010 doesn't care anymore.
  • We have been using NetApp as the SAN for many of our clients and have had only *positive* experiences; it rocks. It has never failed us even once over the years. This includes DR (SnapManager) and SMBR (Single Mailbox Recovery), which made my life easy over the years and led us to success in many cases. Again, I have nothing but positive experience so far. Good things in life come with a cost (-:, and that is true in this example.
  • The dependency on a SAN for Exchange has so far been critical for us, because many of our clients demand high availability, and with NetApp this is so easy to achieve (any other major SAN provider has similar offerings). Remember that the additional licensing for these capabilities contributes to the cost $$$$.
  • Now, the SAN spindles the Exchange servers use are SCSI, not SATA, due to performance considerations and, as you would imagine, fears related to SLAs most of the time. The cost of these drives plus support is very expensive most of the time, and the other features I listed to make Exchange redundant require additional licensing and cost $$$. Some of my clients would love to offload these SCSI drives to SQL servers and other applications, which would save them $$$ right off the bat.
  • Now the statement "Exchange is off the SAN plate" is going to be correct: since DAG provides redundancy, I can configure Exchange servers with DAS instead of SAN, and here is my first saving, and I know it is going to be *huge*.


  • Second, I might be using SAS drives rather than SCSI for the DAS shelves, and I know the saving is going to be *huge*.
  • I no longer have to purchase any third-party utility to provide redundancy; I don't have to worry about performance as much as I did before; and I don't need a SAN engineer to carve the LUNs and maintain the SAN for me, because DAS comes with much simpler software, in my opinion, and is much easier to manage, and the Exchange administrator can and will do everything the SAN engineer used to do. To me this is another *saving*.
  • I don't have to pay a third party for archiving, because Exchange 2010 does it out of the box, and I don't have to keep or dedicate a SAN for archived mail; I will simply keep it on DAS, and here is another saving for me. All that third-party software cost, licensing, implementation and maintenance is no longer needed, and that is another *saving* for me (-:

When I wrote the article I was being honest and letting everyone know what I see as my vision. Exchange 2010 is not a simple upgrade; to me it is the greatest mail application that has ever existed, and the reasons I listed above will take Exchange off the SAN.

I remember when we asked for a business justification, the answer we got from MS was simple and effective.

We asked for one business justification and MS gave us three of them (-:, I am sure you will remember (-:

  • Cost
  • Cost
  • Cost

When I deploy Exchange 2010 with DAS (-:, I promise to come back and update this article with performance, user experience, capacity and cost savings, if there are any (-:. I do know the numbers will be much lower (my vision), with a much, far better messaging experience for large environments, including BES implementation. If I am wrong, I promise to admit it as well (-:


Exchange 2010 High Availability and Why it is different from Exchange 2007?

Harold seems to have posted Scott's video on high availability in Exchange 2010. One of the most exciting features built into Exchange 2010 is for sure the DAG (database availability group).

  • Remember, in Exchange 2007 CCR (cluster continuous replication) you can have one active and one passive copy of a database.
  • A DAG can contain up to 16 mailbox servers, so each database can have up to 16 copies, one per server.

Scott Schnoll shares insights on the new high availability option in Exchange Server 2010 that provides better availability of Exchange databases using DAGs.

When it comes to design, as you can tell, this very flexible and smart design may be the best fit for your large environment.

Check it out; it's a really nice one.


Monday, September 7, 2009

What is business justification going from Exchange 2007 to Exchange 2010

I remember having a hard time arguing for going from 2003 to 2007 (-:, yet a burning desire to implement Exchange 2007.

The short story: the same question keeps going away and coming back, what is the business reason anyone should bring in Exchange 2010? I have written many little articles discussing why, and will continue to write as I see myself implementing Exchange 2010 more and more, more than any other version before (-:

Exchange 2010 will simply save $$$$$ for your business, and here are some of the major bullets on how:

  • Use cheap storage, direct attached storage (DAS), in place of a SAN for Exchange; as I have said several times, Exchange is off the SAN plate for the first time in history.
  • Huge savings from expensive SAN, and a single person will be able to take care of many things within the application without needing any third-party software or tools.
  • Less complexity, since no other product is being used for high availability and archiving.
  • Exchange archiving will provide for basic regulatory requirements, such as policies to implement security practices and satisfy auditing needs, e.g. e-mails older than 6 years (archived e-mails cannot be deleted).
  • No third-party utility to manage archived e-mail; it is all built into the Exchange application.
  • Great-looking menus, a light, fast OWA experience, and Outlook 2010 will add more joy to the Exchange 2010 journey.
  • A true DR solution is built right into the product. If companies choose to implement a DAG (database availability group) they are redundant: every single mailbox and its content is available if one server goes down; the end user sees about a minute of interruption and then the messaging experience comes right back up.
  • Major schema changes to the mailbox tables allowed a huge I/O reduction; there is simply no need for SIS (gone).
  • Better delegation for IT administrators, giving more options to end users (create a DL and invite others), taking heavy load off IT administrators.
  • Exchange 2010 is fully redundant right out of the box, just like Active Directory servers. You have to take every single Exchange server in the DAG down to stop end users from getting their mail.
  • Another 50% I/O reduction; the Exchange application is much lighter and faster, working more efficiently.

So have your management understand the $$$ saving part, the built-in redundancy, and providing end users with mailboxes as big as 20 or 30 GB so they never have to delete a single mail until they retire (-:, and then let your management decide not to move!!! (-:

I truly believe that when it comes to cost reduction, management gives a quick decision; it has always been this way and won't change.

 

 


Friday, September 4, 2009

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=916). Topology discovery failed, error SBS 2008

Problem: the Exchange Information Store and System Attendant services are not coming up, and the event logs are showing topology errors, Event ID 2114:

Log Name: Application
Source: MSExchange ADAccess
Date: 9/4/2009 3:39:41 PM
Event ID: 2114
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: SBS.to.local
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=916). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description.

Cause:

Disabling IPv6 in the TCP/IP properties of the NIC creates this problem on an SBS 2008 installation.

Solution:

Re-enable IPv6 on the NIC interface, then restart the Microsoft Exchange Active Directory Topology service (the Information Store and System Attendant depend on it).

Issues After Disabling IPv6 on Your NIC on SBS 2008

Properly Disabling IPv6

SBS 2008 is designed to fully support IPv6 and has IPv6 enabled by default. Most users should never need to disable IPv6; however, if you must disable it, here is how to do it properly. Unchecking the protocol on the adapter alone is what produced the topology error above; the registry value has to be set as well.

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see Microsoft Knowledge Base article 322756 (http://support.microsoft.com/kb/322756/).

  • Uncheck Internet Protocol Version 6 (TCP/IPv6) on your network card.
  • In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
  • Double-click DisabledComponents to modify the DisabledComponents entry. If the DisabledComponents entry is unavailable, you must create it: on the Edit menu, point to New, click DWORD (32-bit) Value, type DisabledComponents, and press ENTER.
  • Double-click DisabledComponents, enter "ffffffff" (eight f's), and click OK.
  • Reboot the SBS 2008 server.

Note: 0xffffffff disables all IPv6 components except the IPv6 loopback interface and makes Windows prefer IPv4 over IPv6. A later revision of KB 929852 recommends 0xff instead, because 0xffffffff also introduces a delay at boot.
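As an added diagnostic (not part of the original post or the SBS team's text), this PowerShell script checks the three things the post ties together on an SBS 2008 box: recent MSExchange ADAccess 2114 events, the Tcpip6 DisabledComponents value, and IP-enabled adapters with no IPv6 address. It only reads; the remediation remains what the post says (re-enable IPv6 on the NIC). The "no colon in any address means no IPv6 bound" test is a heuristic of mine, and the function names are hypothetical.

```powershell
# Added example (not from the original post): check an SBS 2008 server for the condition
# behind MSExchange ADAccess event 2114 (DSC_E_NO_SUITABLE_CDC) described above: IPv6
# unbound or disabled. Read-only; it reports and suggests, it does not change anything.
# Assumption: run in PowerShell on the SBS server.

function Get-RecentTopologyErrors([int]$Newest = 1000) {
    # Event 2114 from MSExchange ADAccess among the last $Newest Application events.
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { $_.Source -eq 'MSExchange ADAccess' -and $_.EventID -eq 2114 }
}

function Get-IPv6DisabledComponents {
    # KB 929852 value; $null means the value does not exist (IPv6 fully enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['DisabledComponents']) { return $p.DisabledComponents }
    return $null
}

function Get-AdaptersWithoutIPv6 {
    # Heuristic (mine): an IP-enabled adapter with no address containing ':' has no IPv6 bound.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { -not ($_.IPAddress | Where-Object { $_ -like '*:*' }) } |
        Select-Object -ExpandProperty Description
}

$errors   = @(Get-RecentTopologyErrors)
$disabled = Get-IPv6DisabledComponents
$noV6     = @(Get-AdaptersWithoutIPv6)

Write-Host ("Event 2114 occurrences in recent Application log: {0}" -f $errors.Count)
if ($disabled -ne $null) {
    # DWORD read back as Int32, so 0xffffffff prints as ffffffff.
    Write-Host ("Tcpip6 DisabledComponents = 0x{0:x8}" -f $disabled)
}
foreach ($nic in $noV6) { Write-Warning "No IPv6 address bound on: $nic" }

if ($errors.Count -gt 0 -and ($noV6.Count -gt 0 -or $disabled -ne $null)) {
    Write-Host 'Likely cause: IPv6 disabled or unbound. Re-check TCP/IPv6 on the NIC (and clear DisabledComponents), then restart the Microsoft Exchange Active Directory Topology service.'
}
```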


Wednesday, September 2, 2009

RSA SecurID Ready Implementation Guide Exchange 2007 ISA Server 2006

I spent quite a bit of time getting this working (-: and figured out that the official published guide needs serious updates, which I addressed in the previous articles; here I am putting the summary together.

Anyway, if you are planning to implement RSA in your environment, reading the previous articles will save you tons of headache, trust me (-:. I learned the hard way and, as always, don't want anyone to go through the same path, hence I am sharing the parts missing from that document. OWA is already standard for most government sites, and two-factor authentication is the way to go for most remote access scenarios. First, download the official RSA implementation guide.

Then download the SDTEST.EXE test authentication utility.

Now you are ready to move on; pay attention to the steps below.

  • After downloading SDTEST.EXE, make sure you get it working before you start touching the ISA server or the Exchange server. If SDTEST does not succeed you will only waste your time.
  • Ask your RSA administrator to follow the steps in the RSA guide and make sure you receive the sdconf.rec file.

Once you have this file, copy it into both of the following directories on each ISA server:

  • %WINDIR%\System32
  • C:\Program Files\Microsoft ISA Server\sdconfig

On the ISA server, if you have two legs (internal and external interfaces), make sure you add a static route so that the test utility is able to talk to the RSA servers. Issue route print first to see the current table. In this environment:

  • 172.26.7.197 is the gateway for the internal network
  • 172.26.114.202 is the ISA server IP

route add 172.26.114.202 mask 255.255.255.255 172.26.7.197 -p

The -p makes the host route persistent; confirm with route print that it is still present after the next reboot.


  • Add the following string value on each ISA array member, then restart the Firewall service (wspsrv.exe):
  • Key: HKEY_LOCAL_MACHINE\Software\SDTI\AceClient
  • Name: PrimaryInterfaceIP (string value)
  • Value: the IP address assigned to the interface that communicates with the RSA server
  • After restarting the Firewall service, test once more; bingo, it works.

  • On each ISA server, run the SDTEST.EXE utility. It lets you test user authentication from an Agent Host to the RSA Authentication Manager server. Upon a successful user authentication, the Node Secret file (SECURID) is created in the <windir>\system32 folder.
  • Before we move on, copy that local node secret file, SECURID, from <windir>\system32 to ...\Microsoft ISA Server\sdconfig.
  • Read this to understand why you just did the above (-:
  • The SDTEST authentication utility is used to verify that a computer running ISA Server can authenticate to a computer running RSA Authentication Manager. Note the following: SDTEST.EXE requires SDCONF.REC to be located in the ...\system32 folder to run and test authentication successfully. However, for ISA Server to authenticate to the RSA server successfully, SDCONF.REC must be located in the ...\Microsoft ISA Server\sdconfig folder. Also note that SDTEST.EXE does not require a Node Secret to authenticate, but ISA Server does require a Node Secret to authenticate.
  • The node secret is a shared secret between this agent host and the Authentication Manager. Treat both copies like a private key (restrict NTFS permissions to Administrators and the service account), and do not copy it to any other host. If the agent's copy and the Manager's record ever get out of sync, authentication fails until the node secret is cleared on both sides and re-created by a fresh successful SDTEST.
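The agent-side steps above (sdconf.rec in both folders, PrimaryInterfaceIP, Firewall service restart, node secret mirrored into sdconfig), scripted as an added example that is not part of the original post or of RSA's guide. $SdconfSource, $RsaFacingIp and the service display name 'Microsoft Firewall' are assumptions to adjust; the two folder paths and the registry key are the ones from the steps above.

```powershell
# Added example (not from the original post): stage the RSA Authentication Agent files on
# an ISA 2006 server as the steps above describe, then verify them.
# Assumptions (not in the post): sdconf.rec was delivered to $SdconfSource; $RsaFacingIp is
# the ISA interface that reaches the Authentication Manager; the Firewall service's display
# name is 'Microsoft Firewall'.
$SdconfSource = 'C:\Temp\sdconf.rec'                               # hypothetical drop location
$RsaFacingIp  = '172.26.114.202'                                   # hypothetical
$System32     = Join-Path $env:WINDIR 'system32'                   # SDTEST reads here
$IsaSdconfig  = 'C:\Program Files\Microsoft ISA Server\sdconfig'   # ISA itself reads here

function Get-FileSha256([string]$Path) {
    $sha  = [Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([IO.File]::ReadAllBytes($Path))
    return ([BitConverter]::ToString($hash)).Replace('-', '')
}

function Copy-AgentFile([string]$Name, [string]$From, [string]$To) {
    # Copy and confirm both copies are byte-identical: a stale or truncated sdconf.rec or
    # node secret is a classic reason for the agent being rejected by the Manager.
    $src = Join-Path $From $Name
    $dst = Join-Path $To   $Name
    if (-not (Test-Path $src)) { throw "$src not found" }
    if (-not (Test-Path $To))  { New-Item -Path $To -ItemType Directory | Out-Null }
    Copy-Item -Path $src -Destination $dst -Force
    if ((Get-FileSha256 $src) -ne (Get-FileSha256 $dst)) { throw "$Name copy mismatch" }
    return $dst
}

# 1. sdconf.rec must exist in BOTH places: system32 for SDTEST, sdconfig for ISA.
$srcDir = Split-Path $SdconfSource -Parent
Copy-AgentFile -Name 'sdconf.rec' -From $srcDir -To $System32    | Out-Null
Copy-AgentFile -Name 'sdconf.rec' -From $srcDir -To $IsaSdconfig | Out-Null

# 2. Tell the agent which interface talks to the RSA server (REG_SZ PrimaryInterfaceIP).
$key = 'HKLM:\SOFTWARE\SDTI\AceClient'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'PrimaryInterfaceIP' -PropertyType String -Value $RsaFacingIp -Force | Out-Null

# 3. Restart the Firewall service (wspsrv.exe) so it re-reads the configuration.
Restart-Service -DisplayName 'Microsoft Firewall'

# 4. Run SDTEST.EXE by hand now. A successful test writes the node secret SECURID into
#    system32; ISA needs its own copy in sdconfig, so mirror it and verify the hashes.
if (Test-Path (Join-Path $System32 'SECURID')) {
    Copy-AgentFile -Name 'SECURID' -From $System32 -To $IsaSdconfig | Out-Null
    Write-Host 'Node secret mirrored to the ISA sdconfig folder.'
} else {
    Write-Warning 'No SECURID node secret yet: run SDTEST.EXE and authenticate once, then re-run this step.'
}
```

Run it once per ISA array member. Step 4 is deliberately split from the rest: the node secret only exists after a successful SDTEST, so the script reports rather than guesses when it is missing.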

Now move on to the ISA server:

  • Back up the ISA configuration
  • Configure the CAS listener
  • Configure client authentication on the listener

Then configure the Exchange default website on the CAS. Both are covered step by step in the earlier posts of this series.

Now it is time to test it.

I hope this saves some of you out there time and headaches.


RSA OWA & ISA 2008 Exchange 2007

100; Access denied, RSA ACE/Server rejected the passcode that you supplied. Try again with a valid passcode.

One last thing I forgot to mention is to copy the local node secret file, SECURID, from system32 into the sdconfig folder:

  • SECURID from <windir>\system32 to ...\Microsoft ISA Server\sdconfig
  • On each ISA server, run the SDTEST.EXE utility. It lets you test user authentication from an Agent Host to the RSA Authentication Manager server. Upon a successful user authentication, the Node Secret file (SECURID) is created in the <windir>\system32 folder.
  • The SDTEST authentication utility is used to verify that a computer running ISA Server can authenticate to a computer running RSA Authentication Manager. Note the following: SDTEST.EXE requires SDCONF.REC to be located in the ...\system32 folder to run and test authentication successfully. However, for ISA Server to authenticate to the RSA server successfully, SDCONF.REC must be located in the ...\Microsoft ISA Server\sdconfig folder. Also note that SDTEST.EXE does not require a Node Secret to authenticate, but ISA Server does require a Node Secret to authenticate.


RSA ISA 2006 Exchange 07 CAS Configuration Part III

Now it is time to jump on the ISA server and make the configuration changes to get RSA working. Let's start by backing up the ISA configuration in case (-: things go bad (or turn to crap (-:) and we need to roll back the changes to get things up and running again.

Log into the ISA server and open the ISA console. We will back up the entire ISA configuration as well as the one rule we will be changing: under Arrays, right-click the server and choose Export (Backup), then follow the wizard with Next.

We can do the same for a single rule.

The first rule I have is the existing OWA rule. You can disable this rule and create another one, delete it, or modify it; all of these will work. I prefer modifying the existing one.

Right-click the existing rule and go to Properties, then open the listener's Properties once more and check:

  • HTML Form Authentication
  • RSA SecurID

Then under Authentication Delegation select:

  • Basic authentication

Click OK to get out, then log into the CAS server:

  • Server Configuration
  • Client Access
  • open the properties of Exchange (Default Web Site)
  • click Authentication and set it to Basic authentication (password is sent in clear text)

"Clear text" here refers to the hop between ISA and the CAS: ISA collects the passcode and password on its form and then delegates the password to the CAS with Basic. Keep the ISA-to-CAS web publishing connection on HTTPS, or that warning becomes literally true on your internal network.

Click OK and issue

  • iisreset /noforce
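The Exchange Management Shell equivalent of the CAS steps above, as an added example (not from the original post): it sets the OWA virtual directories the ISA rule publishes to Basic authentication only, reads the result back, and warns if the CAS-side URL is not HTTPS. The CAS name and the list of virtual directories are assumptions; the post changes Exchange (Default Web Site), and owa (Default Web Site) is included because that is the directory Exchange 2007 mailboxes actually use.

```powershell
# Added example (not from the original post): EMS equivalent of switching the published
# OWA virtual directories to Basic authentication only so ISA can delegate credentials,
# then recycling IIS as the post does.
# Assumptions (not in the post): $Cas is your CAS host name; $Dirs matches what your ISA
# rule publishes.
$Cas  = 'CAS01'                                                     # hypothetical
$Dirs = @("$Cas\Exchange (Default Web Site)", "$Cas\owa (Default Web Site)")

function Set-BasicOnly([string]$Identity) {
    # Turn off forms auth on the CAS (ISA now presents the form) and every other method,
    # leaving Basic only, which is the scheme ISA's "Basic authentication" delegation uses.
    Set-OwaVirtualDirectory -Identity $Identity `
        -FormsAuthentication $false `
        -WindowsAuthentication $false `
        -DigestAuthentication $false `
        -BasicAuthentication $true
    return Get-OwaVirtualDirectory -Identity $Identity
}

foreach ($id in $Dirs) {
    $vd = Set-BasicOnly $id
    # Show what was applied, and check that the CAS-side URL is HTTPS: with Basic on the
    # wire, the ISA-to-CAS hop must be TLS or the password really is in clear text.
    Write-Host ("{0}: Basic={1} Forms={2} Windows={3} InternalUrl={4}" -f $vd.Identity,
        $vd.BasicAuthentication, $vd.FormsAuthentication, $vd.WindowsAuthentication, $vd.InternalUrl)
    if ($vd.InternalUrl -and $vd.InternalUrl.Scheme -ne 'https') {
        Write-Warning "$($vd.Identity): InternalUrl is not HTTPS"
    }
}

# Apply to IIS without dropping in-flight requests, as in the post.
iisreset /noforce
```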

Now if you open your webmail URL you will see the ISA logon form, with fields similar to these:

  • Username: your username
  • Passcode: your PIN (6 digits in this example) followed by the 6-digit tokencode currently shown on the RSA token
  • If your PIN is 123456 and the RSA token is showing XXXYYY, the passcode is 123456XXXYYY
  • Password: your Windows password

After a successful two-factor login to OWA you will see your e-mails.
