Does a 2012 DC generate exchange certificates on Exchange 2007 server?

Similar Messages

• Error During install Exchange 2013 through Powershell on Server 2012 "Mailbox role: Client Access service"

  Dear all
  During install Exchange 2013 through Powershell on Server 2012 I got this error in Mailbox role: Client Access service :
  The following error was generated when "$error.Clear();
  $BEVdirIdentity = $RoleNetBIOSName + "\OWA (Exchange Back End)";
  new-OwaVirtualDirectory -Role Mailbox -WebSiteName "Exchange Back End" -DomainController $RoleDomainController
  set-OwaVirtualdirectory -Identity $BEVdirIdentity -FormsAuthentication:$false -WindowsAuthentication:$true;
  " was run: "An error occurred while creating the IIS virtual directory 'IIS://MONAMBX2.mona.local/W3SVC/2/ROOT/o
  wa' on 'MONAMBX2'.".
  The following error was generated when "$error.Clear();
  $BEVdirIdentity = $RoleNetBIOSName + "\OWA (Exchange Back End)";
  new-OwaVirtualDirectory -Role Mailbox -WebSiteName "Exchange Back End" -DomainController $RoleDomainController
  set-OwaVirtualdirectory -Identity $BEVdirIdentity -FormsAuthentication:$false -WindowsAuthentication:$true;
  " was run: "The operation couldn't be performed because object 'MONAMBX2\OWA (Exchange Back End)' couldn't be fo
  und on 'MonaDc1.mona.local'.".
  Any advice please !!

  I can't answer your question but I had a similar issue when I was trying to move our mailbox database off the C: drive.  Our environment still has an Exchange 2007 server in it and when I was trying to move the database on the 2013 server, I would get
  error messages saying the database does not exist.  It seemed like it was trying to move the database on the 2007 server from the similar error messages that I was getting.  To get around it, I deleted the database and created a new one on the drive
  where we wanted it.
  I discovered this when I was configuring the Antispam settings.  I deleted our 2007 settings, added them to the 2013 shell, the settings appeared on our 2007 server.  The shell on 2013 was making changes to 2007.
  I'm not sure if there is a "Get|Set or New" command that I/we should be using when this happens.  Or maybe my issues will be fixed if I just remove the Exchange 2007 server?  I'm not ready to do that yet because I can't configure the spam filtering
  on 2013 yet with its shell not being able to make the changes that we need.
  I don't know if your environment is in coexistence mode like mine.
  Hopefully someone else out there has an answer or can tell us when/how the shell can make the appropriate changes to the 2013 server.  Does this happen after the 2007 server is removed?

• Unable to set (ssl) certificate on a SQL Server 2012 clustered instance

  Hello everyone!
  I'm trying to encrypt the SQL Server communication with SSL but I can't add the certificate in the configuration manager. I've found and tried a lot of different explaination but none of them worked. I'll described what I've done and hope someone will point
  out what I'm missing.
  Here is my situation:
  - SQL Server 2012 Enterprise Edition. Instance name = INSTANCE, FQDN =  SQINSTANCE.mydomain.com. The instance is running under a customized service account: mydomain\sql_sa
  - Two cluster nodes running Win Server 2008R2: NODE1.mydomain.com and NODE2.mydomain.com. Cluster itself is CLUSTER.mydomain.com
  What I've done:
  1) Asked the team in charge to generate a certificate issued to "SQINSTANCE.mydomain.com" with aliases to "NODE1.mydomain.com", "NODE2.mydomain.com" and "CLUSTER.mydomain.com". I get a certificate with "p7b"
  as extension
  2) Connect on "NODE2.mydomain.com" with account "mydomain\sql_sa". Opened MMC and added the certificate under "Personnal" folder. I tried to add it with "Current user" and "Local computer" settings. Saw both
  on internet since I use a specific service account
  3) Get the thumbprint of the certificate and add it under HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL11.INSTANCE\MSSQLServer\SuperSocketNetLib\Certificate. (I triple checked to remove blanks or special characters)
  4) Reboot the node
  5) Open the SQL Server Configuration Manager, go to the network properties. Certificate does not appear in the list
  I tried to check with certutil and saw the certificate in the output. Some guys talked about some private key but I don't see this particularity in my situation. I tried to check if the certificate is valid and, according to the criterias, it is.
  Does anyone can help me with this?

  Hi,
  Are you sure you've got the certificate correct?  http://msdn.microsoft.com/en-us/library/ms191192.aspx
  To use encryption with a failover cluster, you must install the server certificate with the fully qualified DNS name of the virtual server
  on all nodes in the failover cluster. For example, if you have a two-node cluster, with nodes named test1.<your
  company>.com and test2.<your
  company>.com, and you have a virtual server named virtsql, you need to install a certificate for virtsql.<your
  company>.com on both nodes. You can set the value of the ForceEncryptionoption
  toYes
  In your case, shouldn't it be created for CLUSTER.mydomain.com?
  Thanks, Andrew
  My blog...

• Checklist for Exchange Certificate issues

  Checklist for Exchange Certificate issues
  1. 
  Why certificate is important for Exchange and What are Certificates used for
  Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
  securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
  Certificates are used for several things on Exchange Server. Most customers also use certificates
  on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
  IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
  POP/IMAP
  SMTP
   2. 
  Common symptoms for
  certificate issue
  Here we can see three different types of the certificate warning, mainly from the Outlook
  side.
  a.
  Certificate mismatch issue
  b.
  Certificate trust issue
  c.
  Certificate expiration issue
  3. 
  Checklists
  In this section, checklists will be provided according to the three different scenarios:
  Certificate Mismatch Issue
  [Analysis]:
  This issue mainly occurs because the URL of the web services Outlook tries
  to connect does not match the host name in the certificate.
  [Checklist]:
  Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
  Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
  In this scenario, you need to check the host name for the following services:
  Autodiscover
  EWS
  OAB
  ECP
  UM
  If any of the urls above does not match the one in the certificate, refer to the following article to change
  it via EMS:
  http://support.microsoft.com/kb/940726
   1.
  Do not forget to restart the IIS service after applying the changes above.
   2. Make sure a valid certificate is enabled on the IIS service.
  Certificate Trust Issue
  [Analysis]:
  For the self-signed and PKI-based (Enterprise)
  certificates, they are not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, Third-party or commercial
  certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
  greatly simplifies deployment.
  [Checklist]:
  If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder:
  If it is a 3^rd-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local
  client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
  Certificate Expiration Issue
  [Checklist]:
  When a certificate is about to expired, we just need to renew it by referring the following article:
  Renew an Exchange Certificate
  http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
  To avoid any conflictions, it’s recommended to remove the expired certificate from the certificate store.
  [How to set a reminder to alert the administrator when a certificate is about to expired]:
  It’s easy to fix the certificate expire issue. But it should be more important to set a reminder before the
  certificate expiration. Or there can be a large user impacts.
  Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
  If it’s not quite visible, we can refer to the following solution:
  http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
  OWA certificate revoked issue
  [Analysis]:
  IE
  includes support for server certificate revocation which verifies that an issuing
  CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions
  are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
  [Solution or workaround]:
  1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
  2. If not, check whether the certificate has a private key.
  3. Remove the old certificate and import the new one.
  Workaround:
  IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
  checkbox.
  4. 
  More References
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  More on Exchange 2007 and certificates - with real world scenario
  http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

  (Reported previous post with link to SIS package to moderator)
  This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
  Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
  But there are no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
  At this point, try 2.7.0 which is out now:
  http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
  Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
  I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this my using Wifi (if possible).
  Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

• Does anybody know if I can substitute the exchange rate in a CO document?

  Dear experts,
  Does anybody know if I can substitute the exchange rate field in a CO document creation?
  We have a header substitution in FI to populate the constant 1 in the exchange rate field every time we use a specific currency. And this substitution is working fine in FI, but if in the FI document we post an expense account, it generate a controlling document and this controlling document take as an exchange rate the one that the system has, not the constant. Does anybody know if I can create the same substitution for CO documents?
  Best Regards,
  Tatiana

  Hi Tatiana ,
  I guess you cannot do that .. but never tried that ..
  Please refer OSS Note : 392273  which specifies when Validation/Substitution is called in CO
  Regards
  Sarada

• Does SCCM 2012 monitor SCCM 2007 as well?

  I have a SCOM environment and I have two SCCM environments - one is 2007 and the other is 2012R2. We are migrating from 2007 to 2012R2. I have both SCCM 2007 and 2012 MPs imported.
  One thing I've noticed is that all the objects from the 2007 MPs are labeled ConfigMgr 2007, while the objects from the 2012 MPs are just labeled ConfigMgr. And when I create a subscription to send all alerts on ConfigMgr (I filtered to only show objects
  in Microsoft.SystemCenter2012.ConfigurationManager.Library MP) it will send out notifications for all SCCM alerts. 
  So does the 2012 MP monitor 2007 as well? And if so, how can I create a subscription to only notify for 2012? I currently set up the subscription directly against the 2012 servers, but I'd like to have it go against the application instead.
  Thanks.
  - Get on the floor, do that dinosaur

  Yes, we have Exchange. But it doesn't make sense that a subscription criteria set to the ConfigMgr application would send alerts regrading Exchange. Maybe because the SCCM client is installed on those servers...?
  False alerts as in SCOM thinks one thing but its not actually the case. For example, thinking that an Exchange server is a SCCM server. And Alerting on SCCM 2007 instead of 2012. 
  - Get on the floor, do that dinosaur

• Preparing new Certificate for Exchange - how to cover the .local domain names

  I need to plan out our new certificate for our CAS servers. Exchange 2010 SP3. Our current SAN certificate has several names including our Exchange FQDN's which are exserver.domain.local. I know our CA will not let me generate SAN's with a .local anymore
  so how do I cover the Exchange internal FQDN's in the certificate? 
  I did a get-exchangecertificate and the only certificates I have are the public CA with all the SAN's and Services are IP.WS. The other two Exchange certificates are self signed but only for SMTP "S".
  You can only have one certificate for web services "W" so how do you get around the Exchange FQDN? Our internal autodiscover, availability and OOF etc....that Outlook uses all use the Exchange internal FQDN of servername.domain.local.
  Even if I generate another Exchange certificate for the server FQDN and submit it to our internal CA, I cannot enable web services on this certificate because my public certificate is already enabled for web services.
  Need some help here. I am really stumped on this one.

  Hi Shadowtuck,
  It is suggested to post in the Exchange forum:
  https://social.technet.microsoft.com/Forums/en-US/home?category=exchangeserver
  In addition, hope the link below could be helpful for you:
  Global changes in legislation regarding SAN SSL Certificates
  http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• How to create a SHA256 SAN Certificate for Exchange

  Dear.
  When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
  It seems that it's not possible to do this through the New-exchangecertificate.
  Do you know the alternative command when using certreq for the following Exchange command:
  New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com')
  -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048' 
  Thanks for the feedback.
  Regards.
  Peter
  Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

  Hi Peter,
  There is no parameter in New-ExchangeCertificate to select the Algorithm type (Secure Hash Algorithm (SHA)) to generate request. Personal opinion, we can create the certificate signing request using the Certificates MMC and then creating a custom request
  as follows:
  1. Open MMC.exe. Click File >
  Add/Remove snap in…
  2. In the Available snap-ins tab, select Certificates >
  Add > Computer account > Local computer >
  Finish.
  3. Expand Certificates (Local Computer) > Personal > Certificates.
  4. In Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.
  5. click Next > Proceed without enrollment policy > Next > Next.
  6. In Certificate Information page, click Details > Properties.
  7. Then you can fill in the needed information for your request.
  8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to
  sha256.
  9. Click OK > Next. Fill in File Name and select the request location.
  10. Finish it and send this request to the certificate authority.
  Regards,
  Winnie Liang
  TechNet Community Support

• DPM 2012 SP1 - Protecting Exchange 2010 and Exchange 2013 at the same time

  Hi,
  From which Exchange Server am I commited to copy the ESEUTIL.exe and ESE.dll to the DPM Directory for protecting the whole Exchange databases from both products (2010 and 2013) ?
  Thanks for replies.
  Regards
  Phil

  The visual c++ libraries actually need to be installed on the Exchange 2013 server.
  To protect Exchange 2013 with DPM SP1, in addition to copying the ese.dll
  and eseutil.exe files to the DPM
  bin folder, you also need to install the
  Visual C++ redistributable for Visual Studio 2012 Update 1(vcredist) on your Exchange server. You can download it from
  http://www.microsoft.com/en-us/download/ details.aspx?id=30679
  Installing vcredist on your Exchange server loads components of Visual C++ libraries. The Visual C++ libraries are needed when an application that was developed using Visual Studio 2012
  is installed on a computer that does not have Visual Studio 2012 installed. Without Visual Studio 2012 or the Visual C++ libraries, you will run into errors trying to protect Exchange 2013.
  Let us know if it works after doing this.
  NOTE: The Exchange 2013 ese.dll and eseutil.exe files will cover Exchange 2010 also.
  My Blog | www.buchatech.com | www.systemcenterportal.com
  If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion
  in a test environment before implementing!

• Is Exchange 2010 supported on Windows Server 2012 R2?

  According to the 
  Understanding Exchange 2007 upgrade prerequisites, https://technet.microsoft.com/en-US/Library/ee958305
  these are the supported windows operating systems
  64-bit edition of Windows Server 2008 Standard Service Pack 2
  64-bit edition of Windows Server 2008 Enterprise Service Pack 2
  64-bit edition of Windows Server 2008 Standard R2
  64-bit edition of Windows Server 2008 Enterprise R2
  has this list been
  upgraded to include Windows server 2012 R2?? I am planning to migrate my Exchange 2007 server to 2010.
  I have a downgrade license to 2008 STD R2, so i am wondering if i will have to downgrade the OS.
  Thanks
  B
  Bobby

  It's supported on Windows Server 2012 but NOT R2
  https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx

• Cannot open install assistant.  I get this error message: The application cannot be installed due to a certificate problem.  The certificate does not match the installed application certificate, does not support application upgrades, or is invalid.  Pleas

  How can I downloade a trial of Adobe Elements 12? 
  I followed the instructions to download assistant...but get this message: The application cannot be installed due to a certificate problem.  The certificate does not match the installed application certificate, does not support application upgrades, or is invalid.  Please contact the application author.

  Hi alposer,
  Please remove the copy of the Adobe Download Assistant you currently have installed and then reinstall the Adobe Download Assistant.
  Regards,
  Rave

• Problem with Generate a certificate and Key

  I have a Cisco S370 and generated a certificate Key to block HTTPS pages.
  I require a CA signs the certificate generated by the Cisco S370, but the CA returns me an error and asks the key is changed to 2048, but I have no option to do this in the GUI, look in the CLI but can not find any option to change the HTTPS certificate key 2048
  You can change the certificate that was generated by the WSA S370 to 2048

  In addtition to Kush's response, we had a similar thread in the past. Please refer to:
  https://supportforums.cisco.com/message/3900340?referring_site=bss&channel=bdp#3900340
  Also, please note it would be advisable to refer to this Feature Request using Cisco Bug ID CSCzv70884 instead of
  86121.
  You can search for Bug IDs using Cisco Bug Search Tool :
  https://tools.cisco.com/bugsearch/
  From this tool, you can not only obtain info about the bug but also open TAC cases and Save the bug so you can get updates.
  Regards,
  -Valter

• Problem Generating a certificate request

  I have a couple of Windows 2003 R2 SP2 servers hosting several instances of ADAM.  I am using certreq to generate the certificate requests for these servers so I can use SSL in connecting to ADAM but I am getting an error.  This is the request.inf I am using (pretty much straight from an MS article...) to generate the request...
  ;----------------- request.inf -----------------
  [Version]
  Signature="$Windows NT$
  [NewRequest]
  Subject = "CN=servername.childdomain.rootdomain.com" ; replace with the FQDN of the DC
  KeySpec = 1
  KeyLength = 1024
  ; Can be 1024, 2048, 4096, 8192, or 16384.
  ; Larger key sizes are more secure, but have
  ; a greater impact on performance.
  Exportable = TRUE
  MachineKeySet = TRUE
  SMIME = False
  PrivateKeyArchive = FALSE
  UserProtected = FALSE
  UseExistingKeySet = FALSE
  ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  ProviderType = 12
  RequestType = PKCS10
  KeyUsage = 0xa0
  [EnhancedKeyUsageExtension]
  OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
  I am using this command....  certreq -new request.inf request.req
  After hitting enter, it sits there for about 10 seconds and gives me this error back...
  Certificate Request Processor: Access is denied.  0x80070005 (WIN32: 5)
  [RequestAttributes]
  I have searched on this error and have not found much of anything on it.  This process seems to work fine on other servers that I have, but these two servers both generate this error.  Both servers are clean builds and only have ADAM installed on them.  I am a local admin on both servers so it doesn't appear that there should be any permission issues as implied by the error message. 
  Anyone have any ideas?
  Thanks!

  Hello Bryan,
  First of all, please make sure that the CA certificate is added into the Trusted Root certificate store on the servers. If the certificate web enrollment is enabled, please check how a certificate request works on that two server generate the error.
  Meanwhile, please verify the security permission on the MachineKeys directory:
  1.    Open Windows Explorer, and find the MachineKeys directory in the following location:
  Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  2.    Right-click the directory, and click Properties.
  3.    Click the Security tab, and ensure that the full control permission for the Administrators
  How to: Change the Security Permissions for the MachineKeys Directory
  http://msdn.microsoft.com/en-us/library/bb909654.aspx
  Hope it helps.

• How to generate a certificate request with more than one OU?

  We're using Sun Java System Web Server 6.1 SP4. The Corp. has it's own CA and organize their certificates in a hierarchical rule with more then one organization unit (OU) in a chain.
  So what we need is generate a certificate requeste with more than one OU, but the Web Server wizard has only one text field for it. We've already tried to fill in this field the complete chain of OUs like "ou=orgX, ou=deptY, ou=secZ" and didn't work either.
  Thank's in advance,
  Jeff!

  Do you have tried with the command line "certutil" ?
  #<SERVER-ROOT>/bin/https/admin/bin/certutil

• Does the 2012 Mac mini come with iWork?

  Does the 2012 Mac mini come with iWork?

  Can I download iWork? Or could I just download Microsoft office from the Microsoft website so I don't have to buy a disk drive?