Exchange 2007 self assigned certificates
Hello
we are receiving the following event 12018.......
The STARTTLS certificate will expire soon: subject: remote.domain.com, hours remaining: BB13C8B6855C95ABDB325D7ED3254CAD19723E75. Run the New-ExchangeCertificate cmdlet to create a new certificate.
We ran through the steps of creating a new certificate and it expires in 2020.
Why are we continuing to receive this event?
Thank you
Hi,
The Event 12018 in your original posting indicates that the certificate BB13C8B6855C95ABDB325D7ED3254CAD19723E75 will expire. You have 2020 hours to renew a certificate by using the New-ExchangeCertificate cmdlet.
Please check whether there is any error when you use the Exchange service. If the certificate issue still persists, please run the following command to check your Exchange certificate configuration:
Get-ExchangeCertificate | fl
Regards,
Winnie Liang
TechNet Community Support
Similar Messages
-
Why ASA creates self assigned certificate on each reboot
Hi Everyone,
I noticed
"By default, the security appliance has a self-signed certificate that is regenerated every time the device is rebooted. We can purchase your own certificate from vendors, such as Verisign t, or you can configure the ASA to issue an identity certificate to itself. This certificate remains the same even when the device is rebooted.
Need to know the reason behind the creation of self assigned certificate on each reboot?
Regards
Mahesh
Hello Mahesh,
As you mention, that's by default and by design.
That helps us in the case where we set up an SSL session to the box (AnyConnect, ASDM), as we will not need to go a step further and manually create or generate an SSL certificate.
Why?
Because the firewall will do it automatically, although if you purchase one from a CA you can overwrite it by installing the certificate and setting it as the SSL certificate for any SSL session.
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura -
Renew Exchange 2007 self signed SSL cert : Warning
Hi,
We are getting an issue with the new SSL certificate being created.
WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
'1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
connectors match that FQDN: Send to Internet.
Here's the code below:
[PS] C:\Windows\System32>get-exchangecertificate | list
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter : 7/23/2014 1:46:15 PM
NotBefore : 7/23/2012 1:46:15 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 52F90CEC000000000005
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
ph
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
[mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter : 7/23/2014 11:44:05 AM
NotBefore : 7/23/2012 11:44:05 AM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 5289341C000000000003
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
ph
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
[PS] C:\Windows\System32>get-exchangecertificate 1B6705DB9755A75E94F5B05081AEDED3A0065D4A | New-ExchangeCertificate
WARNING: This certificate will not be used for external TLS connections
with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate
with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
precedence. The following connectors match that FQDN: Default PPLOEX2K7.
WARNING: This certificate will not be used for external TLS connections
with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate
with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
precedence. The following connectors match that FQDN: Send to Internet.
Confirm
Overwrite existing default SMTP certificate,
'99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB' (expires 7/23/2014 11:44:05
AM), with certificate 'F835E526BC8D3805E7AA230A17C5971872D3759C'
(expires 7/22/2015 10:17:51 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):y
Thumbprint Services
Subject
F835E526BC8D3805E7AA230A17C5971872D3759C ..... C=ph, S=NCR, L=Pasig, O...
[PS] C:\Windows\System32>get-exchangecertificate | list
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : True
Issuer : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
om
NotAfter : 7/22/2015 10:17:51 AM
NotBefore : 7/22/2014 10:17:51 AM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 6B5A6E27C63C36A54FDD3E07FF982497
Services : IMAP, POP, SMTP
Status : Valid
Subject : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
om
Thumbprint : F835E526BC8D3805E7AA230A17C5971872D3759C
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter : 7/23/2014 1:46:15 PM
NotBefore : 7/23/2012 1:46:15 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 52F90CEC000000000005
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
ph
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
[mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter : 7/23/2014 11:44:05 AM
NotBefore : 7/23/2012 11:44:05 AM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 5289341C000000000003
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
ph
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
[PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint F835E526BC8D3805E7AA230A17C5971872D3759C -Service IIS, SMTP, IMAP, POP
WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with
thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The
following connectors match that FQDN: Default PPLOEX2K7.
WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
'1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
connectors match that FQDN: Send to Internet.
[PS] C:\Windows\System32>
Hi Jammizi,
I collect some information from the command results as below:
1. When run Get-ExchangeCertificate | FL command, it returned 2 certificates.
•Certificate01
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
IsSelfSigned : False
Services : IMAP, POP, IIS
•Certificate02
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
IsSelfSigned : False
Services : IMAP, POP, SMTP
2. When run Get-ExchangeCertificate 1B….4A (Certificate01) | New-ExchangeCertificate, got warning.
Overwrite Certificate02 (99…BB) to Certificate03 (F8…9C).
3. When run Get-ExchangeCertificate | FL command, it returned 3 certificates.
•Certificate03
Thumbprint : F835E526BC8D3805E7AA230A17C5971872D3759C
IsSelfSigned : True
Services : IMAP, POP, SMTP
•Certificate01
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
IsSelfSigned : False
Services : IMAP, POP, IIS
•Certificate02
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
IsSelfSigned : False
Services : IMAP, POP, SMTP
4. When run Enable Certificate03 command, got warning.
According to the information above, please notice that both Certificate01 and Certificate02 are not self-signed certificates. And the New-ExchangeCertificate command in Exchange 2007 server is used to create a new Exchange self-signed certificate. I suggest double-checking whether your org has self-signed certificates. If your org only needs 3rd party certificates without a self-signed certificate, I suggest applying for a new certificate from the CA.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
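A read-only check for the two threads above (the Event 12018 question at the top of the page and the "takes precedence" warning), added here as an example and not code from either post. It lists each installed certificate with its remaining hours, reports whether the thumbprint named in the event is still installed, and shows every certificate whose names include a connector FQDN. `$fqdn` is a placeholder and `$warnHours` is an assumed threshold.

```powershell
# Added example, not from the thread. Read-only; run in the Exchange Management Shell.
$eventThumbprint = 'BB13C8B6855C95ABDB325D7ED3254CAD19723E75'  # thumbprint quoted in the Event 12018 thread
$fqdn            = 'mail1.example.com'   # placeholder: use the FQDN quoted in the TLS warning
$warnHours       = 24 * 30               # assumption: review anything inside 30 days

$now = Get-Date

# One row per installed certificate. HoursRemaining is directly comparable
# with the "hours remaining" figure in Event 12018.
$inventory = @(Get-ExchangeCertificate |
    Select-Object Thumbprint, IsSelfSigned, Services, Status, NotAfter,
        @{ Name = 'HoursRemaining'; Expression = { [math]::Floor(($_.NotAfter - $now).TotalHours) } },
        @{ Name = 'Names';          Expression = { @($_.CertificateDomains | ForEach-Object { "$_" }) } })

$inventory | Sort-Object NotAfter |
    Format-Table Thumbprint, IsSelfSigned, Services, Status, NotAfter, HoursRemaining -AutoSize

# Is the certificate named in the event still installed, and what is it bound to?
$named = $inventory | Where-Object { $_.Thumbprint -eq $eventThumbprint }
if ($named) {
    Write-Host ('Event certificate still installed: {0} hours left, services: {1}' -f `
        $named.HoursRemaining, $named.Services)
} else {
    Write-Host "Certificate $eventThumbprint is not installed on this server."
}

# Anything else inside the review window
$inventory | Where-Object { $_.HoursRemaining -lt $warnHours } |
    Format-Table Thumbprint, Services, NotAfter, HoursRemaining -AutoSize

# Every certificate whose names include the connector FQDN, CA-issued first.
# No filter on Services here: in the output posted above, the certificate the
# warning names (1B6705DB9755A75E94F5B05081AEDED3A0065D4A) lists IMAP, POP, IIS
# and is still the one reported as taking precedence.
$inventory | Where-Object { $_.Names -contains $fqdn } |
    Sort-Object IsSelfSigned, NotAfter |
    Format-Table Thumbprint, IsSelfSigned, Services, NotAfter -AutoSize
```

If the last table shows both a CA-issued and a self-signed row for the same FQDN, that is the overlap the warning in the thread describes.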
Changing/Replacing Exchange 2007 MBX VM
Hello folks,
I currently have the Exchange 2007 Mailbox role on a separate VM and HUB/CAS on a separate VM. The current Mailbox VM is having a problem: it seems the VMX file of the VM got corrupted, backups on Veeam and Symantec are taking a hell of a time to finish, and even the mailbox server itself is very slow. There is a tedious workaround to rectify this issue, and it seems to me the solution would be:
Build new VM.
Install Exchange 2007 Enterprise
Assign new Disks and create new DBs.
Move mailboxes
What precautions should I take during this process?
The current Exchange 2007 role has almost 2500 mailboxes, the sizes range between 100MB and 5GB, and the mailboxes are spread over almost 20 DBs. All the DBs are defined on separate VMDK disks and all the logs of those DBs are on a different VMDK disk.
What I'm planning to do is to combine multiple databases onto single disks to reduce the number of disks that are hosting the DBs.
What is the best approach to achieve this?
Regards,
Hi,
Just go ahead.
Create a new VM, prepare Windows Server, install Exchange 2007, move to the new VM.
Find information for your reference:
XADM: How to Move Exchange Server to a New Computer That Has the Same Name
http://support.microsoft.com/kb/155216/en-us
How do I move Exchange Server to a new server?
http://windowsitpro.com/windows/how-do-i-move-exchange-server-new-server
Thanks -
Virtual Machine Manager. Assigning certificate.
Hi all.
I'm deploying a Hyper-V cluster with VMM management.
I have a wildcard certificate for my domain.
I've attached this certificate to AppController, installed this certificate according to this article (http://technet.microsoft.com/en-us/library/dn469415.aspx) and installed it to the Hyper-V nodes.
Access to AppController works fine.
But when I try to launch Console to VM, I've got error:
Your remote desktop connection failed because the remote computer cannot be authenicated.
And I see that it is using a self-assigned certificate.
How can I change the self-assigned certificate in use to the new wildcard one?
Thank you.
Hi,
if you try to connect via RDP to the VMs, you must change the self signed certificate for the RDP listener on the VMs:
http://www.it-training-grote.de/download/RDS-2012R2-SelfSignedCertificate.pdf
(German article, but hopefully the screenshots give you some ideas how to do this).
It is also possible and IMHO recommended to use Group policies to issue certificates to all VMs:
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx?PageIndex=2
best regards Marc Grote - www.it-training-grote.de -
(There should be the warning message, without the ability to add any exceptions.)
Hi,
There are Certificate preferences in Options> Advanced, I recommend exploring these options and testing a few self-assigned certificates.
Third Party Reference:
[http://www.hackerfactor.com/blog/index.php?/categories/3-Network] -
Exchange 2007 Renew Certificate via IIS Manager
I am currently in the process of renewing the Exchange 2007 certs and have searched through forums in regards to this topic and can't seem to come across a proper answer. Is it possible to renew the Exchange 2007 cert using the IIS Manager or is PowerShell the only way of doing so? Under the "IIS Manager > expanding server name > expand websites > default website properties > Directory Security > Server Certificate" you are presented with the option to renew the existing cert. This to me seems a lot easier than using the shell to request a whole new cert. I am not a fan of how PowerShell can be a bit destructive when requesting a new cert and overwriting the existing one, leaving you little way of backing out if something goes wrong. Can someone confirm if using IIS Manager is a viable way of renewing the Exchange 2007 cert? I prefer to keep the exact settings of the existing certificates.
Thank you,
Emmanuel
Emmanuel Fumero Exchange Administrator
Hi
Yes, it's possible in Exchange 2010 through EMC. Not sure if this works in Exchange 2007 since I haven't tried renewing through the GUI in Exchange 2007 and currently do not have any customers running E2K7 to check this option. Probably you can give it a try in Exchange 2007 and see if these options are visible. Please check the following:
When you right-click your Exchange Server, you can select New Exchange Certificate, which will launch the New Exchange Certificate Wizard.
After defining a friendly name, you are ready to provide all needed information:
After clicking Finish, you will have a certificate request that you can use to get a certificate from your own CA, or from an external CA. The Exchange Management Console will show the request as well.
1. Start the Exchange Management Shell. Click Start > Programs > Microsoft Exchange Server 2007, and then click Exchange Management Console.
2. Click the link to "Manage Databases", and then go to "Server configuration".
3. Select your certificate from the menu in the center of the screen (the certificate will be listed by the Friendly Name you chose when creating the CSR), and then click the link in the Actions menu to "Complete Pending Request".
4. Browse to the certificate file you just copied to your server, then click Open > Complete.
URGENT!! You may receive the following error: "The source data is corrupted or not properly Base64 encoded." You can ignore this error.
5. Press F5 to refresh the certificate list. Verify that it says "False" under "Self Signed" (if it's 3rd party or from a CA).
6. To enable your certificate, return to the Exchange Management Console and click the link to "Assign Services to Certificate."
Hope this helps
Regards
Sathish -
Does a 2012 DC generate exchange certificates on Exchange 2007 server?
The reason I ask is because we have a 2008 server environment with a few 2012 servers in the mix, one being a DC. It is time to renew our self-signed certificates on our Exchange server and when I attempt to do this via the Get-ExchangeCertificate command, I get a warning stating the following:
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence.
On further investigation I noticed we have a certificate that I do not remember from years past, nor do I ever remember getting that warning message before. We have not used third party CAs. Notice the items in bold: the certificate is an enterprise cert, not self-signed, and linked to our 2012 DC. There appear to be no services assigned to it but we still get that warning.
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EXCHANGESERVERNAME.DOMAIN.NAME}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=DOMAIN-DC3-CA, DC=DOMAIN, DC=NAME
NotAfter : 12/31/2014 4:36:02 PM
NotBefore : 12/31/2013 4:36:02 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 2D00XXXXXXXXXXXXXXXXXXXXXXX
Services : None
Status : Valid
Subject : CN=EXCHANGESERVERNAME.DOMAIN.NAME
Thumbprint : 4886XXXXXXXXXXXXXXXXXXXXXXXXXX
So my question is two-fold: why is this certificate here (was it generated by our 2012 DC) and will it affect anything when it expires? If so, how do I renew it?
OK, so it is normal. We did add the 2012 DC to our existing server environment later on. It is not our primary DC.
So, since there are no services assigned, when it expires in a few days, there will be no effect? If there will be an issue, how do I go about renewing it exactly?
I am not aware of us requesting an Enterprise CA, however our previous manager could have. I am not familiar with the process.
Basically, I ignored the "This certificate will not be used for external TLS connections" warning and created and enabled new self-signed certs for our mail server. The warnings in the event log that the old certs are about to expire have stopped. So that should be that then, right?
So as of now, we show 3 certificates, one being the enterprise one I mentioned which will expire in a few days. (Is this normal or should we just have one self-signed cert that has all services?) I have a feeling this configuration isn't optimal.
Thumbprint Services Subject
2038XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...WS CN=WMSvc-MAILSERVERNAME
B52BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX IP..S CN=MAILSERVERNAME
4886XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ..... CN=MAILSERVERNAME.DOMAIN.NAME -
Can we connect Outlook with Exchange 2013 with the default Self-signed certificate?
Hi,
The question is very simple, but after several days searching in these forums and on the web I have not been able to find a definitive answer, YES or NO. I know that self-signed certificates are not for a production environment and only for labs, and we must purchase a third party certificate or get one from an internal CA.
Can anyone answer this question with no doubt?
Thanks in advance!
jspt
Hi Abhi,
I wrote this question because in a recent migration to 2013 from 2007 we ran into this problem; you can view it in the post http://social.technet.microsoft.com/Forums/exchange/en-US/1ddd1e81-1061-4461-95dd-13de653ef8fe/outlook-cant-connect-with-exchange-2013-after-migration-from-exchange-2007?forum=exchangesvrdeploy.
Also I have installed a new Exchange 2013 in a lab environment and I have also been unable to connect from an Outlook 2013. The problem is the same: Outlook is unable to detect the Exchange server. Many people in these forums told me that it has to be a certificate problem and that is why I posted this question. Honestly, I don't know what to do so that Outlook can connect with Exchange 2013. I don't know what I'm doing wrong.
Anyway thanks for your answer.
jspt -
How to renew Exchange 2007 certificate
Hello,
I am having a problem with a certificate that is expired. When I open an Outlook 2007 client that is connected to Exchange 2007 SP1, I get a message that the certificate is expired. I can choose yes to continue but I get the message every time the client restarts Outlook.
Can someone provide me with the steps to renew the certificate?
Best regards,
Mark
Refer to the article below to renew the self-signed cert in Exchange 2007...
Exchange Server 2007: Renewing the self-signed certificate
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com -
Unrecognized certificate when Outlook 2010 tries to connect to Exchange 2007 on SBS 2008
Hi all,
I believe this is a security issue rather than a connectivity or configuration problem.
Running Outlook 2010 on Windows 7 trying to connect to Exchange 2007 on SBS 2008, I receive the following error:
"The name of the security certificate is invalid or does not match the name of the site"
When I view the certificate I see that it was issued to "zx-server" by "zx". This is NOT my domain CA nor is it a certificate I recognize. I use a self-issued certificate (i.e. issued by the SBS box). I also receive this certificate error when I browse to the internal website (companyweb). No other computers on the network are seeing this behaviour.
I have checked the certificate stores in certmgr and I can't find any such certificate or CA. I have also searched the entire hard drive with no luck. I have run Kaspersky AV, Malwarebytes and MS Security Essentials several times but I can't find any malware.
I also recently installed Comodo Firewall (the problem began after this).
I need to find and remove the certificate and prevent it from being presented to me every time I try to connect to the server. All help, advice and suggestions appreciated.
Aide
Hi,
It’s really a common issue.
This issue occurs if the following conditions are true:
You replace the default self-signed Exchange Server 2007 or Exchange Server 2010 certificate with a different certificate.
Note: The Setup program in Exchange Server 2007 or in Exchange Server 2010 creates a default self-signed certificate when Exchange Server 2007 or Exchange Server 2010 is installed.
The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
o The Service Connection Point object for the Autodiscover service
o The InternalUrl attribute of Exchange 2007 Web Service (EWS)
o The InternalUrl attribute of the Offline Address Book Web service
o The InternalUrl attribute of the Exchange unified messaging (UM) Web service
By default, the URL that is stored in these objects references the NetBIOS name of the server. For example, a URL that resembles the following URL is stored:
https://NetBIOS_name.contoso.com/autodiscover/autodiscover.xml
This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following FQDN:
mail.contoso.com
This issue causes a name mismatch error to occur. Therefore, you receive the security warning message when you try to connect Outlook 2007 to the mailbox.
For more detailed information about the procedures to fix the issue, please refer to the following KB article:
Title: Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"
URL: http://support.microsoft.com/kb/940726
Regards,
James
James Xiong
TechNet Community Support -
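To see which of the URLs listed in the answer above fall outside the certificate's names, the following added example (not from the post or from KB 940726) reads the four URL sources and compares each host name with the names on the IIS-enabled certificate. `Test-NameCovered` is a hypothetical helper and its wildcard handling is an addition; the script only reads configuration.

```powershell
# Added example, not from the thread or the KB article. Read-only;
# run in the Exchange Management Shell.

# Hypothetical helper: does any certificate name cover this host name?
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }      # -eq on strings ignores case
        if ($name.StartsWith('*.')) {
            # Addition: "*.contoso.com" covers exactly one extra left-most
            # label, e.g. mail.contoso.com but not a.b.contoso.com.
            $suffix = $name.Substring(1)
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left -and ($left -notmatch '\.')) { return $true }
            }
        }
    }
    return $false
}

# Names (subject and alternative names) on the certificate(s) enabled for IIS
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" })

# The four URL sources listed in the answer above
$urls  = @(Get-ClientAccessServer |
    Select-Object @{ Name = 'Source'; Expression = { "Autodiscover SCP: $($_.Name)" } },
                  @{ Name = 'Url';    Expression = { $_.AutoDiscoverServiceInternalUri } })
$urls += @(Get-WebServicesVirtualDirectory |
    Select-Object @{ Name = 'Source'; Expression = { "EWS: $($_.Identity)" } },
                  @{ Name = 'Url';    Expression = { $_.InternalUrl } })
$urls += @(Get-OabVirtualDirectory |
    Select-Object @{ Name = 'Source'; Expression = { "OAB: $($_.Identity)" } },
                  @{ Name = 'Url';    Expression = { $_.InternalUrl } })
$urls += @(Get-UMVirtualDirectory |
    Select-Object @{ Name = 'Source'; Expression = { "UM: $($_.Identity)" } },
                  @{ Name = 'Url';    Expression = { $_.InternalUrl } })

# Rows with Covered = False are the URLs that would produce the
# "name of the security certificate is invalid" prompt described above.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $h = ([uri]"$($_.Url)").Host
    $_ | Select-Object Source, Url,
        @{ Name = 'HostName'; Expression = { $h } },
        @{ Name = 'Covered';  Expression = { Test-NameCovered -HostName $h -CertNames $certNames } }
} | Sort-Object Covered | Format-Table -AutoSize -Wrap
```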
Renew certificate on two Exchange 2007 CAS servers
Hi, there:
Our environment: Exchange 2007 SP3 with two HUB/CAS servers; let's assume the server names for these two CAS servers are CAS1 and CAS2.
Please note these two CAS servers are NOT running with NLB.
Now the certificate (not self-signed) on these two servers is about to expire and I am planning to install a new certificate on them.
The old certificate is issued by an internal CA server.
My plan is as below:
On CAS1:
I am going to use "New-ExchangeCertificate" with -privatekeyexportable to generate the certificate request file, then submit the request file to the CA; after I get the .pfx file, run "Import-ExchangeCertificate" to import the new certificate; after the old certificate is expired, run "enable service" to let Exchange use the new certificate.
On CAS2:
Repeat the above procedure.
I did a search on TechNet and found this:
http://social.technet.microsoft.com/Forums/exchange/en-US/20adfb3d-2fa6-4ff9-b785-cb47a772ed58/3rd-part-certificate-renewal-for-exchange-2007-cas?forum=exchangesvrgenerallegacy
The procedure mentioned in this thread is different. It exports the newly created certificate from CAS1 and imports it into CAS2.
However, the CAS servers mentioned in that thread run with NLB.
The two CAS servers in our environment are NOT NLB.
Any suggestions?
Both plans will work. You can generate a cert for each individual CAS with the correct subject names on each cert relative to the CAS that you will enable it on, or create one cert with the correct subject names that cover both CAS and export and import the cert from one CAS to the other. Up to you.
Some clients migrated from 2007 is presented with the self signed certificate in 2013
I have migrated from 2007 to 2013. I did a couple of test migrations and on the ones with domain member computers Outlook is giving a certificate warning. The certificate they are presented with is the default self-signed certificate on the 2013 server, even though I have added a trusted public certificate to Exchange and checked it off to use with IIS.
I see that the default certificate is also checked off to use with IIS and it can't be removed in ECS. Shouldn't this be removed from IIS altogether when adding a new certificate? And why do some clients get presented with the self-signed and some with the public? For instance OWA is presented with the public cert. Also an Outlook I tested from outside the domain.
Regards
Only the UCC certificate should be bound to IIS.
Are any clients using POP or IMAP, which also use SMTP? In this case clients can be presented with the "wrong" certificate as well.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
Hi there
Quick scenario.
We have created a task sequence prestaged media .wim file (SCCM 2007, client OS is Windows XP).
Recently some of these swap-out machines, on delivery and start up, have started showing this message:
'Certificate has expired for this media'.
This is because the self-signed certificate created during the prestaged media creation process has expired.
My question is: is it possible to mount the image using dism or imagex and then inject an updated certificate?
Best regards
John
The disk that has the prestaged media applied must be the boot partition.
Create a task sequence to stage the prestaged media. In this task run a format and partition step which configures both the system disk and the OS disk, though make the OS disk the active boot partition. Then apply the prestage wim.
On your deploy task, somewhere after the OS has applied, create a group that runs only if the media is OEM (from memory _SMSTSMedia = OEMMedia).
In this group run the command bcdboot C:\Windows /s F: /f ALL where F: is the drive letter assigned to the system disk, then run another step that removes the drive letter and reboots. The deploy task will now continue and you will be booting to the system partition.
So I wanted to get back to working on this issue. I noticed that when I said it worked, it was actually still booting from the C drive instead of the reserved partition. For the past few days I have been trying to get the prestaged to work like a network deploy but fail every time. I cannot get the prestaged to boot from any partition other than the partition where Windows was imaged to.
So where I am at today: when I do as suggested above, the D drive (the reserved boot volume) returns on reboot; it will not stay hidden. Also the OS is still booting from C and does not change to the D drive or a drive with no drive letter with the above commands. I think there is some other command missing that tells it to boot from a new location that is not bcdboot.
Has anyone seen any guides for how to use prestaged media and a BitLocker-enabled task sequence? I think that would help me figure out my current issues, as with BitLocker you must have this other partition. -
DPM 2012 - Protect Exchange 2007 in untrusted domain (either via Creds or Certificates)
Hi,
I am trying to protect an Exchange 2007 Server which is in an untrusted domain.
I have tried using both credentials (isNonDomainServer) and via Certificates and have no joy. Both methods work in terms of getting the agent installed and communicating with DPM. The agent shows OK in the console and I can browse fine when creating a new PG.
The problem I have is that "All Exchange Storage Groups" is not available as a selection to backup, obviously neither are any of the information stores.
First question, is backup of Exchange supported in an untrusted domain? This says it is: http://technet.microsoft.com/en-us/library/hh757801.aspx but I read conflicting advice elsewhere.
Second question, this is the biggie - any ideas on how to get Exchange visible as a selection?
So far I have:
Confirmed that LCR is not configured (I am not sure if it *was* at some point though, because there is a disk on the server labled LCR)
Checked in the DPM agent directory locally and I can see that ExchangeCmdletsWrapperCurr.errlog is created and/or updated when I expand the server name on the DPM server and the server and information stores are listed in the file. This tells me communication is fine, and that the DPM agent on the Exchange server can "see" Exchange
Checked the Exchange VSS writer and it is listed and in a healthy state
Thanks!
Upgraded to System Centre 2012 R2 and no difference. I am assuming that it's a compatibility\support issue, i.e. it's not supported. The documentation says otherwise, but it's confusing to say the least.