Doesn't Exchange by default look at all hub transport servers in the domain and load balance across all? Somehow this server wasn't getting hit before the cert update and now it is. I'm wondering if something got set back to default and now it's trying to load balance to it now. That would explain why some users are getting it and some are not and why it's not happening to the same users consistently, right?
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Friday, October 24, 2014 1:47 PM To: [email protected] Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2 Why is it in round-robin at all, if it is for DC failover? -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: Friday, October 24, 2014 1:28 PM To: [email protected] Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2 Looking at this more, could it be hitting the problematic server (ROMAIL3) because of round robin? I'm wondering if there was something set up before the SHA2 upgrade that either excluded this server from being part of the round robin or possibly weighted it high enough where it only would hit it if there was a problem with the CAA. What I've found searching so far only covers weighting using a hardware solution or 3rd party. Can I set up the weight of the ROMAIL3 server so that round robin won't hit it equally? -Paul -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: Wednesday, October 22, 2014 4:41 PM To: [email protected] Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2 With all the recent discussion on autodiscovery - is there something there that might deserve investigation? -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: Wednesday, October 22, 2014 4:06 PM To: [email protected] Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2 I've played with wireshark a bit - but not proficient. If someone doesn't come up with something brilliant I may have to contribute to the Bill and Melinda Gates PSS Fund. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Wednesday, October 22, 2014 3:46 PM To: [email protected] Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2 0 for 3. All I've got left is intermediate certs, which I believe someone else already mentioned. Personally, I'd be running some netmon/wireshark/MessageAnalyzer to figure out what's going on. Don't know how comfortable you are with that scenario. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: Wednesday, October 22, 2014 4:39 PM To: [email protected] Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2 No, and the NetBios setting is set to "Default". We don't use DHCP for servers so it shouldn't be an issue. No, there haven't been any XP systems in this environment for some time. Good thought on WINS - I hadn't considered that. I looked on our 2003 domain controllers and couldn't find an entry in WINS for the any of the servers mentioned. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Wednesday, October 22, 2014 3:22 PM To: [email protected] Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2 Are the servers using WINS and do they have NetBIOS / TCP enabled? My first two guesses are "yes and yes". Insofar as SHA-2, are the computers that are having issues running WinXP? -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: Wednesday, October 22, 2014 1:49 PM To: New Exchange List ([email protected]) Subject: [Exchange] Certificate prompt after upgrading cert to SHA2 Hoping for some help to understand what is going on here. Rekeyed my SHA1 certs to SHA2 and imported them into my certificate store. They showed up in Exchange and I assigned IMAP, POP, IIS and SMTP to it. So much for that. Exchange 2010 SP2 UR8 - 2 sites, flat domain. Each site has 2 CAS/HUB, 2 MB, and 1 CAS/HUB/MB. The 2 CAS/HUB servers are configured as a CAA. What I'm seeing is that SOME users that are opening Outlook 2010 in site A are getting a certificate error "The name of the security certificate is invalid or does not match the name of the site" from the CAS/HUB/MB server (ROMAIL3) in site A. All things working correctly they shouldn't even see that server. The CAS/HUB servers have 2 NICs - one of which on each is set up with Windows Load Balancing for the CAA (designated as LB in the name). DNS is set up as the attached diagram shows. The LB IP addresses are not in DNS. When the problem started showing up the event logs on HQMAIL1 were getting 2601, 2604, and 2501 errors every 15 minutes - all having to do with the MSEXCHANGEADTOPOLOGY service: 2501 - The site monitor API was unable to verify the site name for this Exchange computer - Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server. 2604 - When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object HQMAIL1 - Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions. 2601 - When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=1A9E54D37856378B478743286FF00932782,CN=Microsoft Exchange,CN=Services,CN=Configuration,...> - Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions. I checked DNS and the entries for HQMAIL1 and HQMAIL2 were missing. I re-added them and pushed out the changes. I then rebooted HQMAIL1 and the error went away in the event log - but on rebooting Outlook I still got the certificate pop-up. I left to get supper and figured I'd work from home using VPN. Coming in that way my Outlook didn't throw the cert error. Going through things on HQMAIL1 I found that if I pinged HQMAIL1 by name from itself it returned with a 123.100.200.31 instead of what DNS should have returned as 123.100.200.1. Searching I found that I could change the priority of the NICs, which I did and it started pinging correctly from itself. I rebooted HQMAIL1 to clear up any lingering effects of the NIC priority and started getting the 2501, 2604, and 2601 errors again. They occurred until I restarted the MS Exchange AD Topology service (which restarted a boat-load of others) and then it cleared up. I'm still hearing from some users, not all, about getting the certificate pop-up. I'm not getting it myself currently. I'm not understanding where or why people are getting pointed to ROMAIL3. Hopefully this makes sense to you guys. -Paul
