No. It does load-balancing within the outgoing AD site.
So, if you have this:
Site1: HT1, HT2
Site2: HT3
You would never LB to HT3 from HT1 or HT2 (or vice versa).
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Maglinger, Paul
Sent: Friday, October 24, 2014 3:14 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
Doesn't Exchange by default look at all hub transport servers in the domain and
load balance across all? Somehow this server wasn't getting hit before the
cert update and now it is. I'm wondering if something got set back to default
and now it's trying to load balance to it. That would explain why some
users are getting it and some are not and why it's not happening to the same
users consistently, right?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael B. Smith
Sent: Friday, October 24, 2014 1:47 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
Why is it in round-robin at all, if it is for DC failover?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Maglinger, Paul
Sent: Friday, October 24, 2014 1:28 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
Looking at this more, could it be hitting the problematic server (ROMAIL3)
because of round robin? I'm wondering if there was something set up before the
SHA2 upgrade that either excluded this server from being part of the round
robin or possibly weighted it high enough where it only would hit it if there
was a problem with the CAA. What I've found searching so far only covers
weighting using a hardware solution or 3rd party. Can I set up the weight of
the ROMAIL3 server so that round robin won't hit it equally?
-Paul
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Maglinger, Paul
Sent: Wednesday, October 22, 2014 4:41 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
With all the recent discussion on autodiscovery - is there something there that
might deserve investigation?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Maglinger, Paul
Sent: Wednesday, October 22, 2014 4:06 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
I've played with wireshark a bit - but not proficient. If someone doesn't come
up with something brilliant I may have to contribute to the Bill and Melinda
Gates PSS Fund.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael B. Smith
Sent: Wednesday, October 22, 2014 3:46 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
0 for 3.
All I've got left is intermediate certs, which I believe someone else already
mentioned.
Personally, I'd be running some netmon/wireshark/MessageAnalyzer to figure out
what's going on. Don't know how comfortable you are with that scenario.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Maglinger, Paul
Sent: Wednesday, October 22, 2014 4:39 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
No, and the NetBios setting is set to "Default". We don't use DHCP for servers
so it shouldn't be an issue.
No, there haven't been any XP systems in this environment for some time.
Good thought on WINS - I hadn't considered that. I looked on our 2003 domain
controllers and couldn't find an entry in WINS for any of the servers
mentioned.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael B. Smith
Sent: Wednesday, October 22, 2014 3:22 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
Are the servers using WINS and do they have NetBIOS / TCP enabled?
My first two guesses are "yes and yes".
Insofar as SHA-2, are the computers that are having issues running WinXP?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Maglinger, Paul
Sent: Wednesday, October 22, 2014 1:49 PM
To: New Exchange List ([email protected])
Subject: [Exchange] Certificate prompt after upgrading cert to SHA2
Hoping for some help to understand what is going on here.
Rekeyed my SHA1 certs to SHA2 and imported them into my certificate store.
They showed up in Exchange and I assigned IMAP, POP, IIS and SMTP to it. So
much for that.
Exchange 2010 SP2 UR8 - 2 sites, flat domain.
Each site has 2 CAS/HUB, 2 MB, and 1 CAS/HUB/MB. The 2 CAS/HUB servers are
configured as a CAA.
What I'm seeing is that SOME users that are opening Outlook 2010 in site A are
getting a certificate error "The name of the security certificate is invalid or
does not match the name of the site" from the CAS/HUB/MB server (ROMAIL3) in
site A. All things working correctly they shouldn't even see that server.
The CAS/HUB servers have 2 NICs - one of which on each is set up with Windows
Load Balancing for the CAA (designated as LB in the name).
DNS is set up as the attached diagram shows. The LB IP addresses are not in
DNS.
When the problem started showing up the event logs on HQMAIL1 were getting
2601, 2604, and 2501 errors every 15 minutes - all having to do with the
MSEXCHANGEADTOPOLOGY service:
2501 - The site monitor API was unable to verify the site name for this
Exchange computer - Call=DsctxGetContext Error code=8007077f. Make sure that
Exchange server is correctly registered on the DNS server.
2604 - When updating security for a remote procedure call (RPC) access for the
Microsoft Exchange Active Directory Topology service, Exchange could not
retrieve the security descriptor for Exchange server object HQMAIL1 - Error
code=8007077f. The Microsoft Exchange Active Directory Topology service will
continue starting with limited permissions.
2601 - When initializing a remote procedure call (RPC) to the Microsoft
Exchange Active Directory Topology service, Exchange could not retrieve the SID
for account <WKGUID=1A9E54D37856378B478743286FF00932782,CN=Microsoft
Exchange,CN=Services,CN=Configuration,...> - Error code=8007077f.
The Microsoft Exchange Active Directory Topology service will continue
starting with limited permissions.
I checked DNS and the entries for HQMAIL1 and HQMAIL2 were missing. I re-added
them and pushed out the changes. I then rebooted HQMAIL1 and the error went
away in the event log - but on rebooting Outlook I still got the certificate
pop-up.
I left to get supper and figured I'd work from home using VPN. Coming in that
way my Outlook didn't throw the cert error. Going through things on HQMAIL1 I
found that if I pinged HQMAIL1 by name from itself it returned with a
123.100.200.31 instead of what DNS should have returned as 123.100.200.1.
Searching I found that I could change the priority of the NICs, which I did and
it started pinging correctly from itself. I rebooted HQMAIL1 to clear up any
lingering effects of the NIC priority and started getting the 2501, 2604, and
2601 errors again. They occurred until I restarted the MS Exchange AD Topology
service (which restarted a boat-load of others) and then it cleared up.
I'm still hearing from some users, not all, about getting the certificate
pop-up. I'm not getting it myself currently. I'm not understanding where or
why people are getting pointed to ROMAIL3.
Hopefully this makes sense to you guys.
-Paul
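Added example, not from the thread or from any of its participants. The two symptoms reported above (a name that resolves to the wrong NIC when the server pings itself, and Outlook complaining that the certificate name "does not match the name of the site" for a server users should never be talking to) are both things you can check from a management workstation without Wireshark. The script below, for each hostname a client could be handed, first resolves the name and compares it with the address you expect, then opens a TLS session to port 443 and checks whether the certificate the server actually presents contains that name. The hostnames and addresses in the table are assumptions chosen to mirror the setup described (HQMAIL1/HQMAIL2 in the CAS array, ROMAIL3 as the combined CAS/HUB/MB), not values from the thread; replace them with your own. It uses only .NET classes available on Windows Server 2008 R2 / PowerShell 2.0.

```powershell
# Added example (not from the thread). Names and addresses are assumptions.
$expected = @{
    'hqmail1.corp.example.com' = '123.100.200.1'
    'hqmail2.corp.example.com' = '123.100.200.2'
    'romail3.corp.example.com' = '123.100.200.3'
    'mail.corp.example.com'    = '123.100.200.10'   # name the CAS array / LB answers to
}

function Get-PresentedCertificate {
    # Open a TLS session to $HostName:$Port and return the leaf certificate the
    # server sends. Validation is deliberately disabled: we inspect, not trust.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-CertificateNames {
    # Subject CN plus every DNS entry in the Subject Alternative Name extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields e.g. "DNS Name=mail.corp.example.com, DNS Name=autodiscover.corp.example.com"
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    return @($names | Select-Object -Unique)
}

function Test-NameMatch {
    # True if $HostName is covered by one of $Names. A wildcard only covers one
    # leftmost label (RFC 6125): *.corp.example.com does not cover a.b.corp.example.com.
    param([string]$HostName, [string[]]$Names)
    $labels = ($HostName -split '\.').Count
    foreach ($n in $Names) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.') -and ($HostName -ilike $n) -and (($n -split '\.').Count -eq $labels)) { return $true }
    }
    return $false
}

$expected.Keys | ForEach-Object {
    $name = $_
    # 1. DNS: does the name resolve to the address clients are meant to reach,
    #    rather than to a second NIC (the "pinged itself and got the wrong address" symptom)?
    $addrs = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
    $dnsOk = $addrs -contains $expected[$name]
    # 2. TLS: does the certificate that host presents actually contain this name?
    try {
        $cert   = Get-PresentedCertificate -HostName $name
        $names  = Get-CertificateNames -Cert $cert
        $certOk = Test-NameMatch -HostName $name -Names $names
        $detail = "sig=$($cert.SignatureAlgorithm.FriendlyName) thumb=$($cert.Thumbprint) names=$($names -join ';')"
    } catch {
        $certOk = $false
        $detail = "TLS handshake failed: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Name     = $name
        Resolved = ($addrs -join ',')
        DnsOk    = $dnsOk
        CertOk   = $certOk
        Detail   = $detail
    }
} | Format-Table Name, Resolved, DnsOk, CertOk, Detail -AutoSize
```

Feed it the exact hostname shown in Outlook's certificate prompt, since that is the name Outlook connected with. The `sig=` column also shows at a glance which servers are still presenting the old sha1RSA certificate versus the rekeyed sha256RSA one. To see which URLs Outlook is being handed in the first place, compare the output with `Get-ClientAccessServer | Format-List Name,AutoDiscoverServiceInternalUri` and `Get-WebServicesVirtualDirectory | Format-List Server,InternalUrl` from the Exchange Management Shell: a server whose internal URLs carry its own FQDN while the certificate only covers the array name will produce exactly this prompt for any client that reaches it.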