rohnlawadmin

Active Sync & OWA Problems After Exchange Server Move

I moved Exchange to a new server last night and internally everything is fine and we are sending and receiving email no problem.  Outlook Web Access and Active Sync however are not.  I updated firewall to point the old services to the new box but something is still off.  I can't even open the OWA Admin tool on the new Exchange box.  I think it's an IIS issue (it is installed on the new server) but not sure what it is.  Please help - I've got unruly users!
ASKER CERTIFIED SOLUTION
Gladys Kerns
This solution is only available to members.
rohnlawadmin

ASKER

No, I didn't have SSL set up before for OWA.  It's not working internally either.  I reset the default virtual directories in IIS per Microsoft's KB 883380 but still not working.  Internally it tells me "service unavailable" when I try to access OWA.

Yes, I double-checked the router and those ports are pointing to the new server.
Just got a little worse.  Something has email messed up now too because people are getting emails stuck in the Outbox when sending.  I tried to email myself from my personal account just a minute ago and got a bounce message that says "the email system was unable to deliver the message but did not report a specific reason."  Now this is seeming like my router????  Email had been working fine up until today it seems.
It sounds like one or multiple services on the Exchange server itself aren't running.  Check your services and check your application and system event logs for Exchange service errors.

In the new location for your Exchange server - is the GC/PDC readily available for the new server to "see"?  Or is it its own server and you haven't transferred the GC role to it yet?

What changes did you make in the last 24 hours that may have caused mail to stop flowing?
Also, for complicated problems I highly suggest the Microsoft Exchange Best Practices Analyzer - it has saved my butt on a few occasions when it was something fairly obvious that I kept missing...

http://www.microsoft.com/downloads/details.aspx?FamilyID=dbab201f-4bee-4943-ac22-e2ddbd258df3&DisplayLang=en
I tried changing several things in the router and IIS since last night to get the OWA working but I can't remember everything I did.  I just know now that even internal mail isn't working.  All Exchange services are started.  I've verified the router is set correctly so now I'll try the Best Practices Analyzer.
Look through those error logs too... there's definitely something going on there if mail flow was working before and it's not now.
Otter, only real errors for today in event viewer are a few (event id 2214 and 2268) about the WWW service not responding or ISAPI filters for the site/service failing to load.  There's also some from yesterday afternoon and one just after midnight that say:

Process MAD.EXE (PID=2320). All Global Catalog Servers in use are not responding:
oldexchangeserver.rohnlaw.com

Last night there were four errors related to IMAP/POP services:  

1.  An error occurred while starting the Microsoft Exchange IMAP4 Service: the call to IIS_SERVICE::IsActive() failed with error 0x426.

2.  The service metabase path '/LM/IMAP4SVC/' could not be opened.  The data is the error code.

3.  An error occurred while starting the Microsoft Exchange POP3 Service: the call to IIS_SERVICE::IsActive() failed with error 0x426.

4.  The service metabase path '/LM/POP3SVC/' could not be opened.  The data is the error code.

I noticed that these services weren't started this morning and manually started them with no problems.  I noticed you mentioned the GC earlier.  The old exchange box is still up and running and is still a DC.  The new one is also a DC and there's a third server that is a DC as well.  I can't remember how you check which one is the GC but I'll investigate that and see while I'm waiting for you to check out this post and see if you have any recommendations.  I fixed my Blackberry Enterprise Server but somehow messed up Exchange altogether....what a Thanksgiving Day!
The old exchange server was the GC but I just added the new one as an additional GC (I know you really only need 1 per physical location but I don't want to remove the old one as a GC just yet).  External mail tests run just fine and identify the correct exchange server so it's not the router.  I still think the problem is with IIS and/or Exchange itself even though exchange services seem to be running fine and the store mounts, etc.  There is one error in the event log that I'm checking out (http://support.microsoft.com/kb/841576) and this may well be the problem.  I am reinstalling Exchange as per that KB and will report back after.
Ok, per my last post that resolved the Exchange issue.  I still can't get OWA working (internally or otherwise) or Active Sync devices.  Any ideas what may be wrong?
I've now got a certificate properly installed on the server and still can't access OWA or AS.  I have researched it all day and just cannot figure out what is wrong.
SOLUTION
This solution is only available to members.
I reran BPA again and no critical errors and I rebuilt the IIS directories - still not working.  The only errors in event viewer:  

Event Type:      Error
Event Source:      W3SVC-WP
Event Category:      None
Event ID:      2268
Date:            11/29/2008
Time:            4:36:54 PM
Description:
Could not load all ISAPI filters for site/service.  Therefore startup aborted.

Event Type:      Error
Event Source:      W3SVC-WP
Event Category:      None
Event ID:      2214
Date:            11/29/2008
Time:            4:36:54 PM
Description:
The HTTP Filter DLL C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll failed to load.  The data is the error.

are these 2 which I am convinced are probably at the root of the problem since HTTP depends on the WWW service and I also notice that when I try to click on properties for any of the public folders it gives me this error message:  "The HTTP service used by Public Folders is not available, possible causes are that Public stores are not mounted and the Information Service is not running."  The stores are mounted and the service shows as running.....this is beginning to drive me bonkers!  
Fixed the WWW service issue by installing .NET 2.0.  Still no OWA or Active Sync though.  Now that I've corrected all viewable errors, I really don't know what to try.
Otter, I think I'm getting closer and I think your original comment about the SSL certificate might be the problem.  The reason I say this is because now I can somewhat get my iPhone to recognize the exchange server although it's stuck trying to authenticate my password which I know is a classic sign of an SSL issue.  Here are the relevant facts though:

1.  On the previous Exchange server, I didn't have SSL configured and OWA and AS worked fine.

2.  I'm not that experienced with certificates and the certificate that is installed on the new Exchange server was the temporary one issued by the server itself (the one that expires in 3 years).  The name of it is exactly the same as the name of the Exchange server.

3.  We use TZO dynamic DNS service.  The remote address for our server is formatted as SERVERNAME.TZO.COM.  The address that active sync devices used to use was OLDEXCHANGESERVERNAME.TZO.COM.  Replacing it now with NEWEXCHANGESERVERNAME.TZO.COM got me somewhat connected but now I can't authenticate and Best Practices Analyzer gives me a certificate principal mismatch error because the certificate is just for NEWEXCHANGESERVERNAME.  

Here are my questions now:

1.  Do I need the certificate to be issued for NEWEXCHANGESERVERNAME.TZO.COM and if so, how do I accomplish that?

2.  Do I really need to use SSL?  I know it's recommended but we didn't use it before and things worked fine.
I got both OWA and AS working however I had to turn off all SSL to get it to work.  I suppose I need to figure out how to get the SSL certificate set up correctly so I can re-enable SSL.  If you can clarify how I need to set up the certificate based on our TZO config, I'd appreciate it.
Glad to hear it!  Many/most AS devices won't accept a self-assigned certificate... you would need to actually buy one from a "trusted" source (one that the device already has root certs installed on it from)... this could cost you anywhere from $300 (for GoDaddy as long as your device has a GoDaddy root cert on it) or $1,500 or more for a VeriSign cert.

You can circumvent this with a computer's browser because you can force it to accept the "untrusted" cert that you assign to yourself.

No matter what though, it should be written with your fully qualified domain name (mailserver.domain.com) as the computer on the other end will see it this way.

---

That said...

*  You can use OWA and AS without SSL... but all your communication will be open-channel in pure ASCII or HTML text.  If I put a sniffer on your node I could extract all your messages... even if you send very personal information through email.  Even if you make a calendar appointment or add a contact.  It's too easy.

*  I've never run an Exchange server on a dynamic IP or with a Dynamic IP/DNS Helper like TZO or DynDNS.  This would be certain to add complication to the routine and might even lend to you getting black or gray-listed.  I can't really give you good advice on this particular aspect for this reason (I don't know!)

:)

Thanks again man for updating me and for staying with it... I took my kids to the movies this afternoon and decorated my house with lights.
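
The certificate principal mismatch discussed above, as an added example that is not part of the original thread: a Python sketch of the name check a strict client performs, run over constructed certificate dictionaries in the shape returned by Python's ssl getpeercert(). The helper names, the sample certificates and the "Example Trusted CA" issuer are assumptions for illustration.

```python
# Added example: constructed certificates shaped like ssl.SSLSocket.getpeercert() output.
SELF_ISSUED = {  # as in the thread: short server name, issued by the server itself
    "subject": ((("commonName", "NEWEXCHANGESERVERNAME"),),),
    "issuer": ((("commonName", "NEWEXCHANGESERVERNAME"),),),
}
FQDN_CERT = {  # hypothetical replacement issued for the name clients really use
    "subject": ((("commonName", "newexchangeservername.tzo.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "newexchangeservername.tzo.com"),),
}

def cert_names(cert):
    """Names a client matches against: DNS SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive label match; '*' may replace only the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def check_cert(cert, client_host):
    """Return the problems a strict client would report for this certificate."""
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, client_host) for n in names):
        problems.append("name mismatch: cert is for %s, client uses %s"
                        % (", ".join(names) or "<none>", client_host))
    # Issuer equal to subject means self-issued: no trusted root on the device.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed: issuer equals subject")
    return problems

if __name__ == "__main__":
    for label, cert in (("self-issued", SELF_ISSUED), ("fqdn", FQDN_CERT)):
        print(label, check_cert(cert, "NEWEXCHANGESERVERNAME.TZO.COM"))
```
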
No, thank you Otter for hanging with me.  This is my first post on EE that went on this long and drove me literally crazy trying to figure it out.  I did some digging and apparently you can't get a commercial cert using a dynamic DNS service.  I've never had problems getting blacklisted or greylisted with it (we have TZO because we have two different ISPs, each with their own static IP for failover purposes).  I may have to give this setup some further thought so we can move to using SSL.  

Oh, by the way, I'm a female....LOL .....not that it matters but when I read "thanks again man for updating me...." I had to laugh.  Happy holidays to you - you rock!
Oi!  So sorry... I'm a male pig.  Thanks for being cool.