New Exchange 2003 - 2010 Install

Greetings!

I'm hoping this subscription will pay off, this is turning into quite a headache!!  

The following errors repeat frequently in Event Viewer so here goes.  
Process MSEXCHANGEADTOPOLOGY (PID=1304). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object X2010 - Error code=8007077f.
 The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

When I run the command MegaNuk3 indicated I get: (From Here)
C:\Users\administrator>Nltest /dsgetsite
Default-First-Site-Name
The command completed successfully

MegaNuk3 indicated that this should resolve the issue but I've run this command in the past, gotten the same result, and my issue still occurs.

The other errors are:
Microsoft Exchange could not find a certificate that contains the domain name <domain> in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of <domain>. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

When I run: Enable-ExchangeCertificate -Services SMTP it asks me for a Thumbprint and I'm not sure what it's wanting here.

And:

Process MSEXCHANGEADTOPOLOGY (PID=1304). The site monitor API was unable to verify the site name for this Exchange computer - Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server.

This is a brand new Exchange 2010 install, I'm moving from 2003 directly to 2010. I've been successful in moving most mailboxes to the new machine, but only ones directly managed by me and my own personal box. Most end user boxes remain on the 2003 machine because I'm still hashing out these errors, and there seems to be an issue with the certificates as it prompts every time you open Outlook to allow the certificates, even if you store them in the local trust.

There are clearly several concurrent issues; any help to resolve them would be most helpful. I'm placing these all in a single post to allow a more rounded scope of my issues to come to light, just in case there is one central reason why they are occurring. If you need any further information please ask, I'd really like to get this resolved.

Thanks!
aswitalskiAsked:
PradeepCommented:
--> Check whether the ADTopology service is in the running state or not.
If yes, then restart it and check Event Viewer for any errors.

--> Run Get-ExchangeCertificate | fl and check which certificate is assigned to the SMTP service and whether it is enabled or not.
If you want to renew a certificate which is intended for the SMTP service, just type
Renew-ExchangeCertificate -Thumbprint -Services... This will renew the existing certificate.
Then you have to run Enable-ExchangeCertificate -Services -Thumbprint (of the newly renewed certificate).

--> Check whether the ADTopology service is in the started state or not.
0
 
PradeepCommented:
After Creating, renewing or enabling you have to restart Transport service.
Keep an eye on event viewer for errors after restarting respective service.
0
 
aswitalskiAuthor Commented:
ADTopology was started, after restarting I received several warnings and only this error:
The Microsoft Exchange Replication service couldn't find a valid configuration for database '95911baf-6cf3-44e7-801c-044e09181753' on server 'X2010'. Error:

Get-exchangecertificate | fl returned the following:
[PS] C:\Windows\system32>Get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKe
                     yAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-X2010}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-X2010
NotAfter           : 10/2/2021 4:01:09 PM
NotBefore          : 10/5/2011 4:01:09 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 269297EB4D5C179248F219320565C119
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=WMSvc-X2010
Thumbprint         : 65D59FBB022450C389C40C8B4562411DE3A80FEE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule}
CertificateDomains : {x2010, x2010.allen.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=x2010
NotAfter           : 9/28/2016 10:05:13 PM
NotBefore          : 9/28/2011 10:05:13 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 53BAD71FA14DDABE4908C749EE9F10B7
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=x2010
Thumbprint         : EA04227408D68D5FFC93B7DD0C8B5BB5ECC488B4

At this point I have not executed: renew-exchange certificate -thumbprint -services

This is still there also:
Microsoft Exchange could not find a certificate that contains the domain name mail.<domain> in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of mail.<domain>. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Thanks for the help so far!
0

 
PradeepCommented:
Check this once.
0
 
ChrisCommented:
You don't really need to worry about the TLS certificate unless you use it to send mail. I think if you untick "use TLS" on the send connector then it gets rid of the error.
0
 
aswitalskiAuthor Commented:
@irweazelwallis
The option to "Enable Domain Security (Mutual Auth TLS)" is not checked in my settings.  Thanks though!

@Exchange9
My database is mounted, the clients (me so far and unattended mailboxes) are able to connect, send, receive, etc as normal.  The only moving of the Database occurred when I moved it from 2003 to 2010 and I used the Management Console to accomplish that.

Any Ideas?  After running all night I still only have the following error.  Thanks so much for the help!
Microsoft Exchange could not find a certificate that contains the domain name mail.<domain> in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of mail.<domain>. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
0
 
ChrisCommented:
As I said, you don't really need to worry about that error unless you want to use TLS at any point.

If you do, you just need to attach a certificate to the SMTP service.
If you have a UC certificate that contains the internal and external domain names of the server, then you can just run the wizard to attach this to SMTP, and TLS will work for those connections that have it enabled in the outside world.

0
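One way to act on the advice from Pradeep and Chris above (find the certificate whose names cover the connector FQDN named in the event, then bind it to the SMTP service, which also answers the question of which Thumbprint Enable-ExchangeCertificate is asking for). This is an added example, not code from the thread; it assumes an Exchange 2010 Management Shell, and the connector FQDN is a placeholder to replace with the value from the event text.

```powershell
# Added example (not from the thread): map the "could not find a certificate that contains the
# domain name ..." event to a certificate and bind it to SMTP. Run in the Exchange Management Shell.
$ConnectorFqdn = 'mail.example.invalid'   # placeholder: use the FQDN named in the event (mail.<domain>)

# Show which connectors advertise which FQDN so the event can be traced to a specific connector.
Get-ReceiveConnector | Select-Object Identity, Fqdn
Get-SendConnector    | Select-Object Identity, Fqdn

# Pick a valid, unexpired certificate with a private key whose CertificateDomains cover the FQDN.
# A wildcard entry such as *.example.invalid is matched with -like against the connector FQDN.
$cert = Get-ExchangeCertificate | Where-Object {
    $_.HasPrivateKey -and $_.Status -eq 'Valid' -and $_.NotAfter -gt (Get-Date) -and
    ($_.CertificateDomains | Where-Object {
        $d = [string]$_
        ($d -eq $ConnectorFqdn) -or ($d.StartsWith('*.') -and ($ConnectorFqdn -like $d))
    })
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    # This is the situation in the thread: the installed self-signed certificates only carry the
    # server's own names (x2010, x2010.allen.local), so nothing matches mail.<domain>.
    $names = (Get-ExchangeCertificate | ForEach-Object { $_.CertificateDomains }) -join ', '
    Write-Warning "No certificate in the local store covers '$ConnectorFqdn'; STARTTLS will not be offered for it."
    Write-Warning "Names present on installed certificates: $names"
    return
}

# Bind the matching certificate to SMTP (the step the event asks for) and restart transport.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
Restart-Service MSExchangeTransport

# Confirm the binding: Services should now list SMTP for this thumbprint.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List CertificateDomains, Services, Status
```

If the script reports no match, the fix is a certificate (or a renewed self-signed one via New-ExchangeCertificate) that actually carries the connector FQDN, not re-running Enable-ExchangeCertificate on the existing ones.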
 
PradeepCommented:
Yes as said above no need to worry when mailflow is working fine :)
0
 
aswitalskiAuthor Commented:
The help is much appreciated, I've been monitoring the log and this continues to be the one error so I'm feeling much better about that.

Aside from a certificate warning popping up every time I start Outlook, I think I'm in the clear on this project. Do either of you have any advice about the certs? I get the first one on my Win7 machine, it appears twice: win7
On our TS box I get this one: TS
I've installed them on the machines but I still get it each time the clients open. Perhaps the certs are configured wrong... it's just very frustrating!

Thanks again!
0
 
ChrisCommented:
Does that name match the name of the Exchange server? That would explain the first error; you can try adding a DNS alias for that one.
The second one is the same issue, with the fact that the TS box doesn't have the intermediate certificates. You should be able to install them into the machine account's certificate store under Trusted Root Certification Authorities.
0