New Exchange 2003 - 2010 Install

Greetings!

I'm hoping this subscription will pay off, this is turning into quite a headache!!  

The following errors repeat frequently in Event Viewer so here goes.  
Process MSEXCHANGEADTOPOLOGY (PID=1304). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object X2010 - Error code=8007077f.
 The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

When I run the command MegaNuk3 indicated I get: (From Here)
C:\Users\administrator>Nltest /dsgetsite
Default-First-Site-Name
The command completed successfully

MegaNuk3 indicated that this should resolve the issue but I've run this command in the past, gotten the same result, and my issue still occurs.

The other errors are:
Microsoft Exchange could not find a certificate that contains the domain name <domain> in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of <domain>. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

When I run Enable-ExchangeCertificate -Services SMTP it asks me for a Thumbprint and I'm not sure what it's wanting here.

And:

Process MSEXCHANGEADTOPOLOGY (PID=1304). The site monitor API was unable to verify the site name for this Exchange computer - Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server.

This is a brand new Exchange 2010 install; I'm moving from 2003 directly to 2010.  I've been successful in moving most mailboxes to the new machine, but only ones directly managed by me and my own personal box.  Most end user boxes remain on the 2003 machine because I'm still hashing out these errors, and there seems to be an issue with the certificates, as it prompts every time you open Outlook to allow the certificates, even if you store them in the local trust.

There are clearly several concurrent issues; any help to resolve them would be most helpful.  I'm placing these all in a single post to allow a more rounded scope of my issues to come to light, just in case there is one central reason why they are occurring.  If you need any further information please ask; I'd really like to get this resolved.

Thanks!
Asked by: aswitalski
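The two MSEXCHANGEADTOPOLOGY events quoted in the question both end in error code 8007077f. The low 16 bits, 0x77f, are Win32 error 1919, ERROR_NO_SITENAME ("No site name is available for this machine"), which is why the event text points at DNS registration rather than at permissions. The script below is an added example, not something from the original thread, and reproduces the checks a practitioner would run before touching Exchange: the Netlogon site lookup, forward and reverse DNS for the server's FQDN, and the DC-locator call. It assumes it runs on the Exchange server itself with nltest.exe on the path; Test-ExchangeSiteRegistration is a hypothetical helper name, not an Exchange cmdlet.

```powershell
# Added example (not from the original post): verify AD site lookup and DNS
# registration for the local Exchange server. Runs in a normal PowerShell
# prompt on the Exchange server; nltest.exe ships with Windows Server.
# Test-ExchangeSiteRegistration is a hypothetical helper name.
function Test-ExchangeSiteRegistration {
    $problems = @()
    $siteName = $null
    $forward  = @()
    $reverse  = $null

    # 1. The site name as the Netlogon service sees it. If this fails with
    #    "No site name is available", that is Win32 error 1919 (0x77f), the
    #    same code the MSEXCHANGEADTOPOLOGY event reports.
    $nltest = & nltest.exe /dsgetsite 2>&1
    if ($LASTEXITCODE -eq 0) {
        $siteName = ([string]($nltest | Select-Object -First 1)).Trim()
    } else {
        $problems += "nltest /dsgetsite failed: $($nltest -join ' ')"
    }

    # 2. Forward lookup of the server's FQDN (what other Exchange servers and
    #    clients resolve) and reverse lookup of the first IPv4 address.
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $fqdn = "$($ipProps.HostName).$($ipProps.DomainName)"
    try {
        $entry   = [System.Net.Dns]::GetHostEntry($fqdn)
        $forward = @($entry.AddressList |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $problems += "forward lookup of $fqdn failed: $($_.Exception.Message)"
    }
    if ($forward.Count -gt 0) {
        try {
            $rev     = [System.Net.Dns]::GetHostEntry([string]$forward[0])
            $reverse = $rev.HostName
            if ($rev.HostName -ine $fqdn) {
                $problems += "reverse lookup of $($forward[0]) returned $($rev.HostName), expected $fqdn"
            }
        } catch {
            $problems += "reverse lookup of $($forward[0]) failed: $($_.Exception.Message)"
        }
    }

    # 3. A domain controller must be locatable through the _ldap._tcp SRV
    #    records; nltest /dsgetdc performs the same DC-locator call Exchange uses.
    $dc = & nltest.exe "/dsgetdc:$($ipProps.DomainName)" 2>&1
    if ($LASTEXITCODE -ne 0) {
        $problems += "DC locator failed for $($ipProps.DomainName): $($dc -join ' ')"
    }

    New-Object PSObject -Property @{
        SiteName      = $siteName
        Fqdn          = $fqdn
        ForwardLookup = $forward
        ReverseLookup = $reverse
        Problems      = $problems
    }
}

# Run the check and print every inconsistency found.
$r = Test-ExchangeSiteRegistration
$r | Format-List SiteName, Fqdn, ForwardLookup, ReverseLookup
if ($r.Problems.Count -eq 0) {
    'Site and DNS registration look consistent.'
} else {
    $r.Problems | ForEach-Object { "PROBLEM: $_" }
}
```

If the site name comes back but the reverse lookup disagrees with the FQDN, or the DC locator fails, fix the A/PTR records (or run ipconfig /registerdns on the server) and then restart the Microsoft Exchange Active Directory Topology service so it repeats the lookup; a successful nltest /dsgetsite alone, as the question notes, does not make the event go away.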
 
Deepu Chowdary commented:
--> Check whether the ADTopology service is in the running state or not.
If yes, then restart it and check the event viewer for any errors.

--> Run Get-ExchangeCertificate | fl and check which certificate is assigned to the SMTP service and whether it is enabled or not.
If you want to renew a certificate which is intended for the SMTP service, just type
renew-exchange certificate -thumbprint -services... This will renew the existing certificate.
Then you have to run Enable-ExchangeCertificate -Services -Thumbprint (of the newly renewed certificate).

--> Check whether the ADTopology service is in the started state or not.

Deepu Chowdary commented:
After creating, renewing or enabling a certificate you have to restart the Transport service.
Keep an eye on the event viewer for errors after restarting the respective service.

aswitalski (author) commented:
ADTopology was started; after restarting it I received several warnings and only this error:
The Microsoft Exchange Replication service couldn't find a valid configuration for database '95911baf-6cf3-44e7-801c-044e09181753' on server 'X2010'. Error:

Get-exchangecertificate | fl returned the following:
[PS] C:\Windows\system32>Get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKe
                     yAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-X2010}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-X2010
NotAfter           : 10/2/2021 4:01:09 PM
NotBefore          : 10/5/2011 4:01:09 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 269297EB4D5C179248F219320565C119
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=WMSvc-X2010
Thumbprint         : 65D59FBB022450C389C40C8B4562411DE3A80FEE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule}
CertificateDomains : {x2010, x2010.allen.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=x2010
NotAfter           : 9/28/2016 10:05:13 PM
NotBefore          : 9/28/2011 10:05:13 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 53BAD71FA14DDABE4908C749EE9F10B7
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=x2010
Thumbprint         : EA04227408D68D5FFC93B7DD0C8B5BB5ECC488B4

At this point I have not executed: renew-exchange certificate -thumbprint -services

This is still there also:
Microsoft Exchange could not find a certificate that contains the domain name mail.<domain> in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of mail.<domain>. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Thanks for the help so far!

Deepu Chowdary commented:
Check this once.

Chris commented:
You don't really need to worry about the TLS certificate unless you use it to send mail. I think if you untick "use TLS" on the send connector then it gets rid of the error.

aswitalski (author) commented:
@irweazelwallis
The option to "Enable Domain Security (Mutual Auth TLS)" is not checked in my settings.  Thanks though!

@Exchange9
My database is mounted; the clients (me so far and unattended mailboxes) are able to connect, send, receive, etc. as normal.  The only moving of the database occurred when I moved it from 2003 to 2010, and I used the Management Console to accomplish that.

Any Ideas?  After running all night I still only have the following error.  Thanks so much for the help!
Microsoft Exchange could not find a certificate that contains the domain name mail.<domain> in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of mail.<domain>. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Chris commented:
As I said, you don't really need to worry about that error unless you want to use TLS at any point.

If you do, you just need to attach a certificate to the SMTP service.
If you have a UC certificate that contains the internal and external domain names of the server then you can just run the wizard to attach this to SMTP, and TLS will work for those connections that have it enabled in the outside world.
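Deepu Chowdary's steps above (list the certificates with Get-ExchangeCertificate, enable the right one for SMTP with its thumbprint, restart Transport) and Chris's point that the certificate only needs to carry the connector's names are the same procedure. The following script is an added example, not code from either commenter or from the original thread. It is written for the Exchange Management Shell on the Exchange 2010 server and uses only the real cmdlets Get-SendConnector, Get-ReceiveConnector, Get-ExchangeCertificate, Enable-ExchangeCertificate and New-ExchangeCertificate; the helper names Test-NameMatch and Test-SmtpTlsCertificate are hypothetical. It goes slightly beyond the thread by also handling wildcard certificate names and by collecting the FQDN of every send and receive connector on the server, since the event is raised per connector FQDN.

```powershell
# Added example (not from the original thread). Run in the Exchange
# Management Shell on the Exchange 2010 server. Test-NameMatch and
# Test-SmtpTlsCertificate are hypothetical helper names.

# Does a certificate name (possibly a wildcard such as *.example.com) cover $fqdn?
function Test-NameMatch([string]$certName, [string]$fqdn) {
    if ($certName.StartsWith('*.')) {
        # A wildcard covers exactly one label to the left of its suffix.
        $suffix = $certName.Substring(1)                                  # ".example.com"
        $left   = $fqdn.Substring(0, [Math]::Max(0, $fqdn.Length - $suffix.Length))
        return ($fqdn.EndsWith($suffix, 'OrdinalIgnoreCase') -and $left -ne '' -and $left -notmatch '\.')
    }
    return ($certName -ieq $fqdn)
}

# For every SMTP connector FQDN this server advertises, report which
# certificate with a private key covers it and whether SMTP is enabled on it.
function Test-SmtpTlsCertificate {
    # An empty connector FQDN means Transport uses the machine FQDN (per the event text).
    $machineFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $fqdns  = @()
    $fqdns += Get-SendConnector | ForEach-Object { if ($_.Fqdn) { $_.Fqdn.ToString() } else { $machineFqdn } }
    $fqdns += Get-ReceiveConnector -Server $env:COMPUTERNAME |
              ForEach-Object { if ($_.Fqdn) { $_.Fqdn.ToString() } else { $machineFqdn } }
    $fqdns  = @($fqdns | Sort-Object -Unique)

    # Only certificates Transport could actually use: private key present, not expired.
    $certs = @(Get-ExchangeCertificate | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })

    foreach ($fqdn in $fqdns) {
        $match = @($certs | Where-Object {
            $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
            @($names | Where-Object { Test-NameMatch $_ $fqdn }).Count -gt 0
        })
        $thumb = $null; $smtpOn = $false
        if ($match.Count -gt 0) {
            $thumb  = $match[0].Thumbprint
            $smtpOn = ($match[0].Services.ToString() -match 'SMTP')   # Services prints as "IIS, SMTP"
        }
        New-Object PSObject -Property @{ Fqdn = $fqdn; Thumbprint = $thumb; SmtpEnabled = $smtpOn }
    }
}

$report = @(Test-SmtpTlsCertificate)
$report | Format-Table Fqdn, Thumbprint, SmtpEnabled -AutoSize

# Case 1: a certificate already carries the name but is not bound to SMTP.
# This is the thumbprint Enable-ExchangeCertificate was prompting for.
# -Force suppresses the prompt about replacing the default SMTP certificate.
$report | Where-Object { $_.Thumbprint -and -not $_.SmtpEnabled } | ForEach-Object {
    Enable-ExchangeCertificate -Thumbprint $_.Thumbprint -Services SMTP -Force
}

# Case 2: no certificate carries the connector name at all (the thread's
# mail.<domain> case). A self-signed certificate with the right names stops
# the event, but remote MTAs will not trust it; for opportunistic TLS with
# other organisations replace it with a CA-issued UC/SAN certificate later
# (Import-ExchangeCertificate, then Enable-ExchangeCertificate as above).
$missing = @($report | Where-Object { -not $_.Thumbprint } | ForEach-Object { $_.Fqdn })
if ($missing.Count -gt 0) {
    $machineFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $names = @($missing + $machineFqdn + $env:COMPUTERNAME | Sort-Object -Unique)
    New-ExchangeCertificate -SubjectName "cn=$($missing[0])" -DomainName $names `
        -FriendlyName "SMTP TLS ($($missing[0]))" -PrivateKeyExportable $true `
        -Services SMTP -Force
}

# Transport re-reads its certificate binding only on restart.
Restart-Service MSExchangeTransport
```

Run the report part first and act only once the table shows what you expect: on the server in the thread, the second certificate (x2010 / x2010.allen.local) covers the machine FQDN but nothing covers mail.<domain>, which is exactly the event being logged. After the restart, the event should stop; if it continues, the connector FQDN and the certificate names still differ, and the table will show which one.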
 
Deepu Chowdary commented:
Yes, as said above, no need to worry when mail flow is working fine :)

aswitalski (author) commented:
The help is much appreciated; I've been monitoring the log and this continues to be the one error, so I'm feeling much better about that.

Aside from a certificate warning popping up every time I start Outlook, I think I'm in the clear on this project.  Do either of you have any advice about the certs?  I get the first one on my Win7 machine; it appears twice: win7
On our TS box I get this one: TS
I've installed them on the machines but I still get it each time the clients open.  Perhaps the certs are configured wrong... it's just very frustrating!

Thanks again!

Chris commented:
Does that name match the name of the Exchange server? As that would explain the first error; you can try adding a DNS alias for that one.
The second one is the same issue, in that the TS box doesn't have the intermediate certificates; you should be able to install them into the machine account's certificate store for trusted root authorities.