Solved

URGENT!! MS Exchange will not deliver/send external emails

Posted on 2013-06-14
Last Modified: 2013-06-15
I was playing around with Certs today on my Edge server and I believe I accidentally deleted the cert that connects to the Client Hub.

Event Viewer info:
Microsoft Exchange could not find a certificate that contains the domain name STLEXED01.clearent.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector EdgeSync - Inbound to St-Louis-Datotel with a FQDN parameter of STLEXED01.clearent.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Source: MSExchangeTransport
Event ID: 12014

Queue Viewer Message:
error 451 4.4.0 primary target ip address responded with 421 4.2.1 unable to connect

Can anyone assist me on resolving this issue? I am new to exchange so my knowledge and jargon is not high level.

THANKS in advance!
Question by:TechOps07
35 Comments

Expert Comment
by:TMekeel
ID: 39249256
Run:
Get-ExchangeCertificate | fl

from the Exchange Shell.
Check the certificates that are applied to services, SMTP is the one in question.
How many certs do you have there, and are they all self-signed?
If so, you did delete it.  Re-add it to the server, and then enable it for smtp and whatever other services are applicable.

Not sure where you bought the cert from, but hopefully it is stored somewhere locally on the server already, and you just need to re-add.
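An added example (not code from the thread) of the check the reply above asks for: run in the Exchange 2010 Management Shell on the server that logged event 12014, it lists every certificate Exchange can see, whether it is enabled for SMTP, whether its private key is present, and whether it names the connector FQDN from the event. `$connectorFqdn` is the FQDN quoted in the event text; the report layout and the warning messages are constructed for illustration.

```powershell
# Added example, not code from the thread. Exchange 2010 Management Shell.
$connectorFqdn = "STLEXED01.clearent.com"   # FQDN quoted in event 12014; change per server

# Which connector(s) advertise that FQDN for STARTTLS (Edge has Receive connectors locally)
Get-ReceiveConnector | Select-Object Name, Fqdn

$report = Get-ExchangeCertificate | ForEach-Object {
    # CertificateDomains holds Exchange domain objects; compare on their string form
    $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    New-Object PSObject -Property @{
        Thumbprint  = $_.Thumbprint
        SmtpEnabled = [bool]($_.Services -match "SMTP")
        CoversFqdn  = [bool]($domains -contains $connectorFqdn)
        PrivateKey  = $_.HasPrivateKey
        SelfSigned  = $_.IsSelfSigned
        Expires     = $_.NotAfter
    }
}
$report | Select-Object Thumbprint, SmtpEnabled, CoversFqdn, PrivateKey, SelfSigned, Expires |
    Format-Table -AutoSize

# STARTTLS on that connector needs a certificate that is all three at once:
# enabled for SMTP, holding its private key, and naming the connector FQDN.
# If none qualifies, event 12014 keeps firing and Exchange falls back to an
# ephemeral self-signed certificate (event 12024).
$usable = @($report | Where-Object { $_.SmtpEnabled -and $_.PrivateKey -and $_.CoversFqdn })
if ($usable.Count -eq 0) {
    Write-Warning "No SMTP-enabled certificate with a private key covers $connectorFqdn."
    Write-Warning "Re-import it (Import-ExchangeCertificate) or create one: New-ExchangeCertificate -DomainName $connectorFqdn -Services SMTP"
} else {
    "Usable certificate(s) for {0}: {1}" -f $connectorFqdn, (($usable | ForEach-Object { $_.Thumbprint }) -join ", ")
}
```

A certificate that shows `PrivateKey = False` cannot be fixed by `Enable-ExchangeCertificate`; it has to be re-imported from a PFX that carries the key, or replaced with a new one.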

Author Comment
by:TechOps07
ID: 39249268
TMekeel,

I just ran that command on my Mailbox server and I do not see an SMTP cert.
Checked Client Hub, SMTP is there
Checked Edge, SMTP is not there.

Now how can I fix that?

Also checking the EventVwr on my Edge server I found this:

Microsoft Exchange could not load the certificate with thumbprint of 61427B21722B6DB217DB8002C19D4D347BF5B8B0 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 61427B21722B6DB217DB8002C19D4D347BF5B8B0 -services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, an ephemeral, self-signed certificate with thumbprint 401DF87FE48FFF810C916F26D65B9A76FE78DCFB is being used.

EventID: 12024

Author Comment
by:TechOps07
ID: 39249300
It seems to me that there is a Certificate issue and I am clueless on how to fix it.

Expert Comment
by:TMekeel
ID: 39249302
If you do not have a backup of the private key, I believe you would have to rekey to the provider and re-download and import.

Who did you buy the cert from?

Alternatively, is it the same cert as the other server?
Export that from the other server and import it to the edge.
http://technet.microsoft.com/en-us/library/dd351274(v=exchg.141).aspx

Expert Comment
by:TMekeel
ID: 39249306
Dont forget to apply it to services after you re-import it.

Expert Comment
by:TMekeel
ID: 39249317
I know this is urgent for you so I am trying to get you advice as quickly as possible.
If you have the cert installed on the other server, then export it with the private key.

If you need help on how to do that follow this:
http://technet.microsoft.com/en-us/library/dd351274(v=exchg.141).aspx

Once exported follow this:
http://technet.microsoft.com/en-us/library/dd351183(v=exchg.141).aspx

Then add the relevant services following this:
http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx
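The three linked steps (export with private key, import, enable for services) written out as an added example in Exchange 2010 Management Shell syntax; this is not code from the thread or from the linked TechNet pages. It assumes the GoDaddy certificate is present with its private key on the CAS/Hub server under the thumbprint quoted later in the thread, that `C:\certs` exists on both servers, and that the Edge is a workgroup member and therefore has to run the import in its own local shell rather than from the EMC.

```powershell
# Added example, not code from the thread. Exchange 2010 syntax (FileData-based export/import).

# ---- 1. On the CAS/Hub server: export the certificate WITH its private key to a PFX ----
$thumb = "8CA5333784AE4D62CEF8EFADB207150209471E28"   # GoDaddy cert thumbprint quoted in the thread
$cert  = Get-ExchangeCertificate -Thumbprint $thumb
if (-not $cert.HasPrivateKey) {
    throw "Private key is not present for $thumb; an export without it is useless on the Edge."
}
$pw  = Read-Host "Password to protect the PFX" -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded:$true -Password $pw
Set-Content -Path C:\certs\exchange.pfx -Value $pfx.FileData -Encoding Byte
# Copy C:\certs\exchange.pfx to the Edge over an authenticated channel: it contains the private key.

# ---- 2. On the Edge server (workgroup member: run this in ITS OWN Exchange shell) ----
$pw    = Read-Host "PFX password" -AsSecureString
$bytes = [Byte[]]$(Get-Content -Path C:\certs\exchange.pfx -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $bytes -Password $pw
# If the certificate is already in the store, Import-ExchangeCertificate fails with
# "A certificate with the thumbprint ... already exists" (as it does later in this thread).
# That is not an error to work around: just enable the existing thumbprint.
$thumb = "8CA5333784AE4D62CEF8EFADB207150209471E28"
Enable-ExchangeCertificate -Thumbprint $thumb -Services SMTP
Get-ExchangeCertificate -Thumbprint $thumb |
    Format-List Thumbprint, Services, HasPrivateKey, CertificateDomains, NotAfter
Restart-Service MSExchangeTransport    # transport re-reads its certificate on restart

# ---- 3. Hygiene: the PFX holds the private key, so do not leave it lying on a DMZ host ----
Remove-Item C:\certs\exchange.pfx
```

Two caveats that the rest of this thread bears out: on an Edge server, `Enable-ExchangeCertificate -Services SMTP` also replaces the internal transport certificate, so the Edge has to be resubscribed afterwards; and EdgeSync refuses a subscription whose Edge certificate has the same thumbprint as a certificate on a Hub Transport server, so a certificate copied from the Hub cannot also serve as the Edge's direct-trust certificate.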

Author Comment
by:TechOps07
ID: 39249327
Once I have exported the cert where do I import it at on the Edge? Would this be the Certificates>Personal>Certificates?

Author Comment
by:TechOps07
ID: 39249336
I appreciate your help very much.

Our Edge Server is in a workgroup while my Mailbox and Client Hub are on the domain, which is causing a problem trying to import it via the link in your last response.

Expert Comment
by:TMekeel
ID: 39249337
You would do that through the EMC, instructions in the 2nd link.

Then follow 3rd link to apply services such as smtp, iis, imap, pop to use the imported cert.

Author Comment
by:TechOps07
ID: 39249345
That is the thing, STLEXED01 is not listed in the Exchange server list to import the cert to. When in the server configuration I select the Edge server, it does not give me the option to import an Exchange cert either.

I believe this is because it is in a workgroup and not the domain.

Author Comment
by:TechOps07
ID: 39249354
OK, I ran the following commands through the shell from the links you gave, but still no green light yet.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certs\exchange.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Got the following message:
Import-ExchangeCertificate : Cannot import certificate. A certificate with the thumbprint 8CA5333784AE4D62CEF8EFADB207150209471E28 already exists.
At line:1 char:27
+ Import-ExchangeCertificate <<<<  -FileData ([Byte[]]$(Get-Content -Path c:\certs\exchange.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password
    + CategoryInfo          : WriteError: (:) [Import-ExchangeCertificate], InvalidOperationException
    + FullyQualifiedErrorId : 770AD273,Microsoft.Exchange.Management.SystemConfigurationTasks.ImportExchangeCertificat

I enabled the SMTP services:
Enable-ExchangeCertificate -Server 'STLEXED01' -Services 'SMTP' -Thumbprint '8CA5333784AE4D62CEF8EFADB207150209471E28'

Received the following:
Current certificate: '61427B21722B6DB217DB8002C19D4D347BF5B8B0' (expires 1/18/2017 2:01:07 PM)
Replace it with certificate: '8CA5333784AE4D62CEF8EFADB207150209471E28' (expires 1/23/2015 4:54:04 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this Edge Transport server is subscribed to an Active Directory site, you must subscribe it again by using the New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.

I did overwrite, clicked "Retry" on the Queue Viewer to see if the messages would go through, same error.

Expert Comment
by:TMekeel
ID: 39249356
Edge servers are not in the domain by design, and usually in the DMZ outside of your other servers.

Follow this post, it is exactly what you need.
http://msexchangeguru.com/2012/07/24/edge-server-tls/

Author Comment
by:TechOps07
ID: 39249379
TM,

Thanks, I am following that guide now and will report back soon.

Author Comment
by:TechOps07
ID: 39249404
This got me on the right path, per se. It did not work because I do not have access to the firewall to open the ports, as this cert was internal.

It looks like we do have an external cert from GoDaddy.com which I believe was used for the Edge to connect to internet and to our Client Hub.

Any suggestions on that?

Author Comment
by:TechOps07
ID: 39249405
I am wondering if I follow your advice on exporting that external cert from my Client Hub to the Edge  would that fix it.

Expert Comment
by:TMekeel
ID: 39249437
It should. Essentially what happened is you deleted the private key.
Exporting it from the CAS to a file and then importing should work, using the guide in the last link I sent. I'd assume the root certs are already there.

Expert Comment
by:TMekeel
ID: 39249447
Now that I am looking at your certs more closely, one expires 2017 and one expires 2015. So they are different. I think the best thing to do would be to generate a new CSR and rekey the cert with GoDaddy.
They have instructions for this on their site.
Unless the cert is the same for the edge and the Client access server, in that case you should be able to export with private key and then import as I said earlier.

Author Comment
by:TechOps07
ID: 39249453
Well I did what you said prior.

Enable-ExchangeCertificate -Thumbprint XXXXX -Services SMTP
Overwrite the existing

Remove-ExchangeCertificate -Thumbprint "OLD CERT"
Confirmed removal

Did the same thing on my Client Hub, emails going out works but still no emails coming in.

Author Comment
by:TechOps07
ID: 39249458
I get the following error:

Could not decrypt EdgeSync credential cn=ESRA.STLEXED01.STLEXCH01.0,CN=Services,CN=Configuration,CN={E49BCD2D-6892-499E-B2C3-31202E0603E3} using Edge default certificate with thumbprint D2EB8D5A1AD519745CA46E5055C581E275DB5315, The exception is Bad Data.
. Please unsubscribe and resubscribe your Edge Transport server.

So I am assuming I need to remove the subscription and re-add it. I will post back shortly.

Expert Comment
by:TMekeel
ID: 39249462
Did you restart AD LDS on the Edge server?

Expert Comment
by:TMekeel
ID: 39249463
Otherwise it should work to remove-edgesubscription and then new-edgesubscription as you mentioned.

Author Comment
by:TechOps07
ID: 39249468
I ran the following:

Remove-EdgeSubscription -Identity STLEXED01
New-EdgeSubscription -FileName "C:\edgesub.xml"

Tried to send external email to internal, still not working.

Author Comment
by:TechOps07
ID: 39249469
I did not restart AD LDS on the Edge.

Author Comment
by:TechOps07
ID: 39249476
OK, I am restarting the Edge server, then I will check email again; if that doesn't work I will restart AD LDS and the Transport service manually.

Expert Comment
by:TMekeel
ID: 39249480
If not, then the incorrect certificate is applied to the server.
The public key is incorrect, although resubscribing should fix that, assuming the SAN names are correct on the cert that you applied.

Expert Comment
by:TMekeel
ID: 39249481
You ran the resubscription on the Hub Transport server correct?

Author Comment
by:TechOps07
ID: 39249484
How do I do that? Resubscription on Hub Transport?

I tried the New Edge Subscription from EMC but I get error:

Summary: 2 item(s). 1 succeeded, 1 failed.
Elapsed time: 00:00:00


Read file
Completed

Exchange Management Shell command completed:
Read binary stream from the file '\\10.254.250.100\c$\edgesubscription.xml'.

Elapsed Time: 00:00:00


Edge Subscription
Failed

Error:
The subscription file failed to load for the following reason: The direct trust certificate of the subscribed Edge Transport server with thumbprint 8CA5333784AE4D62CEF8EFADB207150209471E28 is a duplicate of the certificate of one of the HubTransport servers. Sharing the same certificate between Edge and Hub Transport servers is not allowed.

Exchange Management Shell command attempted:
New-EdgeSubscription -FileData '<Binary Data>' -Site 'clearent.lan/Configuration/Sites/St-Louis-Datotel' -CreateInternetSendConnector $true -CreateInboundSendConnector $true

Elapsed Time: 00:00:00

Expert Comment
by:TMekeel
ID: 39249488
So the certs are different, as suggested above. In that case generate a new CSR and rekey with GoDaddy, then import the newly keyed cert.
Redo the subscription and you should be good to go.

Author Comment
by:TechOps07
ID: 39249497
Can you explain "Certs are different as suggested above"? They are the same cert according to the error message.

I know my boss who has access to the GoDaddy cert reimported to the Edge server today after I deleted the damn certs by accident.

Do I need to export the GoDaddy Cert from Edge to the Hub?

Accepted Solution
by:TMekeel earned 500 total points
ID: 39249509
No, what I said earlier that the thumbprint of the existing (deleted) cert was different, which is the one that appeared to expire 2017. You should rekey that one and import it to the edge.

Author Comment
by:TechOps07
ID: 39249511
I am only seeing the Cert from GoDaddy expiring in 2015

Author Comment
by:TechOps07
ID: 39249517
I am going to try to see if our network admin will open the ports on our domain to the Edge server workgroup so I can just set up an internal cert, as that may be easier; the person with access to the GoDaddy cert doesn't think redownloading the cert again is going to fix anything.


Either way I think you earned you points and then some my friend. Deepest Gratitude!

Author Closing Comment
by:TechOps07
ID: 39249519
TMekeel went above and beyond helping me to the point I believe he earned more than 500pts!

Awesome Tech!!

Expert Comment
by:TMekeel
ID: 39250063
Thanks!
If the godaddy one expires 2015, then that is correct. We've already tried that one.

Author Comment
by:TechOps07
ID: 39250188
TMekeel,

I opened a case with MS Support last night, and what they did to resolve it was create a new cert on the Edge and Hub Transport, renew the subscription, and it started to work.

New-ExchangeCertificate -Services SMTP

You had me on the right track and I wish I knew more about certs. Thank you a lot for your dedication to my issue!
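The fix the author reports from Microsoft Support, together with the remove/re-create subscription sequence discussed earlier in the thread, written out end to end as an added example for Exchange 2010. This is not Support's transcript and not code from the thread: the Edge FQDN comes from the 12014 event text, the site name from the EMC output above, and the file paths and prompts are assumptions. It also includes the pre-check that would have caught the "duplicate of the certificate of one of the HubTransport servers" error before the subscription was attempted.

```powershell
# Added example, not code from the thread. Exchange 2010 Management Shell on each server.

# ===== A. On the Edge Transport server (workgroup member; its own local shell) =====
$edgeFqdn = "STLEXED01.clearent.com"    # FQDN quoted in event 12014
# New self-signed certificate for the Edge's own FQDN, bound to SMTP. This replaces the
# internal transport certificate, which is exactly why the subscription must be recreated.
$edgeCert = New-ExchangeCertificate -DomainName $edgeFqdn -Services SMTP -Force
"Edge transport certificate: {0} (expires {1})" -f $edgeCert.Thumbprint, $edgeCert.NotAfter

Remove-EdgeSubscription -Identity STLEXED01 -Confirm:$false   # drop the stale subscription locally
New-EdgeSubscription -FileName "C:\edgesub.xml" -Force         # new file carries the new cert
Restart-Service ADAM_MSExchange      # the AD LDS instance holding the Edge's configuration copy
Restart-Service MSExchangeTransport
# Copy C:\edgesub.xml to the Hub now. It carries EdgeSync bootstrap credentials and is only
# valid for a limited time (1,440 minutes by default), so import it promptly and then delete it.

# ===== B. On the Hub Transport server (domain member) =====
# New self-signed transport certificate on the Hub too (what Support ran). The Hub and the
# Edge must not end up enabled for SMTP with the same certificate.
New-ExchangeCertificate -Services SMTP -Force
Remove-EdgeSubscription -Identity STLEXED01 -Confirm:$false   # clear the AD-side subscription

# Pre-check: EdgeSync direct trust rejects an Edge certificate whose thumbprint matches
# a certificate on any Hub Transport server.
$edgeThumb = Read-Host "Thumbprint printed on the Edge in step A"
$hubSmtp   = Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
             ForEach-Object { $_.Thumbprint }
if ($hubSmtp -contains $edgeThumb) {
    throw "Edge and Hub share certificate $edgeThumb; New-EdgeSubscription will refuse the file."
}

$subBytes = [Byte[]]$(Get-Content -Path "C:\edgesub.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $subBytes -Site "St-Louis-Datotel" `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Remove-Item "C:\edgesub.xml"          # the bootstrap credentials are no longer needed on disk

Start-EdgeSynchronization             # push connectors, accepted domains and recipients to the Edge
Test-EdgeSynchronization              # SyncStatus should report Normal once replication completes

# ===== C. Back on the Edge: confirm mail is moving again =====
Get-Queue                             # look for the inbound connector queue leaving Retry
Retry-Queue -Filter { Status -eq "Retry" }
```

Once the Edge and Hub each hold their own self-signed transport certificate and the subscription has been recreated from a file generated after the Edge certificate changed, the "Could not decrypt EdgeSync credential" and 12024 events stop, because the credential in AD LDS is now encrypted to the certificate the Edge actually has.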