gregmiller4it asked:

Exchange 2003 certificate error since moving SBS2003 to Hyper-V VM

I am in the process of migrating SBS2003 with Exchange 2003, to a Server 2012 Hyper-V host, running Server 2012 DC and Exchange 2013.
As part of the process, I have moved SBS2003 into a VM. Most of it is now working ok: DHCP, Shares, printers, etc., but Exchange 2003 is not. I am getting a Security Certificate error, saying that the certificate is expired.  When I view the certificate through the error message, it shows a certificate that expired 2 years ago.
I can connect to the VM SBS2003 from client but when I open Outlook (2010) it gives the Security Certificate error and can't connect to Exchange. If I create another Outlook profile, it won't connect either.

I only renewed the security certificate a couple of months ago, but the expired certificate is not the same one.
Prior to moving the SBS to the VM I had seen the same or similar error a few times, but I was able to continue and everything worked ok. I think I saw it when I set up Outlook for an existing user on a different PC. I think I had also seen it when using OWA. But in both cases it didn't stop me from connecting to Exchange. Now it does stop me connecting.

I've viewed the certificate in IIS and it is the correct, current cert.

I think there is an old certificate that is installed somewhere that I need to remove, and maybe point Exchange at the current certificate.

OWA now does not work either. I get the logon screen, but then get a 503 error when I try to log on.
Cheers,
Greg
Gareth Gudger

Hey Greg,

Just wanted to mention that there is no direct upgrade path from Exchange 2003 to Exchange 2013, so I assume you are going to Exchange 2010 first and doing a double hop?

It does not sound like the certificate is installed correctly on Exchange 2003. When you go to OWA are you getting a certificate error? Is it the expired cert that shows up?

What certificate do you see on the Default Web Site of the SBS box?
ASKER CERTIFIED SOLUTION
Alan Hardisty
gregmiller4it (ASKER)

Just wanted to mention that there is no direct upgrade path from Exchange 2003 to Exchange 2013, so I assume you are going to Exchange 2010 first and doing a double hop?
Thanks Gareth, Yes I was aware of that and I am planning to go to Exchange 2010 and then to Exchange 2013. But I thought it would be wise to make sure Exchange 2003 was working properly in the VM before I took the next step and potentially compound the problem.

It does not sound like the certificate is installed correctly on Exchange 2003. When you go to OWA are you getting a certificate error? Is it the expired cert that shows up?
When I went to OWA when it's running on the VM, I didn't get any certificate error; it came up to the logon page ok, but when I put in my credentials it went straight to the 503 error page - no certificate error. Previously, when it was running on the physical box, I have seen a certificate error at logon time, but I think it might have been the first time from that client. I tried it again tonight (running from the physical SBS box) and got into OWA without any certificate error, but this is from a client PC that I have run OWA from previously.

What certificate do you see on the Default Web Site of the SBS box?
When I look at IIS properties of the Default Web Site I see the correct certificate which is current.

Have you re-run the Connect to the Internet Wizard since virtualising the SBS 2003 server?
No I haven't. I'll give that a try on Sunday. It would be great if it is that simple.

Virtual SBS 2003 is an unsupported configuration as it was never tested by Microsoft, so that may be part of the problem, although I am sure there are plenty of other people running it virtually quite happily.
Yep, I realise that it is an unsupported configuration, but I have found plenty of posts that would suggest there are people doing it successfully. I only want to do it for long enough to convert to Exchange 2010 and then to Exchange 2013, and to move the rest to Server 2012.

Thanks guys, I won't be able to get back on site till Sunday, but I'll try and have another go at it then.
I just checked OWA with Exchange running in the VM again. I was wrong: I do get a certificate error when I open the OWA page. It tells me it is unsafe to proceed, but if I proceed anyway, I get to the logon page with the HTTPS crossed out in the address bar. If I try to log on I get "HTTP/1.1 503 Service Unavailable".

I have re-run the Configure E-mail & Internet Connection Wizard to re-select the correct SSL certificate, but it still doesn't work. I created a self-signed certificate and it updated both the Default Web Site and the Companyweb in IIS, with a 5 year certificate. But that didn't fix the problem with Outlook...I'm still getting the same error in Outlook and the certificate it shows is nothing like the new self-signed one I created or the working one from Thawte.
It really looks like Outlook/Exchange is using an expired certificate which is hiding somewhere other than IIS....

I'm wasting soooooo much time on this and am thinking that I might press on with the migration to server 2012 and see if I can get it to work with Exchange 2010, before moving on to Exchange 2013.
Normally a 503 is an indication that one of the Exchange services, such as the Information Store, is not started. When you did the P2V, did you shut down the original server? Or did you give the new virtual clone a new IP and server name?
I disconnected the original server from the network before I started it in the VM. I went back and forth a few times to test/check stuff and each time I shut down the VM before reconnecting the physical SBS box to the network.
I'm not sure of the cause behind it, but I have had to move on now. It was my original intention to get SBS working in the VM and do the migration of everything from there. Since I couldn't get Outlook/Exchange to work, I have reverted to the physical SBS box and begun the migration there.
I have added a VM running Server 2012 R2 as a second DC. I will have to install Exchange 2010 with SP3 and migrate Exchange 2003 to that. Hopefully I don't run into too much trouble with the SSL certificate in Exch2010.

So, it seems that this question has become redundant and probably won't be solved....
Admins/Experts, what should I do with this question now?
Probably best to accept Alan's comment. As he said it was unsupported.

One last question. What migration guide are you using from 2003 to 2010? Here is one I wrote myself. Might help with the certificate concerns you have as well.

Here is part 1
https://supertekboy.com/2014/03/31/migrating-exchange-2003-2010-part/
I have been looking at several different guides, because I actually have not found one anywhere that does the whole thing, i.e. from SBS 2003 through to a Server 2012 R2 Hyper-V host with several Server 2012 R2 VMs for DC, Exchange 2013, RDS and Apps, etc.

Here are some of the guides I've checked out:
https://www.experts-exchange.com/questions/28076490/Migrate-SBS-2003-to-Windows-Standard-2012-with-Exchange-2013.html

https://demazter.wordpress.com/2010/04/29/migrate-small-business-server-2003-to-exchange-2010-and-windows-2008-r2/

http://blogs.msmvps.com/mweber/2012/07/30/upgrading-an-active-directory-domain-from-windows-server-2003-or-windows-server-2003-r2-to-windows-server-2012/

http://community.spiceworks.com/how_to/show/32049-migrate-from-sbs-2003-to-exchange-2013-on-server-2012-with-ease

http://zytelnetworks.com/kb/?p=275

I will also have a good look at your guide. Thanks for that.

And at your suggestion, I will accept Alan's comment.

Cheers,
Greg
Sorry - I would have come back to the question if I'd received notifications. Sadly my email from EE stopped on the 2nd Jan and hasn't returned (yet).