Solved

Exchange 2003 certificate error since moving SBS2003 to Hyper-V VM

Posted on 2015-01-01
Last Modified: 2015-01-06
I am in the process of migrating SBS2003 with Exchange 2003, to a Server 2012 Hyper-V host, running Server 2012 DC and Exchange 2013.
As part of the process, I have moved SBS2003 into a VM. Most of it is now working ok: DHCP, Shares, printers, etc., but Exchange 2003 is not. I am getting a Security Certificate error, saying that the certificate is expired.  When I view the certificate through the error message, it shows a certificate that expired 2 years ago.
I can connect to the VM SBS2003 from client but when I open Outlook (2010) it gives the Security Certificate error and can't connect to Exchange. If I create another Outlook profile, it won't connect either.

I only renewed the security certificate a couple of months ago, but the expired certificate is not the same one.
Prior to moving the SBS to the VM I had seen the same or similar error a few times, but I was able to continue and everything worked ok. I think I saw it when I set up Outlook for an existing user on a different PC. I think I had also seen it when using OWA. But in both cases it didn't stop me from connecting to Exchange. Now it does stop me connecting.

I've viewed the certificate in IIS and it is the correct, current cert.

I think there is an old certificate that is installed somewhere that I need to remove, and maybe point Exchange at the current certificate.

OWA now does not work either. I get the logon screen, but then get a 503 error when I try to logon.
Cheers,
Greg
0
Question by:gregmiller4it
9 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40527250
Hey Greg,

Just wanted to mention that there is no direct upgrade path from Exchange 2003 to Exchange 2013, so I assume you are going to Exchange 2010 first and doing a double hop?

It does not sound like the certificate is installed correctly on Exchange 2003. When you go to OWA are you getting a certificate error? Is it the expired cert that shows up?

What certificate do you see on the Default Web Site of the SBS box?
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 40527665
Have you re-run the Connect to the Internet Wizard since virtualising the SBS 2003 server?

You should be able to re-run the wizard and re-select the correct SSL certificate and that may be all you need to do.

Virtual SBS 2003 is an unsupported configuration as it was never tested by Microsoft, so that may be part of the problem, although I am sure there are plenty of other people running it virtually quite happily.

Alan
0
 

Author Comment

by:gregmiller4it
ID: 40527736
> Just wanted to mention that there is no direct upgrade path from Exchange 2003 to Exchange 2013, so I assume you are going to Exchange 2010 first and doing a double hop?

Thanks Gareth, Yes I was aware of that and I am planning to go to Exchange 2010 and then to Exchange 2013. But I thought it would be wise to make sure Exchange 2003 was working properly in the VM before I took the next step and potentially compound the problem.

> It does not sound like the certificate is installed correctly on Exchange 2003. When you go to OWA are you getting a certificate error? Is it the expired cert that shows up?

When I went to OWA when it's running on the VM, I didn't get any certificate error; it came up to the logon page ok, but when I put in my credentials it went straight to the 503 error page - no certificate error. Previously, when it was running on the physical box, I have seen a certificate error at logon time, but I think it might have been the first time from that client. I tried it again tonight (running from the physical SBS box) and got into OWA without any certificate error, but this is from a client PC that I have run OWA from previously.

> What certificate do you see on the Default Web Site of the SBS box?

When I look at IIS properties of the Default Web Site I see the correct certificate which is current.

> Have you re-run the Connect to the Internet Wizard since virtualising the SBS 2003 server?

No I haven't. I'll give that a try on Sunday. It would be great if it is that simple.

> Virtual SBS 2003 is an unsupported configuration as it was never tested by Microsoft, so that may be part of the problem, although I am sure there are plenty of other people running it virtually quite happily.

Yep, I realise that it is an unsupported configuration, but I have found plenty of posts that would suggest there are people doing it successfully. I only want to do it for long enough to convert to Exchange 2010 and then to Exchange 2013, and to move the rest to Server 2012.

Thanks guys, I won't be able to get back on site till Sunday, but I'll try and have another go at it then.
0
 

Author Comment

by:gregmiller4it
ID: 40529836
I just checked OWA with Exchange running in the VM again. I was wrong: I do get a certificate error when I open the OWA page. It tells me it is unsafe to proceed, but if I proceed anyway, I get to the logon page with the HTTPS crossed out in the address bar. If I try to logon I get "HTTP/1.1 503 Service Unavailable".

I have re-run the Configure E-mail & Internet Connection Wizard to re-select the correct SSL certificate, but it still doesn't work. I created a self-signed certificate and it updated both the Default Web Site and the Companyweb in IIS, with a 5 year certificate. But that didn't fix the problem with Outlook...I'm still getting the same error in Outlook and the certificate it shows is nothing like the new self-signed one I created or the working one from Thawte.
It really looks like Outlook/Exchange is using an expired certificate which is hiding somewhere other than IIS....

I'm wasting soooooo much time on this and am thinking that I might press on with the migration to server 2012 and see if I can get it to work with Exchange 2010, before moving on to Exchange 2013.
0
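
One way to test the suspicion in the comment above, that an expired certificate is being presented from somewhere other than the IIS binding (an added example, not part of the original thread): record which certificate each host name actually presents on port 443, compare it with the current certificate's thumbprint, then list expired certificates left in the server's machine store. The host names and thumbprint are placeholders, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. The host names and thumbprint are placeholders, not values from the thread.
$Targets = @('sbs.example.local', 'mail.example.com')   # every name the Outlook profile or OWA URL uses
$ExpectedThumbprint = 'PLACEHOLDER_THUMBPRINT_NO_SPACES' # thumbprint of the current certificate

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: the goal is to inspect what is presented, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            # Server 2003 only offers SSL 3.0 / TLS 1.0, so run this from a client
            # that still negotiates those protocols (e.g. the affected Outlook PC).
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Close() }
    } finally { $tcp.Close() }
}

# From the client: what does each name really present on the wire?
foreach ($t in $Targets) {
    try {
        $c = Get-PresentedCertificate -HostName $t
        New-Object PSObject -Property @{
            Target          = $t
            Subject         = $c.Subject
            Issuer          = $c.Issuer
            NotAfter        = $c.NotAfter
            Thumbprint      = $c.Thumbprint
            Expired         = ($c.NotAfter -lt (Get-Date))
            MatchesExpected = ($c.Thumbprint -eq $ExpectedThumbprint)
        }
    } catch {
        Write-Warning "$t : $($_.Exception.Message)"
    }
}

# On the server: expired certificates still sitting in the machine's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, NotAfter, Thumbprint
```

A target whose `Thumbprint` differs from the expected one identifies the host or binding that is serving the stale certificate; the subject and issuer of that certificate show whether it belongs to the server at all.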
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40530263
Normally a 503 is an indication that one of the Exchange services, such as the Information Store, is not started. When you did the P2V, did you shut down the original server? Or did you give the new virtual clone a new IP and server name?
0
 

Author Comment

by:gregmiller4it
ID: 40530833
I disconnected the original server from the network before I started it in the VM. I went back and forth a few times to test/check stuff and each time I shut down the VM before reconnecting the physical SBS box to the network.
I'm not sure of the cause behind it, but I have had to move on now. It was my original intention to get SBS working in the VM and do the migration of everything from there. Since I couldn't get Outlook/Exchange to work, I have reverted to the physical SBS box and begun the migration there.
I have added a VM running Server 2012 R2 as a second DC. I will have to install Exchange 2010 with SP3 and migrate Exchange 2003 to that. Hopefully I don't run into too much trouble with the SSL certificate in Exch2010.

So, it seems that this question has become redundant and probably won't be solved....
Admins/Experts, what should I do with this question now?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40530911
Probably best to accept Alan's comment. As he said it was unsupported.

One last question. What migration guide are you using from 2003 to 2010? Here is one I wrote myself. Might help with the certificate concerns you have as well.

Here is part 1
https://supertekboy.com/2014/03/31/migrating-exchange-2003-2010-part/
0
 

Author Comment

by:gregmiller4it
ID: 40530939
I have been looking at several different guides, because I actually have not found one anywhere that does the whole thing, i.e. from SBS 2003 through to a Server 2012 R2 Hyper-V host with several Server 2012 R2 VMs for DC, Exchange 2013, RDS and Apps, etc.

Here are some of the guides I've checked out:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_28076490.html

https://demazter.wordpress.com/2010/04/29/migrate-small-business-server-2003-to-exchange-2010-and-windows-2008-r2/

http://blogs.msmvps.com/mweber/2012/07/30/upgrading-an-active-directory-domain-from-windows-server-2003-or-windows-server-2003-r2-to-windows-server-2012/

http://community.spiceworks.com/how_to/show/32049-migrate-from-sbs-2003-to-exchange-2013-on-server-2012-with-ease

http://zytelnetworks.com/kb/?p=275

I will also have a good look at your guide. Thanks for that.

And at your suggestion, I will accept Alan's comment.

Cheers,
Greg
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40533881
Sorry - I would have come back to the question if I'd received notifications. Sadly my email from EE stopped on the 2nd Jan and hasn't returned (yet).
0
