Exchange 2007 to 2013

I have set up a new Exchange 2013 server to replace an Exchange 2007 server.

Old Server: Server 2008 & Exchange 2007
New Server: Server 2012 & Exchange 2013

Current Situation:
1) Mail is all pointed at the new server, and is currently being passed to the old server (I didn't set this up, it's just working).
2) New user accounts work on the new server and send/receive, and can be used on iPads/phones/webmail but not Outlook - certificate errors.
3) Old users can be used in Outlook using the old server and are receiving mail, but can't use webmail or iPhones as mail.domain.com is pointed at the new server.
4) The Administrator mailbox is moved to the new server and can use webmail but not iPads/phones/Outlook.

I have created a new certificate request on the new server, but I cannot verify it: when I go to https://newserver/certsrv and submit a certificate request I receive the error "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."

I have gone through the following:
http://support.microsoft.com/en-us/kb/811418 (they are both the same case)

http://theadminsguide.net/2012/08/29/no-certificate-templates-could-be-found-you-do-not-have-permission-to-request-a-certificate-from-this-ca/ (I have it running as a network service)

I have also made sure anonymous authentication is disabled and Windows authentication is used on certsrv and certenroll in IIS.

I have added some more certificate templates in the certsrv add-in and they show up, but not the Web Server one which I need. I have even deleted it and re-added it, but only new additions show up.

Many Thanks

James
clivingIOS asked:

clivingIOS (Author) commented:
OK, I managed to get the migrated Administrator mailbox to open in Outlook by installing the cert locally on the machine. I am moving a user now to test and make sure it moves OK; once that is done hopefully I can move them all, then it will just be the phones/iPads I will have to check.
0
 
Will Szymkowski (Senior Solution Architect) commented:
When you have 2007 and 2013 co-existence you need to create a new SSL certificate with the following DNS SAN names...
legacy.example.com
mail.example.com
autodiscover.example.com

You generate this certificate from the new Exchange 2013 server. When you get the cer/crt file back you import it back into the Exchange 2013 server. You will need to enable the services for this using the Enable-ExchangeCertificate cmdlet. You can also use the UI if you choose to.

You will then need to export the certificate (with the private key) and import the new certificate into all of the Exchange Servers that hold the CAS role (2007 and 2013).

You then have to enable the certificate on all of the CAS servers as well.

Once that is in place you will need to configure your virtual directories for Exchange 2007 (https://legacy.example.com/owa/oab/etc). You will then use https://mail.example.com/owa/oab/etc for the Exchange 2013 virtual directories.

You will leave autodiscover set to autodiscover.example.com for both. It is also recommended that you use Exchange 2013 for ActiveSync as well, so ensure that you only set up the Exchange 2013 ActiveSync virtual directory.

I would also suggest that you go through the Exchange Deployment Assistant and make sure that you have gone over all of the steps accordingly.

https://technet.microsoft.com/en-us/office/dn756393.aspx

Will.
0
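The co-existence certificate workflow Will describes (request with the three SAN names, import and enable on 2013, export with the private key, import and enable on the 2007 CAS, then verify), as an added Exchange Management Shell example that is not part of the thread. Step 2 also shows submitting the .req file to an internal AD CS CA with certreq instead of the /certsrv web page; the server names EX2013/EX2007, the CA name CA01\Contoso-CA, the WebServer template and the share path are assumptions.

```powershell
# Added example, not from the thread. Run on the Exchange 2013 server (Exchange Management Shell).
# Assumed: hosts mail/legacy/autodiscover.example.com (from the thread), servers EX2013 and EX2007,
# internal CA "CA01\Contoso-CA" with the default "WebServer" template, and a share \\EX2013\share.

# 1. CSR with all SAN names needed during co-existence; exportable key so the 2007 CAS can use the same cert.
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2013/2007 coexistence' `
    -SubjectName 'CN=mail.example.com,O=Example,C=US' `
    -DomainName 'mail.example.com','legacy.example.com','autodiscover.example.com'
[System.IO.File]::WriteAllBytes('\\EX2013\share\exchange.req',
    [System.Text.Encoding]::Unicode.GetBytes($req))

# 2. Submit directly to the enterprise CA, bypassing the /certsrv web page. The account running this
#    needs Enroll permission on the WebServer template; otherwise certreq reports the same permission error.
certreq -submit -config 'CA01\Contoso-CA' -attrib 'CertificateTemplate:WebServer' `
    '\\EX2013\share\exchange.req' '\\EX2013\share\exchange.cer'

# 3. Complete the pending request on EX2013 and bind the cert to the client-facing services.
$cert = Import-ExchangeCertificate -Server EX2013 `
    -FileData ([byte[]](Get-Content -Path '\\EX2013\share\exchange.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server EX2013 -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Export as PFX (private key included) for the 2007 CAS. Protect the file: it contains the private key.
$pw  = Read-Host 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Server EX2013 -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pw
[System.IO.File]::WriteAllBytes('\\EX2013\share\exchange.pfx', $pfx.FileData)
#    Then, in the Exchange 2007 Management Shell on EX2007 (2007 uses -Path rather than -FileData):
#    Import-ExchangeCertificate -Path '\\EX2013\share\exchange.pfx' -Password $pw | Enable-ExchangeCertificate -Services IIS

# 5. Check: every name Outlook, OWA and ActiveSync connect to must be in the enabled certificate's SANs.
$needed  = 'mail.example.com','legacy.example.com','autodiscover.example.com'
$live    = Get-ExchangeCertificate -Server EX2013 -Thumbprint $cert.Thumbprint
$missing = $needed | Where-Object { $live.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Certificate is missing SAN(s): $($missing -join ', ')" }
else          { Write-Host "All co-existence names present; IIS services: $($live.Services)" }
```

Delete the PFX from the share once it has been imported on the 2007 server, since anyone who can read it holds the private key for mail.example.com.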
 
clivingIOS (Author) commented:
The issue is that the 2013 server isn't allowing people to access their emails via Outlook because of this certificate problem. Without being able to get the certificate on the new server I cannot use Outlook, so I cannot move the users' mailboxes yet?

I cannot issue the certificate because I am not able to submit a certificate request.
0

 
Will Szymkowski (Senior Solution Architect) commented:
How have you configured your virtual directories on your Exchange 2013 server? Have you actually installed an SSL certificate on this server? The FQDN that you are using on the virtual directories needs to be the same name that is on the certificate: mail.example.com (2013) or legacy.example.com (2007).

You do not need to have access to the UI to generate a CSR. You can also do this from PowerShell or IIS.

Generate CSR using IIS
https://www.digicert.com/csr-creation-microsoft-iis-7.htm

Will.
0
 
clivingIOS (Author) commented:
Can I use IIS or PowerShell to convert my .req to a .cer?
0
 
clivingIOS (Author) commented:
The certificates on the server are the ones that were created during the Exchange install. They all say valid, but I read that I had to create a certificate because self-signed ones can't be used anymore.

I don't want to pay someone to sign the certificate, hence me trying to use the CA.
0
 
clivingIOS (Author) commented:
I have set up legacy.domain.com for the old server as I originally skipped it. Now if I log on to webmail using an existing account it says legacy.domain.com is in a redirect loop.
0
 
Will Szymkowski (Senior Solution Architect) commented:
> I had to create a certificate because self-signed ones can't be used anymore
Yes, these are self-signed certs that are created during the installation of Exchange. They can only be used internally, not externally.

> I don't want to pay someone to sign the certificate hence me trying to use the CA
Certificates are fairly cheap, and if you can afford to use Exchange Server then do it right and purchase a SAN/UCC cert.

That is what you need to do when proceeding with this.

Will.
0
 
clivingIOS (Author) commented:
I understand that they are fairly cheap, however I have been told to set it up without using one - at least for now. Are you saying that can't be done?
0
 
Will Szymkowski (Senior Solution Architect) commented:
Not saying it cannot be done, but you will save yourself a lot of headache using a 3rd party SSL cert.

CareExchange has a complete walk-through for setting up an internal CA and also shows how to set up/install AD CS.
http://careexchange.in/how-to-use-a-internal-windows-ca-certificate-authority-in-windows-2012-with-exchange-2013/

Will.
0
 
clivingIOS (Author) commented:
That's actually the guide I followed, only when I get to step 18 I get the "no templates found" error:

Step 18:
Choose the Second one
Submit a certificate request by using a base-64-Encoded CMC
0
 
Will Szymkowski (Senior Solution Architect) commented:
OK, sounds good.

Will.
0
 
clivingIOS (Author) commented:
Ended up buying a certificate just to make things run smoothly. I much prefer the older versions and the way they work; the new ECP is terrible.

Thanks for your help
0
 
clivingIOS (Author) commented:
A few factors to the fix.
0