asked on SBS 2008 RWW and exchange stops functioning for approximately 1 hour then recovers .
The server has external Drives which are used for SBS backups . The drives are periodically swapped out , around the time this happens the RWW and exchange basically stops functioning for an period of time before self recovering . The drive swap is the only external factor that happens around the event but I am not sure there is any relationship .
The features of this issue are :
A person types in remote.the company.com and the browser just spins and spins with no timeout . The person just waits forever for a login screen .
Simultaneously the exchange system stops sending or receiving mail with no error messages on the clients side .
Have run Fix my network wizard and found no certificate errors .
This server is heavily used for remote access and email so I want to make sure that i am fixing this issue instead of doing anything that would break either exchange or RWW. Server downtime must be minimum .
The event logs show the following error messages during the event :
Log Name: Application
Source: Microsoft-Windows-Certific
Date: 8/21/2015 11:18:37 AM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: MAIN.local
Description:
Certificate for local system with Thumbprint 2d 5a 90 80 e0 59 68 09 aa a7 10 e9 bf 48 94 15 d1 c4 f0 ae is about to expire or already expired.
Log Name: Application
Source: Microsoft-Windows-Certific
Date: 8/21/2015 11:18:37 AM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: -MAIN.local
Description:
Certificate for local system with Thumbprint ad 4d 74 86 1b 77 d7 87 c4 07 2a 17 b9 fb 9a 7d 9f af 41 82 is about to expire or already expired.
Log Name: Application
Source: Microsoft-Windows-Certific
Date: 8/21/2015 11:18:37 AM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: -MAIN.local
Description:
Certificate for local system with Thumbprint 36 a2 4d af e3 ff 3e f4 81 9d 7a c1 84 49 14 87 3a 3b ee c0 is about to expire or already expired.
Log Name: Application
Source: MSExchangeTransport
Date: 8/21/2015 11:18:31 AM
Event ID: 12016
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: -MAIN.local
Description:
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of remote.the.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of remote.the.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
The features of this issue are :
A person types in remote.the company.com and the browser just spins and spins with no timeout . The person just waits forever for a login screen .
Simultaneously the exchange system stops sending or receiving mail with no error messages on the clients side .
Have run Fix my network wizard and found no certificate errors .
This server is heavily used for remote access and email so I want to make sure that i am fixing this issue instead of doing anything that would break either exchange or RWW. Server downtime must be minimum .
The event logs show the following error messages during the event :
Log Name: Application
Source: Microsoft-Windows-Certific
Date: 8/21/2015 11:18:37 AM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: MAIN.local
Description:
Certificate for local system with Thumbprint 2d 5a 90 80 e0 59 68 09 aa a7 10 e9 bf 48 94 15 d1 c4 f0 ae is about to expire or already expired.
Log Name: Application
Source: Microsoft-Windows-Certific
Date: 8/21/2015 11:18:37 AM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: -MAIN.local
Description:
Certificate for local system with Thumbprint ad 4d 74 86 1b 77 d7 87 c4 07 2a 17 b9 fb 9a 7d 9f af 41 82 is about to expire or already expired.
Log Name: Application
Source: Microsoft-Windows-Certific
Date: 8/21/2015 11:18:37 AM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: -MAIN.local
Description:
Certificate for local system with Thumbprint 36 a2 4d af e3 ff 3e f4 81 9d 7a c1 84 49 14 87 3a 3b ee c0 is about to expire or already expired.
Log Name: Application
Source: MSExchangeTransport
Date: 8/21/2015 11:18:31 AM
Event ID: 12016
Task Category: TransportService
Level: Error
Keywords: Classic
User: N/A
Computer: -MAIN.local
Description:
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of remote.the.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of remote.the.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
ExchangeRemote AccessSBS
Last Comment
Andre P
it seems that your certificate is expired. Is it self signed certificate or third party certificate?
ASKER
I launched the MMC snapin and found the certificates with these thumbprints .
They expired in September and October of 2013 (2 years ago ) respectively .
They were both self signed.
The network solutions cert does not expire until march of next year.
They expired in September and October of 2013 (2 years ago ) respectively .
They were both self signed.
The network solutions cert does not expire until march of next year.
Kindly check if certificate is assigned to exchange services like IIS, SMTP
Get-ExchangeCertificate | fl
Paste results here.
Get-ExchangeCertificate | fl
Paste results here.
ASKER
Welcome to the Exchange Management Shell!
Full list of cmdlets: get-command
Only Exchange cmdlets: get-excommand
Cmdlets for a specific role: get-help -role *UM* or *Mailbox*
Get general help: help
Get help for a cmdlet: help <cmdlet-name> or <cmdlet-name> -?
Show quick reference guide: quickref
Exchange team blog: get-exblog
Show full output for a cmd: <cmd> | format-list
Tip of the day #45:
Forgot what the available parameters are on a cmdlet? Just use tab completion! T
ype:
Set-Mailbox -<tab>
When you type a hyphen (-) and then press the Tab key, you will cycle through al
l the available parameters on the cmdlet. Want to narrow your search? Type part
of the parameter's name and then press the Tab key. Type:
Set-Mailbox -Prohibit<tab>
[PS] C:\Windows\system32>Get-Ex
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
CertificateDomains : {servername-MAIN.servernam
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=servername-servername-M
NotAfter : 7/18/2016 9:19:00 PM
NotBefore : 7/19/2015 9:19:00 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 1575D2AA000100000046
Services : IMAP, POP
Status : Valid
Subject : CN=servername-MAIN.servern
Thumbprint : D4C96D607D5B02B2B1BA6A7E83
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
CertificateDomains : {servername-servername-MAI
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=servername-servername-M
NotAfter : 7/18/2020 9:26:02 PM
NotBefore : 7/19/2015 9:16:02 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 6149168B0E3F54BF4604AE46D6
Services : None
Status : Valid
Subject : CN=servername-servername-M
Thumbprint : 9105BFF322ACB73B90B07AD9C6
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {localhost}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=localhost
NotAfter : 2/6/2025 7:00:00 PM
NotBefore : 2/7/2015 7:05:48 PM
PublicKeySize : 1024
RootCAType : None
SerialNumber : 087C922D5CA7FE8544893C40AD
Services : None
Status : Valid
Subject : CN=localhost
Thumbprint : 60794ED6E4BCAA9FB9BF86F642
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {remote.mycompany.com, mycompany.c
om, servername-MAIN.servername
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=servername-servername-M
NotAfter : 10/4/2013 10:02:29 PM
NotBefore : 10/5/2011 10:02:29 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 17B390A300000000001D
Services : IMAP, POP, SMTP
Status : DateInvalid
Subject : CN=remote.mycompany.com
Thumbprint : 2D5A9080E0596809AAA710E9BF
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {remote.mycompany.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Network Solutions DV Server CA, O=Network Solutions L.L
.C., C=US
NotAfter : 3/19/2016 7:59:59 PM
NotBefore : 10/5/2011 8:00:00 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 7CD5D0B8EBF24819F776D2B7F6
Services : IIS, SMTP
Status : Valid
Subject : CN=remote.mycompany.com, OU=nsProtect Secure X
press, OU=Domain Control Validated
Thumbprint : 8B9B6E91FE283B1FD9CB4374E6
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {remote.mycompany.com, mycompany.c
om, servername-MAIN.servername
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=servername-servername-M
NotAfter : 9/28/2013 1:39:23 PM
NotBefore : 9/29/2011 1:39:23 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 610EF47B00000000001B
Services : IMAP, POP, SMTP
Status : DateInvalid
Subject : CN=remote.mycompany.com
Thumbprint : 36A24DAFE3FF3EF4819D7AC184
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {Sites, servername-MAIN.servername
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=servername-servername-M
NotAfter : 9/3/2011 3:05:04 PM
NotBefore : 9/3/2009 3:05:04 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 610441DF000000000002
Services : IMAP, POP, SMTP
Status : DateInvalid
Subject : CN=Sites
Thumbprint : AD4D74861B77D787C4072A17B9
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
CertificateDomains : {servername-servername-MAI
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=servername-servername-M
NotAfter : 9/3/2014 3:14:49 PM
NotBefore : 9/3/2009 3:04:49 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 4256196235CDE8A9450C7315DA
Services : None
Status : DateInvalid
Subject : CN=servername-servername-M
Thumbprint : 8BA2B125D5D4AA3F3B355E904E
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
CertificateDomains : {WMSvc-WIN-L54IFZ0IDFD}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-WIN-L54IFZ0IDFD
NotAfter : 8/31/2019 8:38:39 PM
NotBefore : 9/2/2009 8:38:39 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : CDB4CBC95A9520A54B028E2C6C
Services : None
Status : Valid
Subject : CN=WMSvc-WIN-L54IFZ0IDFD
Thumbprint : F2D13CEE5212F1AE8695881DCE
[PS] C:\Windows\system32>
Full list of cmdlets: get-command
Only Exchange cmdlets: get-excommand
Cmdlets for a specific role: get-help -role *UM* or *Mailbox*
Get general help: help
Get help for a cmdlet: help <cmdlet-name> or <cmdlet-name> -?
Show quick reference guide: quickref
Exchange team blog: get-exblog
Show full output for a cmd: <cmd> | format-list
Tip of the day #45:
Forgot what the available parameters are on a cmdlet? Just use tab completion! T
ype:
Set-Mailbox -<tab>
When you type a hyphen (-) and then press the Tab key, you will cycle through al
l the available parameters on the cmdlet. Want to narrow your search? Type part
of the parameter's name and then press the Tab key. Type:
Set-Mailbox -Prohibit<tab>
[PS] C:\Windows\system32>Get-Ex
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
CertificateDomains : {servername-MAIN.servernam
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=servername-servername-M
NotAfter : 7/18/2016 9:19:00 PM
NotBefore : 7/19/2015 9:19:00 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 1575D2AA000100000046
Services : IMAP, POP
Status : Valid
Subject : CN=servername-MAIN.servern
Thumbprint : D4C96D607D5B02B2B1BA6A7E83
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
CertificateDomains : {servername-servername-MAI
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=servername-servername-M
NotAfter : 7/18/2020 9:26:02 PM
NotBefore : 7/19/2015 9:16:02 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 6149168B0E3F54BF4604AE46D6
Services : None
Status : Valid
Subject : CN=servername-servername-M
Thumbprint : 9105BFF322ACB73B90B07AD9C6
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {localhost}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=localhost
NotAfter : 2/6/2025 7:00:00 PM
NotBefore : 2/7/2015 7:05:48 PM
PublicKeySize : 1024
RootCAType : None
SerialNumber : 087C922D5CA7FE8544893C40AD
Services : None
Status : Valid
Subject : CN=localhost
Thumbprint : 60794ED6E4BCAA9FB9BF86F642
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {remote.mycompany.com, mycompany.c
om, servername-MAIN.servername
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=servername-servername-M
NotAfter : 10/4/2013 10:02:29 PM
NotBefore : 10/5/2011 10:02:29 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 17B390A300000000001D
Services : IMAP, POP, SMTP
Status : DateInvalid
Subject : CN=remote.mycompany.com
Thumbprint : 2D5A9080E0596809AAA710E9BF
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {remote.mycompany.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Network Solutions DV Server CA, O=Network Solutions L.L
.C., C=US
NotAfter : 3/19/2016 7:59:59 PM
NotBefore : 10/5/2011 8:00:00 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 7CD5D0B8EBF24819F776D2B7F6
Services : IIS, SMTP
Status : Valid
Subject : CN=remote.mycompany.com, OU=nsProtect Secure X
press, OU=Domain Control Validated
Thumbprint : 8B9B6E91FE283B1FD9CB4374E6
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {remote.mycompany.com, mycompany.c
om, servername-MAIN.servername
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=servername-servername-M
NotAfter : 9/28/2013 1:39:23 PM
NotBefore : 9/29/2011 1:39:23 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 610EF47B00000000001B
Services : IMAP, POP, SMTP
Status : DateInvalid
Subject : CN=remote.mycompany.com
Thumbprint : 36A24DAFE3FF3EF4819D7AC184
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
ty.AccessControl.CryptoKey
CertificateDomains : {Sites, servername-MAIN.servername
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=servername-servername-M
NotAfter : 9/3/2011 3:05:04 PM
NotBefore : 9/3/2009 3:05:04 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 610441DF000000000002
Services : IMAP, POP, SMTP
Status : DateInvalid
Subject : CN=Sites
Thumbprint : AD4D74861B77D787C4072A17B9
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
CertificateDomains : {servername-servername-MAI
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=servername-servername-M
NotAfter : 9/3/2014 3:14:49 PM
NotBefore : 9/3/2009 3:04:49 PM
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 4256196235CDE8A9450C7315DA
Services : None
Status : DateInvalid
Subject : CN=servername-servername-M
Thumbprint : 8BA2B125D5D4AA3F3B355E904E
AccessRules : {System.Security.AccessCon
.Security.AccessControl.Cr
CertificateDomains : {WMSvc-WIN-L54IFZ0IDFD}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-WIN-L54IFZ0IDFD
NotAfter : 8/31/2019 8:38:39 PM
NotBefore : 9/2/2009 8:38:39 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : CDB4CBC95A9520A54B028E2C6C
Services : None
Status : Valid
Subject : CN=WMSvc-WIN-L54IFZ0IDFD
Thumbprint : F2D13CEE5212F1AE8695881DCE
[PS] C:\Windows\system32>
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Just for the heck of it ,download and run the SBS best practices analyzer and post results.
http://www.microsoft.com/en-us/download/details.aspx?id=6231
http://www.microsoft.com/en-us/download/details.aspx?id=6231
ASKER
David Johnson
This server is running 24/7 as a remote access system .
If I run get-certificate on the server ,is there a chance it will break the remote access for the users ?
I support this server remotely . Could it then lock me out ?
I will also run Best Practices shortly .
We are currently migrating to a cloud backup system and this has become temporarily not as hot an issue .
Will be tackling it in a week .
This server is running 24/7 as a remote access system .
If I run get-certificate on the server ,is there a chance it will break the remote access for the users ?
I support this server remotely . Could it then lock me out ?
I will also run Best Practices shortly .
We are currently migrating to a cloud backup system and this has become temporarily not as hot an issue .
Will be tackling it in a week .
updating certificates will not lock you out of the system under any circumstances. Especially since these certificates are invalid/expired at this time.. I can see where if a certificate expires that it could cause connection problems with clients that rely on a valid certificate
ASKER
I will be acting on this in the beginning of the month for budgetary reasons .
I have not abandoned this thread
I have not abandoned this thread