Exchange 2013 Receive connector Transport Service certificate problem after migration from Ex2007 to 2013


I'm getting the event ID 12014 Transport-service - with a certificate which isn't in the list of Exchange certificates in EX2013.
Error Message: Exchange could not find a certificate which is not in the personal information store of local computer.
This is the root certificate of the internal Trusted CA.

The root certificate isn't assigned to SMTP services but the affected connector does not have a certificate assigned for start_TLS.

The standard certificate in EX2013 has all services included, also SMTP, but is not assigned to connectors.

The standard certificate in EX2013 is missing one domain on alternate names which is in the root certificate.

The affected connector has starttls=false. Is it enough to set it to $true?

It's really confusing for me. In the past I tried to install a new certificate and add TLS to all connectors=true, and all users were getting problems in Outlook. They have to install the certificate.
Some important mails are passing the firewall but not arriving at client mailboxes. I think that depends on the certificate problem
with receive connectors.

Thanks in advance for your help
Jian An Lim (Solutions Architect) Commented:
So you will use option 1

Run the following command:
Get-ReceiveConnector "VX01\Default Frontend VX01" | Set-ReceiveConnector -Fqdn <>

To roll back:
Get-ReceiveConnector "VX01\Default Frontend VX01" | Set-ReceiveConnector -Fqdn VX01.bctk.lokal
David Johnson, CD, MVP (Owner) Commented:
With a domain one normally adds the CA root certificate to the users' trusted root providers store via group policy.
Jian An Lim (Solutions Architect) Commented:
Root certificates usually don't cause any trouble.

The receive connector of the FQDN must match the certificate, then TLS will work.

if you provide your receive connector in question with |fl
Mandy_Author Commented:
OK. How could I match the receive connector with the certificate?
Jian An Lim (Solutions Architect) Commented:
if you type
get-receiveconnector | fl identity,fqdn, tlscertificatename

paste it as result

get-exchangecertificate | where {$_.RootCAType -like "ThirdParty"}| fl
Mandy_Author Commented:
Thanks, the tlscertificate is the root_certificate of our trusted CA and it's assigned to the connector.
This root CA is not an Exchange certificate. I think we have to assign the Exchange cert instead
to this connector, but how can we do that?

the important strings:

RequireTLS                              : False
Bindings                                : {[::]:25,}
SuppressXAnonymousTls : False
TlsCertificateName : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK

AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {[::]:25,}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
SmtpUtf8Enabled                         : False
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : True
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
ProxyEnabled                            : False
AdvertiseClientSettings                 : False
Fqdn                                    : VX01.bctk.lokal
ServiceDiscoveryFqdn                    :
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>, OU=Technik, O=BCT GM,
                                          L=GEL, S=Brownsword, C=UK
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : Unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 128 KB (131,072 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 5
MaxLogonFailures                        : 3
MaxMessageSize                          : 36 MB (37,748,736 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : VX01
TransportRole                           : FrontendTransport
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:00
MaxAcknowledgementDelay                 : 00:00:00
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default Frontend VX01
DistinguishedName                       : CN=Default Frontend VX01,CN=SMTP Receive
                                          Connectors,CN=Protocols,CN=VX01,CN=Servers,CN=Exchange Administrative Group
                                          (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=bctk,CN=Microsoft
Identity                                : VX01\Default Frontend VX01
Guid                                    : 9aef83a0-692d-417c-a2ab-662f46fa6ec2
ObjectCategory                          : bctk.lokal/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
OrganizationId                          :
Id                                      : VX01\Default Frontend VX01
OriginatingServer                       : VSRV01.bctk.lokal
IsValid                                 : True
ObjectState                             : Unchanged

Jian An Lim (Solutions Architect) Commented:
Your FQDN does not match your certificate, which is the first problem.

FQDN = VX01.bctk.lokal
TlsCertificateName                      : <I>CN=bctk-VSRV01-CA, DC=bctk, DC=lokal<S>, OU=Technik, O=BCT GM, L=GEL, S=Brownsword, C=UK

You have 2 options:
change your FQDN to match the certificate (easiest),
or get a certificate that matches the FQDN.

Usually I will just use a 3rd party certificate like the one you use to access your webmail
that will just work.
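
The FQDN-versus-certificate comparison discussed in this thread, as an added example that is not part of the original posts: it audits every receive connector against the installed SMTP-enabled Exchange certificates, then previews pinning one of them. `Test-CertCoversName` is a hypothetical helper and the thumbprint is a placeholder; the connector identity is the one shown in the output above.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Test-CertCoversName is a hypothetical helper: does a cert's name list cover $Name?
function Test-CertCoversName {
    param($Cert, [string]$Name)
    foreach ($d in $Cert.CertificateDomains) {
        $domain = "$d"
        if ($domain -eq $Name) { return $true }
        # A wildcard entry (*.example.com) covers exactly one additional label
        if ($domain.StartsWith('*.') -and $Name -like "*$($domain.Substring(1))" -and
            $Name.Split('.').Count -eq $domain.Split('.').Count) { return $true }
    }
    return $false
}

# Only valid certificates enabled for SMTP can be offered on STARTTLS
$smtpCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' -and "$($_.Status)" -eq 'Valid' })

Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    $pinned = "$($rc.TlsCertificateName)"
    # A pinned name must equal <I>Issuer<S>Subject of an installed SMTP certificate
    $pinnedOk = (-not $pinned) -or
        (@($smtpCerts | Where-Object { "<I>$($_.Issuer)<S>$($_.Subject)" -eq $pinned }).Count -gt 0)
    $covering = @($smtpCerts | Where-Object { Test-CertCoversName $_ "$($rc.Fqdn)" })
    [pscustomobject]@{
        Connector         = "$($rc.Identity)"
        Fqdn              = "$($rc.Fqdn)"
        PinnedCertUsable  = $pinnedOk
        CertsCoveringFqdn = ($covering | ForEach-Object { $_.Thumbprint }) -join ', '
    }
} | Format-Table -AutoSize

# Pin a chosen certificate to the connector named on the page.
# The thumbprint is a placeholder; -WhatIf previews without changing anything.
$thumbprint = '<THUMBPRINT-PLACEHOLDER>'
$cert = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $thumbprint }
if ($cert) {
    Set-ReceiveConnector 'VX01\Default Frontend VX01' `
        -TlsCertificateName "<I>$($cert.Issuer)<S>$($cert.Subject)" -WhatIf
}
```

A connector with `PinnedCertUsable` false and an empty `CertsCoveringFqdn` column is the combination that produces the certificate-not-found condition described in the question.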
Mandy_Author Commented:
The certificate is the root-cert of the internal CA but is not an Exchange certificate
Mandy_Author Commented:
Jian An Lim (Solutions Architect) Commented:
provide script to solve this issue
Question has a verified solution.
