Louis Bourekas
Certificates in Exchange 2019 EAC not loading

I have recently installed Exchange 2019 in a virtual environment, and although mail flow is working, I'm unable to install any certificates, as whenever I click on Certificates in EAC I get the following error:
"Your request couldn't be completed. Please try again in a few minutes". Upon further investigation, I have found the following in Event Viewer:

Log Name:      Application
Source:        MSExchange Control Panel
Date:          8/05/2020 11:14:55 AM
Event ID:      5
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FPX2019-01.abc123.localv2
Description:
Current user: 'abc123.localv2/Users/Administrator'
Web service call 'https://fpx2019-01.abc123.localv2:444/ecp/DDI/DDIService.svc/GetList?ActivityCorrelationID=e2249fc8-d046-2623-4ae1-0a2e71e4f055&schema=CertificateServices&msExchEcpCanary=KNvcZj-rAEy6Bqd8FEECJvBDxd_p8tcIPRPdnTVZJeEqZNNtyk-32qR6YFOK9AUIzOu0QUZKmsg.(https://localhost/ecp/DDI/DDIService.svc/GetList?ActivityCorrelationID=e2249fc8-d046-2623-4ae1-0a2e71e4f055&schema=CertificateServices&msExchEcpCanary=KNvcZj-rAEy6Bqd8FEECJvBDxd_p8tcIPRPdnTVZJeEqZNNtyk-32qR6YFOK9AUIzOu0QUZKmsg.)' failed with the following error:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ArgumentOutOfRangeException: The added or subtracted value results in an un-representable DateTime.
Parameter name: value
   at System.DateTime.AddTicks(Int64 value)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneRuleGroup.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.FindLeastBiasForLocalTime(DateTime dateTime, TimeSpan& bestBias)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime..ctor(ExTimeZone desiredTimeZone, DateTime dateTime)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime.op_Explicit(DateTime dateTime)
   at Microsoft.Exchange.Management.DDIService.CertificateHelper.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.Exchange.Management.DDIService.Activity.DoPostRun(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind)
   at Microsoft.Exchange.Management.DDIService.Workflow.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)
   at Microsoft.Exchange.Management.DDIService.WSListDataHandler.ExecuteCore(Workflow workflow)
   at Microsoft.Exchange.Management.DDIService.WSDataHandler.Execute()
   at Microsoft.Exchange.Management.DDIService.DDIServiceHelper.GetListCommon(DDIParameters filter, SortOptions sort, Boolean forGetProgress)
   at Microsoft.Exchange.Management.DDIService.DDIService.GetList(DDIParameters filter, SortOptions sort)
   at SyncInvokeGetList(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.Exchange.Management.DDIService.Activity.DoPostRun(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind)
   at Microsoft.Exchange.Management.DDIService.Workflow.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)
   at Microsoft.Exchange.Management.DDIService.WSListDataHandler.ExecuteCore(Workflow workflow)
   at Microsoft.Exchange.Management.DDIService.WSDataHandler.Execute()
   at Microsoft.Exchange.Management.DDIService.DDIServiceHelper.GetListCommon(DDIParameters filter, SortOptions sort, Boolean forGetProgress)
   at Microsoft.Exchange.Management.DDIService.DDIService.GetList(DDIParameters filter, SortOptions sort)
   at SyncInvokeGetList(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

System.ArgumentOutOfRangeException: The added or subtracted value results in an un-representable DateTime.
Parameter name: value
   at System.DateTime.AddTicks(Int64 value)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneRuleGroup.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.FindLeastBiasForLocalTime(DateTime dateTime, TimeSpan& bestBias)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime..ctor(ExTimeZone desiredTimeZone, DateTime dateTime)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime.op_Explicit(DateTime dateTime)
   at Microsoft.Exchange.Management.DDIService.CertificateHelper.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)
   at System.DateTime.AddTicks(Int64 value)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneRuleGroup.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.GetRuleForUtcTime(DateTime utcDateTime)
   at Microsoft.Exchange.ExchangeSystem.ExTimeZoneInformation.FindLeastBiasForLocalTime(DateTime dateTime, TimeSpan& bestBias)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime..ctor(ExTimeZone desiredTimeZone, DateTime dateTime)
   at Microsoft.Exchange.ExchangeSystem.ExDateTime.op_Explicit(DateTime dateTime)
   at Microsoft.Exchange.Management.DDIService.CertificateHelper.GetListPostAction(DataRow inputRow, DataTable dataTable, DataObjectStore store)

Can anyone assist in resolving this?
Amit

I found this KB: https://ucsteps.com/2019/02/14/event-id-5-msexchange-control-panel/

Check if this helps.

This was occurring because the computer object was added to a group that is denying this key/token: ms-Exch-EPI-Token-Serialization.
As Microsoft said, the following groups have the token denied by default:
Domain Admins
Schema Admins
Enterprise Admins
Organization Management

Louis Bourekas

ASKER

Running the suggested script doesn't work. I get the following error:

At line:1 char:28
+ Get-ADPermission -Identity <ExchangeComputerObject> | where {($_.Exte ...
+                            ~
The '<' operator is reserved for future use.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : RedirectionNotSupported

I have also found that my Exchange server has been added to the following groups:

 The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        System Mandatory Level
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        FPX2019-01$
        $C31000-V84GKA9FI2IN
        Domain Controllers
        Exchange Trusted Subsystem
        Managed Availability Servers
        Exchange Servers
        Exchange Windows Permissions
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        Authentication authority asserted identity
        Denied RODC Password Replication Group

Any other ideas?
Is your Exchange server running on a domain controller?

Also, you ran the command as you copied it; you need to change it to include your server name:

Get-ADPermission -Identity "YOUR_SERVER_NAME" | where {($_.ExtendedRights -like "ms-Exch-EPI-Token-Serialization") -and ($_.Deny -like "True")} | ft -autosize User,ExtendedRights
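As an added diagnostic (not from this thread or its linked KB), the one-liner above extended into a script that also resolves whether the account used to log in to EAC is nested in any of the denied groups, and whether the server is a domain controller, which is the question raised just above. It assumes the Exchange Management Shell plus the ActiveDirectory module, and $Server and $User are placeholders to replace.

```powershell
# Added diagnostic (not from the thread): list the principals denied
# ms-Exch-EPI-Token-Serialization on an Exchange server object, check whether
# the EAC login account is (directly or via nesting) in one of them, and flag
# the unsupported Exchange-on-a-DC layout. $Server and $User are assumed values.
Import-Module ActiveDirectory

$Server = 'EXCH01'          # assumed: Exchange server computer name
$User   = $env:USERNAME     # assumed: the account used to sign in to EAC

# 1. Every explicit Deny of the token-serialization extended right, as DOMAIN\Name.
$denied = Get-ADPermission -Identity $Server |
    Where-Object { $_.Deny -and $_.ExtendedRights -like 'ms-Exch-EPI-Token-Serialization' } |
    ForEach-Object { $_.User.ToString() } |
    Sort-Object -Unique

Write-Host "Principals denied ms-Exch-EPI-Token-Serialization on ${Server}:"
$denied | ForEach-Object { Write-Host "  $_" }

# 2. The user's group memberships including nested ones, resolved with the
#    LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941).
$userDn = (Get-ADUser -Identity $User).DistinguishedName
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    Select-Object -ExpandProperty SamAccountName

# Deny entries are reported as DOMAIN\Group; compare on the group name only.
$hits = $denied | Where-Object { ($_ -split '\\')[-1] -in $groups }
if ($hits) {
    Write-Warning "$User is a member of denied group(s): $($hits -join ', ')."
    Write-Warning 'EAC requests made by this account will fail, because token serialization is denied to these groups.'
} else {
    Write-Host "$User is not in any group that is denied the right."
}

# 3. A primary group RID of 516 (Domain Controllers) means the server is a DC,
#    the layout the thread identifies as the underlying problem.
$pgid = (Get-ADComputer -Identity $Server -Properties PrimaryGroupID).PrimaryGroupID
if ($pgid -eq 516) {
    Write-Warning "$Server is a domain controller; running Exchange on a DC is not supported."
}
```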
Yes, it is on a domain controller.

I'll retry the script and see.
OK, so I have re-run the script, and now I'm getting this:

User                                  ExtendedRights
----                                  --------------
abc123\Domain Admins           {ms-Exch-EPI-Token-Serialization}
abc123\Schema Admins           {ms-Exch-EPI-Token-Serialization}
abc123\Enterprise Admins       {ms-Exch-EPI-Token-Serialization}
abc123\Organization Management {ms-Exch-EPI-Token-Serialization}
abc123\Domain Admins           {ms-Exch-EPI-Token-Serialization}
abc123\Schema Admins           {ms-Exch-EPI-Token-Serialization}
abc123\Enterprise Admins       {ms-Exch-EPI-Token-Serialization}
abc123\Organization Management {ms-Exch-EPI-Token-Serialization}
abc123\Domain Admins           {ms-Exch-EPI-Token-Serialization}
abc123\Schema Admins           {ms-Exch-EPI-Token-Serialization}
abc123\Enterprise Admins       {ms-Exch-EPI-Token-Serialization}
abc123\Organization Management {ms-Exch-EPI-Token-Serialization}

Not sure what to do from here. Do I need to look into each of the security groups listed in my previous post and remove any of the above users? Will this screw up anything else?
Can anyone help with this?
Thank you. So should I set up another server as a member server, then install Exchange 2019 on that, then remove Exchange from the domain controller?
Or should I set up another DC, then demote the server Exchange is on?
It is a bit tricky, as you have a DC running and you cannot bring down your DC. Follow this:

1) Set up one more DC. Move the FSMO roles to the new DC.
2) Then remove Exchange from this server. Keep the second DC as well; it is always advisable to have two DCs, for HA.
3) Then install a new member server and join it to the domain. Install Exchange Server on the new member server and follow the other steps related to Exchange.

Note: Use the above steps if you don't have user mailboxes on the current Exchange server. If you have users and Exchange is in production, the steps will be different.
So Exchange cannot be installed on a member server, mailboxes transferred (only a few), then Exchange uninstalled?
ASKER CERTIFIED SOLUTION
Amit