Categories
blog exchange howto server windows

SBS: complete certificate request error

So you created a certificate request with the SBS wizard and now want to complete it by running the wizard again and importing the CRT file you received from your provider, but you get an error:

The imported certificate does not match your web site

If you look in the detailed log file named TrustedCert.log, located at "C:\program files\Windows Small Business Server\Logs", you may find an error referring to an ASN1 bad tag:

An exception of type ‘Type: System.Runtime.InteropServices.COMException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ has occurred.
Timestamp: 07/10/2019 11:04:25
Message: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)
Stack: at Microsoft.WindowsServerSolutions.CERTENROLLLib.Interop.CX509EnrollmentClass.InstallResponse(InstallResponseRestrictionFlags Restrictions, String strResponse, EncodingType Encoding, String strPassword)
at Microsoft.WindowsServerSolutions.CoreNetworking.CertificateProvider.InstallCertResponse(Byte[] certificateBytes)

Luckily you can manually import the certificate and restore the necessary private key from the request using the instructions below.

  1. Open a Microsoft Management Console (mmc) as administrator.
  2. Add the "Certificates" snap-in and select Computer account.
  3. Go to Personal – Certificates, right-click and select All Tasks – Import.
  4. Import the CRT file you received from the provider.
  5. Refresh the certificates list. The certificate is now present, but without a private key.
  6. Double-click the certificate, go to the Details tab and copy the serial number. It should look something like: 1e 71 cb 7a ….
  7. Open a CMD prompt with administrator rights and run the following command: certutil -repairstore my "<serialnumber>"
    Where <serialnumber> is the value from step 6, i.e. 1e 71 cb 7a ….
  8. Refresh the certificate list in the MMC snap-in; the certificate should now show the key icon because the private key is present.
  9. I suggest you make an export with the private key and extended properties and store it in a safe place for later use.
  10. I tried the import certificate wizard in the SBS console again and selected the CRT file; it still failed, but now the certificate was configured and OWA was working again with the new certificate.
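The same repair, scripted. This is an added example and not part of the original post: it imports the CRT into the computer's Personal store (steps 2 to 4), checks whether the private key from the request was re-associated, and only if it was not runs the certutil -repairstore command from step 7 with the certificate's own serial number, then verifies the result. It assumes the request was generated on this machine (so the private key still exists in the local key store) and that you run it from an elevated PowerShell prompt; the CrtPath parameter name is mine.

```powershell
# Added example (not from the original post). Imports a CRT into the computer's
# Personal store, checks whether the private key from the SBS request was
# re-associated, and runs "certutil -repairstore my <serial>" if not.
# Assumptions: the request was generated on this machine, so the matching
# private key still exists in the local key store; run from an elevated shell.
param(
    [Parameter(Mandatory = $true)]
    [string]$CrtPath   # path to the .crt file received from the provider
)

Add-Type -AssemblyName System.Security

# Load the certificate from disk (public part only at this point).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CrtPath
Write-Host ("Subject    : {0}" -f $cert.Subject)
Write-Host ("Serial     : {0}" -f $cert.SerialNumber)
Write-Host ("Thumbprint : {0}" -f $cert.Thumbprint)

# Steps 2-4 of the post: add it to LocalMachine\My (the "Personal" store).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

function Get-StoreCert([string]$Thumbprint) {
    # Re-read from the store so HasPrivateKey reflects the current key binding.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

$installed = Get-StoreCert $cert.Thumbprint
if (-not $installed.HasPrivateKey) {
    # Steps 6-7 of the post: certutil locates the key by serial number and
    # re-links it to the certificate (this is the "repair").
    Write-Host "No private key bound; running certutil -repairstore ..."
    & certutil.exe -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }
    $installed = Get-StoreCert $cert.Thumbprint
}

if ($installed.HasPrivateKey) {
    Write-Host "OK: certificate has a private key (the key icon will show in the MMC)."
} else {
    Write-Warning "Still no private key: the request was probably not generated on this machine."
}
```

Run it as `.\Repair-SbsCert.ps1 -CrtPath C:\path\to\received.crt`. The serial number is passed without spaces; certutil accepts either form. If the final check still reports no private key, the pending request was made elsewhere and there is nothing on this server for certutil to re-link.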

References:
https://support.microsoft.com/nl-nl/help/2351321/not-able-to-install-trusted-certificate-on-sbs2008
https://knowledge.digicert.com/solution/SO22327.html

Categories
blog exchange howto server windows

Exchange database dirty shutdown recovery JET_errLogFileSizeMismatch error -541

Warning: This is a technical article describing steps that you should only execute if you are familiar with the matter and confident about it.

Error information:
Below is some error information that you might have seen, and that is probably why your search led you here.

eseutil /ML "L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log"
Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating FILE DUMP mode…
Base name: E02
Log file: L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log
ERROR: Cannot read log file header. Error -541.
Operation terminated with error -541 (JET_errLogFileSizeMismatch, actual log file size does not match JET_paramLogFileSize) after 0.16 seconds.

eseutil /r "L:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\E02.log"
Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating RECOVERY mode…
Logfile base name: E02

Performing soft recovery…
Operation terminated with error -541 (JET_errLogFileSizeMismatch, actual log file size does not match JET_paramLogFileSize) after 0.31 seconds.

Solution:
If at all possible, make a backup or a copy of the database before you manipulate it! Transaction log files are critical for the database; they are not just informational files that you can delete!

If the disk where the log files of your Exchange database reside has run out of space, you can end up with a corrupt log file. When you then try to perform a soft recovery with eseutil /r and the path to your E0?.log file (in my case E02.log), you get an error about the header information and a size mismatch. The E0?.log file is the current transaction log file that Exchange was writing to when the disk ran out of space. This file is now corrupt, and any transactions in it that were not yet applied to the database will be lost.

All other, older log files carry a hexadecimal sequence number in their name, such as E0?00E475A.log and so on. You can check which log files are required for the database to perform a soft recovery by reading the header information of the database in question as follows:

eseutil /mh "F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2\DB-MBBX2.edb"
(replace the path and filenames with those of your database)

In the wealth of information returned you will see a line stating the state of the database, which will be Dirty Shutdown. (If it is Clean Shutdown, then you do not need to perform a recovery.) Below the state is the line Log Required, which lists the log generations needed:

Log Required: 190299-190336 (0x2e75b-0x2e780)

In my case the database needs the files from E020002E75B.log up to E020002E780.log (this is the hex sequence). Older log files can be moved to a different disk if you need to free some space. Be careful: don't delete them, and sorting these files in Explorer is not easy; you can't do it by name because of the hex sequence, and by date/time is not foolproof. So double-check, or just expand the disk and leave all log files as they are.

To perform the recovery we first have to move the corrupt E02.log file to another folder or disk. Once the corrupt file is out of the way and you are 100% sure that all the other required log files (see the section above) are present, we can perform a soft recovery with the /a option, which skips missing log files, and bring the database back to a clean state.
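Being "100% sure" that every required log is present is exactly the kind of thing worth checking with a script rather than by eye in Explorer. The following is an added example, not part of the original post: it parses the State and Log Required lines from the eseutil /mh output, builds the expected file name for every generation in the range (Exchange 2013 naming, base name plus eight hex digits, e.g. E020002E75B.log), reports which ones are missing, and classifies the remaining numbered logs as older (candidates to move elsewhere) or newer (must stay). The function name and parameters are mine; the demonstration at the bottom uses a constructed header and a temporary folder so it runs offline, and the comment shows how to feed it real eseutil output.

```powershell
# Added example (not from the original post): checks that every log file in the
# "Log Required" range from "eseutil /mh" is present before you attempt
# "eseutil /r /a", and classifies the other logs as older (safe to move) or newer.
# Assumptions: Exchange 2013-style names <base><8 hex digits>.log (e.g. E020002E75B.log);
# the header text comes from "eseutil /mh <db.edb> | Out-String" on the real server.
function Get-LogRequiredStatus {
    param(
        [Parameter(Mandatory = $true)][string]$HeaderText, # output of eseutil /mh
        [Parameter(Mandatory = $true)][string]$LogFolder,  # folder holding E0?xxxxxxxx.log
        [Parameter(Mandatory = $true)][string]$BaseName    # e.g. E02
    )

    $state = if ($HeaderText -match 'State:\s*(.+?)\r?\n') { $Matches[1].Trim() } else { 'unknown' }

    # Line looks like: "Log Required: 190299-190336 (0x2e75b-0x2e780)"
    if (-not ($HeaderText -match 'Log Required:\s*(\d+)-(\d+)')) {
        throw 'No "Log Required" line found in the header text'
    }
    $first = [int]$Matches[1]; $last = [int]$Matches[2]

    $required = @(); $missing = @()
    for ($gen = $first; $gen -le $last; $gen++) {
        $name = '{0}{1:X8}.log' -f $BaseName, $gen     # hex generation, zero-padded to 8
        $required += $name
        if (-not (Test-Path (Join-Path $LogFolder $name))) { $missing += $name }
    }

    # Every other numbered log in the folder is either older than the range
    # (candidate to move to another disk) or newer (must stay).
    $older = @(); $newer = @()
    Get-ChildItem -Path $LogFolder -Filter "$BaseName*.log" | ForEach-Object {
        if ($_.BaseName -match "^$BaseName([0-9A-Fa-f]{8})$") {
            $gen = [Convert]::ToInt32($Matches[1], 16)
            if ($gen -lt $first) { $older += $_.Name } elseif ($gen -gt $last) { $newer += $_.Name }
        }
    }

    [pscustomobject]@{
        State         = $state
        RequiredRange = '{0}-{1} (0x{2:x}-0x{3:x})' -f $first, $last, $first, $last
        Missing       = $missing
        OlderLogs     = $older
        NewerLogs     = $newer
        SafeToRecover = ($state -eq 'Dirty Shutdown' -and $missing.Count -eq 0)
    }
}

# Offline demonstration with a constructed header and a temporary log folder.
$sampleHeader = "State: Dirty Shutdown`r`nLog Required: 190299-190336 (0x2e75b-0x2e780)`r`n"
$tmp = Join-Path $env:TEMP ('eselogs-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
foreach ($gen in 0x2E75A..0x2E781) {
    New-Item -ItemType File -Path (Join-Path $tmp ('E02{0:X8}.log' -f $gen)) | Out-Null
}
Remove-Item (Join-Path $tmp 'E020002E760.log')     # simulate one missing required log

$result = Get-LogRequiredStatus -HeaderText $sampleHeader -LogFolder $tmp -BaseName 'E02'
$result | Format-List
Remove-Item $tmp -Recurse -Force

# Real use on the server:
# Get-LogRequiredStatus -HeaderText (eseutil /mh "F:\...\DB-MBX2.edb" | Out-String) `
#                       -LogFolder "L:\...\DB-MBX2" -BaseName E02
```

In the demonstration the output lists E020002E760.log as missing and SafeToRecover as False; E020002E75A.log shows up under OlderLogs and E020002E781.log under NewerLogs. Only when Missing is empty and the state is Dirty Shutdown does it make sense to move E02.log aside and run the /r /a command below. The script needs PowerShell 3.0 or later for [pscustomobject], which any Exchange 2013 server has.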

eseutil /r /a E02 /l "l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2" /s "l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2" /d "F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2"
(change the names and paths to your situation)

/r is soft recovery
/a is skip missing logfile
E02 is the base name of the log files; this depends on the database and could be E01, E02, E03 …
/l is for the log files location (where E02.log and other E02xxxx.log files reside)
/s is for the system files location (where E02.chk resides)
/d is for the database files location (where DB-MBX2.edb resides)

Output will be like this:

eseutil /R /a E02 /l “l:\Program Files\Microsoft\Exchange Server\V15\Mailbox
\DB-MBX2” /s “l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2” /d
“F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2”

Extensible Storage Engine Utilities for Microsoft(R) Exchange Server Version 15.00
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating RECOVERY mode…
Logfile base name: E02
Log files: l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
System files: l:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
Database Directory: F:\Program Files\Microsoft\Exchange Server\V15\Mailbox\DB-MBX2
Performing soft recovery…
Restore Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|—-|—-|—-|—-|—-|—-|—-|—-|—-|—-|
……………………………………………

Operation completed successfully in 3.635 seconds.

The database is now clean, you can check again with eseutil /mh as we did before and see the state listed as Clean Shutdown.

If you want to quickly clean up log files that are no longer needed, perform an Exchange-aware backup. If you don't have one and you understand the consequences, you can enable circular logging on the database.

Good Luck!

Categories
blog exchange howto server windows

Outlook 2013 sync problems and message that Administrator has made a change

This post describes a problem I recently experienced when migrating from Exchange 2007 to Exchange 2013. Outlook 2013 clients would continuously pop up a message about the administrator having made changes that require a restart of Outlook. Folder synchronization also fails: you see new messages arrive in your Inbox only to disappear again after a second, then come back, and so on.

The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook

outlook error synchronizing folder [0-0]

These problems started occurring right after the old public folder database was deleted on the Exchange 2007 server. I only noticed it after I had already uninstalled the Exchange 2007 server completely. Why only Outlook 2013 has this problem I don’t know, but here is what’s wrong.

On the mailbox database(s) on your new Exchange server there is still a value pointing to the OLD public folder database, which has now been deleted.
You need to fix this using Adsiedit.msc.
Go to:

Configuration >CN=Services > CN=Microsoft Exchange > CN=Your Organisation > CN=Administrative Groups > CN=Exchange Administrative Group > CN=Databases

For each mailbox database, right-click, open the properties and check the attribute "msExchHomePublicMDB". You will see that its value points to "CN=Public Folder Database*,CN=Deleted Objects,CN=Configuration,DC=YourDomain,DC=com", the old object for the public folder database that has been deleted. You must clear this value using the Clear button so that it changes to "not set"; just emptying the value won't work. Then restart the Microsoft Exchange Information Store service or reboot the Exchange server, and the problem should be solved.
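With several mailbox databases it is easy to miss one in ADSI Edit, so here is the same check scripted. This is an added example, not from the original post: it enumerates the mailbox database objects (class msExchPrivateMDB) in the Configuration partition, prints each msExchHomePublicMDB value and flags any that point into CN=Deleted Objects. With the -Clear switch it removes the attribute the way the ADSI Edit Clear button does, using ADS_PROPERTY_CLEAR through PutEx rather than writing an empty string, which is the distinction the post makes. It assumes you run it as an Exchange/AD administrator on a domain-joined machine; the switch name is mine.

```powershell
# Added example (not from the original post): finds mailbox databases whose
# msExchHomePublicMDB still points at a deleted public folder database and,
# with -Clear, removes the attribute the way the ADSI Edit "Clear" button does
# (ADS_PROPERTY_CLEAR via PutEx, not an empty string). Assumes you run it as
# an Exchange/AD administrator on a domain-joined machine.
param([switch]$Clear)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext

# Mailbox databases are msExchPrivateMDB objects under the Configuration partition.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = '(objectClass=msExchPrivateMDB)'
[void]$searcher.PropertiesToLoad.Add('msExchHomePublicMDB')
[void]$searcher.PropertiesToLoad.Add('name')

foreach ($result in $searcher.FindAll()) {
    $name = [string]$result.Properties['name'][0]

    if (-not $result.Properties.Contains('msexchhomepublicmdb')) {
        Write-Host ("{0}: msExchHomePublicMDB not set" -f $name)
        continue
    }
    $home = [string]$result.Properties['msexchhomepublicmdb'][0]

    # The symptom from the post: the DN points into the Deleted Objects container.
    $dangling = $home -match 'CN=Deleted Objects,'
    $flag = if ($dangling) { '  <-- DELETED OBJECT' } else { '' }
    Write-Host ("{0}: {1}{2}" -f $name, $home, $flag)

    if ($dangling -and $Clear) {
        $db = $result.GetDirectoryEntry()
        $ADS_PROPERTY_CLEAR = 1                     # ADS_PROPERTY_OPERATION_ENUM value
        $db.PutEx($ADS_PROPERTY_CLEAR, 'msExchHomePublicMDB', $null)
        $db.SetInfo()
        Write-Host ("{0}: cleared msExchHomePublicMDB (now restart the Information Store service)" -f $name)
    }
}
```

Run it once without -Clear to see the state of every database, then with -Clear to fix the dangling ones; databases whose value already reads "not set" are left alone. The Information Store restart (or reboot) from the post is still needed afterwards, since the store caches the value.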

Categories
blog exchange server windows

Outlook Web Access OWA error 500 when logging in

When you fill in your credentials on the login screen of Outlook Web Access (OWA 2010) and click Submit, you receive an Internal Server Error 500 and the URL shows /owa/auth.owa.

There are no events logged in Application or System log that explain this problem.

IISreset does not help.

The problem and solution could be very simple:
Check that the service "Microsoft Exchange Forms-Based Authentication service" is started. If not, start the service and try to log in to OWA again; the problem should be solved.

If the service doesn’t start or fails frequently you’ll have to investigate that further.

Categories
exchange network server windows

Uninstall Exchange 2010 on crippled 2008 R2 DC (SBS2011)

FASTTRACK ARTICLE

Exchange 2010 was installed on a domain controller; it was actually a Small Business Server 2011. Something happened to the AD database, and the backup was not good. The server would only boot into AD restore mode.

In AD restore mode we could log in using domain credentials, because the other DC (the backup) was providing logon and authentication. We could even start a whole bunch of services, including the Exchange services. We seized the roles on our other DC so that users would be able to log on without issues. In the following days we prepared to move the mailboxes away, in our case to Office 365 in the cloud.
After that was done we followed the steps to remove the last Exchange server, including disconnecting all mailboxes from AD users, removing public folders and so on. On the final step, the uninstall of Exchange, it would not continue, stating that the server was pending a reboot:
"A reboot from a previous installation is pending. Please restart the system and then rerun Setup."
Restarting did not help of course, because we could only boot into directory services restore mode.
So I had to find a way to fix the AD.

1) Checking the AD database (ntds.dit) from restore mode:
Open a CMD command prompt (as Administrator);
execute the command: ntdsutil
at the prompt type: activate instance ntds
at the prompt type: files

A] If you get an error about corruption ->
Move all the .log files in C:\windows\ntds\ to another directory (desktop perhaps);
Open a new CMD command prompt (As Administrator);
execute command: ESENTUTL.EXE /p C:\windows\ntds\ntds.dit
execute command: ESENTUTL.EXE /g C:\windows\ntds\ntds.dit
Try the files command again in the open ntdsutil command prompt.

B] If you get an error about the database being in the recovered state ->
Open a new CMD command prompt (as Administrator);
execute command: ESENTUTL.EXE /g C:\windows\ntds\ntds.dit
The integrity check should report that all is normal; otherwise see step A.
Reboot the computer and set the date in the BIOS back a couple of months, or to before the backup date if you tried an AD restore. Or set it a year back or so if you are unsure. Try to boot in normal mode. Normally it should boot up, but it could take a while; change the date/time back to the correct values once it has booted.

2) Replication and authentication to other domain controllers
If you have other domain controllers to replicate to, you will probably need to change BurFlags for a non-authoritative restore (to fix NTFRS corruption on SYSVOL), and first reset the machine account password for the secure channel to the other domain controllers. See this post: http://ares.gobien.be:8080/2013/07/sync-issues-krb_ap_err_modified-0x80090322-target-principal-name-incorrect/

3) Now you can either try to fix everything further or go ahead and uninstall Exchange. Try the uninstall the normal way first.
If you get errors about the state of the Active Directory, try it like this:
Open a new CMD command prompt (as Administrator);
execute command: cd %programfiles%\Microsoft\Exchange Server\v14\bin
execute command: setup.com /m=uninstall /dc:otherdc.domain.local

Make sure the server is still in the "Exchange Servers" security group.
Make sure there are no entries in the hosts file for your DCs, because they can also trigger the following error:
Setup encountered a problem while validating the state of Active Directory: ‘server.domain.local’ isn’t a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: ‘SERVER’.
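The three things the post says to verify before running setup.com /m=uninstall /dc:... can be checked in one go. This is an added example and not part of the original post: it confirms the /dc: value is a resolvable FQDN, scans the hosts file for lines that mention that DC or this server (the cause of the "isn't a fully qualified domain name" error above), and reads this computer's group memberships from AD to confirm it is still in "Exchange Servers". It assumes a domain-joined server run elevated; otherdc.domain.local is the post's placeholder, and the parameter name is mine.

```powershell
# Added example (not from the original post): pre-flight checks for
# "setup.com /m=uninstall /dc:<otherdc>" on a domain controller, covering the
# three things the post says to verify: the target DC is reachable by FQDN,
# no hosts-file entries shadow your DCs, and this server is still a member of
# the "Exchange Servers" group. Assumptions: domain-joined, run elevated;
# the DC name is a placeholder you replace.
param([string]$TargetDc = 'otherdc.domain.local')   # placeholder, replace

$problems = @()

# 1. The /dc: value must resolve as a fully qualified name.
if ($TargetDc -notmatch '\.') { $problems += "'$TargetDc' is not an FQDN" }
try   { [void][System.Net.Dns]::GetHostEntry($TargetDc) }
catch { $problems += "cannot resolve $TargetDc" }

# 2. Static hosts entries for DCs bypass DNS and can make setup see a short name;
#    flag any active line that mentions the target DC's short name or this computer.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$me    = $env:COMPUTERNAME
$short = [regex]::Escape($TargetDc.Split('.')[0])
Get-Content $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_ -match '\S' } | ForEach-Object {
    if ($_ -match $short -or $_ -match [regex]::Escape($me)) {
        $problems += "hosts file entry: '$_'"
    }
}

# 3. Membership of the "Exchange Servers" group, read straight from AD.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + [string]$rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectClass=computer)(sAMAccountName=$me`$))"
[void]$searcher.PropertiesToLoad.Add('memberOf')
$computer = $searcher.FindOne()
$groups   = @()
if ($computer -and $computer.Properties.Contains('memberof')) {
    $groups = @($computer.Properties['memberof'] | ForEach-Object { [string]$_ })
}
if (-not ($groups -match '^CN=Exchange Servers,')) {
    $problems += "$me is not a member of the Exchange Servers group"
}

if ($problems.Count -eq 0) {
    Write-Host "Pre-flight OK; you can run: setup.com /m=uninstall /dc:$TargetDc"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The group check only reports direct membership, which is how Exchange setup adds the computer account; nested membership would not satisfy setup either. If the AD query itself fails in directory services restore mode, that is the same condition the post fixes in steps 1 and 2 first.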

Happy uninstalling!

Log excerpt:

[12/31/2014 08:27:56.0273] [1] Active Directory session settings for 'Get-ExchangeServer' are: View Entire Forest: 'True', Configuration Domain Controller: 'SRV-APP1.contoso.com', Preferred Global Catalog: 'SRV-APP1.contoso.com', Preferred Domain Controllers: '{ SRV-APP1.contoso.com }'
[12/31/2014 08:27:56.0273] [1] Beginning processing Get-ExchangeServer -Identity:'SBS2011'
[12/31/2014 08:27:56.0273] [1] Searching objects "SBS2011" of type "Server" under the root "$null".
[12/31/2014 08:27:56.0273] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 08:27:56.0273] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 08:27:56.0273] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 08:27:56.0273] [1] Ending processing Get-ExchangeServer
[12/31/2014 08:27:56.0491] [1] [REQUIRED] There is a pending reboot from a previous installation of a Windows Server 2008 role or feature. Please restart the system and rerun Setup.
[12/31/2014 08:27:56.0523] [1] Ending processing test-setuphealth
[12/31/2014 08:27:56.0538] [0] **************

[12/31/2014 08:28:01.0312] [1] Ending processing Get-ExchangeServer
[12/31/2014 08:28:01.0702] [1] [REQUIRED] There is a pending reboot from a previous installation of a Windows Server 2008 role or feature. Please restart the system and rerun Setup.
[12/31/2014 08:28:01.0702] [1] Ending processing test-setuphealth
[12/31/2014 08:34:16.0514] [0] End of Setup

[12/31/2014 10:17:29.0782] [1] Ending processing Get-ExchangeServer
[12/31/2014 10:17:30.0047] [1] [REQUIRED] Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is installed.
[12/31/2014 10:17:30.0047] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on SBS2011.contoso.com. The supplied credential for 'CONTOSO\Administrator' is invalid.

[REQUIRED] Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on SBS2011.contoso.com. The supplied credential for 'CONTOSO\Administrator' is invalid.

[12/31/2014 10:53:05.0881] [1] Searching objects "SBS2011" of type "Server" under the root "$null".
[12/31/2014 10:53:05.0897] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:53:05.0897] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:53:05.0897] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 10:53:05.0912] [1] Ending processing Get-ExchangeServer
[12/31/2014 10:53:06.0287] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: 'SBS2011.contoso.com' isn't a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: 'SBS2011'.
[12/31/2014 10:53:06.0318] [1] Ending processing test-setuphealth

[12/31/2014 10:54:32.0491] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:54:32.0491] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:54:32.0491] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 10:54:32.0491] [1] Ending processing Get-ExchangeServer
[12/31/2014 10:54:33.0043] [1] [REQUIRED] Active Directory does not exist or cannot be contacted.
[12/31/2014 10:54:33.0043] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: 'SBS2011.contoso.com' isn't a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: 'SBS2011'.
[12/31/2014 10:54:33.0043] [1] Ending processing test-setuphealth

[12/31/2014 10:56:00.0320] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:56:00.0320] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 10:56:00.0320] [1] Ending processing get-EdgeSubscription
[12/31/2014 10:56:00.0574] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: 'SBS2011.contoso.com' isn't a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: 'SBS2011'.
[12/31/2014 10:56:00.0670] [1] Ending processing test-se

[12/31/2014 12:31:07.0542] [1] Previous operation run on domain controller 'SVR-DC1.contoso.com'.
[12/31/2014 12:31:07.0542] [1] Previous operation run on domain controller 'SVR-DC1.contoso.com'.
[12/31/2014 12:31:07.0542] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 12:31:07.0542] [1] Ending processing Get-ExchangeServer
[12/31/2014 12:31:07.0791] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: The user-specified domain controller SRV-APP1 does not exist.

Categories
blog exchange howto server

Exchange 2010 Outlook Anywhere proxy security certificate wildcard *.domain.com

When you use a wildcard certificate in your Exchange 2007 or 2010 environment you can receive an error in Outlook:
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site mail.domain.com.
Outlook is unable to connect to the proxy server (Error code 0)

[Screenshot: Error 1]
Internally, Outlook may connect just fine using the normal RPC-TCP method.
This happens because Outlook checks the name on the certificate for mutual authentication, to ensure you are connecting to the right server. Outlook gets the expected name from the Autodiscover service.
[Screenshot: Error 2]
If you manually change the value to msstd:*.domain.com it works, but Autodiscover will put the other value back in a matter of minutes. Autodiscover assumes a value equal to the external name set on your CAS server (in my case mail.domain.com) and uses that.

To override this behaviour, use the following Exchange shell command:
Set-OutlookProvider EXPR -CertPrincipalName msstd:*.domain.com
After you adjust this, you need to restart the “world wide web publishing” service, because of caching.

You could also disable this mutual authentication, but it's a good security feature, so I wouldn't:
Set-OutlookProvider EXPR -CertPrincipalName none
Remember to restart the World Wide Web Publishing (W3SVC) service here too.

Be aware that when you set $null instead of none Exchange will go back to default behavior and use the external name from the CAS server.
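Because Autodiscover can silently revert the value, a quick way to confirm the setting is to compare it against the names on the certificate IIS actually serves. The following is an added example for the Exchange Management Shell, not part of the original post: it reads the EXPR CertPrincipalName with Get-OutlookProvider, lists the domains of the certificate whose Services include IIS, and reports whether the msstd: name matches one of them literally (a wildcard certificate needs msstd:*.domain.com, not msstd:mail.domain.com, which is the post's point). With -Fix it runs the Set-OutlookProvider command from the post and restarts W3SVC. It assumes Exchange 2010 cmdlets are loaded and that you replace *.domain.com with your wildcard name; the parameter and function names are mine.

```powershell
# Added example (not from the original post): run in the Exchange Management
# Shell. Compares the EXPR CertPrincipalName with the names on the certificate
# that IIS (Outlook Anywhere) presents, so you can see whether Autodiscover has
# reverted the value to the external CAS name. -Fix applies the post's
# Set-OutlookProvider command and restarts W3SVC. Assumes Exchange 2010 cmdlets
# are loaded and that "*.domain.com" is replaced with your wildcard name.
param(
    [string]$WildcardName = '*.domain.com',   # placeholder, replace
    [switch]$Fix
)

$expr      = Get-OutlookProvider EXPR
$principal = [string]$expr.CertPrincipalName
Write-Host "EXPR CertPrincipalName: $principal"

# Certificate bound to IIS: Services contains IIS; CertificateDomains lists CN/SANs.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$domains = @($iisCert.CertificateDomains | ForEach-Object { [string]$_ })
Write-Host ("IIS certificate {0}: {1}" -f $iisCert.Thumbprint, ($domains -join ', '))

function Test-PrincipalMatches([string]$Principal, [string[]]$CertDomains) {
    # The msstd:<name> value is compared literally with the certificate names, so
    # a wildcard certificate needs msstd:*.domain.com, not msstd:mail.domain.com.
    if ($Principal -notmatch '^msstd:(.+)$') { return $false }   # "none" or empty
    return ($CertDomains -contains $Matches[1])
}

if (Test-PrincipalMatches $principal $domains) {
    Write-Host 'OK: CertPrincipalName matches a name on the IIS certificate.'
} elseif ($Fix) {
    Set-OutlookProvider EXPR -CertPrincipalName "msstd:$WildcardName"
    Restart-Service W3SVC     # World Wide Web Publishing service; the value is cached
    Write-Host "Set EXPR CertPrincipalName to msstd:$WildcardName and restarted W3SVC."
} else {
    Write-Warning 'CertPrincipalName does not match the IIS certificate; rerun with -Fix to apply the post''s setting.'
}
```

Running it a few minutes after the fix is a cheap way to confirm the value has stuck and Autodiscover has not put the external CAS name back. A principal of "none" is reported as a mismatch on purpose: the post recommends keeping mutual authentication on.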

reference: http://blogs.technet.com/b/umutg/archive/2011/01/31/all-about-set-outlookprovider.aspx

Categories
blog exchange howto server windows

Exchange missing public folder database after adsiedit changes

I had to use Adsiedit.msc to manually remove the public folder database on an Exchange 2007 server I was trying to uninstall. I already had a new public folder database with all replicas present on my Exchange 2010 server, so I was confident in removing the older Exchange 2007 PF database through Adsiedit. In the meantime I also removed the "First Administrative Group", since this was left over from Exchange 2003.

I then proceeded to uninstall Exchange 2007 without further issues.
I was surprised and horrified to find the Exchange 2010 public folder database missing from the "Database Management" tab under "Organization – Mailbox" in the Exchange 2010 Management Console. I tried various things, such as:
1) Restarting the Information Store
2) Recreating the PF DB with the exact same name, but this gave an error saying there already was a DB with that name.

I ran the Best Practices Analyzer and it told me “Site folder server deleted”. I clicked on the help and it showed me how to fix this.

Open an Active Directory editor, such as ADSI Edit.
Locate the public folder information store that you want to designate as the Site Folder Server. For Exchange Server 2000 through Exchange Server 2007, expand the following nodes in the Configuration container:
CN=Configuration,DC=,DC=com, CN=Services, CN=Microsoft Exchange, CN=, CN=Administrative Groups, CN= CN=Servers, CN=, CN=InformationStore, CN=
For Exchange Server 2010, expand the following nodes in the Configuration container:
CN=Configuration,DC=,DC=com, CN=Services, CN=Microsoft Exchange, CN=, CN=Administrative Groups, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Databases
In the right pane, right-click CN=, and then click Properties.
In the Attributes field, scroll down and select the distinguishedName attribute.
Click Edit, and then copy the entire attribute to the Clipboard.
Expand the Configuration container, and then expand CN=Configuration,CN=,CN=com, CN=Services, CN=Microsoft Exchange, CN=, CN=Administrative Groups
Right-click the administrative group you want to modify, and then click Properties.
In the Attributes field, scroll down and select the siteFolderServer attribute.
Click Edit, and then paste the value for the distinguishedName attribute into the Value field.
Double-check the contents of the Value field to ensure the paste was performed correctly, and then click OK to save the change.
Click OK to close the Administrative Group properties.
Exit the Active Directory editor and restart the Microsoft Exchange Server Information Store service on all Exchange Server computers in the site for the change to take effect.

I reran the BPA and the error was gone, but my PF database was still missing.
After some research on the internet I came across the solution, thanks to "BFTech Impressions".
Specifically, in my case the "msExchOwningPFTree" attribute was empty on my PF database object and needed to be filled with the value of the "distinguishedName" attribute of the Public Folders object under "Folder Hierarchies"; the first two steps were not needed in my case, as those objects were still present.

Here is the link to the article:
http://blog.bruteforcetech.com/archives/766
Please click on the links for detailed instructions and screenshots.

These are his instructions, which I quote here so that the information is not lost should the original disappear.

Here are the instructions to fix it:
Open ADSI Edit, connect to a Domain Controller, change the context to Configuration.

Create the Folder Hierarchies under the Exchange Administrative Group
Navigate to Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ [your organization] ⇒ Administrative Groups ⇒ [your administrative group]
Right click on your administrative group and select New Object
Select msExchContainer as class and click Next
Enter the following as value: Folder Hierarchies, click Next, Finish

Create the Public Folders Tree Object
Right click Folder Hierarchies and select New Object
Select msExchPFTree as class, click Next
Enter the following as value: Public Folders, click Next
Click on More Attributes button, drop down the “select a property to view” list, select msExchPFTreeType and set the attribute to 1 (it should populate into the value field).
Click OK, Finish

Populate the msExchOwningPFTreeBL attribute object of the PF Store
(Tell the Public Folder database where to find the new folder hierarchy you just created)
Double click the newly created “Public Folders” object
Double click distinguishedName, copy the value to the clipboard, click Cancel
Exchange 2007: open properties of Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ [your organization] ⇒ Administrative Groups ⇒ [your administrative group]⇒ Servers ⇒ [your server] ⇒ Information Store
Exchange 2010: open properties of Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ [your organization] ⇒ Administrative Groups ⇒ [your administrative group] ⇒ Databases ⇒ [your Public Folder database]
Double click the msExchOwningPFTree attribute, paste the value that was copied to the clipboard in step 2
Click OK twice
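A read-only check of the wiring the quoted instructions set up, as an added example that is neither part of this post nor of the BFTech article: it searches the Configuration partition for msExchPFTree objects (the "Public Folders" object under "Folder Hierarchies") and reports their msExchPFTreeType, then for every public folder database (class msExchPublicMDB) verifies that msExchOwningPFTree is set and points at one of those trees. An empty or dangling msExchOwningPFTree is exactly the condition that made the database vanish from the console above. It assumes AD read access from a domain-joined machine; the helper function name is mine.

```powershell
# Added example (not from the original post): read-only check of the public
# folder hierarchy wiring. It looks for msExchPFTree objects (expected
# msExchPFTreeType = 1 for the "Public Folders" tree) in the Configuration
# partition, then verifies that every public folder database's
# msExchOwningPFTree points at an existing tree. Assumes AD read access.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext

function Find-ConfigObjects([string]$Filter, [string[]]$Props) {
    # Small wrapper around DirectorySearcher scoped to the Configuration partition.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$configNc"
    $s.Filter = $Filter
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# 1. Public folder trees (the "Public Folders" object under "Folder Hierarchies").
$trees = @{}
foreach ($t in Find-ConfigObjects '(objectClass=msExchPFTree)' @('distinguishedName', 'msExchPFTreeType')) {
    $dn   = [string]$t.Properties['distinguishedname'][0]
    $type = if ($t.Properties.Contains('msexchpftreetype')) { [int]$t.Properties['msexchpftreetype'][0] } else { -1 }
    $trees[$dn] = $type
    $note = if ($type -eq 1) { 'OK (type 1 = public folders)' } else { "unexpected msExchPFTreeType $type" }
    Write-Host "Tree: $dn -> $note"
}
if ($trees.Count -eq 0) {
    Write-Warning 'No msExchPFTree object found: recreate Folder Hierarchies / Public Folders as described above.'
}

# 2. Public folder databases and the tree they claim to be owned by.
foreach ($db in Find-ConfigObjects '(objectClass=msExchPublicMDB)' @('name', 'msExchOwningPFTree')) {
    $name = [string]$db.Properties['name'][0]
    if (-not $db.Properties.Contains('msexchowningpftree')) {
        Write-Warning "$name : msExchOwningPFTree is empty (database will not show up in the console)"
        continue
    }
    $owning = [string]$db.Properties['msexchowningpftree'][0]
    if ($trees.ContainsKey($owning)) {
        Write-Host "$name : owning tree OK ($owning)"
    } else {
        Write-Warning "$name : msExchOwningPFTree points at a missing object: $owning"
    }
}
```

Run it before and after the ADSI Edit changes: the "OK" line for the database is what you want to see before restarting the Information Store service. The hashtable lookup is case-insensitive, so a DN pasted with different capitalisation still matches.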