Archive for the ‘Exchange 2007’ Category

HOWTO Renew the Certificate on Exchange 2007 Edge Transport Server using PowerShell

May 27, 2012

I have a small Exchange Server 2007 deployment with one edge transport server and one client access server. The Edge Transport server certificate had expired and I needed to create another one.

We first get the existing certificate by using the PowerShell command:

Get-ExchangeCertificate

which returns a list of current certificates. I had two certificates so I needed to use:

Get-ExchangeCertificate -thumbprint "your-thumbprint-here"

to get the correct one. After verifying that I had the latest certificate I piped this certificate into the New-ExchangeCertificate command via:

Get-ExchangeCertificate -thumbprint "your-thumbprint-here" | New-ExchangeCertificate

This created a new certificate with an expiry date five years out, but also produced the warning:

WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this Edge Transport server is subscribed, you must subscribe it again by using the New-EdgeSubscription cmdlet in the Exchange Management Shell, and then restart the Microsoft Exchange ADAM service.

So there is some more work to do. First you need to export the Edge Subscription data from the current server using the command:

New-EdgeSubscription -filename "your-edge-subscription.xml"

which exports the Edge Subscription information to the nominated file when run on your Edge Transport server (the command is smart enough to know it needs to export the data and not import it). Then you copy this file to your Hub Transport server and run the same command, this time appending the site name:

New-EdgeSubscription -filename "your-edge-subscription.xml" -site "your-site-name"

By default the site name is “Default-First-Site-Name”, but you can check which sites are configured to use the Edge Transport server by opening Exchange Management Console, Organization Configuration, Hub Transport and clicking the “Edge Subscriptions” tab. The site name is shown in the “Active Directory Site” column.

Everything seemed to be OK, but checking my Exchange Edge Transport Application event log showed the following error every five minutes:

The EdgeSync credential cn=ESRA.UNEX-EXCH-EDGE.UNEX-EXCH-02.0,CN=Services,CN=Configuration,CN={E0C281D5-5D17-4B14-A6F6-B88474F6C122} could not be decrypted by using the certificate with thumbprint 5DD5B1A15F7F4065559293DF77FDD72B3EFA8E8E. The exception is Bad Data. To resolve this problem, unsubscribe and resubscribe your Edge Transport server.

I checked the certificate, and sure enough there was an issue – the Root Authority for the newly generated certificate was not trusted. Because the certificate was self-signed (its Root Authority was the certificate itself), I had to export the certificate and then import it into Trusted Root Certificate Authorities before Windows would accept it. Once that was done, opening the original certificate under Personal/Certificates showed it as valid.
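The trust check behind that last step, as an added example that is not from the original post: it looks the certificate up by thumbprint in the machine's Personal store, builds the chain the way Windows does, and only if the certificate is self-signed and untrusted copies its public part (never the private key) into Trusted Root. It assumes the certificate is in LocalMachine\My (where Exchange keeps it), an elevated PowerShell 2.0 or later shell, and a function name of my own choosing.

```powershell
# Added example, not code from the original post. Assumes the certificate is in
# LocalMachine\My, the shell runs elevated, and PowerShell 2.0 or later.
function Test-SelfSignedRootTrust {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [switch]$ImportToRoot          # without this switch the function only reports
    )
    $thumb = $Thumbprint -replace '[^0-9A-Fa-f]', ''   # drop spaces/colons from a pasted thumbprint

    $my = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $my.Open("ReadOnly")
    $cert = $my.Certificates.Find("FindByThumbprint", $thumb, $false) | Select-Object -First 1
    $my.Close()
    if (-not $cert) { throw "No certificate with thumbprint $thumb in LocalMachine\My" }

    # Build the chain as the OS would; a self-signed cert has no CRL, so skip revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $valid = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","   # e.g. UntrustedRoot
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    Write-Host ("Subject: {0}`nSelf-signed: {1}`nExpires: {2}`nChain valid: {3} {4}" -f `
        $cert.Subject, $selfSigned, $cert.NotAfter, $valid, $status)

    # Nothing to do if the chain already builds, the cert is CA-issued, or we were only asked to check.
    if ($valid -or -not $selfSigned -or -not $ImportToRoot) { return $valid }

    # Export the public certificate only (DER, no private key) and add it to Trusted Root.
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$cert.Export("Cert"))
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $root.Open("ReadWrite")
    $root.Add($public)
    $root.Close()

    # Re-check: the chain should now build without an UntrustedRoot status.
    $chain2 = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain2.ChainPolicy.RevocationMode = "NoCheck"
    return $chain2.Build($cert)
}

# Usage (thumbprint from Get-ExchangeCertificate):
# Test-SelfSignedRootTrust -Thumbprint "your-thumbprint-here"               # report only
# Test-SelfSignedRootTrust -Thumbprint "your-thumbprint-here" -ImportToRoot # fix and re-check
```

Run the report-only form first on both the Edge and Hub servers; if it prints UntrustedRoot for the new certificate, that is the cause of the EdgeSync "Bad Data" decryption error above.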


Exchange Server 2007 Edge Transport Missing Accepted Domains

August 2, 2010

After some major network reconfiguration, I needed to re-subscribe my Exchange 2007 Edge Transport server with my Exchange 2007 Hub server. Everything went well, but after using the Exchange PowerShell command:

Start-EdgeSynchronization

I got errors complaining that it couldn’t find ADAM instances in my configuration.

I checked my Edge Transport server’s “Accepted Domains” list and my domains weren’t listed. They were listed on the Hub server. I used the PowerShell command:

Get-AcceptedDomain

on both servers with the same result – Hub was OK, Edge was missing the accepted domains.

I used PuTTY to telnet to my Exchange server from an external PC and tried the following:

EHLO

MAIL FROM:email.address@otherdomain.com

RCPT TO:internal.address@mydomain.com

After entering the RCPT TO information (NOTE: make sure you use a “real” internal email address here), there was a slight pause and I received a “5.7.1 Unable to relay” error message. I believe this was because there were no accepted domains in the list, so the server didn’t know how to work out whether it should be taking care of the email address or dropping it (as a non-open mail relay).

To fix this problem, I renamed the accepted domain entries (their names, not the domain names themselves), e.g. “my.domain.com” to “my-other.domain.com”, for all my accepted domains. After another:

Start-EdgeSynchronization

I got warnings that it couldn’t remove the non-existent domains, but it did create the accepted domains. I then changed the names back to their original values on the Hub server, ran Start-EdgeSynchronization again, and it was all better.

I tested again with my Putty telnet session, and it accepted my RCPT TO and allowed me to send the email. All fixed!