SMTP certificate renewal and EDGE subscription

I had to renew the SMTP certificate on the Edge servers. Here is the procedure for renewing the certificate and re-creating the Edge Subscription. It starts at the point where the CSR has already been created and the certificate has been received from the trusted CA.

1. Import new certificate
To import the certificate into the local computer's certificate store, run:

Import-ExchangeCertificate -FileData ([byte[]]$(Get-Content -Path "D:\tempo\certificate_mx1_2013.cer" -Encoding Byte -ReadCount 0))

2. Connect pending request to certificate
If step 1 did not pair the certificate with its pending request in the certificate store, repair the link by running (the argument is the certificate's serial number):

certutil -repairstore my "1268f7300044bc90ff426d5f515d3729"

Explanation can be found in my previous article: https://ficility.net/2013/02/25/exchange-2010-complete-certificate-request-problem/

3. Enable new Exchange certificate for SMTP service
Before the certificate can be used, it must be enabled for the particular services.

Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services SMTP

Result:

[PS] C:\Windows\system32>Enable-ExchangeCertificate 81315B240A62B5B5AD5570AA58A06D90B4B90B7E -Services SMTP

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'C661DC9E16FB391EDA2A852C3514AD035D710F68' (expires 4/27/2013 2:59:59 AM)
Replace it with certificate: '81315B240A62B5B5AD5570AA58A06D90B4B90B7E' (expires 4/28/2014 2:59:59 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this
Edge Transport server is subscribed to an Active Directory site, you must  subscribe it again by using the
New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.
[PS] C:\Windows\system32> 

4. Restart the transport service and the AD LDS service
At this moment mail stops flowing to this Edge server, because AD LDS is using the new certificate while the Edge Subscription is still bound to the old one.

5. Create the subscription file (XML) on the Edge server and copy it to a Hub server
We don't need to create connectors for the Edge Subscription, since they already exist. The Edge server must be subscribed to the AD site within 24 hours of creating the subscription file.

New-EdgeSubscription -FileName d:\subscription_2013.xml -Site <SITE_NAME> -CreateInternetSendConnector $false -CreateInboundSendConnector $false

Result:

[PS] C:\Windows\system32>New-EdgeSubscription -FileName d:\subscription_2013.xml -Site Default-First-Site-Name -CreateInternetSendConnector $false -CreateInboundSendConnector $false

Confirm
The Edge Subscription should be completed inside your organization within the next "1440" minutes before the bootstrap
account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

6. Subscribe the Edge server on the Hub using the subscription file (XML)
We need to re-create the trusted connection between the Edge server and the Hub servers. The subscription has to be re-created because AD LDS now uses the new certificate instead of the old one. It is enough to subscribe each Edge server once per subscription file.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "D:\subscription_2013.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

7. Restart the Edge server
Just to be sure all settings are applied before testing.

8. Test the Edge Subscription
If the test is not successful, you receive an error.

Test-EdgeSynchronization -FullCompareMode

Successful result:

[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode


RunspaceId                  : 4f4c61e7-1059-43fc-963b-877641087e2a
SyncStatus                  : Normal
UtcNow                      : 4/26/2013 6:43:50 AM
Name                        : EDGE
LeaseHolder                 : CN=HUB2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrati
                              ve Groups,CN=OR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=SALONOVI,DC=cz
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 4/26/2013 7:12:12 AM
LastSynchronizedUtc         : 4/26/2013 6:42:12 AM
TransportServerStatus       : Synchronized
TransportConfigStatus       : Synchronized
AcceptedDomainStatus        : Synchronized
RemoteDomainStatus          : NotSynchronized
SendConnectorStatus         : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 6
CookieRecords               : Number of cookies 2

9. Test mail flow

10. To start Edge synchronization manually

Start-EdgeSynchronization

Result:

[PS] C:\Windows\system32>Start-EdgeSynchronization


RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Configuration
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Recipients
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0
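As an added example (not the original post's commands), the same steps 1 to 10 wrapped in two functions for the Exchange Management Shell: the first runs on the Edge server, the second on a Hub server in the same AD site. The file paths, the site name and the certificate's SMTP name are assumptions.

```powershell
# Added example, not code from the original post; paths, site and SMTP name are assumed.
function Renew-EdgeSmtpCertificate {
    param(
        [string]$CertPath = 'D:\tempo\certificate_mx1_2013.cer',   # CA-issued certificate
        [string]$CertDomain = 'mx1.example.com',                   # assumed SMTP name
        [string]$SubscriptionFile = 'D:\subscription_2013.xml',
        [string]$SiteName = 'Default-First-Site-Name'
    )
    # Step 1: import the issued certificate so it pairs with the pending request.
    $bytes = [byte[]](Get-Content -Path $CertPath -Encoding Byte -ReadCount 0)
    $null = Import-ExchangeCertificate -FileData $bytes
    # Step 2 check: a certificate that did not pair with its request has no private key;
    # repair it with "certutil -repairstore my <serial>" before going further.
    $cert = Get-ExchangeCertificate | Where-Object {
        (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $CertDomain) -and
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No valid certificate with a private key for $CertDomain" }
    # Step 3: make it the default SMTP certificate (-Force skips the overwrite prompt).
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Force
    if ("$((Get-ExchangeCertificate -Thumbprint $cert.Thumbprint).Services)" -notmatch 'SMTP') {
        throw "SMTP was not enabled on $($cert.Thumbprint)"
    }

    # Step 4: restart the AD LDS instance (service name ADAM_MSExchange) and transport.
    Restart-Service -Name ADAM_MSExchange, MSExchangeTransport -Force

    # Step 5: write the subscription file; the existing connectors are kept.
    New-EdgeSubscription -FileName $SubscriptionFile -Site $SiteName `
        -CreateInternetSendConnector $false -CreateInboundSendConnector $false -Force
    # The file carries the bootstrap credential: copy it to the Hub over a protected
    # channel, import it within 1440 minutes, then delete every copy.
}

function Complete-EdgeSubscription {
    param(
        [string]$SubscriptionFile = 'D:\subscription_2013.xml',
        [string]$SiteName = 'Default-First-Site-Name'
    )
    # Step 6: re-subscribe the Edge server from the copied file, then remove the file.
    $xml = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
    $null = New-EdgeSubscription -FileData $xml -Site $SiteName
    Remove-Item -Path $SubscriptionFile
    # Steps 8 and 10: push a sync, then fail loudly if any Edge server is not Normal.
    Start-EdgeSynchronization | Where-Object { $_.Result -ne 'Success' } | Format-List
    $bad = Test-EdgeSynchronization -FullCompareMode | Where-Object { $_.SyncStatus -ne 'Normal' }
    if ($bad) { $bad | Format-List Name, SyncStatus, FailureDetail; throw 'Edge sync is not Normal' }
}
```

Restart the Edge server (step 7) and test mail flow (step 9) between the two functions, as in the procedure above.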

Links: http://technet.microsoft.com/en-us/library/bb310755(v=exchg.80).aspx


Exchange 2010 SP3 and Exchange 2013 RTM coexistence issue

I know that coexistence of Exchange 2010 SP3 and Exchange 2013 RTM is not supported, but I wanted to run some tests and see what issues appear. After installing Exchange 2010 SP3 on my old Exchange server in the lab, and then Exchange 2013 RTM servers in a DAG with an HAProxy load balancer in front of them, I found that everything worked just fine.

After that I started to write an article about federation trust (https://ficility.net/2013/02/08/exchange-federation-trust-part-1/) and the problems began.

Symptoms

I configured the federation trust on the Exchange 2013 server according to the linked article. It was supposed to distribute the Exchange certificate used for the federation trust across the organization, but the Exchange 2013 server was not able to contact the Exchange 2010 server and the distribution failed.

On the other side, the Exchange 2010 server picked up the information about the new federation certificate from AD but could not find the certificate in its local certificate store. As a result, MSExchangeServiceHost crashed with the errors shown below.

Test-ServiceHealth

Role                    : Mailbox Server Role
RequiredServicesRunning : False
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeIS, MSExchangeMailboxAssistants, MSExchangeMailSubmission, MSExchangeRepl, MSExchangeRPC, MSExchangeSA, MSExchangeSearch, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {MSExchangeServiceHost}

Role                    : Client Access Server Role
RequiredServicesRunning : False
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeFBA, MSExchangeProtectedServiceHost, MSExchangeRPC, W3Svc, WinRM}
ServicesNotRunning      : {MSExchangeAB, MSExchangeFDS, MSExchangeMailboxReplication, MSExchangeServiceHost}

Role                    : Hub Transport Server Role
RequiredServicesRunning : False
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {MSExchangeEdgeSync, MSExchangeServiceHost}

Get-ExchangeCertificate -Server Frontend1
The target server isn't running a supported version of Exchange Server.
    + CategoryInfo          : InvalidArgument: (:) [Get-ExchangeCertificate], ArgumentException
    + FullyQualifiedErrorId : 75222B43,Microsoft.Exchange.Management.SystemConfigurationTasks.GetExchangeCertificate

Event log sequence caused by the error: Event ID 2003 followed by Event ID 4999 (event log screenshots omitted).

Solution

Very simple. Export the certificate used for the federation trust from the Exchange 2013 RTM server and import it into the Personal certificate store of the local computer account on the Exchange 2010 SP3 server.

After the certificate import, the MSExchangeServiceHost service started normally.
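An added example (not code from the original post) of that export and import in the Exchange Management Shell, using the Export-ExchangeCertificate PFX route and verifying the result on the 2010 server. The PFX path and the choice of a password-protected PFX are assumptions; the post does not say how the certificate was moved.

```powershell
# Added example, not code from the original post; the PFX path is an assumption.
# --- On the Exchange 2013 server: locate the federation certificate and export it ---
$trust = Get-FederationTrust | Select-Object -First 1
$thumb = $trust.OrgCertificate.Thumbprint            # certificate the trust is signed with
$pfxPassword = Read-Host -AsSecureString 'Password to protect the PFX'
$export = Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded -Password $pfxPassword
Set-Content -Path 'C:\temp\federation.pfx' -Value $export.FileData -Encoding Byte
Write-Host "Exported $thumb; copy C:\temp\federation.pfx to the 2010 server over a protected channel."

# --- On the Exchange 2010 SP3 server: import into the local computer's Personal store ---
$thumb = Read-Host 'Thumbprint shown by the export step'
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$bytes = [byte[]](Get-Content -Path 'C:\temp\federation.pfx' -Encoding Byte -ReadCount 0)
$null = Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword
Remove-Item -Path 'C:\temp\federation.pfx'           # the PFX holds the private key; do not leave it on disk
# Verify the certificate is present with its private key, then check the crashing service.
Get-ExchangeCertificate -Thumbprint $thumb | Format-List Subject, Thumbprint, HasPrivateKey, Status
Start-Service -Name MSExchangeServiceHost
Test-ServiceHealth | Where-Object { -not $_.RequiredServicesRunning } | Format-List Role, ServicesNotRunning
```

Delete the PFX on the 2013 side as well once the import has been confirmed.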