The certificate is invalid for exchange server usage Exchange 2010 SAN/UC

by butsch 22. July 2013 22:44

Error after importing a SAN/UC certificate in Exchange 2010:

Error 1: "The certificate is invalid for exchange server usage"

This is because the ROOT CA and the intermediate CA of the provider have not been imported, so Windows cannot build the chain.

After you have resolved that, you get the next error:

Error 2: "The certificate status could not be determined because the revocation check failed"

That means the certificate services on the server (CryptoAPI, the same thing certutil uses) cannot reach one or more CRL/OCSP URLs from Microsoft or from your PKI provider (example: Comodo).

Error: When you see the second error you are unable to "Export" the certificate in the EMC / Exchange 2010 GUI (e.g. to copy it to a load balancer or another member of the CAS array).

HINT> Even if the certificate status is NOT valid, you are still able to "ENABLE" the imported certificate for services with PowerShell (Enable-ExchangeCertificate). We are unsure whether Export would work.

See http://www.butsch.ch/post/Generate-SAN-UC-Certificate-SSL-on-Exchange-2010.aspx on how to do that.

 

The first error, "The certificate is invalid for exchange server usage", appears because your otherwise up-to-date Windows Server does not have a current ROOT CA certificate of some certificate publishers (and the provider's intermediate CA is missing as well), so the chain cannot be built.

 

  1. Import the root CA (and intermediate CA) files you got from the provider together with the certificate on your Exchange 2010 CAS server.

 

  2. If you run your own CA (Certificate Authority) you may also publish the provider's root CA through your OWN CA / Group Policy to the whole Windows domain, so every member gets it. Type CERTUTIL at a command prompt to find out whether you have (or had) one, and then ask the PKI engineer in your environment for help (if you have one ;-)

 

Here is how to import manually on the Exchange 2010 CAS:

The files you got from your PKI provider together with your certificate.

Start > mmc > File > Add/Remove Snap-in > Certificates > Computer account (the CA certificates must go into the Local Computer store, not into the user store)

 

Import the root CA you got from your provider on the Exchange 2010 CAS server:

  1. ROOT CA (mostly with "Root" in the name) into "Trusted Root Certification Authorities"

  2. The second certificate you got from the provider (the intermediate CA) into "Intermediate Certification Authorities"

After this you see in the Exchange 2010 EMC under Server Configuration (on the right side):

The certificate status could not be determined because the revocation check failed
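The same import and chain check done from PowerShell, as an added example that is not part of the original post. It puts each CA file into the right LocalMachine store by checking whether it is self-signed (instead of looking for "Root" in the file name) and then builds the chain with an online revocation check, which is the check behind the EMC status. The file names are assumptions; run it as Administrator on the CAS.

```powershell
# Added example, not from the original post: import the CA files a provider ships with a
# SAN/UC certificate into the correct LocalMachine store, then build the chain with an
# online revocation check (the same check behind the EMC status). Run as Administrator.
# File names are assumptions; use the files your provider gave you.
$caFiles  = @("C:\edv\AddTrustExternalCARoot.crt",             # root CA (assumed name)
              "C:\edv\COMODOHigh-AssuranceSecureServerCA.crt")  # intermediate CA (assumed name)
$leafFile = "C:\edv\13296984.crt"                                # your provider certificate

function Import-CaCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Self-signed (Subject equals Issuer) means root => "Root" store. Anything else is an
    # intermediate => "CA" store, shown in the MMC as "Intermediate Certification Authorities".
    # This is more reliable than looking for the word "Root" in the file name.
    if ($cert.Subject -eq $cert.Issuer) { $storeName = "Root" } else { $storeName = "CA" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
    $store.Open("ReadWrite")
    try {
        if ($store.Certificates.Contains($cert)) {
            Write-Host "Already in LocalMachine\$storeName : $($cert.Subject)"
        } else {
            $store.Add($cert)
            Write-Host "Imported into LocalMachine\$storeName : $($cert.Subject)"
        }
    } finally {
        $store.Close()
    }
    return $storeName
}

function Test-CertificateChain {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online = download CRL/OCSP for every chain element, like Exchange does. Without the
    # root/intermediate in the store you get PartialChain/UntrustedRoot (error 1); when the
    # CDP/AIA/OCSP URLs are blocked you get RevocationStatusUnknown/OfflineRevocation (error 2).
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan(0, 0, 30)
    $valid = $chain.Build($cert)
    foreach ($element in $chain.ChainElements) {
        Write-Host ("  {0}`n    issued by {1}" -f $element.Certificate.Subject, $element.Certificate.Issuer)
    }
    $problems = @($chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() })
    New-Object PSObject -Property @{ Valid = $valid; Problems = $problems }
}

foreach ($file in $caFiles) { Import-CaCertificate -Path $file | Out-Null }
$result = Test-CertificateChain -Path $leafFile
if ($result.Valid) {
    Write-Host "Chain builds and the revocation check passed."
} else {
    Write-Host "Chain problems (this is what the EMC status is based on):"
    $result.Problems | ForEach-Object { Write-Host "  $_" }
}

# Inside the Exchange Management Shell the Status column is what the EMC shows. A certificate
# can be enabled for services even while Status is not "Valid":
#   Get-ExchangeCertificate | Format-List Thumbprint, Subject, Status, Services
#   Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,SMTP
```

If Problems contains UntrustedRoot or PartialChain after the import, the wrong file went into the wrong store (check with the MMC); RevocationStatusUnknown or OfflineRevocation means the firewall/proxy part below is still open.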

 

 

Check which certificate paths (CRL, AIA and OCSP URLs) Exchange needs to reach AND open those on the FIREWALL/WEBFILTER, or use the correct PROXY settings. Open the URL you see in a browser on the CAS and check whether you can download the files. Just make sure your Exchange 2010 can reach those URLs.

certutil -URLcache CRL (check: lists the CRL-related entries in the local URL cache)

 

Here is an output from certutil -URLcache:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

 

Also, and especially for Comodo certificates, check where your certificate itself wants to go (its AIA, CDP and OCSP URLs) and OPEN those URLs:

certutil -verify -urlfetch c:\edv\13296984.crt (13296984.crt is the filename of your provider certificate)

----------------  Certificate AIA  ----------------

 Failed "AIA" Time: 0

   Error retrieving URL: The operation timed out 0x80072ee2 (WIN32: 12002)

   http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt

  ----------------  Certificate CDP  ----------------

 Failed "CDP" Time: 0

   Error retrieving URL: The operation timed out 0x80072ee2 (WIN32: 12002)

   http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl

 ----------------  Certificate OCSP  ----------------

 Failed "OCSP" Time: 0

   Error retrieving URL: The operation timed out 0x80072ee2 (WIN32: 12002)

   http://ocsp.comodoca.com


   Revocation Check Failed "Certificate (0)" Time: 0
    [0.0] http://crt.usertrust.com/AddTrustExternalCARoot.p7c

  Verified "Certificate (1)" Time: 0
    [0.1] http://crt.usertrust.com/AddTrustExternalCARoot.p7c

  Revocation Check Failed "Certificate (0)" Time: 0
    [1.0] http://crt.usertrust.com/AddTrustUTNSGCCA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0bbc)" Time: 0
    [0.0] http://crl.usertrust.com/AddTrustExternalCARoot.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 63
    [0.0] http://ocsp.usertrust.com

 

Open these URLs on the firewall as well:

http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt
http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl
http://ocsp.comodoca.com
http://crt.usertrust.com/AddTrustExternalCARoot.p7c
http://crt.usertrust.com/AddTrustUTNSGCCA.crt
http://crl.usertrust.com/AddTrustExternalCARoot.crl
http://ocsp.usertrust.com

 

PROXY

If you use a PROXY, do not forget to EXCLUDE your internal domain > example > *.domain.local from the PROXY (bypass list), or your Exchange EMC won't work anymore!

If you can't open the CAS server to those URLs, or you don't have the rights to do so, check how to configure the WinHTTP proxy settings with NETSH (netsh winhttp set proxy). That is the proxy setting the revocation check on the server uses; the Internet Explorer proxy of the logged-on admin is not enough.

 

http://exchangeserverpro.com/exchange-2010-certificate-revocation-checks-and-proxy-settings/
http://www.geekmungus.co.uk/microsoft-exchange/exchange2010-ucccertificatethecertificateisinvalidforexchangeserverusage
http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx
http://blogs.technet.com/b/exchange/archive/2010/07/26/emc-and-certificates-with-failed-revocation-checks-in-exchange-2010.aspx
http://support.microsoft.com/kb/979694/en-us
http://msexchangeguru.com/2012/11/12/certificate-revocation/

 

 

 

certutil -urlcache crl delete (clean the cached CRL entries so the next check retries the download)

certutil -urlcache ocsp delete (clean the cached OCSP entries)
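The URL check, the firewall list, the proxy setting and the cache cleanup from the steps above in one script, as an added example that is not part of the original post. It runs certutil -verify -urlfetch, parses the output (every URL inherits the Failed/Verified status line printed before it) and prints exactly the URLs to hand to the firewall team. The certificate path, proxy name and bypass list are assumptions.

```powershell
# Added example, not from the original post: run certutil -verify -urlfetch against the
# provider certificate, parse its output and print the CDP/AIA/OCSP URLs that could not be
# fetched, i.e. the list for the firewall/web filter. Then the proxy and cache steps.
# The certificate path, proxy name and bypass list are assumptions for this example.
$certFile = "C:\edv\13296984.crt"          # your provider certificate (assumed path)
$proxy    = "proxy.domain.local:8080"      # assumed proxy; only used if you uncomment the set command
$bypass   = "*.domain.local;<local>"       # internal names must bypass the proxy or the EMC breaks

function Get-CertutilUrlStatus {
    param([string[]]$Lines)
    # certutil prints a status line ('Failed "AIA" ...', 'Verified "OCSP" ...',
    # 'Revocation Check Failed "Certificate (0)" ...') and then the URL(s) it tried,
    # so every URL gets the last status line seen before it.
    $results = @()
    $status  = "Unknown"
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?:Revocation Check )?(Failed|Verified)\s+"') {
            $status = $Matches[1]
        } elseif ($line -match '(https?://\S+)') {
            $results += New-Object PSObject -Property @{ Url = $Matches[1]; Status = $status }
        }
    }
    return $results
}

$output = & certutil.exe -verify -urlfetch $certFile 2>&1 | ForEach-Object { "$_" }
$urls   = Get-CertutilUrlStatus -Lines $output
$failed = @($urls | Where-Object { $_.Status -eq "Failed" }   | ForEach-Object { $_.Url } | Sort-Object -Unique)
$okUrls = @($urls | Where-Object { $_.Status -eq "Verified" } | ForEach-Object { $_.Url } | Sort-Object -Unique)

Write-Host "Reachable from this CAS:"
$okUrls | ForEach-Object { Write-Host "  $_" }
if ($failed.Count -gt 0) {
    Write-Host "Open these URLs on the firewall / web filter (or route them through the proxy):"
    $failed | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "All CDP/AIA/OCSP URLs of the certificate chain are reachable."
}

# The revocation check on the server downloads CRLs/OCSP responses through the machine-wide
# WinHTTP proxy, not through the Internet Explorer settings of the logged-on admin:
netsh winhttp show proxy
# To set it (uncomment), keep the internal domain on the bypass list; to remove it again:
# netsh winhttp reset proxy
# netsh winhttp set proxy "proxy-server=$proxy" "bypass-list=$bypass"

# After the firewall or proxy change, drop the cached failures so the next check retries:
certutil -urlcache crl delete
certutil -urlcache ocsp delete
```

Run it once before and once after the firewall/proxy change; when the "Open these URLs" list is empty, the EMC status turns to Valid after the next refresh.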

Tags:

Exchange 2007 | Exchange 2010 | Server 2008 R2

KB2775511 W7 / 2008 R2 hotfix collection POST SP1 pack (90 patches)

by butsch 23. May 2013 06:47

http://support.microsoft.com/kb/2775511

WIN7 32 & 64BIT / Server 2008 R2 ML / language Neutral

 This is what it is supposed to improve:

  • Faster logon
  • Faster policy handling on clients with many policies
  • Web-based Distributed Authoring and Versioning (WebDAV)
  • DFSN client
  • Folder redirection
  • Offline files and folders (CSC)
  • SMB client
  • Redirected Drive Buffering Subsystem (RDB)
  • Multiple UNC Provider (MUP)

There is a new Enterprise Pack update, which is mainly intended for corporate environments. It contains around 90 patches resp. hotfixes.

Some blogs write that individual hotfixes contained in it cause problems with their third-party software. Mostly smaller database formats.

Errors then also with SMB 2.0:

http://blogs.msdn.com/b/winsdk/archive/2013/05/13/roll-up-update-kb-2775511-reports-with-smb-2-0-data-truncation.aspx

http://windowssecrets.com/forums/showthread.php/153760-Beware-KB-2775511-a-special-hotfix-rollup-post-Windows-7-SP1

 

Maybe if someone is working on a few W7 clients right now and is not getting anywhere at all: before reinstalling, as a last step install the hotfix pack.

For some of the individual patches it says "do not install" or "only in a test environment resp. only if the problem is present". So better not for everyone and everything...

 I suspect this is an SP2 pre-check at the customers' expense. But still better than requesting 10 hotfixes per problem when it is urgent...

You cannot download it directly; you have to import it into WSUS via the Windows Update Catalog (Import). You can, however, copy the file from a client from

C:\Windows\Downloaded Installations or, with luck (or knowledge ;-), find the corresponding file in WSUSCONTENT.

These single patches are included, and people who have an idea of deployment or server management know what the single terms are.

The page is language neutral and has different languages for some patches:

language="neutral"

It's for Windows 7 32-bit and 64-bit and I think the same patch is for 2008 R2? At least the package surely goes in that direction (FailoverCluster-Core-WOW64-Package or the RemoteFX RDP package).

 

Microsoft-Windows-OfflineFiles-Package" language="zh-TW" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-Printing-Foundation-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-Printing-Server-Features-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-Printing-PremiumTools-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-RemoteFX-VM-Setup-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" versionScope="nonSxS"
Microsoft-Windows-TerminalServices-MiscRedirection-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-TerminalServices-Gateway-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-TerminalServices-RemoteApplications-Client-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-GroupPolicy-ClientTools-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-Printing-ServerCore-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-ServerCore-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-ServerFoundation-Base-LanguagePack-Package" language="he-IL" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-FailoverCluster-Core-WOW64-Package" language="ar-SA" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-ServerCore-WOW64-Package" language="ar-SA" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-WinPE-LanguagePack-Package" language="tr-TR" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-WinPE-Package" version="6.1.7601.17514" processorArchitecture="amd64" language="neutral" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS"
WinPE-Dot3Svc-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
WinPE-MDAC-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
WinPE-WMI-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
Microsoft-Windows-Client-Features-Package" version="6.1.7601.17514" processorArchitecture="amd64" language="neutral" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS"
Microsoft-Windows-Printing-Server-Role-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-ServerDesktopExperience" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
Microsoft-Windows-WirelessNetworking-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release"
 
 

Tags:

Hotfixes / Updates | Server 2008 R2 | WSUS

Powershell Links for Exchange 2007/2010

by butsch 25. October 2011 22:22

How to automate a PowerShell script on Windows Server (scheduled task):

http://exchangeshare.wordpress.com/2008/12/08/how-to-schedule-powershell-script-for-an-exchange-task/

Free ActiveRoles Management Shell for Active Directory 32/64-bit from Quest:

http://www.quest.com/powershell/activeroles-server.aspx
http://ss64.com/ps/quest.html

How to load the PowerShell snap-ins into the shell (as an example Exchange and the Quest one):

 

http://technet.microsoft.com/en-us/library/bb963745.aspx

Add-PSSnapIn -Name Microsoft.Exchange.Management.PowerShell.Admin,Quest.ActiveRoles.ADManagement

http://poshcode.org/2231

Here is how to skip/catch the error if the snap-in has already been loaded (and to skip it entirely if it is not registered on this machine).

 

#Load Exchange 2010 PS Snapin (only if it is registered on this machine and not loaded yet)
If (@(Get-PSSnapin -Registered | Where-Object {$_.Name -eq "Microsoft.Exchange.Management.PowerShell.E2010"} ).count -eq 1) {
    If (@(Get-PSSnapin | Where-Object {$_.Name -eq "Microsoft.Exchange.Management.PowerShell.E2010"} ).count -eq 0) {
        Write-Host "Loading Exchange Snapin Please Wait...."; Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
    }
}

#Load Exchange 2007 PS Snapin (same check; the Exchange 2007 snap-in is called ...PowerShell.Admin)
If (@(Get-PSSnapin -Registered | Where-Object {$_.Name -eq "Microsoft.Exchange.Management.PowerShell.Admin"} ).count -eq 1) {
    If (@(Get-PSSnapin | Where-Object {$_.Name -eq "Microsoft.Exchange.Management.PowerShell.Admin"} ).count -eq 0) {
        Write-Host "Loading Exchange Snapin Please Wait...."; Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
    }
}

 

Removing mailbox export and import requests (e.g. the ones created with New-MailboxExportRequest -Mailbox $Identity -FilePath $pstshare$user".pst"):

http://thoughtsofanidlemind.wordpress.com/2010/12/21/removing-mailbox-export-and-import-requests/
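A worked export-and-cleanup script for the request commands above, as an added example that is not part of the original post or of the linked article. It uses the Exchange 2010 SP1 cmdlets New-MailboxExportRequest, Get-MailboxExportRequest(Statistics) and Remove-MailboxExportRequest/Remove-MailboxImportRequest; the share, the mailbox alias and the admin account are assumptions.

```powershell
# Added example, not from the original post: export a mailbox to a PST on a share and then
# remove finished export/import requests. Completed requests are not cleaned up by
# themselves, and the auto-generated request names run out after a handful per mailbox.
# Exchange 2010 SP1+ cmdlets; run in the Exchange Management Shell.
# Share, mailbox alias and the admin account are assumptions for this example.
$pstShare = "\\fileserver\pst$"   # assumed UNC share; "Exchange Trusted Subsystem" needs write access
$user     = "jdoe"                # assumed mailbox alias

# One-time prerequisite: by default nobody holds the "Mailbox Import Export" role.
#   New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "admin"   (reopen the shell afterwards)

function Start-PstExport {
    param([string]$Mailbox, [string]$Share)
    $path = Join-Path $Share ($Mailbox + ".pst")
    # A fixed -Name makes the request easy to find again and avoids the MailboxExportN counter
    New-MailboxExportRequest -Mailbox $Mailbox -FilePath $path -Name ("Export-" + $Mailbox)
}

function Remove-FinishedPstRequests {
    # Failed requests: print the report first so the reason is not lost with the request
    foreach ($req in @(Get-MailboxExportRequest -Status Failed)) {
        Write-Host "FAILED export $($req.Name), report follows:"
        Get-MailboxExportRequestStatistics -Identity $req.Identity -IncludeReport | ForEach-Object { $_.Report }
    }
    # Completed requests are just removed (export and import side)
    Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false
    Get-MailboxImportRequest -Status Completed | Remove-MailboxImportRequest -Confirm:$false
}

Start-PstExport -Mailbox $user -Share $pstShare
# Watch progress with:  Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
Remove-FinishedPstRequests
```

Remove-FinishedPstRequests leaves failed requests in place on purpose; remove them by hand once you have read the report.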

Tags:

Exchange 2007 | Exchange 2010 | Scripting | Server 2008 R2

Exchange Running Powershell from Batch on Server 2008/R2, 32/64BIT

by butsch 19. October 2011 02:35

Exchange Running PowerShell from Batch on Server 2008/R2 32/64BIT, c:\windows\Sysnative Path

If you receive this error while running a PowerShell script from a batch file:

WARNING: The following errors occurred when loading console D:\ProgramFiles\Microsoft\Exchange Server\bin\exshell.psc1:
Cannot load Windows PowerShell snap-in Microsoft.Exchange.Management.PowerShell.Admin because of the following error:
No snap-ins have been registered for Windows PowerShell version 2.
Command 'c:\batch\butsch.ps1' could not be executed because some Windows PowerShell snap-ins did not load.

You may have to call PowerShell from within the batch this way:

my_batch.cmd

:: On 64-bit Server 2008/R2 a 32-bit cmd.exe (or a 32-bit scheduler/task host) sees
:: C:\Windows\System32 redirected to C:\Windows\SysWOW64, which holds the 32-bit PowerShell.
:: The Exchange snap-ins are registered for the 64-bit PowerShell only, hence the error above.
:: 32BIT  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe   (32-bit PowerShell on a 64-bit OS)
:: 64BIT  C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe   (when called from a 64-bit process)
:: 64BIT  C:\Windows\Sysnative\WindowsPowerShell\v1.0\PowerShell.exe  < Server 2008 and R2 64BIT when you call PowerShell from a 32-bit DOS batch; Sysnative bypasses the redirection.
cd /d "D:\Program Files\Microsoft\Exchange Server\bin"
C:\Windows\Sysnative\WindowsPowerShell\v1.0\PowerShell.exe -PSConsoleFile "D:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -noexit -command "c:\batch\butsch.ps1"

The Sysnative path was the solution, not registering components anew or compiling the batch as 64-bit (in some surrounding code with an .exe). Note that Sysnative only exists as seen from a 32-bit process; a 64-bit cmd.exe uses C:\Windows\System32 directly.


The hotfix that is mentioned in almost 70% of the blogs is for Server 2003 and not for 2008.

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/41c9cd78-74ad-4903-8a77-be6c09724669
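The same fix from inside the script instead of the batch, as an added example that is not part of the original post: the script detects that it runs as 32-bit PowerShell under WOW64 (where the 64-bit-only Exchange snap-ins are not registered, which is the "No snap-ins have been registered" error) and re-launches itself through Sysnative. The console-file path is an assumption.

```powershell
# Added example, not from the original post: put this at the top of a script that is
# started from batch or a scheduled task. If it finds itself in 32-bit PowerShell on a
# 64-bit OS (where the 64-bit-only Exchange snap-ins are not registered, hence the
# "No snap-ins have been registered" error) it re-launches itself via Sysnative.
# The console-file path is an assumption for this example.
$exshell = "D:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1"

function Test-Wow64Process {
    # [IntPtr]::Size is 4 in a 32-bit process. PROCESSOR_ARCHITEW6432 is only set by WOW64,
    # i.e. for a 32-bit process on 64-bit Windows. Both work on PowerShell 2.0 / .NET 2.0,
    # unlike [Environment]::Is64BitProcess which needs .NET 4.
    return (([IntPtr]::Size -eq 4) -and ($env:PROCESSOR_ARCHITEW6432 -ne $null))
}

if (Test-Wow64Process) {
    # Sysnative is a virtual folder that only exists for 32-bit processes; it maps to the
    # real 64-bit System32 that WOW64 otherwise redirects to SysWOW64.
    $ps64 = Join-Path $env:windir "Sysnative\WindowsPowerShell\v1.0\powershell.exe"
    Write-Host "32-bit PowerShell on 64-bit Windows, re-launching via $ps64"
    & $ps64 -PSConsoleFile $exshell -NoProfile -File $MyInvocation.MyCommand.Path
    exit $LASTEXITCODE
}

# From here on we are the 64-bit PowerShell and the snap-in registration is visible.
$snapin = "Microsoft.Exchange.Management.PowerShell.E2010"   # Exchange 2007: Microsoft.Exchange.Management.PowerShell.Admin
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $snapin
}
Write-Host ("Running {0}-bit PowerShell, snap-in {1} loaded" -f ([IntPtr]::Size * 8), $snapin)
# ... the actual Exchange work of the script follows here
```

With this at the top, the batch file can simply call PowerShell.exe -File on the script; the script takes care of ending up in the 64-bit host.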

 

Tags:

Exchange 2007 | Exchange 2010 | Server 2008 R2

Microsoft Hotfix Updates and important KB entrys in Fall 2011

by butsch 20. September 2011 22:48

A heavily fragmented file in an NTFS file system volume may not grow beyond a certain size

http://support.microsoft.com/kb/967351/en-us

Of interest for SQL and Exchange administrators. Not a rumour after all, now it's official ;-) The defrag companies are happy.

A heavily fragmented file in an NTFS file system volume may not grow beyond a certain size caused by an implementation limit in structures that are used to describe the allocations.

 

System Update Readiness Tool

Is NOT a pre-check for 2008 R2 or W7, but automatically repairs existing errors in Windows components that prevent updates through WSUS, e.g. with the .NET Framework. Corrects wrong MSI source paths!

http://support.microsoft.com/kb/947821/en-us

 

Cached Logon Credentials

Update from 12.09.11 for the cached credentials. A laptop can log on at most 50 times without a domain controller (the number of cached logons, CachedLogonsCount, can be set between 0 and 50; the default is 10). This can be controlled and many are not aware of it. It is often forgotten when planning home/site offices.

http://support.microsoft.com/kb/172931/en-us

 

Blue/black screen after installing Service Pack 1 for Windows 7 or Server 2008 R2

http://support.microsoft.com/kb/975484/

975484 Your computer may freeze or restart to a black screen that has a "0xc0000034" error message after you install Service Pack 1 on Windows 7 or Windows 2008 R2

 

Windows 7 or Windows Server 2008 R2 stops responding when an application performs many I/O operations to a network share

http://support.microsoft.com/kb/2582112/

This issue occurs because of a new behavior of the Server Message Block (SMB) mini-redirector (mrxsmb.sys) in Windows 7 and in Windows Server 2008 R2.
In Windows 7 and Windows Server 2008 R2, a power request object is created and then destroyed for every SMB network file operation. When an application performs heavy I/O to the network share, many threads that read or write to the network share create many power request objects. Therefore, the Power service cannot process the power request objects as fast as they are generated.

Tags:

Client Management | Hotfixes / Updates | Server 2008 R2