public folder replication issues

  • Question

  • I have installed a new 2008r2 box with exchange 2007 on a single server installation. I plan to decommission ASAP a 2003 server DC with exchange server 2003.

    The 2008r2 is now a DC and I have moved over the mailbox stores. I am trying to move all the roles to the exchange 2007 server.

    I am trying to move over the Public folder stores which are proving a problem. In servers/public folder store I have attempted to move all replicas to the new 2007 exchange server which is listed. This has been done a number of days ago and still nothing on the 2007 server. I have followed this article http://exchangeserverinfo.com/2007/12/05/transition-from-exchange-2003-to-exchange-2007--moving-the-public-folders-mailboxes--oab-part3.aspx however all the replicas in public folder Instances are still on the 2003 exchange server and have not moved.

    Any help appreciated.

    Wednesday, August 17, 2011 1:58 PM

All replies

  • Did you make the server a DC before or after installing Exchange?

    Replication traffic goes over SMTP, therefore a smart host on the SMTP virtual server on the Exchange 2003 server will stop replication. Third party software can do so as well. AV for example has been known to get in the way.

    Look in message tracking. That will show you if the replication traffic is moving. It sticks out - SERVER-IS as the from address so is easy to find.

    Simon.

    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Wednesday, August 17, 2011 3:38 PM
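The checks Simon describes (mail flow first, then replication messages from the Information Store in message tracking), as an added PowerShell example that is not part of the thread. Server name, probe mailbox and domain are placeholders; run it in the Exchange 2007 Management Shell on the new server.

```powershell
# Added example, not from the thread. Placeholders to replace with your own values:
$legacyServer = "EX2003"                  # the Exchange 2003 server
$probeMailbox = "someone@domain.local"    # a mailbox that still lives on the 2003 server

# 1. Public folder replication rides on SMTP mail flow, so prove mail flow
#    toward the legacy server before looking at replication itself.
Test-Mailflow -TargetEmailAddress $probeMailbox |
    Format-List TestMailflowResult, MessageLatencyTime

# 2. Replication messages are sent by the Information Store, so the sender
#    address has the form <SERVER>-IS@<domain>. Pull them from the last day
#    of tracking logs on this server; no rows means nothing is arriving.
$since = (Get-Date).AddDays(-1)
$replMsgs = Get-MessageTrackingLog -Start $since -ResultSize Unlimited |
    Where-Object { $_.Sender -like "*-IS@*" }
$replMsgs |
    Select-Object Timestamp, EventId, Sender, Recipients, MessageSubject |
    Sort-Object Timestamp | Format-Table -AutoSize
if (-not $replMsgs) {
    Write-Warning "No public folder replication traffic logged since $since"
}

# 3. Confirm which databases each public folder actually lists as replicas;
#    the new server's database should appear here for every folder you moved.
Get-PublicFolder "\" -Recurse -ResultSize Unlimited |
    Select-Object Identity, Replicas | Format-Table -AutoSize
```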
  • Make sure that mail flow is working fine between both servers.
    Keep in mind Public Folder Replication works on mail flow; if mail flow is not working then Public Folder Replication won't work.

    Do you see anything in application log?


    Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com
    Wednesday, August 17, 2011 5:39 PM
  • Thanks for your help guys, it's invaluable.

    Simon, I promoted the machine to a DC before installing Exchange. I do have a smart host. I created a secondary SMTP instance, removed the smart host but still no joy. I have a large number of messages stuck. In addition I cannot connect via Outlook though I think that is a different issue re HTTPS. I rekeyed my single SSL through GoDaddy.

    I am getting Event ID 12041

    Microsoft Exchange could not find a certificate that contains the domain name s80.adn.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default S80 with a FQDN parameter of s80.adn.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    In IIS I can see the s80 cert as well as the GoDaddy cert. I did make a mistake in the initial configuration of the cert as I created a cert request from IIS and not PowerShell. I will perform a request from PowerShell and rekey, however this does not solve the problem with the internal transport issue which is the main priority right now.
    Thursday, August 18, 2011 4:20 PM
  • On the event id 12041:
    http://support.microsoft.com/kb/555855

    Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com
    Thursday, August 18, 2011 4:47 PM
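The check that Event ID 12041 asks for (does an installed, unexpired Exchange certificate cover each Receive connector's FQDN, and is it enabled for SMTP), as an added PowerShell example that is not part of the thread or of the KB article. It only reports; the Enable-ExchangeCertificate command it prints is the fix named in the event text.

```powershell
# Added example, not from the thread: run in the Exchange 2007 Management Shell
# on the server that logs Event ID 12041.
$certs = Get-ExchangeCertificate

foreach ($rc in Get-ReceiveConnector -Server $env:COMPUTERNAME) {
    # If the connector has no explicit FQDN, the computer's FQDN is used,
    # exactly as the event text says.
    $fqdn = "$($rc.Fqdn)"
    if (-not $fqdn) {
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    }

    # Certificates whose domain list includes the FQDN and which are still valid.
    $covering = $certs | Where-Object {
        $_.NotAfter -gt (Get-Date) -and
        (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn)
    }

    if (-not $covering) {
        Write-Warning "$($rc.Name): no unexpired certificate covers '$fqdn'; STARTTLS will fail (12041)"
        continue
    }

    foreach ($c in $covering) {
        # Services is a flags value; its string form lists e.g. "IIS, SMTP".
        if ("$($c.Services)" -match "SMTP") {
            Write-Host "$($rc.Name): OK, $($c.Thumbprint) covers '$fqdn' and is enabled for SMTP"
        } else {
            Write-Warning "$($rc.Name): $($c.Thumbprint) covers '$fqdn' but is not enabled for SMTP."
            Write-Host   "  Fix: Enable-ExchangeCertificate -Thumbprint $($c.Thumbprint) -Services SMTP"
        }
    }
}
```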
  • Hi Gulab,

    I have 2 certificates for my Exchange, the default name.domain.local and the GoDaddy single cert. Am I correct in saying that I should be using the local server hostname/domain for internal SMTP delivery? Or should I be using the owamail.domain.com for both internal and external?

    Thanks


    Thursday, August 18, 2011 5:03 PM
  • Why would you be using two certs on one server?
    I would recommend using GoDaddy. Yes, you can keep the same URL for internal and external.
    Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com
    Thursday, August 18, 2011 5:20 PM
  • Why would you be using two certs on one server?
    I would recommend using GoDaddy. Yes, you can keep the same URL for internal and external.
    Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com


    In IIS there are two certificates, the local default site server.domain.local and my GoDaddy cert.

    I performed the http://support.microsoft.com/kb/555855 with my GoDaddy cert, rebooted and still no joy.

    I cannot connect to Exchange via internal Outlook. I cannot connect via FQDN in IE on the server itself or any internal clients. I have both IPv4 and IPv6 installed.

    I ran some tests on testexchange.

    Testing RPC/HTTP connectivity.
    The RPC/HTTP test failed.

    Test Steps
    Attempting to resolve the host name owamail.domain.com in DNS.
    The host name resolved successfully.
    Additional Details: IP addresses returned: IP

    Testing TCP port 443 on host owamail.domain.com to ensure it's listening and open.
    The port was opened successfully.

    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.

    Test Steps
    ExRCA is attempting to obtain the SSL certificate from remote server owamail.domain.com on port 443.
    ExRCA successfully obtained the remote SSL certificate.
    Additional Details: Remote Certificate Subject: CN=owamail.domain.com, OU=Domain Control Validated, O=owamail.domain.com, Issuer: SERIALNUMBER=0796nuumber, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.

    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details: Host name owamail.domain.com was found in the Certificate Subject Common name.

    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.

    Test Steps
    ExRCA is attempting to build certificate chains for certificate CN=owamail.domain.com, OU=Domain Control Validated, O=owamail.domain.com.
    One or more certificate chains were constructed successfully.
    Additional Details: A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.

    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details: ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details: The certificate is valid. NotBefore = 8/5/2011 3:58:43 AM, NotAfter = 10/21/2011 11:51:47 AM

    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
    Additional Details: Accept/Require Client Certificates isn't configured.

    Testing HTTP Authentication Methods for URL https://owamai.domain.com/rpc/rpcproxy.dll.
    The HTTP authentication methods are correct.
    Additional Details: ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM

    Testing SSL mutual authentication with the RPC proxy server.
    Mutual authentication was verified successfully.
    Additional Details: Certificate common name owamail.domain.com matches msstd:owamail.domain.com.

    Attempting to ping RPC proxy owamail.domain.com.
    RPC Proxy was pinged successfully.
    Additional Details: Completed with HTTP status 200 - OK

    Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server owamail.domain.com.
    The attempt to ping the endpoint failed.
    Additional Details: The RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime process.

    Just to be clear:

    Installed 2008R2, promoted to DC, fully patched, then Exchange 2007, then applied all service packs and rollups.

    Made sure was good on both servers via nslookup and netdiag.

    Moved mailboxes to Exchange 2007.

    I think I screwed up on SSL. Instead of using the GoDaddy cert on Exchange 2003 I rekeyed this via GoDaddy then imported this along with the intermediate cert, via http://help.godaddy.com/article/4877.

    Read through article http://exchange.sembee.info/2007/install/singlenamessl.asp

    Going nuts here!!

    Thursday, August 18, 2011 8:45 PM
  • Within the GoDaddy SSL certificate system is a tool to test your certificate - that will confirm if the certificate and intermediates have been installed correctly.

    The error code that you have posted is usually a sign that the Outlook Anywhere system cannot see the domain controller. Ensure that in the network configuration the ONLY DNS server listed is the server itself. No external DNS servers, routers etc. Exchange will only use itself. If this is not the only domain controller then ensure that it is a global catalog. If it isn't, change it and then reboot the server.

    You didn't need to create another SMTP virtual server, just remove the smart host from the one that you have. If you have two SMTP virtual servers then that is probably one of the causes of the problems. The SSL certificate will not have an effect on replication traffic.

    You need to ensure that the servers can see each other and telnet to each other on port 25 using IP address, name and FQDN.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Thursday, August 18, 2011 10:16 PM
  • Hi Simon,

    Thanks for your help.

    I used the godaddy tool and all is good.

    I started looking deeper in the logs as well as dcdiag, which indicated some Kerberos issues. That no doubt was the culprit in causing replication issues. All DNS, as I said, was working fine, all servers' IP pointing to themselves, which was confirmed with nslookup. I have the default gateway pointing to the router; this is standard practice on a single server, right? All roles are now with the 2008r2 server.

    I noticed there was a time issue and when I check the dates on both servers they were a month apart so obviously this was a big issue. Strange thing is I set the time to the same as the 2003 box as part of the setup. What could possibly be causing it to switch back a month?

    With regards to the SMTP server, I need to route mail through a 3rd party as my ISP will not support this function.

    “You didn't need to create another SMTP virtual server, just remove the smart host from the one that you have. If you have two SMTP virtual servers then that is probably one of the causes of the problems.”

    If not creating another SMTP instance, what would be the correct way to achieve outgoing mail?

    All servers can telnet through IP, FQDN and server name with no issues.

    Thanks again

    Friday, August 19, 2011 5:32 PM
  • You use a Send Connector on Exchange 2007 to get email to go out. If you want email to leave Exchange 2003 directly then you create an SMTP Connector. In a migration phase never have a smart host on the SMTP virtual server, even if you have more than one, as Exchange will get confused.

    Only domain controllers should be setting the time. If the servers are domain controllers then you should configure them to use an external time server (i.e. not time.windows.com, which I find useless). Use pool.ntp.org.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Monday, August 22, 2011 8:34 PM
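Measuring the clock offset between the two servers and pointing the domain controller at pool.ntp.org, as Simon recommends, as an added example that is not part of the thread. "EX2003" is a placeholder for the legacy server name; run it elevated on the 2008 R2 DC.

```powershell
# Added example, not from the thread. Placeholder for the Exchange 2003 / DC name:
$legacyServer = "EX2003"

# Offset in seconds between this machine and the legacy server. Kerberos
# tolerates only five minutes of skew by default, so the month-wide gap
# described earlier in this thread is enough to break authentication.
w32tm /stripchart "/computer:$legacyServer" /samples:3 /dataonly

# Sync this DC from external NTP peers (0x8 = client mode, one-way polling)
# and advertise it as a reliable time source for the rest of the domain.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Confirm the source now being used and when the last successful sync happened.
w32tm /query /source
w32tm /query /status
```

Domain members take their time from the DC automatically once it is in sync, so only the DC needs this configuration.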
  • Are you installing the Exchange 2007 server on a DC server? If yes, you should also set it up as a GC server.

    Besides, it is always recommended to keep your legacy Exchange server shut down for about two weeks before decommissioning it.


    Fiona (Moderator)
    Tuesday, August 23, 2011 7:07 AM
  • It is a GC server. I learnt quickly to keep the server around for a while just in case.

    My initial issues are resolved so thanks Simon.

    The big issue I have been having for the past few days: clients cannot contact port 6002. Things I have tried:

    telnet mail.domain.com 6002 fails, both 6001-6004 telnet with no issues.

    Created in regedit the rpcproxy entries for 6001-6002-6004. I noticed there is no NetBIOS entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC although there is one on the 2003 server, could this be a problem?

    Tried many things to get this resolved with no luck. In Outlook connection status I only have HTTPS mail listed and no directory, which I also believe is down to port 6002 being blocked.

    https://mail.domain.com/rpc/rpcproxy.dll is not working and it will not let me authenticate, just a blank screen. Google Chrome for some reason lets me authenticate, which is strange. Any ideas, as I have all but run out of fixes to try.

    Wednesday, August 24, 2011 11:47 PM