Exchange 2007 Event ID 12014 error

  • Question

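  • Hello
    First, my environment: 2 Mailbox role servers, 2 Hub role servers and 1 CAS role server. The OWA server's certificate was purchased from an external certification authority (such as VeriSign). Recently, while checking the Hub servers, I found quite a few 12014 errors in the event log.
    From some articles I read, it seems to be a certificate renewal problem, so I ran "Get-ExchangeCertificate" on the OWA server and on both Hub servers, with the following results: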

    OWA
    Thumbprint                                                           Services  Subject
    ----------                                                              --------   -------
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX32790  IP.W.      CN=webmail.xxx.com, O...
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX52522   .....        CN=OWA

    HUB1
    Thumbprint                                                          Services   Subject
    ----------                                                              --------   -------
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8A5E2  ....S        CN=HUB1

    HUB2
    Thumbprint                                                          Services   Subject
    ----------                                                              --------   -------
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD44C1  ....S       CN=smtp15.XXXX.com, O=...
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD7FEA   ....S       CN=HUB2
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXF9074    ....S       CN=HUB2

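    The answers I found say the error message can be fixed with the command Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -Services "SMTP".
    My question is: the error messages appear on the 2 Hub servers, so should this command be run on the 2 Hub servers? And which thumbprint should I copy?

    Please help clarify. Thank you.
    May 12, 2009, 2:19 PM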

Answer

  • Have you checked the FQDNs on the certificate first?
    You can first find the certificate currently in use: use Get-ExchangeCertificate to find that certificate's thumbprint and note it down.
    Then use the following cmdlet to clone it:
    Get-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxx | New-ExchangeCertificate
    where xxxxxx is the thumbprint noted down in the previous step.

    Jammy羅濟棠
    May 14, 2009, 3:36 PM

All replies

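  • I suggest you first provide the complete event log content.
    Jammy羅濟棠
    May 12, 2009, 3:14 PM
  • Hello
    The event log content is below. The error IDs are all the same; I have marked in bold the parts where the content differs.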

    Microsoft Exchange couldn't find a certificate that contains the domain name smtp15.xxx.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Exchange2007External with a FQDN parameter of smtp15.corel.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    Microsoft Exchange couldn't find a certificate that contains the domain name webmail.xxx.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Allow Relay Server with a FQDN parameter of webmail.corel.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    Microsoft Exchange couldn't find a certificate that contains the domain name HUB1.xxx.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of Q9OTTMAILHUB1.corelcorp.corel.ics. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    Thank you for your advice.
    May 12, 2009, 3:21 PM
  • My guess is that the Subject Alternative Name of your certificate does not include the three FQDN records above, which is what causes this event.
    You can open the local computer's certificates through MMC and check the Subject Alternative Name field to see whether that is the case.
    Jammy羅濟棠
    May 13, 2009, 3:50 PM
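
The check suggested in the reply above (does a certificate in the local store carry each connector's FQDN, and is it still valid and enabled for SMTP?) can also be done in the shell. This is an added example, not part of the thread: the function name, connectors, thumbprints and example.test hostnames are constructed, and it assumes objects with the Name/Fqdn and Thumbprint/Services/CertificateDomains/NotAfter properties that Get-ReceiveConnector, Get-SendConnector and Get-ExchangeCertificate return.

```powershell
function Test-ConnectorCertCoverage {
    param(
        [object[]]$Connectors,     # need Name and Fqdn
        [object[]]$Certificates,   # need Thumbprint, Services, CertificateDomains, NotAfter
        [string]$ComputerFqdn,     # used when a connector has no FQDN, as the event text describes
        [datetime]$Now = (Get-Date)
    )
    foreach ($conn in $Connectors) {
        $fqdn = [string]$conn.Fqdn
        if (-not $fqdn) { $fqdn = $ComputerFqdn }
        # Exact, case-insensitive name match only; wildcard entries are not evaluated here.
        $named = @($Certificates | Where-Object {
            @($_.CertificateDomains | ForEach-Object { [string]$_ }) -contains $fqdn
        })
        # Of the name matches, keep those enabled for SMTP and not yet expired.
        $usable = @($named | Where-Object {
            ([string]$_.Services -match 'SMTP') -and ($_.NotAfter -gt $Now)
        })
        if     ($usable.Count -gt 0) { $status = 'OK' }
        elseif ($named.Count  -gt 0) { $status = 'NameMatchesButExpiredOrNotSmtp' }
        else                         { $status = 'NoCertificateWithThisName' }
        New-Object PSObject -Property @{
            Connector = $conn.Name; Fqdn = $fqdn; Status = $status
            Thumbprints = ($named | ForEach-Object { $_.Thumbprint }) -join ','
        }
    }
}

# Constructed sample data (hypothetical names and thumbprints).
$certs = @(
    New-Object PSObject -Property @{ Thumbprint = 'AAAA1111'; Services = 'SMTP'
        CertificateDomains = @('hub1', 'hub1.corp.example.test'); NotAfter = (Get-Date '2009-03-01') }
    New-Object PSObject -Property @{ Thumbprint = 'BBBB2222'; Services = 'IIS, SMTP'
        CertificateDomains = @('relay.example.test'); NotAfter = (Get-Date '2010-01-01') }
)
$conns = @(
    New-Object PSObject -Property @{ Name = 'External';   Fqdn = 'smtp.example.test' }
    New-Object PSObject -Property @{ Name = 'Relay';      Fqdn = 'relay.example.test' }
    New-Object PSObject -Property @{ Name = 'Intra-Org';  Fqdn = '' }   # falls back to computer FQDN
)
Test-ConnectorCertCoverage -Connectors $conns -Certificates $certs `
    -ComputerFqdn 'hub1.corp.example.test' -Now (Get-Date '2009-05-14') |
    Format-Table Connector, Fqdn, Status, Thumbprints -AutoSize

# Live use in the Exchange Management Shell on a Hub Transport server:
#   $conns = @(Get-ReceiveConnector -Server $env:COMPUTERNAME) + @(Get-SendConnector)
#   Test-ConnectorCertCoverage -Connectors $conns -Certificates (Get-ExchangeCertificate) `
#       -ComputerFqdn ([System.Net.Dns]::GetHostEntry('').HostName)
```
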
  • I checked the local computer certificates and found that the certificates these Exchange servers issued to themselves have expired (they are valid for one year). Do I need to request certificates directly from the CA server?
    May 14, 2009, 10:34 AM
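  • Not recommended.
    Apart from the external-facing CAS, which needs the FQDN,
    and the Hub's Send Connector, which needs the FQDN,
    I don't recommend switching the others to CA certificates.


    Jammy羅濟棠
    May 14, 2009, 2:54 PM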
  • Thanks for the reply. So where should I make the fix? Sorry, I'm still a bit confused. (Mail delivery currently works without any problem; the event log just keeps throwing errors.)

    Thank you.
    May 14, 2009, 3:02 PM
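  • Thank you very much for your help; it was very helpful in clarifying the problem.
    Thanks!!!
    May 18, 2009, 2:59 PM
  • Hello

    My EXCHANGE 2010 has the same problem, with lots of 12014 events.
    Get-ExchangeCertificate returns two certificates. Do both of them need to be handled?

    October 28, 2010, 9:30 AM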