Jude's Blog

Posts Tagged ‘exchange 2013

450 4.7.320 Certificate validation failed

leave a comment »

Issue


The environment was running Exchange Server 2016 (n-1)CU with Office 365 in a hybrid mode. The issue came up when users on-prem noticed that they are unable to receive emails from their own O365 cloud users. Looking more into this, figured out the following user mail flow scenarios;

  • On-prem users can send/receive mails within on-prem and to/from internet users
  • O365 cloud users can send/receive mails within O365 and to/from internet users
  • On-prem users cannot send/receive emails to/from O365 users

So obviously, this had to do something with the hybrid connector since that’s the tunnel that bridges the two environments.

So back to the basics, lets trace down the error messages and see if we can get a clue. In order to see where our mails are stuck, you need to first check the delivery reports. Log in to the O365 Exchange ECP as administrator and navigate to Message Tracing. On the message tracing log, you will see something like below;

11

We’re almost there now. The above indicates that why O365 is not delivering the mails to on-prem environment is because as on the first item, we have configured to use TLS between the hybrid environments. Thus due to whatever reason, the certificate presented from the on-prem public IP does not match the certificate that is been binded in the Hybrid Configuration. Now in order to validate this, we need to look at two points;

  • Ensure that the certificate is not expired
  • Check Hybrid Configuration certificate settings: To validate that you have the correct certificate open up the Exchange PowerShell module on your on-prem and run the below command;

Get-HybridConfiguration

12

Now as you can see, the Hybrid configuration is configured with the correct certificate. So nothing to worry on that.

  • Exchange Connector TLS settings: The next connection point would be our internal Exchange Server receive connector. Why this connector is important is that when O365 is trying to connect with the exchange server for mail delivery, it will try out TLS for authentication. This is because we have TLS enabled; meaning we should have the correct certificate binded to the corresponding Receive Connector. In many cases this would be the Default FrontEnd connector. Run the below command and ensure that the property tlscertificatename is set correctly and is the same as the above certificate.

Get-ReceiveConnector -Identity “<ExchangeServerName>\Default Frontend <ExchangeServerName>” | fl

In my case, the certificate was all fine and is set for the one as expected.

So, the certificate itself, exchange setup and office 365 hybrid setup is all configured as expected. Yet somehow, Office 365 is telling me that the certificate is not correct.

This is where we would need to properly test TLS in a more informative manner. We will now see how we can use a method where we can see the TLS communication that is made to our on-premises.

Enter CheckTLS web testing provider. The provider has many tools to check TLS mechanisms but in our case, we are looking at the receiving part. Thus we will head over here.

https://www.checktls.com/TestReceiver

What it does?

TestReceiver performs all the steps that Internet email systems go through to send email. It records every command and byte of data it sends and every answer and byte of data that the other email system sends. TestReceiver never actually sends an email, it just gets as close as possible, learning as much about the remote system as it can.

Because CheckTLS focuses on security, TestReceiver tries to establish a secure (TLS) connection with the recipient’s system. Along with recording everything, it looks at the security of the recipient’s system for things like: certificate contents and signers, encryption algorithms, key lengths, hostname mis-matches, incorrect wild-card usage, weak cyphers, etc.

So is this safe? absolutely. Since it only checks whatever is already published by your organization. It doesn’t grab your email ID, username or passwords.

  1. So head over to the site and under the Input fields, type your domain name in the eMail Target
  2. Ensure that under the Output Format you have selected Detail (this will provide you a verbose log of the connection status, more meaningful)
  3. Click Run Test.
  4. Give it some time to run the test and notice the logging which happen in the background. This is the session initiation that happens in real time.
  5. Once the test is completed, look in the detailed log.13

 

And we have found the culprit. Just have a closer look at the above image. You can see that the TLS authentication does start however the certificate validation fails. The reason is that the issuing certificate is not our Exchange Certificate, but a self signed certificate by the barracuda appliance which is front-ending to external connections.

When Office 365 tries to initiate a TLS session, it is getting this self signed certificate thus the required URLs are not found (mail.domain.com) hence it drops the connection and throws out;

450 4.7.320 Certificate validation failed.

If this is your case, bump up your network team and ask them to bind the correct certificate from the appliance. Once its configured properly, run the below tests again to validate that everything is all good.

  • CheckTLS Receive validation – Ensure correct certificate is thrown out
  • Office 365 Connector Validation

If everything is successful, send out couple of emails and you will see that mailflow is working as expected. For the mails that were queued, give some time and it’ll start flowing.

Got any inputs? Please feel free to let me know your ideas.

Cheers..

Advertisements

Exchange Server Upgrade | Step-by-Step

with one comment

The guide will cover upgrading an Exchange Server 2013 CU8 into Exchange 2013 CU15.

In a nutshell, this is the procedure:

  1. Prepare the existing environment
    1. Download the latest binaries
    2. Remove Interim Updates
  2. Perform Upgrade
    1. Enable Exchange Server maintenance mode (High Availability)
    2. Upgrade Schema
    3. Install Exchange Binaries
    4. Enable Exchange Server services

Prepare the existing environment

Download Exchange Server SP/RU/CU binaries

When you are performing an Upgrade, you can go ahead and install the latest Cumulative Update (CU). You DO NOT, need to install all previous CU’s one by one in an incremental way. This is because a CU is a full installation of Exchange Server plus a collection of all the updates, patches and changes that has been made available so far.

For an Example, if you are on Exchange Server 2016 RTM, you can straight away install CU4. Because CU4 will contain all changes made in each of the CU’s previously released.

Exchange 2016

Version Blog post
Exchange 2016 CU4 Released: December 2016 Quarterly Exchange Updates
Exchange 2016 CU3 Released: September 2016 Quarterly Exchange Updates
Exchange 2016 CU2 Released: June 2016 Quarterly Exchange Updates
Exchange 2016 CU1 Released: March 2016 Quarterly Exchange Updates
Exchange 2016 RTM Exchange Server 2016: Forged in the cloud. Now available on-premises

Exchange 2013

Version Blog post
Exchange 2013 CU15 Released: December 2016 Quarterly Exchange Updates
Exchange 2013 CU14 Released: September 2016 Quarterly Exchange Updates
Exchange 2013 CU13 Released: June 2016 Quarterly Exchange Updates
Exchange 2013 CU12 Released: March 2016 Quarterly Exchange Updates
Exchange 2013 CU11 Released: December 2015 Quarterly Exchange Updates
Exchange 2013 CU10 Released: September 2015 Quarterly Exchange Updates
Exchange 2013 CU9 Released: June 2015 Exchange Cumulative Update and Update Rollups
Exchange 2013 CU8 Released: Exchange Server 2013 Cumulative Update 8
Exchange 2013 CU7 Released: Exchange Server 2013 Cumulative Update 7
Exchange 2013 CU6 Released: Exchange Server 2013 Cumulative Update 6
Exchange 2013 CU5 Released: Exchange Server 2013 Cumulative Update 5
Exchange 2013 SP1 Released: Exchange Server 2013 Service Pack 1
Exchange 2013 CU3 Released: Exchange Server 2013 Cumulative Update 3
Exchange 2013 CU2 Released: Exchange Server 2013 Cumulative Update 2
Exchange 2013 CU1 Released: Exchange Server 2013 Cumulative Update 1
Exchange 2013 RTM Exchange Server 2013 Reaches General Availability

Remove Interim Updates

Now that you have downloaded the binaries, you need to get rid of the Interim Updates that may have been installed in your environment. In some cases, if an Interim Update is installed, Microsoft Exchange Server CU’s or SP’s cannot be installed. Therefore, before installing the binaries, read the release notes for any information on removal of interim updates. Below steps will guide for that;

  1. In Control Panel, double-click Programs and Features.
  2. In the Currently installed programs list, click Interim Update for Exchange Server 201X (KBxxxxxx), where xxxxxx is the Knowledge Base article number that is associated with the IU.
  3. Click Remove.
  4. At a command prompt, run sn.exe -Vu * to enable strong name verification.
  5. Run sn.exe –Vl to verify that strong name verification is enabled.

Perform Upgrade

Enable Exchange Server maintenance mode (High Availability)

If you have standalone servers in your environment, then an upgrade will require you to go in for a downtime. Why? Because the services needs to be stopped during the upgrade process. In such a scenario, skip to the Upgrade section.

However, if your environment consists multiple servers in terms of 2xCAS or 2xMBX or 2x(CAS+MBX) or any of a combined scenario, it is highly advised that you perform upgrading of the servers one by one. This will ensure that your environment will stay online using the rest of the high available servers taking the downtime away.

There’s a catch in here. Let’s say we have a 2 Mailbox Server scenario: Server A and B. You decide to mount all databases into ServerA and upgrade Server B. Although this seems an okay way to do, it is not the case. Reason is that the Active Manager and other Exchange backend workers doesn’t know that you are doing a planned maintenance. Thus, the workers will think that the server is in a failed state. Can we fix this? Absolutely. You have to take the services on Server B or the server that you are about to do the upgrade into ‘Maintenance Mode’.

Below steps will guide you to do so;

  1. Run Exchange PowerShell as Administrator.
  2. Run below command to drain connections on the Hub Transport service
    Set-ServerComponentState <SERVER> -Component HubTransport -State Draining -Requester Maintenance

  3. Run below command to disable cluster services
    Suspend-ClusterNode <SERVER>

  4. Run below command to prevent databases from being mounted on the server. It will also immediately move any mounted databases on the server to other servers if copies exist and are healthy.
    Set-MailboxServer <server> -DatabaseCopyActivationDisabledAndMoveNow $true

  5. Verify that no mailbox databases are mounted on the server.

    Get-MailboxDatabaseCopyStatus

  6. Run below command to block databases being automatically activated on the specified Mailbox server.
    Set-MailboxServer <server> -DatabaseCopyAutoActivationPolicy Blocked

  7. Run below command to put the state of all components together to Inactive.
    Set-ServerComponentState <server> -Component ServerWideOffline -State Inactive -Requester Maintenance

  8. Close PowerShell.

Upgrade Schema

Now that the server has been put to maintenance mode and you are ready to proceed with the Upgrade process. First thing we need to do is, update the schema. This is critical because without the required schema updates, the setup will not proceed.

  1. Run command prompt as Administrator.
  2. Run below command
    Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

  3. Run below command
    Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms

  4. Run below command
    Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

  5. Navigate to the Exchange installation binaries folder.
  6. Run setup.exe.
  7. On the Check for Updates window, select your choice and click OK.
  8. On the Upgrade window, click Next.
  9. On the License Agreement page select “I accept ….” and click Next.
  10. On the Readiness Check page, ensure no prerequisites are pending. Click Next to proceed.
  11. Now the installation will proceed.
  12. Once the installation is finished, click Finish.
  13. Restart the server.

 

Now that the server has been upgraded successfully we can resume Exchange services back to normal mode. Follow the below steps.

  1. Run Exchange PowerShell as Administrator.
  2. Run below command to enable connections on the Hub Transport service.
    Set-ServerComponentState <SERVER> -Component HubTransport -State Active -Requester Maintenance

  3. Run below command to enable cluster services
    Resume-ClusterNode <SERVER>

  4. Run below command to enable databases from being mounted on the server.
    Set-MailboxServer <server> -DatabaseCopyActivationDisabledAndMoveNow $false

  5. Run below command to enable databases being automatically activated on the specified Mailbox server.
    Set-MailboxServer <server> -DatabaseCopyAutoActivationPolicy Unrestricted

  6. Run below command to put the state of all components together to Activate.
    Set-ServerComponentState <server> -Component ServerWideOffline -State Active -Requester Maintenance

  7. Close PowerShell.

Now that your server is back in the game. It’s time to upgrade the second server. Perform the steps above from the beginning to do so.

Happy Upgrading!! J

Written by judeperera

January 6, 2017 at 11:45 am

Can I Add Remove Exchange Server 2013 Roles ? Watch out!

leave a comment »

With the all new architecture, Exchange Server 2013 RTM now only has 2 Primary Server Roles; Client Access and Mailbox. This however took a slight change of path with the Messaging team finally deciding to add Edge Transport role to the stack as well. Still, comparing to the previous Exchange Server versions, this is a totally different architecture in terms of almost everything.

One major thing that someone should very well focus on is the design. You should be pretty much sure on what roles that you are going to assign for your servers with the options of;

  • Install Standalone Server Roles*
  • Combine Server Roles

*Edge role cannot be collocated/combined with any other server role.

Now even with the above option, there is a tricky point for you when it comes to installing and uninstallation of the roles.

  1. You CAN install one exchange server role (MBX/CAS), and later add the other  role(CAS/MBX) to the existing server.

add

BUT

  1. You CANNOT remove a server role  in a multi-role server with both CAS and MBX installed.

remove

This scenario should be taken quite seriously since there should be no room for any changes once you install both roles. So let’s say what if you came across in a situation like this? Well, the only option is to remove/uninstall the server completely and re-deploy. Which! is going to be a pain for sure!

 

The above is valid for the following Exchange Server 2013 versions as mentioned here;

  • Exchange Server 2013 RTM
  • Exchange Server 2013 CU 1
  • Exchange Server 2013 CU 2

If it’s still the same for CU 3 and SP1? Well, I shall post ASAP and if you were able to check it out, let me know.

Cheers!!!

 

Written by judeperera

May 6, 2014 at 12:13 pm

Step by Step Guide for Installing Exchange Server 2013 Preview

with 78 comments

Update(2014-11-07): Covers the RTM installation.

The following section describes a step-by-step guide for the installation of Microsoft® Exchange Server 2013 Preview. The installation considers a single server deployment of Exchange Server 2013 with the Mailbox and Client Access Server roles collocated. Additional details of the topology and architecture of the lab environment which was used in the installation is described here;

Read the rest of this entry »

Written by judeperera

July 19, 2012 at 7:45 pm

Lync Server 2013 Preview Download Available Now

leave a comment »

It indeed has been a wonderful day for me with Microsoft. And that’s true for all IT Pro’s as well who are eager to test drive the next version of their skilled technology. With Office 2013 going as a ppublic beta, Microsoft has made Exchange Server 2013, Lync Server 2013 and SharePoint 2013 Preview versions as well for us to play before everything gets RTM’ed.

And for all Lync enthusiasts, they can get the download of the latest public preview right from the following image (click to download) which requires you to sign-in using a Live-ID.

Additionally, the following material are available online for references as well;

 

Want more?

Check out the official Lync 2013 Preview page over at http://lync.microsoft.com/en-us/Pages/Lync-2013-Preview.aspx

Happy Testing everyone 🙂

Written by judeperera

July 16, 2012 at 8:31 pm