Shulou(Shulou.com)06/02 Report--

Environment description

=

2 AD servers, system Windows Server 2012 R2, forest and domain functional level Windows Server 2012 R2

Exchange version is Exchange 2016 CU6

Problem description

=

After the Exchange installation is complete, OWA\ ECP cannot be opened, PS can be opened normally, and the management web page produced by the installer can be opened normally.

In the application log, you can see events such as 2004, 1309, 2005, etc.

Analysis of problems

=

When Exchange 2016 is installed, a self-issued certificate "Microsoft Exchange Server Auth Certificate" is created for authentication between servers and OAuth integration within the organization

If the "Exchange Server Authcertificate" certificate is missing, there will be a problem of ECP/OWA access errors; at the same time, we will also see 2004, 2005, 1309 and other events in the application log

Therefore, we need to check the certificates of all servers with the following command. If only some of the servers are missing, please export (including the private key) from the normal server and then import the machine in question. If all the servers are missing, please install the solution operation in the next section.

Get-ExchangeCertificate (Get-AuthConfig). CurrentCertificateThumbprint

Problem handling steps

=

Log in to Exchange Server and start the Exchange Management Shell

Create a new certificate using EMS cmdlet.

New-ExchangeCertificate-KeySize 2048-PrivateKeyExportable $true-SubjectName "CN = Microsoft ExchangeServer Verification Certificate"-DomainName "* .DOMAINNAME.COM"-FriendlyName "MicrosoftExchange Server Verification Certificate"-Service SMTP

You will be prompted to overwrite the default SMTP certificate, type "N" and press Enter to answer "No"

Copy the certificate fingerprint as needed to enter the certificate fingerprint later

Use this cmdlet to save the current date to an object

$date = Get-Date

Run cmdlet to set the authentication configuration for the Exchange server. You will be prompted that the effective date of the new certificate will be at least "48" hours in the future and may not be deployed on all required servers. Ignore this prompt and type Yes to continue or press Enter. The default answer is yes.

Set-AuthConfig-NewCertificateThumbprint certificate_thumbprint-NewCertificateEffectiveDate$ date

Use the following command to publish a new certificate:

Set-AuthConfig-PublishCertificate

If you have an old certificate, you need to run the following cmdlet to clear the previous certificate:

Set-AuthConfig-ClearPreviousCertificate

After the certificate configuration is completed in the Exchange Management Shell, restart the IIS service, which repairs the certificate warning message from the event Viewer.

It should be noted that the above actions may not take effect immediately and will take some time (within 48 hours).

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.