Renew Exchange Certificate Self Sign

Exchange Server 2007: Renewing the self-signed certificate

Exchange Server 2007 issues itself a self-signed certificate for use with services like SMTP, IMAP, POP, IIS and UM. The certificate is issued for a period of one year.

The self-signed certificate meets an important need – securing communication paths for Exchange services by default. Nevertheless, one should treat these certificates as temporary. Although the self-signed certificates work perfectly well for internal SMTP communication between Hub Transport servers, and between Hub Transport and Edge Transport servers, it’s not recommended to use them for any client communication on an ongoing basis. For most deployments, you will end up procuring a certificate from a trusted 3rd-party CA (or perhaps an internal CA in organizations with PKI deployed).

Should you decide to leave the self-signed certificate(s) on some servers and continue to use them, these will need to be renewed when they expire — just as you would renew certificates from 3rd-party or in-house CAs.

1. To renew the certificate for server e12postcard.e12labs.com, a server with the CAS and HT roles installed:

Get-ExchangeCertificate -domain "e12postcard.e12labs.com" | fl

Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate.

2. Get a new certificate with a new expiration date by cloning the existing one:

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

To create a new certificate with an exportable private key, use the PrivateKeyExportable parameter. For example:
New-ExchangeCertificate -PrivateKeyExportable $true

If the existing certificate is being used as the default SMTP certificate, you will get the following prompt. The default SMTP certificate is used to encrypt SMTP sessions between transport servers in your organization.
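The steps above, wrapped in a script that finds the self-signed certificates about to expire, clones each one and re-binds the same services. This is an added example, not code from the original post; it assumes the Exchange 2007 SP1 Exchange Management Shell (Get-ExchangeCertificate, New-ExchangeCertificate, Enable-ExchangeCertificate) and that the string form of a certificate's Services property is accepted by Enable-ExchangeCertificate -Services. The -DaysBeforeExpiry, -ExportablePrivateKey and -Apply parameters are this script's own:

```powershell
# Added example (not code from the original post): renew every self-signed
# Exchange 2007 certificate that expires within a given window, re-enable the
# same services on the new certificate, and print the old and new thumbprints.
# Run in the Exchange Management Shell on the server being renewed.
# Assumptions: Get-/New-/Enable-ExchangeCertificate behave as on Exchange 2007
# SP1, and the string form of the Services property ("IMAP, POP, IIS, SMTP")
# is accepted back by Enable-ExchangeCertificate -Services.
param(
    [int]$DaysBeforeExpiry = 30,    # renew certificates that expire within this many days
    [switch]$ExportablePrivateKey,  # mirrors New-ExchangeCertificate -PrivateKeyExportable $true
    [switch]$Apply                  # without -Apply nothing is changed, only reported
)

$cutoff = (Get-Date).AddDays($DaysBeforeExpiry)

# Candidates: certificates Exchange issued to itself that are bound to at least
# one service. CA-issued certificates are renewed through the CA, not cloned.
$candidates = Get-ExchangeCertificate | Where-Object {
    $_.IsSelfSigned -and ($_.Services.ToString() -ne 'None') -and ($_.NotAfter -le $cutoff)
}

if (-not $candidates) {
    Write-Host ("No self-signed certificate in use expires before {0:yyyy-MM-dd}." -f $cutoff)
    return
}

foreach ($old in $candidates) {
    $services = $old.Services.ToString()              # e.g. "IMAP, POP, IIS, SMTP"
    $domains  = [string]::Join(',', @($old.CertificateDomains | ForEach-Object { "$_" }))
    Write-Host ("Expiring: {0}  NotAfter={1:yyyy-MM-dd}  Services={2}  Domains={3}" -f `
        $old.Thumbprint, $old.NotAfter, $services, $domains)

    if (-not $Apply) { continue }

    # Clone the certificate: same subject and domain names, new validity period.
    # If the old certificate is the default SMTP certificate, New-ExchangeCertificate
    # prompts before overwriting it (the prompt mentioned above).
    if ($ExportablePrivateKey) {
        $new = $old | New-ExchangeCertificate -PrivateKeyExportable $true
    } else {
        $new = $old | New-ExchangeCertificate
    }

    # Bind the new certificate to exactly the services the old one served.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services

    Write-Host ("Renewed:  {0} -> {1}  NotAfter={2:yyyy-MM-dd}" -f `
        $old.Thumbprint, $new.Thumbprint, $new.NotAfter)
}
```

Run it once without -Apply to see which certificates would be renewed, then with -Apply. Afterwards confirm with Get-ExchangeCertificate | fl that the new thumbprint carries the expected services and NotAfter date, and remove the expired certificate with Remove-ExchangeCertificate once nothing references it; an exportable private key should only be requested when the certificate genuinely has to be copied to another server.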


Dsquery Command

Description: Finds domain controllers according to specified search criteria.

Syntax: dsquery server [-o {dn | rdn}] [-forest]
    [-domain <DomainName>] [-site <SiteName>]
    [-name <Name>] [-desc <Description>]
    [-hasfsmo {schema | name | infr | pdc | rid}] [-isgc]
    [{-s <Server> | -d <Domain>}] [-u <UserName>]
    [-p {<Password> | *}] [-q] [-r] [-gc]
    [-limit <NumObjects>] [{-uc | -uco | -uci}]

-forest

Finds all domain controllers (DCs) in the current forest.

Example:

C:\Documents and Settings\shabari>dsquery server -forest -limit 05

“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory2,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJHQ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJHQ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=DcinsideactivedirectoryG1,CN=Servers,CN=Georgia,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

-domain <DomainName>

Finds all DCs in the domain with a DNS name matching <DomainName>.

Example:

C:\Documents and Settings\shabari>dsquery server -domain insideactivedirectory.net -u insideactivedirectory\shabari -p *

Enter Password:*******

“CN=DC1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=,DC=insideactivedirectory,DC=com”
“CN=DC2,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=,DC=insideactivedirectory,DC=com”
“CN=DC3,CN=Servers,CN=Paris,CN=Sites,CN=Configuration,DC=,DC=insideactivedirectory,DC=com”
“CN=DC4,CN=Servers,CN=Paris,CN=Sites,CN=Configuration,DC=,DC=insideactivedirectory,DC=com”

-site <SiteName>

Finds all DCs that are part of site <SiteName>.

Example:

C:\Documents and Settings\shabari>dsquery server -site bangalore

“CN=Dcinsideactivedirectory4,CN=Servers,CN=Bangalore,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory1,CN=Servers,CN=Bangalore,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory2,CN=Servers,CN=Bangalore,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
-name <Name>

Finds DCs with names matching the value given by <Name>, e.g., “NA*” or “Europe*” or “j*th”.

Example:

C:\Documents and Settings\shabari>dsquery server -name dcinsideactivedirectory1

“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

-desc <Description>

Finds DCs with descriptions matching the value given by <Description>, e.g., “corp*” or “j*th”.

Example:

C:\Documents and Settings\shabari>dsquery server -desc NYJ*

“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

-hasfsmo {schema | name | infr | pdc | rid}

Finds the DC that holds the specified Flexible Single-master Operation (FSMO) role. (For the “infr,” “pdc” and “rid” FSMO roles, if no domain is specified with the -domain parameter, the current domain is used.)

Example:

C:\Documents and Settings\shabari>dsquery server -hasfsmo schema

“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

C:\Documents and Settings\shabari>dsquery server -hasfsmo name

“CN=Dcinsideactivedirectory2,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

C:\Documents and Settings\shabari>dsquery server -hasfsmo infr

“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

C:\Documents and Settings\shabari>dsquery server -hasfsmo pdc

“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

C:\Documents and Settings\shabari>dsquery server -hasfsmo rid

“CN=Dcinsideactivedirectory3,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

-isgc

Finds all DCs that are also global catalog servers (GCs) in the specified scope (if none of the -forest, -domain or -site parameters is given, all GCs in the current domain are found).

Example:

C:\Documents and Settings\shabari>dsquery server -isgc

“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory2,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJHQ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJHQ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”
“CN=Dcinsideactivedirectory2,CN=Servers,CN=NYJHQ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com”

Remarks:

The dsquery commands help you find objects in the directory that match specified search criteria: the input to dsquery is a set of search criteria and the output is a list of matching objects. To get the properties of a specific object, use the dsget commands (dsget /?). If a value that you supply contains spaces, put quotation marks around it (for example, "CN=JohnSmith,CN=Users,DC=microsoft, DC=com"). If you enter multiple values, separate them with spaces.
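The output of dsquery server is one quoted DN per line, so the natural follow-up is to parse it and cross-reference scopes. The script below, added here and not part of the original post, turns the DN lines into objects (DC name, site, domain) and lists the domain controllers in the forest that are not global catalogs, the kind of inventory you want before hardening or monitoring DCs. It runs against sample lines constructed from the DNs shown on this page unless -Live is given, in which case it calls dsquery.exe (AD DS command-line tools required); it needs PowerShell 3.0 or later and assumes every DN has the CN=<dc>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,... shape shown above.

```powershell
# Added example (not part of the original post): parse "dsquery server" output
# and list forest DCs that are NOT global catalogs. Sample data is constructed
# from the DNs on this page; -Live runs dsquery.exe instead.
param([switch]$Live)

function ConvertFrom-DcDn {
    # Turn one DN line printed by "dsquery server" into an object (Name, Site, Domain, Dn).
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $dn = $Line.Trim().Trim('"', [char]0x201C, [char]0x201D)   # strip straight or curly quotes
        if ($dn -match '^CN=(?<dc>[^,]+),CN=Servers,CN=(?<site>[^,]+),CN=Sites,CN=Configuration,(?<domain>DC=.+)$') {
            # "DC=insideactivedirectory,DC=com" -> "insideactivedirectory.com"; empty DC= parts are dropped
            $parts = $Matches['domain'] -split ',' | ForEach-Object { $_ -replace '^DC=', '' }
            [PSCustomObject]@{
                Name   = $Matches['dc']
                Site   = $Matches['site']
                Domain = ($parts | Where-Object { $_ }) -join '.'
                Dn     = $dn
            }
        } else {
            Write-Warning "Unrecognised DN: $dn"
        }
    }
}

function Get-DcList {
    # Run "dsquery server" with the given scope arguments (or use sample lines) and parse the result.
    # "-limit 0" tells dsquery to return every match instead of the default 100.
    param([string[]]$DsqueryArgs, [string[]]$SampleLines)
    $lines = if ($Live) { & dsquery.exe server @DsqueryArgs -limit 0 } else { $SampleLines }
    $lines | Where-Object { $_ -match 'CN=' } | ConvertFrom-DcDn
}

# Constructed sample output (DNs taken from this page; which DCs are GCs is made up).
$sampleForest = @(
    '"CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com"',
    '"CN=Dcinsideactivedirectory2,CN=Servers,CN=NYJ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com"',
    '"CN=Dcinsideactivedirectory1,CN=Servers,CN=NYJHQ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com"',
    '"CN=Dcinsideactivedirectory2,CN=Servers,CN=NYJHQ,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com"',
    '"CN=DcinsideactivedirectoryG1,CN=Servers,CN=Georgia,CN=Sites,CN=Configuration,DC=insideactivedirectory,DC=com"'
)
$sampleGc = $sampleForest[0..3]   # constructed: the Georgia DC is not a global catalog

$all = Get-DcList -DsqueryArgs @('-forest')          -SampleLines $sampleForest
$gcs = Get-DcList -DsqueryArgs @('-isgc', '-forest') -SampleLines $sampleGc

$gcDns = @{}
foreach ($g in $gcs) { $gcDns[$g.Dn] = $true }

'Domain controllers per site:'
$all | Group-Object Site | ForEach-Object { '  {0,-10} {1}' -f $_.Name, ($_.Group.Name -join ', ') }

''
'DCs that are not global catalogs:'
$all | Where-Object { -not $gcDns.ContainsKey($_.Dn) } | Format-Table Name, Site, Domain -AutoSize
```

The same ConvertFrom-DcDn function works on the -hasfsmo output above, so the FSMO role holders can be recorded as objects alongside the site they live in.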

Cheerio,

Dinesh Patil

 

Outlook Anywhere – Ipv6 issue

Outlook Anywhere Bug with Windows Server 2008

As an IT admin it will happen to all of us at some point; there will be that problem that seems like you are 10 minutes away from fixing that quickly turns into 10 hours and then 2, 3, even 5+ days.  Before you know it, you have spent a week with nearly zero sleep and a lot of caffeine and then you finally realize that you are not any further along than when you started.  I spent the last week banging my head up against a wall trying to get a client's new Windows Server 2008 and Exchange 2007 SP1 environment up and running, only to find out that Microsoft has a crippling bug in Windows Server 2008 that won’t allow Outlook Anywhere (a.k.a. RPC over HTTP) to run in its default configuration.

The most unfortunate part about this is that Microsoft is still yet to release any information publicly about this problem, which is really sad because they generally do such a great job of at least posting limitations of their products on many of their wonderful blogs.  I had to search the Internet and eventually found articles that led me in the right direction but I was never able to find a blog/article that outlined the exact steps that I used to fix/diagnose Outlook Anywhere which is why I really felt the need to write this post.

 

The basis of the problem is that Windows Server 2008 (like Windows Vista) gives precedence to IPv6 over IPv4 and this is especially a problem if you have your mailbox and CAS on the same server (the normal default configuration).  Let me start from the beginning though in describing how the bug can be replicated, diagnosed, and then fixed.

Replication:

Normally, if you wanted to start using Outlook Anywhere on an Exchange 2007/Windows 2008 Server, the first command you would enter into a command prompt would be:

ServerManagerCmd -i RPC-over-HTTP-proxy

After this you would wait a few minutes while the server installs the RPC over HTTP proxy into IIS 7.  I generally restart the server at this point even though you don’t have to.

The most important part of this next step is to be patient (specifically, about 15 minutes).  Now you need to actually enable Outlook Anywhere using either the Exchange Management Console or the Exchange Management Shell.  I prefer the shell and it is easier to show on the blog so this is approximately what the command should look like:

[PS] C:\>Enable-OutlookAnywhere -Server host.domain.tld -DefaultAuthenticationMethod:Basic -SSLOffloading:$false

Now you have to wait about 15 minutes for the server to register an Event ID 3006 in the Application log:

Log Name:      Application
Source:        MSExchange RPC Over HTTP Autoconfig
Date:          3/25/2008 1:26:55 AM
Event ID:      3006
Task Category: General
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      host.domain.tld
Description:
The Outlook Anywhere feature has been enabled. The ValidPorts registry setting has been modified to reflect this change.

New value:     HOST:6001-6002; HOST:6004;host.domain.tld:6001-6002; host.domain.tld:6004

Now set up an Outlook 2007 client and connect it to the mailbox using the correct settings for Outlook Anywhere access (Autodiscover should take care of this for you if you have it set up properly).  Then at this point everything should be working, right? WRONG! Don’t make the same mistake I did and keep trying to fix something that just can’t be fixed (unless you work at Microsoft, and if you do, please contact me via the contact page so we can work out a hotfix together).  You can now go to your Outlook icon in the system tray and ctrl+click on it to bring up the “Connection Status” window.  In it you will notice that things aren’t connecting exactly as they should (YMMV from the picture below since I took this after-the-fact just trying to reproduce what you may see):

Directory Disconnect

Diagnosis:

This is the part that drove me crazy and I honestly couldn’t have diagnosed it on my own if it weren’t for some pointers on the Internet which I want to cite here and here.  I’d suggest you read those two links for starters since they are where I learned about the problem from, but to be honest, the reason why it took me so long to find these posts was because I was beyond baffled and was originally looking down the completely wrong paths for a solution.  I could go on and on explaining all of the things that I thought were leading to the problem, but it would be a waste of time since the bug is so obvious now.

The problem here is that the RPC over HTTP proxy cannot reach the local host on port 6004, because a bug causes Windows Server 2008 not to listen for connections on port 6004 over IPv6.  This can be confirmed by pulling up a command prompt and typing:

netstat -a -n

The netstat command will return a bunch of source/destination IP addresses and ports, but what is really important to us is the ports relevant to the RPC over HTTP proxy which will be these parts of the output as seen below:

TCP 0.0.0.0:6001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6004 0.0.0.0:0 LISTENING
TCP [::]:6001 [::]:0 LISTENING
TCP [::]:6002 [::]:0 LISTENING

As we can see, the server is for some reason not listening on port 6004 over IPv6 (there is no [::]:6004 entry, so nothing answers on the IPv6 loopback either).  This tells us a couple of things, but most importantly, someone at Microsoft really screwed up by letting this one out the door without fixing it (especially since it was known about in the RC stage).  It also tells us that we can work around the problem by disabling IPv6 entirely.

You can confirm that the server isn’t listening on port 6004 by using telnet to connect to localhost on port 6004 (FYI, the telnet client and server are not installed by default in Windows Server 2008):

telnet localhost 6004
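The netstat check above can be made repeatable. The script below, an added example rather than code from the original post, parses netstat -a -n output and reports, for each RPC over HTTP proxy port (6001, 6002, 6004), whether an IPv4 and an IPv6 listener exists; a port with an IPv4 listener only is exactly the condition that breaks a client whose localhost resolves to ::1 first. Without -Live it parses sample output constructed from the listing in this post, so it can be tried anywhere; with -Live it runs netstat on the local server. Requires PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): check that the RPC over HTTP proxy
# ports are listened on over both IPv4 and IPv6 by parsing "netstat -a -n".
param([switch]$Live)

$RpcProxyPorts = 6001, 6002, 6004   # ports named in the ValidPorts value logged by event 3006

function Get-ListeningPorts {
    # Return one object per LISTENING TCP socket: Family (IPv4/IPv6), Address, Port.
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        # "TCP  <addr>:<port>  <remote>  LISTENING"; IPv6 addresses are bracketed, e.g. [::]:6001
        if ($line -match '^\s*TCP\s+(?<addr>\[[^\]]*\]|[0-9.]+):(?<port>\d+)\s+\S+\s+LISTENING') {
            [PSCustomObject]@{
                Family  = if ($Matches['addr'].StartsWith('[')) { 'IPv6' } else { 'IPv4' }
                Address = $Matches['addr']
                Port    = [int]$Matches['port']
            }
        }
    }
}

function Test-RpcProxyListeners {
    # For each RPC proxy port, report whether an IPv4 and an IPv6 listener exists.
    param([string[]]$NetstatLines)
    $listeners = Get-ListeningPorts -NetstatLines $NetstatLines
    foreach ($port in $RpcProxyPorts) {
        $v4 = [bool]($listeners | Where-Object { $_.Port -eq $port -and $_.Family -eq 'IPv4' })
        $v6 = [bool]($listeners | Where-Object { $_.Port -eq $port -and $_.Family -eq 'IPv6' })
        $missing = @()
        if (-not $v4) { $missing += 'IPv4' }
        if (-not $v6) { $missing += 'IPv6' }
        [PSCustomObject]@{ Port = $port; IPv4 = $v4; IPv6 = $v6; Missing = ($missing -join ',') }
    }
}

# Constructed sample, shaped like the netstat excerpt in this post (6004 has no IPv6 listener).
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State',
    '  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:6004           0.0.0.0:0              LISTENING',
    '  TCP    [::]:6001              [::]:0                 LISTENING',
    '  TCP    [::]:6002              [::]:0                 LISTENING',
    '  TCP    127.0.0.1:80           127.0.0.1:49152        ESTABLISHED'
)

$lines  = if ($Live) { netstat -a -n } else { $sample }
$report = Test-RpcProxyListeners -NetstatLines $lines
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Missing }) {
    Write-Warning 'At least one RPC proxy port has no listener for an address family; a client that resolves the host name to that family will fail on that port.'
}
```

On the sample data the report shows 6001 and 6002 with both families and 6004 with Missing=IPv6, which is the symptom this post describes; after the fix below (or a proper hotfix) the expectation is either both families listening or IPv6 disabled so that nothing resolves to ::1 any more.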

Fix:

IPv6 is disabled the same way in Windows Server 2008 as it is in Windows Vista, but just for good measure, I recommend that you also uncheck IPv6 TCP/IP on your NIC through the “Manage Network Connections” control panel. But to truly disable IPv6 you need to open regedit and navigate to:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

Then add a 32-bit DWORD value named DisabledComponents and set it to 0xff. This disables IPv6 on all interfaces and all tunneling interfaces, but unfortunately it still doesn’t disable the loopback interface. To disable the loopback interface you will need to comment out the following line in your hosts file under %SYSTEMROOT%\System32\drivers\etc\:

::1 localhost

…by changing it to:

# ::1 localhost

…and while you’re at it you may as well add a couple more lines to directly map your HOSTNAME and FQDN to your IPv4 address of the Exchange server.  In the end your hosts file should look something like this:

10.0.0.10 host.domain.tld
10.0.0.10 HOST
127.0.0.1 localhost
# ::1 localhost

I would now recommend rebooting your server so that the registry changes take effect.  Once your server has rebooted you should now be able to run ipconfig without seeing all of the extra IPv6 tunneling interfaces; the only thing that should be visible is the IPv4 network interface. You should also now be able to successfully issue a:

telnet localhost 6004

The final and most important confirmation that this all worked will be to log on to a client workstation again and open up the connection status in Outlook 2007 to make sure that both the Directory and Mail are connected via RPC over HTTPS.
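The registry and hosts-file steps above, applied in one repeatable, reviewable script: an added example, not code from the original post. It reports the current state, does nothing unless -Apply is given, keeps a timestamped backup of the hosts file, and is idempotent (an already commented ::1 line or an already present mapping is left alone). -IPv4Address and -Fqdn are placeholders for the Exchange server's own address and name. It uses 0xFF for DisabledComponents as the post does; Microsoft's documentation of that value also defines 0x20, which leaves IPv6 enabled but makes Windows prefer IPv4 in its prefix policy, so -DisabledComponents 0x20 is the less invasive setting to try first if disabling IPv6 outright is not acceptable. Run it from an elevated PowerShell and reboot afterwards.

```powershell
# Added example (not from the original post): apply the IPv6 workaround described
# above in a repeatable way. Nothing is written unless -Apply is given.
param(
    [Parameter(Mandatory = $true)][string]$IPv4Address,   # placeholder, e.g. 10.0.0.10
    [Parameter(Mandatory = $true)][string]$Fqdn,          # placeholder, e.g. host.domain.tld
    [uint32]$DisabledComponents = 0xFF,                   # 0xFF as in the post; 0x20 = prefer IPv4 only
    [switch]$Apply
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$shortName = ($Fqdn -split '\.')[0].ToUpper()

# --- Registry: DisabledComponents (REG_DWORD) ---
$current = (Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
$currentText = if ($null -eq $current) { '<absent>' } else { '0x{0:X}' -f $current }
Write-Host ('DisabledComponents: current={0} desired=0x{1:X}' -f $currentText, $DisabledComponents)
if ($Apply -and ($current -ne $DisabledComponents)) {
    Set-ItemProperty -Path $regPath -Name DisabledComponents -Value $DisabledComponents -Type DWord
    Write-Host 'DisabledComponents written; it takes effect after a reboot.'
}

# --- hosts file: comment out "::1 localhost", add IPv4 mappings for FQDN, short name, localhost ---
$lines = @(Get-Content -Path $hostsPath)
$new = @(); $log = @()
foreach ($l in $lines) {
    if ($l -match '^\s*::1\s+localhost\b') { $new += "# $l"; $log += "comment out: $l" } else { $new += $l }
}
foreach ($entry in @("$IPv4Address $Fqdn", "$IPv4Address $shortName", "127.0.0.1 localhost")) {
    $ip, $name = $entry -split ' ', 2
    # Present already if an uncommented line maps exactly this name to this address.
    $rx = '^\s*' + [regex]::Escape($ip) + '\s+' + [regex]::Escape($name) + '\s*(#.*)?$'
    if (-not ($new | Where-Object { $_ -match $rx })) { $new += $entry; $log += "add: $entry" }
}

if (-not $log) {
    Write-Host 'hosts file already in the desired state.'
} else {
    $log | ForEach-Object { Write-Host "hosts: $_" }
    if ($Apply) {
        Copy-Item -Path $hostsPath -Destination ('{0}.bak-{1:yyyyMMddHHmmss}' -f $hostsPath, (Get-Date))
        Set-Content -Path $hostsPath -Value $new -Encoding ASCII
        Write-Host 'hosts file written; backup kept alongside it. Reboot so the registry change takes effect.'
    } else {
        Write-Host 'Dry run: re-run with -Apply to write these changes.'
    }
}
```

After the reboot, the netstat or telnet check above is the confirmation that matters; because hosts-file entries override DNS, also verify that ping -4 against the FQDN and short name resolves to the address you mapped.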

Side Notes:

I have been unsuccessful at setting up NTLM passthrough authentication in Outlook Anywhere on Windows Server 2008. For some reason NTLM continually causes Test-OutlookWebServices to fail the RPC test, but when I Set-OutlookAnywhere to -DefaultAuthenticationMethod:Basic I don’t have any problems other than that users complain about having to enter their password every time Outlook opens. If anyone has any advice on this topic, please comment.

Now get off the caffeine and get some sleep.

Why are my Outbound Queues Filling up with Mail that we didn’t send?

If emails are building up on your Exchange 2003 server and you don’t recognise any of the destination addresses, you have a problem that needs resolving.   To work out what the problem is, double-click one of the unknown domain-name queues, click the Find Now button, then double-click one of the messages that are returned.

Look at the sender of the message.  If the sender is postmaster@yourdomain.com, you are suffering from a Non Delivery Attack.  If the sender is a random user not in your organisation, then you are suffering from an Authenticated Relay attack.

Non Delivery Attack:

To prevent a Non-Delivery Attack, please turn on Recipient Filtering to reject recipients not in your organisation:

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

The reason for this is that you are currently accepting messages for anyone at yourcompany, even made-up names.  If the recipient does not exist, your server sends a Non-Delivery Report back to the sending email address; as spammers usually make up the sender address, that report often has nowhere to go because the domain is invalid.  Some of the sender addresses spammers use will be valid, though, so some Non-Delivery Reports will be sent to people who never emailed you in the first place, and they may report you as a spammer.  Mail of this type is known as Backscatter and it can get you Blacklisted.  Please see http://en.wikipedia.org/wiki/Backscatter_(e-mail) for more details.

If you also turn on Recipient Filtering, your server will reject recipients that are not setup on your server and the sending mail server will be responsible for sending a Non Delivery Report, not your server, thus shifting the problem back onto the spammer – http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

Another tool that you can use to slow down spammers is to implement something called Tarpitting, which forces a delay into the mail-flow process for anyone sending mail to an invalid address on your server.  This means that anyone targeting your server will spend lots of time waiting for a response from your server, slowing them down – http://support.microsoft.com/kb/842851

Authenticated Relay Attack:

If the sender is not postmaster@yourdomain.com but some random address, open Exchange System Manager and expand Servers, right-click the server name and choose Properties, then select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window raise the logging level for Authentication to Maximum.  Once you have done this, watch your Application event log for event ID 1708; it should soon become apparent which account is being abused.  Once you know which account it is, change its password, stop and restart the Simple Mail Transfer Protocol service, and then clean up your queues (the Administrator account is the usual target for spammers).  Here is a good document to help you clean up – http://www.amset.info/exchange/spam-cleanup.asp
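The two triage rules in this post (postmaster sender means backscatter, external sender means authenticated relay) and the event 1708 hunt can be scripted. The script below is an added example, not code from the original post: Get-QueueAttackType classifies a queued message by its sender, and Get-SuspectRelayAccounts counts which account each MSExchangeTransport 1708 event names, so the most abused account floats to the top. Without -Live it runs on constructed sample data; with -Live it reads the local Application log after Authentication logging has been raised as described above. The account regex (DOMAIN\user or user@domain) is an assumption about the event text, not the documented format of event 1708, and -YourDomain is a placeholder for your own mail domain.

```powershell
# Added example (not from the original post): classify outbound-queue senders
# and tally MSExchangeTransport 1708 events by account. Sample data is constructed.
param(
    [Parameter(Mandatory = $true)][string]$YourDomain,   # placeholder, e.g. yourdomain.com
    [switch]$Live
)

function Get-QueueAttackType {
    # Apply the post's two rules to one queued message's sender address.
    param([string]$Sender, [string]$Domain)
    if ($Sender -ieq "postmaster@$Domain")   { 'NonDeliveryAttack (backscatter)' }
    elseif ($Sender -notlike "*@$Domain")    { 'AuthenticatedRelayAttack' }
    else                                     { 'Unclassified (sender is in your domain)' }
}

function Get-SuspectRelayAccounts {
    # Count how often each account appears in 1708 events; the top entry is the
    # account whose credentials are most likely being used to relay.
    param([object[]]$Events)
    # ASSUMPTION: the event text contains the account as DOMAIN\user or user@domain.
    $pattern = '(?<acct>(?:[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$-]+)|(?:[A-Za-z0-9_.+-]+@[A-Za-z0-9.-]+))'
    $Events |
        Where-Object { $_.EventID -eq 1708 -and $_.Source -eq 'MSExchangeTransport' } |
        ForEach-Object { if ($_.Message -match $pattern) { $Matches['acct'].ToLower() } } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
}

# Constructed sample queue entries (sender addresses as seen in Queue Viewer).
$sampleQueue = @(
    @{ Queue = 'example-recipient.invalid'; Sender = "postmaster@$YourDomain" },
    @{ Queue = 'another.invalid';           Sender = 'randomuser@some-other-domain.example' }
)

# Constructed sample events shaped like Get-EventLog output; the wording is made up.
$sampleEvents = @(
    (New-Object PSObject -Property @{ EventID = 1708; Source = 'MSExchangeTransport'; Message = 'SMTP authentication succeeded for EXAMPLE\administrator from 198.51.100.7' }),
    (New-Object PSObject -Property @{ EventID = 1708; Source = 'MSExchangeTransport'; Message = 'SMTP authentication succeeded for EXAMPLE\administrator from 198.51.100.9' }),
    (New-Object PSObject -Property @{ EventID = 1708; Source = 'MSExchangeTransport'; Message = 'SMTP authentication succeeded for EXAMPLE\jsmith from 192.0.2.15' }),
    (New-Object PSObject -Property @{ EventID = 1704; Source = 'MSExchangeTransport'; Message = 'unrelated event' })
)

'Queue triage:'
foreach ($q in $sampleQueue) {
    '  {0,-28} sender={1,-42} => {2}' -f $q.Queue, $q.Sender, (Get-QueueAttackType -Sender $q.Sender -Domain $YourDomain)
}

$events = if ($Live) { Get-EventLog -LogName Application -Newest 5000 } else { $sampleEvents }
''
'Accounts named in MSExchangeTransport 1708 events (most frequent first):'
Get-SuspectRelayAccounts -Events $events | Format-Table -AutoSize
```

On the sample data the first queue entry is classified as a Non-Delivery attack and the second as an authenticated relay attack, and example\administrator tops the 1708 tally with two events, which mirrors the post's note that the Administrator account is the usual target. With -Live, a single account dominating the count from addresses you do not recognise is the signal to reset its password and restart the SMTP service as described above.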
