DAG Sendmail issues 4 days after DAG creation

Have had Exchange 2013 running on a virtual machine for a couple of months now without issues, other than some serious throttling issues, which we resolved by bypassing Exchange.

I installed a second Exchange 2013 server on a physical server and created an active/passive DAG on Sunday the 18th. Everything tested fine as far as email flowing inbound and outbound, both plain text and through our ZIX server.

On Thursday the 23rd, everyone in the company received a certificate warning when logging into Outlook, any version.

At the same time, I noticed that any job from any of our 4 job servers that had email tasks going through the Exchange server also failed with the following error.

Source: Send Duplicate Attempt Send Mail Task     Description: An error occurred with the following error message: "Service not available, closing transmission channel. The server response was: 4.3.2 Service not available".

We drained the physical Exchange server's queues and powered it down; no more certificate errors, and no more jobs failing.

Not sure where to begin looking.
  • Edited by timwtaylor Wednesday, July 29, 2015 4:16 PM
July 29th, 2015 4:15pm

I have gone into Failover Cluster Manager and paused the second server.

It does not have the SAN certificate installed.

I go to the first server and attempt to export the GoDaddy certificate and get an error that the private key is not exportable.

From what I have found, and I want to make sure I am doing this correctly, I need to make the private key exportable, and then re-issue the cert to everyone through GPO; then I can export the cert from EXG2013_01 to EXG2013_02.

August 3rd, 2015 11:48am

So, if I go to the first server, generate a key request, take that to GoDaddy and have them re-issue a key, when they do, and I import it, there will be somewhere to make the private key exportable. Make sure I do that, and then re-import the key to the new server.

If I do that, will not all the Outlook clients need to re-install the key, or will they trust it because it is not self-signed?

When you create the request on the Exchange Server via the GUI, it automatically creates a request with an exportable private key. You take that request to GoDaddy, and once you get the certificate back, you complete the request on the server that generated the request. From there you export the cert to a file location with a .pfx extension and give it a password.

Then you choose to import the cert to the other CAS that need it and enter the file location and password.

If it's a trusted 3rd-party certificate and the intermediate certs are trusted as well by the clients (and any decent 3rd-party cert will be), then you are good to go.

You can ensure you have the correct cert chain installed on the cert by testing here: https://www.digicert.com/help/

August 8th, 2015 11:37am
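The export/import flow described in the reply above, as an added example in the Exchange Management Shell rather than the EAC (this is not code from the thread). The server names EXG2013_01 and EXG2013_02 are the thread's; the thumbprint and share path are placeholders, and it assumes the GoDaddy cert on EXG2013_01 has an exportable private key.

```powershell
# Added example, not from the thread: copy the SAN cert + private key from EXG2013_01
# to EXG2013_02 and confirm the chain builds there (the chain is what decides whether
# Outlook shows a warning). Thumbprint and share path are placeholders.

$Thumbprint = '<THUMBPRINT-OF-GODADDY-CERT>'            # from Get-ExchangeCertificate on EXG2013_01
$PfxPath    = '\\EXG2013_01\C$\Certs\mail-san.pfx'       # placeholder share reachable by both servers
$PfxPass    = Read-Host -AsSecureString 'PFX password'   # prompt; do not hard-code it

# 1. Confirm the source cert has a private key and that it is exportable before going further.
$src = Get-ExchangeCertificate -Server EXG2013_01 -Thumbprint $Thumbprint
if (-not $src.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on EXG2013_01" }
if (-not $src.PrivateKeyExportable) {
    throw "Private key is not exportable; complete a fresh request (exportable by default) first"
}

# 2. Export cert + private key as a password-protected, binary-encoded PFX.
$export = Export-ExchangeCertificate -Server EXG2013_01 -Thumbprint $Thumbprint `
            -BinaryEncoded -Password $PfxPass
[System.IO.File]::WriteAllBytes($PfxPath, $export.FileData)

# 3. Import it on the second server, keeping the key exportable so this can be repeated later.
$imported = Import-ExchangeCertificate -Server EXG2013_02 `
              -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) `
              -Password $PfxPass -PrivateKeyExportable $true

# 4. Bind it to the services clients hit on EXG2013_02 (Outlook/OWA over IIS, SMTP).
#    This prompts before replacing the default SMTP cert; review the prompt rather than forcing it.
Enable-ExchangeCertificate -Server EXG2013_02 -Thumbprint $imported.Thumbprint -Services IIS,SMTP

# 5. Verify the full chain (GoDaddy intermediates included) is trusted on EXG2013_02.
$cert  = Get-ExchangeCertificate -Server EXG2013_02 -Thumbprint $imported.Thumbprint
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "Chain does not build on EXG2013_02; install the missing intermediate CA certificate"
}
"Chain OK: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')

# 6. Remove the PFX once both servers hold the key; it contains the private key.
Remove-Item $PfxPath
```

Run it from the shell on EXG2013_01 with an account that has the Exchange certificate-management role; step 5 is the same check the DigiCert page linked above performs from outside.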

Hi Tim,

Andy has done a very excellent, to-the-point explanation of what you asked. Basically you get it from GoDaddy (or a 3rd-party cert provider) only because you don't want to install the cert on all clients, including mobile devices.

August 12th, 2015 12:27am
