Microsoft Exchange Service Host service does not exist?
Hi all, I have an exchange 2010 environment with 2 cas servers and 2 mailbox servers split up between two sites. I have a DAG group setup and that's been working fine. I am having a problem getting OWA to work when there is a DAG failover to the mailbox server at site B. Email from outlook works fine when it's failed over, so far it seems that only OWA won't work. Trying to get that to work I noticed that the mailbox server in site b shows up in EMC as not having a cert. All other exchange servers have certs. The mailbox server in site A has only 1 self signed cert with 5 yr expiration. It looks like the one exchange 2010 creates at setup. However, I don't see one on site B mailbox server. When I tried to create a cert with new-exchangecertificate I get error that I should verify that ms exchange service host is running. When I go to services and sort them by name I see all the ms exchange services running except for ms exchange service host. It's just not there. I went back to site A's mailbox server and I find the service there and it's running. So has anyone come across this before or am I blind? I also tried net start msexchangeservicehost and that said service name was invalid. I have no idea how site b's mailbox server is running without that service, unless it has something to do with DAG? Lastly, we are running exchange 2010 RTM without any patches as far as I can tell. EMC lists ver on all servers as Ver 14.0 build 639.21. thanks for any help.
December 28th, 2010 11:08pm

I don't believe that there is normally a requirement to install a certificate on a mailbox server when it's not also a CAS or HT server. If the Microsoft Exchange Service Host service is not present, which it should be, then I recommend that you try reinstalling Exchange. If that doesn't fix it, you might consider removing Exchange and installing it again, or building a new Exchange server and moving everything to it.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
December 28th, 2010 11:42pm

thanks. That's what I was thinking but I wanted to get confirmation from someone here first. This was inherited environment and whenever I even hint at reinstalling or redoing something from scratch I get looks like I'm taking crazy pills or something. If I opt to reinstall, do I have to do anything special since the server is a DAG member? Should I remove all the copies and remove server from DAG group before doing a reinstall on it? do I need to use the same version of exchange that was installed such as 2010 RTM? I agree with you on there not being a requirement to install cert on a server with only mailbox role. However, exchange uses cert to do encryption so since I'm having a problem logging in to OWA when DAG fails over to that mailbox server, the only thing I noticed was that it didn't have a cert. When I tried to create one I got message about exchange service, which made me find out that the service isn't even showing up or installed on the mailbox server. OWA just loops at login. After login goes through instead of mailbox you get link back to OWA site saying to click here to use secure site and then it just loops after re-login. When mailboxes are pointing to mailbox server with self cert, OWA works fine. The event logs on pretty much all servers are loaded with errors that go months back. Mostly on the CAS server. They have errors about validation, free busy folders. Loads, all of which I'm going to look into and try to clean up. But they were existing probably since the old admins slapped exch 2010 on about a yr ago. I don't think those errors are pointing to my owa problem. That's why I'm focusing on fact other mailbox server doesn't have a cert.
December 29th, 2010 10:04am

It's more likely that your problem with OWA is related to you having two separate sites. You should investigate the configuration of the URLs on the various virtual directories.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
December 31st, 2010 8:54pm

I checked the http redirect on the default site in IIS. When I pinged the url it replied with IP of a kemp load balancer we have. Which reminded me we have one. I just found out a few days ago that we are using one when I was working on another problem we are having (accepting TLS). Now I'm thinking the kemp device is sending the request to the mailbox server that is down. It's probably not even configured with the other mailbox server in other site. I know from watching ASA monitor that when we go to our OWA site from outside, it hits our kemp device. I need to get login info from another admin for the kemp device so I can see what's setup. While working on the TLS problem we are also having, I was able to piece together our inbound mail flow. It looks like emails hit our kemp load balancer, then kemp sends to our Brightmail Gateway, Brightmail sends back to kemp, then kemp sends to our CAS/Hub, the CAS sends to our mailbox server. That's what I think is going on, until I get into the kemp and whatever else we have in the primary remote site I won't know for sure. Anyway, I still think I should resolve the issue with the ms exchange service not being installed/visible on the secondary mailbox server. I think I'm going to reinstall 2010 on it and see if it puts service back and creates self cert. From other reading, I think mailbox servers should at least have a self signed cert. thanks for the ideas and I'll let you know if I make headway on this.
January 2nd, 2011 8:13pm

If you are using Exchange 2010, then the load balancer shouldn't be doing anything with traffic through the mailbox servers. In Exchange 2010, all client access, including Outlook MAPI, goes through the CAS server.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
January 3rd, 2011 2:31pm

Hi,
First, I would like to confirm the following questions:
1. Do the two sites have the same URL to access the mailbox via OWA? Have you created a CAS Array?
2. Is there any difference between the mailbox server machine in two sites, such as different server role? Is the CAS role and Mailbox role installed on the same machine?
To troubleshoot the issue, please collect the following log file for research.
Steps to collect IIS log
=============
a). On Exchange Servers, open IIS MMC, right click Default Web Site and then click Properties.
b). Click Website tab and then check Enable logging.
c). Stop the Default Website and RENAME the existing IIS log files under C:\WINDOWS\system32\LogFiles\W3SVC1.
d). Restart the Default Website and reproduce the problem, which will generate new IIS log file with the exact error.
e). Wait for a while so that IIS Log can be synced. And then go to the following folder on Exchange Server: C:\WINDOWS\system32\LogFiles\W3SVC1.
f). Upload the log to Skydrive (www.skydrive.live.com) and share the link to me for research.
Thanks.
Novak
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 4th, 2011 4:11am

Novak, thanks for the reply and steps to try. I've been hammered last two weeks and have not been able to revisit the OWA issue or anything with exchange. We've been moving users into temporary space. This weekend I am going to start working on this again and hopefully I can keep working on it if need be during nights next week. I'll try to answer your questions then explain our exchange environment in detail: As far as I know, we only have 1 url for OWA to our 2010 exchange servers (mail.exch2010.com). We also have an OWA site sitting on our exch2k3 servers that 2k3 users access (mail.exch2k3.com). The problem I am having is with the 2k10 owa site. We do not have a CAS array. Our environment consists: Exchange 2k10 and 2k3 servers. All are VMs (vmware). All 2k10 servers are RTM Ver 14.0 build 639.21. We have two sites. The first site is our primary site where all servers are, I'll call this Site1. I'll call second site Site2. Site2 will ultimately become our DR site. Site1 has an internet connection and hosts all IPs that are reachable for exchange and other hosted services we have. Site2 has internet access, but as far as I know all its public IPs are not hosting anything. The connection between Site1 and Site2 is STS VPN (connection is very fast 2ms). This is the only way two sites talk to each other. We have other sites (offices), but 90% of our servers are based in Site1. Site1 has two 2010 servers, 1 server, e01. e01 has CAS/HUB and other server (e03) is Mailbox role only. We also have three exch 2003 servers in Site1. Two of the servers mx1 and mx2 have 4 storage groups each with about 4 dbs in each of those. The third server, mx3 is just running without any mailboxes. In theory we can shut that one down, but I'm not until I know for sure it's not doing anything else. mx2 also hosts the 2k3 OWA site. The reason we have that is because no one could get OWA working with 1 url for 2k3 and 2k10 mailboxes. That's also on my list someday.
Site2 has 2 exchange 2010 servers. 1 server, e02 is CAS/HUB role and the other server, e04 is just mailbox role. All servers are filled with event log errors and warnings. All/most errors go back months to a yr. All this of course has to be addressed, but for now email has been working. Obviously not perfectly otherwise I wouldn't be posting. From glancing at the errors, we are getting validation errors on e01. We are having cert errors with exchange, but again it looks like our rpc over http is working. As for DAG, I setup dag group a few weeks back with e01 as the witness server and e03 holding primary copies and e04 holding passive copies. Through my testing of the failovers, email through outlook worked and we didn't miss any emails. However, when DAG fails over to e04 OWA can't get into the mailbox. It goes into loop I described in prev post. As for inbound email, it looks like emails come in and hit our Kemp device (yes we have a kemp loadbalancer I have to look that over too) then kemp forwards mail to our brightmail gateway, which brightmail then forwards back to kemp and kemp device sends to e01 (CAS/HUB) from there it goes to e03. I finally got login to kemp so I'll be looking at that this weekend. As for outbound, we go straight out. We don't go through the brightmail filter or any other filter. I've been working at this place for about 2 months now. The other 2 admins I work with have inherited this environment and everything else about 3 months prior. It looks like the previous administration just slapped everything together and hired consultants which threw stuff together also. Almost no documentation and any existing docs are not trustworthy. I'll get you some IIS logs and recreate error this weekend and share link. Thanks again for help and reading this long post.
January 15th, 2011 10:30am

Here is Log file. This is what I did: Stopped IIS on e01 renamed today's log file. failed over DAG to e04. Started IIS back up. tried OWA from outside network.
Username was "OWAtester". I tried twice. You should see it towards end of file. Here is link to file.
January 15th, 2011 10:31am

We are using a kemp loadbalancer and I got into it tonight. It's listening for ports 25, http, and https then sends to our CAS/Hub server, e01. There isn't another server listed that it sends to so it's not really loadbalancing. I understand that all goes through CAS, but when it's coming from the outside on those ports traffic hits the kemp device first. Our inbound email looks like it hits first kemp, then kemp sends to brightmail filter, then brightmail sends back to kemp, kemp sends to e01 (CAS/Hub), then e01 sends email to mailbox server. For http/https traffic, it first hits Kemp then kemp sends to e01. Any mapi traffic goes straight to e01 (CAS/hub) then to mailbox server.
January 15th, 2011 11:13pm

I got OWA working. Ed was right on previous post about URLs. I checked them again and since my second CAS isn't internet facing it was sending requests back to my first CAS server causing a loop. This only happens when my DAG fails over to the second site. So I had to blank out external URL that was pointing back to my primary CAS server. I also had to change auth in OWA, ECP to basic and windows integrated. I also had to blank out url in activesync settings. As for my original problem about service not showing up on 2nd mailbox server, I'm going to install SP1 on my RTM ver and hopefully that will be the same as an install to exch /SP1. If that doesn't add service back on, I'll setup another server and decommission this one. thanks for the help guys.
January 24th, 2011 11:56pm
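
The fix described in the last post, as an added Exchange Management Shell example that is not part of the original thread: audit the virtual-directory URLs on every CAS, then clear the external URLs and set the authentication methods on the CAS that is not internet facing. The server name e02 is taken from the thread; the Set- commands run with -WhatIf so nothing changes until that switch is removed.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Assumption: e02 is the Site2 CAS that is NOT internet facing (as named in the thread).
$Cas = 'e02'

# 1. Audit every CAS: a non-internet-facing CAS should show an empty ExternalUrl.
#    An ExternalUrl here that points at the other site's CAS is what produced the
#    login loop after the DAG failed over.
Get-ClientAccessServer | ForEach-Object {
    Get-OwaVirtualDirectory        -Server $_.Name
    Get-EcpVirtualDirectory        -Server $_.Name
    Get-ActiveSyncVirtualDirectory -Server $_.Name
} | Format-Table Server, Name, InternalUrl, ExternalUrl -AutoSize

# 2. Show the authentication methods currently enabled on OWA and ECP for the target CAS.
Get-OwaVirtualDirectory -Server $Cas |
    Format-List Identity, BasicAuthentication, WindowsAuthentication, FormsAuthentication
Get-EcpVirtualDirectory -Server $Cas |
    Format-List Identity, BasicAuthentication, WindowsAuthentication, FormsAuthentication

# 3. Preview the change: blank the external URL and enable Basic plus Integrated
#    Windows authentication on OWA and ECP. Basic authentication sends credentials
#    base64-encoded, so keep "Require SSL" enabled on these virtual directories.
Get-OwaVirtualDirectory -Server $Cas |
    Set-OwaVirtualDirectory -ExternalUrl $null `
        -BasicAuthentication $true -WindowsAuthentication $true -WhatIf

Get-EcpVirtualDirectory -Server $Cas |
    Set-EcpVirtualDirectory -ExternalUrl $null `
        -BasicAuthentication $true -WindowsAuthentication $true -WhatIf

# 4. Preview blanking the ActiveSync external URL as well.
Get-ActiveSyncVirtualDirectory -Server $Cas |
    Set-ActiveSyncVirtualDirectory -ExternalUrl $null -WhatIf

# 5. After removing -WhatIf and applying, rerun step 1 to confirm, then restart IIS
#    on the target CAS (iisreset /noforce) so the authentication change takes effect.
```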
