
Wednesday, November 14, 2007

Exchange 2007: This Ca Root Certificate Is Not Trusted. To enable Trust, Install This Certificate In The Trusted Root Certification Authorities Store.

Summary: An Exchange 2007 CAS server uses a self-signed certificate by default. Depending on which services your CAS role provides, you may get the following error:

"This Ca Root Certificate Is Not Trusted. To enable Trust, Install This Certificate In The Trusted Root Certification Authorities Store"


Cause: In this instance, I had my CAS server using a Self Signed Cert for the Address Book distribution in the Default Web Site while using a valid third-party commercial Cert for OWA. This worked fine using the article below.

Exchange 2007 and SSL Certificates
http://www.sembee.co.uk/archive/2007/01/21/34.aspx


However, when viewing Free/Busy information, the certificate error would appear:

"This Ca Root Certificate Is Not Trusted. To enable Trust, Install This Certificate In The Trusted Root Certification Authorities Store"


Solution:

1. Go to the Default Web Site in IIS and remove the self-signed certificate: right-click the Default Web Site, then Directory Security, Server Certificate, Next, and remove the certificate.

2. Open the Certificates snap-in in MMC: go to Run, enter MMC, then File, Add/Remove Snap-in, Add, Certificates, Computer Account, Local Computer, and click OK.

3. Once the Certificates snap-in is open, go to Personal, Certificates. Right-click, choose Request New Certificate, click Next, set Friendly Name = host name of your server, then click Next and Finish.

4. Copy the new certificate to Trusted Root Certification Authorities, Certificates.

5. Go back to the Default Web Site in IIS, then Properties, Directory Security, Server Certificate. Choose to assign an existing certificate and select the new certificate that was created.

6. Issue IISRESET from your command prompt.
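
To confirm the result of steps 3 to 5 on the server, the following added example (not part of the original post) lists the matching certificates in the local computer's Personal store and reports whether each one is also present in Trusted Root. It assumes the certificate's friendly name or subject contains the server's host name, and it treats "subject equals issuer" as a heuristic for self-signed.

```powershell
# Added example, not from the original post.
# Assumption: the certificate requested in step 3 carries the server's host
# name in its friendly name or subject.
$hostName = $env:COMPUTERNAME
$now      = Get-Date

# Index the Trusted Root store by thumbprint for a quick membership test.
$trustedRoots = @{}
Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { $trustedRoots[$_.Thumbprint] = $true }

# Report on every Personal-store certificate that matches the host name.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.FriendlyName -like "*$hostName*" -or $_.Subject -like "*$hostName*"
    } |
    Select-Object Thumbprint, Subject, FriendlyName, NotAfter, HasPrivateKey,
        @{ Name = 'SelfSigned';    Expression = { $_.Subject -eq $_.Issuer } },
        @{ Name = 'InTrustedRoot'; Expression = { $trustedRoots.ContainsKey($_.Thumbprint) } },
        @{ Name = 'ValidNow';      Expression = { $_.NotBefore -le $now -and $_.NotAfter -ge $now } } |
    Format-List
```

A certificate with InTrustedRoot = False means step 4 was not applied on this machine, and HasPrivateKey = False means IIS cannot use it as a server certificate in step 5.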



James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

Active Directory: Convert Global Groups to Universal Groups Bulk

Summary: There may come a time when you need to convert your Global Groups into Universal Groups such as if you're in a multi-domain Forest. This is because the Global Catalog server does not have a copy of Global Groups in other domains. This can cause a problem with Distribution list expansion.


Tip: To bulk change your Global Security or Distribution Groups into Universal Groups, you can use ADModify and set the "groupType" attribute on its Custom tab.


Download Admodify:

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify


1. Launch ADMODIFY.EXE
2. Click Modify Attributes
3. Domain List=Choose your Domain; Domain Controller=Choose your DC
4. Check only Groups; Check Advanced Features; Click Traverse Subcontainers
5. Click the Green Arrow and now highlight your Domain
6. Click Custom LDAP query.

Global Security Groups

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483646))


7. Click Add to list and click OK
8. Select All and click next.
9. Click Custom Tab. Click Make a customized attribute modification

Attribute Name: groupType
Attribute Value: -2147483640


Click OK. This will convert your Global Security Groups to Universal Security Groups.

Use the following chart to convert your Global Distribution Groups.


[Group Scope] [Group Type] [groupType value] [sAMAccountType attribute]

[Universal] [Distribution] [8] [268435457]
[Universal] [Security] [-2147483640] [268435456]
[Global] [Distribution] [2] [268435457]
[Global] [Security] [-2147483646] [268435456]
[Domain Local] [Distribution] [4] [536870913]
[Domain Local] [Security] [-2147483644] [536870912]
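
The groupType values in the chart are bit flags, which is why the filter above uses the bitwise-AND matching rule 1.2.840.113556.1.4.803. The following added example (not part of the original post; the function names are hypothetical) decodes a value, builds a matching LDAP filter, and computes the Universal value that keeps the security/distribution bit unchanged.

```powershell
# Added example, not from the original post. Function names are hypothetical.
$SECURITY_ENABLED = -2147483648            # 0x80000000, set on security groups
$SCOPE_MASK       = 0x2 -bor 0x4 -bor 0x8  # global | domain local | universal
$SCOPE_NAMES      = @{ 2 = 'Global'; 4 = 'Domain Local'; 8 = 'Universal' }

# Decode a groupType value into the scope and type shown in the chart.
function Get-GroupTypeInfo([int]$GroupType) {
    $kind = 'Distribution'
    if ($GroupType -band $SECURITY_ENABLED) { $kind = 'Security' }
    $scope = $SCOPE_NAMES[($GroupType -band $SCOPE_MASK)]
    "$GroupType = $scope $kind"
}

# Build an LDAP filter that selects only groups of exactly this kind.
function Get-GroupFilter([int]$GroupType) {
    if ($GroupType -band $SECURITY_ENABLED) {
        # Bit-AND rule: matches objects that have every bit of the value set.
        "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=$GroupType))"
    } else {
        # A bit-AND test on the scope bit alone would also match the security
        # groups of that scope, so distribution groups need an equality test.
        "(&(objectCategory=group)(groupType=$GroupType))"
    }
}

# Swap the scope bits for Universal (8) and leave the security bit as it is.
function ConvertTo-UniversalGroupType([int]$GroupType) {
    ($GroupType -band (-bnot $SCOPE_MASK)) -bor 8
}

# Walk both Global rows of the chart: security, then distribution.
foreach ($value in -2147483646, 2) {
    Get-GroupTypeInfo $value
    Get-GroupFilter $value
    Get-GroupTypeInfo (ConvertTo-UniversalGroupType $value)
}
```

Active Directory only permits the change from Global to Universal when the group is not itself a member of another Global group, so check nesting before running a bulk change.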


James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Thursday, November 08, 2007

Exchange 2007: Messages Not Received to Distribution Group

Summary: After installing a CAS server, sending to particular distribution groups does not work. If you add yourself to the group, you do not receive the messages. No NDRs are received either.

When Telnetting and sending the message

Telnet: CASServer 25
Mail from:youraccount@yourdomain.com
Rcpt to:DLGroup
Data
.
.
Message Sucessfully Queued


Users who belong to the Distribution Group do not receive the messages.


Solution: Verify that the group is a Universal Group if you're in a multi-domain forest. There were no issues sending to the DL prior to the introduction of a 2007 CAS.




Wednesday, November 07, 2007

Exchange 2007: POP3 ERR Command is not valid in this state

Summary: POP applications report ERR "Command is not valid in this state" after supplying credentials. To verify, telnet to POP port 110 of your CAS server:

Telnet CASServer 110
User Myaccount
Pass Mypass
ERR Command is not valid in this state


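Resolution: Open the Exchange Management Shell and enter:

Set-PopSettings -LoginType PlainTextLogin

Then restart your POP3 service. PlainTextLogin allows clients to authenticate with a clear-text user name and password without TLS.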



Exchange 2007: ActiveSync Does Not Work With Exchange 2003 Mailboxes

Summary: Exchange 2007 ActiveSync does not work with mailboxes on Exchange 2003. After the username and password are entered, the password prompt keeps reappearing.

To verify ActiveSync, go to https://hostname/Microsoft-Server-ActiveSync on your CAS server. If you receive HTTP 501/HTTP 505, ActiveSync is working.


Resolution: Enable Integrated authentication on the Microsoft-Server-ActiveSync virtual directory on all your back-end Exchange 2003 servers.

