Event ID 12016

KB ID 0000292 

Problem

Event ID 12016

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of <domain>. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of <domain> should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task

Cause: One of the certificates installed on the server that has the “S” attribute (SMTP) has expired. If it's the main certificate for the server then you will need to replace it. However, this is common on servers that still have a copy of the self-signed certificate they used when Exchange was first installed, so you are not using them anyway.


Solution

I’m assuming that the certificates that have expired are not the ones you are using in anger, let's make sure.

1. To see which certificates are being used for which services, launch the “Exchange Management Shell” and issue the following command;

[box] Get-ExchangeCertificate [/box]

2. Above you can see I’ve got three certificates and they are all being used for SMTP, let's make sure they are all in date.

3. Click Start > mmc {enter} > File > Add/Remove Snap-in > Certificates > Add > Select “Computer account” > Next > Accept the default of “Local computer” > Finish > OK > Expand Certificates > Personal > Certificates.

4. Look down the expiration date column and you can see which ones are out of date. Compare this list to the original one, and you can see which certificates need removing.

5. You can remove the expired certificates from here by right clicking > Delete.

6. OR, you can delete the certificates from within PowerShell with the following cmdlet (the thumbprint is shown in the Get-ExchangeCertificate output);

[box] Remove-ExchangeCertificate -Thumbprint {thumbprint of certificate} [/box]

7. Then press Y and {Enter} to confirm.

8. Either way, when you are finished you should be looking more like this.
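Before deleting anything, it helps to see which SMTP certificates are expired and whether any of them still covers a connector FQDN. The following is an added example (not code from the original article) for the Exchange Management Shell; $GraceDays and the wildcard-matching helper are my own assumptions.

```powershell
# Added example, not code from the original article: list every Exchange certificate
# that carries the SMTP service, flag the expired ones, and show which connector FQDNs
# each one actually covers, so only genuinely unused certificates get removed.
# Assumes an Exchange Management Shell session; $GraceDays is an assumed threshold.
$GraceDays = 30
$Now = Get-Date

# FQDNs the connectors advertise; the STARTTLS certificate must contain one of these.
$ConnectorFqdns = @(Get-ReceiveConnector) + @(Get-SendConnector) |
    ForEach-Object { if ($_.Fqdn) { $_.Fqdn.ToString().ToLower() } } |
    Sort-Object -Unique

function Test-DomainMatch {
    # $Pattern is a certificate domain such as "mail.example.com" or "*.example.com"
    # (constructed sample values); a wildcard only matches one label, as browsers do.
    param([string]$Pattern, [string]$Fqdn)
    if ($Pattern.StartsWith('*.')) {
        return (($Fqdn -like $Pattern) -and ($Fqdn.Split('.').Count -eq $Pattern.Split('.').Count))
    }
    return ($Pattern -eq $Fqdn)
}

$Report = foreach ($Cert in Get-ExchangeCertificate) {
    # Services is a flags value such as "IIS, SMTP"; only SMTP certificates matter here
    if ($Cert.Services -notmatch 'SMTP') { continue }
    $Domains = @($Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $Covered = @($ConnectorFqdns | Where-Object {
        $f = $_
        @($Domains | Where-Object { Test-DomainMatch $_ $f }).Count -gt 0
    })
    $State = if ($Cert.NotAfter -lt $Now) { 'EXPIRED' }
             elseif ($Cert.NotAfter -lt $Now.AddDays($GraceDays)) { 'EXPIRING' }
             else { 'OK' }
    [pscustomobject]@{
        Thumbprint  = $Cert.Thumbprint
        Subject     = $Cert.Subject
        SelfSigned  = $Cert.IsSelfSigned
        NotAfter    = $Cert.NotAfter
        State       = $State
        CoversFqdns = ($Covered -join ', ')
    }
}

# EXPIRED with an empty CoversFqdns column = safe removal candidate.
# EXPIRED but still covering a connector FQDN = the one you must replace, not delete.
$Report | Sort-Object State, NotAfter | Format-Table -AutoSize
```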

Note: Without an SMTP certificate with the FQDN of the server you may see Event ID 12014.

Error:

Microsoft Exchange couldn’t find a certificate that contains the domain name <name> in the personal store on the local computer. Therefore it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of <name>. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

You can simply create a self-signed certificate with the FQDN of the server and import it, then enable it for SMTP (Note: it WON'T overwrite the one you are using).

Related Articles, References, Credits, or External Links

NA

Event ID 9327

KB ID 0000480 

Problem

Seen when an Exchange server attempts to build the Offline Address book but encounters an error.

Source: MSExchangeSA
Event ID: 9327
Task Category: (13)
Level: Warning
Keywords: Classic
User: N/A
Description:
OALGen skipped some entries in the offline address list 'Global Address List'. To see which entries are affected, event logging for the OAL Generator must be set to at least medium. 

This is just an instruction to enable logging so that you can see the REAL error.

Solution

Option 1: Enable Logging via the Exchange Management Shell

1. Launch the Exchange Management Shell and check the current logging level; it will probably be set to “Lowest”. Issue the following command:

[box]Get-EventLogLevel[/box]

Then scroll down to “MSExchangeSA\OAL Generator” and check its status.

2. To turn the logging level right up, issue the following command:

[box]Set-EventLogLevel -Identity “MSExchangeSA\OAL Generator” -Level Expert[/box]

Option 2: Enable Logging via the Exchange Management Console

1. Launch the Exchange Management Console > Server Configuration > Right click the offending server > Manage Diagnostic Logging Properties > Expand MSExchangeSA > Select OAL Generation > Tick Expert > Configure > Finish.

Then rebuild the Offline Address Book

1. Launch the Exchange Management Console > Organization Configuration > Offline address book Tab > Right click “Default Offline address Book” > Update.

2. Select “Yes” when prompted.

3. Wait a few minutes, then re-check the server application log. You will see this error again, but there should be a more descriptive error near it to let you know what is failing.
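The whole procedure (raise the OAL Generator level, rebuild the OAB, read the surrounding events, put the level back) can be scripted from the Exchange Management Shell. This is an added example, not the article's own code; the OAB name and the two-minute wait are assumptions for your environment.

```powershell
# Added example, not part of the original article: raise OAL Generator logging to
# Expert, rebuild the default OAB, then pull the MSExchangeSA events written since the
# rebuild started and drop the level back to its original value so the log does not
# fill up. Assumes the Exchange Management Shell on the OAB generation server.
$Component = 'MSExchangeSA\OAL Generator'
$OabName   = 'Default Offline Address Book'   # assumed; check Get-OfflineAddressBook
$WaitSecs  = 120                              # assumed; OAB generation can take longer

$Original = (Get-EventLogLevel -Identity $Component).EventLevel
Set-EventLogLevel -Identity $Component -Level Expert
try {
    $Since = Get-Date
    Update-OfflineAddressBook -Identity $OabName
    Start-Sleep -Seconds $WaitSecs

    # Everything MSExchangeSA logged in this window; 9327 is the hint from the
    # article, the entries next to it (often 9323) carry the real reason.
    Get-EventLog -LogName Application -Source MSExchangeSA -After $Since |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EntryType, EventID,
            @{ Name = 'Message'
               Expression = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
        Format-Table -AutoSize -Wrap
}
finally {
    # Always restore the level, even if the OAB update throws
    Set-EventLogLevel -Identity $Component -Level $Original
}
```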

Related Articles, References, Credits, or External Links

NA

Event ID 9323

KB ID 0000481 

Problem

Seen when an Exchange server attempts to build the Offline Address book but encounters an error.

Source: MSExchangeSA
Event ID: 9323
Task Category: (13)
Level: Warning
Keywords: Classic
Description:
Entry ‘{Username}’ has invalid or expired e-mail certificates. These certificates will not be included in the offline address list for ‘Global Address List’.

Solution

1. Go to a domain controller, launch “Active Directory Users and Computers”, select View and enable “Advanced Features”. Locate the username reported in the error (in this example it’s the administrator). On the properties for that user, locate the “Published Certificates” tab.

If you can’t see the published certificates tab you are probably on the Exchange Server and NOT on a domain controller.

2. You will see that this user has a certificate, which you can inspect by pressing the View Certificate button. In this case we can see that the certificate has expired.

3. I didn’t need to renew this certificate, so I simply removed it.

Then rebuild the Offline Address Book

1. Launch the Exchange Management Console > Organization Configuration > Offline address book Tab > Right click “Default Offline address Book” > Update.

2. Select “Yes” when prompted.

3. Wait a few minutes, then re-check the server application log to make sure it now completes without error.
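Where more than one user is reported, checking each one in the GUI gets tedious. The script below is an added example (not from the original article): it reads every published certificate (the userCertificate attribute) from AD and reports the ones that are expired, not yet valid or unparseable, which are exactly the entries OALGen skips. It only reports; removal stays a manual decision. It assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example, not code from the original article: find AD users whose published
# (userCertificate) certificates are expired, not yet valid, or cannot be parsed.
# Assumes the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

$Now   = Get-Date
# LDAP presence filter: only users that actually have a published certificate
$Users = Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate

$Findings = foreach ($User in $Users) {
    foreach ($Raw in $User.userCertificate) {
        try {
            # The leading comma passes the byte[] as a single constructor argument
            $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$Raw)
        }
        catch {
            # Unparseable blob: OALGen will reject it too, so report it
            [pscustomobject]@{ User = $User.SamAccountName; Subject = '<unparseable>'
                               Thumbprint = $null; NotAfter = $null; Status = 'INVALID' }
            continue
        }
        $Status = if ($Cert.NotAfter -lt $Now)      { 'EXPIRED' }
                  elseif ($Cert.NotBefore -gt $Now) { 'NOT YET VALID' }
                  else                              { 'OK' }
        [pscustomobject]@{
            User       = $User.SamAccountName
            Subject    = $Cert.Subject
            Thumbprint = $Cert.Thumbprint
            NotAfter   = $Cert.NotAfter
            Status     = $Status
        }
    }
}

# Only the problem entries; these are the users Event ID 9323 will name
$Findings | Where-Object { $_.Status -ne 'OK' } | Sort-Object User | Format-Table -AutoSize
```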

Related Articles, References, Credits, or External Links

NA