Tuesday, January 19, 2016

Exchange 2013 Re-Install and Failed Certificates

Hi folks,

I was recently working on re-installing the Exchange 2013 binaries on a server. After configuring the Mailbox role, Transport service setup failed and the other services wouldn't install.

This is where c:\ExchangeSetupLogs\ExchangeSetup.log (the setup log generated by the Exchange setup program) came to my rescue. Looking into the file, I located the following records:

[01/19/2016 14:09:38.0912] [2] Installing certificate signed by CA NAME/rpa is incorporated by reference, FULL SUBJECT NAME'.  Certificate is valid from 7/10/2014 11:14:39 AM until 1/7/2016 4:09:08 PM.
[01/19/2016 14:09:38.0912] [2] [ERROR] The certificate is expired.
[01/19/2016 14:09:38.0912] [2] [ERROR] The certificate is expired.
[01/19/2016 14:09:38.0912] [2] Ending processing Install-ExchangeCertificate
[01/19/2016 14:09:38.0927] [2] Active Directory session settings for 'Install-AuthCertificate' are: View Entire Forest: 'True', Configuration Domain Controller: 'DC01.contoso.com', Preferred Global Catalog: 'DC01.contoso.com', Preferred Domain Controllers: '{ DC01.contoso.com }'
[01/19/2016 14:09:38.0927] [2] User specified parameters:  -DomainController:'DC01.contoso.com'
[01/19/2016 14:09:38.0927] [2] Beginning processing Install-AuthCertificate
[01/19/2016 14:09:38.0958] [2] Ending processing Install-AuthCertificate
[01/19/2016 14:09:38.0958] [1] The following 1 error(s) occurred during task execution:
[01/19/2016 14:09:38.0958] [1] 0.  ErrorRecord: The certificate is expired.
[01/19/2016 14:09:38.0958] [1] 0.  ErrorRecord: System.Security.Cryptography.CryptographicException: The certificate is expired.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
[01/19/2016 14:09:38.0958] [1] [ERROR] The following error was generated when "$error.Clear(); 
          Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
          if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
          {
            Install-AuthCertificate -DomainController $RoleDomainController
          }
        " was run: "System.Security.Cryptography.CryptographicException: The certificate is expired.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
[01/19/2016 14:09:38.0958] [1] [ERROR] The certificate is expired.
[01/19/2016 14:09:38.0958] [1] [ERROR-REFERENCE] Id=BridgeheadExchangeCertificate___36d297b411f94919bc8c6ba9c9c39131 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[01/19/2016 14:09:38.0958] [1] Setup is stopping now because of one or more critical errors.

The key records showed that Exchange setup had stumbled over the expired Exchange certificate. Therefore, in order to fix it, I had to scrap it from the local certificate store. To do this I added the Certificates console to MMC and pointed it to the Computer store of the local computer. Prior to this I uninstalled the Exchange binaries (it uninstalled only the Transport Services role) and IIS.



Then I navigated to the Personal store and its Certificates container and removed the expired certificate along with the certs generated during previous installation attempts.



After removing the faulty certs I restarted the server and executed the installation command as follows:

setup.exe /mode:install /roles:Mailbox,ClientAccess /IAcceptExchangeServerLicenseTerms /InstallWindowsComponents /DoNotStartTransport

As a result, all the roles were successfully installed and the server got into a fully functional state.
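The certificate cleanup done through MMC above can also be scripted. The following is an added example, not part of the original post: it lists expired certificates in the Computer\Personal store and removes them after saving a copy of each public certificate. The function names and the backup folder are hypothetical, and it handles only expired certificates, not the still-valid ones left over from earlier installation attempts.

```powershell
# Added example: audit and clean expired certificates in the local
# computer's Personal store (Cert:\LocalMachine\My). Function names and
# the backup folder are assumptions made for this illustration.
function Get-ExpiredMachineCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [datetime]$AsOf = (Get-Date)
    )
    # NotAfter is the end of the validity period, as shown in the setup log.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -lt $AsOf } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, HasPrivateKey
}

function Remove-ExpiredMachineCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Hypothetical backup folder for the public certificates.
        [string]$BackupDir = 'C:\Temp\ExpiredCertBackup'
    )
    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if ($cert.NotAfter -ge $now) { continue }   # still valid: leave it alone
        $target = "$($cert.Subject) [$($cert.Thumbprint)] expired $($cert.NotAfter)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
            # Save a DER copy of the public certificate first (no private key).
            $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            $file = Join-Path $BackupDir "$($cert.Thumbprint).cer"
            [System.IO.File]::WriteAllBytes($file, $der)
            Remove-Item -Path $cert.PSPath
        }
    }
}

# Review the list, then do a dry run; drop -WhatIf in an elevated
# session to actually remove the certificates.
Get-ExpiredMachineCertificate | Format-Table -AutoSize
Remove-ExpiredMachineCertificate -WhatIf
```

Compare the thumbprints in the listing against any certificate still assigned to a service before removing anything.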

I hope it helps you if you're stuck with the same issue as I was.

Enjoy!