Topic Last Modified: 2010-04-09
The Microsoft Exchange Server 2010 Management Pack for System Center Operations Manager monitors the Windows Application log on computers running Exchange 2010 and generates this alert when the events specified in the following Details table are logged.
To learn more about this alert, in Operations Manager, do one or more of the following:
- From the Operations Console, double-click this alert, and then click the General tab. Review the description of the alert that includes the variables specific to your environment.
- From the Operations Console, double-click this alert, and then click the Alert Context tab. Review the logged events that meet the criteria of this Operations Manager alert.
Details
Product Name | Exchange
Product Version | 14.0 (Exchange 2010)
Event ID | 12014
Event Source | MSExchangeTransport
Alert Type | Warning
Rule Path | Microsoft Exchange Server/Exchange 2010/Common Components/Hub Transport and Edge Transport/Transport
Rule Name | Exchange was unable to load the STARTTLS certificate from the local store because of a mismatch with what was configured on connector FQDN.
Explanation
This Warning event indicates that there is a problem loading a certificate to be used for Transport Layer Security (TLS). Generally, this problem occurs if one or both of the following conditions are true:
- The fully qualified domain name (FQDN) that is specified in the Warning event has been defined on a Receive connector or Send connector on a Microsoft Exchange Server 2010 or Exchange Server 2007 transport server, and a certificate that contains the FQDN in the Subject Name or Subject Alternative Name fields is not installed on that server.
- A third-party or custom certificate has been installed on the server and it contains a matching FQDN. However, the certificate is not enabled for the SMTP service.
TLS functionality requires that a valid certificate is installed in the computer's certificate store. For more information, see Understanding TLS Certificates.
User Action
To troubleshoot this issue, you must first examine the configuration of the certificates installed on the Exchange server and the configuration of all Receive connectors and Send connectors installed on the server. You can use the following commands to view the configuration:
Get-ExchangeCertificate | FL *
Get-ReceiveConnector | FL name, fqdn, objectClass
Get-SendConnector | FL name, fqdn, objectClass
Note: To display the services that are enabled for an installed certificate, you must include the asterisk (*) after FL when you run the Get-ExchangeCertificate cmdlet. The Services values are not displayed if the * is not specified.
Run the commands and compare the FQDN that is reported in the Warning event with the FQDN that is defined on each of the connectors and with the CertificateDomains values that are defined on each of the certificates. The CertificateDomains value is a concatenation of the Subject and Subject Alternative Name fields on the certificate.
The goal is to verify that each connector that is using TLS has a corresponding certificate that includes the connector's FQDN in the CertificateDomains values of the certificate. Note any connectors that are enabled for TLS but do not have a corresponding certificate where the connector FQDN is in the CertificateDomains values of the certificate.
Inspect the Services value on each certificate. If you are using a certificate for TLS, it must be enabled for the SMTP service with a Services value of SMTP.
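The comparison described above can be scripted. The following is an added example, not part of the original topic or of Microsoft's tooling: the function name Find-ConnectorCertificateGap, the status strings, and the sample connector and certificate objects are hypothetical, and it performs only an exact, case-insensitive FQDN match against CertificateDomains.

```powershell
# Added example: flag connectors whose FQDN has no SMTP-enabled certificate.
function Find-ConnectorCertificateGap {
    param(
        [object[]]$Connectors,    # objects exposing Name and Fqdn
        [object[]]$Certificates   # objects exposing Thumbprint, CertificateDomains, Services
    )
    foreach ($connector in $Connectors) {
        $fqdn = "$($connector.Fqdn)".Trim()
        if (-not $fqdn) { continue }   # connector has no FQDN configured

        # Certificates that list the connector FQDN (exact, case-insensitive)
        $matching = @($Certificates | Where-Object {
            @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn
        })
        # Of those, the ones whose Services value includes SMTP
        $smtp = @($matching | Where-Object { "$($_.Services)" -match '\bSMTP\b' })

        if ($smtp.Count -gt 0)         { $status = 'OK' }
        elseif ($matching.Count -gt 0) { $status = 'CertificateNotEnabledForSMTP' }
        else                           { $status = 'NoCertificateWithFqdn' }

        New-Object PSObject -Property @{
            Connector   = $connector.Name
            Fqdn        = $fqdn
            Status      = $status
            Thumbprints = (@($matching | ForEach-Object { $_.Thumbprint }) -join ',')
        }
    }
}

# Constructed sample data (hypothetical names, placeholder thumbprints).
# On an Exchange server, substitute:
#   $connectors = @(Get-ReceiveConnector) + @(Get-SendConnector)
#   $certs      = @(Get-ExchangeCertificate)
$connectors = @(
    New-Object PSObject -Property @{ Name = 'Default HUB01';  Fqdn = 'hub01.contoso.com' }
    New-Object PSObject -Property @{ Name = 'Internet Relay'; Fqdn = 'mail.contoso.com' }
    New-Object PSObject -Property @{ Name = 'Partner Send';   Fqdn = 'smtp.contoso.com' }
)
$certs = @(
    New-Object PSObject -Property @{ Thumbprint = 'PLACEHOLDER-A'; Services = 'IMAP, POP, SMTP'
                                     CertificateDomains = @('hub01.contoso.com', 'HUB01') }
    New-Object PSObject -Property @{ Thumbprint = 'PLACEHOLDER-B'; Services = 'IIS'
                                     CertificateDomains = @('mail.contoso.com') }
)

Find-ConnectorCertificateGap -Connectors $connectors -Certificates $certs |
    Format-Table Connector, Fqdn, Status, Thumbprints -AutoSize
```

A status of NoCertificateWithFqdn corresponds to the first condition in the Explanation section, and CertificateNotEnabledForSMTP to the second.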
For More Information
If you are not already doing so, consider running the Exchange tools created to help you analyze and troubleshoot your Exchange environment. These tools can help make sure that your configuration aligns with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. To run these tools, go to the Toolbox node of the Exchange Management Console. To learn more about these tools, see Managing Tools in the Toolbox.