OWA Error – There are too many active sessions connected to this mailbox

Recently, users accessing one of the shared mailboxes hosted on Exchange 2016 from webmail started getting the error below.

This was a shared mailbox accessed by multiple team members.

This happened for only one mailbox; it was fine for the rest of the users.

Looking into the IIS logs for the affected mailbox showed multiple connections coming from different sources.

The IIS logs are located at:
C:\inetpub\logs\logfiles\W3SVC1

Looking further into the Event Viewer, event ID 9646 from source MSExchangeIS was logged with the message below:
Client Type OWA Exceeded the maximum objects of 16 per session
So the next step was to look at the default OWA connection limits for the mailbox.

The default values can be seen by running the command below:

Get-ThrottlingPolicy

Look at the values of RcaMaxConcurrency and OwaMaxConcurrency for the Global Throttling Policy and the Default Throttling Policy.

What is RcaMaxConcurrency?

RcaMaxConcurrency controls how many concurrent connections an RPC Client Access user can have open against an Exchange server at the same time.

A connection is counted from the moment the server receives the request until the connection is closed (for example, the connection is considered terminated only when the user closes the browser, goes offline or signs out).
If users attempt to make more concurrent requests than their policy allows, the new connection attempt fails. However, the existing connections remain valid.

A valid value is an integer from 0 to unlimited. The default value is 40.

What is OwaMaxConcurrency?

OwaMaxConcurrency specifies how many concurrent connections an Outlook on the web user can have against an Exchange server at one time. A connection is held from the moment a request is received until a response is sent in its entirety to the requester. If users attempt to make more concurrent requests than their policy allows, the new connection attempt fails. However, the existing connections remain valid.

The OwaMaxConcurrency parameter has a valid range from 0 through unlimited. The default value is 20. To indicate that the number of concurrent connections should be unthrottled (no limit), set this value to $null.

Solution:
Create a new policy with higher values for RcaMaxConcurrency and OwaMaxConcurrency and assign some or all users to it, rather than changing the default policy.

Create a new throttling policy:
New-ThrottlingPolicy -Name HighUsage -OwaMaxConcurrency 50 -RcaMaxConcurrency 100

Apply this policy only to the affected users:
Set-Mailbox -Identity tonysmith -ThrottlingPolicy HighUsage

There is one more method that overrides the default throttling policy through the registry, but it applies to all mailboxes:

Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
On the Edit menu, point to New, and then click DWORD Value.
Type Maximum Allowed Service Sessions Per User, and then press ENTER.
On the Edit menu, click Modify.
Type the decimal value that specifies the number of sessions that you want to use, and then click OK.
Exit Registry Editor.

Since this applies to all mailboxes, it is better to avoid this registry entry.

Note:
For the above behavior, as a first step it is always better to reach out to the affected end user and verify from how many devices and PCs they have connected. Try disabling and re-enabling the OWA feature for a while and check the results. If event ID 9646 keeps appearing for the affected user, create a throttling policy and assign the user to it.
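The checks described above (IIS log sources for the mailbox, event 9646, and the throttling policy in effect) as one script. This is an added example, not code from the original post; it assumes the default W3SVC1 log location, the alias tonysmith used above, and an Exchange Management Shell session.

```powershell
# Added example (not from the original post): for one mailbox, count OWA requests per source in the
# IIS W3C logs, list recent MSExchangeIS 9646 events, and show the throttling policy in effect.
# Assumptions: default W3SVC1 log location, the alias 'tonysmith' from the post, and the Exchange
# Management Shell (Get-ThrottlingPolicyAssociation / Get-ThrottlingPolicy are Exchange cmdlets).
param(
    [string]$Alias   = 'tonysmith',
    [string]$LogPath = 'C:\inetpub\logs\logfiles\W3SVC1',
    [int]$Days       = 1
)
$since = (Get-Date).AddDays(-$Days)

function Get-OwaSourcesFromIisLogs {
    param([string]$Path, [string]$User, [datetime]$Since)
    $files = Get-ChildItem -Path $Path -Filter 'u_ex*.log' | Where-Object { $_.LastWriteTime -ge $Since }
    foreach ($f in $files) {
        $fields = $null
        foreach ($line in [System.IO.File]::ReadLines($f.FullName)) {
            if ($line.StartsWith('#Fields:')) {
                # The header names the columns; the field list can differ between log files.
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $parts = $line -split ' '
            if ($parts.Count -ne $fields.Count) { continue }
            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }
            # Keep only /owa requests whose authenticated user contains the alias (DOMAIN\alias or alias@domain).
            if ($row['cs-uri-stem'] -like '/owa*' -and $row['cs-username'] -match [regex]::Escape($User)) {
                [pscustomobject]@{ ClientIP = $row['c-ip']; UserAgent = $row['cs(User-Agent)'] }
            }
        }
    }
}

'Distinct sources hitting /owa as {0} in the last {1} day(s):' -f $Alias, $Days
Get-OwaSourcesFromIisLogs -Path $LogPath -User $Alias -Since $since |
    Group-Object ClientIP, UserAgent | Sort-Object Count -Descending |
    Select-Object Count, @{n='ClientIP';e={$_.Group[0].ClientIP}}, @{n='UserAgent';e={$_.Group[0].UserAgent}} |
    Format-Table -AutoSize

# Event 9646 from the Information Store confirms the per-session object limit was hit.
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSExchangeIS'; Id=9646; StartTime=$since } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Policy in effect: the explicit association if one exists, otherwise the organization default policy.
$policy = Get-ThrottlingPolicy | Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' }
$assoc  = Get-ThrottlingPolicyAssociation -Identity $Alias
if ($assoc.ThrottlingPolicyId) { $policy = Get-ThrottlingPolicy -Identity $assoc.ThrottlingPolicyId }
$policy | Select-Object Name, ThrottlingPolicyScope, OwaMaxConcurrency, RcaMaxConcurrency
```

A long list of distinct client IP and user-agent pairs for one alias is the pattern that justifies a dedicated policy rather than a registry-wide change.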

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers & Services 

Frequent Popups in Outlook -The Microsoft Exchange Administrator has made a change that requires you quit and restart Outlook

This error message can appear frequently for users after a mailbox migration from Exchange 2010 to 2013 or 2016.

The catch is that this error comes up only for a few users, while everything appears perfectly fine for the rest. Outlook appears to work normally and users are able to send and receive emails, except that this annoying message keeps prompting them very often.

On further analysis, this was identified to occur only for users who have multiple delegated accounts mapped in Outlook, where the user's mailbox resides on one database and the mapped delegated accounts reside on different databases.

For some reason the delegated account did not fully establish its connection to the new mailbox databases after the migration, and the user's delegate mailbox table did not receive the delegate permission account information. We could do a deeper analysis of the mailbox tables of the affected user using MFCMAPI and look into the ACL tables, but that would consume a lot of time.

Mostly the two solutions below will fix this issue:

1) Recreate the Outlook profile, which re-establishes connectivity to the new databases for the delegated accounts and updates the mailbox table for this user.
2) Move the mailbox to a different database, which resets the mailbox table receive folder values, updates the ACL tables for the delegate accounts and solves the issue.

Still, it is not certain what causes this issue.
There is also one more possibility that might cause it:
The msExchHomePublicMDB attribute on Exchange 2016 databases should not reference the legacy public folder object (Exchange 2010).

If we find this value on Exchange 2016 databases we can go ahead and remove it, since there are no more OAB endpoints that depend on PFs and no more Outlook clients that require PFs in an Exchange 2013/2016 environment.

In order to remove them, perform the following:

Open ADSIEDIT.MSC – Configuration Container – Expand Services – Microsoft Exchange – Domain – Administrative Groups – Exchange Administrative Group – Databases – right-click each database shown in the right pane and choose Properties – look for msExchHomePublicMDB and, if it has any value, clear it. Make sure to clear this value for all the other databases too.
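The same check done from PowerShell instead of clicking through ADSIEDIT, listing the attribute for every mailbox database and clearing it only when -Clear is passed. This is an added example, not from the original post; it assumes the Active Directory module, rights on the Exchange configuration objects, and the server-name pattern is a placeholder.

```powershell
# Added example (not from the original post): list msExchHomePublicMDB on every mailbox database in
# the Configuration partition (the value the ADSIEDIT walk above inspects by hand) and clear it only
# when -Clear is given. Needs the Active Directory module and rights on the Exchange configuration
# objects. Use -ServerFilter if the organization still has Exchange 2010 databases, since the post
# only concerns clearing the attribute on Exchange 2016 databases.
param(
    [string]$ServerFilter = '*',   # e.g. 'EX16*' to limit to Exchange 2016 servers (assumed naming)
    [switch]$Clear
)
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
# Mailbox databases are msExchPrivateMDB objects under Services/Microsoft Exchange/.../Databases.
$dbs = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchPrivateMDB)' `
          -Properties msExchHomePublicMDB, msExchOwningServer

foreach ($db in $dbs) {
    # msExchOwningServer is the DN of the server owning the database; take its CN for display/filtering.
    $server = ($db.msExchOwningServer -split ',')[0] -replace '^CN=', ''
    if ($server -notlike $ServerFilter) { continue }
    $pf = $db.msExchHomePublicMDB
    if ([string]::IsNullOrEmpty($pf)) {
        "{0} ({1}): msExchHomePublicMDB is empty" -f $db.Name, $server
        continue
    }
    # A value here points at a public folder database object, the legacy reference the post describes.
    "{0} ({1}): msExchHomePublicMDB = {2}" -f $db.Name, $server, $pf
    if ($Clear) {
        Set-ADObject -Identity $db.DistinguishedName -Clear msExchHomePublicMDB -Confirm
    }
}
```

Run it without -Clear first and keep the output as a record of which databases still carried the legacy reference before it was removed.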

Very important note:

The above troubleshooting is applicable only for users migrated from Exchange 2007/2010 to 2013/2016 and not for the scenarios below in any case.

1) The issue occurs after the mailbox was moved to a new Exchange site or forest with the same Exchange version (Exchange 2010).
2) The issue occurs after changes were made to the public folder databases in Exchange 2010.
3) The issue occurs after changes were made to the Exchange server endpoint.
4) Lync wasn't restarted after the mailbox was moved or after the Exchange server endpoint was changed.
5) You're running an older version of the Outlook client.
6) The service re-balances mailboxes on databases at various sites.

Thanks & Regards
Sathish Veerapandian
MVP  – Office Servers & Services

Customize Meeting responses to HTML tag in Exchange 2016

By default, when a meeting room response is received the end user gets a plain message saying that the request was accepted.

This response is fine for internal users since they know where the meeting room is located.
But when an external person or vendor is invited to the meeting, it is really difficult for that person to find the office and the meeting room.

This post focuses on adding the meeting room location to the meeting room response in HTML, so that external users can find the office and the meeting room easily.

If we only need an additional response in basic plain text, we can use the command below and add the required text.

Set-CalendarProcessing -Identity "phoenix" -AddAdditionalResponse:$true -AdditionalResponse:"Welcome to Phoenix Meeting Room"

But the above command will not help us add HTML tags or a company logo to the meeting response.

In order to add custom HTML we can perform the steps below:

Adding HTML tags to the meeting response is possible by accessing the resource mailbox via ECP with a delegated admin account for that resource mailbox:

https://yourdomain.com/ecp/phoenix@exchangequery.com

After opening the resource mailbox via ECP, navigate to Settings.

Then tick the option to add additional text and enter the required HTML.

Pasting a direct link here will not render as HTML and will show the raw link in the meeting response. The big change from Exchange 2010 is that we need to add the actual HTML code, as shown in the example below.

Playing around with simple HTML and adding the required values is enough for this requirement.

We can also reference a background image or company logo uploaded to a SharePoint site in these meeting responses, which gives a better look.

In the case below only the office location has been added, so that users can drive in easily and reach the meeting, plus the company logo fetched from a SharePoint site, using the HTML below.

<DIV><FONT size=2 face=Tahoma>For the office location, <A href="https://enter yourgooglemapslocationhere">Click here</A><BR>
Address:<BR>
ExchangeQuery.<BR>
Jumeriah lake Towers<BR>
Opposite to Downtown<BR>
<DIV><IMG src="https://exchangequery.sharepoint.com/Shared%20Documents/%24_109.jpg"></DIV>
</FONT></DIV>

After adding the above HTML, users get the meeting room location and the company logo at the bottom of their meeting response, as in the example below.

Make sure to use supported image formatting as per the TechNet source below:

http://technet.microsoft.com/en-us/library/bb124352.aspx#Images
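Because the additional response is sent to external invitees and embeds links and images from outside Exchange, it is worth auditing what every room mailbox currently sends. The script below is an added example (not from the original post) that extracts the href/src URLs from each room's AdditionalResponse and flags non-HTTPS links or hosts outside an allow list; the allow list contents are an assumption for illustration.

```powershell
# Added example (not from the original post): audit the additional response configured on every room
# mailbox, pull out the links and image sources it embeds, and flag anything that is not HTTPS or
# whose host is outside the allow list. Run from the Exchange Management Shell.
# The allowed hosts are an assumption for illustration; replace them with your own.
$allowedHosts = @('exchangequery.sharepoint.com', 'www.google.com', 'maps.google.com')

function Get-RoomResponseUrls {
    param([string]$Html)
    # Every href= or src= value, quoted or not; a full HTML parser is not needed for this check.
    [regex]::Matches($Html, '(?i)(?:href|src)\s*=\s*["'']?([^"''\s>]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

$rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited
foreach ($room in $rooms) {
    $cp = Get-CalendarProcessing -Identity $room.Identity
    if (-not $cp.AddAdditionalResponse -or [string]::IsNullOrWhiteSpace($cp.AdditionalResponse)) {
        "{0}: no additional response configured" -f $room.Alias
        continue
    }
    foreach ($u in (Get-RoomResponseUrls -Html $cp.AdditionalResponse)) {
        try { $uri = [uri]$u }
        catch { "{0}: unparsable URL '{1}'" -f $room.Alias, $u; continue }
        $flag = 'ok'
        if ($uri.Scheme -ne 'https') { $flag = 'NOT HTTPS' }
        elseif ($allowedHosts -notcontains $uri.Host) { $flag = 'HOST NOT IN ALLOW LIST' }
        "{0}: {1} [{2}]" -f $room.Alias, $u, $flag
    }
}
```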

Hope this helps

Thanks & Regards
Sathish Veerapandian
MVP – Office Server and Services

Migration status of mailboxes movement in Exchange 2016

The Mailbox Replication Service (MRS) is the service responsible for moving mailboxes and for mailbox imports, mailbox exports and restore requests.

This article focuses on the migration status of the migration batch in Exchange 2016.

The move request statistics can be viewed by running the command below:

Get-MoveRequestStatistics | Select DisplayName,StatusDetail,PercentComplete

Below are the status reasons reported for delayed migration batches:

StalledDueToTarget_DataGuaranteeWait:
Since Exchange 2010 there is a Data Guarantee API that the Mailbox Replication Service (MRS) uses to check the health of the database copy architecture, based on the settings defined for the database.
MRS calls this API to obtain the following information:
Check Replication Health – confirms that the prerequisite number of database copies is available.
Check Replication Flush – confirms that the required log files have been replayed against the prerequisite number of database copies.
If a Satisfied response is returned within the 15-minute stalling period, MRS automatically resumes the move request.

This is usually triggered during the move request to determine the health of the target database copies to which the mailboxes are being moved from the legacy servers.
If the Data Guarantee API returns a NotSatisfied or Retry response, MRS queues the move request and retries the query every 30 seconds.

The parameters controlling these values can be seen in the MSExchangeMailboxReplication.exe.config file located at C:\Program Files\Microsoft\Exchange Server\V15\Bin

Parameter Name              Default      Min        Max
DataGuaranteeCheckPeriod    00:00:05     00:00:01   02:00:00
DataGuaranteeTimeOut        00:10:00     00:00:00   12:00:00
DataGuaranteeLogRollDelay   00:01:00     00:00:00   12:00:00
DataGuaranteeRetryInterval  00:15:00     00:00:00   12:00:00
DataGuaranteeMaxWait        1.00:00:00   00:00:00   7:00:00
EnableDataGuaranteeCheck    True         False      True

StalledDueToTarget_MdbReplication:
This value is also returned by the Data Guarantee API when checking the replication health of the target database copies, if they are members of a DAG and have database copies.
We might get this message if MRS is waiting for the target server to report the replication status of the database copies.

In this case the passive copy must:
1) Be Healthy.
2) Have a replay queue within 10 minutes of replay lag time.
3) Have a copy queue length of less than 10 logs.
4) Have an average copy queue length of less than 10 logs.

Below are the parameters controlling this in the MSExchangeMailboxReplication config file:
MdbLatencyHealthThreshold
MdbFairUnhealthyLatencyThreshold
MdbHealthyFairLatencyThreshold
MdbLatencyMaxDelay

So in the end all the database copies must be healthy if we are distributing mailboxes randomly across the target databases.

StalledDueToHigherPriorityJobs:

We might get this status if Exchange Workload Management (introduced in Exchange 2013) is keeping the Exchange system resources busy with other Exchange operations, so the move requests are affected.

The first preferred option is to submit new move requests with the priority set to Emergency or Highest by running the command below.
New-MoveRequest -Identity Mailbox -TargetDatabase "DB Name" -BatchName Test -Priority Highest

StalledDueToCI:
This is caused by content indexing on the database copies. To resolve it, turn indexing off on the mailbox database until the migration is complete for the database where the mailbox resides.

To turn it off run the command below:
Set-MailboxDatabase "your mailbox database" -IndexEnabled:$False

Note: This should be re-enabled once the migration has completed.
This error might not happen in Exchange 2016 environments, since the indexing process has been completely changed in Exchange 2016.

StalledDueToTarget_DiskLatency:

This might happen if there are issues with disk performance: the disk latency rises, the response time from the source gets high and the migration batches time out, which delays the movement of the mailboxes. Start by checking the target Exchange 2016 disk performance (IOPS etc.). If we get this status there are serious problems with the Exchange 2016 performance, and this depends on the designed storage architecture: how the database copies are distributed and how many mailboxes are on each copy.

RelinquishedWlmStall:

We might get this because of large delays due to unfavorable server health or budget limitations.
In most practical cases we notice this status when moving a batch of large mailboxes, each more than 5 GB in size.

These are the parameters controlling this:
WlmThrottlingJobTimeOut
WlmThrottlingJobRetryInterval

The best solution for this is to move the large mailboxes in smaller batches, so that the system resources are sufficient to handle the migration.
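A script that groups a batch's move requests by the StatusDetail values discussed above, shows the last report entry of each stalled request, and for the Data Guarantee and replication stalls lists the target database's passive copies with their queue lengths. This is an added example, not from the original post; the batch name Test is the one used in the New-MoveRequest line above and is assumed.

```powershell
# Added example (not from the original post): summarise one migration batch by StatusDetail so the
# stall states described above stand out, show the last report entry for each stalled request, and
# for the Data Guarantee / replication stalls list the target database's passive copies with their
# queue lengths (the post's criteria: Healthy, copy queue below 10 logs). Batch name 'Test' is assumed.
param([string]$BatchName = 'Test')

$stats = Get-MoveRequest -BatchName $BatchName -ResultSize Unlimited |
    Get-MoveRequestStatistics -IncludeReport

'Move requests in batch {0} by StatusDetail:' -f $BatchName
$stats | Group-Object StatusDetail | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# All stall states walked through above begin with Stalled... or Relinquished...
$stalled = $stats | Where-Object { $_.StatusDetail -match '^(Stalled|Relinquished)' }
foreach ($s in $stalled) {
    $last = $s.Report.Entries | Select-Object -Last 1
    [pscustomobject]@{
        Mailbox         = $s.DisplayName
        StatusDetail    = [string]$s.StatusDetail
        TargetDatabase  = [string]$s.TargetDatabase
        PercentComplete = $s.PercentComplete
        LastEntry       = $last.CreationTime
        LastMessage     = $last.Message
    } | Format-List

    if ($s.StatusDetail -match 'Target_(DataGuaranteeWait|MdbReplication)' -and $s.TargetDatabase) {
        # The Data Guarantee check waits for passive copies to be Healthy with short copy/replay queues.
        Get-MailboxDatabaseCopyStatus -Identity "$($s.TargetDatabase)\*" |
            Where-Object { $_.Status -ne 'Mounted' } |
            Select-Object Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState |
            Format-Table -AutoSize
    }
}
```

ContentIndexState is included in the copy output because a Failed index on the target copy is the condition behind StalledDueToCI.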

Below are the major parameters controlling migration on Exchange 2016 servers, from the MSExchangeMailboxReplication.exe.config file located at C:\Program Files\Microsoft\Exchange Server\V15\Bin:

Parameter                       Default    Min        Max
MaxRetries                      60         0          1000
MaxCleanupRetries               480        0          600
RetryDelay                      00:00:30   00:00:10   00:30:00
MaxMoveHistoryLength            5          0          100
MaxActiveMovesPerSourceMDB      20         0          100
MaxActiveMovesPerTargetMDB      20         0          100
MaxActiveMovesPerSourceServer   100        0          1000
MaxActiveMovesPerTargetServer   100        0          1000
MaxActiveJobsPerSourceMailbox   5          0          100
MaxActiveJobsPerTargetMailbox   2          0          100
MaxTotalRequestsPerMRS          100        0          1024

Important tips to note before migration:
1) Ensure there is no file-level antivirus running on the target servers being migrated to.
2) Copy a 1 GB file from the source server to the target server and check the copy speed to ensure there are no network issues.
3) Make sure no backup jobs run during the migration batch period.
4) Initiate a small migration batch first (say 500 users), open Perfmon during this period and monitor memory, CPU and storage to make sure the resources are sufficient.

Note: Do not modify any values in MSExchangeMailboxReplication.exe.config for any reason. It is better to open a call with Microsoft if any issue is identified in the mailbox migration batches.

Thanks & Regards
Sathish Veerapandian
MVP- Office servers and Services

Read MAC EMLX apple email from Windows and MAC devices

What is EMLX File?

Mac OS has come configured with Apple Mail (Mail.app) since version 10.0. Like many operating systems, Mac OS X includes Apple Mail as its default messaging platform for desktop communication. Its qualities have already made it a standard messaging platform amongst users of Apple Mac systems. The improvements adopted in each Mac OS version have brought it a great number of users, making Apple Mail the most common communication medium for Mac users owing to its uncomplicated reachability. All these aspects have brought Apple Mail to the notice of investigators, because Mac-supported applications present complications during an investigation due to the lack of a dedicated viewer.

Location of EMLX File

A file with the EMLX extension is an Apple Mail email file created by Apple's Mail program for Mac OS X. EMLX files are plain text files that store just a single email message. They are normally found on a Mac under the ~user/Library/Mail/ folder, below the /Mailboxes/[mailbox]/Messages/ subfolder or sometimes within the subfolder /[account]/INBOX.mbox/Messages/.
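An EMLX file is the raw RFC 822 message preceded by a first line holding the message's byte length and followed by an XML property list of Mail.app metadata, so it can be turned into a standard .eml with nothing but a file copy that drops both. The script below is an added example (not from the original post or from the viewer it describes) that does this conversion on Windows, handling the truncated-file case the post mentions; paths are assumptions.

```powershell
# Added example (not from the original post or from the tool it describes): convert Apple Mail
# .emlx files to plain .eml that any Windows mail viewer can open. An .emlx file is the raw
# RFC 822 message preceded by a first line holding the message's byte length and followed by an
# XML property list of Mail.app metadata (flags, dates); removing both yields a standard .eml.
param(
    [Parameter(Mandatory)][string]$Source,                        # one .emlx file or a Messages folder
    [string]$Destination = (Join-Path (Get-Location) 'eml-out')   # output folder (assumed name)
)

function Convert-EmlxToEml {
    param([string]$Path, [string]$OutDir)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # First line: decimal byte count of the message that follows, terminated by LF.
    $nl = [Array]::IndexOf($bytes, [byte]10)
    if ($nl -lt 1) { throw "${Path}: missing length line" }
    $lenText = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $nl).Trim()
    $len = 0
    if (-not [int]::TryParse($lenText, [ref]$len)) { throw "${Path}: length line '$lenText' is not numeric" }
    $start = $nl + 1
    if ($start + $len -gt $bytes.Length) {
        # Truncated file (the damaged-in-transit case): keep what is present instead of failing.
        Write-Warning "${Path}: declared length $len exceeds file size; writing the truncated message"
        $len = $bytes.Length - $start
    }
    $msg = New-Object byte[] $len
    [Array]::Copy($bytes, $start, $msg, 0, $len)
    $out = Join-Path $OutDir ([System.IO.Path]::GetFileNameWithoutExtension($Path) + '.eml')
    [System.IO.File]::WriteAllBytes($out, $msg)
    [pscustomobject]@{
        Source          = $Path
        Output          = $out
        MessageBytes    = $len
        HasPlistTrailer = ($start + $len) -lt $bytes.Length   # metadata plist follows the message
    }
}

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$files = if (Test-Path -Path $Source -PathType Container) { Get-ChildItem -Path $Source -Filter '*.emlx' -Recurse } else { Get-Item -Path $Source }
foreach ($f in $files) {
    try   { Convert-EmlxToEml -Path $f.FullName -OutDir $Destination }
    catch { Write-Warning $_.Exception.Message }
}
```

The original .emlx files are left untouched, so the conversion can be rerun and the originals kept as evidence.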

Why does the need arise to view an EMLX file?

There are many reasons that make it necessary for users to look for an EMLX viewer, such as the requirements below:

  • An EMLX file is corrupted or fails to open, and the user urgently needs to view the crucial email messages without waiting for the particular email client to be installed.
  • Viewing EMLX email messages received as an attachment that were damaged in transit.
  • Needing to open an Apple Mail EMLX file, saved on an external storage device, on Windows.

Free EMLX Viewer – open EMLX files from Apple Mail to read messages

EMLX Viewer for Windows is an easy-to-use program that makes it possible to open and view EMLX files from Apple Mail on Windows. It also works with the regular EML file format. This is a portable freeware solution that comes in handy if you do not have the Apple Mail client installed to view EML messages, especially since it does not require you to set up a mail account. You only need to point it to the file and open it.

Although EMLX File Reader does not require installation, note that it creates cache files in the same directory as itself when opening EMLX files. As far as the interface is concerned, the tool uses a clean window with a native structure, where you can get started by opening an EMLX file or an entire folder containing multiple emails. The emails are neatly organized in a tree view on the left and can be read on the right. In addition to the message, you can view graphical content, attachments, and header information such as sender, receiver, subject and date.

If you need to deal with large amounts of text, you can use the built-in search function to look up information across the whole raw messages or only in the displayed headers. Search results can be restricted by specifying start and end dates. You can also change the date format and refresh all displayed messages if any modification was made in the meantime. EMLX files are automatically converted to EML format, so simply double-click an entry in the list to open its location in Windows Explorer and view the message and attachments.

There are no compatibility issues with the software, as the utility runs on all versions of Windows from Windows NT to Windows 10.

Source URL – http://www.bitrecover.com/free/emlx-viewer/

Thanks & Regards
Rollins Duke
Technical Analyst

Skype for Business Unable to present Desktop – Call failed to establish due to a media connectivity Failure

All Skype for Business clients in remote locations were unable to present their screen through Meet Now, peer-to-peer calls and conferences.
This was a new deployment and users were unable to present their desktop.

Below were the test scenarios:

1st test – from a remote user's network to my home network – received the error (We couldn't connect to the presentation because of network issues. Please try again later)
2nd test – from a remote user's network to my office network – received the error (We couldn't connect to the presentation because of network issues. Please try again later)

The troubleshooting below was done:

1) Telnet to lyncdiscover.domain.com on ports 80 and 443 (this was done just to make sure the clients get all the updated pool and SFB configuration info when logging in)
2) Telnet to meet.domain.com on port 443 – successful
3) Telnet to join.domain.com on port 443 – successful
4) Telnet to av.domain.com on port 443 – successful

Assume the deployment scenario below:
1) The Edge servers were behind DNS load balancing in a scaled consolidated topology using NAT.
2) UDP 3478 open to the A/V service external IP.
3) TCP 443 open to the external IPs.
4) The 50K port range was blocked in my case, since there were no legacy OCS clients.
5) No Edge hairpin traffic was allowed between the audio/video public IPs.

A Snooper trace from the affected remote client showed the following in the logs:

The error "call failed due to media connectivity failure" appears when both endpoints are remote.

This was the time for me to dig into how the SFB clients establish the connection at the protocol level, so I started exploring STUN, TURN and ICE, since I had only ever had a glossy look at these topics.

So what kind of protocols do they use?

SFB/Lync uses all three of these protocols to establish media connectivity:

ICE:
This stands for Interactive Connectivity Establishment. All Lync/SFB clients are ICE clients and use ICE to try to establish connectivity between themselves and another ICE client. Remember that this is the main protocol: it functions as the core and wraps the other two to establish a path.

STUN:
The current expansion of this acronym is Session Traversal Utilities for NAT.
It allows the SFB client to discover its available public IP for the SFB media path in order to establish connectivity.

TURN:
Traversal Using Relays around NAT.
This establishes a chain of connections between the external client and the client inside the network. Using this, the Edge servers create a chain and offer ports on UDP and TCP for the media path. Once this chain is established, the remote client is guaranteed a way to send its media to the internal network client.

So now we can clearly understand that the external corporate firewall must allow hairpin traffic for the A/V Edge public IPs for STUN and TURN to work on the required UDP and TCP paths.

Since these are the most commonly used RFC standard protocols, SFB clients use them too. They are all IETF standard protocols, which is why Microsoft also uses them.
The SFB clients use the process below to establish media connectivity with the remote client:

Candidate Discovery:
The clients discover their available public IP addresses for media connectivity. These include both STUN and TURN addresses obtained from the Edge server.

Candidate Exchange:
This is where both SFB clients send each other the list of addresses on which they can be reached for this media path.
Remember that this happens in both directions.

Connectivity Checks:
This is where both candidates (clients) try to establish a connection on all of these addresses simultaneously (not one by one).
The result is that the SFB client picks one of the available routes and establishes the connection over whichever path responds first.

Candidate Promotion:
This is the final stage for the SFB client and happens after the call is established and running.
If the clients identify a path that is more optimal and faster, they decide to switch to that route, which gives the user a better experience.

This candidate information can be seen in the Snooper logs.

We can see three types of candidate information.

The first one below is for the 50K port range and can be ignored if you do not have this option.

The second one is for audio and the last one is for video. The audio one has the same form, with the label main mentioned as audio.

Let's say we have only the 50K port range open and not 443 for UDP; then we see only the 50K candidate lists.

TCP-ACT indicates that with this candidate pair the client is able to send RTP and RTCP traffic.

Looking at it we can confirm that the candidate is a STUN pair: TCP-ACT together with typ srflx raddr is what indicates a STUN pair.

If candidate discovery fails in all cases, we find a SIP BYE in the Snooper logs which mentions opaque=epid followed by a GUID.
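Reading the candidate lines by eye is error-prone, so the script below parses a=candidate: lines copied from a Snooper/SIP trace, groups them by type and transport, and flags the situations described above (no relay candidates on UDP 3478 or TCP 443, or only the 50K range). This is an added example, not from the original post; the sample candidate lines are constructed and use documentation IP ranges.

```powershell
# Added example (not from the original post): parse ICE candidate lines (a=candidate:) copied from a
# Snooper/SIP trace and summarise them by type and transport, flagging the situations the post
# describes: no relay (TURN) candidates on UDP 3478 or TCP 443, or only the 50000-59999 range.
# The sample lines below are constructed for illustration; the IP addresses are documentation ranges.
$sampleSdp = @'
a=candidate:1 1 UDP 2130706431 10.1.2.30 50020 typ host
a=candidate:1 2 UDP 2130705918 10.1.2.30 50021 typ host
a=candidate:2 1 TCP-ACT 1684797951 203.0.113.10 50030 typ srflx raddr 10.1.2.30 rport 50020
a=candidate:2 2 TCP-ACT 1684797438 203.0.113.10 50031 typ srflx raddr 10.1.2.30 rport 50021
a=candidate:3 1 UDP 16648703 198.51.100.25 3478 typ relay raddr 10.1.2.30 rport 50020
a=candidate:3 2 UDP 16648190 198.51.100.25 3478 typ relay raddr 10.1.2.30 rport 50021
a=candidate:4 1 TCP-PASS 6556159 198.51.100.25 443 typ relay raddr 10.1.2.30 rport 50020
'@

function ConvertFrom-IceCandidate {
    param([string[]]$Lines)
    # a=candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> [raddr <ip> rport <port>]
    $re = '^a=candidate:(?<f>\S+)\s+(?<comp>\d+)\s+(?<tr>\S+)\s+(?<pri>\d+)\s+(?<ip>\S+)\s+(?<port>\d+)\s+typ\s+(?<type>\S+)(?:\s+raddr\s+(?<raddr>\S+)\s+rport\s+(?<rport>\d+))?'
    foreach ($l in $Lines) {
        $m = [regex]::Match($l.Trim(), $re)
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            Foundation  = $m.Groups['f'].Value
            Component   = [int]$m.Groups['comp'].Value    # 1 = RTP, 2 = RTCP
            Transport   = $m.Groups['tr'].Value           # UDP, TCP-ACT (active) or TCP-PASS (passive)
            Priority    = [long]$m.Groups['pri'].Value
            Address     = $m.Groups['ip'].Value
            Port        = [int]$m.Groups['port'].Value
            Type        = $m.Groups['type'].Value         # host, srflx (STUN) or relay (TURN)
            RelatedAddr = $m.Groups['raddr'].Value
        }
    }
}

function Test-IceCandidateSet {
    param([object[]]$Candidates)
    $findings = @()
    $relay = $Candidates | Where-Object Type -eq 'relay'
    if (-not $relay) {
        $findings += 'No relay (TURN) candidates: the client never obtained an allocation from the A/V Edge.'
    }
    if (-not ($relay | Where-Object { $_.Transport -eq 'UDP' -and $_.Port -eq 3478 })) {
        $findings += 'No UDP 3478 relay candidate: check UDP 3478 to the A/V Edge public IP and the Edge hairpin rules.'
    }
    if (-not ($relay | Where-Object { $_.Transport -like 'TCP*' -and $_.Port -eq 443 })) {
        $findings += 'No TCP 443 relay candidate: clients behind firewalls that allow only 80/443 have no fallback.'
    }
    if ($Candidates -and -not ($Candidates | Where-Object { $_.Port -lt 50000 -or $_.Port -gt 59999 })) {
        $findings += 'Only 50000-59999 candidates present: remote clients also need UDP 3478 or TCP 443 candidates.'
    }
    if (-not $findings) { $findings += 'Candidate set contains both UDP 3478 and TCP 443 relay paths.' }
    $findings
}

$cands = ConvertFrom-IceCandidate -Lines ($sampleSdp -split "`r?`n")
$cands | Group-Object Type, Transport | Select-Object Count, Name | Format-Table -AutoSize
Test-IceCandidateSet -Candidates $cands
```

Replace $sampleSdp with the candidate lines from the affected client's INVITE to see which relay paths its Edge server actually offered.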

There are two solutions for this problem:

Allow the 50K port range inbound:

We can allow media communication to this Edge audio/video IP only on the 50K port range. But in practice, when users connect from different networks, the media path has to cross firewalls that may allow only the standard ports 80 and 443, so the 50K ports may be blocked.

Allow hairpin traffic on the Edge:

Allow traffic on the Edge servers' external firewall to pass between the two A/V Edge servers' public IP addresses. This gives the appropriate candidate lists to clients connecting via different Edge servers on UDP port 3478 through this hairpin traffic.

Note:

1) If we have only one Edge server installed we do not need to follow these steps, since all clients connect to the same Edge node and no issue will be seen. Just make sure UDP 3478 is open for this communication.

2) SFB clients always try to establish the media path via UDP first, if available. If UDP isn't available they switch to TCP and establish connectivity that way.

Thanks & Regards
Sathish Veerapandian
MVP- Office Servers & Services.

Configure SCOM to monitor servers in the DMZ

SCOM requires mutual authentication to trust and communicate with the agents for monitoring and reporting. Initially SCOM tries to establish Kerberos authentication with the agents; this works for all internal agents joined to the domain.
For workgroup machines in the DMZ network, SCOM uses certificate-based authentication for secure communication and then monitors them.

Below are the high-level steps:

1) Configure your firewall to pass traffic from the DMZ agents (DMZ servers) to the SCOM management server's ports 5723 and 5724.
2) Request a certificate for each DMZ machine (the certificate must have both Server Authentication and Client Authentication).
3) Request a certificate for the SCOM machine (the certificate must have both Server Authentication and Client Authentication).
4) Import the Server Authentication and Client Authentication certificates on the DMZ machines.
5) Import the Server Authentication and Client Authentication certificates on the SCOM 2012 server.
6) Run MOMCERTIMPORT on all machines and assign the certificate.
7) Approve the DMZ agents on the SCOM server.

For publishing the certificate request for SCOM there are two options, depending on the CA we have:

  1. Enterprise CA.
  2. Standalone CA.

1) Enterprise CA

If we are going to request the certificate from an Enterprise CA, then we need to publish a certificate template for SCOM through the Enterprise CA.

To do this through the Enterprise CA:
Open the Certification Authority console – navigate to Certificate Templates – and select Manage.

Right-click the Computer certificate template and click Duplicate.

Make sure the option Allow private key to be exported is chosen.

The most important thing to note is that in the extensions it needs to have both Server Authentication and Client Authentication enabled. This applies to both the SCOM server and the DMZ hosts throughout the configuration, whether we request the certificates from an Enterprise CA or a Standalone CA.

Once the above is completed we can import a certificate issued from this duplicated template into SCOM.

2) Standalone CA:

Below are the steps that need to be carried out for a Standalone CA SCOM certificate request:

Go to the SCOM 2012 server.

Connect to the computer hosting Certificate Services:

https://ca.exchangequery.com/certsrv

Click Request a certificate, then Advanced certificate request.

Click Create and submit a request to this CA.

After that we get a confirmation about the web access information as below; click Yes.

Below is the information that needs to be filled in:

Name – name of the server requesting the certificate.

Type of Certificate – choose Other.

In OID enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (this plays a major role in the Enhanced Key Usage: Server Authentication and Client Authentication respectively).

Key options – select Create new key set.

CSP – select Microsoft Enhanced Cryptographic Provider v1.0.

Key Usage – select Both.

Key Size – 1024.

Select – Mark keys as exportable.

Request Format – CMC.

Hash Algorithm – SHA1. Give a friendly name and submit.

Once the request has been issued by the CA, we can go ahead and import the certificate on the SCOM server.

Request certificates for the DMZ servers to be monitored:

First and foremost, we can request the certificate from an internal domain server, since most of the time the DMZ servers will not have access to the certificate web enrollment service on port 443 on the internal certificate authority.

So what we can do is generate the certificate request from one machine in the domain network and then import the certificates onto the DMZ servers.

Perform the same process of submitting the certificate request for all the DMZ servers.

Below is the information that needs to be filled in:

Name – name of the DMZ server that requires the certificate.

Type of Certificate – choose Other.

In OID enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (this plays a major role in the Enhanced Key Usage: Server Authentication and Client Authentication respectively).

Key options – select Create new key set.

CSP – select Microsoft Enhanced Cryptographic Provider v1.0.

Key Usage – select Both.

Key Size – 1024.

Select – Mark keys as exportable.

Request Format – CMC.

Hash Algorithm – SHA1. Give a friendly name and submit.

Once the above is done we need to approve the request on the CA and then install it on the server from which we requested the certificates for those DMZ machines.

Now we need to export this certificate from the requesting machine and import it on all DMZ servers that need to be monitored.

There are multiple ways of doing this. I prefer the DigiCert Windows Utility tool.

Download the DigiCert Windows utility tool from the URL below on the machine where the certificate was requested:

https://www.digicert.com/util/

On opening it we can see all the issued SSL certificates that have their private key on that machine.

Select the certificate requested for the DMZ server and click Export.

Select the option to export the private key and export it protected with a password.

Once the above steps are completed we need to import these certificates into the computer Personal store on the DMZ servers.

We can use the same certificate import wizard as below to import the certificate on the DMZ servers.

Now the final step is to run MOMCERTIMPORT on all machines, select this certificate, and we are done.

The MOMCERTIMPORT GUI tool can be found on the SCOM 2012 installation media in the directory below:

E:\supporttools\AMD64\MOMCERTIMPORT

Make sure the same version of the tool from the setup is copied to all machines.

Just run this tool on all machines and we get a pop-up window to confirm the certificate. Confirm by choosing the relevant requested certificate on each server.

After the above is completed, wait a while and these DMZ servers will appear under Administration – Pending Management on the SCOM server; we just need to approve them and we are done.
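Before running MOMCERTIMPORT on a host, it is worth confirming that the certificate in the computer Personal store actually has the properties this procedure depends on. The script below is an added example (not from the original post) that checks each certificate in LocalMachine\My for both EKUs, a private key, a subject matching the host name and a current validity window; the host name default is an assumption, and the key-size/SHA-1 flags go beyond the request settings listed above.

```powershell
# Added example (not from the original post): check that a certificate in the local computer's
# Personal store meets the requirements the post lists for SCOM certificate authentication: both
# Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) EKUs, a
# private key, a subject matching this host's name and a validity window covering today. Run it on
# the SCOM management server and on each DMZ host before MOMCERTIMPORT. The host name default is an
# assumption; pass -HostName when the certificate was issued to a different FQDN.
param([string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

function Test-ScomCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedName
    )
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    $cn  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $now = Get-Date
    $keySize = 0
    try { $keySize = $Cert.PublicKey.Key.KeySize } catch { }

    $problems = @()
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'missing Server Authentication EKU' }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'missing Client Authentication EKU' }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (import the PFX with the key, not the CER)' }
    if ($cn -ne $ExpectedName) { $problems += "subject '$cn' does not match host '$ExpectedName'" }
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'not within its validity period' }
    # Beyond the post's 1024-bit/SHA1 request settings: flag parameters below today's common CA baseline.
    if ($keySize -gt 0 -and $keySize -lt 2048) { $problems += "RSA key size $keySize is below 2048" }
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'sha1') { $problems += 'signed with SHA-1' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# LocalMachine\My (the computer Personal store) is where MOMCERTIMPORT looks for the certificate.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ScomCertificate -Cert $_ -ExpectedName $HostName } |
    Format-List
```

A certificate that shows Usable = True here is the one to pick in the MOMCERTIMPORT dialog; the thumbprint lets you confirm the same certificate on both sides of the connection.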

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers & Services
