Thread-Topic: Certificate Authority is also a DC, want to demote?
Newsgroups: microsoft.public.windows.server.active_directory
From: Nick-Mars <nickmars@news.postalias>
Date: Sat, 28 Jan 2006 08:58:02 -0800

Background:
2003 Server SP1 running Exchange 2003 SP2. The server is also a DC and a Certificate Authority.

When I initially set up my Certificate Authority I had problems that I thought would be resolved by making the server a DC as well.

At this point the CA is up and running fine. But we are encountering occasional 2013 and 2012 system events stating that SMTP could not connect to any DNS servers.

Haven't been able to get rid of the 2012 and 2013 errors and am thinking that having the server be a DC is only complicating the issue.

Attempted to demote the server to a member server but encountered a warning: "Before you can install or remove Active Directory, you must remove Certificate Services. For information ... ..."

We currently are using certificates issued by this CA for RPC over HTTP communications. If I remove Certificate Services, then demote, then reinstall Certificate Services, won't all the certificates issued previously be invalid?

Any help will be appreciated.

--------------------

From: Vincent Xu [MSFT]

Hi,

The answer to your question is: yes, the certificates will be invalid if you remove the CA service, even if you re-install it immediately.

Please let me know the Error Event in detail and I'll try to research whether we have any workarounds.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

From: Nick-Mars <nickmars@news.postalias>
Date: Mon, 30 Jan 2006 07:15:28 -0800

Thanks for the quick response, although your response was what I was afraid
of.

I very much appreciate your offer for additional support with the 2012 and 2013 errors.

Below are my notes to date:

Errors:

In the Event log on the Exchange Server two errors are found occasionally.

Source: smtpsvc
Category: None
Event ID: 2013
Description: SMTP could not connect to any DNS server. Either none are configured, or all are down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"Clicking on the link above doesn't provide any information."

There is an accompanying event, below:
Source: smtpsvc
Category: None
Event ID: 2012
SMTP could not connect to the DNS server '172.16.16.50'. The protocol used was 'UDP'. It may be down or inaccessible.

Additional Information:
- The IP address of the internal DNS server is 172.16.16.50.
- The other Exchange/SMTP server on the LAN does not encounter these errors (it has since been taken down).
- The errors occur roughly 10 times a day but not at predictable times.
- They started at around the time when the server became the dominant SMTP server for the network.
- There is no external DNS server configured in the SMTP settings for the server, either on the old Exchange server or the new.
- When external DNS servers were temporarily added (Steps 1 & 2 below) the error 2012 reappeared three times in a row, this time listing an internal or external DNS server in each event. Not sure what this indicates.

Troubleshooting Steps:
1. Added the local ISP's DNS servers to the SMTP settings for the server (in Exchange System Manager: Administrative Groups/First Administrative Group/Servers/servername/Protocols/SMTP/Default Virtual Server - Properties, Delivery tab, Advanced button, Configure external DNS servers). Not positive that the DNS query replies will be routed back to the server.
2. Removed the fix in step 1 after finding the information listed in the (Hits) section below.
3. Following the logic of the article below, shut down the SMTP server on CTRSV11. Deleted all mail from the queue that was more than several hours old and restarted. Errors returned within the same day.

Google article found on the problem
------------------------------------------------
1. I have at least found the reasons for the errors (SMTP 2012 & 2013) and here is how I fixed the errors completely. The errors seem to be caused by excessive UDP packet traffic to the DNS server (internal in most cases) due to a large number of NDR messages waiting to be sent from the Exchange queue; read the details below.
2. It appears the errors are coming from getting DNS info for NDR records (non-delivery reports). Each time a spam is sent to your server to an unknown address the server swallows the message and then attempts to send the original sender back a message saying no such person exists.
3. Look under C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue and you will probably see 1,000 to thousands of messages waiting to be sent out of the queue. Unless you have a very busy server or low bandwidth, all messages that are in the queue are trying to be delivered to a server that does not exist (fake FROM addresses from spammers). You can open these with Outlook Express and see they are just NDR reports being sent back to e-mail spammers informing them that the user does not exist on the server. The reason these are in the queue is that the server cannot deliver the messages because there are no servers at these fake spammer FROM addresses.
4. So I think the Exchange server is creating too much UDP packet traffic to the DNS to get these NDR reports delivered (these errors in most cases are thereby harmless). The NDR reports cannot be delivered because spammers use fake FROM addresses, so your server attempts to send these for up to 48 hours and then gives up and erases them. So much spam continues day after day to be sent to unknown users that this queue just keeps staying at a very large size. Below is how you get Exchange to no longer accept messages to users that do not exist on your domains. This will reduce traffic on your server and eliminate your SMTP errors on your server.

1. Exchange by default produces an NDR report for every e-mail sent to an incorrect address. For example, if a person sends an e-mail to nob***@tymer.com then the server actually takes the message, sees that it cannot be delivered, then sends an NDR (non-delivery report) to the sender's FROM address telling them that the e-mail address does not exist. Now what is important here is that the server can tell the other server it cannot find the person in the list, so there is really no reason to send an NDR; every spam sent to an incorrect address winds up in the NDR queue. The side effect of my fix below is that if a spammer is actually using a legitimate server he could check all known common names on your server and figure out some addresses that actually exist on your server. In any case the side effect is minor, and the fix is below:

a. Load Exchange System Manager and then click the + on Global Settings.
b. Now right-click on Message Delivery options and pick Properties.
c. Now click on the tab for "Recipient Filtering".
d. I checked the box for "Filter recipients who are not in the Directory". Once this box is checked the server gives you a message that you still have to make another setting to complete the process, as described in the next step.
e. As a final setting you have to go to the SMTP Virtual Server (also in Exchange System Manager under the server), right-click on the SMTP virtual server and pick Properties. Now you must click on Advanced for the IP Address and click Edit for the IP address (usually unassigned), and you will see a check box that says "Apply Recipient Filter"; check that box.
f. Now this will stop the Exchange server from taking a message to a user that does not exist on your domains (Active Directory in this case) and sending NDR reports back to the spammers, reducing traffic on the server. As we know, all FROM e-mail addresses from spammers are made up, so sending an NDR report is a waste of time. Also, when the server tries to send an NDR and the address does not exist it continues to keep trying to send this NDR for two days, and this is a waste of resources and creates this excessive UDP packet traffic to the DNS.

Also you can delete all messages currently in your Exchange queue by stopping the SMTP server for a minute, deleting all the files under C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue and restarting the SMTP service. Remember these messages in the queue are not able to be delivered because the addresses they are being sent to do not exist (unless you have an extremely busy server and very low bandwidth, in which case you had better open some of them and verify they are all junk).

One last note is that I also saw where someone had just configured external DNS servers under the SMTP Virtual Server properties, and I suspect this might also work, as the ISP DNS servers probably can handle the excessive UDP packets coming into their DNS servers.

I would like to know if anyone implements this and if it works for you (tazma***@hotmail.com). This basically reduces network traffic, cleans up your Exchange server and eliminates the SMTP errors completely (I have had it running for 1 week and it is working perfectly).

Good luck to all and I hope this helps.
Gordon
End of Article
---------------------------------------------------------------------------

I look forward to hearing from you.

--------------------

From: Vincent Xu [MSFT]

Hi,
Found some information based on your description. You may have a try.

1. Have you installed Symantec Mail Security for Exchange? If so, please install the most current version, Symantec Mail Security 4.6.3 or higher.

Here are the steps from Symantec's website on how to uninstall the product manually:
1) Stop the SMSMSE service.
2) Uninstall SMS for Exchange.
3) Delete the registry sub-key, MessageDeletionQueue, from the registry. The location is:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\4.0\Server\Components\MsgDeletionQueue
4) Reinstall the most current update of Symantec Mail Security for Exchange.

2. An alternate workaround for this problem is to edit the registry for the version of Symantec Mail Security installed.
To edit the registry:
1) Exit all programs.
2) On the Windows taskbar, click Start -> Run.
3) In the Run dialog box, type the following: regedit
4) Click OK.
5) Go to one of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\4.0\Server\Components\
-or-
HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\4.5\Server\Components\
6) In the left pane, right-click Components -> New -> Key and type the following name for the new key: NaveCtrl
7) Right-click NaveCtrl -> New -> DWORD Value, and in the right pane type the following name: CheckForSerialScanAndHeartBeatBool
8) Right-click CheckForSerialScanAndHeartBeatBool -> Modify.
9) In the Value Data field type in: 0
10) Exit the Registry Editor.

3. Apart from the event, are there any obvious symptoms on your system? You may try the following steps:
1) In Exchange System Manager go to Servers/[your server]/Protocols/SMTP
2) Right-click on the Default SMTP Virtual Server and select Properties
3) Click on the Delivery tab
4) Click on the Advanced button
5) Click on the Configure button next to "Configure external DNS Servers"
6) If there are external servers listed in this dialog box, remove them.
7) Restart the Default SMTP Virtual Server

Hope it helps.

Best regards,

Vincent Xu
Microsoft Online Partner Support

--------------------

From: Nick-Mars <nickmars@news.postalias>

Thank you for the tip on SAV potentially causing the problem. We don't use
SAV, we use Trend's AV product. I also have confirmed that there are no DNS server settings for the default virtual SMTP server. Show quoteHide quote "Vincent Xu [MSFT]" wrote: > Hi, > > Found some information based on your description.You may have a try. > > 1. Have you installed Symantec Mail Security for Exchange? If so, please > install the most current version.Symantec Mail Security 4.6.3 or higher. > > Here are the steps from Symantec's website on how to uninstall the product > manually: > 1) Stop the SMSMSE service. > 2) Uninstall SMS for Exchange. > 3) Delete the registry sub-key, MessageDeletionQueue, from the registry. > The location is: > HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\4.0\Server\Components\MsgDeletio > nQueue > 4) Reinstall the most current update of Symantec Mail Security for > Exchange. > > 2. An alternate workaround for this problem is to edit the registry for > version of Symantec Mail Security installed. > To edit the registry > 1) Exit all programs. > 2) On the Windows taskbar, click Start -> Run. > 3) In the Run dialog box, type the following: regedit > 4) Click OK. > 5) Go to one of the following registry keys: > HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\4.0\Server\Components\ > -or > HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\4.5\Server\Components\ > 6) In the left pane, right-click Components -> New -> Key and type the > following name for the new key: > > NaveCtrl > 7) Right-click NaveCtrl -> New -> DWORD Value, in the right pane type the > following name: > > CheckForSerialScanAndHeartBeatBool > 8) Right-click CheckForSerialScanAndHeartBeatBool -> Modify . > 9) In the Value Data: field type in: 0 > 10) Exit the Registry Editor. > > 3. Except the Event, is there any obviously symptoms happen to your system? 
> You may have a try following steps: > 1) In Exchange System Manager go to Servers/[your server]/Protocols/SMTP > 2) right click on the Default SMTP Virtual Server and select Properties > 3) Click on the Delivery tab > 4) Click on Advanced button > 5) Click on the Configure button next to "Configure external DNS Servers" > 6) If there are External servers listed in this dialog box remove them. > 7) restart the Default SMTP Virtual Server > > Hope it helps. > > Best regards, > > Vincent Xu > Microsoft Online Partner Support > > Get Secure! - www.microsoft.com/security > > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > > This posting is provided "AS IS" with no warranties, and confers no rights. > > > -------------------- > >>Thread-Topic: Certificate Authority is also a DC, want to demote? > >>thread-index: AcYlsADJwSrE2EulRV2C+FxgK0ysIQ== > >>X-WBNR-Posting-Host: 66.212.133.164 > >>From: =?Utf-8?B?Tmljay1NYXJz?= <nickmars@news.postalias> > >>References: <00AC0D1A-E834-4946-B47F-398A6D649***@microsoft.com> > <yjJONqWJGHA.3***@TK2MSFTNGXA02.phx.gbl> > >>Subject: RE: Certificate Authority is also a DC, want to demote? 
> >>Thanks for the quick response, although your response was what I was afraid of.
> >>
> >>I very much appreciate your offer for additional support with the 2012 - 2013 errors.
> >>
> >>Below are my notes to date:
> >>
> >>Errors:
> >>
> >>In the Event log on the Exchange Server two errors are found occasionally.
> >>
> >>Source: smtpsvc
> >>Category: None
> >>Event ID: 2013
> >>Description: SMTP could not connect to any DNS server. Either none are configured, or all are down.
> >>For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
> >>"Clicking on the link above doesn't provide any information."
> >>
> >>There is an accompanying event, below:
> >>Source: smtpsvc
> >>Category: None
> >>Event ID: 2012
> >>SMTP could not connect to the DNS server '172.16.16.50'. The protocol used was 'UDP'. It may be down or inaccessible.
> >>
> >>Additional Information:
> >>... The IP address of the internal DNS server is 172.16.16.50.
> >>... The other Exchange/SMTP server on the LAN does not encounter these errors (it has since been taken down).
> >>... The errors occur roughly 10 times a day but not at predictable times.
> >>... They started at around a time when the server became the dominant SMTP server for the network.
> >>... There is no external DNS server configured with SMTP settings for the server. Either on the old Exchange server or the new.
> >>... When external DNS servers were temporarily added (Step 1 & 2 below) the error 2012 reappeared three times in a row, this time listing an internal or external DNS server in each event. Not sure what this indicates.
> >>
> >>Troubleshooting Steps:
> >>1. Added local ISP's DNS servers to the SMTP settings for the server (In exchange system manager - administrative groups/first administrative group/servers/servername/protocols/SMTP/default virtual server - properties. Delivery tab, Advanced button, Configure external DNS servers.). Not positive that the DNS query replies will be routed back to the server.
> >>2. Removed fix in step 1 after finding information listed in the (Hits) section below.
> >>3. Following the logic of the article below, shut down the SMTP server on CTRSV11. Deleted all mail from the queue that was more than several hours old and restarted. Errors returned within the same day.
> >>
> >>Google article found on the problem
> >>------------------------------------------------
> >>1. I have at least found the reasons for the errors (SMTP 2012 & 2013) and here is how I fixed the errors completely. The errors seem to be caused because of excessive UDP packet traffic to the DNS server (internal in most cases) due to a large number of NDR messages waiting to be sent from the exchange queue - read the details below.
> >>2. It appears the errors are coming from getting DNS info for NDR records (non delivery reports). Each time a spam is sent to your server to an unknown address the server swallows the message and then attempts to send the original sender back a message saying no such person exists.
> >>3. Look under C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue and you will probably see 1,000 to thousands of messages waiting to be sent out of the queue. Unless you have a very busy server or low bandwidth all messages that are in the queue are trying to be delivered to a server that does not exist (fake FROM addresses from spammers). You can open these with Outlook Express and see they are just NDR reports being sent back to e-mail spammers informing them that the user does not exist on the server. The reason these are in the queue is because the server cannot deliver the messages because there are no servers at these fake spammer FROM addresses.
> >>4. So I think the exchange server is creating too much UDP packet traffic to the DNS to get these NDR reports delivered (these errors in most cases are thereby harmless). The NDR reports cannot be delivered because spammers use fake FROM addresses so your server attempts to send these for up to 48 hours and then gives up and erases them. So much spam continues day after day to be sent to unknown users that this queue just keeps staying at a very large size - below is how you get exchange to no longer accept messages to users that do not exist on your domains. This will reduce traffic on your server and eliminate your SMTP errors on your server.
> >>
> >>1. Exchange by default produces a NDR report for every e-mail sent to an incorrect address - example is if a person sends an e-mail to nob***@tymer.com then the server actually takes the message, sees that it cannot be delivered, then sends an NDR (non delivery report) to the sender's FROM address telling them that the e-mail address does not exist. Now what is important here is that the server can tell the other server it can not find the person in the list so there is really no reason to send an NDR for every spam sent to an incorrect address; it winds up in the NDR queue. Side effect of my fix below is that if a spammer is actually using a legitimate server he could check all known common names on your server and figure out some addresses that actually exist on your server. In any case the side effect is minor and the fix is below:
> >>
> >>a. Load exchange system manager and then click the + on Global Settings
> >>b. Now right click on Delivery options and pick properties
> >>c. Now click on the tab for "Recipient Filtering"
> >>d. I checked the box for "filter recipients that are not in the directory". Once this box is checked the server gives you a message that you still have to make another setting to complete the process as described in the next step.
> >>e. As a final setting you have to go to the SMTP Virtual Server (also in the exchange system manager under the server) and right click on SMTP virtual server and pick properties. Now you must click on advanced for the IP Address and click EDIT for the IP address (usually unassigned) and you will see a check box that says "Apply Recipient Filter" and you check that box.
> >>f. Now this will stop the exchange server from taking a message to a user that does not exist on your domains (active directory in this case) and sending NDR reports back to the spammers, reducing traffic on the server. As we know all FROM e-mail addresses from spammers are made up so sending an NDR report is a waste of time. Also when the server tries to send an NDR and the address does not exist it continues to keep trying to send this NDR for two days and this is a waste of resources and creating this excessive UDP packet traffic to the DNS.
> >>
> >>Also you can delete all messages currently in your exchange queue by stopping the SMTP server for a minute and deleting all the files under C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue and restarting the SMTP service. Remember these messages in the queue are not able to be delivered because the addresses they are being sent to do not exist (unless you have an extremely busy server and very low bandwidth in which case you better open some of them and verify they are all junk).
> >>
> >>One last note is that I also saw where someone had just configured external DNS servers under the SMTP Virtual Server properties and I suspect this might also work, for the ISP DNS servers probably can handle the excessive UDP packets coming into their DNS servers.
> >>
> >>I would like to know if anyone implements this and if it works for you (tazma***@hotmail.com). This basically reduces network traffic and cleans up your exchange server and eliminates the SMTP errors completely (I have had it running for 1 week and it is working perfectly).
> >>
> >>Good luck to all and I hope this helps.
> >>Gordon
> >>End of Article
> >>---------------------------------------------------------------------------
> >>
> >>I look forward to hearing from you.
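Gordon's article (step 3 and the "delete all the files under ...\Queue" note) and Nick's troubleshooting step 3 both treat the outbound queue as pure NDR backscatter. As an added example that is not code from the thread or from Microsoft, the Python script below triages such a queue directory instead: it classifies each queued file as an NDR or ordinary mail, tallies the destination domains, and deletes only the NDRs, so a genuine message waiting on a slow peer is not purged with the junk. It assumes one RFC 822 message per queue file; the file names, host names and sample messages are constructed.

```python
"""Triage an Exchange 2003 SMTP queue directory before purging it.

Added example, not code from the thread or from Microsoft. The quoted article
says Mailroot\\vsi1\\Queue fills with NDRs to forged spam senders and suggests
deleting everything; this classifies each queued file instead, so only the NDR
backscatter is removed and genuine outbound mail survives. Assumes one RFC 822
message per file (the thread opens them in Outlook Express); sample messages,
host names and file names are constructed.
"""
import os
import tempfile
from collections import Counter
from email import message_from_bytes
from email.message import Message
from email.utils import parseaddr

# Constructed RFC 3464 delivery-status report pieces shared by the sample NDRs.
DSN_CT = b'Content-Type: multipart/report; report-type=delivery-status; boundary="bb"\r\n'
DSN_BODY = (b"\r\n--bb\r\nContent-Type: text/plain\r\n\r\nUser unknown.\r\n--bb\r\n"
            b"Content-Type: message/delivery-status\r\n\r\nAction: failed\r\nStatus: 5.1.1\r\n--bb--\r\n")
PM = b"From: postmaster@mail.example.invalid\r\n"

# Constructed sample queue: four NDRs (two aimed at the same forged domain) and
# one genuine outbound message that a blanket purge would destroy.
SAMPLE_QUEUE = {
    "NTFS_1.EML": PM + b"To: bogus1@spammer-fake.invalid\r\n" + DSN_CT + DSN_BODY,
    "NTFS_2.EML": b"Return-Path: <>\r\n" + PM + b"To: bogus2@nowhere-such.invalid\r\n"
                  b"Content-Type: text/plain\r\n\r\nUser unknown.\r\n",
    "NTFS_3.EML": PM + b"To: x9z@spammer-fake.invalid\r\nContent-Type: text/plain\r\n\r\nUser unknown.\r\n",
    "NTFS_4.EML": PM + b"To: jane@partner.example.com\r\n" + DSN_CT + DSN_BODY,
    "NTFS_5.EML": b"From: alice@mail.example.invalid\r\nTo: bob@customer.example.com\r\n"
                  b"Subject: Invoice 1234\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n",
}

BACKSCATTER = "mostly NDR backscatter: enable recipient filtering, then purge the NDRs"
MIXED = "mixed queue: inspect the non-NDR messages before purging anything"


def is_ndr(msg: Message) -> bool:
    """True for bounces: an RFC 3464 multipart/report (report-type=delivery-status)
    or the older style sent from postmaster or carrying the null reverse path <>."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return msg.get("Return-Path", "").strip() == "<>" or sender.startswith("postmaster@")

def recipient_domain(msg: Message) -> str:
    """Domain the queued message is still trying to reach."""
    addr = parseaddr(msg.get("To", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify_queue(queue_dir: str) -> dict:
    """Count NDR and non-NDR files and tally destination domains for each class."""
    summary = {"total": 0, "ndr": 0, "other": 0, "ndr_files": [],
               "ndr_domains": Counter(), "other_domains": Counter()}
    for name in sorted(os.listdir(queue_dir)):
        path = os.path.join(queue_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            msg = message_from_bytes(fh.read())
        summary["total"] += 1
        if is_ndr(msg):
            summary["ndr"] += 1
            summary["ndr_files"].append(name)
            summary["ndr_domains"][recipient_domain(msg)] += 1
        else:
            summary["other"] += 1
            summary["other_domains"][recipient_domain(msg)] += 1
    return summary

def recommend(summary: dict, threshold: float = 0.8) -> str:
    """Does the queue match the backscatter pattern the article describes?"""
    if summary["total"] == 0:
        return "queue is empty"
    return BACKSCATTER if summary["ndr"] / summary["total"] >= threshold else MIXED

def purge_ndrs(queue_dir: str, summary: dict, dry_run: bool = True) -> list:
    """List (or, with dry_run=False, delete) only the NDR files; real mail stays.
    Stop the SMTP service first when doing this for real, as the article says."""
    for name in summary["ndr_files"]:
        if not dry_run:
            os.remove(os.path.join(queue_dir, name))
    return list(summary["ndr_files"])

def write_sample_queue() -> str:
    """Materialise the constructed sample queue in a temporary directory."""
    queue_dir = tempfile.mkdtemp(prefix="vsi1_queue_")
    for name, raw in SAMPLE_QUEUE.items():
        with open(os.path.join(queue_dir, name), "wb") as fh:
            fh.write(raw)
    return queue_dir

if __name__ == "__main__":
    report = classify_queue(write_sample_queue())
    print(f"{report['ndr']} NDRs of {report['total']} queued;",
          "NDR targets:", report["ndr_domains"].most_common(3))
    print(recommend(report))
```

Pointing `classify_queue` at the real Mailroot\vsi1\Queue path (with the SMTP virtual server stopped) gives the per-domain tally the article tells you to eyeball by opening files in Outlook Express.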
Is there any obvious symptom?

Best regards,

Vincent Xu
Microsoft Online Partner Support

--------------------
>>Thank you for the tip on SAV potentially causing the problem. We don't use SAV, we use Trend's AV product. I also have confirmed that there are no DNS server settings for the default virtual SMTP server.
>>
>>"Vincent Xu [MSFT]" wrote:
>>
>>> Hi,
>>>
>>> Found some information based on your description. You may have a try.
>>>
>>> 1. Have you installed Symantec Mail Security for Exchange? If so, please install the most current version, Symantec Mail Security 4.6.3 or higher.
>>>
>>> Here are the steps from Symantec's website on how to uninstall the product manually:
>>> 1) Stop the SMSMSE service.
>>> 2) Uninstall SMS for Exchange.
>>> 3) Delete the registry sub-key, MessageDeletionQueue, from the registry. The location is:
>>> HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\4.0\Server\Components\MsgDeletionQueue
>>> 4) Reinstall the most current update of Symantec Mail Security for Exchange.
>>>
>>> 2. An alternate workaround for this problem is to edit the registry for the version of Symantec Mail Security installed.
>>> To edit the registry
>>> 1) Exit all programs.
>>> 2) On the Windows taskbar, click Start -> Run.
>>> 3) In the Run dialog box, type the following: regedit
>>> 4) Click OK.
>>> 5) Go to one of the following registry keys:
>>> HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\4.0\Server\Components\
>>> -or-
>>> HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\4.5\Server\Components\
>>> 6) In the left pane, right-click Components -> New -> Key and type the following name for the new key:
>>>
>>> NaveCtrl
>>> 7) Right-click NaveCtrl -> New -> DWORD Value, in the right pane type the following name:
>>>
>>> CheckForSerialScanAndHeartBeatBool
>>> 8) Right-click CheckForSerialScanAndHeartBeatBool -> Modify.
>>> 9) In the Value Data: field type in: 0
>>> 10) Exit the Registry Editor.
>>>
>>> 3. Apart from the event, are there any obvious symptoms on your system?
Vincent,
Sorry I never got back to you on this. I probably missed the notification that you had replied.

In response to "Is there an obvious symptom?" No. Just errors in the event log which are making the client nervous.

"Vincent Xu [MSFT]" wrote:
> Hi,
>
> Is there any obvious symptom?
Hi,
If so, I'd like to suggest you just ignore this event. Honestly, MS doesn't recommend installing Exchange on DC because there may have some unknown issue. For this reason, the event log may be caused by various reasons and we seems to be lack of clues to analyse it. In another word, this event log may be mis-logged. For current situation, I suggest you told your client to safely ignore this event. Best regards, Vincent Xu Microsoft Online Partner Support Get Secure! - www.microsoft.com/security When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- >>Thread-Topic: Certificate Authority is also a DC, want to demote? <yjJONqWJGHA.3***@TK2MSFTNGXA02.phx.gbl> >>thread-index: AcYwtnf9XmzkHs9jSOW3O3gQvpyX/Q== >>X-WBNR-Posting-Host: 66.212.133.164 >>From: =?Utf-8?B?Tmljay1NYXJz?= <nickmars@news.postalias> >>References: <00AC0D1A-E834-4946-B47F-398A6D649***@microsoft.com> <4A7156D4-5C22-4BB7-8303-BD240801F***@microsoft.com> <v75FqIhJGHA.3***@TK2MSFTNGXA02.phx.gbl> <E3C8389C-3D5D-4DA3-B6E3-8D26D3C55***@microsoft.com> <fZbOJ7wJGHA.3***@TK2MSFTNGXA02.phx.gbl> Show quoteHide quote >>Subject: RE: Certificate Authority is also a DC, want to demote? 
microsoft.public.windows.server.active_directory:63878>>Date: Mon, 13 Feb 2006 07:59:28 -0800 >>Lines: 308 >>Message-ID: <2E547525-208E-4713-9FB4-7C2B0FA4E***@microsoft.com> >>MIME-Version: 1.0 >>Content-Type: text/plain; >> charset="Utf-8" >>Content-Transfer-Encoding: 8bit >>X-Newsreader: Microsoft CDO for Windows 2000 >>Content-Class: urn:content-classes:message >>Importance: normal >>Priority: normal >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 >>Newsgroups: microsoft.public.windows.server.active_directory >>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250 >>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl >>Xref: TK2MSFTNGXA01.phx.gbl Show quoteHide quote >>X-Tomcat-NG: microsoft.public.windows.server.active_directory HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\4.0\Server\Components\MsgDeletio>> >>Vincent, >> >>Sorry I never got back to you on this. I probably missed the notification >>that you had replied. In reponse to "Is there an obvious symptom?" No. >>Just errors in the event log which are making the client nervous. >> >>"Vincent Xu [MSFT]" wrote: >> >>> Hi, >>> >>> Is there any obvious symptom? >>> >>> >>> Best regards, >>> >>> Vincent Xu >>> Microsoft Online Partner Support >>> >>> Get Secure! - www.microsoft.com/security >>> >>> When responding to posts, please "Reply to Group" via your newsreader so >>> that others may learn and benefit from your issue. >>> >>> This posting is provided "AS IS" with no warranties, and confers no rights. >>> >>> >>> -------------------- >>> >>Thread-Topic: Certificate Authority is also a DC, want to demote? 
>>> >>thread-index: AcYmXcnBvTCZbvj8QYO8OtUqVAm6+A== >>> >>X-WBNR-Posting-Host: 209.195.152.108 >>> >>From: =?Utf-8?B?Tmljay1NYXJz?= <nickmars@news.postalias> >>> >>References: <00AC0D1A-E834-4946-B47F-398A6D649***@microsoft.com> >>> <yjJONqWJGHA.3***@TK2MSFTNGXA02.phx.gbl> >>> <4A7156D4-5C22-4BB7-8303-BD240801F***@microsoft.com> >>> <v75FqIhJGHA.3***@TK2MSFTNGXA02.phx.gbl> >>> >>Subject: RE: Certificate Authority is also a DC, want to demote? >>> >>Date: Tue, 31 Jan 2006 03:59:28 -0800 >>> >>Lines: 306 >>> >>Message-ID: <E3C8389C-3D5D-4DA3-B6E3-8D26D3C55***@microsoft.com> >>> >>MIME-Version: 1.0 >>> >>Content-Type: text/plain; >>> >> charset="Utf-8" >>> >>Content-Transfer-Encoding: 8bit >>> >>X-Newsreader: Microsoft CDO for Windows 2000 >>> >>Content-Class: urn:content-classes:message >>> >>Importance: normal >>> >>Priority: normal >>> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 >>> >>Newsgroups: microsoft.public.windows.server.active_directory >>> >>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250 >>> >>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl >>> >>Xref: TK2MSFTNGXA02.phx.gbl >>> microsoft.public.windows.server.active_directory:62121 >>> >>X-Tomcat-NG: microsoft.public.windows.server.active_directory >>> >> >>> >>Thank you for the tip on SAV potentially causing the problem. We don't >>> use >>> >>SAV, we use Trend's AV product. I also have confirmed that there are no >>> DNS >>> >>server settings for the default virtual SMTP server. >>> >> >>> >>"Vincent Xu [MSFT]" wrote: >>> >> >>> >>> Hi, >>> >>> >>> >>> Found some information based on your description.You may have a try. >>> >>> >>> >>> 1. Have you installed Symantec Mail Security for Exchange? If so, >>> please >>> >>> install the most current version.Symantec Mail Security 4.6.3 or higher. >>> >>> >>> >>> Here are the steps from Symantec's website on how to uninstall the >>> product >>> >>> manually: >>> >>> 1) Stop the SMSMSE service. 
>>> >>> 2) Uninstall SMS for Exchange. >>> >>> 3) Delete the registry sub-key, MessageDeletionQueue, from the >>> registry. >>> >>> The location is: >>> >>> >>> Show quoteHide quote >>> >>> nQueue server]/Protocols/SMTP>>> >>> 4) Reinstall the most current update of Symantec Mail Security for >>> >>> Exchange. >>> >>> >>> >>> 2. An alternate workaround for this problem is to edit the registry for >>> >>> version of Symantec Mail Security installed. >>> >>> To edit the registry >>> >>> 1) Exit all programs. >>> >>> 2) On the Windows taskbar, click Start -> Run. >>> >>> 3) In the Run dialog box, type the following: regedit >>> >>> 4) Click OK. >>> >>> 5) Go to one of the following registry keys: >>> >>> HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\4.0\Server\Components\ >>> >>> -or >>> >>> HKEY_LOCAL_MACHINE\Software\Symantec\SMSMSE\4.5\Server\Components\ >>> >>> 6) In the left pane, right-click Components -> New -> Key and type the >>> >>> following name for the new key: >>> >>> >>> >>> NaveCtrl >>> >>> 7) Right-click NaveCtrl -> New -> DWORD Value, in the right pane type >>> the >>> >>> following name: >>> >>> >>> >>> CheckForSerialScanAndHeartBeatBool >>> >>> 8) Right-click CheckForSerialScanAndHeartBeatBool -> Modify . >>> >>> 9) In the Value Data: field type in: 0 >>> >>> 10) Exit the Registry Editor. >>> >>> >>> >>> 3. Except the Event, is there any obviously symptoms happen to your >>> system? >>> >>> You may have a try following steps: >>> >>> 1) In Exchange System Manager go to Servers/[your Show quoteHide quote >>> >>> 2) right click on the Default SMTP Virtual Server and select Properties >>> >>> 3) Click on the Delivery tab >>> >>> 4) Click on Advanced button >>> >>> 5) Click on the Configure button next to "Configure external DNS >>> Servers" >>> >>> 6) If there are External servers listed in this dialog box remove them. >>> >>> 7) restart the Default SMTP Virtual Server >>> >>> >>> >>> Hope it helps. 
>>> >>> >>> >>> Best regards, >>> >>> >>> >>> Vincent Xu >>> >>> Microsoft Online Partner Support >>> >>> >>> >>> Get Secure! - www.microsoft.com/security >>> >>> >>> >>> When responding to posts, please "Reply to Group" via your newsreader >>> so >>> >>> that others may learn and benefit from your issue. >>> >>> >>> >>> This posting is provided "AS IS" with no warranties, and confers no >>> rights. >>> >>> >>> >>> >>> >>> -------------------- >>> >>> >>Thread-Topic: Certificate Authority is also a DC, want to demote? >>> >>> >>thread-index: AcYlsADJwSrE2EulRV2C+FxgK0ysIQ== >>> >>> >>X-WBNR-Posting-Host: 66.212.133.164 >>> >>> >>From: =?Utf-8?B?Tmljay1NYXJz?= <nickmars@news.postalias> >>> >>> >>References: <00AC0D1A-E834-4946-B47F-398A6D649***@microsoft.com> >>> >>> <yjJONqWJGHA.3***@TK2MSFTNGXA02.phx.gbl> >>> >>> >>Subject: RE: Certificate Authority is also a DC, want to demote? >>> >>> >>Date: Mon, 30 Jan 2006 07:15:28 -0800 >>> >>> >>Lines: 223 >>> >>> >>Message-ID: <4A7156D4-5C22-4BB7-8303-BD240801F***@microsoft.com> >>> >>> >>MIME-Version: 1.0 >>> >>> >>Content-Type: text/plain; >>> >>> >> charset="Utf-8" >>> >>> >>Content-Transfer-Encoding: 8bit >>> >>> >>X-Newsreader: Microsoft CDO for Windows 2000 >>> >>> >>Content-Class: urn:content-classes:message >>> >>> >>Importance: normal >>> >>> >>Priority: normal >>> >>> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 >>> >>> >>Newsgroups: microsoft.public.windows.server.active_directory >>> >>> >>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250 >>> >>> >>Path: >>> TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl >>> >>> >>Xref: TK2MSFTNGXA02.phx.gbl >>> >>> microsoft.public.windows.server.active_directory:61969 >>> >>> >>X-Tomcat-NG: microsoft.public.windows.server.active_directory >>> >>> >> >>> >>> >>Thanks for the quick response, although your response what what I was >>> >>> afraid >>> >>> >>of. 
>>> >>> >> >>> >>> >>I very much appreciate your offer for additional support with the >>> 2012 - >>> >>> >>2013 errors. >>> >>> >> >>> >>> >>Below are my notes to date: >>> >>> >> >>> >>> >>Errors: >>> >>> >> >>> >>> >>In the Event log on the Exchange Server two errors are found >>> occasionally. >>> >>> >> >>> >>> >>Source: smtpsvc >>> >>> >>Category: None >>> >>> >>Event ID: 2013 >>> >>> >>Description:SMTP could not connect to any DNS server. Either none are >>> >>> >>configured, or all are down. >>> >>> >>For more information, see Help and Support Center at >>> >>> >>http://go.microsoft.com/fwlink/events.asp. >>> >>> >>"Clicking on the link above doesn't provide any information." >>> >>> >> >>> >>> >>There is an accompanying event, below: >>> >>> >>Source: smtpsvc >>> >>> >>Category: None >>> >>> >>Event ID: 2012 >>> >>> >>SMTP could not connect to the DNS server '172.16.16.50'. The protocol >>> >>> used >>> >>> >>was 'UDP'. It may be down or inaccessible. >>> >>> >> >>> >>> >>Additional Information: >>> >>> >>... The IP address of the internal DNS server is 172.16.16.50. >>> >>> >>... The other Exchange/SMTP server on the LAN does not encounter >>> these >>> >>> >>errors (it has since been taken down). >>> >>> >>... The errors occur roughly 10 times a day but not at predictable >>> times. >>> >>> >>... They started at around a time when the server became the dominant >>> >>> SMTP >>> >>> >>server for the network. >>> >>> >>... There is no external DNS server configured with SMTP settings for >>> the >>> >>> >>server. Either on the old Exchange server or the new. >>> >>> >>... When external DNS servers were temporarily added (Step 1 & 2 >>> below) >>> >>> the >>> >>> >>error 2012 reappeared three times in a row, this time listing an >>> internal >>> >>> or >>> >>> >>external DNS servers in each event. Not sure what this indicates. >>> >>> >> >>> >>> >> >>> >>> >>Troubleshooting Steps: >>> >>> >>1. 
Added local ISPs DNS servers to the SMTP settings for the server ( >>> In >>> >>> >>exchange system manager - administrative groups/first administrative >>> >>> >>group/servers/servername/protocols/SMTP/default virtual server - >>> >>> properties. >>> >>> >>Deliver tab, Advanced button, Configure external DNS servers.). Not >>> >>> positive >>> >>> >>that the DNS queury replies will be routed back to the server. >>> >>> >>2. Removed fix in step 1 after finding information listed in the >>> (Hits) >>> >>> >>section below. >>> >>> >>3. Following the logic of the article below, shut down the SMTP >>> server on >>> >>> >>CTRSV11. Deleted all mail from the queue that was more than serveral >>> >>> hours >>> >>> >>old and restarted. Errors returned within the same day. >>> >>> >> >>> >>> >> >>> >>> >>Google article found on the problem >>> >>> >>------------------------------------------------ >>> >>> >> 1. I have at least found the reasons for the errors (SMTP 2012 & >>> 2013) >>> >>> and >>> >>> >>here is how I fixed the errors completely. The errors seem to be >>> caused >>> >>> >>because of excessive UDP packet traffic to the DNS server (internal >>> in >>> >>> most >>> >>> >>cases) due to a large number of NDR messages waiting to be sent from >>> the >>> >>> >>exchange queue ââ�read the details below. >>> >>> >>2. It appears the errors are coming from getting DNS info for NDR >>> records >>> >>> >>(non delivery reports). Each time a spam is sent to your server to an >>> >>> unknown >>> >>> >>address the server swallows the message and then attempts to send the >>> >>> >>original sender back a message saying no such person exists. >>> >>> >>3. Look under C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue and you >>> will >>> >>> >>probably see 1,000 to thousands of messages waiting to be sent out of >>> the >>> >>> >>queue. 
Unless you have a very busy server or low bandwidth all >>> messages >>> >>> that >>> >>> >>are in the queue are trying to be delivered to a server that does not >>> >>> exist >>> >>> >>(fake FROM addresses from spammers). You can open these with Outlook >>> >>> express >>> >>> >>and see they are just NDR reports being sent back to e-mail spammers >>> >>> >>informing them that the user does not exist on the server. The reason >>> >>> these >>> >>> >>are in the queue is because the server cannot deliver the messages >>> >>> because >>> >>> >>there are no servers at these fake spammer FROM addresses. >>> >>> >>4. So I think the exchange server is creating too much UDP packet >>> traffic >>> >>> to >>> >>> >>the DNS to get these NDR reports delivered (these errors in most >>> cases >>> >>> are >>> >>> >>thereby harmless). The NDR reports cannot be delivered because >>> spammers >>> >>> use >>> >>> >>fake FROM addresses so your server attempts to send these for up to >>> 48 >>> >>> hours >>> >>> >>and then gives up and erases them. So much spam continues day after >>> day >>> >>> to be >>> >>> >>sent to unknown users that this queue just keeps staying at a very >>> large >>> >>> size >>> >>> >>- below is how you get exchange to no longer accept messages to users >>> >>> that do >>> >>> >>not exist on your domains. This will reduce traffic on your server >>> and >>> >>> >>eliminate your SMTP errors on your server. >>> >>> >> >>> >>> >>1. Exchange by default produces a NDR report for every e-mail sent to >>> an >>> >>> >>incorrect address - example is if a person sends an e-mail to >>> >>> >>nob***@tymer.com then the server actually takes the message sees that >>> it >>> >>> >>cannot be delivered then sends an NDR (non delivery report) to the >>> >>> senders >>> >>> >>FROM address telling them that the e-mail address does not exist. Now >>> >>> what is >> Thanks. I'm willing to let it die also.
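The accept-then-bounce behaviour that the article quoted in Nick's 30 Jan notes describes, modelled as an added example (this is not code from the thread, from Exchange or from Microsoft): with no recipient filtering, every message to an unknown local user is accepted and turned into an NDR addressed to the forged MAIL FROM, and each queued NDR drives repeated DNS lookups until it expires; recipient filtering refuses the RCPT TO during the session instead, so nothing is queued. The retry schedule (10/10/10 minutes, then every 15 minutes, 2-day expiry), the assumption that every retry re-resolves the sender's domain, and all addresses and domains are assumptions made for the demo.

```python
"""Why NDRs to forged senders pile up, and what recipient filtering changes.

Added example, not from the thread. It models the two policies the quoted
article contrasts: Exchange 2003's default of accepting mail for unknown
local users and bouncing afterwards, versus refusing unknown recipients
at RCPT TO. Addresses, domains and retry timings are constructed/assumed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    mail_from: str   # SMTP envelope sender ("<>" is the null reverse-path)
    rcpt_to: str     # SMTP envelope recipient


@dataclass
class Outcome:
    accepted: int = 0
    rejected_550: int = 0
    ndr_queue: list = field(default_factory=list)  # NDRs awaiting remote delivery
    dns_lookups: int = 0                            # lookups the queue will drive


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_unknown_local(rcpt: str, local_domains, known_users) -> bool:
    return domain_of(rcpt) in local_domains and rcpt.lower() not in known_users


def retry_attempts(first_retries=(10, 10, 10), subsequent=15, expiry_minutes=48 * 60) -> int:
    """Delivery attempts before a queued message expires. Assumed Exchange 2003
    defaults: retries after 10, 10 and 10 minutes, then every 15 minutes, 2-day expiry."""
    t, n = 0, 0
    for gap in first_retries:
        t += gap
        if t > expiry_minutes:
            return n
        n += 1
    while t + subsequent <= expiry_minutes:
        t += subsequent
        n += 1
    return n


def accept_then_bounce(msgs, local_domains, known_users) -> Outcome:
    """Default behaviour without recipient filtering: everything is accepted,
    unknown users are discovered later and an NDR is queued to MAIL FROM."""
    out = Outcome()
    for m in msgs:
        out.accepted += 1
        if is_unknown_local(m.rcpt_to, local_domains, known_users) and m.mail_from != "<>":
            # Never bounce a null reverse-path (RFC 5321); that would loop bounces.
            out.ndr_queue.append(Message(mail_from="<>", rcpt_to=m.mail_from))
    # Upper bound, assuming each retry re-resolves the (forged) sender domain.
    out.dns_lookups = len(out.ndr_queue) * retry_attempts()
    return out


def reject_at_rcpt(msgs, local_domains, known_users) -> Outcome:
    """Recipient filtering: unknown local users get a 550 at RCPT TO, so the
    message is never accepted and no NDR (and no DNS traffic) results."""
    out = Outcome()
    for m in msgs:
        if is_unknown_local(m.rcpt_to, local_domains, known_users):
            out.rejected_550 += 1
        else:
            out.accepted += 1
    return out


# Constructed traffic: two legitimate messages, dictionary-style spam to
# unknown users with forged senders, and one probe with a null sender.
LOCAL_DOMAINS = {"example.com"}
KNOWN_USERS = {"alice@example.com", "bob@example.com"}
SAMPLE = [
    Message("partner@example.net", "alice@example.com"),
    Message("partner@example.net", "bob@example.com"),
    Message("forged1@no-such-host.invalid", "john@example.com"),
    Message("forged2@no-such-host.invalid", "mary@example.com"),
    Message("forged3@another.invalid", "sales@example.com"),
    Message("forged4@another.invalid", "Admin@Example.COM"),
    Message("<>", "root@example.com"),
]

if __name__ == "__main__":
    for policy in (accept_then_bounce, reject_at_rcpt):
        r = policy(SAMPLE, LOCAL_DOMAINS, KNOWN_USERS)
        print(f"{policy.__name__}: accepted={r.accepted} rejected={r.rejected_550} "
              f"queued_ndrs={len(r.ndr_queue)} dns_lookups<={r.dns_lookups}")
```

Run stand-alone it prints both policies side by side: with the constructed seven messages the default policy queues four NDRs, each of which can be retried roughly 190 times before the 2-day expiry, while the filtering policy accepts the two legitimate messages and answers the other five with 550 and queues nothing. The null-sender probe is the edge case worth noticing: it is refused under filtering, but under accept-then-bounce it must be silently dropped rather than bounced, or the server becomes a bounce loop.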
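Before telling a client to ignore smtpsvc 2012/2013, a practitioner would usually want to quantify them. This added example (not code from the thread or from Microsoft) parses a constructed, simplified event export, counts the two events per day, pairs each 2013 with the 2012 that precedes it within a few seconds (the "accompanying event" Nick describes), and lists every DNS server named in a 2012 so that an external or stale server address stands out; that is the check behind Vincent's step 3 and Nick's observation that adding ISP servers produced 2012 events naming them. The one-line-per-event format and all sample lines are constructed, and the expected server set is taken from the 172.16.16.50 mentioned in the thread.

```python
"""Triage of smtpsvc 2012/2013 events before deciding to ignore them.

Added example, not from the thread. The input format (one event per line:
"YYYY-MM-DD HH:MM:SS,Source,EventID,Description") is a simplified stand-in
for an Event Viewer export; every line in SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DNS_SERVER_RE = re.compile(r"DNS server '([^']+)'")


def parse_events(text):
    """Return [(timestamp, source, event_id, description)] for smtpsvc 2012/2013,
    sorted by time. Other sources and IDs are dropped."""
    events = []
    for line in text.strip().splitlines():
        ts, source, event_id, desc = line.split(",", 3)
        if source != "smtpsvc" or event_id not in ("2012", "2013"):
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, int(event_id), desc))
    events.sort(key=lambda e: e[0])
    return events


def triage(events, expected_dns_servers, pair_window=timedelta(seconds=5)):
    """Per-day counts, 2012->2013 pairing, and the DNS servers the 2012s name.

    A 2013 ("could not connect to any DNS server") is 'paired' when a 2012
    naming a specific server precedes it within pair_window; an unpaired
    2013 means SMTP had no server to try at all, which is a config problem
    rather than a transient UDP failure."""
    per_day = defaultdict(lambda: Counter({2012: 0, 2013: 0}))
    dns_servers = Counter()
    paired = unpaired_2013 = 0
    last_2012 = None  # [timestamp, already paired?]
    for ts, _, eid, desc in events:
        per_day[ts.date()][eid] += 1
        if eid == 2012:
            m = DNS_SERVER_RE.search(desc)
            if m:
                dns_servers[m.group(1)] += 1
            last_2012 = [ts, False]
        elif last_2012 and not last_2012[1] and ts - last_2012[0] <= pair_window:
            paired += 1
            last_2012[1] = True
        else:
            unpaired_2013 += 1
    return {
        "per_day": {d.isoformat(): dict(c) for d, c in sorted(per_day.items())},
        "dns_servers": dict(dns_servers),
        "unexpected_dns_servers": sorted(set(dns_servers) - set(expected_dns_servers)),
        "paired_2013": paired,
        "unpaired_2013": unpaired_2013,
    }


# Constructed export: three days of events, one 2012 naming an address that is
# not the internal DNS server, one 2013 with no preceding 2012, and one
# unrelated event that must be filtered out.
SAMPLE_LOG = """\
2006-02-10 08:15:02,smtpsvc,2012,SMTP could not connect to the DNS server '172.16.16.50'. The protocol used was 'UDP'. It may be down or inaccessible.
2006-02-10 08:15:02,smtpsvc,2013,SMTP could not connect to any DNS server. Either none are configured, or all are down.
2006-02-10 13:40:11,smtpsvc,2012,SMTP could not connect to the DNS server '172.16.16.50'. The protocol used was 'UDP'. It may be down or inaccessible.
2006-02-10 13:40:12,smtpsvc,2013,SMTP could not connect to any DNS server. Either none are configured, or all are down.
2006-02-11 02:05:33,smtpsvc,2012,SMTP could not connect to the DNS server '172.16.16.50'. The protocol used was 'UDP'. It may be down or inaccessible.
2006-02-11 02:05:33,smtpsvc,2013,SMTP could not connect to any DNS server. Either none are configured, or all are down.
2006-02-11 02:05:40,smtpsvc,2012,SMTP could not connect to the DNS server '198.51.100.2'. The protocol used was 'UDP'. It may be down or inaccessible.
2006-02-11 02:05:41,smtpsvc,2013,SMTP could not connect to any DNS server. Either none are configured, or all are down.
2006-02-12 09:00:00,smtpsvc,2013,SMTP could not connect to any DNS server. Either none are configured, or all are down.
2006-02-12 09:00:01,MSExchangeTransport,3015,constructed unrelated event that must be ignored
"""

if __name__ == "__main__":
    report = triage(parse_events(SAMPLE_LOG), expected_dns_servers={"172.16.16.50"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The two numbers worth watching are `unexpected_dns_servers` (anything other than the configured internal server means an external DNS entry is still set on the SMTP virtual server or in the NIC settings) and `unpaired_2013` (a 2013 with no 2012 at all means SMTP had no server list to try, not a flaky UDP path). If both are empty and the per-day rate stays flat and low, Vincent's advice to treat the events as noise is at least a measured decision.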