Wednesday, November 27, 2013

Microsoft Exchange 2007 How to find what is inside Mailbox Database from Shell

In this Article, We are checking various options from the Exchange Management Shell

To avoid any Permission issue, Run Exchange Management Shell "Run As" Administrator or Account with Full Admin rights

How to find Mailbox Database
[PS] C:\>Get-mailboxDatabase

How to find Mailbox Database
[PS] C:\>Get-mailboxDatabase | FL Name, StorageGroup, Mounted, BackupInProgress, OnlineMaintenanceInProgress

How to find Mailbox Database
[PS] C:\>Get-mailboxDatabase -id "Name of the DB" | Get-Mailbox

How to find which Mailbox belongs to which Database
[PS] C:\Documents and Settings\Administrator>Get-mailbox | FL Name, Database

How to find list of the Mailboxes in Database
[PS] C:\>Get-mailbox -database "Database name" 

How to find Total number of Storage group 
[PS] C:\>Get-StorageGroup 

How to find list of the Mailboxes in Database
[PS] C:\>Get-mailbox -database "Database name" 

How to find list of the Mailboxes in Database
[PS] C:\>Mount-Database -Id "E2k7\RSG\"Mailbox Database" 

Understanding CCR log files

Creating bulk users from Exchange management shell

Original script From : Script to download

When you have downloaded and extracted the scripts to your server – open a Powershell Console and navigate to the location where they are located – when there type in:



When the script executes you will be presented with a Windows “Open” dialog box – navigate to the location where you extracted the files and then choose the sample CSV – see below;


The script will then execute creating each user in your Active Directory Lab environment – the Default password is “Password1” – see below;


When the script has completed – open Active Directory Users and Computers – you will see a new OU called “ExchangeUsers” – within this OU are the new accounts that you can play with – see below;


Enable the users using Power Shell

Get-User -Filter {Department -Like 8* -And RecipientType -eq User} | % { Enable-MailUser $_ -externalEmailAddress $($}

Another Script
Get-User | Where-Object{$_.RecipientType –eq “User”}
Get-User –OrganizationalUnit People | Where-Object{$_.RecipientType –eq “User”}
get-user –organizationalUnit people | where-object{$_.RecipientType –eq “User” -and $_.department –eq “Sales”}
get-user –organizationalUnit people | where-object {$_.RecipientType –eq “User” -and $_.department –eq “Sales”} | Enable-Mailbox –Database “EXCHANGE1\Mailbox Database” | get-mailbox | select name,windowsemailaddress,database

From the powershell, run the .\CreateUsersFromCSV.ps1
and the confirm the user from Get-User in Active directory at OU=ExchangeUsers and in the below Exchange shell command rename -OrganizationalUnit People
Get-user –organizationalUnit people | where-object {$_.RecipientType –eq “User” -and $_.department –eq “Sales”} | Enable-Mailbox –Database “EXCHANGE1\Mailbox Database” | get-mailbox | select name,windowsemailaddress,database

Run the command from Shell
get-mailbox | fl name, database and from the resultant replace the Database after Enable-Mailbox -Database ""

So the new command would be
get-user –organizationalUnit ExchangeUsers | where-object {$_.RecipientType –eq “User” -and $_.department –eq “Sales”} | Enable-Mailbox –Database “E2K7\First Storage Group\Mailbox Database” | get-mailbox | select name,windowsemailaddress,database

Here OrganizationUnit is the location from ADUC where Exchange users created
and E2K7\First Storage Group\Mailbox Database is an example from my E2k7 DB

Thursday, November 21, 2013

Post Installing KB 2837618 2768005 Unable to set out of office settings, free busy contains no information

Issue : 
After installing KB on Outlook 2013, users are complaining that they are unable to set "Out of Settings" and can't schedule Free busy information after Installing November Security Patches

but Owa users can set OOF and schedule meetings

 "Your server location could not be determined."

Creation of new profile while update 2768005 and 2837618 installed on the system, didn't working either, you need to remove both of the update and then create a new Outlook Profile.

Lots of users are complaining about this issue on Outlook 2013 with Exchange 2007.

Alternately Quit Outlook and try setting OOF from OWA and log back into Outlook and check if this settings can resolve the issue

There is no update released as far of now, wait for Microsoft to update about this issue in newer patch or update

Current issue on Technet

Wednesday, November 13, 2013

Inspirational Quotes

“Experience life in all possible ways –good-bad, bitter-sweet, dark-light, summer-winter. Experience all the dualities. Don’t be afraid of experience, because the more experience you have, the more mature you become.”
- Osho

Continuous effort—not strength or intelligence—is the key to unlocking our potential.

- Winston Churchill

In order to grow, you must give up the struggle to remain the same, and learn to embrace change at all times.

–Michael A.  Singer

“if we do what we resolve to do then we can enjoy unlimited success” –Amit Malviya

"Focus on where you want to go, not on what you fear." - Anthony Robbins

Some of my suggestions are easier said than done. Just try. The intention is more important than immediate success. -

"It's determination and commitment to an unrelenting pursuit of your goal that will enable you to attain the success you seek."

"Sooner or later, those who win are those who think they can." - Richard Bach

People only treat you one way …… the way you allow them

एक छुपी हुई पहचान रखता हूँ, बाहर शांत हूँ, अंदर तूफान रखता हूँ, 

रख के तराजू में अपने दोस्त की खुशियाँ, दूसरे पलड़े में मैं अपनी 

जान रखता हूँ।

One night a father overheard his son pray: Dear God, Make me the kind of man my Daddy is. Later that night, the Father prayed: Dear God, Make me the kind of man my son wants me to be.
- Anonymous

The 3 C’s of life: You must make a choice to take a chance or your life will never change

Sunday, November 10, 2013

Bulk Mailbox Script

ForEach ($mailbox in $mailbox) {Enable-Mailbox -Identity $Mailbox.Identity -Database $Mailbox.Database}

NEXT: Run the Script
Go to Exchange Management Shell
You can change the directory to the root by typing cd\ then hit Enter (NOTE: If you just typed the words "then hit Enter" you do not belong working on servers)

Then type: ./enablebox.ps1

Just in case you want to enable archive for all users in the csv add this to the above script. 
Add <| Enable-Mailbox –Archive -ArchiveDatabase "<enter archive db name here>"}> Shown below in its entirety. 

$mailbox=import-csv C:\<filename>.CSV
ForEach ($mailbox in $mailbox) {Enable-Mailbox -Identity $Mailbox.Identity -Database $Mailbox.Database | Enable-Mailbox –Archive -ArchiveDatabase "<enter archive db name here>"}

Reference : Mailbox Script

Unable to Mount Exchange 2010 Database on Hyper-V Guest MapiExceptionJetErrorOutOfMemory: Unable to mount database

Issue : On Exchange 2010 DAG database are not mounting

Error :
Couldn't mount the database that you specified. Specified database: DB1; Error code: An Active Manager operation failed with a transient error. Please retry the operation. Error: A transient error occurred during discovery of the database availability group topology. Error: Database action failed with transient error. Error: A transient error occurred during a database operation. Error: MapiExceptionJetErrorOutOfMemory: Unable to mount database. 

Resolution : 
In Hyper-V, Shutdown the Exchange VM to reset the Memory to multiple of 1024.
I reset the memory to 4096 MB and start the Exchange VM.
Now able to mount the Database.

Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later

Users from Outlook 2010, unable to set OOF, no issues from OWA

"Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later"

Exchange server 2010 Sp2
Outlook 2007 

Troubleshooting steps
1. Check for Address book service to ensure that connectivity for Autodiscover is fine 
2. Check for Autodiscover status from Outlook machine. Click on URL to check "Test Connectivity"
3. On Exchange server, Check Autodiscover Virtual Directory
It can be check from EMC or EMS 

Get-AutodiscoveryVirtualDirectory -id "Autodiscover (Default Web Site)" | FL *URL*
and check for both InternalURL and ExternalURL

For reference, Autodiscover FQDN URL are listed as below. Outlook Client will try to Access URLs from Internet in following order

To Set the Autodiscover from Exchange server

Ran the below commands on the server:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl

Spoofed Address

Resolve Spoofed Address Issue

ms-Exch-SMTP-Accept-Authoritative-Domain-Sender permission on the default receive connector

Get-ReceiveConnector 'Default E2' | Remove-ADPermission -user 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'

Add-ADPermission –Identity “Default internal receive connector SPARTAN" –Deny –User “NT Authority\Anonymous Logon" –ExtendedRights ms-exch-smtp-accept-authoritative-domain-sender

Get-ReceiveConnector "Default ReceiveConnector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

Uncheck the Bypass Antispam for Authenticated user for Default Receive connector from ADSIEDIT.msc 

We run the command from the Set-SenderIdConfig -InternalMailEnabled $True and 
Set-SenderfilterConfig -InternalMailEnabled $True 

Restart the Transport service

Sender ID Sender ID verifies that each e-mail message originates from the 
Internet domain from which the message claims to come by examining the sender's IP 
address and comparing the IP address to the Sender ID record in the sender's public 
Domain Name System (DNS) server. The Sender ID record in the sender's public DNS 
server is the sender policy framework (SPF) record. The SPF defines the IP 
addresses that are authorized to send messages for the domain in which the SPF 
record resides. When the receiving system queries the SPF record, and a "Pass" 
status is returned, the receiving system has a higher assurance that the message is 
not being spoofed by an illegitimate sender.
You can specify how the Sender ID agent handles temporary errors, such as DNS 
failures, when it performs an SPF query. 

For more information, see Sender IDSender ID 

Saturday, November 9, 2013

Brief Info about Checksum Offload

Brief Info about Checksum Offload
When data comes in through a network, it's "checksummed," meaning the data is checked against a checksum (or validation code) in the headers in the packets it was delivered in. If the data and checksum don't match, the packet is determined to be bad and has to be retransmitted. 

To speed things up, some network cards can "offload" the checksumming, i.e., perform the checksumming on the network card itself, rather than leave the job to the CPU. This frees up the CPU to do that much more work on its own and on a server with extremely high network throughput that much CPU savings can add up. 

Windows 2003 Server and Windows 2008 server both have driver-level support for checksum offloading in many network cards (that is, when the card itself also supports it). However, sometimes this causes the network link on the computer in question to drop unexpectedly. And you may experience communication issues with DCs, GCs and clients.


from : Disable checksum offloading to resolve network slowdown caused by Windows Firewall


netstat -s   //shows packet information
netstat -arn // Persistant routes.
netstat -a
netstat -ano
netstat -abo
Route Print 

Belos is the Example to filter port 25 for TCP
netstat -an |file ":25" | file "TCP"

Disable SMTP on Cisco firewall

Log on to the PIX device by establishing a telnet session or by using the console. 

Type enable, and then press ENTER. 
When you are prompted, type your password, and then press ENTER. 
Type "configure" terminal, and then press ENTER. 
Type "no fixup protocol smtp 25" , and then press ENTER. 
Type "write memory", and then press ENTER. 
Restart the PIX device, or reload the PIX configuration.

Please use above command carefully on your responsibility.

Exchange Attributes

Important attributes for Exchange server

from : XCON: Attributes Required to Route Messages Through the Categorizer



Port 25; Simple Mail Transfer Protocol (SMTP) 465 (SSL)

DNS 53; TCP & UDP 

Port 80; Hypertext Transfer Protocol (HTTP) 

Port 88; Kerberos TCP & UDP 

Port 102; Message Transfer Agent (MTA) 

Port 110; Post Office Protocol v3 (POP3) (995, SSL)

Port 119; Network News Transfer Protocol (NNTP) 

Port 135; Exchange administration, RPC, client server communication   
RPC 135, 445 & all 1024+ port TCP 

Port 143, Internet Message Access Protocol version 4 (IMAP4) 

Port 389, Lightweight Directory Application Protocol (LDAP) TCP & UDP 

Port 443, HTTP using Secure Sockets Layer (SSL) 

port 465 (ssmtp), 

Port 563, NNTP using Secure Sockets Layer (SSL) 

Port 636, LDAP using Secure Sockets Layer (SSL) 

Port 691, Link State T

Port 993, IMAP4 using Secure Sockets Layer (SSL) 

Port 995, POP3 using Secure Sockets Layer (SSL) 

Port 3268 – Port 3269; Global catalog lookups 

On Exchange Server
CAS server to CAS server = TCP 80 and TCP 443
Hub server to Hub server = TCP_25
Hub server to Mailbox server = Ephermal port i.e Dynamic TCP port (1024-65535)
Mailbox server to Mailbox Server  = TCP 135, Dynamic TCP (1024-65535), UDP 3343, TCP 64327


Here are the few Examples for using NSLookup

nslookup -q=a ""
Eg. nslookup -q=a ""

In above examples, i am using as an example and if you want to test with any other domain, use IP along with domain name.

set vc   // for tcp queries
server <>

nslookup q=ptr
> type IP address to check whether IP address has reverse IP

in the same way you can change the query type to mx, a, txt,ns

q=mx //to query about MX record of the domain
q=a    //All
q=txt // TXT record
q=ns //name server 

Other tools can be used
c:\> ARP -a 
c:\> Route Print

c:\> pathping -4  ( domain is used as an Example)

Microsoft Exchange server 2003 Queues listing

from : How to use Queue Viewer to troubleshoot mail flow issues in Exchange server 2003

Queue: Messages pending submission
Queue: Messages awaiting directory lookup
Queue: Messages waiting to be routed
Queue: Local delivery (the domain name may appear) 
Queue: Remote delivery queue 
Queue: Messages with an unreachable destination
Queue: Messages queued for deferred delivery
Queue: DSN messages pending submission
Queue: Failed message retry
Queue: Failed message retry
Queue: PendingRerouteQ (X.400)

Exchange Technet links

Managing Connectors

Send Connectors

Configuring Exchange 2007 Hub Transport role to receive Internet mail

How to Configure Connectors for Internet Mail Flow

Exchange Server 2007 Recipient Policies and Accepted Domains

Exchange Server 2007 recipient management one-liners

How to Modify an SMTP E-Mail Address by Using Recipient Policies

How to customize the SMTP e-mail address generators through recipient policies

Recipient Policies

Troubleshooting the Recipient Update Service in Exchange Server 2003 and Exchange 2000 Server

Tools and parameter

Ethereal  - smtp.rsp.parameter contains "Authentication unsuccessful"

NetMon ipv4.Address == and ipv4.Address ==

wireshark (ip.addr eq and ip.addr eq

experfwiz from
.\experfwiz.ps1 -server <Server FQDN> -interval 5 -filepath C:\Logs

procdump.exe -ma -n <number of dumps> -s <number> -accepteula <servicename>.exe c:\dumps\<nameof the dump file>.dmp 

ExTrace.exe -v -c xx.etl >output.txt
delmsg flags=sender,
Ran aspnet_regiis -i from the \WINDOWS\Microsoft.NET\Framework\v2.0.50727 folder the issue was resolved.
Running ASPNET_REGIIS.EXE –i resolved the issue

Command to check SPN
ldifde -t 3268 -d "" -p subtree -r "(serviceprincipalname=*)" -f spn.txt


Outbound : IIS box's IP should be added in the relay in the Exchange server box
Exchange server --> IIS box --> Internet
Inbound : Remote domain

How to troubleshoot the POP3 Connector in Windows Small Business Server 2003;en-us;885685&x=9&y=13

E-mail to external recipients with the same e-mail domain causes NDR messages when using the POP3 Connector

Exchange Server Connector for POP3 Mailboxes deliver multiple copies of messages

Enable logging from EMC (few eg.)
Get-EventlogLevel "MSExchange ADAccess" | Set-EventlogLevel -Level Lowest
Get-EventlogLevel "MSExchange Common" | Set-EventlogLevel -Level Lowest

Get-EventlogLevel "MSExchange ADAccess" | Set-EventlogLevel -Level Lowest

variable can be used as 
MSExchange Common\General                                                                                  Expert    
MSExchange Common\Configuration                                                                         Expert    
MSExchange Common\Logging                                                                                  Expert
MSExchange Configuration Cmdlet - Management Console\General                         Expert    
MSExchange Configuration Cmdlet - Management Console\RBAC                            Expert    
MSExchange ADAccess\General                                                                             Expert    
MSExchange ADAccess\Cache                                                                                Lowest    
MSExchange ADAccess\Topology                                                                           Expert    
MSExchange ADAccess\Configuration                                                                    Expert    
MSExchange ADAccess\LDAP                                                                                 Expert    
MSExchange ADAccess\Validation                                                                         Expert

MSExchange ADAccess\Site Update                                                                      Expert    

Image compression software
=======================        //it compresses the file to the % of the file

Active directory troubleshooting

Active directory troubleshooting

1. Run and post: netdom query dc

2. Run and post: repadmin /replsum

3. Run and post: ipconfig /all (on all DCs listed in #1)

4. dcdiag /test:dns /v > dnsdiag.txt

5.C:\Windows\system32>sc query rpcss


LDIFDE example

c:\>ldifde -f delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

Outlook "Test E-mail Autoconfiguration" and "Connection Status"

"Test E-mail Autoconfiguration" for outlook

1. Hold Control Key and Right click outlook icon bottom right of the task bar. It might be possible that Outlook Icon is hidden in Notification bar. If it is so Click and drag icon into task bar.

2. From Popup-menu Test E-mail Autoconfiguration.

3. Select only “Use AutoDiscover” and then click Test button

Similarly you can check the "Connection Status" to check which GC/CAS/FE server Outlook is connected to.

Here is the Image of both of the Options

List of Microsoft Exchange server's Verb

Exchange verb in my Lab

Exchange 2003's verb (18 verb)
220 TEST.lab.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Sun, 10 Nov 2013 02:41:11 +0530
250-TEST.lab.local Hello []
250 OK

Exchange 2007's Verb ( 14 verb)
250-E2K7.labs.local Hello [::1]

Exchange 2010's verb (15 verb)
220 E2K10.labs.local Microsoft ESMTP MAIL Service ready at Sat, 9 Nov 2013 13:12:46 -0800
250-E2K10.labs.local Hello [::1]

Exchange 2013's verb on Mailbox server's
220 E15MBX2.labs.local Microsoft ESMTP MAIL Service ready at Wed, 13 Nov 2013 20:51:43 +0530
250-E15MBX2.labs.local Hello [::1]

Exchange 2013's verb on CAS server's
220 E15CAS1.labs.local Microsoft ESMTP MAIL Service ready at Wed, 13 Nov 2013 07:21:31 -0800
250-E15CAS1.labs.local Hello [::1]
250-SIZE 37748736

How to Configure Outlook Anywhere from Internet

How to Configure Outlook Anywhere from Internet

If your customer does decide to enable OA externally it is important to note that the external host name value configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate used by clients and must match the end point property in the client.

In order for Subject Alternate Name (SAN) certificates to be used for clients to connect to the OA service, where the CPN does not match the msstd value configured in the Outlook client profile (but the url is listed in the SAN part of the certificate), certain conditions need to be met, these are listed below:-
  • Outlook 2007 or higher
  • Vista SP1

Then when you open Outlook you should not longer get the cert error!

Excerpt from : The Name on the security certificate is invalid or does not match the name of the site - PART 2

The set of folders cannot be opened Your server administrator has limited the number of items you can open simultaneously

In Outlook 2010 (Exchange 2010) Configured with multiple Mailboxes received error while accessing Mailbox's

"The set of folders cannot be opened. Your server administrator has limited the number of items you can open simultaneously."

In the Event log, Application log on Mailbox server
Error General 9646 MSExchangeIS N/A Mapi session b07d8c58-536d-4e6c-80b2-cd6722433802: /O=ORG/OU=OU/cn=Recipients/cn=Recipientsname" exceeded the maximum of 32 objects of type "session"."

Things need to check
1. Check for 3rd party Add-in to Ms Outlook
. If Outlook is configured in Cached Exchange mode.
Open Outlook in “Folder list” module on the Navigation Pane to see \Sync Issues

* 2. Check if firewall is causing any connection timeout. (RPC timeout)

3. Check Perfomrance at MBX SERVER
4. Disable TCP Chimney, RSS on Exchange server, if networking is an issue, also confirm with EXBPA

Possible Resolution
1. In Outlook Profile if secondary Mailbox or more Mailboxes added, try removing Mailbox from Outlook Profile. If fewer number of Mailboxes are added then try checking the Mailboxes folder.

*2. Also check for Shared Mailbox if it is enabled, if it is enabled disable it.

To disable Caching of shared folders in Outlook 2010/2013
File > Account Settings > Account setting lists > E-mail tab > "double click" Exchange server Account > in Change account > More settings > Advanced tab > click to clear "Download shared folders" > finish and complete the Wizard and restart the Outlook.

3. If still you want to Cache Shared folders in the secondary Exchange mailbox, remove secondary Mailbox from Account settings and Open Mail item in control panel and Add new account.

4. Check if firewall is between Outlook client and Exchange and causing RPC reset *

5. Here Event id 9646, indicates towards, "Session" limit, so try increasing session value but it may effect Server's performance, increase session size in +3

6. MAPI session Limit disabled 
From Registry Editor (always have backup of Registry key*), goto the location
If value "Disable Session Limit" exist then change the value to 1 (Dec) from 0 or else create a new DWORD KEY.

Wednesday, November 6, 2013

Creating and Renew Exchange certificate from Internal Certificate Authority

Environment in my lab
(Domains used in my lab are fictitious and only for demonstration purpose only)

Domain name :
DC role : ADC + CA (Certificate Authority is installed on DC) *
CAS/Hub Server Name : ACasHub
Exchange server version : Exchange 2010
Windows version : Windows 2008 R2 Ent

In my lab, CAS/Hub roles are installed on seperate roles and assuming certificates are going to expired and for that reason, we are going to renew certificate on CAS/Hub server role

Here is the process of Renewing certificate which is Installed on Exchange CAS/HUB server

For the purpose of understanding, I am using Exchange management console to renew the Certificate, We can also use Exchange Management Shell, which i will be covering in next blog.

We need to renew the highlighted “ACASHUB server”. The name of the certificate is “*” which is “Self-Signed” and services assigned are “IIS” and “SMTP”

We selected the highlighted services and choose the option “Renew Exchange certificate

Highlighted certificate “*” would be using to renew certificate process, Self-Signed Status is showing “False” which means the certificate is been assigned from CA (Internal or 3rd party)

Click on browse on above browse button and select a location on your server to save “ .REQ” Extension file. 

In my lab I am renewing certificate with a name of the Server in folder name “New Exchange Certificate”
this is the REQ file generated by Exchange Server for certification Renew request

After saving file, Please click on RENEW button from the bottom of the Wizard and you would be the End of the confirmation wizard.

After finishing, Certificate wizard, you will find new Certificate for Server “ACasHub” where status is showing “This is a pending certificate signing request (CSR)” and check the services status, which is now “NONE”

And this is REQ file generated by Exchange server for certification renew

certutil -encode c:\renewal.req c:\base64renewal.req 

2nd Part
there are two process for Enrollment 
(a) Copy the file to CA server and initiate the process of Certificate approval using web
(b) From the Exchange server, you can initiate the process of Certificate approval using web 

In our process, we are copying file *.REQ file to CA

We need to copy the *.REQ file to the CA.
In case of internal CA, you can copy the file into the CA or if it is a 3rd party, you need to follow the URL of their respective services to upload file and get a CERTIFICATE REQUEST file

So now we are at Internal CA, where we copied file “ACasHub.req” from our CAS/Hub server.

Logged into your CA and open Internet Browser and type URL http://servername/certsrv or https:// servername/certsrv, where servername is the name of the Web server hosting the CA Web enrollment pages and this process is known as Request a certificate over the Web

From Here, Select “Request a Certificate” Under “Select a Task”

Now select “Advanced certificate request” and then

In this screen, the file that we copied from our CAS/Hub server, should be opened in a notepad and Highlight the content from Edit Menu “Select All” > Copy the content in the Renewal request page

And paste the content in Based-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) and make sure the “Certificate Template” should be “Web Server”

And then click on Submit

if you need subject alternative names, add in attributes box as

because we are renewing the certificate request, I Kept it as empty

The next page we will be getting is to “Download Certificate”

Here you will find two Radio button “DER encoded” or “Base 64 encoded” and two option of downloading the Certificate  “Download Certificate” and “Download Certificate Chain”

So highlight “Base 64 encoded” and select “Download Certificate” URL

Now you will be prompted to download a file with Extension name “ *.CER “

Save this “ *.CER” file and copy it to the CAS/Hub server

In Exchange Management console, highlight the Certificate that is pending for “Certificate signing request”, Right click > Complete Pending Request > Browse and provide “ *.CER” file that we have downloaded

And now the status of “Exchange certificate” is complete, now as a next step we need to assign services

Highlight the certificate and assign services

In the Assign services to certificate, highlight the CAS/Hub server for which you want to install Certificate.

In case, if CAS and Hub are installed on different box, then for CAS server, Services needs to be assigned would be IIS, POP, IMAP and Hub Transport Service “SMTP” service
And here you can add the list of the server for which you want to assign services to the certificate at once

Here you need to select Services

And next

Here I am assuming that the certificate has been expired on my lab so I would select “Overwrite the existing default SMTP certificate” or else you can select “NO” and as a result it will generate two certificate.
One which we created and another older certificate and later we can delete the older/ expired certificate.

After assigning services to the certificate, restarting Exchange services like for Hub Transport server, Restarting “Ms Exchange Transport” works and most of the from command prompt IISRESET will work.
Or from the services console“

Part 4 How to backup Certificate

And for backup CA (Internal), you can backup by highlighting Server under “Certification Authority” right click “All Tasks” and then “Backup CA”