Exchange Server 2007 managed code services do not start after you install an update rollup for Exchange Server 2007

View products that this article applies to.

Symptoms

After you install an update rollup for Microsoft Exchange Server 2007, the Exchange 2007 managed code services may not start. Additionally, the following events are logged in the System log:

Event Type: Error
Event Source: Service Control Manager
Event ID: 7000
Description: The Microsoft Exchange EdgeSync service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Event Type: Information
Event Source: Microsoft Exchange Server
Event ID: 5001
Description: Bucket 77004151, bucket table 5, EventType e12, P1 c-rtl-amd64, P2 08.00.0733.000, P3 msexchangetransport, P4 unknown, P5 unknown, P6 s.serviceprocess.timeoutexception, P7 0, P8 08.00.0733.000, P9 NIL, P10 NIL.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7000
Description: The Microsoft Exchange Transport Log Search service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7009
Description: Timeout (30000 milliseconds) waiting for the Microsoft Exchange Transport Log Search service to connect.

The following events are logged in the Application log:

Event Type: Error
Event Source: MSExchange Common
Event Category: General
Event ID: 4999
Description:
Watson report about to be sent to dw20.exe for process id: 1448, with parameters: E12, c-RTL-AMD64, 08.00.0733.000, MSExchangeTransport, unknown, unknown, S.ServiceProcess.TimeoutException, 0, 08.00.0733.000

Event Type: Error
Event Source: Microsoft Exchange Server
Event ID: 5000
Description:
EventType e12, P1 c-rtl-amd64, P2 08.00.0733.000, P3 msexchangetransport, P4 unknown, P5 unknown, P6 s.serviceprocess.timeoutexception, P7 0, P8 08.00.0733.000, P9 NIL, P10 NIL.

Note Depending on the Exchange Server 2007 role, the events may display time-outs for other Exchange Server services.

↑ Back to the top

Cause

This problem occurs because the affected computer cannot reach the following Microsoft Web site:

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

This problem occurs because of the following behavior:

When the Microsoft .NET Framework 2.0 loads a managed assembly, the managed assembly calls the CryptoAPI function to verify the Authenticode signature on the assembly files to generate publisher evidence for the managed assembly.
The CryptoAPI function checks a Certificate Revocation List (CRL) that is available at http://crl.microsoft.com. This action requires an Internet connection.
If the Internet connection is blocked, the outgoing HTTP requests may be dropped. Therefore, an error message is not returned. This problem may also occur if the computer cannot resolve http://crl.microsoft.com. This long delay causes the CRL check to time out.
The Service Control Manager (SCM) determines that the service is taking too long to start and that the service has exceeded the maximum service start time. Therefore, the SCM reports the error message, and the Exchange managed code services are not started.

↑ Back to the top

Resolution

To resolve this problem, you have the following options:

Exchange server does not have to have a connection to the Internet. It just needs to have routers that do not send packets into a black hole. The CRL check is timing out because it never receives a response. If a router were to send a �no route to host� ICMP packet or similar error instead of just dropping the packets, the CRL check would fail right away, and the service would start. You can add an entry to crl.microsoft.com in the hosts file or on the DNS server and send the packets to a legitimate location on the network, such as 127.0.0.1, which will reject the connection. To do this, use a text editor to open the Windows\system32\drivers\etc\host file, and then add the following entry:
crl.microsoft.com 127.0.0.1
Use a switch in the configuration files that are associated with the Exchange services. This switch works in the common language runtime (CLR) 2.0 SP1 environment that is included with the .NET Framework version 3.5.

If you are using the .NET Framework 2.0, follow the steps in the �Install a software update� section. Then, continue to the �Create configuration files� section. If you already have the CLR 2.0 SP1 environment installed, go to the �Create configuration files� section.

Install a software update

If you are using the .NET Framework 2.0, install one of the following software updates:

Software update 936707 with CRL build 2.0.50727.876 For more information, click the following article number to view the article in the Microsoft Knowledge Base:
936707 FIX: A .NET Framework 2.0 managed application that has an Authenticode signature takes longer than usual to start
Software update 942027 with CRL build 2.0.50727.926 For more information, click the following article number to view the article in the Microsoft Knowledge Base:
942027 FIX: You may notice that the memory load is very high when you run an application that is built on the .NET Framework 2.0
A different software update that has a later CRL build. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
945757 Problems that are fixed in the .NET Framework 2.0 Service Pack 1

To download the .NET Framework 3.5, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6&DisplayLang=en

Create configuration files

Important You must save a copy of your existing configuration files to a safe location. If there is an error in a configuration file, the applicable service cannot start.

You must create configuration files for all Exchange Server 2007 managed code services.

How to create a new configuration file

If you already have a configuration file, go to the �How to change an existing configuration file� section. To create a new application configuration file that contains the switch that is introduced in CLR 2.0 SP1, follow these steps:

Create a file, and then name it ApplicationName.exe.config.
In a text editor, open this file.

Add the following code to the file.

<configuration>
 <runtime>
            
           <generatePublisherEvidence enabled="false" />
 </runtime> 
</configuration>

Save the changes to the file.

You may have to create new configuration files for the following services or programs:

Microsoft.Exchange.AntispamUpdateSvc.exe
MsExchangeFDS.exe
MSExchangeTransport.exe

How to change an existing configuration file

Important Before you make any changes to the configuration file, save a copy of the current file in a safe location.

If the configuration file already exists for a service, add the following line to the runtime options section in the file.

<generatePublisherEvidence enabled="false"/>

For example, after you add this entry, the runtime options section will resemble the following example.

<configuration> <runtime>
<generatePublisherEvidence enabled="false"/>
<Other entries>
</runtime> </configuration>

Note Replace <Other entries> in this example with the original lines.

You may have to update the configuration files for the following services or programs:

Bin\EdgeTransport.exe
Bin\ExBPA.exe
Bin\ExBPACmd.exe
Bin\ExTRA.exe
Bin\Microsoft.Exchange.Cluster.ReplayService.exe
Bin\Microsoft.Exchange.EdgeSyncSvc.exe
Bin\Microsoft.Exchange.Monitoring.exe
Bin\Microsoft.Exchange.Search.ExSearch.exe
Bin\Microsoft.Exchange.ServiceHost.exe
Bin\MSExchangeMailboxAssistants.exe
Bin\MSExchangeMailSubmission.exe
Bin\MSExchangeTransportLogSearch.exe
ClientAccess\PopImap\Microsoft.Exchange.Imap4.Exe
ClientAccess\PopImap\Microsoft.Exchange.Pop3.Exe

Note Disabling the generation of publisher evidence does not loosen security. The assembly is treated the same as if it had an invalid Authenticode signature. Any permissions that would be granted based on a validated Authenticode signature are no longer granted with this configuration switch. This behavior is acceptable because Exchange Server 2007 does not have to have publisher evidence. Standard CAS policy does not rely on the PublisherMembershipCondition class. Therefore, unless the application runs on a computer that has custom CAS policy modifications or unless the application is intended to satisfy demands for the PublisherIdentityPermission class, you can safely disable the generation of publisher evidence for Exchange 2007 managed code services.

Troubleshooting

If a service does not start after you modify or create the configuration files, there is typically an XML syntax error or an incorrect value. In both cases, you receive an error message from the Exchange 2007 Edge Transport Service that resembles the following:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: Process 
Event ID: 14004
Date: Date
Time: Time
User: N/A
Computer: Computer_Name
Description:
The worker process has failed to load application configuration file: System.Configuration.ConfigurationErrorsException: Configuration system failed to initialize ---> System.Configuration.ConfigurationErrorsException: The 'generatePublisherEvidence' start tag on line 4 does not match the end tag of 'runtime'. Line 5, position 6. (C:\Program Files\Microsoft\Exchange Server\Bin\edgetransport.exe.config line 5) ---> System.Xml.XmlException: The 'generatePublisherEvidence' start tag on line 4 does not match the end tag of 'runtime'. Line 5, position 6.
   at System.Xml.XmlTextReaderImpl.Throw(Exception e)
   at System.Xml.XmlTextReaderImpl.ThrowTagMismatch(NodeData startTag)
   at System.Xml.XmlTextReaderImpl.ParseEndElement()
   at System.Xml.XmlTextReaderImpl.ParseElementContent()
   at System.Xml.XmlTextReaderImpl.Skip()
   at System.Configuration.XmlUtil.StrictSkipToNextElement(ExceptionAction action)
   at System.Configuration.BaseConfigurationRecord.ScanSectionsRecursive(XmlUtil xmlUtil, String parentConfigKey, Boolean inLocation, String locationSubPath, OverrideModeSetting overrideMode, Boolean skipInChildApps)
   at System.Configuration.BaseConfigurationRecord.ScanSections(XmlUtil xmlUtil)
   at System.Configuration.BaseConfigurationRecord.InitConfigFromFile()
   --- End of inner exception stack trace ---
   at System.Configuration.ConfigurationSchemaErrors.ThrowIfErrors(Boolean ignoreLocal)
   at System.Configuration.BaseConfigurationRecord.ThrowIfParseErrors(ConfigurationSchemaErrors schemaErrors)
   at System.Configuration.ClientConfigurationSystem.EnsureInit(String configKey)
   --- End of inner exception stack trace ---
   at System.Configuration.ConfigurationManager.GetSection(String sectionName)
   at System.Configuration.ConfigurationManager.get_AppSettings()
   at Microsoft.Exchange.Transport.TransportAppConfig.GetConfigBool(String label, Boolean defaultValue)
   at Microsoft.Exchange.Transport.TransportAppConfig.ResourceManagerConfig.Load()
   at Microsoft.Exchange.Transport.TransportAppConfig.Load()
   at Microsoft.Exchange.Transport.Main.Program.Run(String[] args)
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. Microsoft is researching this problem and will post more information in this article when the information becomes available.

↑ Back to the top