After you install an update rollup for Microsoft Exchange Server 2007, the Exchange 2007 managed code services may not start. Additionally, the following events are logged in the System log:

Event Type: Error
Event Source: Service Control Manager
Event ID: 7000
Description: The Microsoft Exchange EdgeSync service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Event Type: Information
Event Source: Microsoft Exchange Server
Event ID: 5001
Description: Bucket 77004151, bucket table 5, EventType e12, P1 c-rtl-amd64, P2 08.00.0733.000, P3 msexchangetransport, P4 unknown, P5 unknown, P6 s.serviceprocess.timeoutexception, P7 0, P8 08.00.0733.000, P9 NIL, P10 NIL.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7000
Description: The Microsoft Exchange Transport Log Search service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7009
Description: Timeout (30000 milliseconds) waiting for the Microsoft Exchange Transport Log Search service to connect.

The following events are logged in the Application log:

Event Type: Error
Event Source: MSExchange Common
Event Category: General
Event ID: 4999
Description:
Watson report about to be sent to dw20.exe for process id: 1448, with parameters: E12, c-RTL-AMD64, 08.00.0733.000, MSExchangeTransport, unknown, unknown, S.ServiceProcess.TimeoutException, 0, 08.00.0733.000

Event Type: Error
Event Source: Microsoft Exchange Server
Event ID: 5000
Description:
EventType e12, P1 c-rtl-amd64, P2 08.00.0733.000, P3 msexchangetransport, P4 unknown, P5 unknown, P6 s.serviceprocess.timeoutexception, P7 0, P8 08.00.0733.000, P9 NIL, P10 NIL.

Note Depending on the Exchange 2007 server role, the events may display time-outs for other Exchange Server services.

Back to the top

This problem occurs because the affected computer cannot reach the following Microsoft Web site: This problem occurs because of the following behavior:

•	When the Microsoft .NET Framework 2.0 loads a managed assembly, the managed assembly calls the CryptoAPI function to verify the Authenticode signature on the assembly files to generate publisher evidence for the managed assembly.
•	The CryptoAPI function checks a Certificate Revocation List (CRL) that is available at http://crl.microsoft.com. This action requires an Internet connection.
•	If the Internet connection is blocked, the outgoing HTTP requests may be dropped. Therefore, an error message is not returned. This problem may also occur if the computer cannot resolve http://crl.microsoft.com. This long delay causes the CRL check to time out.
•	The Service Control Manager (SCM) determines that the service is taking too long to start and that the service has exceeded the maximum service start time. Therefore, the SCM reports the error message, and the Exchange managed code services are not started.

Note The maximum service start time is defined by the following registry subkey:

Back to the top

To resolve this problem, verify that the computer can reach the following Microsoft Web site to download the CRL: If your organization uses a proxy server for HTTP and for HTTPS, you must configure the proxy server so that HTTP-enabled CRL validation works. Additionally, make sure that the proxy settings are configured correctly for the Exchange Server services to access the Internet.

The simplest way to configure WinHTTP is to use ProxyCfg.exe. ProxyCfg.exe is a command-line tool that is included in the %System32% directory on all Windows Server 2003-based computers. You can use ProxyCfg.exe to set WinHTTP configurations and to view WinHTTP configurations. For more information about how to use the Proxycfg.exe tool to modify WinHTTP proxy settings, click the following article number to view the article in the Microsoft Knowledge Base: Note Microsoft Knowledge Base article 841641 describes how to configure a specific proxy setting if you are running services as a noninteractive account. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Back to the top

To work around this problem, use one of the following methods.

Back to the top

Method 1: Configure the firewall

Configure the firewall to return a failure status to the application quickly if the firewall blocks access to http://crl.microsoft.com.

Note For more information, see the firewall documentation or contact the manufacturer of the firewall provider.

Back to the top

Method 2: Configure the URL retrieval time-out values

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Configure the URL retrieval time-out values that are used by CryptoAPI to a lower value. CryptoAPI provides the following settings to control the time-out values for authority information access (AIA). AIA is a certificate extension that contains information that is useful for verifying the trust status of a certificate. The CRL is part of the AIA extension.

URL retrieval time-out value

The URL retrieval time-out value defines the default URL time-out period for AIA retrievals and for nonaccumulative CRL retrievals. This setting was introduced in security update 835732.

Location	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\ EncodingType 0\CertDllCreateCertificateChainEngine\Config
Type	REG_DWORD
Name	ChainUrlRetrievalTimeoutMilliseconds
Value	If this value is set to 0 or if this value is undefined, the default value of 15000 milliseconds is used.

This registry key is also exposed as a Group Policy UI item on the Default URL Retrieval Timeout policy property page. The UI item has a list to control the units in seconds. The default value is 15 seconds. Although the UI item allows a maximum value of 1000 seconds, the registry key and policy processing allow a maximum value of 65536 seconds.

Aggregate URL retrieval time-out value

The Aggregate URL retrieval time-out value defines the default revocation accumulative URL time-out period. The first revocation URL retrieval uses half of this time-out value. This setting was introduced in security update 835732.

Location	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\ EncodingType 0\CertDllCreateCertificateChainEngine\Config
Type	REG_DWORD
Name	ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
Value	If this value is set to 0 or if this value is undefined, the value of 20000 milliseconds is used.

This registry key is also exposed as a Group Policy UI item on the Default Accumulative URL Retrieval Timeout policy property page. The UI item has a list to control the units in seconds. The default value is 20 seconds. Although the UI will allow a maximum value of 1000 seconds, the registry key and policy processing allow a maximum value of 65536 seconds.

Back to the top

Method 3: Configure the Service Control Manager (SCM) time-out value

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Increase the default time-out value for the SCM in the registry. To do this, follow these steps:

1.	Start Registry Editor.
2.	Change the value data for the ServicesPipeTimeout DWORD value to 60000 in the Control subkey. To do this, follow these steps: a. Click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet b. Click the Control registry subkey. c. Right-click the ServicesPipeTimeout DWORD value, and then click Modify. d. Click Decimal. e. Type 60000, and then click OK.
3.	If the ServicesPipeTimeout value is not available, add the new DWORD value, and then set its value data to 60000 in the Control registry subkey. To do this, follow these steps: a. Click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. b. Click the Control registry subkey. c. On the Edit menu, point to New, and then click DWORD Value. d. Type ServicesPipeTimeout, and then press ENTER. e. Right-click the ServicesPipeTimeout DWORD value, and then click Modify. f. Click Decimal. g. Type 60000, and then click OK. Note The value 60000 milliseconds equals 60 seconds.

This change does not take effect until you restart the computer. After you increase the ServicesPipeTimeout value in the registry, the SCM waits for the services to use the whole ServicesPipeTimeout value before the System log reports that the service did not start.

If the services require several minutes to start, a value of 60 seconds may be insufficient. Therefore, increase the ServicesPipeTimeout value to give the services sufficient time to start.

Back to the top

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Back to the top