XADM: Exchange Search Fails After Installing Exchange 2007 SP3


After installing Exchange Server 2007 Service Pack 3 (SP3) the following may occur:

  1. For users with mailboxes on the affected database(s), searches in Outlook (using online mode) or Outlook Web Access (OWA) may not return any results for new email that arrived after Exchange Server 2007 SP3 was installed.
  2. If you run ResetSearchIndex.ps1 on the indexing for the affected database(s), searches in online mode or OWA may not return any results for users with mailboxes on the affected database(s).
  3. If you run ResetSearchIndex.ps1 on the indexing for the affected database(s) and you check the CatalogData folder(s) that correspond to the affected database(s), you may find that either no .CI files or very few .CI files are generated. If .CI files are generated, they are only a few kilobytes (KB) each in size.


When the Microsoft .NET Framework 2.0 loads a managed assembly, the managed assembly calls the CryptoAPI function to verify the Authenticode signature on the assembly files. The CryptoAPI function checks a Certificate Revocation List (CRL) that is available at http://crl.microsoft.com. This action requires an Internet connection.

The Microsoft Search Indexer service (Microsoft.Exchange.Search.ExSearch.exe) is a managed assembly that is loaded by Microsoft .NET Framework 2.0. After installing Exchange 2007 SP3, if the Exchange server or DNS cannot resolve http://crl.microsoft.com for any reason, the outgoing HTTP requests may be dropped without an error message being returned. This delay causes the CRL check to time out, and cached CRLs will expire. As a result, the Microsoft Search Indexer service fails to index any new email.


NOTE: This is the official resolution from Exchange Development

  1. Use a text editor to open the c:\Windows\System32\drivers\etc\hosts file on the Exchange 2007 SP3 Server and add the following entry:              crl.microsoft.com
  2. Save the HOSTS file
  3. Stop the Microsoft Search Indexer Service.
  4. Stop the Microsoft Search (Exchange) service.
  5. Rename the CatalogData folder for each database having the issue.  The CatalogData folder should be in the same folder as the database with the issue. 
    Note:  If there is not enough available disk space, then either save the CatalogData folder to another location or delete the CatalogData folder.
  6. Start the Microsoft Search (Exchange) service
  7. Start the Microsoft Search Indexer Service
  8. Wait for Event ID 110 in the application log to signify that creating the new index has finished.
  9. Check the CatalogData folder to see that .CI files are now being generated.
  10. Check searches in Outlook (using online mode) and OWA to see if search now works.
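
Steps 3 through 9 as a script for one database folder, run after the HOSTS file has been edited by hand. This is an added example, not part of the original article: the function name, the sample path, the timeout and the two service short names (`MSExchangeSearch`, `MSFTESQL-Exchange`) are assumptions to confirm with `Get-Service` on the server.

```powershell
# Added example, not from the original article.
# Assumptions: the service short names below and the constructed sample path.
function Reset-CatalogData {
    param(
        [string]$DbFolder = 'D:\ExchangeData\SG1',   # constructed sample path
        [int]$TimeoutMinutes = 120                   # assumed upper bound for the rebuild
    )
    $indexer  = 'MSExchangeSearch'     # Microsoft Search Indexer service
    $mssearch = 'MSFTESQL-Exchange'    # Microsoft Search (Exchange) service

    # Steps 3-4: stop the indexer first, then the search service.
    Stop-Service -Name $indexer -Force
    Stop-Service -Name $mssearch -Force

    # Step 5: rename each CatalogData folder that sits beside the database.
    # The "old-" prefix keeps renamed folders out of the CatalogData* match on a rerun.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Get-ChildItem -Path $DbFolder |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'CatalogData*' } |
        ForEach-Object { Rename-Item -Path $_.FullName -NewName ("old-$stamp-" + $_.Name) }

    # Steps 6-7: start the services in the reverse order.
    $started = Get-Date
    Start-Service -Name $mssearch
    Start-Service -Name $indexer

    # Step 8: poll the Application log for Event ID 110 written after the restart.
    # The filter matches on ID and time only; check the event source before trusting it.
    $deadline = $started.AddMinutes($TimeoutMinutes)
    $done = $null
    while (-not $done -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 60
        $done = Get-EventLog -LogName Application -Newest 500 |
            Where-Object { $_.EventID -eq 110 -and $_.TimeGenerated -ge $started }
    }
    if (-not $done) { Write-Warning "No Event ID 110 within $TimeoutMinutes minutes." }

    # Step 9: list the .CI files in the rebuilt catalog with their sizes.
    Get-ChildItem -Path $DbFolder |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'CatalogData*' } |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Recurse -Filter '*.ci' } |
        Select-Object FullName, @{ Name = 'SizeKB'; Expression = { [math]::Round($_.Length / 1KB, 1) } }
}
```

Call it as `Reset-CatalogData -DbFolder <folder that holds the database>`. An empty result, or files of only a few KB, matches the third symptom listed at the top of the article.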

More Information

When MSSearch performs the CRL check, it tries to access http://crl.microsoft.com, and by default will wait 15 seconds for a response. Furthermore, if there are proxy servers configured (or incorrect proxy entries), MSSearch attempts to access the http://crl.microsoft.com URL via each proxy address. Adding the CRL entry to the HOSTS file forces the server to check against itself, which immediately responds saying that the CRL is not available. This bypasses the timeout period.

For more information about the timeout period please see the following:

841632  You receive the "403.13 client certificate revoked" error message after you install the MS04-11 security update

You Had Me At EHLO... : Configuring Exchange Servers Without Internet Access

For more information on WinVerifyTrust and WinHTTP please see the following:

WinVerifyTrust Function

About WinHTTP

Using WinHTTP tools


Article ID: 2469863 - Last Review: Oct 31, 2012 - Revision: 1