After installing Exchange Server 2007 Service Pack 3 (SP3), the following may occur:
When the Microsoft .NET Framework 2.0 loads a managed assembly, the managed assembly calls the CryptoAPI function to verify the Authenticode signature on the assembly files. The CryptoAPI function checks a Certificate Revocation List (CRL) that is available at http://crl.microsoft.com. This action requires an Internet connection.
The Microsoft Search Indexer service (Microsoft.Exchange.Search.ExSearch.exe) is a managed assembly that is loaded by Microsoft .NET Framework 2.0. After installing Exchange 2007 SP3, if the Exchange server or DNS cannot resolve http://crl.microsoft.com for any reason, the outgoing HTTP requests may be dropped without an error message being returned. This delay causes the CRL to time out, and cached CRLs will expire. As a result, the Microsoft Search Indexer service fails to index any new email.
NOTE: This is the official resolution from Exchange Development.
When MSSearch performs the CRL check, it tries to access http://crl.microsoft.com, and by default will wait 15 seconds for a response. Furthermore, if there are proxy servers configured (or incorrect proxy entries), MSSearch attempts to access the http://crl.microsoft.com URL via each proxy address. Adding the CRL entry to the HOSTS file forces the server to check against itself, which immediately responds saying that the CRL is not available. This bypasses the timeout period.
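The lookup described above can be timed from the Exchange server itself. The script below is an added example, not part of the original article or of any Microsoft tooling: it reports any HOSTS entry for the CRL host, then measures DNS resolution and an HTTP request against the 15-second default. It assumes Windows PowerShell 2.0 or later; the function names are illustrative.

```powershell
# Added example; assumes Windows PowerShell 2.0 or later. Function names are illustrative.
$CrlHost   = 'crl.microsoft.com'   # host named in the article
$TimeoutMs = 15000                 # default 15-second wait cited in the article

function Get-HostsOverride([string]$Name) {
    # Return the HOSTS lines (comments stripped) that map $Name to an address.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Test-Path $path)) { return }
    foreach ($raw in Get-Content $path) {
        $fields = @([regex]::Split(($raw -replace '#.*$', '').Trim(), '\s+'))
        if ($fields.Count -gt 1 -and $fields[1..($fields.Count - 1)] -contains $Name) {
            $fields -join ' '
        }
    }
}

function Measure-CrlStep([scriptblock]$Step) {
    # Run one step and record its outcome and elapsed seconds.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try { $outcome = & $Step }
    catch {
        # Find the WebException, if any, to report its status (Timeout, ConnectFailure, ...).
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        $outcome = if ($ex) { "WebException: $($ex.Status)" } else { "Failed: $($_.Exception.Message)" }
    }
    $sw.Stop()
    New-Object PSObject -Property @{ Outcome = $outcome; Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1) }
}

$dns = Measure-CrlStep {
    ([System.Net.Dns]::GetHostAddresses($CrlHost) | ForEach-Object { $_.IPAddressToString }) -join ', '
}
$http = Measure-CrlStep {
    # This request uses the proxy settings of the account running the script.
    $req = [System.Net.WebRequest]::Create("http://$CrlHost/")
    $req.Method  = 'HEAD'
    $req.Timeout = $TimeoutMs
    $resp = $req.GetResponse()
    try { "HTTP $([int]$resp.StatusCode)" } finally { $resp.Close() }
}

$override = @(Get-HostsOverride $CrlHost)
"HOSTS override : " + $(if ($override.Count) { $override -join '; ' } else { 'none' })
"DNS resolution : {0} ({1}s)" -f $dns.Outcome, $dns.Seconds
"HTTP request   : {0} ({1}s)" -f $http.Outcome, $http.Seconds
if ($dns.Seconds -ge ($TimeoutMs / 1000) -or $http.Seconds -ge ($TimeoutMs / 1000)) {
    'A step ran for the full timeout; the indexing delay described in the article is likely.'
}
```

A `WebException: ProtocolError` outcome still means the host answered quickly. A reported HOSTS override means this server no longer retrieves revocation data from that host, which is worth recording wherever the workaround is applied.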
For more information about the timeout period, please see the following:
841632 You receive the "403.13 client certificate revoked" error message after you install the MS04-11 security update
You Had Me At EHLO... : Configuring Exchange Servers Without Internet Access
For more information on WinVerifyTrust and WinHTTP, please see the following:
Using WinHTTP tools
Article ID: 2469863 - Last Review: 10/31/2012 06:54:00 - Revision: 5.0