Mail stuck in queues on exchange 2007 hub and edge transport server

under your receive connectors authentication tab, is Exchange and Integrated Windows authentication checked? They need to be.

Which is what it says in the thread I posted.

What are the settings for your Send Connector on your Edge server?

This article explains exactly how to configure your connectors for the Edge Server and HUB : http://technet.microsoft.com/en-us/library/bb123883.aspx

@ Connector Configuration
In Exchange 2007, Receive connectors represent an inbound connection point for Simple Mail Transfer Protocol (SMTP) communications. Send connectors represent a logical gateway through which all outbound messages are sent. For end-to-end mail flow, the Edge Transport server must have connectors that support mail flow to and from the Internet, and to and from the organization. The following connectors are required on the Edge Transport server:

    * A Send connector that is configured to send messages to the Internet
      The address space for this connector is typically "*" (all Internet domains) and DNS routing is used to resolve destinations. The usage type for this connector is Internet. This Send connector is created automatically when the Edge Transport server is subscribed to an Active Directory directory service site by using EdgeSync.
    * A Receive connector that is configured to accept messages from the Internet
      This connector typically accepts connections from all IP address ranges and allows for anonymous access. The local network bindings for this Receive connector should be the external-facing IP address of the Edge Transport server. The usage type for this connector is Internet.
    * A Send connector that is configured to send messages to the Hub Transport servers in the Exchange organization
      The address space for this connector can be "--", or you can list each of your accepted domains. Use the Hub Transport servers in the organization as the smart hosts for this connector. The usage type for this connector is Internal. This Send connector is created automatically when the Edge Transport server is subscribed to an Active Directory site by using EdgeSync.
    * A Receive connector that is configured to receive messages from Hub Transport servers in the Exchange organization
      This connector can be configured to accept connections only from the IP address ranges assigned to the Hub Transport servers. The local network bindings for this Receive connector should be the internal-facing IP address of the Edge Transport server. The usage type for this connector is Internal. This connector is optional.

@demazter - sorry about that...I don't follow all the links posted in a thread.

You should need to do anything with the EdgeSync Send/Receive connectors, they should work fine out the box.

I would recommend you scrap the Edge Subscription on Hub --> Org config --> Edge Subscriptions, go to Edge, recreate the Edge File and then import on Hub, and ensure you have 'Create Send Connector' ticked. This will recreate the connectors with the correct settings.

Start-EdgeSyncronization and Test-E... from Hub,

Clear the queues down if necessary and test with an inbound and outbound email from mailbox user to outside and vice versa.

Shaun

Review this good article for a closer look at EdgeSync implementation:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/planning-architecture/uncovering-exchange-2007-edge-transport-server-part1.html

Shaun

Just going through some recent articles that have been written and I come across one that describes the process of commissioning an Edge Server without using EdgeSync (for times when it is not possible to use EdgeSync.

This may come in handy, if you cannot use EdgeSync, or the process fails for whatever reason.

http://www.msexchange.org/articles_tutorials/exchange-server-2007/security-message-hygiene/configuring-edge-transport-server-without-edge-synchronization-part1.html

Shaun

Hi All,

Thanks very much for the responses that are coming through - greatly appreciated.  I thought I would put in a bit more details as to what we have done to date.

With relation to deleting the Edge subscription and recreating it, we have done this about 5 times in total with the same result each time.  After rereating and importing the Edge Subscription we are able to run Start-EdgeSynchronization and also Test-Edge.... both of these work fine and the appropriate connectors are being created also.  I guess it is good to know that we can install the Edge server without the need for EdgeSync, however I'm not so sure that this is the problem seeing as though the sync works and test fine as well.

We've also read a few of the articles about the Edge server at www.msexchange.org, and in fact had the 6 part epic on hand when installing - what a great site that is.

It looks like the other connectors all work fine as messages are queued up in the Hub for outbound and Edge server for inbound.  All in all it seems to be all about getting messages to travel back and forth between the 2 even though the sync and test sync works fine - this is what seems weird.  We can also telnet from each to the other using FQDN on port 25 - if this is the case can we rule out DNS or is there something else in there that could be causing problems?  

We have the 2 networks internal and DMZ.  The Hub server uses a DNS server on the internal network, whilst there is a seperate DNS that the edge server uses.

Below is a bit of a layout of how things stand at present with DNS:

Internal Network
Exchange Server: exchange.internal.com (now has edge.dmz.com in hosts file)
DNS Server: dns.internal.com
                    Has a forward lookup zone for dmz.com and also has a record for edge.dmz.com

DMZ Network
Edge Server: edge.dmz.com (now has exchange.internal.com in the hosts file)
DNS Server: dns.dmz.com - used by edge.dmz.com has entry for exchange.internal.com

There are 2 firewalls inbetween the DMZ and the Internal network as the DMZ is hosted at a data centre.  These are Cisco ASA 5510 and 5520.  Rules have been setup which has seen us be able to telnet on port 25 between the servers.

I am not sure if the fact that the EdgeSynch works and test fine means that the DNS is setup and working fine, but I just though I would throw that one in just in case there is something special of note there.  

Would be great to get this sorted, and would appreciate any ideas.

Just thought I would mention one more thing.  As we have installed the Edge Server on Windows 2008 Server with Exchange 2007 SP1 there is now no longer ADAM (Active Directory Appplication Mode).  This has been replaced by AD LDS (Active Directory Lightweight Directory Services) .

When we look at the Manager under Roles in Server Manager it says no events in the last 24 hours.  We know we have as we have created and imported new subscription files under 24 hours ago.  It does have a service listed as ADAM_Microsoft Exchange ADAM with a warning which is more than likely due to the fact that we have broken the connection for the time being until we can try again.

Anyway it might be nothing to add to my previous post, but it is info that somone might find something wrong with.  

Yes, the ADAM service is AD LDS in 2008.

You should ensure that you can ping by FQDN from both the HUB and EDGE server.

So ping edge.dmz.com from HUB server and exchange.internal.com from EDGE server.

Also as it describes here: http://technet.microsoft.com/en-us/library/bb125154.aspx, "Port 50636/TCP is used for directory synchronization from Hub Transport servers to ADAM. This port must be open for successful EdgeSync synchronization." - so make sure this is open between the two servers and you can telnet the ports successfully (ie telnet edge.dmz.com 50636)

Shaun

Hi everyone,

And thanks for the responses.  To summarise where things are at we are able to ping the Edge from the Hub and vice versa - we also added the names to the hosts file on each just in caes there was something in that.  We are able to telnet on port 25 from the Hub to the Edge and vice versa (Port 25/TCP looks fine).  The Start-EdgeSynchronization is working fine and running a Test-EdgeSynchronization also succeeds (Port 50636/TCP looks fine).  

for all intensive purposes it looks great as everything appears to be working however mail will not flow between the 2 servers.  The mail will queue up outbound on the Hub and inbound on the Edge.  

in looking for answers we are seeing a screenshot like the one shown at the link below on the Edge server:  

http://www.calipanpan.ch/EDGE%20error.jpg

This is a screenshot connected to the following post on the Microsoft Technet:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/96892540-2d16-40fd-bafa-28a490081708

Unlike what is listed in that post, we are able to create and import an edge subscription, as well as successfully run a start and test sync between the both the hub and edge.

Just to reiterate we are seeing the following errors in Queue Viewer on the Hub and Edge servers.

Hub Server errors as follows:
451 4.4.0 Primary target IP address responded with: "421 4.4.1 Connection timed out."

Edge Server error is as follows:
451 5.7.3 Cannot achieve Exchange Server authentication

The Exchange 2003 server in existence prior to the transition has been removed as has the routing connectors.  the only servers in existence now are the Exchange 2007 server and the 2007 Edge server.  They are both running on Windows 2008, and if configured the Exchange server will work fine on it's own without the edge server to send and receive mail. We have also tried changing Authentication to include Integrated Windows Authentication in case this was the problem, as indicated by a couple of sources, but still without luck.

Anyway I hope this one isn't heading to the too hard basket, and if anyone has some further ideas on how to tackle it we would be greatly appreciate it.

Thanks

First of all I would enable protocol logging for the servers involved.

http://technet.microsoft.com/en-us/library/bb124531.aspx

Especially Intraorganisational logging on the transport servers involved.

Shaun