Mehmet Muhanna (Turkmenistan)

asked on

Exchange 2007 Can not send to other branches, and report a security problem

Hi
I have 3 branches that are connected together via a 2MB link.
Everything was working fine. I noticed that for about 1 week the Exchange servers cannot communicate with each other, and any email sent from the network to an email address in another branch just sits in the queue with the error
451 4.4.0 Primary target IP address responded with "454 4.7.0 Temporary authentication failure." Attempted failover to alternative host, but that did not succeed.
Local messaging is working, I mean for the emails in the same branch.
All the servers are in the same forest.
Rollup 5 is installed.
Windows Server 2003 SP2, updated.

What can cause the problem?

And in the event log there is an error about the transport, which is
LogonDenied, Intra-Organization SMTP Send Connector, ExchangeAuth, SMTPSVC/exchange.domain.com.

What can it be?
Pete Long (United Kingdom)

Hello Housammuhanna,
Exchange Routing Groups Won't Work

1.      First, in a multi-Exchange environment make sure all the servers ARE NOT using a smart host on their "Default SMTP Virtual Server". (Advanced Tab > Smart Host)
2.      On the same screen as above click the "Check DNS" button and remove any DNS entries (note: make sure the Exchange server can resolve external MX records after you have done this).
3.      If you have made any changes above, force domain replication (remember, if the Exchange servers are on domain controllers this can sometimes take a while).
4.      Make sure each physical location has a "Routing Group", the servers in that location are listed under Members, and the main (bridgehead) server is listed as "Master".
5.      Under Connectors, make sure that the following info is correct: General Tab ("Any local servers can send mail over this group"), Remote Bridgehead = the Exchange server at the other side. Leave everything else on its defaults. When you apply, it will ask if you want to automatically create the other end. LET IT.
6.      Create an SMTP connector at the PRIMARY site. Set the local bridgehead to the server your MX record routes mail to. IF YOU USE A SMARTHOST this is the ONLY place you should enter it. Address space should be set to * (that means all domains). Ensure "Entire Organisation" is selected in the connector scope, and DO NOT tick "Allow Messages to be relayed to these domains".
7.      Replicate everything. Even after you force replication it takes ages for Exchange to update itself everywhere. After you have forced replication, restart all the System Attendants, the Microsoft Exchange Routing services, AND the SMTP services. GO AND HAVE LOTS OF COFFEE. It will take a while.

Tools to aid troubleshooting

1.      Winroute (shows Exchange Routing Groups)
Download the Winroute tool for me to be able to see your infrastructure:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c5a8afbf-a4da-45e0-adea-6d44eb6c257b&DisplayLang=en
Run the tool on the bridgehead server in Site A.
2.      The ExBPA tool can be installed on a computer that is running Microsoft .NET Framework 1.1. You can download .NET Framework 1.1 from the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=262D25E3-F589-4842-8157-034D1E7CF3A3&displaylang=en
a.      Download the analysis tool from the following link:
http://www.microsoft.com/downloads/details.aspx?familyid=dbab201f-4bee-4943-ac22-e2ddbd258df3&displaylang=en
b.      Install the tool on your Exchange server or any computer in the same domain as the Exchange server.
Note: The first time you run it, please download the latest version by clicking "Download the latest best practices". The latest version will help to identify more known issues.
c.      Click "Connect to Active Directory" in the left pane, input the server name of a DC or GC and then click "Connect to the Active Directory server".
Note: You can click "Show advanced login options" to use another account that has Exchange Admin and Domain Admin permissions.
d.      Click "Connect to the Active Directory Server", select "Entire Organization" as the scan scope, and choose "Health Check".
e.      Click "Start Scanning".
f.      After the scan finishes, click "View a report of this Best Practices scan".
g.      Click "Export Report" and export the scan result to a .XML file.
Note: the default file path is ":\Documents and Settings\\Application Data\Microsoft\ExBPA".

3.      Microsoft Exchange Troubleshooting Assistant
http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en


Note: If stuff builds up on queues then use Netmon or Ethereal to "sniff" the server's network card and "Force Connection" on the queues, to make sure mail is going where it's supposed to be going.

Regards,

PeteLong
Hi,
You mentioned Update Rollup 5; is it Update Rollup 5 for SP1 or RTM?
What happens when you send mail via OWA?
Thanks
Nitin
Mehmet Muhanna (ASKER)
Hi all,
Dear PeteLong:
I would like to tell you that this is Exchange 2007, not 2003, and the problem is with the intra-organization flow.
The servers are not using a smart host to send to each other, as Exchange has its own unmanaged connector to communicate with the others.
I ran ExBPA, and it did not report any problem.
I used the Mail Flow Troubleshooting Assistant, and it also did not report any problem.
I ran the PowerShell command
test-mailflow, set to test the remote server mail flow, and the result was ***Failure***, with no reason but the one I told you about in the event log and the queue.
Not only this, I checked the permissions for the receive connectors and they are all the same, for the client and default connector.

Qupint:
I have Exchange SP1.
When I send the email via OWA, nothing else happened. The email goes to the queue and is stuck there.
What else?
Check the event logs to see if there is anything logged with regards to authentication.
Check that you have Exchange Servers enabled under Permission groups on the Send and Receive Connectors on both servers.

Have the servers been rebooted recently?

-M
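The checks suggested in the reply above (connector permission groups and a repeat of Test-Mailflow) can be scripted from the Exchange 2007 Management Shell. The following is an added example, not code from the thread or from Microsoft; the server names are placeholders, and it also lists the certificates enabled for the SMTP service, because the later reply hints that the accepted fix was certificate-related and Exchange-to-Exchange SMTP authentication relies on that certificate.

```powershell
# Added example, not code from the thread. Run in the Exchange 2007
# Management Shell on a Hub Transport server. Server names are placeholders.
$hubServers      = @('EXCH-BR1', 'EXCH-BR2', 'EXCH-BR3')  # placeholder Hub Transport servers
$remoteMailboxSv = 'EXCH-BR2'                              # placeholder server in another branch

# 1. Receive connectors: mail from other Hub Transport servers is accepted
#    only if the ExchangeServers permission group is enabled on the connector
#    that listens on the address the remote server connects to.
$connectorReport = foreach ($server in $hubServers) {
    foreach ($rc in Get-ReceiveConnector -Server $server) {
        $groups = [string]$rc.PermissionGroups          # e.g. "ExchangeUsers, ExchangeServers"
        New-Object PSObject -Property @{
            Server             = $server
            Connector          = $rc.Name
            Bindings           = ($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', '
            PermissionGroups   = $groups
            HasExchangeServers = ($groups -match '\bExchangeServers\b')
        }
    }
}
$connectorReport | Format-Table Server, Connector, Bindings, PermissionGroups, HasExchangeServers -AutoSize

# 2. Certificates: Exchange Server authentication between transport servers runs
#    over TLS using the certificate enabled for the SMTP service, so an expired
#    or missing SMTP certificate is one known cause of "454 4.7.0 Temporary
#    authentication failure".
$smtpCerts = Get-ExchangeCertificate | Where-Object { [string]$_.Services -match 'SMTP' }
if (-not $smtpCerts) {
    'WARNING: no certificate is enabled for the SMTP service on this server.'
}
foreach ($cert in $smtpCerts) {
    $status = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0} {1} expires {2} ({3})' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $status
}

# 3. Test-Mailflow from this server to the remote branch. A "Failure" result
#    together with the LogonDenied event in the Application log points at one
#    of the two checks above, or at clock skew between the servers.
$flow = Test-Mailflow -TargetMailboxServer $remoteMailboxSv
'Mail flow to {0}: {1}' -f $remoteMailboxSv, $flow.TestMailflowResult
```

Run it once on each branch's Hub Transport server; a connector whose HasExchangeServers column is False on the binding the peers use, or an EXPIRED line in the certificate list, explains the LogonDenied event without any further packet capture.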
Hi
In the event log the only error logged for this problem is
LogonDenied, Intra-Organization SMTP Send Connector, ExchangeAuth, SMTPSVC/exchange.domain.com
The server has been rebooted.
 
ASKER CERTIFIED SOLUTION
Mehmet Muhanna (Turkmenistan)
This solution is only available to members.
I know this issue is closed, but I had a similar issue (same error) but a different solution and wanted to share it in case anyone else runs into this and it isn't the certificate. In my case, it wound up that the time on the Exchange server that was queueing up was 5 minutes off from the domain controllers. That is too large of a differential. I found that the Exchange server was set to use NTP to a DC that no longer existed. I changed it to use NT5DS (so it would use an available DC), restarted the w32time service and the issue resolved. This could cause your replication issue as well.

To check the time service settings, you can do the following:

From Regedit:
Go to HKLM\SYSTEM\CurrentControlSet\services\W32Time\Parameters.
Make sure the type is set to NT5DS.
Close Regedit.
From Command Prompt, type Net stop W32Time && Net Start W32Time.

At this point you should see the time change on the server to the same time as the domain controller. You may need to restart your AD Topology service to get mail flowing again after doing this.

Hope this helps for those who are having this same issue.
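The registry check and the clock comparison described in this post can be done in one script. This is an added example, not code from the post; it assumes a reachable domain controller whose name is the placeholder DC01, reads the same W32Time Parameters key, and measures the offset against the 5-minute tolerance that Kerberos authentication allows by default.

```powershell
# Added example, not code from the thread. Run in PowerShell on the Exchange
# server that is queueing mail. $dc is a placeholder domain controller name.
$dc             = 'DC01'   # placeholder: a domain controller that still exists
$maxSkewSeconds = 300      # Kerberos default clock-skew tolerance is 5 minutes

# 1. How does this server find time? NT5DS follows the domain hierarchy;
#    NTP uses the peers listed in NtpServer, which may be a decommissioned DC.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
'Time sync type : {0}' -f $params.Type
if ($params.Type -eq 'NTP') {
    'Manual NTP peers: {0}' -f $params.NtpServer
}

# 2. Compare this server's clock with the DC's clock over WMI (works on
#    Windows Server 2003). LocalDateTime is a DMTF string that carries the
#    DC's UTC offset, so the converter returns it in this machine's local time.
$dcOs   = Get-WmiObject Win32_OperatingSystem -ComputerName $dc -ErrorAction Stop
$dcTime = [Management.ManagementDateTimeConverter]::ToDateTime($dcOs.LocalDateTime)
$now    = [DateTime]::Now
$skew   = ($now - $dcTime).TotalSeconds
'Local time     : {0}' -f $now
'DC time        : {0}' -f $dcTime
'Clock skew     : {0:N1} seconds' -f $skew

# 3. Report. The remediation lines restate the steps from the post above.
if ([Math]::Abs($skew) -gt $maxSkewSeconds) {
    'WARNING: skew exceeds {0} s; authentication between servers will fail.' -f $maxSkewSeconds
    'Fix: set Type to NT5DS under the Parameters key, then run'
    '     net stop w32time && net start w32time'
    '     and restart the MSExchangeADTopology service if mail still does not flow.'
} elseif ($params.Type -eq 'NTP') {
    'Skew is within tolerance today, but a manual NTP peer can drift if that peer disappears.'
} else {
    'Clock skew is within tolerance.'
}
```

The script only reports; the registry change and service restarts from the post are left as manual steps so that nothing is changed on a production server without review.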