I highly recommend using this to trouble shoot.

https://www.testexchangeconnectivity.com/

Make sure you have both your send and recieve connectors configured correctly.  You will need to add anonymous users onto your default recieve connectors to recieve email from the internet as anyone outside your domain obviousy can't authenticate and you will need to create a send connector as well.

Thanks

to be able to send to the internet you need to create a send connector for your server

go to EMC -> org config -> hub transport -> send connector and create a send connector


to receive emails go to

emc -> server config -> hub transport -> find the DEFAULT receive connector right click properties -> permission group and select the anonymous

annonymous is added to receive connector

exch connectivity test has this error at the very end

Performing Sender ID validation
  Sender ID validation performed successfully
   Test Steps
   ExRCA is attempting to find the SPF record using a DNS TEXT record query.
  ExRCA wasn't able to find the SPF record.
   Additional Details
  No records were found.
 
I guessing I have something misconfigured in my send  / receive connectors.


send connector looks like this

AddressSpaces                : {smtp:*;100}
AuthenticationCredential     :
Comment                      :
ConnectedDomains             : {}
ConnectionInactivityTimeOut  : 00:10:00
DNSRoutingEnabled            : True
DomainSecureEnabled          : True
Enabled                      : True
ForceHELO                    : False
Fqdn                         : domino.crpud.org
HomeMTA                      : Microsoft MTA
HomeMtaServerId              : pixie
Identity                     : EdgeSync - Default-First-Site-Name to Internet
IgnoreSTARTTLS               : False
IsScopedConnector            : False
IsSmtpConnector              : True
LinkedReceiveConnector       :
MaxMessageSize               : 10 MB (10,485,760 bytes)
Name                         : EdgeSync - Default-First-Site-Name to Internet
Port                         : 25
ProtocolLoggingLevel         : None
RequireTLS                   : False
SmartHostAuthMechanism       : None
SmartHosts                   : {}
SmartHostsString             :
SmtpMaxMessagesPerConnection : 20
SourceIPAddress              : 0.0.0.0
SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers       : {pixie}
UseExternalDNSServersEnabled : False

AddressSpaces                : {smtp:--;100}
AuthenticationCredential     :
Comment                      :
ConnectedDomains             : {}
ConnectionInactivityTimeOut  : 00:10:00
DNSRoutingEnabled            : False
DomainSecureEnabled          : False
Enabled                      : True
ForceHELO                    : False
Fqdn                         : crpud.org
HomeMTA                      : Microsoft MTA
HomeMtaServerId              : pixie
Identity                     : EdgeSync - Inbound to Default-First-Site-Name
IgnoreSTARTTLS               : False
IsScopedConnector            : False
IsSmtpConnector              : True
LinkedReceiveConnector       :
MaxMessageSize               : unlimited
Name                         : EdgeSync - Inbound to Default-First-Site-Name
Port                         : 25
ProtocolLoggingLevel         : None
RequireTLS                   : False
SmartHostAuthMechanism       : ExchangeServer
SmartHosts                   : {--}
SmartHostsString             : --
SmtpMaxMessagesPerConnection : 20
SourceIPAddress              : 0.0.0.0
SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers       : {pixie}
UseExternalDNSServersEnabled : False

it looks like you have an edge server is that so ?

Yes

what version ? what is there before ? newly installed ? in what queue are the outbound messages stuck ?

Exchange 2010 is the new Edge transport server, newly installed

Was an Exchange 2003 server there, now moved to same subnet as new Exchange 2010 Hub (CAS etc)

Outbound messages stuck in queue on exchange 2010 Hub server, not edge server.

there is something wrong with your edge configuration I need to be able to connect to my edge server to help you out.

I will need some time to do it, if till then no one else was able to help I will update this thread

The previous Exchange 2003  server that I moved used to be everything, I am splitting into two new exchange 2010 servers:

Domino, New 2010 server with the basic roles, not edge
Pixie, New 2010 server with edge role

Magneto is old 2003 server that I moved inside.

Hopefully that helps, I realize I am not the best at giving clues, new at asking questions here.

Check the transport service on hub server.

no prob, the issue is a check box you should do on the edge server.

open EMC on your edge and find your receive connector, go to the second tab and send me a screenshot i shld be able to help

I think this is what you want
Capture.JPG

nop actually I want to next tab the "authentication" one
sorry working from memory ATM

k, here ya go.


Capture.JPG

that is correct ! Can you share a screen shot of the queues on your HUB server"?

here it is. (I see some sort of error there, not clue how to get details)
Capture.JPG

If I hover over it it says 421 4.3.2 service not available

and the transport service on your edge server is started ?

transport is started, but net.tcp is not, should it not be started?
Capture.JPG

oh wait wait in your first screen shot, the 2 IPS listed below what are they ? is your hub server any of them ?

No, they belong to an outside spam filter service we subscribe to. Our MX records point to them, and they forward scrubbed mail to our smtp service.

I just added the hub server to the list, pretty sure it should be there. But no mail flowing still.

go to your queue and right click retry

still same error ?

No, now is different

421 4.2.2 Connection dropped due to socket error attempted failover to alternate host but that did not succeed

I remember that net.tcp port sharing service from the docs, is it risky to turn it on?

wish there was a way to see the error msg on the queue

451 4.4.0 Primary target ip address responded with "421 4.2.2 Connection dropped due to socket error..

in your permission groups tab do you have all 3 checked ?

both net.tcp services shld be started

all three are checked.

I started the net.tcp service up on the edge server. It was already set to start auto on the hub server. I restarted the transport services. Retry on the hub queue still gets the 4.2.2 connection dropped due to socket error

can you telnet your edge server port 25 from your cas ?

Just a minute, let me get a telnet client for it.

servermanagercmd -i telnet-client

Hmmm Which telnet client for 64 bit windows server 2008?

read my previous post :)

doh, give me a second...

yes, can telnet to port 25 on edge server. Seemed to run through the smtp ok., queued a message for delivery anyway.

If I try to send to an outside address with telnet it barks with 550 5.7.1 unable to relay

on your hub if you issue a Start-EdgeSynchronization -Server HubName

errors?

result success

OK Time to run EXBPA

any special options?

try with a general heatlhcheck

I guessed the connectivity one and ran that. Red x on edge server, says Registry cannot be accessed.

do you have any firewall separating your edge and your hub server? an ASA or something ?

Juniper firewall, but I have it open between them.

can you please make sure that all smtp inspection is turned off on your firewall, also any antivrus/malware/antispam is off on both servers

Can do

health check looks like this :(
Capture.JPG

The OAB is an issue but not to be dealt with now

the exchange signature and the RUS nothing to worry about (unless you still have exchange 2003)

who are pixie and magneto ? Pixie is the edge right ?

smtp inspection is off on firewall (old smtp server was in the same zone and working)

no AV stuff on edge yet, I turned on AV on Hub transport, retired output queue, still no go

Yup. Pixie is the edge.

Magneto is the previous Exchange 2003 server.

Once I get this edge thing working I was going to migrate users from Magneto to Domino (Hub) and go have a beer.

There is something fishy... I can't catch it.
can you check the event log on your edge server anything relevant

the trouble shooting assistant reports this, is it helpful?
Capture.JPG

yea sure it is helpful

1. do you have port 50636 opened between your edge and your hub ?
2. what if you issue a Get-ExchangeCertificate on your hub server results ?

Edge server has some of these error in event log
Capture.JPG

Get-ExchangeCertificate on hub server looks like this
Capture.JPG

or more like this



AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule}
CertificateDomains : {domino, domino.crpud.org}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=domino
NotAfter           : 6/13/2015 5:17:29 PM
NotBefore          : 6/13/2010 5:17:29 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 29513B5FAA81D3A44B4990934CD47DAC
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=domino
Thumbprint         : 20AEF32606BE715B737755817E83D4EF1BFC9E65

what about port 50636 is it open between hub and the edge?

errors in event log of hub ?

I have all ports open between edge and hub

test-EdgeSynchronization on the hub please

can do.

Not much interesting in the event logs on hub server

several skipped?
Capture.JPG

what about

Test-EdgeSynchronization -VerifyRecipient user@yourdaomin.com

"inconclusive"

(are the screen shots good or bad form?)
Capture.JPG

this "inconclusive" I've been finding on all 2010 edge test sync I'm starting to consider it as "normal" wasn't the case in 2007 but since the recipient status is sync i wouldn't worry about it

Sorry buddy 3am here gtg catch some sleep a few things you can do

1.
Remove Edge - http://technet.microsoft.com/en-us/library/aa996865.aspx

New Edge - http://technet.microsoft.com/en-us/library/bb125236.aspx

2. disable autotuning http://support.microsoft.com/kb/951291

3. disable TCP Offloading, Receive Side Scaling, etc.. on the NIC of your hub server

Go get some shuteye. I am very grateful for your help, thank you very very much for your help.

I will try removing and replacing the edge , if no go I will go to my fall back position until tomorrow.

(found the suggestions for 2 and 3 on the net, already did them)

Thanks.

Any updates? Did you resubscribe the edge?

I resubscribed the edge; removed edge subscription on edge and hub server, created new xml file and subscribed hub. no luck.

I am going to try skipping the edge server and just hooking the hub server up to send and receive to the internet

By the way, since you already have a dedicated AntiSpam servers why are you using the edge role for ? isn't it a bit redundant in your case?

Microsoft docs lead me to believe that is was more secure. And mutliple layers of spam filters are effective. Old server had three layers, layer 1 caught the majority, layer 2 caught even more, and layer 3 was still catching spam the first 2 layers missed.

I am concerned about this hub server being an open relay. The edge transport server had an anti-spam tab that let me specify specific ip address to relay for. I can't find that on the hub server transport section. Do I need to install something else on the hub server?

nevermind - is not open relay. Mail flowing now. Migrating users and moving on