Solved

Exchange 2007 Edge Synchronization transaction failure

Posted on 2011-03-04
Last Modified: 2013-11-15
Dear experts,

I face a possible problem with Edge Synchronization on Exchange 2007. Mail cannot be routed to or from my domain, the queues on hub and edge fill up, so I am really desperately searching for a solution.

Setup: Essential Business Server 2008 with Exchange 2007 SP2. German version.

MessagingServer: Hub, Mailbox, CA
SecurityServer: EdgeTransport
All "standard" according to MS installation whitepaper.

Mail-delivery/routing has worked fine ever since initial installation, there was no change in HW, nor was any software recently installed.

When executing Test-EdgeSynchronization on hub, this is what I get:

[PS] C:\Windows\System32>Test-EdgeSynchronization


Name                        : ReefSecurity
LeaseHolder                 :
LeaseType                   : 0
ConnectionResult            : Failed
FailureDetail               : Für den Edge-Transport-Server 'ReefSecurity.Reefd
                              iver.lan' wurden keine EdgeSync-Anmeldeinformatio
                              nen auf dem lokalen Hub-Transport-Server gefunden
                              . Entfernen Sie das Edge-Abonnement, und abonnier
                              en Sie den Edge-Transport-Server erneut.
LeaseExpiry                 : 01.01.0001 00:00:00
LastSynchronized            : 01.01.0001 00:00:00
CredentialStatus            : Skipped
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Skipped
CredentialRecords           : Number of credentials 0

FailureDetail plainly translated: "No EdgeSync logon information was found for Edge Transport Server ... on local Hub Transport Server. Delete the Edge subscription and re-subscribe the Edge Transport Server".

I have done some research; this is what I have tested and done so far:

From Edge

PING from Edge to Hub works both via IP and FQDN
NSLOOKUP on Edge for FQDN <Hub> delivers IP
NSLOOKUP on Edge for IP <Hub> fails (non-existent domain)
TELNET from Edge to Hub on port 25 works
TELNET from Edge to Hub on port 50636 does not work (blocked by firewall)

From Hub

PING from Hub to Edge for FQDN fails
PING from Hub to Edge for IP fails
NSLOOKUP on Hub for FQDN <Edge> delivers IP
NSLOOKUP on Hub for IP <Edge> fails (non-existent domain)
TELNET from Hub to Edge via FQDN on port 25 works
TELNET from Hub to Edge via FQDN on port 50636 works

On Edge, the logs show the following errors

MSExchangeTransport, 1036
MSExchangeTransport, 2018

On Hub, the logs show the following errors

MSExchange EdgeSync, 1032
MSExchangeTransport, 12023

Get-ExchangeCertificate | fl shows only valid certificates on Edge and Hub

Several times, I have recreated new subscriptions on Edge and renewed on Hub with and without deleting the EdgeSubscription on Hub; Start-EdgeSynchronization was executed, however there was no detail log afterwards like I saw some people had in their threads. This is what I get when executing Start-EdgeSynchronization on Hub:

[PS] C:\Windows\System32>Start-EdgeSynchronization
[PS] C:\Windows\System32>

So far, all actions to no avail - my mail queues keep growing.

Again - mail flow has worked just fine all the time with the stated setup; there are no invalid certificates in the Exchange store from what I can tell.

I am definitely no AD or Exchange expert, so I hope there is someone out there who has seen such a problem before and who can lead me through the necessary steps.

Thanks in advance.
Mark
Question by:Reefdiver

Expert Comment by:Amit
Hi Mark,

Is it possible for you to create a connector on the HUB server and directly route your mail to the internet? This will resolve your current issue.

For the Edge issue, as you mentioned you haven't made any changes, but was any patching done on this server?

Expert Comment by:Amit
Can you run the Exchange Best Practices Analyzer and the Mail Flow Troubleshooting tool? It is part of the tool snap-in. This can give more understanding.

I assume you haven't done any service pack updates on CAS or HUB. Try this also:

Log in to the Edge server and run New-EdgeSubscription, then export this file with any name, like edge.xml. Copy this over to the Hub server and run

New-EdgeSubscription -filename "Exported XML Path"
New-EdgeSubscription -filename "c:\edge.xml"

Author Comment by:Reefdiver

Hi all,

Thanks for your replies. The key to my problem seems to be error message 12023 MSExchangeTransport on hub. Apparently, Exchange could not load a certain certificate from the personal information store, which was used for authentication with other Exchange servers (freely translated).

I don't know how and why the certificate is missing, nor do I know how to retrieve it; I have not updated or patched the servers with anything but the normal Microsoft security patches via WSUS (there were none related to Exchange lately, though).

I have taken the following steps:

On Hub:

1.) New-ExchangeCertificate -DomainName mail.kunde.de -Services SMTP
2.) Test-EdgeSynchronization -> apparently, a new Edge Synchronization is needed
3.) Remove-EdgeSubscription

On Edge

4.) New-EdgeSubscription -> afterwards, copied the XML file to Hub

On Hub:

5.) New-EdgeSubscription -filename "c:\edge.xml" -site "Default-First-Site-Name"
6.) Start-EdgeSynchronization -> seems to have worked
7.) Test-EdgeSynchronization -> result now good ('synchronized')

Afterwards, mail flow to and from my domain worked, the queues emptied and all mails got delivered.

HOWEVER: I can now not access my OWA site anymore, neither from the internet, nor via calling the FQDN of the Exchange server from the intranet.

I do have a SAN certificate for my server from a third party; it's valid till 2012 and installed on the gateway/security server. Calling some of the other hosted websites on my web server works without any problem - only OWA replies with error '500 - internal server error'.

Can anyone please explain to me how I can re-enable the certificate for OWA to work?

-> Do I need to export the SAN from the security server and import it into Exchange?
-> Or do I need to run Enable-ExchangeCertificate with other services besides SMTP?

Again, thanks for your input - it's highly appreciated.

Mark

Accepted Solution by:Reefdiver

Ok, I figured it out myself now. For anyone out there who might come across the same problem:

The solution to the problem was as described above - steps 1 through 7 - however I should have used the FQDN instead of "mail.kunde.de". Also, I didn't remove and renew the EdgeSubscription; I found that synchronization will just overwrite the existing subscription. That saved me from some additional customizing (i.e. the SMTP relay account I use as send connector) afterwards.

I tried this solution with an older backup first (I am running EBS 2008 in a virtualized mode), then restored the production servers from backup and voilà - everything's fine. Hope this description helps someone else.

Kind regards,
Mark
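The corrected procedure from the accepted answer (certificate issued for the Hub's own FQDN, SMTP service only, subscription left in place) as an added Exchange Management Shell script; this is not code from the thread. It assumes it runs on the Hub Transport server and that the Edge server name (the `Name` column of Test-EdgeSynchronization) is supplied in the `$edgeName` placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the Hub.
# Assumptions: $edgeName is a placeholder for the Edge Transport server name; the Hub FQDN
# is taken from DNS for the local machine.
$hubFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$edgeName = 'EDGE-SERVER-NAME'   # placeholder

# 1. Look for a non-expired certificate that is enabled for SMTP and covers the Hub FQDN.
#    Event 12023 in the thread meant the certificate Exchange uses for server-to-server
#    authentication could no longer be loaded from the personal store.
$smtpCerts = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match 'SMTP') -and
    ($_.NotAfter -gt (Get-Date)) -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $hubFqdn)
}

if (-not $smtpCerts) {
    Write-Host "No valid SMTP certificate for $hubFqdn; creating a self-signed one."
    # As in the accepted answer: use the server FQDN (not a mail.* alias) and enable it for
    # SMTP only, so whatever certificate IIS/OWA is using is not touched.
    # New-ExchangeCertificate asks before replacing the default SMTP certificate.
    New-ExchangeCertificate -DomainName $hubFqdn -Services SMTP
} else {
    $smtpCerts | Format-Table Thumbprint, Services, NotAfter, CertificateDomains -AutoSize
}

# 2. Re-run EdgeSync without removing the subscription (the thread found that a new sync
#    simply overwrites the existing one) and read back the result for this Edge server.
Start-EdgeSynchronization
$result = Test-EdgeSynchronization | Where-Object { $_.Name -eq $edgeName }

if ($null -eq $result) {
    Write-Host "No EdgeSync entry named '$edgeName' (check the Name column of Test-EdgeSynchronization)."
} elseif ($result.ConnectionResult -eq 'Failed') {
    Write-Host "EdgeSync to $edgeName still failing:"
    Write-Host $result.FailureDetail
} else {
    $result | Format-List Name, ConnectionResult, LastSynchronized, CredentialStatus
}
```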
