Exchange 2007 Edge Synchronization transaction failure

Posted on 2011-03-04
Medium Priority
Last Modified: 2013-11-15
Dear experts,

I face a possible problem with Edge Synchronization on Exchange 2007. Mails cannot get routed to and from my domain, the queues on hub and edge fill up, so I am really desperately searching for a solution.

Setup: Essential Business Server 2008 with Exchange 2007 SP2. German version.

MessagingServer: Hub, Mailbox, CA
SecurityServer: EdgeTransport
All "standard" according to MS installation whitepaper.

Mail-delivery/routing has worked fine ever since initial installation, there was no change in HW, nor was any software recently installed.

When executing Test-EdgeSynchronization on hub, this is what I get:

[PS] C:\Windows\System32>Test-EdgeSynchronization

Name                        : ReefSecurity
LeaseHolder                 :
LeaseType                   : 0
ConnectionResult            : Failed
FailureDetail               : Für den Edge-Transport-Server 'ReefSecurity.Reefd
                              iver.lan' wurden keine EdgeSync-Anmeldeinformatio
                              nen auf dem lokalen Hub-Transport-Server gefunden
                              . Entfernen Sie das Edge-Abonnement, und abonnier
                              en Sie den Edge-Transport-Server erneut.
LeaseExpiry                 : 01.01.0001 00:00:00
LastSynchronized            : 01.01.0001 00:00:00
CredentialStatus            : Skipped
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Skipped
CredentialRecords           : Number of credentials 0

FailureDetail plainly translated: "No EdgeSync-logon-information was found for Edge-Transport-Server ... on local Hub-Transport-Server. Delete Edge-subscription, and re-subscribe to Edge-Transport-Server".

I have done some research, this is what I have tested & done so far:

From Edge

PING from Edge to Hub works both via IP and FQDN
NSLOOKUP on Edge for FQDN <Hub> delivers IP
NSLOOKUP on Edge for IP <Hub> fails (non-existent domain)
TELNET from Edge to Hub on port 25 works
TELNET from Edge to Hub on port 50636 does not work (blocked by firewall)

From Hub

PING from Hub to Edge for FQDN fails
PING from Hub to Edge for IP fails
NSLOOKUP on Hub for FQDN <Edge> delivers IP
NSLOOKUP on Hub for IP <Edge> fails (non-existent domain)
TELNET from Hub to Edge via FQDN on port 25 works
TELNET from Hub to Edge via FQDN on port 50636 works

On Edge, the logs show following errors

MSExchangeTransport, 1036
MSExchangeTransport, 2018

On Hub, the logs show following errors

MSExchange EdgeSync, 1032
MSExchangeTransport, 12023

Get-ExchangeCertificate | fl shows only valid certificates on Edge and Hub

Several times, I have recreated new subscriptions on Edge and renewed on Hub with- and without deleting the EdgeSubscription on Hub; Start-EdgeSynchronization was executed, however there was no detail-log afterwards like I saw some people had in their threads. This is what I get when executing Start-EdgeSynchronization in Hub:

[PS] C:\Windows\System32>Start-EdgeSynchronization
[PS] C:\Windows\System32>

So far, all actions to no avail - my mail queues keep growing.

Again - mail flow has worked just fine all the time with stated setup; There are no invalid certificates in the ExchangeStore from what I can tell.

I am definitely no AD- and Exchange-expert, so I hope there is someone out there who has seen such a problem before and who can lead me through the necessary steps.

Thanks in advance.
Question by:Reefdiver
LVL 44

Expert Comment

ID: 35036357
Hi Mark,

Is it possible for you to create a connector in HUB server and directly route your mail to the internet? This will resolve your current issue.

For Edge issue, as you mentioned you haven't made any changes, but is there any patching made on this server?
LVL 44

Expert Comment

ID: 35036450
Can you run Exchange Best Practice Analyser and Mail flow troubleshooting tool? It is part of tool snap-in. This can give more understanding.

I assume, you haven't done any service pack updates in CAS or HUB. Try this, also

Log in to Edge server and run New-EdgeSubscription, then export this file with any name like edge.xml. Copy this over to Hub server and run

New-EdgeSubscription -filename "Exported XML Path"
New-EdgeSubscription -filename "c:\edge.xml"

Author Comment

ID: 35045245
Hi all,

thanks for your replies. The key to my problem seems to be error message 12023 MSExchangeTransport on hub. Apparently, Exchange could not load a certain certificate from personal information store, which was used for authentication with other servers with Exchange (freely translated).

I don't know how & why the certificate is missing, nor do I know how to retrieve it; I have not updated or patched the servers with anything but the normal Microsoft security patches via WSUS (there were none related to Exchange lately, though).

I have taken following steps:

On Hub:

1.) New-ExchangeCertificate -DomainName mail.kunde.de -Services SMTP
2.) Test-EdgeSynchronization -> apparently, a new Edge-Synchronization is needed
3.) Remove-EdgeSubscription

On Edge

4.) New-EdgeSubscription -> afterwards, copied xml-file to Hub

On Hub:

5.) New-EdgeSubscription -filename "c:\edge.xml" -site "Default-First-Site-Name"
6.) Start-EdgeSynchronization -> seems to have worked
7.) Test-EdgeSynchronization -> result now good ('synchronized')

Afterwards, mail-flow to and from my domain worked, the queues emptied and all mails got delivered.

HOWEVER: I can now not access my OWA-site any more, neither from the internet, nor via calling the FQDN of the Exchange-server from the intranet.

I do have a SAN-certificate for my server from a third-party; it's valid till 2012 and installed on the gateway-/security-server. Calling some of the other hosted websites on my web-server works without any problem - only OWA replies with error '500 - internal server error'.

Can anyone please explain to me how I can re-enable the certificate for OWA to work?

-> Do I need to export the SAN from the security-server and import it into Exchange?
-> Or do I need to Enable-ExchangeCertificate with other services besides SMTP?

Again, thanks for your input - it's highly appreciated.


Accepted Solution

Reefdiver earned 0 total points
ID: 35097334
Ok, I figured it out myself now. For anyone out there who might come across the same problem:

The solution to the problem was like described above - steps 1 through 7 - however I should have used the FQDN instead of "mail.kunde.de". Also, I didn't remove and renew the EdgeSubscription; I found that synchronization will just overwrite the existing subscription. That saved me from some additional customizing (i.e. the smtp-relay-account I use as send-connector) afterwards.

I tried this solution with an older backup first (I am running EBS 2008 in a virtualized mode), then restored the production servers from backup and voila - everything's fine. Hope this description helps someone else.

Kind regards,
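
The checks used in this thread, gathered into one script for the Exchange Management Shell on the Hub Transport server. This is an added example, not part of the original posts: it tests TCP 25 and 50636 towards the Edge and reports whether an unexpired SMTP-enabled certificate lists the Hub's own FQDN, the detail the accepted solution turned on. `edge.example.lan` is a placeholder, `Test-TcpPort` is a helper defined here, and the Test-EdgeSynchronization property names are the ones shown in the output earlier on this page.

```powershell
# Added example. Run on the Hub Transport server in the Exchange Management Shell.
# $EdgeFqdn is a placeholder: substitute the FQDN of your Edge Transport server.
$EdgeFqdn = 'edge.example.lan'
# Assumption: the local DNS lookup returns the Hub's fully qualified name.
$HubFqdn  = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$now      = Get-Date

# Helper (hypothetical name): TCP connect with a timeout.
# BeginConnect + WaitOne needs no try/catch, so it also works on PowerShell 1.0.
function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($ComputerName, $Port, $null, $null)
    [void]$async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
    $open = $client.Connected
    $client.Close()
    return $open
}

# 1. Hub -> Edge reachability on SMTP (25) and the EdgeSync port tested above (50636).
foreach ($port in 25, 50636) {
    "{0}:{1} reachable = {2}" -f $EdgeFqdn, $port, (Test-TcpPort $EdgeFqdn $port)
}

# 2. SMTP-enabled certificates on the Hub: expired? does one list the Hub's FQDN?
#    A certificate issued only for an external name (e.g. a mail.* alias) shows
#    CoversHubFqdn = False.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' } |
    Select-Object Thumbprint, NotAfter,
        @{Name='Expired';       Expression={ $_.NotAfter -lt $now }},
        @{Name='CoversHubFqdn'; Expression={
            ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $HubFqdn }} |
    Format-List

# 3. Subscription state, reduced to the fields that mattered in this thread.
Test-EdgeSynchronization |
    Select-Object Name, ConnectionResult, CredentialStatus, LastSynchronized, FailureDetail |
    Format-List
```

A result of `CoversHubFqdn = False` on every SMTP certificate matches the situation described in the accepted solution, where the certificate had been created for "mail.kunde.de" rather than the server's FQDN.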

Author Closing Comment

ID: 35135853
No comments
