primary target ip address responded with 421 connection dropped

Need help fixing this

I have an Exchange 2007 and an Exchange 2010, and created a smart host to Exchange 2007 as it is the one connected to the Internet.

I was not having this issue before creating the smart host.
Please let me know what is wrong.
error.docx
LVL 28
MAS EE MVE, Technical Department Head, asked:
 
MegaNuk3 (Connect With a Mentor) commented:
Ok, so have you allowed E2k10 to relay through E2k7?
Why don't you send direct to the Internet from E2k10?

Here is a good article about relaying:
http://exchangepedia.com/2007/01/exchange-server-2007-how-to-allow-relaying.html
0
 
Nivlesh commented:
Have you specified the smart host by IP or by DNS? Also, have you checked to ensure the smart host has allowed you to relay emails through it?

The best check is to start a command prompt on your server, and then do

telnet {smarthost} 25

If there is a response then you are halfway there already; else call your smart host provider and ask him to check your access.

BTW, the telnet client is not installed by default on Windows 2008 servers. You will need to install it from Programs and Features in Control Panel.

0
 
MAS EE MVE, Technical Department Head (Author) commented:
It is working, but a few domains are showing this error, as in the screenshot.
0
 
MegaNuk3 commented:
If E2k7 and E2k10 are in the same Org then you don't need a smart host from E2k10 to E2k7. Exchange will learn about other Exchange servers through AD and will send via SMTP to them if they are E2k7/E2k10; otherwise it will look for a routing group connector to send to E2k3.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
They are in different forests.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
Here some users are in E2k7 and some are in E2010.

So we can only receive mail on E2k7, and email to E2010 is relayed through E2k7.

In this case what shall I do? What is the recommended solution?

BTW I am in the process of removing one AD from the network and will keep only one. Slowly migrating all the users.
0
 
MegaNuk3 commented:
Swap the inbound MX record when you have 50% of users on E2k10.

You can have E2k10 as an outbound server to the Internet now. Or is it sharing the SMTP namespace with E2k7?
0
 
MAS EE MVE, Technical Department Head (Author) commented:
E2010 is sharing the namespace with 2007.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
Or, if you know how to move mailboxes from one Exch2010 forest to another Exch2007 forest, then this is solved, as I can completely move the mailboxes overnight from one to the other and remove the mail relay.

I would really appreciate it if you can help to move from one forest to another.
0
 
MegaNuk3 commented:
Have you had a look at remote move requests?
http://technet.microsoft.com/en-us/library/dd351280.aspx
0
 
MAS EE MVE, Technical Department Head (Author) commented:
Now I removed Exchange 2007; now there is only 2010, but mails are still sitting in the queue with this error.
Attached the screenshot, can you please help to sort this issue?
error.docx
0
 
MegaNuk3 commented:
Did you create a new Send connector for E2k10 to use?

Does the send connector have a valid FQDN that matches the SMTP cert?
You can try turning TLS sending off for the send connector with
Set-SendConnector "<send connector name>" -IgnoreSTARTTLS:$true

If the above fails to work then try turning off TCP/IP auto tuning with:
netsh interface tcp set global autotuninglevel=disabled
0
 
MAS EE MVE, Technical Department Head (Author) commented:
Still the same. I just ran the second command.

Or do you want me to wait?
0
 
Nivlesh commented:
Do you have any antivirus software running on your Exchange server? Try disabling it and see if it helps.

http://autoexec.gr/forums/thread/27617.aspx
0
 
Nivlesh (Connect With a Mentor) commented:
Also, from http://social.technet.microsoft.com/Forums/en/exchange2010/thread/2c90e6dd-c631-447a-904e-bbf97167fe36

"Well I just solved the issue and it was one of the following (sorry it isn't specific, I just threw all that I could try at this point)

I disabled all filtering on the SMTP instance on the old box - took off IMF, blocklist, everything. Also disabled max number of connections/recipients.

Under the message delivery options I disabled all such items for message/content filtering that I could and I also unchecked the box that blocks all messages to users not listed in AD.

Restarted the virtual SMTP connector on the old box and the queue on the new box was empty by the time I ran the ExTA again! PF instances are now clear!"
0
 
MAS EE MVE, Technical Department Head (Author) commented:
I have only Forefront running in Exchange.
0
 
Azeem Patel, System Administrator commented:
0
 
MAS EE MVE, Technical Department Head (Author) commented:
This is for Exchange 2003.

I am having Exchange 2010 with all roles installed in one server.

And even then, this problem is only for a few domains.
0
 
MegaNuk3 commented:
Did you try:
Set-SendConnector "<send connector name>" -IgnoreSTARTTLS:$true
0
 
MAS EE MVE, Technical Department Head (Author) commented:
When I try that I am getting the below error:

The DomainSecureEnabled parameter can't be set to $True if the IgnoreSTARTTLS parameter is set to $True.
    + CategoryInfo          : NotSpecified: (Internet:ADObjectId) [Set-SendConnector], DataValidationException
    + FullyQualifiedErrorId : C497310C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetSendConnector
0
 
MegaNuk3 commented:
Do you have just one Send Connector, or one per individual SMTP domain you are sending to (partners or sister companies)?
0
 
MAS EE MVE, Technical Department Head (Author) commented:
I used to have two send connectors but I deleted that long back, i.e. 2 months back. Now only one send connector.

Thanks
0
 
MegaNuk3 commented:
Can you try:
Set-SendConnector "<send connector name>" -IgnoreSTARTTLS:$true -DomainSecureEnabled:$false
0
 
MAS EE MVE, Technical Department Head (Author) commented:
That command ran without error.
Can I send a test email now to the domains which were having issues sending?

Please explain what this command does if you don't mind, as in future I would be able to answer questions in EE.
0
 
MegaNuk3 commented:
Yep, try sending a few test messages.

Basically the command tells the Send Connector not to try and encrypt the connection with TLS (Transport Layer Security). A lot of mail systems out there are not set up for TLS, or not set up properly.
0
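The two Set-SendConnector calls discussed above, as an added PowerShell example that is not part of the thread: it records the connector's state before the change, applies the combination that finally ran without error (Domain Security has to be switched off in the same call, which is what the DataValidationException earlier in the thread is about), checks the queue, and keeps the values needed to revert. The connector name "Internet" is taken from the error text quoted in the thread; the server name and the address space in the scoped alternative at the end are placeholders. IgnoreSTARTTLS removes opportunistic TLS for every domain the connector serves, so the example goes one step beyond the thread and ends with a second connector scoped to the failing domains: Exchange routes to the connector with the most specific address-space match, so only those domains then go out without STARTTLS.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the Exchange 2010 server. "Internet" is the connector name that appears in
# the thread's error text; replace it with your own if it differs.
$ConnectorName = "Internet"

# 1. Record the current state before changing anything, so the change can be
#    reverted once the remote domains are reachable with TLS again.
$before = Get-SendConnector -Identity $ConnectorName |
    Select-Object Name, Fqdn, AddressSpaces, DomainSecureEnabled, IgnoreSTARTTLS,
                  RequireTLS, DNSRoutingEnabled, UseExternalDNSServersEnabled, SmartHosts
$before | Format-List
$before | Export-Clixml -Path "$env:TEMP\$ConnectorName-SendConnector-before.xml"

# 2. The change the thread arrived at. DomainSecureEnabled (mutual TLS with
#    partner domains) has to be turned off in the same call; with it left on,
#    Set-SendConnector rejects IgnoreSTARTTLS with a DataValidationException.
#    Everything this connector delivers now leaves without STARTTLS, i.e. in
#    clear text on the wire, until step 4 is run.
Set-SendConnector -Identity $ConnectorName -IgnoreSTARTTLS:$true -DomainSecureEnabled:$false

# 3. Confirm the setting and watch whether the stuck queues start to drain.
Get-SendConnector -Identity $ConnectorName | Format-List Name, IgnoreSTARTTLS, DomainSecureEnabled
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, NextHopDomain, Status, MessageCount, LastError -AutoSize

# 4. Revert (uncomment) once the remote side is fixed; restores what step 1 saved.
# $saved = Import-Clixml -Path "$env:TEMP\$ConnectorName-SendConnector-before.xml"
# Set-SendConnector -Identity $ConnectorName `
#     -IgnoreSTARTTLS:$saved.IgnoreSTARTTLS -DomainSecureEnabled:$saved.DomainSecureEnabled

# Alternative that keeps TLS for everyone else: a second connector scoped to the
# domains that actually fail. Exchange picks the connector with the most specific
# address-space match, so only these domains go out without STARTTLS.
# "failing.example" and "EX2010-SERVER" are placeholders.
New-SendConnector -Name "Internet-NoTLS" -Usage Custom `
    -AddressSpaces "SMTP:failing.example;1" `
    -SourceTransportServers "EX2010-SERVER" `
    -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $true `
    -IgnoreSTARTTLS $true -DomainSecureEnabled $false
```

The Export-Clixml file is the only record of the previous values, so keep it until the revert has been run; Get-Queue's LastError column is where the "421 4.4.2 Connection dropped" and "DNS query failed" texts from the thread's screenshots show up, so it is the quickest way to see whether the change made any difference.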
 
MAS EE MVE, Technical Department Head (Author) commented:
But it is the same as before.
0
 
MegaNuk3 commented:
Same error?
0
 
MAS EE MVE, Technical Department Head (Author) commented:
This is the error now:
error.png
0
 
MegaNuk3 commented:
Check the DNS servers the server or the Send connector is using.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
Local DNS servers are configured in the NIC, and the send connector is using external DNS servers.

The external DNS servers are configured in the properties of the server from the MMC.
0
 
MegaNuk3 commented:
On one of the domains you are failing to send to, put it into mxtoolbox.com and check the IP address it is returning. Try the SMTP test on there too, to confirm it is a working SMTP server.

Then use nslookup against both of your external DNS servers (that the Send Connector is using) for the MX records of the failing domain, and see if the same IP address is returned for those MX records when using your defined external DNS servers.
0
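The check just described (MX records of the failing domain as answered by each external DNS server the Send Connector uses, then a connection to the MX host on port 25 as Nivlesh suggested with telnet earlier in the thread), as an added PowerShell example that is not part of the thread. It exercises the forward lookup (MX, then A) that a DNS-routed Send Connector performs, and reads the SMTP greeting with a timeout so a silent host cannot hang the script. The domain and the two DNS server addresses are placeholders; in the Exchange Management Shell the real list comes from the transport server's ExternalDNSServers property, as noted in the comments.

```powershell
# Added example, not from the thread. Plain PowerShell (2.0 on Windows 2008 R2
# is enough; it shells out to nslookup like the thread does). Both values are
# placeholders: use a domain that sits in the queue, and the addresses the Send
# Connector uses, which in the Exchange Management Shell are
#   (Get-TransportServer -Identity "<server>").ExternalDNSServers
$FailingDomain = "failing.example"
$ExternalDns   = @("203.0.113.10", "203.0.113.11")

# Ask one DNS server for the domain's MX records and parse nslookup's output.
# Returns a hashtable: MX host name -> array of IPv4 addresses (taken from the
# additional section when present, otherwise from an A lookup on the same server).
function Get-MxViaServer {
    param([string]$Domain, [string]$DnsServer)
    $result = @{}
    $lines = & nslookup -type=MX $Domain $DnsServer 2>&1
    foreach ($line in $lines) {
        if ($line -match 'mail exchanger = (\S+?)\.?$') { $result[$Matches[1].ToLower()] = @() }
    }
    foreach ($line in $lines) {
        if ($line -match '^(\S+?)\.?\s+internet address = (\S+)') {
            $h = $Matches[1].ToLower()
            if ($result.ContainsKey($h)) { $result[$h] += $Matches[2] }
        }
    }
    foreach ($h in @($result.Keys)) {          # snapshot of keys: values change below
        if ($result[$h].Count -eq 0) {
            $afterName = $false                # skip the "Address:" line of the server itself
            foreach ($line in (& nslookup $h $DnsServer 2>&1)) {
                if ($line -match '^Name:') { $afterName = $true; continue }
                if ($afterName -and $line -match '(\d{1,3}(\.\d{1,3}){3})') { $result[$h] += $Matches[1] }
            }
        }
    }
    return $result
}

# Open TCP/25 to one address and read the SMTP greeting, i.e. what the thread's
# "telnet <host> 25" shows by hand, with a timeout so a silent host does not block.
function Test-SmtpBanner {
    param([string]$Address, [int]$TimeoutMs = 10000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, 25, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return "no TCP connect in $TimeoutMs ms" }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $banner = $reader.ReadLine()           # a working MTA answers "220 ..."
        $writer.WriteLine("QUIT")
        return $banner
    } catch { return "error: " + $_.Exception.Message }
    finally { $client.Close() }
}

function Get-IpList($mxTable) { @($mxTable.Values | ForEach-Object { $_ } | Sort-Object -Unique) }

# 1. MX hosts and their addresses as seen from each external DNS server.
$seen = @{}
foreach ($dns in $ExternalDns) {
    $mx = Get-MxViaServer -Domain $FailingDomain -DnsServer $dns
    Write-Host "DNS server $dns :"
    if ($mx.Count -eq 0) { Write-Host "  no MX answer (this is the thread's 'DNS query failed' case)" }
    foreach ($h in $mx.Keys) { Write-Host ("  {0} -> {1}" -f $h, ($mx[$h] -join ", ")) }
    $seen[$dns] = $mx
}

# 2. Both servers should agree; a difference points at the DNS side, not the remote MTA.
$reference = Get-IpList $seen[$ExternalDns[0]]
for ($i = 1; $i -lt $ExternalDns.Count; $i++) {
    $other = Get-IpList $seen[$ExternalDns[$i]]
    if (($reference -join ",") -eq ($other -join ",")) { Write-Host "$($ExternalDns[$i]) agrees with $($ExternalDns[0])" }
    else { Write-Host "MISMATCH: $($ExternalDns[0]) says [$($reference -join ', ')], $($ExternalDns[$i]) says [$($other -join ', ')]" }
}

# 3. Greeting from every MX address; a slow or missing 220 matches the thread's
#    "421 connection dropped" / bad transaction time symptom.
foreach ($ip in $reference) { Write-Host ("  {0,-16} {1}" -f $ip, (Test-SmtpBanner -Address $ip)) }
```

Compare the addresses printed in step 1 with what mxtoolbox.com reports for the same domain: if the two external servers disagree with each other or with mxtoolbox, the Send Connector is being fed stale or broken DNS data; if they agree but step 3 gets no 220 within the timeout, the problem is on the remote MTA's side, which is where the thread ends up.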
 
Azeem Patel, System Administrator commented:
I always suggest trying to initiate the connection manually and sending a test mail.

http://www.yuki-onna.co.uk/email/smtp.html
0
 
MAS EE MVE, Technical Department Head (Author) commented:
I tried the above, and for that some domains are OK,
but for some only the sender is OK and the recipient is hanging.

That means there is some issue from our side?

Please advise.
0
 
Azeem Patel, System Administrator commented:
Do you have a firewall between the domain from which you are trying to open the connection and the domain for which it is hanging?

If yes, then can you open an IP-to-IP connection between these 2 domains for
domain controllers and Exchange?
0
 
MAS EE MVE, Technical Department Head (Author) commented:
--> open IP-to-IP connection between these 2 domains
This I understood.

But what about opening for domain controller and Exchange?
0
 
Azeem Patel, System Administrator commented:
Open an IP-to-IP connection between domain controllers and Exchange.

Example:
VLAN 1 > Domain1.com
VLAN 2 > Domain2.com
Then
VLAN 1 (IP to IP) VLAN 2
IP to IP means all ports are open between these two VLANs.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
I already have a policy (trust to untrust) to open all the ports from Exchange (i.e. the IP of Exchange) to any host.
0
 
Azeem Patel, System Administrator commented:
Re-iterating the complete discussion:

1. You have 2 domain forests > Domain1.com and Domain2.com
2. You have Exch 2007 and 2010
3. Outgoing msg from Exch 2007: Exch 2007 > Forefront
    Outgoing msg from Exch 2010: Exch 2010 > Exch 2007 > Forefront
4. Vice versa for incoming as per point 3
5. Users from both Exch are able to send messages to each other
6. Exch 2007 is decommissioned
8. You are facing a problem sending mails to outside domains

If some points are missed then please mention.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
Please check posts #35187549 and #35275352.

0
 
Azeem Patel, System Administrator commented:
What about the other points?

Is mail getting queued from Exch 2010 to outside via Forefront?

Telnet FF on 25 and send mail from a valid internal ID to Gmail and check.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
Forefront is installed on the same server as Exchange 2010.

Now I noticed that the transaction time of those domains is bad. I checked these from 'mxtoolbox'.
Could these issues be because of that?

If that is right, one problem is solved. I will mail them via Gmail to fix it.

And what about 'DNS query failed'?
I think this is some small issue. Please help to figure it out and I will close the question.
0
 
Azeem Patel, System Administrator commented:
It should auto-resolve when this transaction time is rectified, since there must also be a delay in querying DNS as well, hence getting the timeout.

Wait until this transaction delay is rectified and then proceed with new suggestions.
0
 
MAS EE MVE (Connect With a Mentor), Technical Department Head (Author) commented:
For the domains showing 'DNS query failed' I checked in mxtoolbox and found they do not have reverse DNS.

Is this 'DNS query failed' error because they do not have reverse DNS?

I think we have reached the solution.
0
 
Azeem Patel, System Administrator commented:
If possible you should try adding static entries until the issue is completely resolved.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
How to add static entries?
Please advise.
0
 
Azeem Patel (Connect With a Mentor), System Administrator commented:
I don't know about Forefront, but you see the way we add whitelist entries with domains and IP addresses, or if you have an ISP smart host to use.
0
 
MAS EE MVE, Technical Department Head (Author) commented:
For the domains showing 'DNS query failed' I checked in mxtoolbox and found they do not have reverse DNS.

The second error is due to the transaction time delay of the remote domain.

I think we have reached the solution.
Many thanks to the EE experts.
0