Inbound email stuck in queue at Edge server

Dear experts,

This one's been a real pain for me recently. I have a DC, an exchange 2007 server and an ISA server.  The ISA server hosts the exchange Edge Transport services and the exchange server is the Hub Transport.

Outbound mail is being processed fine but inbound mail is queueing up on the edge server. It will sit there for a random amount of time. Then all of a sudden a few will get delivered to the user's mailboxes. This happens constatntly and the users are complaing of delays receiving email.

Now - I had been seeing events suggesting that a certificate had expired. so i generated a new one using the exchange cmdlet - and subsequently wrecked something.  So I performed the following, restarting the relevant services where appropriate:

- generated new cert (I received a warning that the cert was missing in AD but that it was now fixed)
- removed the edge subscription from the HT and the ET
- created a new edge subscription and used the xml file to create a new one on the HT
- started the edge synchronisation

But still the mail is queueing up at the edge server.  I ran through the mailflow trouble shooter and get the following errors:

One or more inconsistencies were found with Active Directory Application Mode (ADAM) instance on server This is an indication that EdgeSync has not successfully replicated critical configuration information from Active Directory to this ADAM instance.

No EdgeSync credentials were found in Active Directory for Edge Transport server role computer %EDGECN%. This occurs when the tool is unable to retrieve one or more values for the 'msExchEdgeSyncCredential' attribute on the server object '%EDGEDN%' in Active Directory.

The test-edgesynchronisation returns a successful message
The necessary rules are in place in ISA

What have i missed?
Who is Participating?
tech53Connect With a Mentor Author Commented:
Ok.  I got the issue resolved.  It was caused by an upchaining issue.  I generated the self signed cert on the exchange server. But the exchange server was not the CA. I generated the cert request and had it authorised by the internal CA. Then i installed the cert on the exchange server and all is good.

Thanks for all your help.
tech53Author Commented:
Anyone any ideas on this?
tech53Author Commented:
the result from the test-edgesynchronization command is:

Name                        : EdgeServer
LeaseHolder                 : HubTransportServer
LeaseType                   : Option
ConnectionResult            : Succeeded
FailureDetail               :
LeaseExpiry                 : 21/09/2011 15:11:22
LastSynchronized            : 21/09/2011 14:11:22
CredentialStatus            : Synchronized
TransportServerStatus       : Synchronized
TransportConfigStatus       : Synchronized
AcceptedDomainStatus        : Synchronized
SendConnectorStatus         : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 3

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.


try running the start-edgesyncronization command on your hub transport server.  

tech53Author Commented:
I've done that too - several times! It returns a successful result.  

is the exchange credential service started on the edge transport server ?

Start the Microsoft Exchange ADAM service
1.Click Start, click Run, type services.msc, and then click OK.

2.In the Services, locate the Microsoft Exchange ADAM service in the details pane.

3.Right-click the service, and then click Start.

tech53Author Commented:
The ADAM sevice is started ok.

Right.  The sync erros have disappeared now following a server reboot.  Event logs on the ISA and exchange box are nice and clean.

So i ran the exchange analyser and discovered a few issues. One particualr issue is described below:

Cannot find 'Host' or 'MX' record(s) for domain exch1
Domain exch1 is a remote domain to which server security1 is trying to send messages but neither the 'MX' records nor 'Host' records of domain exch1 can be obtained from any DNS server security1 uses. This may be causing message backups in the queue or non-delivery reports if the DNS response is 'non-existent domain'.

exch1 is the name of the HT server and security1 is the name of the ISA server, yet it seems to refer to the HT server as a domain rather than a host. The error i see against the queue for the HT is
2421 4.4.2 Connection dropped..."

See this link: 

Thats exactly what i'm experienceing, but I dont see a resolution.
tech53Author Commented:
see my previous post
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.