Exchange 2010 SMTP Authentication against AD LDS

I've been troubleshooting this for weeks without luck.

I'm currently running a mix of Exchange 2003 mailbox/front end and Exchange 2010 mailbox/client access/hub deployment, all on individual physical or virtual servers (5 total).  I installed the edge transport role on a sixth server in my DMZ.  Following MULTIPLE edge transport install guides, I was able to get my edge transport server up and running.  

As I was moving mailboxes from the 2003 to the 2010 mailbox server, I discovered a problem with a user that is exclusively SMTP/POP.  On the 2003 mailbox/front end it was easy to have that user authenticate before SMTP to prevent relaying.  I am unable to get the edge transport to authenticate any Active Directory users.

I have installed and re-installed the edge transport multiple times.  My current edge test, I've moved to onto my AD network (still stand alone) to rule out any firewall problems.

I've tested extensively using a telnet session along with the AUTH LOGIN command.

What I think the problem is, is that the edge transport is unable to authenticate to the AD LDS instance installed during the Exchange edge transport role install.  I feel this way because if I create a local user on the edge transport role server, SMTP authenticates successfully.  I'm also receiving a monitoring error for the Exchange-installed LDS instance (attached image).

Executing the Exchange Management Shell command "Start-EdgeSynchronization -Server <hub_transport> -TargetServer <edge_transport> -ForceFullSync" doesn't show any errors that I can tell.

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Configuration
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 2
Scanned        : 35
TargetScanned  : 0

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Recipients
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 160
Scanned        : 268
TargetScanned  : 0

However, the command "Test-EdgeSynchronization -VerifyRecipient username@domain.com" returns a mixed message of:

RunspaceId                  : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
SyncStatus                  : Inconclusive
UtcNow                      : 3/15/2012 1:33:16 PM
Name                        : EDGESERVER
LeaseHolder                 : CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=My Exchange Server,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=ORG
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 3/15/2012 2:01:57 PM
LastSynchronizedUtc         : 3/15/2012 1:31:57 PM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2

I have checked and double-checked everything I know how to check.  I can telnet to 50389 and 50636.

I'm stuck in a holding pattern until I can get this resolved.

Thanks in advance.
Exchange-ADAM.jpg
LVL 1
mlehnertzAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mlehnertzAuthor Commented:
Anybody?
0
abdulalikhanCommented:
Edge server is only responsible for Email transportation and for receiving emails from the internet you cannot restrict it for limited IPs and allowing POP/SMTP for every user with the authentication will conflict with the default receive connectors.
0
mlehnertzAuthor Commented:
If I read this correctly, the "by design" behavior for the edge transport role is to NOT enable the ability to authenticate during SMTP.  It is strictly a server-to-server transport device and does not allow interaction between email clients.  This does make sense, but please correct me if I'm wrong.

So if that's the case, why does it matter than AD LDS is installed on the edge transport role?

Also, how would you suggest I authenticate a user before allowing an SMTP relay?  Should I create a private NAT through my firewall to the hub transport server?  I've considered this since my original posting.

The bottom line is that I have external SMTP/POP email clients that require a method of sending email via SMTP through my mail servers.  Any suggestions would be GREATLY appreciated.
0
abdulalikhanCommented:
For the first part of your understanding it is similar to mine.

AD LDS role is installed because of Edge Synchronization. It can minimize the email traffic on HUB Transport server which is more critical, as edge synchronization will control recipient filtering easily.

Yes, I have NAT the SMTP / POP users to HUB transport for few of the Customers and it is working fine.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mlehnertzAuthor Commented:
I'm not happy with the solution but until I can discover a better one...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.