Exchange 2010 SMTP Authentication against AD LDS

Posted on 2012-03-15
Last Modified: 2012-03-27
I've been troubleshooting this for weeks without luck.

I'm currently running a mix of Exchange 2003 mailbox/front end and Exchange 2010 mailbox/client access/hub deployment, all on individual physical or virtual servers (5 total).  I installed the edge transport role on a sixth server in my DMZ.  Following MULTIPLE edge transport install guides, I was able to get my edge transport server up and running.  

As I was moving mailboxes from the 2003 to the 2010 mailbox server, I discovered a problem with a user that is exclusively SMTP/POP.  On the 2003 mailbox/front end it was easy to have that user authenticate before SMTP to prevent relaying.  I am unable to get the edge transport to authenticate any Active Directory users.

I have installed and re-installed the edge transport multiple times.  For my current edge test, I've moved it onto my AD network (still stand-alone) to rule out any firewall problems.

I've tested extensively using a telnet session along with the AUTH LOGIN command.

What I think the problem is is that the edge transport is unable to authenticate to the AD LDS instance installed during the Exchange edge transport role install.  I feel this way because if I create a local user on the edge transport role server, SMTP authenticates successfully.  I'm also receiving a monitoring error for the Exchange-installed LDS instance (attached image).

Executing the Exchange Management Shell command "Start-EdgeSynchronization -Server <hub_transport> -TargetServer <edge_transport> -ForceFullSync" doesn't show any errors that I can tell.

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Configuration
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 2
Scanned        : 35
TargetScanned  : 0

RunspaceId     : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
Result         : Success
Type           : Recipients
Name           : EDGESERVER
FailureDetails :
StartUTC       : 3/15/2012 1:31:55 PM
EndUTC         : 3/15/2012 1:31:57 PM
Added          : 0
Deleted        : 0
Updated        : 160
Scanned        : 268
TargetScanned  : 0

However, the command "Test-EdgeSynchronization -VerifyRecipient" returns a mixed message of:

RunspaceId                  : bf64f8ad-f659-4e0e-bb42-273e4e70f7f3
SyncStatus                  : Inconclusive
UtcNow                      : 3/15/2012 1:33:16 PM
Name                        : EDGESERVER
LeaseHolder                 : CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=My Exchange Server,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=ORG
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 3/15/2012 2:01:57 PM
LastSynchronizedUtc         : 3/15/2012 1:31:57 PM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2

I have checked and double-checked everything I know how to check.  I can telnet to 50389 and 50636.

I'm stuck in a holding pattern until I can get this resolved.

Thanks in advance.
Question by: mlehnertz
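The telnet AUTH LOGIN test the asker describes, together with the relay rule that authentication is meant to enforce, as an added in-process model of the SMTP dialogue. This is example code written for this page, not code from the question or from Exchange; the user, password, domains and host names are constructed, and the credential store is a hypothetical stand-in for whatever directory the connector really authenticates against. It shows both sides of the exchange (the base64 "Username:" and "Password:" prompts, the 235/535 outcomes) and how an unauthenticated session is refused relay to a non-local recipient while a local recipient is still accepted.

```python
import base64
import hmac
from hashlib import sha256

# Constructed sample data (not from the question): one SMTP/POP-only user
# and the single accepted domain the server delivers locally.
LOCAL_DOMAINS = {"example.org"}
USERS = {"popuser@example.org": sha256(b"S3cret!").hexdigest()}

B64_USERNAME_PROMPT = base64.b64encode(b"Username:").decode()  # "VXNlcm5hbWU6"
B64_PASSWORD_PROMPT = base64.b64encode(b"Password:").decode()  # "UGFzc3dvcmQ6"


class SmtpAuthLoginServer:
    """Model of a receive connector offering AUTH LOGIN. Relay rule: a recipient
    outside the accepted domains is accepted only from an authenticated session."""

    def __init__(self, users, local_domains):
        self.users = users
        self.local_domains = {d.lower() for d in local_domains}
        self.authenticated_as = None
        self.state = "command"  # "command" | "await_user" | "await_pass"
        self.pending_user = None

    def _check(self, username, password):
        # Hypothetical store: hex SHA-256 per user, compared in constant time.
        expected = self.users.get(username)
        if expected is None:
            return False
        return hmac.compare_digest(expected, sha256(password.encode()).hexdigest())

    def handle(self, line):
        """Return the server reply to one client line."""
        if self.state in ("await_user", "await_pass"):
            try:
                value = base64.b64decode(line, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                self.state = "command"
                return "501 5.5.2 Cannot decode response"
            if self.state == "await_user":
                self.pending_user, self.state = value, "await_pass"
                return "334 " + B64_PASSWORD_PROMPT
            self.state = "command"
            if self._check(self.pending_user, value):
                self.authenticated_as = self.pending_user
                return "235 2.7.0 Authentication successful"
            return "535 5.7.3 Authentication unsuccessful"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.org Hello\r\n250-AUTH LOGIN\r\n250 OK"
        if verb == "AUTH":
            if arg.strip().upper() != "LOGIN":
                return "504 5.7.4 Unrecognized authentication type"
            self.state = "await_user"
            return "334 " + B64_USERNAME_PROMPT
        if verb == "MAIL":
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            address = arg.split(":", 1)[-1].strip().strip("<>")
            domain = address.rsplit("@", 1)[-1].lower()
            if domain in self.local_domains or self.authenticated_as:
                return "250 2.1.5 Recipient OK"
            return "550 5.7.1 Unable to relay"  # what an unauthenticated relay attempt sees
        if verb == "QUIT":
            return "221 2.0.0 Service closing transmission channel"
        return "500 5.5.2 Command not recognized"


def auth_login_exchange(server, username, password, rcpt, use_auth=True):
    """Drive the sequence one would type in telnet. Returns
    (relay_accepted, authenticated, transcript) where transcript is a list of
    (side, line) pairs so both halves of the dialogue can be inspected."""
    transcript = []

    def send(line):
        reply = server.handle(line)
        transcript.append(("C", line))
        transcript.append(("S", reply))
        return reply

    send("EHLO client.example")
    authenticated = False
    if use_auth:
        reply = send("AUTH LOGIN")
        if reply.startswith("334"):
            reply = send(base64.b64encode(username.encode()).decode())
        if reply.startswith("334"):
            reply = send(base64.b64encode(password.encode()).decode())
        authenticated = reply.startswith("235")
    send("MAIL FROM:<%s>" % username)
    relay_reply = send("RCPT TO:<%s>" % rcpt)
    send("QUIT")
    return relay_reply.startswith("250"), authenticated, transcript


if __name__ == "__main__":
    ok, authed, lines = auth_login_exchange(SmtpAuthLoginServer(USERS, LOCAL_DOMAINS),
                                            "popuser@example.org", "S3cret!", "someone@remote.test")
    print("authenticated=%s relay_accepted=%s" % (authed, ok))
    for side, text in lines:
        print("%s: %s" % (side, text.replace("\r\n", " | ")))
```

Running the same exchange with a wrong password yields a 535 followed by "550 5.7.1 Unable to relay", which matches the symptom of a connector whose authentication backend is not answering: the AUTH LOGIN handshake completes syntactically but every credential is rejected, so the relay rule falls back to refusing external recipients.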

Author Comment

ID: 37749110

Expert Comment

ID: 37770000
The Edge server is only responsible for email transport and for receiving emails from the internet. You cannot restrict it to limited IPs, and allowing POP/SMTP for every user with authentication will conflict with the default receive connectors.

Author Comment

ID: 37772906
If I read this correctly, the "by design" behavior for the edge transport role is to NOT enable the ability to authenticate during SMTP.  It is strictly a server-to-server transport device and does not allow interaction between email clients.  This does make sense, but please correct me if I'm wrong.

So if that's the case, why does it matter that AD LDS is installed on the edge transport role?

Also, how would you suggest I authenticate a user before allowing an SMTP relay?  Should I create a private NAT through my firewall to the hub transport server?  I've considered this since my original posting.

The bottom line is that I have external SMTP/POP email clients that require a method of sending email via SMTP through my mail servers.  Any suggestions would be GREATLY appreciated.

Accepted Solution

abdulalikhan earned 500 total points
ID: 37773145
For the first part, your understanding is similar to mine.

The AD LDS role is installed because of Edge Synchronization. It can minimize the email traffic on the Hub Transport server, which is more critical, as edge synchronization will control recipient filtering easily.

Yes, I have NATed the SMTP/POP users to the Hub Transport for a few of the customers and it is working fine.

Author Comment

ID: 37773565
I'm not happy with the solution but until I can discover a better one...
