Solved

Exchange 2010 - 2 servers - Choose which server sends email?

Posted on 2014-04-23
Last Modified: 2014-04-28
In the middle of moving Exchange 2010 from one server to another. How do I force Exchange to send email through one server as opposed to another?

Having an issue where the emails all seem to be going through the old server. The old server doesn't have a one-to-one NAT, uses our IP pool on the firewall, and sometimes gets a bounce for the reverse DNS not matching. The new server does, so I want to make sure everything goes through that one.
Question by:mvalpreda
20 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40017456
Are both servers Exchange 2010? If so you can modify the Send Connector so it only contains the server you want to allow to send. Make sure you only have one send connector.
 
LVL 2

Author Comment

by:mvalpreda
ID: 40017475
I did that and it was still coming from the old server. Does it take a little while to replicate that info?
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40017487
So, the old server is 2010 right? Not 2003 or something else?
 
LVL 2

Author Comment

by:mvalpreda
ID: 40017496
Forced AD replication, sent again and got this in the headers. Only the new server is in the send connectors.

Received: from NEWSERVER (REVERSEDNS [NATTED EXTERNALIP] (may be forged))
      by EXTERNALSERVER (8.13.8/8.14.3) with ESMTP id s3NDdgbb004529
      for <mark@domain.com>; Wed, 23 Apr 2014 06:39:42 -0700
Received: from OLDSERVER (192.168.100.7) by NEWSERVER (192.168.100.13) with Microsoft SMTP Server (TLS) id 14.3.181.6; Wed, 23 Apr 2014 06:39:36 -0700
Received: from NEWSERVER ([192.168.100.13]) by OLDSERVER ([fe80::81ed:69a5:ba0c:6080%10]) with mapi id 14.03.0181.006; Wed, 23 Apr 2014 06:39:36 -0700
From: Administrator <Administrator@xxxx>
To: "mark@domain"
Subject: 6:39 test
Thread-Topic: 6:39 test
Thread-Index: Ac9e+XdWpRJnyQwXQTyWrTjD3gv5lw==
Date: Wed, 23 Apr 2014 13:39:36 +0000
Message-ID: <AA84A96D10257844B5A4B479D2BD32FE02DC5D@aether>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.100.13]
Content-Type: multipart/alternative;
      boundary="_000_AA84A96D10257844B5A4B479D2BD32FE02DC5Daether_"
MIME-Version: 1.0
Return-Path: Administrator@canlines.com
X-MS-Exchange-Organization-AuthSource: atlas.ads.insynclh.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;513081408;0;info
 
LVL 2

Author Comment

by:mvalpreda
ID: 40017497
Correct, both are 2010.
 
LVL 9

Expert Comment

by:Red-King
ID: 40017518
You can remove the Edge Transport Server role from the old Exchange 2010.
This will allow the server to route internally only (as long as it has the Hub Transport Server role).
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40017568
The Edge transport role cannot be installed with any other role, so the comment from Red-King above is wrong.

When it comes to email transport, Exchange will use all servers in the site that have the hub transport role. That could mean that an email between two users on server 1 actually goes through server 2. Remember the hub transport role doesn't belong to any specific server - any server in the site can use any hub transport role holder.

That behaviour you cannot change.
Therefore the fact that email is going through the old server is fine, nothing to worry about. The only thing to be concerned about is the final hop - which is at the top of the headers, which is how the email leaves your Exchange org.

Simon.
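Simon's point above, that only the topmost Received header decides which IP the receiving MTA checks against reverse DNS, as an added PowerShell example that is not part of the thread. It unfolds a header block modelled on the trace mvalpreda posted (203.0.113.170 and the host names are constructed placeholders for the redacted values), extracts the final hop, and compares the PTR of that IP with the expected name; it assumes PowerShell 3.0 or later.

```powershell
# Added example: pull the final external hop out of message headers and check
# its reverse DNS. Sample headers are constructed from the redacted trace in the
# thread; 203.0.113.170 stands in for the new server's NAT address (x.x.x.170).
$Headers = @'
Received: from NEWSERVER (REVERSEDNS [203.0.113.170] (may be forged))
      by EXTERNALSERVER (8.13.8/8.14.3) with ESMTP id s3NDdgbb004529
      for <mark@domain.com>; Wed, 23 Apr 2014 06:39:42 -0700
Received: from OLDSERVER (192.168.100.7) by NEWSERVER (192.168.100.13)
      with Microsoft SMTP Server (TLS) id 14.3.181.6; Wed, 23 Apr 2014 06:39:36 -0700
Received: from NEWSERVER ([192.168.100.13]) by OLDSERVER ([fe80::81ed:69a5:ba0c:6080%10])
      with mapi id 14.03.0181.006; Wed, 23 Apr 2014 06:39:36 -0700
Subject: 6:39 test
'@

function Get-FinalHop {
    param([string]$RawHeaders)
    # Unfold RFC 5322 continuation lines (a line starting with whitespace).
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    # Each MTA prepends its own Received header, so the first one is the last
    # hop: the only one the external server saw directly and ran a PTR check on.
    $top = @(($unfolded -split "`r?`n") -match '^Received:')[0]
    $hop = [ordered]@{ SendingHost = $null; RecordedPtr = $null; SendingIp = $null; ReceivedBy = $null }
    if ($top -match '^Received:\s+from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f:.]+)\]') {
        $hop.SendingHost = $Matches[1]   # EHLO name the sender announced
        $hop.RecordedPtr = $Matches[2]   # PTR the receiver already looked up, if any
        $hop.SendingIp   = $Matches[3]   # public IP the receiver actually connected from
    }
    if ($top -match '\sby\s+(\S+)') { $hop.ReceivedBy = $Matches[1] }
    [pscustomobject]$hop
}

function Test-ReverseDns {
    param([string]$Ip, [string]$ExpectedName)
    # Live PTR lookup; the bounce the thread describes is Ptr not equal to ExpectedName.
    try   { $ptr = [System.Net.Dns]::GetHostEntry($Ip).HostName }
    catch { $ptr = $null }
    [pscustomobject]@{ Ip = $Ip; Ptr = $ptr; Expected = $ExpectedName; Matches = ($ptr -eq $ExpectedName) }
}

$hop = Get-FinalHop -RawHeaders $Headers
$hop
# Only this IP needs a PTR matching the EHLO name (mail.domain.com in the thread);
# the internal hops through OLDSERVER never reach the receiving MTA.
Test-ReverseDns -Ip $hop.SendingIp -ExpectedName 'mail.domain.com'
```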
 
LVL 2

Author Comment

by:mvalpreda
ID: 40017584
For the most part, the email gets out. The issue is that there is a one-to-one NAT for the new Exchange server that is different from our NAT pool on the firewall. So Exchange needs to leave on x.x.x.170 since there is a reverse for mail.domain.com for x.x.x.170. Right now it is going out through the other server that doesn't have a one-to-one NAT, goes out through the NAT pool, the reverse doesn't match for that IP for mail.domain.com so a few hosts are rejecting.

I'm almost at a point where I can remove the old server, but I just wanted to get the mail flow going out through the new one for now.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40017620
Assuming you have enough public IPs you can create a second NAT statement for the second hub transport server. Then create a second reverse lookup with your provider. Plus modify any SPF records with the second public IP (if you use SPF). Additionally, if you throw an Edge Transport into the mix, or Exchange Online Protection, you could make the final hop one of those for both hub transport servers.
 
LVL 9

Expert Comment

by:Red-King
ID: 40017663
My apologies, Simon is right, I'd forgotten the Edge transport couldn't be installed on the same server.

You could take another approach to this and temporarily configure a valid DNS entry for the server.
Give your old Exchange server a new 1-to-1 NAT and configure a public DNS A record.
Then add another MX record to your DNS domain with a higher preference (i.e. 99) using the newly created A record. You might need to update your SPF and get your ISP to add the reverse DNS entry. You'll probably need to update the EHLO for the old server too.
Sending servers will then primarily use the new server as it has a lower preference and outgoing email through the old server would not be an issue.
Once your migration is completed you could then remove the MX and DNS entries.
 
LVL 2

Author Comment

by:mvalpreda
ID: 40017712
That sounds like a lot of work and a lot of time waiting for DNS propagation for a server that is going to be retired soon.

I surely can't be the only person who has ever wanted all of their email to go out through a particular server.
 
LVL 9

Expert Comment

by:Red-King
ID: 40017786
The great thing about adding a new DNS record is that it is available almost immediately as it won't be cached by other DNS servers. If you wanted to change a DNS entry you'd have to wait for the TTL to expire. You don't really care if the cached MX record needs to expire because you don't care if email is not received into the old server.

The ISP's reverse DNS entry for your server should take effect almost immediately too as they shouldn't have an existing one for the new IP.

The SPF is the only thing you may need to wait for.

While it's a reasonable bit of configuration that needs to be done it would most likely solve your problem.
I'd recommend writing out the individual parts of the configuration that you would implement to help ensure you have it right first time.
Depending on the TTL of the SPF the problem would be resolved in a day or 2.
 
LVL 2

Assisted Solution

by:mvalpreda
mvalpreda earned 0 total points
ID: 40017824
The part that was left out was to restart the Microsoft Exchange Transport service. Took the old server out, restarted the service on both Exchange servers and mail is flowing as I want.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40017853
Removing the old 2010 server from the Source Server tab in the Send Connector is supposed to work, according to Microsoft.

Check Step 6.
http://technet.microsoft.com/en-US/library/1190a8da-3271-4dca-92e3-55c5d4e74626(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1#SendConnectorSourceServerTab

Use the Source Server tab to specify the transport servers that can use this Send connector. Only those Hub Transport servers in the list use this Send connector for outbound messages.

How many Send Connectors do you have?
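The accepted solution (restrict the Send connector's source servers to the new Hub Transport server, the Source Server tab quoted above) together with the step the assisted solution found missing (restart the Transport service), as Exchange Management Shell commands. This is an added example, not commands from the thread; NEWSERVER, OLDSERVER and mail.domain.com are placeholders for the two Exchange 2010 Hub Transport servers and the name the new server's reverse DNS record resolves to, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: pin outbound internet mail to one Exchange 2010 Hub Transport
# server. Run in the Exchange Management Shell; NEWSERVER / OLDSERVER and
# mail.domain.com are placeholders, not values from the thread.
$NewHub   = 'NEWSERVER'
$OldHub   = 'OLDSERVER'
$HeloName = 'mail.domain.com'   # name the PTR of the new server's public IP resolves to

# 1. Inventory every Send connector. The advice in the thread assumes a single
#    internet-facing connector; any extra connector that still lists the old
#    server as a source server lets mail leave through the wrong public IP.
Get-SendConnector |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, Fqdn, SourceTransportServers

# 2. Restrict every Send connector to the new server (EMC: Source Server tab) and
#    make its EHLO name match the reverse DNS of the new server's NAT address.
Get-SendConnector |
    Set-SendConnector -SourceTransportServers $NewHub -Fqdn $HeloName

# 3. The change is written to Active Directory; the Transport service only picks
#    it up after replication and a service restart, which is the step the thread
#    found was missing. Restart transport on both hubs.
foreach ($hub in @($NewHub, $OldHub)) {
    Get-Service -ComputerName $hub -Name MSExchangeTransport | Restart-Service
}

# 4. Verify: every connector must now list only the new server as a source.
$stale = Get-SendConnector |
    Where-Object { @($_.SourceTransportServers | ForEach-Object { "$_" }) -ne $NewHub }
if ($stale) {
    $names = ($stale | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Connectors still sourcing from another server: $names"
} else {
    Write-Output "All Send connectors source from $NewHub."
    Write-Output "Send a test message and confirm the topmost Received header shows the new server's public IP."
}
```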
 
LVL 2

Author Comment

by:mvalpreda
ID: 40017855
Now I have 1. I needed to restart the Transport service.
 
LVL 9

Expert Comment

by:Red-King
ID: 40017856
I'm also surprised the changes to your send connectors didn't work.
How have you got your send connectors configured?

I use a similar approach only my Exchange sends to a mail gateway rather than another Exchange server. I did use the send connectors when migrating Exchange servers some time ago.

I'm not sure if this will help but I currently have 2 send connectors for my Exchange server.
These are configured as so:

*Send Connector 1
**Address Space Tab
>Type: SMTP
>Address: *
>Include All Subdomains: Yes
>Cost: 1
**Network Tab
>Route Mail through the following smart hosts:
>Smart Host: FQDN - myMailGateway.mydomain.local
**Source Server Tab
>Name: myExchangeServer.mydomain.local

*Send Connector 2
**Address Space Tab
>Type: SMTP
>Address: *
>Include All Subdomains: Yes
>Cost: 2
**Network Tab
>Use DNS "MX" records to route mail automatically.
**Source Server Tab
>Name: myExchangeServer.mydomain.local

I hope that makes sense.
Send Connector 1 is chosen over Send Connector 2 as it has a lower 'Cost'. If Connector 1 fails then 2 is used.
Send Connector 1 tells the server to send its mail to the mail gateway (in the case of your Old Exchange only your New Exchange should be listed)
For Send Connector 1, on the Source Server tab, I'm telling the Exchange servers that this connector only applies to my single Exchange Server. If I had a second Exchange server it would not use this Send Connector.

My second connector tells my Exchange Server to route mail to the internet using DNS MX records.
If you have a Send Connector like this, do you have the Old Exchange listed on the 'Source Server' tab?

Rory
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40017859
Awesome. Glad you got it working!
 
LVL 9

Expert Comment

by:Red-King
ID: 40017860
Looks like I took too long writing that.
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40017877
Well let us know if we can be of any further assistance!
 
LVL 2

Author Closing Comment

by:mvalpreda
ID: 40026829
Figured out a bit on my own. Was missing from the contributors.