Exchange 2010 not able to transport mails to Exchange 2007
In the coexistence between Exchange 2010 with Exchange 2007 I struggle with the following problem:
Exchange 2010 Hub - Transport isn't able to transfer mails to the Exchange 2007 Hub Transport. All mails hang in the pending queue with the error '451 4.4.0 Primary target IP address responded with: " 421 4.4.2 PConnection dropped due to SocketError"'.
At the same time Exchange 2007 is able to transfer mails to Exchange 2010 without any error.
I tried to work around it with a user-defined receive connector on Exchange 2007 that allows anonymous SMTP transfer, but then I get an error 'Cannot achieve Exchange Server authentication' in the connection log of the Exchange 2010.
Any ideas to solve this problem are welcome.
Thanks,
Peter
All Replies
- Hi Peter,
The mentioning of a socket issue is curious. Do your 2007 or 2010 hub transport servers have any TCP Offloading, Receive Side Scaling, etc. enabled on their NICs?
-brian
Brian Day, Overall Exchange & AD Geek
MCSA 2000/2003, CCNA
MCTS: Microsoft Exchange Server 2010 Configuration
LMNOP
- Hi Brian,
the 2007 hub transport is Windows Server 2003 and the NIC has none of the named options enabled,
the 2010 hub transport is Windows Server 2008 R2 (as Hyper-V R2 VM): Autotuninglevel feature on the TCP protocol was disabled earlier during troubleshooting.
Now I additionally disabled all TCP Offloading options on the VM-Bus-NIC (synthetic NIC) and the Chimney feature on the TCP protocol: but the problem is still the same.
What I see in the SmtpReceive log of the 2007 hub transport is:
,*,None,Set Session Permissions
,>,"220 SRVEXCH01.abakus.de Microsoft ESMTP MAIL Service ready at Wed, 18 Nov 2009 22:51:06 +0100",
,<,EHLO SRVEXCH05.domain.de,
,>,250-SRVEXCH01.domain.de Hello [ip...],
,>,250-SIZE,
,>,250-PIPELINING,
,>,250-DSN,
,>,250-ENHANCEDSTATUSCODES,
,>,250-STARTTLS,
,>,250-X-ANONYMOUSTLS,
,>,250-AUTH NTLM LOGIN,
,>,250-X-EXPS GSSAPI NTLM,
,>,250-8BITMIME,
,>,250-BINARYMIME,
,>,250-CHUNKING,
,>,250-XEXCH50,
,>,250 XRDST,
,<,X-ANONYMOUSTLS,
,>,220 2.0.0 SMTP server ready,
,*,,Sending certificate
,*,CN=srvexch01.domain.de,Certificate subject
,*,"CN=domain-Internal-Issuing-CA-01, DC=domain, DC=de",Certificate issuer name
,*,1A0FC7D70000000000E7,Certificate serial number
,*,33CF8B24FDB034AF8F4B6B28CB2BBD9A27B30571,Certificate thumbprint
,*,srvexch01.domain.de;*.domain.de,Certificate alternate names
,-,,Local
I wonder why the connection is always interrupted exactly at the same point with a 'local', when 2007 hub transport has sent its certificate.
Peter
- Problem is solved!
Today I realized in the event log of the Exchange 2003 hub transport a warning of source 'Schannel' with ID 36885 and the description
"When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted. "
So I did the following on the Exchange 2003 hub transport
1. Add the Certificates snap-in to the Microsoft Management Console.
a. Click the Start button, click Run, type mmc, and click OK.
b. Click the File menu, and select Add\Remove Snap-in.
c. Click the Add button, then select the Certificates snap-in and click Add
d. Select Computer Account and click Next
e. Click Finish.
f. Click Close.
g. Click OK.
2. Expand Certificates (Local Computer).
3. Expand Trusted Root Certification Authorities.
4. Click on Certificates.
5. Backup and then delete trusted root certificates that you are not using in your environment.
6. Perform a "gpupdate /force" to get back the trusted certificate authorities from our domain.
7. Restart the Exchange Transport service.
Then I forced a retry on the Exchange 2010 hub transport queues: all mails were successfully submitted to Exchange 2003!
Hope this helps everyone getting the same problem.
Peter
- Marked As Answer by Peter Fischer abakus IT AG Friday, November 20, 2009 1:50 PM
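An added example, not part of the original post: a PowerShell sketch of the inventory and backup in step 5, which also estimates how large the trusted-issuer list named in Schannel event 36885 has grown. The backup path and the warning threshold are assumptions to adjust for your environment; the script only reads the store and writes backup files, it deletes nothing.

```powershell
# Added example, not from the thread: back up and inventory the machine's
# Trusted Root store before pruning it, and estimate the issuer-list size.
param(
    [string]$BackupDir = 'C:\RootStoreBackup',  # hypothetical path
    [int]$WarnBytes    = 12288                  # assumed threshold, adjust for your OS
)

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

$now   = Get-Date
$roots = @(Get-ChildItem Cert:\LocalMachine\Root)
$total = 0

foreach ($cert in $roots) {
    # One DER-encoded .cer per certificate so a deleted root can be re-imported.
    $file = Join-Path $BackupDir ($cert.Thumbprint + '.cer')
    [System.IO.File]::WriteAllBytes($file, $cert.RawData)

    # In the TLS CertificateRequest each trusted issuer is sent as its
    # DER-encoded distinguished name preceded by a 2-byte length field.
    $total += $cert.SubjectName.RawData.Length + 2
}

# Review list: largest names first, expired roots flagged as pruning candidates.
$roots |
    Select-Object @{n='DnBytes'; e={$_.SubjectName.RawData.Length}},
                  @{n='Expired'; e={$_.NotAfter -lt $now}},
                  NotAfter, Thumbprint, Subject |
    Sort-Object DnBytes -Descending |
    Format-Table -AutoSize

"{0} root certificates, about {1} bytes of issuer names (upper bound)" -f $roots.Count, $total
if ($total -gt $WarnBytes) {
    Write-Warning "Issuer list estimate exceeds $WarnBytes bytes; the list may be truncated (event 36885)."
}
```

The total is an upper bound because it counts every certificate in the Root store, whether or not Schannel would advertise it for client authentication.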
- Nice work! :) That error message you were originally getting would never have led me in this direction. Good thing the 2003 box popped an error for you. :)
Brian Day, Overall Exchange & AD Geek
MCSA 2000/2003, CCNA
MCTS: Microsoft Exchange Server 2010 Configuration
LMNOP