need advice

  • Question

  •  
    I have a customer who's doing a migration from 2k3 to 2k7. After installing the 2 Hub/CAS servers in WNLB and then the 2 CCR clusters, everything went perfectly, and mail flow between the 2k3 and 2k7 internally and externally was very good.
    Suddenly he stopped being able to send emails to any external domain from any user mailbox residing on the Exchange 2k7.
    Bear in mind that there is an RGC between the 2k3 and the 2k7 hub, so the main guy is still the Exchange 2k3 server.
    The email going from the 2k3 reaches the queue and gets stuck there, giving the following error message:
    451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

    I also tried to send to hotmail.com, msn.com, yahoo.com; same error.

    I enabled verbose logging on the SMTP send connector on Exchange 2007.
    I got this message in the log file a lot:
    2008-12-25T11:55:57.349Z,Internet Connector 2007,08CB3494C6B14AC2,0,,65.54.244.72:25,*,,attempting to connect
    2008-12-25T11:55:58.349Z,Internet Connector 2007,08CB3494C6B14AC2,1,,65.54.244.72:25,*,,"Failed to connect. Error Code: 10061, Error Message: No connection could be made because the target machine actively refused it 65.54.244.72:25"
     

    Ahmad Ramadan AbaYazeed
    Thursday, December 25, 2008 12:09 PM
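The two log lines quoted in the post are the Exchange 2007 send-connector protocol log (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context). As an added example, not part of the original post, here is a PowerShell snippet that parses such a log and counts connection outcomes per remote endpoint, so you can see at a glance whether every MX host is being refused or only some. The first two sample lines are the ones from the post; the remaining sample lines, the 192.0.2.x and 10.x addresses, and the log file path are constructed for the example. The [pscustomobject] syntax needs PowerShell 3.0 or later; on the PowerShell 1.0 shell Exchange 2007 shipped with, build the objects with New-Object PSObject and Add-Member instead.

```powershell
# Added example: summarise connection outcomes in an Exchange 2007 SMTP send
# protocol log. Field order is the one Exchange writes in its '#Fields:' header.
$Header = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

# Constructed sample log. Lines 4-5 are the two quoted in the post; the rest
# (192.0.2.25, 10.0.0.11, the banner) are made up to show a successful session.
$SampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Send Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2008-12-25T11:55:57.349Z,Internet Connector 2007,08CB3494C6B14AC2,0,,65.54.244.72:25,*,,attempting to connect
2008-12-25T11:55:58.349Z,Internet Connector 2007,08CB3494C6B14AC2,1,,65.54.244.72:25,*,,"Failed to connect. Error Code: 10061, Error Message: No connection could be made because the target machine actively refused it 65.54.244.72:25"
2008-12-25T11:57:10.500Z,Internet Connector 2007,08CB3494C6B14AC4,0,,192.0.2.25:25,*,,attempting to connect
2008-12-25T11:57:10.620Z,Internet Connector 2007,08CB3494C6B14AC4,1,10.0.0.11:2611,192.0.2.25:25,+,,
2008-12-25T11:57:10.700Z,Internet Connector 2007,08CB3494C6B14AC4,2,10.0.0.11:2611,192.0.2.25:25,<,220 mail.example.net ESMTP,
'@

function Get-SendFailureSummary {
    param([string[]]$Lines, [string[]]$Header)
    # Drop the '#' comment lines Exchange writes at the top of every log file,
    # then parse the rest as CSV (quoted fields may contain commas).
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
            ConvertFrom-Csv -Header $Header

    $attempts = $rows | Where-Object { $_.context -eq 'attempting to connect' }
    $failures = $rows | Where-Object { $_.context -like 'Failed to connect.*' }
    $opened   = $rows | Where-Object { $_.event -eq '+' }   # '+' = connection established

    # One summary object per remote endpoint: attempts, successful connects,
    # failures, and the Winsock error code(s) pulled out of the failure text.
    $attempts | Group-Object 'remote-endpoint' | ForEach-Object {
        $ep   = $_.Name
        $fail = @($failures | Where-Object { $_.'remote-endpoint' -eq $ep })
        $codes = $fail | ForEach-Object {
            if ($_.context -match 'Error Code: (\d+)') { $Matches[1] }
        } | Sort-Object -Unique
        [pscustomobject]@{
            RemoteEndpoint = $ep
            Attempts       = $_.Count
            Connected      = @($opened | Where-Object { $_.'remote-endpoint' -eq $ep }).Count
            Failed         = $fail.Count
            ErrorCodes     = ($codes -join ',')
        }
    }
}

$summary = Get-SendFailureSummary -Lines ($SampleLog -split "`r?`n") -Header $Header
$summary | Format-Table -AutoSize

# Against a real file (path is the default ProtocolLog location and an assumption here):
# $summary = Get-SendFailureSummary -Header $Header -Lines (Get-Content 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend\SEND20081225-1.LOG')
```

For the sample, 65.54.244.72:25 shows one attempt, zero connects and one failure with error code 10061, while the constructed 192.0.2.25:25 shows a completed session. Winsock 10061 (WSAECONNREFUSED) means a TCP RST came back rather than silence (a dropped packet shows up as 10060, timed out). A firewall that rejects instead of drops produces the same 10061, so the log alone cannot tell a refusing mail host from a refusing network device; if every MX of every destination shows 10061, that is a strong hint the refusal is happening on the network path from the hub's own IP rather than at the remote servers.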

All replies

  •  

    I already have on the Exchange 2007 an SMTP connector with * address space, and the source servers are my 2 NLB Hub/CAS servers, with a cost of 10.

    And on the Exchange 2003 I have the same connector but with a cost of 1.

    I found out that when I create the Exchange 2007 connector as I said, the mails won't go from any Exchange 2007 mailbox to the internet.

    But when I delete that connector the mail flow goes very smoothly!!

    I am still waiting for any advice about this weird problem.

    Waiting for replies!!!

    Thank you


    Ahmad Ramadan AbaYazeed
    Thursday, December 25, 2008 2:47 PM
  •  Did you check the firewall?

    I have had issues in the past where, after setting up a new 2k7 box, outbound didn't work because it was either not passing through the smart host or the IP was not configured to allow external via port 25.
    BP
    Friday, December 26, 2008 3:10 AM
  • Thank you for your reply.

    As I said, the Exchange 2007 servers depend on the Exchange 2003 server for sending and receiving emails.
    I have a Cisco firewall already allowing the Exchange 2003 to do everything.
    So do you think I have to configure the firewall to allow the Ex2k7 to send mails through SMTP?? While I am depending mainly on the Ex2k3 for sending and receiving mails?????

    Don't you have any other ideas or suggestions???
    Where exactly do I have to look on the FW???

    Thank you.
    Waiting for your replies.
     
    Ahmad Ramadan AbaYazeed
    Saturday, December 27, 2008 7:30 PM
  • I'm not a networking guy but typically you want to have routing go through the Exchange 07 environment leveraging the Hub Transport servers.

    What version of Exchange?  SP1 or RTM?  Hub Transport servers won't support NLB on RTM; can't remember the exact reason why.

    Also, what version of Windows?

    As for the firewall, how many IPs on the hub transport servers?  You have hub/cas roles on these with NLB which means they could have up to three IPs.  The Hub transport server could use any one of those IPs to transmit.

    One thing you could do is open a telnet session on the hub server to an external mail server on port 25.

    I would also be interested to know how the send connector is configured.  Also, what about domains exchange is configured to receive?  

    Have you seen this link? http://technet.microsoft.com/en-us/library/aa998212.aspx

    Here is a good link on how to test mail flow on port 25: http://support.microsoft.com/default.aspx/kb/153119

    Hope this helps, in a bit of a rush this morning.

    BP
    Sunday, December 28, 2008 2:52 PM
  • Thank you bradapony for your quick reply.

    1- I am using Exchange 2007 Enterprise Edition SP1, and I know that WNLB is not supported on the RTM version.

    2- I am using Windows Server 2003 R2 SP2 with the full latest Windows updates.

    3- As I mentioned, I have 2 servers holding the Hub Transport and Client Access roles, so each server has 2 NICs, one for LAN connectivity and the second one for NLB communication, and they are 100% balanced and tested.

    4- I've tried to telnet to the servers on port 25 by server name, for example Telnet Hubcas1 25 / Telnet Hubcas2 25, from both sides and from other servers like the CCR nodes, and they are working very fine. And as you should know, port 25 SMTP is disabled on the NLB virtual name by design, which is my current configuration right now.

    5- Like I told you, I already have 2 Exchange 2003 servers in an active/passive cluster; they have an SMTP connector, address space *, cost 1. And on the Exchange 2007 I have an SMTP Send connector, address space *, cost 10, and it's using the 2 Hub servers as source servers and also it's using the external MX record for routing emails.

    6- The receive connectors are configured to receive from anyone, normally; nothing new with it. I have checked the 2 links before and it's okay.

    The problem is, once I create the Exchange 2007 send connector as I mentioned in the configuration before with cost 10, all the Ex2k7 users can send to the internet but they cannot receive from the internet. Even if I changed the cost and made it lower than the Ex2k3 SMTP connector, same error message that I mentioned in the thread before.

    As far as I know, as long as the Exchange 2003 has clear connectivity to the internet, the Exchange 2007 will depend on the Ex2k3 for sending emails through the RGC that was created during the installation of the 1st Hub Transport server, and this problem should never happen, right?!!! Because till now the Ex2k3 is my main mail system; I didn't redirect the public host A and the MX record to the Ex2k7 yet.

    Waiting for your reply.

    Thanks again.


    Ahmad Ramadan AbaYazeed
    Monday, December 29, 2008 12:30 AM
  •  So, if I am understanding correctly, when a user sends from Exchange 2007 they will send out to the internet.  There is no smart host configured in your 07 send connector that routes mail, but rather it relies on DNS.

    The default Routing Group is configured, which is created when you deploy Exchange 07, so communication between 07 and 03 is working.

    The problem you are having is when you change your MX record and A records to point to the Exchange 2007 servers they don't receive mail?

    Your connector being a route of 1 will tell Exchange to use that as the primary connector since it has a lower cost.

    Is your receive connector configured to allow anonymous connections?  Server Config, Hub Transport, Connector, Properties, Permission Groups.  Everything except partners should be checked unless you're using partners.  If Anonymous access is not checked, remote SMTP servers will not connect.

    If the issue is the send connector, are you using a smart host (routing mail to a specific IP) or are you using DNS for MX records?

    If you go to a command shell, can you do a "Get-RoutingGroupConnector | fl"?   This will give out the configuration of Routing Groups.

    You can also do a "Get-ReceiveConnector | fl" which will show the receive connector config.

    A "Get-SendConnector | fl" will display your send connector config.  If you could post that it may help me determine what is going on.

    The other thing to consider is your firewall though.  What you may want to do is get Wireshark to help analyze packets; it may give you a better view of what is going on and if traffic is properly passing to the HUB server.

    The problem could also be related to DNS since you haven't fully switched over DNS for the new mail routes.

    BP
    Monday, December 29, 2008 1:47 AM
  • Hello,
    the Exchange 2007 users can receive mails from the internet but they cannot send to the internet (sorry, I said it wrong in the last post); once I delete the Exchange 2007 SMTP connector they can send and receive normally.
    The default RGC between the 1st Hub Transport server and the Exchange 2003 is working correctly in two ways; I've confirmed it by running the command shell Get-RoutingGroupConnector and the results are okay.

    I didn't touch my public MX and host A records yet; I want to work in a coexistence situation for a while to test the new systems before depending mainly on the Exchange 2007 server.
    So the Exchange 2007 users will depend on the Exchange 2003 server through the default RGC that was created in the installation of the Hub, got my idea??

    I know that when you change the cost this will tell the messaging routing service protocol to depend on it to route mails outside, but the problem is that once I create the Exchange 2007 SMTP connector, with higher cost or even with lower cost, the Exchange 2k7 users can receive mails but cannot send.

    The receive connector is configured to allow anonymous access on the default (servername) receive connector. Sure, I've done it, and I know I have to do it to be able to receive emails anonymously from anyone outside my organization.

    I am not using any smart host, nor do I have any Edge Transport server, so I am using the public DNS for the MX record, and I am fully switched over DNS for the new mail routes.

    Note: the Exchange 2003 has an SMTP connector, address space *, cost 1, using DNS to route mails, and on the Exchange 2007 I have an SMTP Send connector, address space *, cost 10, and it's using the 2 Hub servers as source servers and also it's using the external MX record for routing emails.
    For the receive connector on hubcas1 I have the default server receive connector with the permissions as you and I mentioned earlier; the IP that it listens on is the server IP, and it's using the DNS configured on the NIC.
    Same goes for hubcas2, but it listens on hubcas2's IP.

    My friend, like I said before, I don't have to do anything right now in the coexistence situation that I am in on the FW, because the FW is allowing the Exchange 2003, and all the Exchange 2007 mail flow will go from the Ex2k7 to the Ex2k3 through the RGC, then to the FW which is allowing the Ex2k3, right?? I am not a networking engineer but this is what the logic says to me, and correct me if I am wrong.

    Thank you for sticking by, my friend.


    Ahmad Ramadan AbaYazeed
    Monday, December 29, 2008 2:36 AM
  • Yes, you can continue to use 03 to route mail.

    I believe the problem you are having is because of the cost for the 03 environment.  The SMTP cost for 03 is 1, while the cost for 07 is 10.

    Set the 07 to a cost of 1.

    Mail for 07 will go out the 07 hub while mail for 03 will go out the 03 send connector. 

    I'm willing to bet this will help.

    The other concern are firewall rules on your corporate firewall.  You could have an internal and perimeter firewall or you could have just one in the environment.  Either way the firewall needs to allow any one of the hub transport servers to send mail unless you create a RGC and specify only one Hub to route mail through. 

    Let me know how that works.


    BP
    Monday, December 29, 2008 3:25 AM
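The two questions in play here, which connector the 2007 routing engine actually prefers and whether the hub's own IP is allowed out on port 25, can both be checked from the Hub server. The following is an added example for the Exchange Management Shell, not code from either poster: it lists every SMTP:* send connector with its cost and source servers (in coexistence, Get-SendConnector also lists the Exchange 2003 SMTP connector with the 2003 bridgehead as its source), then opens a raw TCP/25 connection from the hub to each MX host of a destination domain, outside Exchange, so a refusal points at the network path rather than at connector configuration. hotmail.com is the domain tested in the first post; the timeouts, the QUIT after the banner and the function names are the example's own. nslookup is used rather than Resolve-DnsName because the latter does not exist on Windows Server 2003; the [pscustomobject] syntax needs PowerShell 3.0 or later, so on the PowerShell 1.0 shell Exchange 2007 shipped with, build the objects with New-Object PSObject and Add-Member.

```powershell
# Added example: run in the Exchange Management Shell on a Hub Transport server.

function Get-InternetSendConnectorSummary {
    # Flatten each connector's SMTP:* address space into one row with its cost,
    # so the 2003 and 2007 '*' connectors can be compared side by side.
    Get-SendConnector | ForEach-Object {
        $conn = $_
        $conn.AddressSpaces |
            Where-Object { $_.Type -eq 'SMTP' -and $_.Address -eq '*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Connector     = $conn.Name
                    Cost          = $_.Cost
                    Enabled       = $conn.Enabled
                    DnsRouting    = $conn.DNSRoutingEnabled
                    SmartHosts    = ($conn.SmartHosts -join ',')
                    SourceServers = (($conn.SourceTransportServers | ForEach-Object { $_.Name }) -join ',')
                }
            }
    } | Sort-Object Cost
}

function Test-Smtp25 {
    param([string]$TargetHost, [int]$TimeoutMs = 5000)
    # Plain TCP connect from this box (not through Exchange), read the 220
    # banner if one arrives, and report the Winsock error code otherwise.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, 25, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Target = $TargetHost; Result = 'timeout'; Banner = '' }
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.WriteLine('QUIT'); $writer.Flush()
        return [pscustomobject]@{ Target = $TargetHost; Result = 'connected'; Banner = $banner }
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the SocketException.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.Sockets.SocketException]) { $ex = $ex.InnerException }
        $code = if ($ex) { $ex.ErrorCode } else { 'unknown' }
        # 10061 = refused (an RST came back), 10060 = timed out (packets dropped)
        return [pscustomobject]@{ Target = $TargetHost; Result = "error $code"; Banner = '' }
    } finally {
        $client.Close()
    }
}

Get-InternetSendConnectorSummary | Format-Table -AutoSize

# Resolve the MX hosts the same way DNS routing would, then try each one.
$mx = nslookup -type=MX hotmail.com 2>$null |
      Where-Object { $_ -match 'mail exchanger = (\S+)' } |
      ForEach-Object { $Matches[1] }
$mx | ForEach-Object { Test-Smtp25 -TargetHost $_ } | Format-Table -AutoSize
```

Run it on each hub (HUBCAS1 and HUBCAS2 in this thread), because a hub that is a source server for the 2007 connector will connect from its own LAN IP, not from the NLB address and not through the 2003 bridgehead. If the connector table shows the 2007 connector as the cheapest SMTP:* route from the hub's point of view and Test-Smtp25 returns error 10061 for every MX host, the corporate firewall rule for the 2003 server is the thing to compare against the hubs' IPs.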
  • Hello Bradapony,

    As far as I know, the SMTP * connector is applied at the organization level, so if I made the cost of the Ex2k7 1 and the Ex2k3 10, all the mails coming from 2k7 users and 2k3 users would flow through the Exchange 2007. I am 100% sure about that.
    And my friend, sorry, I guess you owe me a beer now, because I already tried that way and it still didn't work :D

    I have a concern also about the firewall. As I told you, I am not a networking guy, I am the Senior Systems Projects Engineer, but again I don't think I have to make a rule in any firewall to allow any one of the Hubs to go to the internet, because I have the RGC that was initially created between my hubcas1 and the Ex2k3 BH server, and it's two-way,
    so the FW is already allowing the Ex2k3 to go to the internet, and for that the Hub will send the mails to the Ex2k3.

    But let me test it and I will feed you back.
    I guess you will owe me another beer, hopefully :D

    Thanks
    Ahmad Ramadan AbaYazeed
    Tuesday, December 30, 2008 6:27 AM
  • Hi Ahmad,

    You want the cost for each environment to be 1 or equal.

    Do you have a networking engineer you can talk to about firewall policies?  Most organizations block port 25 from all computers to prevent an email worm from going out.

    You may need to allow the IPs of the Hub servers to go external on port 25.


    BP
    Tuesday, December 30, 2008 1:08 PM
  • Hello,

    I want the cost for the Exchange 2003 to be 1 (so it can be the primary system) and the Exchange 2007 cost to be 10.
    With that scenario I will depend 100% on the Exchange 2003 for sending emails (from 2k3 and 2k7 users).

    And to test that the Exchange 2007 can route mails to the internet I just need to make the 2k3 cost higher than the 2k7's.
    This is my strategy.

    I have a meeting with the senior network engineer to discuss this matter with him and to see what we will do to comply with our organization's security policy and procedures,
    and I will feed you back.

    Thank you man
    Ahmad Ramadan AbaYazeed
    Tuesday, December 30, 2008 1:45 PM
  • Any luck with this? 

    The other thought, are all the domain controllers in your AD site where Exchange 2007 is being deployed, are those Global Catalogs all Windows 2003 Servers with Service Pack 1? 
    BP
    Thursday, January 1, 2009 8:40 PM
  • Nope, not yet; I just came back today from the Xmas vacation.
    And yes, all the DCs are 2003 SP2 domain controllers except 1, which is a Win2k8, and all the other branches are using Win2k8 RODC technology.

    And yes, the AD site is the same site that the Ex2k7 is deployed in.
    Ahmad Ramadan AbaYazeed
    Sunday, January 4, 2009 6:22 AM
  • How are the RODCs laid out?  Are they in separate sites?  I have read (can't remember where) that 2007 can have issues with RODCs.

    BP
    Sunday, January 4, 2009 5:24 PM
  •  As I mentioned, I am a Senior Systems Projects Engineer and I am responsible for implementing the new IT projects,
    so the WAN contains nearly 10 branches all over the world, all connected to one root domain; the R/W 2008 DC is in the HQ site
    and each RODC server for each branch is in its own AD site.

    The only problem between the Exchange 2007 and the RODC technology servers is that the RODC will never appear for you in the "System Settings" tab as a Domain Controller or as a Global Catalog,
    and sometimes it will give you an event log entry explaining to you that the RODC is a read-only DC and bla bla bla, which is no problem.

    Thank you
    Kind Regards
    Ahmad Ramadan AbaYazeed
    Monday, January 5, 2009 6:29 AM