451 4.4.0 Errors

    Question

  • I think Transport is the right place for this question. I've recently set up an Exchange 2007 server which we will be migrating to from Exchange 2003. The Exchange 2007 is one server, and has the Mailbox, Client Access, and Hub Transport roles installed. Everything seems to be working fine for outbound mail to 95% of all domains. For the other 5% I get 451 4.4.0 Errors, saying either "Primary target IP address responded with 421 4.2.1 Unable to connect," or "DNS query failed." I've tried everything I could find with various Google and Live searches, to no avail. Things I've tried:

    1. Changing DNS servers from internal ones to external. No help.
    2. Manually doing an nslookup and telnet connection to the smtp servers listed in the MX record for the affected domains. This has been successful in all cases.
    3. Setting -IgnoreStartTLS to true on the send connector. This did not help.

    Any other advice on why this might be occurring?
    Regards, Josh Erquiaga
    Thursday, April 30, 2009 3:08 PM

Answers

  • Yes, after reviewing the trace, I also found the info below:

    =========

    Standard query MX ExternalDomain

    Standard query response MX ...

    Standard query AAAA ExternalDomain

    Standard query response, Server failure

    Standard query AAAA ExternalDomain

    Standard query AAAA ExternalDomain

    Standard query response, Server failure

    =========

    After spending more time on the issue, I found that the issue is still caused by IPv6. IPv6 cannot be completely disabled in Windows 2008 even by adding the registry

    Here’s a case similar to yours

    Explanation: The registry entry only disables IPv6; it does not uninstall it completely from the Windows 2008 server, so Exchange will still query for the remote domain’s AAAA record (quad-A, IPv6) for delivery. If the Exchange server asks for the AAAA record of a remote domain that doesn’t have one, the same symptom will occur, and it won’t continue on to seek the remote domain’s A record for delivery

    Current workarounds:

    · Add the target IP to the hosts file (just like you did)

    · Set up a send connector that specifies the correct remote server IP address (A record) for them

    · If a lot of target domains (without AAAA records) encounter the error, I suggest setting up a non-Windows 2008 IIS SMTP server and forwarding all outgoing messages to that smart host for external delivery

    Notes: If the ISP (hosting the remote domain’s MX records) can publish AAAA records for the remote domain’s MX record FQDN, then this issue won’t be seen, as Exchange 2007 then gets a successful response for its queries

    • Proposed as answer by Alan.Gim Monday, May 11, 2009 1:32 AM
    • Marked as answer by Josh Erquiaga Monday, May 11, 2009 1:14 PM
    Friday, May 08, 2009 2:40 AM
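
    The trace pattern in the answer above (AAAA query answered with "Server failure" while the host has a perfectly good A record) can be checked per MX host at the DNS level. The following is an added example, not part of the original thread or any Microsoft tooling: a standard-library Python check that classifies the AAAA and A responses for one MX host name (taken from `nslookup -type=mx`). The function names, the placeholder host `mx.example.test`, and the constructed sample responses are assumptions of this example.

```python
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype, txid=0x2007):
    """Encode a one-question DNS query (class IN, recursion desired)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg):
    """Return (rcode name, answer count) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return RCODE.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)), ancount


def classify(aaaa, a):
    """aaaa / a are (rcode, ancount) tuples, or None when the query timed out."""
    if a is None or a[0] != "NOERROR" or a[1] == 0:
        return "no-usable-A-record"        # different problem: the IPv4 lookup itself fails
    if aaaa is None or aaaa[0] != "NOERROR":
        return "aaaa-error"                # the trace pattern from the thread
    return "dual-stack" if aaaa[1] else "ipv4-only-clean"  # NOERROR + 0 answers = NODATA


def query(server, name, qtype, timeout=3.0):
    """Send one UDP query to `server`; return (rcode, ancount) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data)


def check_mx_host(server, mx_host):
    """Live check: ask `server` for the AAAA and A records of one MX host."""
    return classify(query(server, mx_host, "AAAA"), query(server, mx_host, "A"))


def sample_response(name, qtype, rcode, with_a_answer=False):
    """Constructed response bytes for offline use (not captured traffic)."""
    q = build_query(name, qtype)
    flags = 0x8180 | rcode                  # QR=1, RD=1, RA=1, plus the RCODE
    msg = q[:2] + struct.pack("!HHHHH", flags, 1, int(with_a_answer), 0, 0) + q[12:]
    if with_a_answer:                       # one A RR: pointer to qname, TTL 300, 192.0.2.25
        msg += struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([192, 0, 2, 25]))
    return msg


if __name__ == "__main__":
    host = "mx.example.test"                # placeholder MX host name
    a_ok = parse_header(sample_response(host, "A", 0, with_a_answer=True))
    servfail = parse_header(sample_response(host, "AAAA", 2))
    nodata = parse_header(sample_response(host, "AAAA", 0))
    print("AAAA SERVFAIL + A ok ->", classify(servfail, a_ok))
    print("AAAA NODATA   + A ok ->", classify(nodata, a_ok))
```

    For a live check, call `check_mx_host()` with the IP of the resolver the transport server actually uses and each MX host of an affected domain; a result of `aaaa-error` means that resolver path returns an error or nothing for AAAA even though the A record resolves.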

All replies

  • One additional note. I added the IP and host name of the affected domains to the hosts file, and the mail went through. I'm running Exchange 2007 SP1 on Windows Server 2008, and have disabled IPv6, per a number of Technet articles. Is there something else I am missing that would cause these to not work? Adding domains to the hosts file on the mail server doesn't seem to be the best solution out there.

    Regards, Josh Erquiaga
    Thursday, April 30, 2009 6:03 PM
  • Issue description: Outbound mails to certain domains getting blocked

    Last error: “Primary target IP address responded with 421 4.2.1 Unable to connect”; “DNS query failed”

    1.      How many NICs does the exchange server have?

    2.      You can enable the protocol logging on the send connector, Connectivity Logging on the exchange server and then reproduce the issue, which can give us more error info to isolate the root cause

    Monday, May 04, 2009 2:16 AM
  • The server only has one NIC. I enabled protocol logging, and found that a couple of the other servers that were dropping connections were actively refusing connections. I'm guessing that we must be on some blacklist that I can't find. I'm going to try contacting the admin at one of the problem domains and see if they can shed any light for me on what spam services they may be using.

    One of the other domains dropping connections is online.microsoft.com. Anyone know what blacklists Microsoft uses? Maybe we got on that one somehow.

    I haven't seen another DNS error, but if I do I'll check the protocol logs and see if that helps.

    Regards, Josh Erquiaga
    Monday, May 04, 2009 6:57 PM
  • Yes, please do that. Meanwhile, can you post the error info (with context) from the log file, so we can see if we can find more clues about it?

    Tuesday, May 05, 2009 1:39 AM
  • Here is the error information from the protocol log when attempting to send to online.microsoft.com:

    2009-05-05T18:13:15.031Z,Default,08CB97D581460B5F,0,,207.46.197.32:25,*,,attempting to connect
    2009-05-05T18:13:17.452Z,Default,08CB97D581460B5F,1,,207.46.197.32:25,*,,"Failed to connect. Error Code: 10061, Error Message: No connection could be made because the target machine actively refused it 207.46.197.32:25"
    2009-05-05T18:13:17.452Z,Default,08CB97D581460B5F,0,,207.46.232.182:25,*,,attempting to connect
    2009-05-05T18:13:38.453Z,Default,08CB97D581460B5F,1,,207.46.232.182:25,*,,"Failed to connect. Error Code: 10060, Error Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 207.46.232.182:25"


    I tried to get information on the DNS query error (took the problem domain out of the hosts file and tried sending it) and I got the error again (451 4.4.0 DNS query failed) in the Queue Viewer but didn't see anything in the protocol logs. Is there somewhere else I should be looking for info on that error?
    Regards, Josh Erquiaga
    Tuesday, May 05, 2009 6:16 PM
  • Please describe the Exchange topology. Is there only one Exchange 2007 server, as you said in the first post? And is the Exchange 2007 server the one that faces the Internet?

    Can you send me the network trace on the exchange server?

    a.      Please start Network Monitor on exchange server to capture the network trace

    b.      Send test mail and reproduce the issue

    c.       Stop the network monitor, and save the trace

    d.      Add the affected domain’s info to host file

    e.      Start the network monitor and send the second test mail

    f.        Stop the network monitor, and save the trace

    Notes: Please define the names for all relevant items in the trace package, like machine name, IP address, etc.

    Resources:

    How to capture network traffic with Network Monitor

     

    Wednesday, May 06, 2009 3:38 AM
  • Complete Exchange topology consists of two servers currently, our legacy Exchange 2003 Server which still holds most of our mailboxes, and an Exchange 2007 server with the Mailbox, CAS, and Hub Transport roles. The Exchange 2007 server is Internet facing.

    The network traces are on the way.
    Regards, Josh Erquiaga
    Thursday, May 07, 2009 4:27 PM
  • So, two questions come to mind. The first (and I would guess most obvious) is when will this issue be fixed. I can't imagine that I'm the only one with this issue, and I would bet that there are a lot of other people killing themselves because this isn't working right. That issue aside...

    If I were to set up an Edge Transport server (which means additional hardware for my topology, but maybe is not the end of the world) that was running Server 2003, I wouldn't have this issue anymore, correct? That seems like a better solution than trying to keep the hosts file on our Exchange server constantly updated.
    Regards, Josh Erquiaga
    Friday, May 08, 2009 3:20 AM
  • The issue has been reported, and I’ll post here if there’s any new update

    Yes, Edge on Windows 2003 will work since the issue is about IPv6

    Friday, May 08, 2009 4:38 AM
  • Hi James,

    Is there any news regarding this topic, as I'm struggling with the same?

    Regards,

    Carsten

     

     

    Tuesday, May 26, 2009 7:50 AM
  • Hi All,

    I am having the same problem with my SMTP - I cannot send emails to these domains. I have done some checking and I saw that Josh is having the same problem as mine!
    I would like to know what his status is. Is it solved? If so, how?

    Thanks in advance!
    Thursday, July 09, 2009 7:13 AM
  • Oren,

    No, the issue (as far as I know) has not been resolved, and to be honest I can't for the life of me figure out why not. Microsoft's two flagship products when used together in a 64-bit environment (as required by Microsoft) have a critical failure, and nothing has been done about it. I'm extremely disappointed.

    Hopefully it will be fixed sometime soon, but I wouldn't count on it I suppose.

    --
    Josh


    Regards, Josh Erquiaga
    Thursday, July 09, 2009 4:38 PM
  • Hi All,

    I've opened a ticket at MS and it turned out that this is an already known issue:

    "... This problem has been fixed for Exchange 2010 and now Exchange Team will try to fix it as soon as possible for Exchange 2007.

    They think the build target for this hotfix will be E2K7 SP1 RU10 but they need to change the source code and test these changes in order to have the possibility to have an interim hotfix. After this process we can go for the interim hotfix if you can't wait for RU10 to be released. "


    Regards,

    Carsten

    Friday, July 17, 2009 2:12 PM
  • I have a related question on this issue - we are on the OTHER end of what appears to be this issue.  One of our customers is not able to send mail to our domain, with the exact same behavior as is listed above.

    Does anyone know what it is about the domains that Exchange Servers running on machines with IPV6 enabled that prevent mail delivery?  There has to be some attribute of the DNS entries for the domains it's not able to send mail to given that mail is properly delivered to other domains.

    I'm trying to work with them to get IPV6 disabled on their server to see if that resolves the problem, but if I can make a change in our DNS configuration that will resolve it I'm happy to do so.

    jon
    Tuesday, July 21, 2009 5:35 PM
  • Hi.

    I noticed this has been marked as answered already, but I was having the same issue.
    I had no problems for weeks, then we added another mailscreen/antispam and I tightened security a little, and boom, same issue as described by far too many...

    I can also mention, IPv6 is ENABLED (I had issues both installing without and after, so I let it be..)

    I didn't google much (solved it within 2-3 hours) so missed the hosts file fixes etc.
    But I went with it being DNS errors (since Exchange was complaining, 451 4.4.0 DNS query failed)
    From the server all MX records etc. looked totally screwed. (Outside, no problem)
    Also not using any smarthost.

    All I did to fix it was create a reverse lookup zone and specify the server.
    And no more problems :P

    Edit: read up a little, and my problem was like Jon R's, I had no trouble receiving mail, only sending mail (to any domain whatsoever)

    Maybe this helps someone :P

    /D.
    Tuesday, November 03, 2009 2:10 PM
  • I had this same issue today and it was all addresses to MSN.com and Live.com.  After a lot of troubleshooting I found that our DNS servers were unable to query the MX records for these and only these domains.  Doing an nslookup -type=mx msn.com would totally fail.  So I thought it might be an upstream DNS issue.  Our servers were not configured with DNS forwarders, so I added a couple of public ones I often use to test, which are easy to remember, 4.2.2.1 and 4.2.2.2, and lo and behold I could now resolve MSN.com MX records and mail started flowing.  I hope this helps someone in some way.  Cheers.
    Tuesday, November 17, 2009 10:30 PM
  • The issue has been reported, and I’ll post here if there’s any new update

    Yes, Edge on Windows 2003 will work since the issue is about IPv6



    We are experiencing the exact same issue as described by Josh Erquiaga.

    Has this been resolved, and if so, what is the fix?

    Wednesday, January 20, 2010 2:43 AM
  • Looks like this still has not been fixed even with RU1 for Exchange Server 2007 SP2 - which I find incredible given how long this has been a known issue. Roomail you still have to do one of these to resolve:


    Current workarounds:

    · Add the target IP to the hosts file (just like you did)

    · Set up a send connector that specifies the correct remote server IP address (A record) for them

    · If a lot of target domains (without AAAA records) encounter the error, I suggest setting up a non-Windows 2008 IIS SMTP server and forwarding all outgoing messages to that smart host for external delivery

    Thursday, January 21, 2010 5:27 AM
  • Hi All,

    Microsoft just released the E2K7 SP2 RU3.

    Has anyone tried it?  Does it resolve the problem?

    ===========================

    Update Rollup 3 for Exchange Server 2007 SP2 fixes the issues that are described in the following Microsoft Knowledge Base articles:

    976108  (http://support.microsoft.com/kb/976108/ ) "451 4.4.0 DNS Query Failed" status message in an Exchange Server 2007 Edge Transport server

    ===========================

    Monday, March 22, 2010 2:31 AM
  • Hi All ,

    I had the same issue (451 4.4.0 DNS Query Failed). Please add the 4.2.2.2 IP in the Edge server properties.

    > edge server properties > external DNS lookup > Use these DNS > 4.2.2.2

    Hope this will help out

     

    Thanks

    vino

    • Proposed as answer by CT-Ppros Monday, March 04, 2013 11:34 PM
    Tuesday, April 13, 2010 7:35 AM
  • James,

     

    It's been over a year now with no answer as to whether or not this will be fixed. Has it been addressed in one of the updates? Please advise.

     

    --

    Josh Erquiaga


    Regards, Josh Erquiaga
    Wednesday, August 04, 2010 8:19 PM
  • Hi All,

    I've opened a ticket at MS and it turned out that this is an already known issue:

    "... This problem has been fixed for Exchange 2010 and now Exchange Team will try to fix it as soon as possible for Exchange 2007.

    They think the build target for this hotfix will be E2K7 SP1 RU10 but they need to change the source code and test these changes in order to have the possibility to have an interim hotfix. After this process we can go for the interim hotfix if you can't wait for RU10 to be released. "


    Regards,

    Carsten

    I'm not sure this is fixed on Ex 2010. I am running Ex 2010 and get similar issues, and this is a clean new install, no upgrades from anything else.  This happens when we send to a domain that used to be on our same network and then was moved. NSLOOKUP works fine, but Exchange always gets a DNS query failure. Tried setting the send connector to use MX records, but same failure.
    Monday, September 20, 2010 11:39 AM
  • Does anyone know if this bug has been fixed yet?

     

    We're experiencing this issue.

     

    Our Hub Transport servers are performing one DNS lookup for an AAAA record, failing, and not performing an A lookup for some domains.

     

    We don't believe that adding the mx server in to the host file is a viable option.

     

     

    Wednesday, October 06, 2010 11:42 PM
  • Adding servers to the hosts file isn't a fix for this.  It's a workaround.  I do appreciate the workaround to get people out of a bind, but something that has gone on this long should have been fully addressed by now.

    I am currently on exchange 2003, and am not experiencing this issue with outgoing mail.  However, anyone in my office that doesn't get an email calls on me first, and many times it is because of this issue.  We hired a company to review our server/domain records, and nothing out of the ordinary there.  They ended up pointing me to this thread as the only available solution.  We use a barracuda spam/virus firewall... does anyone know if that might be a common factor in these 5% of domains that don't respond to the dns queries?

    We are budgeted to upgrade our exchange this year, but I won't be doing it until issue is resolved.

    Tuesday, November 23, 2010 3:04 PM
  • We were finally able to find a resolution to this problem thanks to Pileum Corporation (http://www.pileum.com).  One of their technicians suggested that we change our DNS provider.  We did this and immediately were able to get emails from companies that were never able to send us email before.
    Monday, April 11, 2011 4:54 PM
  • I have been having this issue with several different SBS boxes, different clients, different ISPs. Is a fix still in the works for this problem, or is all research now devoted to Ex 2010?
    Wednesday, May 25, 2011 6:48 PM
  • Adding servers to the hosts file isn't a fix for this.  It's a workaround.  I do appreciate the workaround to get people out of a bind, but something that has gone on this long should have been fully addressed by now.

    I am currently on exchange 2003, and am not experiencing this issue with outgoing mail.  However, anyone in my office that doesn't get an email calls on me first, and many times it is because of this issue.  We hired a company to review our server/domain records, and nothing out of the ordinary there.  They ended up pointing me to this thread as the only available solution.  We use a barracuda spam/virus firewall... does anyone know if that might be a common factor in these 5% of domains that don't respond to the dns queries?

    We are budgeted to upgrade our exchange this year, but I won't be doing it until issue is resolved.

    Yes! S.Carpenter, the two companies my client is trying to email that the mail will not pass through (out of the thousands that do work), they are using Barracuda antispam protection through a host company here.  I have checked with the Barracuda online (http://www.barracudacentral.org/lookups) and my clients mail server passed.  I am contacting Barracuda now to see if they know what's up.
    Tuesday, December 20, 2011 12:12 AM
  • Interestingly, we've just performed data centre maintenance that required a complete shutdown, which included the 2010 Edge Transport - which otherwise largely gets left alone (about every two months it will be patched up).

    Mail delivery hadn't been a problem until this restart, yet we too are now encountering the issue where the Exchange Edge will only query for the AAAA record (and not the A).

    It's really disappointing that there's no resolution for the actual fault (as opposed to the work around). The only thing more disappointing/frustrating is that it's come out of the blue after almost two years of operation.

    This really ought to be addressed at the product level, not the expectation that affected parties put in dinky workarounds that others that come after may not be aware of (the old "who reads documentation" clause).

    Cheers,
    Lain

    Sunday, January 22, 2012 9:56 AM
  • Well, I don't know what to say. I restarted the Microsoft Exchange Transport service just on a whim, as I'd had problems with the service over a year ago with repeated issues around the Forefront Protection for Exchange 2010 side of things, and lo and behold, now the silly thing is querying for A records again.

    Network trace behaviour when it's not working:

    • Query for an MX record for the host specified as part of the Active Directory subscription.
    • Query for the AAAA record for the host specified as part of the Active Directory subscription.

    Network trace behaviour when it is working:

    • Query for an MX record for the host specified as part of the Active Directory subscription.
    • Query for the AAAA record for the host specified as part of the Active Directory subscription.
    • Query for the A record for the host specified as part of the Active Directory subscription.

    It destroys my faith that this is a reliable solution (Exchange + Forefront) when repeated restarts of the Transport Service can yield different results.

    Cheers,
    Lain

    Sunday, January 22, 2012 10:18 AM
  • Hi All ,

    I had the same issue (451 4.4.0 DNS Query Failed). Please add the 4.2.2.2 IP in the Edge server properties.

    > edge server properties > external DNS lookup > Use these DNS > 4.2.2.2

    Hope this will help out

    Thanks

    vino

    Exchange 2007 on 2003 Server here.  Experiencing constant issues with comcast.net addresses.  Already had "Use External DNS" checked in the Send Connector. Following the advice of the above post, I went to Server Configuration - Hub Transport - Select Server, Right Click, Properties, External DNS Lookups. Change radio button to "Use these DNS servers" and specify 4.2.2.2. Went into Queue, told it to Retry and immediately emptied.

    -Eric

    Monday, March 04, 2013 11:37 PM