
I'm having a problem replicating public folders between two Exchange 2003 servers.

Server A (our original server) is hosted on Windows Small Business Server 2003.

Server B (our new server) is hosted on Windows Server 2003.

Both systems are fully patched with latest updates and service packs for both Windows and Exchange.

The problem I am having is that the Public Folders won't replicate in either direction. I have configured the replication, and can see the replication messages being transferred between the two servers using the Message Tracking Center. However, I notice that the last line for any replication message reads:

 SMTP: Message Queued for Local Delivery

but the message does not actually get stored, suggesting the problem lies here.

I turned on various logging options, and I get the following error in my Application log (1 for each PF which is replicating):

Event Type: Error
Event Source:   MSExchangeTransport
Event Category: SMTP Protocol 
Event ID:   7010
Date:       06/01/2010
Time:       15:47:13
User:       N/A
Computer:   MAIL
Description:
This is an SMTP protocol log for virtual server ID 1, connection #5. 
The client at "192.168.16.2" sent a "xexch50" command, and the SMTP 
server responded with "504 Need to authenticate first  ". The full 
command sent was "xexch50 2904 2".  This will probably cause the 
connection to fail. 

Note that 192.168.16.2 is Server A, and that this message was received on Server B's event log.

I've also received this error (again, 1 error for each PF being replicated):

Event Type: Information
Event Source:   MSExchangeTransport
Event Category: Categorizer 
Event ID:   9013
Date:       06/01/2010
Time:       16:57:56
User:       N/A
Computer:   MAIL
Description:
A message from 'smtp:CERBERA-IS@girlings.co.uk' could not be delivered 
because the sender does not have permission to send to recipient 
'smtp:MAIL-IS@girlings.co.uk'. This is due to a delivery restriction 
configured on the recipient. (Message-ID: [REMOVED]). A DSN will be generated.

I've had a look at KB843106 and verified that Integrated Windows Authentication is enabled on both SMTP virtual servers, but don't really know where to go from here. Any ideas?

Things I've Verified

  • Both servers are members of the Exchange Domain Servers group.
  • Server A (the SBS server) is a member of: Domain Controllers; Exchange Domain Servers; RAS and IAS servers.
  • Server B (the 2003 server) is a member of: Cert Publishers; Domain Computers; Exchange Domain Servers.

Default SMTP Virtual Server settings

Server A (internet facing machine)

  • Postini's IP address has been added as an IP which can relay.
  • Authentication Methods:
      • Anonymous Access: Ticked
      • Basic authentication: Ticked
      • Integrated Windows Authentication: Ticked
  • Delivery -> Advanced Delivery -> FQDN = servera.domain.local
  • Delivery -> Advanced Delivery -> Smart Host = [blank]
  • Delivery -> Outbound Security -> Anonymous Access is selected.

Server B

As above, except - Delivery -> Advanced Delivery -> FQDN = serverb.domain.local

RB.

1 Answer

That's a bit of a puzzler w/o being able to put my hands on the machines. I'll give it a try anyway.

Have you made modifications to the configuration of the "Default SMTP Virtual Server" on either machine? Anything relating to TLS / SSL, specifically?

Verify that both servers are members of the "Exchange Domain Servers" group.

Edit:

The "SendAs" and "ReceiveAs" permissions granted to "Exchange Domain Servers" are specified at the "msExchOrganizationContainer" object in the "Microsoft Exchange" container of the "Services" container of the Configuration NC of your Active Directory. The permissions inherit down throughout the organization.

(Hmm... your comment re: these permissions disappeared. Nonetheless, I'll leave this edit in.)

Are the server computer objects members of any odd groups? In a stock AD / Exchange 2003 environment they'd be members of "Domain Computers" and "Exchange Domain Servers". I'm getting a sinking feeling that one or the other server might be a member of the "Domain Admins" group.

A workaround that you could use would be to allow unauthenticated public folder replication. It's not a fix, but it'll let the messages flow until you can figure out the root cause. Create a REG_DWORD value named "SkipPublicMDBRestriction" at "HKLM\System\CurrentControlSet\Services\MSExchangeTransport\Parameters" and set it to 1. This will remove the authentication requirement for public folder replication and should open the flood gates. (See http://support.microsoft.com/kb/830181 for background.)

Evan Anderson
  • I've checked that both servers are members of the Exchange Domain Servers group as requested, and can confirm they are. Just looking into any SMTP Virtual Server changes I might have made. – RB. Jan 06 '10 at 16:17
  • I've updated the question with my current SMTP Virtual Server settings - let me know if you need any more info :-) – RB. Jan 06 '10 at 16:26
  • - Server A (the SBS server) is a member of : Domain Controllers; Exchange Domain Servers; RAS and IAS servers. - Server B (the 2003 server) is a member of : Cert Publishers; Domain Computers; Exchange Domain Servers. I've walked the permissions for those groups, and nothing looks out of the ordinary. – RB. Jan 06 '10 at 17:13
  • I've confirmed that the EDS group has the SendAs and ReceiveAs permissions in the node you mentioned. These inherit down to the relevant SMTP server containers. – RB. Jan 06 '10 at 17:19
  • Implementing KB830181 fixes the issue (or, at least, temporarily works around it). Many thanks! Any clues for where to look as to the underlying issue, or is it just a matter of going through KB843106 in detail? – RB. Jan 06 '10 at 18:28
  • I'd crank the Diagnostic Logging as described in KB830181 and see what comes out of it. Going thru KB843106 in detail is probably the next best thing to do. – Evan Anderson Jan 06 '10 at 19:20
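An added example (not part of the question or the answer above) for the follow-up task the thread ends on: checking whether the KB830181 workaround is still switched on, since SkipPublicMDBRestriction=1 leaves public folder replication accepted without authentication, and summarising the 7010 "xexch50" / "504 Need to authenticate first" events by client so the failing peer is obvious. It assumes PowerShell 2.0 or later on the Exchange 2003 server and an elevated session; the registry path and event text are those quoted in the thread.

```powershell
# Audit script (added example, not from the original post). Assumes PowerShell 2.0+
# on the Exchange 2003 server, run with local administrator rights.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Parameters'
$valueName = 'SkipPublicMDBRestriction'

# 1. Is the temporary workaround from KB830181 still in place?
#    A value of 1 means replication messages are accepted without authentication,
#    which should only persist until the root cause (the 504 on xexch50) is fixed.
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($item -and $item.$valueName -eq 1) {
    Write-Warning "$valueName is 1: public folder replication is accepted unauthenticated (workaround still active)."
} else {
    Write-Host "$valueName not set to 1: replication requires authentication (expected end state)."
}

# 2. Summarise the last week of MSExchangeTransport 7010 events by client, command and response.
#    The regex follows the description text quoted in the thread; \s+ tolerates the line wrapping
#    that the event viewer applies to the message body.
$pattern = 'The client at "(?<ip>[^"]+)" sent a "(?<cmd>[^"]+)" command,\s+and the SMTP\s+server responded with "(?<resp>[^"]+)"'

$events = Get-EventLog -LogName Application -Source MSExchangeTransport `
                       -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 7010 }

$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        New-Object PSObject -Property @{
            Client   = $Matches['ip']
            Command  = $Matches['cmd']
            Response = $Matches['resp'].Trim()
            Time     = $e.TimeGenerated
        }
    }
}

if ($rows) {
    # One line per (client, command, response) triple; a "504 Need to authenticate first"
    # reply to xexch50 from the peer server's IP is the signature seen in the question.
    $rows | Group-Object Client, Command, Response |
            Sort-Object Count -Descending |
            Select-Object Count, Name | Format-Table -AutoSize
} else {
    Write-Host 'No 7010 events from MSExchangeTransport in the last 7 days.'
}
```

Once the 7010 events stop appearing after the authentication fix, remove the SkipPublicMDBRestriction value so replication is authenticated again.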