I'm having a problem replicating public folders between two Exchange 2003 servers.
Server A (our original server) is hosted on Windows Small Business Server 2003.
Server B (our new server) is hosted on Windows Server 2003.
Both systems are fully patched with latest updates and service packs for both Windows and Exchange.
The problem I am having is that the Public Folders won't replicate in either direction. I have configured the replication, and can see the replication messages being transferred between the two servers using the Message Tracking Center. However, I notice that the last line for any replication message reads:
SMTP: Message Queued for Local Delivery
but the message does not actually get stored, suggesting the problem lies here.
I turned on various logging options, and I get the following error in my Application log (1 for each PF which is replicating):
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7010
Date: 06/01/2010
Time: 15:47:13
User: N/A
Computer: MAIL
Description:
This is an SMTP protocol log for virtual server ID 1, connection #5.
The client at "192.168.16.2" sent a "xexch50" command, and the SMTP
server responded with "504 Need to authenticate first ". The full
command sent was "xexch50 2904 2". This will probably cause the
connection to fail.
Note that 192.168.16.2 is Server A, and that this message was received on Server B's event log.
I've also received this error (again, 1 error for each PF being replicated):
Event Type: Information
Event Source: MSExchangeTransport
Event Category: Categorizer
Event ID: 9013
Date: 06/01/2010
Time: 16:57:56
User: N/A
Computer: MAIL
Description:
A message from 'smtp:[email protected]' could not be delivered
because the sender does not have permission to send to recipient
'smtp:[email protected]'. This is due to a delivery restriction
configured on the recipient. (Message-ID: [REMOVED]). A DSN will be generated.
I've had a look at KB843106 and verified that Integrated Windows Authentication is enabled on both SMTP virtual servers, but don't really know where to go from here. Any ideas?
Things I've Verified
- Both servers are members of the Exchange Domain Servers group.
- Server A (the SBS server) is a member of: Domain Controllers; Exchange Domain Servers; RAS and IAS servers.
- Server B (the 2003 server) is a member of: Cert Publishers; Domain Computers; Exchange Domain Servers.
Default SMTP Virtual Server settings
Server A (internet facing machine)
- Postini's IP address has been added as an IP which can relay.
- Authentication Methods:
- Anonymous Access : Ticked
- Basic authentication : Ticked
- Integrated Windows Authentication : Ticked
- Delivery -> Advanced Delivery -> FQDN = servera.domain.local
- Delivery -> Advanced Delivery -> Smart Host = [blank]
- Delivery -> Outbound Security -> Anonymous Access is selected.
Server B
As above, except - Delivery -> Advanced Delivery -> FQDN = serverb.domain.local
That's a bit of a puzzler w/o being able to put my hands on the machines. I'll give it a try anyway.
Have you made modifications to the configuration of the "Default SMTP Virtual Server" on either machine? Anything relating to TLS / SSL, specifically?
Verify that both servers are members of the "Exchange Domain Servers" group.
Edit:
The "SendAs" and "ReceiveAs" permissions granted to "Exchange Domain Servers" are specified at the "msExchOrganizationContainer" object in the "Microsoft Exchange" container of the "Services" container of the Configuration NC of your Active Directory. The permissions inherit down throughout the organization.
(Hmm... your comment re: these permissions disappeared. Nonetheless, I'll leave this edit in.)
Are the server computer objects members of any odd groups? In a stock AD / Exchange 2003 environment they'd be members of "Domain Computers" and "Exchange Domain Servers". I'm getting a sinking feeling that one or the other server might be a member of the "Domain Admins" group.
A workaround that you could use would be to allow unauthenticated public folder replication. It's not a fix, but it'll let the messages flow until you can figure out the root cause. Create a REG_DWORD value named "SkipPublicMDBRestriction" at "HKLM\System\CurrentControlSet\Services\MSExchangeTransport\Parameters" and set it to 1. This will remove the authentication requirement for public folder replication and should open the flood gates. (See http://support.microsoft.com/kb/830181 for background.)
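As an added example (not part of the question or the answer above), a PowerShell script that audits the two points the answer raises: the group memberships of both server computer objects against the stock baseline, and whether the SkipPublicMDBRestriction workaround is still set on the server it runs on. The computer names and the baseline group list are assumptions; it queries AD through ADSI so it does not need the ActiveDirectory module.

```powershell
# Added example, not from the original question or answer.
# Assumes a domain-joined host; the computer names are constructed samples.
$servers  = @('SERVERA', 'SERVERB')
$expected = @('Domain Computers', 'Domain Controllers', 'Exchange Domain Servers')
# The primary group is stored in primaryGroupID, not in memberOf, so map
# the well-known RIDs or "Domain Computers" would never show up.
$primaryGroups = @{ 515 = 'Domain Computers'; 516 = 'Domain Controllers' }

function Get-ComputerGroupNames([string]$name) {
    # Computer accounts have a trailing '$' in sAMAccountName
    $filter   = "(&(objectClass=computer)(sAMAccountName=$name`$))"
    $searcher = New-Object DirectoryServices.DirectorySearcher($filter)
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    [void]$searcher.PropertiesToLoad.Add('primaryGroupID')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    $names = @()
    foreach ($dn in $result.Properties['memberof']) {
        # DN looks like CN=Exchange Domain Servers,CN=Users,DC=domain,DC=local
        $names += $dn.Split(',')[0].Substring(3)
    }
    $rid = [int]$result.Properties['primarygroupid'][0]
    if ($primaryGroups.ContainsKey($rid)) { $names += $primaryGroups[$rid] }
    return $names
}

foreach ($server in $servers) {
    $groups = Get-ComputerGroupNames $server
    if ($groups -eq $null) { Write-Warning "$server : computer object not found"; continue }
    Write-Host "$server is a member of: $($groups -join ', ')"
    # Anything outside the baseline (e.g. Domain Admins) is worth a look
    $odd = $groups | Where-Object { $expected -notcontains $_ }
    if ($odd) { Write-Warning "$server : unexpected group(s): $($odd -join ', ')" }
}

# Flag the KB 830181 workaround if it is set here, so the relaxed
# authentication is not left behind once the root cause is fixed.
$regPath = 'HKLM:\System\CurrentControlSet\Services\MSExchangeTransport\Parameters'
$props   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if ($props -and $props.SkipPublicMDBRestriction -eq 1) {
    Write-Warning 'SkipPublicMDBRestriction=1: unauthenticated public folder replication is allowed'
} else {
    Write-Host 'SkipPublicMDBRestriction not set: replication still requires authentication'
}
```

Run it on each Exchange server in turn; the registry check only reports on the local machine, while the group audit covers both computer objects from wherever it runs.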