I just got off the phone after 4 hours with our very own Microsoft Tech support. My Exchange 2007 server stopped moving mail in or out and it appeared to be a hosed Edge Subscription. Turns out it was simpler yet far more complicated than that.
A few days ago I reworked IP addresses on many of the machines on the network including my Exchange Edge Server and my Exchange "everything else" server. However, mail was flowing after I made the tweaks and I didn’t think anything about it until two days later when a friend called me and asked if I had received an email they had sent. I checked and sure enough, I had not received anything in just over 24 hours. So I poked around and discovered that the Edge and Transport server roles weren’t talking to each other. I did a few troubleshooting steps and got pressed for time so I let it go. Yesterday I had training so it didn’t get fixed yesterday. This morning I received an Urgent Alert from my Systems Management Server (which in my case is my wife……if there is ever a hiccup with Internet access or mail flow she lets me know immediately) which meant it needed to be fixed today.
So… After getting my truck towed and dropped at the shop (I will post more about that wonnermous experience later) I decided to come back home and work the server.
It appeared to be an issue with the Edge connector. The Edge server was reporting that it could not resolve the IP of the Transport server so I thought it would be a simple enough fix. It never is. Turns out that when I changed IP addresses, I neglected to update my HOSTS file. I don’t really even need the HOSTS file info, so I just removed the offending entry and bounced the server for the heck of it.
That didn’t fix it.
So I decided to just whack the Edge subscription and create a new one. That is when it started to go south and fast. I received a message that the account being used did not have appropriate permission to import the subscription on my Transport server. Seeing as how it is the same account I used to install and configure Exchange and it is the same account I have used for over a year when doing any kind of maintenance on the server, I was a little concerned. I spent about an hour checking group memberships, permissions on objects, blah, blah, blah. I finally gave in and decided to call MS tech support.
The first gentleman thought it was a DNS issue and he appeared to be on target until we realized that not only could I not create a new subscription, but I could not see my mailbox databases in the GUI or the command shell. Weird thing is that the get-mailbox command showed my mailboxes but get-mailboxdatabase returned nothing. Not even an error. So now it came back to being a permissions issue. We ultimately looped in two additional techs with different specialties. I gave them control of my server through our Easy Access system and let them do most of the driving.
We confirmed IP addressing, DNS settings, made sure replication was working between my two DC’s, ran netdiag and dcdiag. I got a little nervous when I saw one of them typing ADSIEDIT in the Run window, but everything checked out and no changes were made. I did have a couple of name resolution things we resolved but nothing got the mail flowing and we could not recreate the Edge subscription. One of the gentlemen decided it was a flat out permissions issue and made a few tweaks to some items that changed a few of the error messages we received but nothing allowed us to create the subscription. On a whim I noted that I was not married to that account and if we could create a new admin account and test with that then maybe we could narrow it down.
The new admin account allowed us to see the objects that were missing in the GUI and also allowed me to create the new subscription. As soon as the sub was created, mail started to flow. So it turned out to be a bad administrator account.
I don’t know how or why it became corrupted but I do know that except for AV and Defender signature updates, the only other change I made was to the IP addresses and related DNS updates. It was a fluke that my administrator account got whacked about the same time.
It is now 6pm, the big DPE party starts at 8 and I have a Guitar Hero contest to go win.