Thursday, February 11, 2010

Exchange Edge Server and DNS

Here's a lesson in items that should (and did) work together, but got hot fixed (pronounced hot-broken) inexplicably. Exchange EdgeSync service (which runs on your Edge server and connects to your CAS server for LDAPs information) relies on ports 50389 (internal to the box - it connects to itself) and 50636 (external, from EDGE to CAS). In a recent hotfix (KB951746) by micrsoft, DNS was also changed to reserve 2,500 random UDP ports on startup. It just so happens that the range of ports includes those of LDAP and LDAPs... you can see where this is going.

The symptoms of this problem are that

A) Your EdgeSync service will not start up, because your Exchange ADAM service will not start up.

B) You get an error in the application event log stating something to the effect of "An attempt was made to access a socket in a way forbidden by its access permissions" from the Service Control Manager service (EventID 7023).

C) No incoming email.

The fixes for this on Server 2003/2008 are as follows:

1) Open Regedit on your EDGE server and drill down to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

2) Create a new MultiString Value named "ReservedPorts"

3) In the Value box, enter 50389-50389 on one line, and 50636-50636 on another line. You could also just add 50389-50636 if you are lazy (like me).

4) Restart the server.

Voila, problem fixed.

There is an alternative on 2008 servers as well... you can simply change the "DNS Server" Service to a "Delayed Start (Automatic)" status. EDGESync ADAM should grab its ports before the DNS server does, and all proceeds merrily. There's yet another fix you can do for 2008 R2, but I won't even bother as Microsoft does not even support Exchange 2007 on 2008 R2 as of this writing... so why would you do it? :P

No comments:

Post a Comment