You may have trouble sending mail to certain domains while using Exchange Server 2007 on Windows Server 2008. The Queue Viewer displays the following status error for the domain in question:

“451 4.4.0 primary target IP address responded with “421.4.4.2 unable to connect.”attempted failover to alternate host, but that did not succeed.Either there are no alternate hosts, or delivery failed to all alternate hosts.”

This problem occurs because routers do not support the TCP autotuning settings in Windows Server 2008.

To disable autotuning, follow these steps:

Run CMD as Administrator

At the command prompt, type the following command, and then press ENTER:

netsh interface tcp set global autotuninglevel=disabled

This command disables the Receive Window Auto-Tuning feature.

Exit the Command Prompt window.

Restart the computer.

To add the Active Directory Schema Admin for the mmc, you need to first register a dll before you can see the Schema Admin tools. Go to start –> run –> type: regsvr32 schmmgmt.dll and click enter. You can now open the mmc, and add Active Directory Schema.

http://kb.eset.com/esetkb/index?page=content&id=SOLN146

In the situation I came across, Outlook 2007 clients were constantly prompting for a password eventhough the users were on the LAN, members of the domain, and logged in to the PC with domain credentials.  While I found several potential causes, the solution ended up being an SSL setting in IIS on the mail server. 

The solution was to allow client certificates on the virtual directory for Exchange Autodiscover.  It turns out the clients were attempting to use the Autodiscover service with Exchange 2007 to detect settings and the website wasn’t accepting their client certificate.  The client certificates are apparently used for encryption between the client and the server.  Disabling the checkbox to enable that type of communication may also have been a solution, but this is a better one because it maintains the security of an encrypted channel.  Here are the instructions:

1. Using IIS6 - Click Here
2. Using IIS7 - Open the IIS manager.  Expand the Sites group and expand down to the Autodiscover virtual directory.  Select this virtual directory then selec “SSL Settings” from the center pane.  In the settings window, select “Accept Client Certificates”.

In addition, the authentication settings on this virtual directory can also cause this to happen if not configured correctly.  Just make sure that Integrated Windows Authentication is checked.

After installing the latest version of Trend Micro Scanmail 8.0 on an SBS 2008 server, the Exchange Transport service kept stopping and reporting the following errors in the Application event log:

Event ID: 16023 Source: MSExchangeTransportMicrosoft Exchange couldn’t start transport agents. The Microsoft Exchange Transport service will be stopped. Exception details: Failed to create type ‘TrendMicro.SMEX.hookE12TransportAgent.hookE12RoutingAgentFactory’ from assembly ‘D:\Program Files\Trend Micro\Smex\hookE12TransportAgent.dll’ due to error ‘Invalid agent assembly path.’ …

Event ID: 1052 Source: MSExchange Extensibility

The creation of an agent factory for the agent ‘ScanMail Routing Agent’ failed with error ‘Failed to create type ‘TrendMicro.SMEX.hookE12TransportAgent.hookE12RoutingAgentFactory’ from assembly ‘D:\Program Files\Trend Micro\Smex\hookE12TransportAgent.dll’ due to error ‘Invalid agent assembly path.’.’. Verify that the corresponding transport agent assembly and dependencies with the correct version are installed.

The issues turned out to be a permission issue on the SMEX program file directory.  Exchange uses the Network Service account for the Transport Service credentials but this account didnt get security permissions to the Trend Micro SMEX program folder after install.  Adding the appropriate read permissions did the trick.

I experienced this issue on an SBS 2008 server with IIS7.  The fix was to enable the “Execute” permission on the CGI and ISAPI modules for the web application, but it was tricky with IIS7.  Heres how to do it. 

1. Open IIS Manager (Start->Run->Inetmgr)
2. Select the SMEX Virtual Directory
3. Select Handler Mappings
4. Find CGI-Exe and ISAPI-dll and select “Edit Feature Permissions” in the action pane.
5. Make sure “Execute” is checked and close.

Prior to this, make sure you complete the following other actions (from the Trend Readme):

      (1) Install ASP and CGI Role Services
          a.Go to the Server Manager.
          b.Select Roles and then right-click on the Web Server (IIS).
          c.Click Add Role Services.
          d.Under Application Development, select ASP and CGI.
          e.Click Next > Install.

      (2) Allow ScanMail CGIs (if ISAPI and CGI restrictions are
          implemented).
          a.Go to the IIS Manager.
          b.Select the server node and then select ISAPI and CGI
            Restrictions.
          c.Verify that both cgiDispatcher and cgiCmdNotify are
            allowed.
          d.Re-open the ScanMail product console.