No outgoing Emails in Exchange 2013 fresh install , sent emails get stuck in Drafts folder in OWA,
Scenario: The problematic environment was a fresh install of exchange 2013, no migration and new mailboxes were created, but when emails were sent they got stuck in the drafts folder, OWA or outlook both failed sending emails. This is a 2012 environment, main DC and a member 2012 server, both being virtual and the server hosting exchange was a clone server.
Diagnosis: After enabling verbose logging on the default receive connector, the following error messages were seen in the SMTP recieve located here: C:\Program Files\MicrosoftExchange Server\V15\TransportRoles\Logs\Hub\ProtocolLogSmtpReceive\
X.X.X.X:2525,X.X.X.X:53103,>,421 4.3.2 Service not available,
Enabled kerberos logging using :http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177
after this checked the eventlogs showed a huge number of Kerberos related errors under System:
A Kerberos error message was received:
on logon session DOMAIN.LOCALExchangeservername$
Client Time:
Server Time: 0:35:49.0000 3/19/2014 Z
Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN
Checked to make sure all services are running and checking SPN are set correctly using the setspn commands:
setspn -L hostname
setspn -r AccountName
more details here: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
Also checked to make sure correct DNS settings were used in the Exchange server under EAC=>Servers=>edit=>DNS lookups.
In my case both internal and external lookups were set to ” all network adapters ipv4″
Solution: Eventually it turned out to be the Security Policy setting wasnt enabled for Access this computer from the network Policy in Group Policy
The default domain policy was applied to the OU where the Exchange 2013 server was, hence updated default domain policy: so open Group Policy Editor and go to
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
Put a tick on Define these policy settings and add the default groups as per : http://technet.microsoft.com/en-us/library/cc740196(v=ws.10).aspx
- Administrators
- Backup Operators
- Users
- Everyone
Please note this is a 2012 server and for some reason there are no power users as per the article.
Did a gpupdate /force on DC and exchange and reboot exchange services and voila all stuck emails were going out one at a time.
At this point in time the kerberos errors are still being generated, I still need to fix this…more soon.
Exchange KB 
This doesnt even make sense.. What would allowing local logons have to do with Hub Transport?
LikeLike
Please read this article another time, nothing to do with hub transport. The issue in this case was caused by the “Access this computer from the network” policy setting. Can you tell me what exactly is your issue.
LikeLike
New 2012 hyperV. 2012 guest DC 2012 guest OS w exchange 2013 installed. Ive created new users- all email stuck in drafts. This is internally, id like toget that working before accepting externally from our defender server. Test-mailflow all i get is *failure*
Any help is appreciated.
LikeLike
Rob, I assume that this is a clean install of exchange, no migration etc? The default receive connectors were all setup when you installed ex 2013? is it getting stuck in draft when using OWA only or Outlook client as well? you are running test-mailflow from the local server? Is the guest vm installed from scratch or from template/ clone from the DC, if you have checked the policies applied to the OU in which the exchange servers is and made any changes as per this article and rebooted the server ?
LikeLike
That is correct, this was not a migration (We migrated the DC/DNS/DHCP from 2003 to 2012).
Yes the default receive connectors were all set up after installation and I created a Internet Mail connector.
This particular scenario the email is getting stuck in the drafts folder in OWA – Another weird issue is that outlook wont connect with the mailbox’s I just created, Initially(Outlook cannot find a unencrypted connection) – Then i get through first time config but no mailbox loads in outlook (Separate issue I will tackle after I get the mail flowing)
yes test-mailflow was run from the exchange server MSEXCH shell.
All guest VM’s were built from scratch.
I will check the policies over again, but im pretty sure I did check.. Im pretty desperate at this point and have been trying EVERYTHING..
::beating my head against the wall::
LikeLike
Thank you!!! This solution fixed my issue!!
LikeLike
Worked for me as well. Googled for days and found many possibilities that had worked for others, not never in my case. But the policy was the issue.. Had to create a new GPO to ensure that doesn’t change back. It was working for a while in the beginning, but then the policy must have changed at some point for some unknown reason. Don’t have any policies that normally handle that particular setting.. Well, that I know of I suppose.. Didn’t used to be anyway. –Thanks!!
LikeLike
I found my receive connector had been removed during a MS Patch. Remember, a server needs to be able to receive mail properly to be able to use the send connector. Here is a link to the article I used to rebuild all 5 receive connectors. After a rebuild and reboot, issue was solved.
https://www.petenetlive.com/KB/Article/0001314
LikeLike