SendAs for "Exchange Domain Servers" and "Exchange Enterprise Servers" denied

Hi all,

    I'm having problems with SMTP with all my Exchange servers (4) under the 
same organization. The Event IDs are 7010 and 7004.

I looked them up and they are caused by the impossibility to authenticate 
between servers.

I focused on article 843106 
http://support.microsoft.com/default.aspx?scid=kb;en-us;843106&sd=ee
where this paragraph caught my attention:

If Integrated Windows Authentication is enabled, but the events persist, the
sending server in the 7004 event or in the 7010 event may lack or be denied
the SendAs right on the receiving server. If the sending server and the
receiving server are experiencing these events, the servers may lack the
SendAs rights on each other. The SendAs right is not set explicitly. The
SendAs right is typically inherited through membership in the Exchange
Domain Servers (EDS) group. If the EDS does not have this DENY access
control entry (ACE) , the affected server may be nested in another group
that has the DENY ACE, or the EDS may be nested in some other groups that
have the DENY ACE. To succeed, the XEXCH50 command has to have the SendAs
right for servers in the Exchange organization.



The thing is that in all my servers, the "Exchange Domain Servers" and 
"Exchange Enterprise Servers" have the SendAs denied. I can't change this 
because it is an inherited permission, but I don't know where it was 
inherited from.


Can anyone give me a hand on this? I've never modified these permissions and 
they are denied anyway, how could they be changed? How can I change this 
permission to its correct setting?

I'm looking at these permissions at server level.

Thanks in advance.

Julián





11/7/2005 5:08:11 PM

Exchange 2003 DOES place a Deny for the Exchange Domain Servers group at the 
Servers level.  It's there by default and should not impede any delivery of 
mail between servers.

Also, looking at the server level isn't where the problem is.  Try using 
ADSIEdit and look at the SMTP Virtual Server level.

Configuration\Services\Microsoft Exchange\Org name\Administrative 
Groups\Servers\Server name\Protocols\SMTP\1 - go to the properties of this 
object, then go to the security tab.  You should see that Exchange Domain 
Servers has an inherited ALLOW for Send As at this level.  If it's not 
there, then I'd double-check and make sure that Inheritance is turned on.

You might also consider re-running Exchange domainprep - it should re-apply 
the permissions, if I'm not mistaken.

-- 
Ben Winzenz
Exchange MVP
MessageOne

Ben
11/7/2005 6:40:09 PM
Thank you Ben for your answer.



I checked with ADSIEdit and found the same permissions as in the servers. 
SendAs has the Allow as well as the Deny check on both, "Exchange Domain 
Servers" and "Exchange Enterprise Servers". Is that correct?



I will do some more tests and research and then re-apply the domain prep.



Thanks,

Julián

11/7/2005 7:22:57 PM
Well, here are my default permissions.

Servers level:
Exchange Domain Servers has inherited ALLOW for Send As and Receive As, but 
has an Explicit DENY set at that level for Receive As.
I do not have Exchange Enterprise Servers listed in my ACL list, though it 
may be present if you have multiple domains - not sure.

This Deny then propagates to all child objects for Receive As ONLY.

I'd suggest finding where the explicit DENY for Send As has been set, and 
remove that.  The default should be deny for Receive As only.  I'd presume 
this is where the problem is.

-- 
Ben Winzenz
Exchange MVP
MessageOne

Ben
11/8/2005 2:41:20 PM
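
One way to carry out the search suggested in the last reply, finding where an explicit DENY for Send As has been set, is to walk from the SMTP virtual server object up through its parents and list only the non-inherited DENY ACEs. This is an added example, not code from the thread; the function name and the DN placeholders (organization, administrative group, server, domain) are assumptions to be replaced with your own values.

```powershell
# Added example (not from the thread). Reports explicit DENY ACEs that cover
# Send As on an object and on each parent up to the Configuration container.
$SendAs = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right

function Get-ExplicitSendAsDeny {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$StartDn)

    $entry = [ADSI]"LDAP://$StartDn"
    while ($entry -and $entry.psbase.Path) {
        $dn = [string]$entry.distinguishedName
        # includeExplicit = $true, includeInherited = $false:
        # only ACEs set directly on this object are returned
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true, $false, [System.Security.Principal.SecurityIdentifier])

        foreach ($ace in $rules) {
            $isExtended = ($ace.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            # An empty ObjectType GUID means "all extended rights", Send As included
            $coversSendAs = ($ace.ObjectType -eq $SendAs) -or
                            ($ace.ObjectType -eq [guid]::Empty)
            if ($ace.AccessControlType -eq 'Deny' -and $isExtended -and $coversSendAs) {
                try {
                    $who = $ace.IdentityReference.Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch {
                    $who = $ace.IdentityReference.Value   # SID that no longer resolves
                }
                New-Object PSObject -Property @{
                    SetOn     = $dn                    # object carrying the explicit ACE
                    Trustee   = $who                   # group or account being denied
                    AppliesTo = $ace.InheritanceType   # None / All / Descendents ...
                }
            }
        }
        if ($dn -like 'CN=Configuration,*') { break }   # top of the path in the reply
        $entry = $entry.psbase.Parent
    }
}

# Placeholder DN: substitute your own server, admin group, org and domain names.
Get-ExplicitSendAsDeny -StartDn ('CN=1,CN=SMTP,CN=Protocols,CN=<Server name>,' +
    'CN=Servers,CN=<Admin group>,CN=Administrative Groups,CN=<Org name>,' +
    'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com')
```

Each row names the container where the DENY was set and the trustee it targets; a trustee other than the two Exchange groups points to the nested-group case described in the KB excerpt.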