2010 -> 2013 Mail-Flow not working in coexistence

Hi, I am halfway through migrating a Hybrid deployment from 2010 to 2013. Configuration as below:

Production:

1x 2010 CAS/HT/MBX server

2x 2013 CAS/MBX servers in DAG (EX01 is getting all mail-flow)

It's worth noting that they reversed the sites, the 2010 box is in the same AD site as the 2013 DR server.

DR:

1x 2013 CAS/MBX server in DAG

They also have a 365 tenant with Exchange Online. Currently all inbound mail flows through 365 to on-premises, and all outbound mail flows from on-premises to 365.

I'm about to begin migrating mailboxes over, but with a few test users I've discovered the following issue.

Once a user is migrated to any 2013 box, mail-flow is fine. They can send/receive externally fine. They can send to 2010/2013 mailboxes fine as well. The problem comes when sending from 2010 mailbox to a 2013 mailbox, on the 2010 server the mail just sits in the queue:

Next Hop Domain: DR site

Delivery Type: SMTP Relay to Remote Active Directory Site

Last Error: 451 4.4.0 Primary target IP address responded with: "421 4.3.2 Service not available". Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

So I did some testing: I am unable to telnet from the 2010 box to any of the 2013 boxes on port 25. So I added the 2010 IP into the 'Default Frontend EXxx' receive connector on each of the 2013 boxes; this resolved the "service not available" error, but returned a different error:

451 4.4.0 Primary target IP responded with "451 5.7.3 Cannot achieve Exchange Server authentication" etc., which makes sense because the 'Default Frontend' connectors don't have Exchange Server authentication enabled. But I can't simply enable this, as other authentication methods are enabled, this is how it came from being installed, and I don't want to break mail-flow. My understanding is that 2013 should simply "know" how to route 2010 messages.

April 30th, 2015 7:24pm

Hi DaveR,

Thank you for your question.

For error 451 5.7.3, we could do the following checks:

We could enable Exchange Server authentication on the default receive connector. It didn't break message flow when we enabled Exchange Server authentication.

If the issue persists, we could check whether the 2010 IP which you added to the default receive connector is included in another receive connector on Exchange 2013. If this IP address has been included in another receive connector on Exchange 2013, we could exclude the 2010 IP from the other receive connectors on Exchange 2013, then restart the Microsoft Exchange Transport service to check if the issue persists.

If there are any questions regarding this issue, please be free to let me know. 

Best Regards,

Jim

May 1st, 2015 1:21am

Besides the given suggestion, I would suggest you follow the Exchange Server Deployment Assistant while proceeding to upgrade from Exchange 2010 to 2013. It's available from the Microsoft team and provides step-wise instructions to accomplish this by checking all the required prerequisites: https://technet.microsoft.com/en-us/office/dn756393.aspx

Here is another informative article : http://www.petenetlive.com/KB/Article/0000788.htm

Moreover, when you need to migrate users' mailboxes, you may also consider this automated solution (http://www.exchangemigrationtool.com/) that provides a hassle-free environment to get the job done without any downtime.

May 1st, 2015 3:27am

If you have AV installed, check to make sure that isn't blocking anything. And if it is, disable it and then try.
May 1st, 2015 10:04am

David,

Please check your Receive connectors for Exchange 2013 against the following values:

For Client proxy and Outbound Proxy front end

Authentication

Exchange server authentication
Permissions Groups
Exchange servers

For Default Frontend and Default, the same as the others, and

add Legacy Exchange Servers in Permissions Groups.

Regards Carlos.

May 1st, 2015 11:19am

Thanks for the reply Jim,

Unfortunately if I set 'Exchange Server Authentication' on the default 2013 receive connector I receive the message:

Currently the FQDN is set to : mail.domain.com for HELO or EHLO responses.

The IP of the 2010 server is covered in all other connectors by a 0.0.0.0-255.255.255.255 address range, so I can't remove it easily.

May 3rd, 2015 4:35pm

Thanks for the reply Carlos.

I checked the settings and 'Client Proxy' and 'Outbound Proxy Frontend' both had:

-Exchange Server auth

-Exchange Servers permissions

For 'Default Frontend' and 'Default', both have Legacy Exchange Servers selected.

May 3rd, 2015 4:50pm

Yip, tried disabling that.
May 3rd, 2015 4:54pm

Thanks Sam,

At the bottom of that article, it mentions to remove the 2010 server from the send connector. My send connector routes everything through Office 365 and currently has the source server IP of all three 2013 servers AND the 2010 server. According to this, I should REMOVE the 2010 server from this send connector? I assume that will cause 2010 mail to route through 2013?

May 3rd, 2015 5:01pm


My understanding is that if there is a specific IP on a connector, then that connector will be used over one which covers a range of IPs. If so, then I won't need to exclude the 2010 IP?
May 4th, 2015 4:10pm

Furthermore, when you try to add another receive connector on 25, you get an error about having bindings that conflict with the default frontend connector.
May 4th, 2015 9:41pm

FYI for anyone else with a similar issue...

Create a new connector (called 2010-2013) on the 2013 box. Make it 'FrontendTransport' with the following settings:

Authentication:

-TLS

-Exchange Server Authentication

Permissions:

-Exchange Servers

Scope it to the 2010 IP.

May 4th, 2015 10:11pm
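The two points above, that the connector with the most specific RemoteIPRanges match wins, and that a dedicated FrontendTransport connector scoped to the 2010 IP with TLS + Exchange Server authentication fixes the 451 5.7.3 error, can be checked and applied from the Exchange 2013 Management Shell. The following script is an added example written for this thread, not code posted by any of the participants: it reports which receive connector on a 2013 server would handle SMTP from a given remote IP (by picking the narrowest matching IPv4 range among connectors bound to port 25) and shows the auth and permission settings on it, then creates the scoped connector described in the last post. The server name EX01, the 2010 IP 10.0.0.10, and the use of the LowerBound/UpperBound properties of the IPRange objects in RemoteIPRanges are assumptions; replace the values with your own.

```powershell
# Added example (not from the thread). Run in the Exchange 2013 Management Shell.
# Assumed placeholders: EX01 is the 2013 server receiving legacy mail,
# 10.0.0.10 is the Exchange 2010 CAS/HT server.
$Server   = 'EX01'
$LegacyIP = '10.0.0.10'

# Convert a dotted IPv4 string to an unsigned integer for range comparison.
function ConvertTo-IPv4Int {
    param([string]$Ip)
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)          # network order -> little-endian for ToUInt32
    [BitConverter]::ToUInt32($bytes, 0)
}

# Find the receive connector on $Server that Exchange would select for $RemoteIP:
# among connectors listening on $Port, the one whose RemoteIPRanges entry that
# contains the address spans the fewest addresses (most specific match).
function Get-MatchingReceiveConnector {
    param([string]$Server, [string]$RemoteIP, [int]$Port = 25)
    $target    = ConvertTo-IPv4Int $RemoteIP
    $best      = $null
    $bestWidth = [uint64]::MaxValue
    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        # Skip connectors that are not bound to the port in question.
        if (-not ($rc.Bindings | Where-Object { $_.Port -eq $Port })) { continue }
        foreach ($range in $rc.RemoteIPRanges) {
            # Assumption: IPRange exposes LowerBound/UpperBound as IPAddress objects.
            if ($range.LowerBound.AddressFamily -ne 'InterNetwork') { continue }  # IPv4 only
            $lo = ConvertTo-IPv4Int $range.LowerBound.ToString()
            $hi = ConvertTo-IPv4Int $range.UpperBound.ToString()
            if ($target -lt $lo -or $target -gt $hi) { continue }
            $width = [uint64]$hi - [uint64]$lo
            if ($width -lt $bestWidth) { $best = $rc; $bestWidth = $width }
        }
    }
    return $best
}

# 1. Before the fix: with only the default connectors, the 0.0.0.0-255.255.255.255
#    range on 'Default Frontend EX01' is the only match, and it has no
#    ExchangeServer auth mechanism, which is the 451 5.7.3 symptom.
$before = Get-MatchingReceiveConnector -Server $Server -RemoteIP $LegacyIP
'Before: {0} | Auth: {1} | Permissions: {2}' -f $before.Name, $before.AuthMechanism, $before.PermissionGroups

# 2. Create the dedicated connector from the last post: FrontendTransport,
#    TLS + Exchange Server authentication, Exchange Servers permission group,
#    remote IP range limited to the 2010 server. A single-IP range does not
#    collide with the default connector's full range, so the bindings check passes.
New-ReceiveConnector -Server $Server -Name '2010-2013' `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $LegacyIP `
    -AuthMechanism Tls,ExchangeServer -PermissionGroups ExchangeServers

# 3. After the fix: the single-IP range is narrower than the catch-all range,
#    so the new connector is selected for mail from the 2010 server.
$after = Get-MatchingReceiveConnector -Server $Server -RemoteIP $LegacyIP
'After:  {0} | Auth: {1} | Permissions: {2}' -f $after.Name, $after.AuthMechanism, $after.PermissionGroups
```

Run steps 1 and 3 on their own (without the New-ReceiveConnector line) if you only want to confirm which connector is answering for a given source address; the same function also answers the earlier question about whether the 2010 IP needs to be removed from the other connectors (it does not, as long as one connector carries a narrower matching range).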
