Friday, April 9, 2010

Introduction to Exchange Server 2003 - NDR (Non-Delivery Report)

Introduction to Exchange Server 2003 - NDR (Non-Delivery Report)
Let us suppose that Outlook sends an email to an Exchange server, but that server realizes that it cannot deliver the message, what happens next? The answer is the server sends a NDR (Non-Delivery Report) back to the sender.

At first, it comes as a surprise when you realize there is more than one type of NDR. Then you discover that NDRs have status codes. Moreover, each status code gives you valuable information about the cause of the email problem.

Topics for Exchange Server 2003 NDR (Non-Delivery report)
Interpreting the Exchange 2003 NDR
Exchange 2007 NDRs
NDR Example
Tips for troubleshooting NDRs
NDR List of Codes and their meanings
Master Settings to Enable or Disable NDRs
See Chris Lehr's thoughts on aqadmcli.exe
NDR - Summary


Interpreting the Windows Exchange 2003 NDR
As you examine a NDR message, look out for a three-digit code, for example, 5.2.1. If the first number begins with 5.y.z, then it means you are dealing with a permanent error; this message will never be delivered. Occasionally, you get NDRs beginning with 4.y.z, in which case there is hope that email will eventually get through. The place to look for the NDR status code is on the very last line of the report.

NDR codes like 5.5.0 or 4.3.1 may remind you of SMTP errors 550 and 431. Indeed, the 500 series in SMTP has a similar meaning to the 5.y.z codes in an NDR - failure. I expect that you have worked out why there are no 2.y.z NDRs? The reason is that the 2.y.z series mean success, whereas Non-Delivery Reports, by definition, are failures.

NDR Classification
As you are beginning to appreciate, these status codes are not random. The first number 4.y.z, or 5.y.z refers to the class of code, for example, 5.y.z is permanent error. Incidentally, I have not seen any status codes beginning with 1.y.z, 3.y.z, or indeed any numbers greater than 5.7.z.

The second number x.1.z means subject. This second digit, 1 in the previous example, gives generic information where as the third digit (z) gives detail. Unfortunately, I have not cracked the complete code for the second digit. However, I have discovered a few useful patterns, for instance, 5.1.x indicates a problem with the email address, as apposed to server or connector problem. In addition, 5.2.x means that the email is too big, somewhere there is a message limit.

Conclusion, it is best to look up your three-digit error in the status code, see NDR table below.

Guy Recommends: A Free Trial of the Orion Network Performance Monitor (NPM) 9.5
Solarwinds' Orion performance monitor will help you discover what's happening on your network. Also this utility will guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload. Because it produces network-centric views, the NPM is intuitive to navigate, and as result you can see easily what's working and what's not.

Perhaps Orion's best feature is the way it suggests solutions. Moreover, if problems arise out of the blue, then you can configure Orion NPM 9.5 to notify members of your team what's changed and how to fix it.

If you are interested in creating network maps, then I recommend that you take advantage of Solarwinds' offer of a download a free trial of Orion's Network Performance Monitor.

NDR Example
Here is an example of an email sent to user who does not exist. There is no guyx mailbox on the paris server. At the bottom of the NDR, you can see the name of the domain (exchguy.com), the server (paris) and the NDR status code (5.1.1). In your examples always seek out the servername in the last line of your NDR.


Your message did not reach some or all of the intended recipients.

Subject: Cisco Kid
Sent: 12/15/2004 11:09 PM

The following recipient(s) could not be reached:

guyx@cp.com on 12/15/2004 11:09 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.





Tips for troubleshooting Exchange NDRs
The key to any troubleshooting is to isolate the problem. In the case of an NDR, discover if the fault lies with the sender, the recipient or the Exchange 2003 server. To gather more clues, send more emails to the same recipient but from different accounts. In addition, send emails to different accounts from the original sender.

Expand the search area by sending email to different sites, or to internet users. Does this tactic narrow the problem to a particular Server, Mailstore or Routing Group Connector?

If it's just one email address that produces the Non-Delivery report, do you type in the SMTP address manually, or do you click the user account in the GAL?

One ISP will only troubleshoot NDRs if you use Outlook Express, which alerted me to the fact that you get different responses from different email clients. So try a different version of Outlook.

I always mean to do this first when I troubleshoot - look in the Application log for errors. A variation of this tip is to increase the Diagnostic Logging see here.

You could also gather more clues with Regtrace, which you find on the Exchange 2003 CD in the support\utils\i386 folder. Regtrace gives you detailed information e.g. homeMDB =
CN=Mailbox Store (GuyMail-Managers),CN=First Storage Group,CN=InformationStore,CN=GuyMail-Managers,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=GuyMail,DC=com

Kiwi Syslog Server - Free Utility to Analyze Your Network Messages
Syslog messages are full of information for troubleshooting network problems. When something goes wrong then surely there will be an error message in the syslog datagram - if only we can find that record and interpret the event. What will help to capture and analyze such network messages is the Kiwi Syslog Server.

Free Download of Kiwi Syslog Server

NDR List of Codes and their meanings
NDR
Code
Explanation of Non-Delivery Report error codes for Exchange Server
(See here for Exchange 2007 NDR codes)
4.2.2 The recipient has exceeded their mailbox limit. It could also be that the delivery directory on the Virtual server has exceeded its limit. (Default 22 MB)
4.3.1 Not enough disk space on the delivery server. Microsoft say this NDR maybe reported as out-of-memory error.
4.3.2 Classic temporary problem, the Administrator has frozen the queue.
4.4.1 Intermittent network connection. The server has not yet responded. Classic temporary problem. If it persists, you will also a 5.4.x status code error.
4.4.2 The server started to deliver the message but then the connection was broken.
4.4.6 Too many hops. Most likely, the message is looping.
4.4.7 Problem with a timeout. Check receiving server connectors.
4.4.9 A DNS problem. Check your smart host setting on the SMTP connector. For example, check correct SMTP format. Also, use square brackets in the IP address [197.89.1.4] You can get this same NDR error if you have been deleting routing groups.
4.6.5 Multi-language situation. Your server does not have the correct language code page installed.
5.0.0 SMTP 500 reply code means an unrecognised command. You get this NDR when you make a typing mistake when you manually try to send email via telnet.
More likely, a routing group error, no routing connector, or no suitable address space in the connector. (Try adding * in the address space)
This status code is a general error message in Exchange 2000. In fact Microsoft introduced a service pack to make sure now get a more specific code.
Guy Recommends: SolarWinds Engineer's Toolset v10
The Engineer's Toolset v10 provides a comprehensive console of utilities for troubleshooting computer problems. Guy says it helps me monitor what's occurring on the network, and the tools teach me more about how the system itself operates.

There are so many good gadgets, it's like having free rein of a sweetshop. Thankfully the utilities are displayed logically: monitoring, discovery, diagnostic, and Cisco tools. Download your copy of the Engineer's Toolset v 10

5.1.x Problem with email address.
5.1.0 Often seen with contacts. Check the recipient address.
5.1.1 Another problem with the recipient address. Possibly the user was moved to another server in Active Directory. Maybe an Outlook client replied to a message while offline.
5.1.2 SMTP; 550 Host unknown. An error is triggered when the host name can’t be found. For example, when trying to send an email to bob@ nonexistantdomain.com.
[Example kindly sent in by Paul T.]
5.1.3 Another problem with contacts. Address field maybe empty. Check the address information.
5.1.4 Two objects have the same address, which confuses the categorizer.
5.1.5 Destination mailbox address invalid.
5.1.6 Problem with homeMDB or msExchHomeServerName - check how many users are affected. Sometimes running RUS (Recipient Update Service) cures this problem. Mailbox may have moved.
5.1.7 Problem with senders mail attribute, check properties sheet in ADUC.
5.2.x NDR caused by a problem with the large size of the email.
5.2.1 The message is too large. Else it could be a permissions problem. Check the recipient's mailbox.
5.2.2 Sadly, the recipient has exceeded their mailbox limit.
5.2.3 Recipient cannot receive messages this big. Server or connector limit exceeded.
5.2.4 Most likely, a distribution list or group is trying to send an email. Check where the expansion server is situated.
5.3.0 Problem with MTA, maybe someone has been editing the registry to disable the MTA / Store driver.
5.3.1 Mail system full. Possibly a Standard edition of Exchange reached the 16 GB limit.
5.3.2 System not accepting network messages. Look outside Exchange for a connectivity problem.
5.3.3 Remote server has insufficient disk space to hold email. Check SMTP log.
5.3.4 Message too big. Check limits, System Policy, connector, virtual server.
5.3.5 Multiple Virtual Servers are using the same IP address and port. See Microsoft TechNet article: 321721 Sharing SMTP. Email probably looping.
5.4.0 DNS Problem. Check the Smart host, or check your DNS. It means that there is no DNS server that can resolve this email address. Could be Virtual Server SMTP address.
5.4.1 No answer from host. Not Exchange's fault check connections.
5.4.2 Bad connection.
5.4.3 Routing server failure. No available route.
5.4.4 Cannot find the next hop, check the Routing Group Connector. Perhaps you have Exchange servers in different Routing Groups, but no connector.
5.4.6 Tricky looping problem, a contact has the same email address as an Active Directory user. One user is probably using an Alternate Recipient with the same email address as a contact.
5.4.7 Delivery time-out. Message is taking too long to be delivered.
5.4.8 Microsoft advise, check your recipient policy. SMTP address should be cp.com.
NOT server.cp.com.
5.5.0 Underlying SMTP 500 error. Our server tried ehlo, the recipient's server did not understand and returned a 550 or 500 error. Set up SMTP logging.
5.5.2 Possibly the disk holding the operating system is full. Or could be a syntax error if you are executing SMTP from a telnet shell.
5.5.3 More than 5,000 recipients. Check the Global Settings, Message Delivery properties.
5.5.5 Wrong protocol version
5.6.3 More than 250 attachments.
5.7.1 Permissions problem. For some reason the sender is not allowed to email this account. Perhaps an anonymous user is trying to send mail to a distribution list.
Check SMTP Virtual Server Access Tab. Try checking this box: Allow computers which successfully authenticate to relay
User may have a manually created email address that does not match a System Policy.
5.7.2 Distribution list cannot expand and so is unable to deliver its messages.
5.7.3 Check external IP address of ISA server. Make sure it matches the SMTP publishing rule.
5.7.4 Extra security features not supported. Check delivery server settings
5.7.5 Cryptographic failure. Try a plain message with encryption.
5.7.6 Certificate problem, encryption level maybe to high.
5.7.7 Message integrity problem.




Monitor Your Network with the Real-time Traffic Analyzer
The main reason to monitor your network is to check at a glance which of your servers are available. If there is a network problem you want an interface to show the scope of the problem immediately.

Even when all servers and routers are available, sooner or later you will be curious to know who, or what, is hogging the precious network's bandwidth. A GUI showing the top 10 users makes interesting reading.

Another reason to monitor network traffic is to learn more about your server's response times and the consumption of resources. To take the pain out of capturing frames and analysing the raw data, Guy recommends that you download a copy of the SolarWinds free Real-time NetFlow Analyzer.

Tips for isolating the NDR problem

Master Setting to Enable or Disable NDR Exchange
See here for turning off NDR Exchange 2007

It is possible to control whether or not your Exchange 2003 server will send an NDR.

Launch the Exchange System Manager, navigate to Global Settings, Internet Message Format. Select the Advanced tab. (Un)check Allow non-delivery reports. See more here.

Summary - NDR Reports for Microsoft Exchange Server 2003
There are many reasons why Microsoft Exchange 2003 sends an NDR (Non-Delivery Report). If you examine an NDR carefully you will find a status code number, for example 5.3.1 Two points follow from this discovery, there are more than one error code and therefore, more than one possible cause. My aim is to provide reasons why Exchange sends a particular NDR.

No comments: