Managing Limits in Exchange Server 2010 (Part 2)

by [Published on 11 Dec. 2012 / Last Updated on 11 Dec. 2012]

In this second article about Exchange limits, the author discusses the limits that can be applied to Send and Receive connectors and to Active Directory sites.


Managing limits on Send Connectors

In Exchange Server 2007/2010 the connectors can be considered as the bridges between the Exchange organization and the external world, which can be servers on the Internet or messaging partners.

In order to manage them, you can open Exchange Management Console, expand Organization Configuration, Hub Transport, and click the Send Connectors tab. Double click on the desired Send Connector, and in Maximum message size (KB) a new value can be defined. In this article, let’s configure the Send Connector to 2MB as shown in Figure 01.

 


Figure 01

Now, if a user tries to send a message larger than 2MB, the error message shown in Figure 02 will be displayed. The administrator can look at the Diagnostic Information section to check the information provided by the system.

 


Figure 02

The administrator can identify where the limitation is by glancing at the Diagnostic information for administrators section, where the string Routing.SizeLimit is displayed.

The Send Connector is the only type of connector that can be configured as unlimited. In some cases the administrator can decide to uncheck the option Maximum message size (KB) (Figure 03), and the Organization Limit will then determine whether a message can leave the organization.


Figure 03

Managing limits on Receive Connectors

Receive Connectors receive incoming traffic in Exchange Server 2007/2010, and a key factor when limiting incoming traffic is to be consistent across the components in your topology. The Receive Connector is available in two roles: Hub Transport and Edge Transport. The first one is mainly responsible for routing messages internally; it must be installed inside the network and be a member of an Active Directory. The second one is more secure; it should be placed in a DMZ and not connected to Active Directory.

However, some companies designed their infrastructure to receive incoming traffic straight to the Hub Transport role without using an Edge Transport. In this article series the configuration itself is the same but the administrator must be aware of his topology to apply the limit in the right place.

Another point that must be validated before restricting limits at Receive Connector level is whether your organization is using any anti-spam solution, on-premises or in the cloud. Let’s suppose that your organization is using FOPE (Forefront Protection for Exchange) with a message limit of 10MB there, but you configure your Receive Connector to accept only 5MB. Any message between 5MB and 10MB will be accepted by FOPE and routed to your domain, which will then block it. In this case it is better to keep consistent values in all locations.

The Receive Connectors are configured at the Server Level, which means that if you have a group of Hub Transport servers behind a Load Balancer, all servers must be configured with the same limits. Otherwise, you will experience weird issues where messages of certain sizes are received, but not all the time. The ability to receive the message in the mailbox is also validated against the organization limits; we are going to cover both pieces together in more detail in the next part of this series.

In order to configure limits on a Receive Connector, let’s open Exchange Management Console, expand Server Configuration, click Hub Transport and then on the right side, select the desired server. A list of all Receive Connectors will be shown below. Right click the Receive Connector responsible for the traffic that you want to limit and then Properties, as shown in Figure 04.

 


Figure 04

A server can have more than one Receive Connector, which allows the administrator to control the limits accordingly. For example, a scanner which relies on Exchange can use a Receive Connector that accepts a larger limit than a different Receive Connector on the same server that allows a different limit.

A last note about Receive Connectors: their limit is always applied to unauthenticated sources. If you have clients using the Outlook/OWA/ActiveSync client interfaces, then the organization limit takes precedence.
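The consistency requirement for servers behind a Load Balancer can be checked from the shell. The following is an added example, not part of the original article: Find-ReceiveLimitDrift is a hypothetical helper, and the server and connector names in the sample are constructed. It compares limits as display strings so it also works in the PowerShell 2.0 shell that Exchange 2010 uses.

```powershell
# Added example: flag Receive Connectors whose MaxMessageSize differs between
# servers that should behave identically (e.g. Hub Transports behind one VIP).
# Default connector names embed the server ("Default HUB01"), so the server name
# is replaced with a token to line the same connector role up across servers.
function Find-ReceiveLimitDrift {
    param([Parameter(Mandatory = $true)] [object[]] $Connector)

    $rows = $Connector | Select-Object `
        @{ Name = 'Server'; Expression = { "$($_.Server)" } },
        @{ Name = 'Role';   Expression = { $_.Name -replace [regex]::Escape("$($_.Server)"), '<server>' } },
        @{ Name = 'Limit';  Expression = { "$($_.MaxMessageSize)" } }

    $rows |
        Group-Object Role |
        Where-Object { @($_.Group | Select-Object -ExpandProperty Limit -Unique).Count -gt 1 } |
        ForEach-Object { $_.Group | Sort-Object Server }
}

# Constructed sample standing in for live output (hypothetical servers HUB01/HUB02).
$sample = @(
    New-Object PSObject -Property @{ Server = 'HUB01'; Name = 'Default HUB01'; MaxMessageSize = '10 MB (10,485,760 bytes)' }
    New-Object PSObject -Property @{ Server = 'HUB02'; Name = 'Default HUB02'; MaxMessageSize = '5 MB (5,242,880 bytes)' }
    New-Object PSObject -Property @{ Server = 'HUB01'; Name = 'Scanner relay'; MaxMessageSize = '25 MB (26,214,400 bytes)' }
    New-Object PSObject -Property @{ Server = 'HUB02'; Name = 'Scanner relay'; MaxMessageSize = '25 MB (26,214,400 bytes)' }
)

# Only the "Default <server>" pair is reported; the scanner connectors agree.
Find-ReceiveLimitDrift -Connector $sample | Format-Table Server, Role, Limit -AutoSize

# Live use in the Exchange Management Shell:
#   $live = Get-TransportServer | ForEach-Object { Get-ReceiveConnector -Server $_.Name }
#   Find-ReceiveLimitDrift -Connector $live | Format-Table Server, Role, Limit -AutoSize
```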

Managing Active Directory Site limits…

Connectors are really good objects to control limits for external recipients, however, when an organization wants to limit internal users, there is a better way to do that. It is through Active Directory Site links.

Let’s say that we have 3 main sites (Porto Alegre, Buenos Aires and Montevideo) and there is no direct connection between the Buenos Aires and Montevideo sites. To improve Active Directory replication, the decision was to create an AD Site Link between Porto Alegre and Buenos Aires named GauchoLand-Argentina and another one between Porto Alegre and Montevideo named GauchoLand-Uruguay. Let’s say that the link to Argentina is really bad and messages larger than 1MB will stop the ERP because we don’t have QoS in place (trust me, that is based on a true story!). In this scenario we could use limits at Site Level, and the following cmdlets will help us out:

  • Get-ADSite: this cmdlet lists all Active Directory sites
  • Get-ADSiteLink: this cmdlet lists all IP Inter-Site Transport entries
  • Set-ADSiteLink: this cmdlet sets the MaxMessageSize attribute

In Figure 05, we first listed all AD Sites, then listed the AD Site Links, and then set the limit to 1MB. Finally, we checked that the new value was configured properly.


Figure 05
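The sequence described for Figure 05, written out as an added example for the Exchange Management Shell (it is not the exact command text from the original figure). The link name comes from the scenario above; the displayed columns are a choice made here.

```powershell
# Added example; run in the Exchange Management Shell.
$link = 'GauchoLand-Argentina'

# 1. List the AD sites and the IP site links, including any limit already set.
Get-ADSite | Format-Table Name, HubSiteEnabled -AutoSize
Get-ADSiteLink | Format-Table Name, Sites, Cost, MaxMessageSize -AutoSize

# 2. Apply the 1MB limit. -ErrorAction Stop makes a failure such as
#    INSUFF_ACCESS_RIGHTS terminating, so the script stops here instead of
#    going on to a read-back that would show the old value.
try {
    Set-ADSiteLink -Identity $link -MaxMessageSize 1MB -ErrorAction Stop
}
catch {
    Write-Warning "Set-ADSiteLink failed on '$link': $($_.Exception.Message)"
    return
}

# 3. Read the value back rather than trusting the absence of an error.
Get-ADSiteLink -Identity $link | Format-List Name, Sites, MaxMessageSize
```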

If you are running Exchange Server 2010 and you receive an error 4003 (INSUFF_ACCESS_RIGHTS) when running Set-ADSiteLink, it may be a permission issue. There is no official documentation from Microsoft at this point; however, there are a couple of workarounds for this error:

  • If you still have an Exchange Server 2007, then you can run the same cmdlet and it will work like a charm.
  • If you are running a native Exchange Server 2010, then you can open Active Directory Sites and Services, expand Sites, Inter-Site Transport, right-click IP and then click Properties. In the IP Properties, click the Security tab, and then the Advanced button. Click the Name column and then find the entry that has Exchange Trusted Subsystem in the Name column and also Descendant Site Link objects in the Apply to column, and then click Edit as shown in Figure 06.


Figure 06

Because of the introduction of RBAC in Exchange Server 2010, the Exchange Trusted Subsystem is responsible for performing such changes. To make it work, select the Allow column for the following items: Read delivContLength and Write delivContLength, as shown in Figure 07.

 


Figure 07

Depending on the size of your organization, you may have to wait for replication to take place before you can run the cmdlets again. It will probably work as it does in Exchange Server 2007.

Now, when a user sends a message larger than the set value to a recipient that belongs to a site where the limit was configured, the following error message will show up in the Diagnostic information for administrators:

#550 5.3.4 ROUTING.SizeLimit; message size exceeds fixed maximum size for route ##

Conclusion

In this second article of our series we went through the process to configure limits on the connectors. In the next article we will be analyzing how all pieces fit together, and running a couple of scenarios to put them to the test.
