Solved

DNS and Exchange Server 2003

Posted on 2005-04-13
Last Modified: 2012-06-21
I am having trouble with getting Exchange server to work correctly.

This is my configuration.

We have several servers.
External DNS
Internal DNS
Web Server 209.242.3.x / 192.168.1.6
Exchange Server ip 192.168.1.42

I am able to send/receive emails sent from inside the network, but I am unable to receive emails sent from outside the network.

I believe that this is a DNS issue.

Any ideas would be a great help.

Thanks,
Jake

Question by:jacobbeckley

Expert Comment

by:Chris Dent
ID: 13776951

What does the MX Record say?

And how do you get the public inbound traffic on Port 25 to the internal IP of your Exchange?

Author Comment

by:jacobbeckley
ID: 13776976
The MX record on the external server points to [same as parent]
The MX record on the internal DNS points to the internal IP 192.168.1.42

The inbound traffic is routed through my ISP/T1 to 192.168.1.6

Thanks,
Jake

Expert Comment

by:Chris Dent
ID: 13777004

It would be a good idea to test that traffic on Port 25 is getting through correctly. The easiest way to do this is with Telnet.

i.e

Telnet <Exchange Server Address> 25

The commands that can be issued are detailed here:

http://support.microsoft.com/kb/q153119/

To check External DNS is set correctly for the MX a site like dnsreport can be used (www.dnsreport.com).
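As an added example that is not part of Chris's comment, here is the telnet check above as a Python function: it connects, records the 220 banner, sends EHLO and QUIT, and reports the name the server announces. That matters in this thread because inbound port 25 was described as being forwarded to 192.168.1.6 (the web server) while Exchange sits on 192.168.1.42, and the banner tells you which host is actually answering. The fake SMTP server and its banner text are constructed for the demo so that it runs on the loopback interface; against the real setup you would call smtp_check() with the public address and port 25.

```python
import socket
import threading

# Constructed banner for the fake server; not captured from the real hosts in the thread.
FAKE_BANNER = b"220 bmedia-exchange.bmedia-online.com Microsoft ESMTP MAIL Service ready\r\n"


def serve_once(sock):
    """Minimal SMTP responder for the demo: send the banner, answer EHLO/HELO and QUIT."""
    conn, _ = sock.accept()
    with conn:
        conn.sendall(FAKE_BANNER)
        f = conn.makefile("rb")
        for line in f:
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO") or cmd.startswith(b"HELO"):
                conn.sendall(b"250-bmedia-exchange.bmedia-online.com Hello\r\n250 SIZE 10485760\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"221 closing\r\n")
                break
            else:
                conn.sendall(b"500 unrecognised\r\n")


def read_reply(f):
    """Collect one SMTP reply, following multi-line 'NNN-' continuations; return (code, lines)."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("connection closed before a complete reply")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def smtp_check(host, port, helo="checker.example", timeout=5.0):
    """What 'telnet host 25' shows, as a function: connect, capture the greeting,
    send EHLO then QUIT, and report which host name the listener announces."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        code, banner = read_reply(f)
        if code != 220:
            return {"ok": False, "banner": banner, "reason": f"unexpected greeting {code}"}
        s.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        ehlo_code, ehlo_lines = read_reply(f)
        s.sendall(b"QUIT\r\n")
        read_reply(f)
    words = banner[0].split()
    server_name = words[1] if len(words) > 1 else ""
    return {"ok": ehlo_code == 250, "banner": banner, "server_name": server_name, "ehlo": ehlo_lines}


def run_demo():
    """Start the fake server on an ephemeral loopback port and run the check against it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=serve_once, args=(srv,), daemon=True)
    t.start()
    try:
        return smtp_check("127.0.0.1", port)
    finally:
        t.join(timeout=5)
        srv.close()


if __name__ == "__main__":
    print(run_demo())
```

If the connection is refused or times out, the forwarding rule or firewall is the problem, not DNS; if a banner comes back but names the web server rather than the Exchange host, the port forward points at the wrong internal address.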

Author Comment

by:jacobbeckley
ID: 13777129
I cannot gain access to port 25 through telnet.

I cannot check DNSReports.com as I am in the network.

Any other ideas?

Thanks,
Jake

Expert Comment

by:Chris Dent
ID: 13777223

Can you Telnet to the Server IP instead of by name?

Can you post your exact MX record?

It should be in the rough form:

yourdomain.com. IN MX mail.yourdomain.com.

Then you need the associated A record for mail:

mail.yourdomain.com. IN A <External IP>

DNS Report should be able to check the external domain name, or is it just a case of not being able to get to the site?

Expert Comment

by:Chris Dent
ID: 13777247
Never mind... I saw your other post.

Your name server will not respond to any of the following:

Request for Name Servers for bmedia-online.com
Requests for MX for bmedia-online.com
Requests for SOA for bmedia-online.com

Your DNS server needs fixing before anything else will work. Is it set up with a Master Zone file for bmedia-online.com?

Author Comment

by:jacobbeckley
ID: 13777252
I cannot telnet to the IP

The exact MX record is as follow:
(same as parent)     Mail Exchanger (MX)     [10] bmedia-online.com.
mail                        Host (A)                       209.242.3.139

I can access the domain name from the web internally and externally, but DNSReports.com says it is having trouble accessing the NS.

Thanks,
Jake

Author Comment

by:jacobbeckley
ID: 13777268
Yes there is master zone for bmedia-online.com.

Here is a link to a screenshot.


www.bmediaweb.com/SERVER/DNS.gif

Thanks,
Jake

Expert Comment

by:Chris Dent
ID: 13777281

This is not legal:

(same as parent)     Mail Exchanger (MX)     [10] bmedia-online.com.

Change bmedia-online.com. to mail.bmedia-online.com.

Expert Comment

by:Chris Dent
ID: 13777291

Your Start of Authority Record uses the Private IP (bmedia-web). Two of your name server records are on private (non-routable) IP ranges.

There's no point in having ns2 since it's the same machine as ns1 ;)
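The checks Chris is doing by eye in the two comments above (an MX that should point at a host with its own A record rather than at the apex, and SOA/NS hosts that must not sit on private, non-routable addresses) can be run mechanically. The following is an added example written for this page, not code from the thread or from Microsoft: a small Python checker over a zone written in a simplified BIND-style text form. The server in the thread is Windows DNS; the text form is only a convenient input for the example. The sample zone is constructed to resemble the records described here, with invented SOA timer values and hostmaster mailbox, and the parser assumes no TTL column and no parenthesised SOA.

```python
import ipaddress

# Constructed sample zone mirroring the records discussed above: an apex MX pointing at
# the apex itself, and NS/SOA hosts on 192.168.x addresses. SOA timers and the hostmaster
# mailbox are invented for the example.
SAMPLE_ZONE = """\
$ORIGIN bmedia-online.com.
@          IN SOA bmedia-web.bmedia-online.com. hostmaster.bmedia-online.com. 1 3600 600 86400 3600
@          IN NS  ns1.bmedia-online.com.
@          IN NS  ns2.bmedia-online.com.
@          IN MX  10 bmedia-online.com.
ns1        IN A   192.168.1.5
ns2        IN A   192.168.1.5
bmedia-web IN A   192.168.1.5
mail       IN A   209.242.3.139
www        IN A   209.242.3.139
"""


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Parse 'owner IN TYPE rdata...' lines (no TTL column, no parenthesised SOA) into
    {(fqdn, type): [rdata token lists]}. $ORIGIN sets the suffix for relative names."""
    origin, records = ".", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, cls, rtype, *rdata = line.split()
        if cls != "IN":
            raise ValueError("unsupported class in line: " + raw)
        records.setdefault((_fqdn(owner, origin), rtype), []).append(rdata)
    return records, origin


def _addresses(records, host):
    return [ip for (ip,) in records.get((host, "A"), [])]


def check_zone(text):
    """Findings for what the thread had to chase by hand: MX pointing at the apex,
    MX/NS/SOA targets without A records or behind CNAMEs, name-server and SOA hosts on
    private addresses, and NS records that are really the same machine."""
    records, origin = parse_zone(text)
    findings = []

    def target_checks(kind, target):
        if (target, "CNAME") in records:
            findings.append(f"{kind} target {target} is a CNAME (not allowed, RFC 2181)")
        addrs = _addresses(records, target)
        if target.endswith(origin) and not addrs:
            findings.append(f"{kind} target {target} has no A record in the zone")
        for ip in addrs:
            # is_private also covers loopback, link-local and documentation ranges;
            # none of those belong behind a public zone's NS/MX/SOA either.
            if ipaddress.ip_address(ip).is_private:
                findings.append(f"{kind} target {target} resolves to private address {ip}")

    for _pref, target in records.get((origin, "MX"), []):
        if target == origin:
            findings.append(f"MX for {origin} points at the apex; use a host record such as mail.{origin}")
        target_checks("MX", target)

    seen = {}
    for (target,) in records.get((origin, "NS"), []):
        target_checks("NS", target)
        addrs = tuple(_addresses(records, target))
        if addrs and addrs in seen:
            findings.append(f"NS {target} and NS {seen[addrs]} share {addrs}; the second adds no redundancy")
        seen.setdefault(addrs, target)

    for soa in records.get((origin, "SOA"), []):
        target_checks("SOA MNAME", soa[0])

    return findings


if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE):
        print(finding)
```

Run against the sample zone it reports the apex MX, the missing A record for that MX target, the three private-address hosts and the duplicate NS; a zone whose MX points at mail with a public A record and whose NS/SOA hosts are public produces no findings.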

Author Comment

by:jacobbeckley
ID: 13777310
That did not seem to fix the problem. But we are on the right track.

Thanks,

Jake

Expert Comment

by:Chris Dent
ID: 13777312

And one more... you seem to be refusing queries which is why no one outside can query:

C:\Dig>dig @195.167.168.63 bmedia-online.com ns

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Can you check that everyone is allowed to query your DNS?

Expert Comment

by:Chris Dent
ID: 13777323

Or alternatively, same thing from NSlookup in debug mode:

> ns1.bmedia-online.com

Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = REFUSED
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ns1.bmedia-online.com, type = A, class = IN

------------
*** 195.167.168.63 can't find ns1.bmedia-online.com: Query refused
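What dig and nslookup are showing in the two comments above is the RCODE field of the DNS header: REFUSED is code 5, SERVFAIL is 2, NOERROR is 0. The following added example (not from the thread, and not a replacement for dig) builds a query by hand, parses the header and any A, NS or MX answers, and includes two constructed replies so the parser can be exercised offline: one reproducing the REFUSED header with id 41 from the dig output, one a normal MX answer. probe() is the only function that touches the network and is there for a live check; the server address and query id come from the dig output, everything else is assumed.

```python
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype, recursion_desired=True):
    """Standard query: 12-byte header (id, flags, QD=1, AN/NS/AR=0) plus one question."""
    flags = 0x0100 if recursion_desired else 0              # RD bit
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                            # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_response(data):
    """Return the header fields dig prints (id, status, section counts) plus decoded
    A, NS and MX answers; other types are returned as raw rdata bytes."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    result = {"id": qid, "rcode": flags & 0xF, "status": RCODES.get(flags & 0xF, "UNKNOWN"),
              "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
              "counts": (qd, an, ns, ar), "answers": []}
    offset = 12
    for _ in range(qd):                                      # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4                                          # qtype + qclass
    for _ in range(an):
        owner, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1:
            rdata = socket.inet_ntoa(data[offset:offset + 4])
        elif rtype == 2:
            rdata, _ = read_name(data, offset)
        elif rtype == 15:
            pref = struct.unpack("!H", data[offset:offset + 2])[0]
            exchange, _ = read_name(data, offset + 2)
            rdata = (pref, exchange)
        else:
            rdata = data[offset:offset + rdlen]
        result["answers"].append((owner, rtype, rdata))
        offset += rdlen
    return result


def make_reply(query, rcode, answers=()):
    """Constructed test data: turn a query into a response with QR|RD|RA set, the given
    RCODE and the given pre-encoded answer records (not captured from a real server)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)


NS_QUERY = build_query(41, "bmedia-online.com", "NS")
# What the server in the thread returned: status REFUSED, nothing in any section.
REFUSED_REPLY = make_reply(NS_QUERY, 5)
# A healthy MX answer: owner is a pointer to the question name (offset 12); the exchange
# is the label "mail" plus a pointer to that same name, so rdlen = 2 + 5 + 2 = 9.
MX_RR = b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 3600, 9) + struct.pack("!H", 10) + b"\x04mail\xc0\x0c"
MX_REPLY = make_reply(build_query(41, "bmedia-online.com", "MX"), 0, [MX_RR])


def probe(server, name, qtype, timeout=3.0):
    """The live version of the check: one UDP query to port 53, parsed like the above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(41, name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    print(parse_response(REFUSED_REPLY))
    print(parse_response(MX_REPLY))
```

Running probe() once per record type (A for www and mail, then MX, NS, SOA) against the public address reproduces the pattern Chris describes later in the thread, where the host records answer and the apex records come back REFUSED or SERVFAIL.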

Author Comment

by:jacobbeckley
ID: 13777357
stupid question.

How do I allow query in Windows 2003?

Thanks,
Jake

Expert Comment

by:Chris Dent
ID: 13777365

Security for the zone file I think, does it include the Everyone group? They need Read access.

Expert Comment

by:Chris Dent
ID: 13777371

If it's not that, run the following command:

dnscmd /Config /EnableEDnsProbes 0

On the server.

Author Comment

by:jacobbeckley
ID: 13777374
They already had that? Am I missing something else?

Thanks,
Jake

Expert Comment

by:Chris Dent
ID: 13777384

EDNS as above?

Author Comment

by:jacobbeckley
ID: 13777389
Is DNSCMD installed on the server by default or must I install it from the Windows disc?

Expert Comment

by:Chris Dent
ID: 13777394

Normally by default on Windows 2003. If not, it's part of the Support Tools.

Author Comment

by:jacobbeckley
ID: 13777435
That is done... can you test it again?

Thanks,
Jake

Expert Comment

by:Chris Dent
ID: 13777439

Still refused, could you try restarting the DNS service?

Author Comment

by:jacobbeckley
ID: 13777440
C:\Program Files\Support Tools>dnscmd /info
Query result:
Server info
        server name              = bmedia-web.bmedia-online.com
        version                  = 0ECE0205 (5.2 build 3790)
        DS container             = cn=MicrosoftDNS,cn=System,DC=bmedia-online,DC=com
        forest name              = bmedia-online.com
        domain name              = bmedia-online.com
        builtin domain partition = ForestDnsZones.bmedia-online.com
        builtin forest partition = DomainDnsZones.bmedia-online.com
        last scavenge cycle      = not since restart (0)
  Configuration:
        dwLogLevel               = 0100F321
        dwDebugLevel             = 00000000
        dwRpcProtocol            = FFFFFFFF
        dwNameCheckFlag          = 00000002
        cAddressAnswerLimit      = 0
        dwRecursionRetry         = 3
        dwRecursionTimeout       = 15
        dwDsPollingInterval      = 180
  Configuration Flags:
        fBootMethod                  = 3
        fAdminConfigured             = 1
        fAllowUpdate                 = 1
        fDsAvailable                 = 1
        fAutoReverseZones            = 1
        fAutoCacheUpdate             = 0
        fSlave                       = 0
        fNoRecursion                 = 0
        fRoundRobin                  = 1
        fStrictFileParsing           = 0
        fLooseWildcarding            = 0
        fBindSecondaries             = 1
        fWriteAuthorityNs            = 0
        fLocalNetPriority            = 1
  Aging Configuration:
        ScavengingInterval           = 0
        DefaultAgingState            = 0
        DefaultRefreshInterval       = 168
        DefaultNoRefreshInterval     = 168
  ServerAddresses:
 Addr Count = 2
                Addr[0] => 192.168.1.129
                Addr[1] => 192.168.1.5
  ListenAddresses:
        NULL IP Array.
  Forwarders:
 Addr Count = 2
                Addr[0] => 216.145.243.22
                Addr[1] => 209.242.0.2
        forward timeout  = 5
        slave            = 0
Command completed successfully.

Author Comment

by:jacobbeckley
ID: 13777445
I just restarted the DNS server...

Expert Comment

by:Chris Dent
ID: 13777463

Still query refused on everything but a few records in there. Checking a few things...

Expert Comment

by:Chris Dent
ID: 13777492

Can you enable logging on DNS for TCP, UDP, Query and Answers?

Author Comment

by:jacobbeckley
ID: 13777501
How could I enable that? Is that done through my ISP/T1/Router provider?

If so I can call them and get it done in a few minutes.

Do you mean port 53 TCP/UDP?

What do you mean by Query and Answers?

Sorry for the confusion.

Expert Comment

by:Chris Dent
ID: 13777520

Sorry no, it's via DNS Manager, if you open the properties for your server you'll see a Logging tab, each is an option under there.

Then it's a case of see what's in the Event Log.

Query refused generally implies an ACL problem or sometimes the EDNS problem - there's not all that much else to it.

Can you also remove the Everyone group from the zone file permissions and re-add it (with Read Access again)?

Author Comment

by:jacobbeckley
ID: 13777534
Ok the log is located here...

www.bmedia-online.com/dns_log.txt

I am working on the rest.

Thanks,
Jake

Author Comment

by:jacobbeckley
ID: 13777559
Event Log on the Exchange server


Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4007
Date:            4/13/2005
Time:            5:48:31 PM
User:            N/A
Computer:      BMEDIA-EXCHANGE
Description:
The DNS server was unable to open zone _msdcs.BloomquistNewMedia.local in the Active Directory from the application directory partition ForestDnsZones.BloomquistNewMedia.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0d 00 00 00               ....    

Expert Comment

by:Chris Dent
ID: 13777561

A few more notes in the meantime...

Your server can correctly resolve external domain names (like www.google.com). It can answer questions about some records (www and mail). But MX, NS and SOA as well as a number of your other records respond with Refused.

Now you can set permissions on each of those objects (if you were feeling like it), so it would be worth verifying that each has Everyone Read access.

Can you add a new zone file to your DNS as follows:

Zone Name: Test.local
A Record in Zone: mail (209.242.3.139)
MX Record in Zone: Test.Local IN MX mail.Test.Local

Let me know when you have it there, I just want to make sure it can normally answer the right questions.

Expert Comment

by:Chris Dent
ID: 13777568

You haven't renamed your domain have you?

Author Comment

by:jacobbeckley
ID: 13777570
Not that I am aware of... but maybe by accident somewhere... But I doubt it...

Author Comment

by:jacobbeckley
ID: 13777576
Could this be a AD error, or Domains and trusts issue?

Expert Comment

by:Chris Dent
ID: 13777578

Fair enough :)

Can you also create a zone called BloomquistNewMedia.local as Active Directory Integrated and set it to allow Secure Updates only. It seems your AD structure expects it there.

If this is your internal domain name the inability to resolve addresses could explain foul-ups with the public zone.

Expert Comment

by:Chris Dent
ID: 13777588

After you've created it, run this on both your bmedia-web and bmedia-exchange servers:

ipconfig /flushdns
ipconfig /registerdns

Then restart the NetLogon Service on both.

Then it's back to the event log...

Author Comment

by:jacobbeckley
ID: 13777591
Is this a primary zone or stub zone?

Expert Comment

by:Chris Dent
ID: 13777594

Sorry... Primary zone.

Expert Comment

by:Chris Dent
ID: 13777611

Forgot to add.. if BloomquistNewMedia.local is your AD domain then it will need adding on both bmedia-web and bmedia-exchange (AD Integrated Primary in both cases).

Author Comment

by:jacobbeckley
ID: 13777612
that is all done

I created the zone bloomquistNewMedia.local
flush and registered the dns
restarted netlogon on both servers

I am checking the event log now...

Jake

Author Comment

by:jacobbeckley
ID: 13777623
the log is at www.bmedia-online.com/dns_log1.txt

Thanks,
Jake

I missed the post about the test.local.

Should I still set this up?


Expert Comment

by:Chris Dent
ID: 13777636

File not found for the log...

It's still refusing queries so making test.local would allow me to bounce a few bits off that which would be quite useful for a quick test.

Author Comment

by:jacobbeckley
ID: 13777642
I created test.local

let me know if that worked...

Author Comment

by:jacobbeckley
ID: 13777648
Try again on the log file... sorry about that.

Expert Comment

by:Chris Dent
ID: 13777661

Does that one have the MX too?

Expert Comment

by:Chris Dent
ID: 13777663

Here we go...

18:27:04 10DC EVENT   The DNS server could not signal the service "NAT". The error was 1168. There
may be interoperability problems between the DNS service and this service.

Stop the Routing and Remote Access Service on that server.

Author Comment

by:jacobbeckley
ID: 13777671
It has the following...

(same as parent)   Start of Authority (SOA)  [1],bmedia-web.bmedia-online.com.
(same as parent)   Name Server (NS)         bmedia-web.bmedia-online.com.
mail                      Mail Exchanger             [10] mail.test.local
mail                      Host (A)                       209.242.3.139

Expert Comment

by:Chris Dent
ID: 13777682

Okay, the problem isn't zone file specific then. But it is almost certainly caused by the NAT service - generally this is either Internet Connection Sharing or Routing and Remote Access.

Do you use those services on the server?

Author Comment

by:jacobbeckley
ID: 13777692
OK Routing and Remote Access is stopped...

Author Comment

by:jacobbeckley
ID: 13777694
I am using both of those services... Is there anyway around it?

Expert Comment

by:Chris Dent
ID: 13777712

Hmm still not responding to requests. Restart DNS Service and check for errors again?

Expert Comment

by:Chris Dent
ID: 13777724

Yes, the rules about DNS proxies need to be absolutely correct to run those services on the machine.

This article covers it...

http://www.petri.co.il/dns_and_nat_errors.htm

Expert Comment

by:Chris Dent
ID: 13777730

The first step in that might not be so helpful, although it is the most sensible ;)

Author Comment

by:jacobbeckley
ID: 13777746
I am still getting this on bmedia-exchange server in the dns log

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4007
Date:            4/13/2005
Time:            6:39:16 PM
User:            N/A
Computer:      BMEDIA-EXCHANGE
Description:
The DNS server was unable to open zone _msdcs.BloomquistNewMedia.local in the Active Directory from the application directory partition ForestDnsZones.BloomquistNewMedia.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0d 00 00 00               ....    

Expert Comment

by:Chris Dent
ID: 13777757

And that's with BloomquistNewMedia.local as a Forward Lookup zone on both servers?

Author Comment

by:jacobbeckley
ID: 13777759
That is correct...

Author Comment

by:jacobbeckley
ID: 13777762
Only bmedia-exchange gets that event, not bmedia-web

j

Expert Comment

by:Chris Dent
ID: 13777765

One more, is 202.242.3.139 actually assigned to the DNS server itself?

Expert Comment

by:Chris Dent
ID: 13777771

And the DNS is listening on all IP addresses?

Author Comment

by:jacobbeckley
ID: 13777776
209.242.3.139 is the actual IP. It is not assigned to the server...

My T1/Router provider is routing requests for that IP to my static internal IP of 192.168.1.5


jb

Author Comment

by:jacobbeckley
ID: 13777781
Should I assign the ip of 209.242.3.139 to the NIC card?

Expert Comment

by:Chris Dent
ID: 13777790

Getting requests through is via NAT or Port Forwarding?

Author Comment

by:jacobbeckley
ID: 13777796
port forwarding on their end through the router.

Expert Comment

by:Chris Dent
ID: 13777823

Can you do:

nslookup
server 192.168.1.5
set type=mx
bmedia-online.com

And confirm that works?

Author Comment

by:jacobbeckley
ID: 13777832
> server 192.168.1.5
Default Server:  [192.168.1.5]
Address:  192.168.1.5

> set type=mx
> bmedia-online.com
Server:  [192.168.1.5]
Address:  192.168.1.5

bmedia-online.com       MX preference = 10, mail exchanger = bmedia-exchange.bmedia-online.com
bmedia-online.com       MX preference = 10, mail exchanger = mail.bmedia-online.com
bmedia-exchange.bmedia-online.com       internet address = 192.168.1.41
mail.bmedia-online.com  internet address = 209.242.3.139

Expert Comment

by:Chris Dent
ID: 13777841

Okay, this is a bit of a longshot. Can you try adding 209.242.3.139 Mask 255.255.255.255 (or 255.255.255.252 if it refuses). No gateway to the server?

Author Comment

by:jacobbeckley
ID: 13777848
Do you mean changing the NIC TCP/IP settings?

jb

Expert Comment

by:Chris Dent
ID: 13777857

TCP/IP Properties, Advanced and add a new IP. Leave anything you already have there on.

Author Comment

by:jacobbeckley
ID: 13777863
ok that is done...

Expert Comment

by:Chris Dent
ID: 13777871

No good... remove that one again.

Author Comment

by:jacobbeckley
ID: 13777878
try one more time if you could please.

Thanks,
JB

Expert Comment

by:Chris Dent
ID: 13777882

Nope, timeout, cannot query MX.

Author Comment

by:jacobbeckley
ID: 13777885
do you want to take a look around inside the server?

Expert Comment

by:Chris Dent
ID: 13777900

Your own DNS is having problems answering public zone queries because it keeps having to go to ns1.bmedia-online.com. This is a bit of a problem since that doesn't seem able to route back in. Could really use bi-directional NAT...

Author Comment

by:jacobbeckley
ID: 13777913
How do I go about that?

Expert Comment

by:Chris Dent
ID: 13777916

Quite complicated and it all depends on the capabilities of the router. Your ISP configure that right?

Author Comment

by:jacobbeckley
ID: 13777921
My ISP configures everything relating to the Router / T1... Do you want to take a look around in the server?

Expert Comment

by:Chris Dent
ID: 13777924

Yeah, that would be useful.

Author Comment

by:jacobbeckley
ID: 13777928
email me at j.beckley@bmediaweb.com... I will send you the information...

Thanks,
JB

Author Comment

by:jacobbeckley
ID: 13777956
or give me your email so I can send you the login info...

Expert Comment

by:Chris Dent
ID: 13777962

That one is at the bottom of my profile.

Expert Comment

by:Chris Dent
ID: 13778027

This lot at the bottom is what the router needs to be doing, then it should be possible to change ns1 for the private IP within DNS. It's possible it's setup like that anyway so changing ns1 to the private IP may work.

Does Cisco IOS NAT support DNS queries?
    A. Yes, Cisco IOS NAT will translate the address(es) which appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). Thus, if an outside host sends a name-lookup to a DNS server on the inside, and that server responds with a local address, the NAT code will translate that local address to a global address. The opposite is also true, and is how we support IP addresses overlapping: an inside host queries an outside DNS server, the response contains an address that matches the ACL specified on the outside source command, and the code translates the outside global address to an outside local address.

    Time-to-live (TTL) values on all DNS resource records (RRs) which receive address translations in RR payloads are automatically set to zero.

    Cisco IOS NAT does not translate IP addresses embedded in DNS zone transfers.

Expert Comment

by:Chris Dent
ID: 13778040

For now though, I must go to sleep or I'll never get up tomorrow. Sorry I can't hang around longer.

Expert Comment

by:CDCOP
ID: 13778737
Are you sure your DNS server is running on all the correct IP's? The IP's that have the outside data forwarded to them?

Accepted Solution

by:Chris Dent
ID: 13779534

The IPs do have data forwarded to them, you can connect to the DNS and resolve some records using tools like NSLookup and Dig.

Records such as www and mail are resolving correctly. Requests for records like MX, NS and SOA fail, timing out on the server end, and are now coming up with SERVFAIL.

This implies there is a problem with how the general public access the DNS server. More to the point, that the server has its NS records set to an IP bound to the router (not to the DNS server).

To resolve it, either NAT must be enabled so the server can see itself on the public IP from both the inside and the outside.

Always loads of different methods to achieve this. Cisco kit changes the DNS A records on-the-fly as it passes through the router, converting the private A record to a public A record. Others include bi-directional NAT (two-way NAT / local NAT / source NAT).

Author Comment

by:jacobbeckley
ID: 13783149
Thanks to Chris-Dent's help some of the issues are as follows.

It turns out that I have two MX records. One for local, and one for remote. The one for local was removed and now I can receive email from the outside.

Thanks Chris,
Jake