
DNS and Exchange Server 2003

I am having trouble with getting Exchange server to work correctly.

This is my configuration.

We have several servers.
External DNS
Internal DNS
Web Server 209.242.3.x / 192.168.1.6
Exchange Server ip 192.168.1.42

I am able to send/receive emails sent from inside the network, but I am unable to receive emails sent from outside the network.

I believe that this is a DNS issue.

Any ideas would be a great help.

Thanks,
Jake

Asked by: jacobbeckley

Chris Dent (PowerShell Developer) commented:

What does the MX Record say?

And how do you get the public inbound traffic on Port 25 to the internal IP of your Exchange?
jacobbeckley (Author) commented:
The MX record on the external server points to [same as parent]
The MX record on the internal DNS points to the internal IP 192.168.1.42

The inbound traffic is routed through my ISP/T1 to 192.168.1.6

Thanks,
Jake
Chris Dent (PowerShell Developer) commented:

It would be a good idea to test that traffic on Port 25 is getting through correctly. The easiest way to do this is with Telnet.

i.e.

Telnet <Exchange Server Address> 25

The commands that can be issued are detailed here:

http://support.microsoft.com/kb/q153119/

To check External DNS is set correctly for the MX a site like dnsreport can be used (www.dnsreport.com).
jacobbeckley (Author) commented:
I cannot gain access to port 25 through telnet.

I cannot check DNSReports.com as I am in the network.

Any other ideas?

Thanks,
Jake
Chris Dent (PowerShell Developer) commented:

Can you Telnet to the Server IP instead of by name?

Can you post your exact MX record?

It should be in the rough form:

yourdomain.com. IN MX mail.yourdomain.com.

Then you need the associated A record for mail:

mail.yourdomain.com. IN A <External IP>

DNS Report should be able to check the external domain name, or is it just a case of not being able to get to the site?
Chris Dent (PowerShell Developer) commented:
Nevermind... I saw your other post.

Your name server will not respond to any of the following:

Request for Name Servers for bmedia-online.com
Requests for MX for bmedia-online.com
Requests for SOA for bmedia-online.com

Your DNS server needs fixing before anything else will work. Is it set up with a Master Zone file for bmedia-online.com?
jacobbeckley (Author) commented:
I cannot telnet to the IP

The exact MX record is as follows:
(same as parent)     Mail Exchanger (MX)     [10] bmedia-online.com.
mail                        Host (A)                       209.242.3.139

I can access the domain name from the web internally and externally, but DNSReports.com says it is having trouble accessing the NS.

Thanks,
Jake
jacobbeckley (Author) commented:
Yes, there is a master zone for bmedia-online.com.

Here is a link to a screenshot.

www.bmediaweb.com/SERVER/DNS.gif

Thanks,
Jake
Chris Dent (PowerShell Developer) commented:

This is not legal:

(same as parent)     Mail Exchanger (MX)     [10] bmedia-online.com.

Change bmedia-online.com. to mail.bmedia-online.com.
Chris Dent (PowerShell Developer) commented:

Your Start of Authority Record uses the Private IP (bmedia-web). Two of your name server records are on private (non-routable) IP ranges.

There's no point in having ns2 since it's the same machine as ns1 ;)
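The MX/A record form given above and the private-address NS and SOA entries just pointed out are checks that can be scripted. The following is an added example, not code from the thread or either participant: it validates a constructed record set modelled on the zone under discussion (origin bmedia-online.com., addresses taken from the thread), flagging SOA, NS and MX targets that have no A record in the zone or resolve to a private address, which is also the condition behind the second, internal MX record the thread ends up removing.

```python
import ipaddress
from typing import Dict, List, Tuple

# (owner, type, target) with all names fully qualified (trailing dot).
Record = Tuple[str, str, str]

# Constructed sample modelled on the public zone discussed in the thread.
# "@" is the zone apex; names without a trailing dot are relative to the origin.
CONSTRUCTED_ZONE = """
@ SOA bmedia-web
@ NS bmedia-web
@ NS ns1
@ MX bmedia-online.com.
@ MX bmedia-exchange
@ MX mail
bmedia-web A 192.168.1.5
ns1 A 192.168.1.5
bmedia-exchange A 192.168.1.41
mail A 209.242.3.139
www A 209.242.3.139
"""

def absolute(name: str, origin: str) -> str:
    """Turn a zone-file name into a fully qualified name under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str, origin: str) -> List[Record]:
    """Parse the three-column format above; SOA/NS/MX targets are host names."""
    records: List[Record] = []
    for line in text.strip().splitlines():
        owner, rtype, target = line.split()
        if rtype in ("SOA", "NS", "MX"):
            target = absolute(target, origin)
        records.append((absolute(owner, origin), rtype, target))
    return records

def check_zone(records: List[Record]) -> List[str]:
    """Flag SOA/NS/MX targets that resolvers outside the network cannot use:
    a target with no A record in the zone (e.g. an MX naming the bare domain
    when only 'mail' has an address), or one whose address is private."""
    addresses: Dict[str, str] = {o: t for o, r, t in records if r == "A"}
    problems: List[str] = []
    for _owner, rtype, target in records:
        if rtype not in ("SOA", "NS", "MX"):
            continue
        if target not in addresses:
            problems.append(f"{rtype} target {target} has no A record in the zone")
        elif ipaddress.ip_address(addresses[target]).is_private:
            problems.append(
                f"{rtype} target {target} points at private address {addresses[target]}"
            )
    return problems

def check_constructed_zone() -> List[str]:
    """Run the check over the constructed sample (origin bmedia-online.com.)."""
    return check_zone(parse_zone(CONSTRUCTED_ZONE, "bmedia-online.com."))

if __name__ == "__main__":
    for problem in check_constructed_zone():
        print(problem)
```

Only the mail host, with its public address, passes; every SOA, NS and MX entry that names an internal host or the bare domain is reported.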
jacobbeckley (Author) commented:
That did not seem to fix the problem. But we are on the right track.

Thanks,

Jake
Chris Dent (PowerShell Developer) commented:

And one more... you seem to be refusing queries which is why no one outside can query:

C:\Dig>dig @195.167.168.63 bmedia-online.com ns

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Can you check that everyone is allowed to query your DNS?
Chris Dent (PowerShell Developer) commented:

Or alternatively, same thing from NSlookup in debug mode:

> ns1.bmedia-online.com

Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = REFUSED
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ns1.bmedia-online.com, type = A, class = IN

------------
*** 195.167.168.63 can't find ns1.bmedia-online.com: Query refused
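The dig and nslookup runs in the two posts above both read the rcode from the response header (REFUSED) to show the server is declining the query rather than failing to answer it. Added example, not from the thread: a script that builds a standard query, parses the rcode and answer count from a response header, and can probe one server for the A, NS, SOA and MX types whose contrasting results the thread discusses; the sample packet is constructed to reproduce the dig header shown (id 41, flags qr rd ra, status REFUSED).

```python
import socket
import struct
from typing import Dict, Tuple

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15}

def build_query(name: str, qtype: str, txid: int = 41) -> bytes:
    """Standard recursion-desired query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def parse_header(resp: bytes) -> Tuple[int, str, int]:
    """Return (id, rcode name, answer count) from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return txid, RCODE_NAMES.get(rcode, f"RCODE{rcode}"), an

def constructed_refused_response() -> bytes:
    """Constructed packet reproducing the dig header in the thread:
    id 41, flags qr rd ra, status REFUSED, one question, no answers."""
    question = build_query("bmedia-online.com", "NS", txid=41)[12:]
    flags = 0x8000 | 0x0100 | 0x0080 | 5      # qr | rd | ra | REFUSED
    return struct.pack("!HHHHHH", 41, flags, 1, 0, 0, 0) + question

def query_rcode(server: str, name: str, qtype: str, timeout: float = 3.0) -> Tuple[str, int]:
    """Send one UDP query to server:53 and return (rcode name, answer count)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        while True:
            resp, _ = sock.recvfrom(4096)
            txid, rcode, answers = parse_header(resp)
            if txid == struct.unpack("!H", query[:2])[0]:   # ignore stray datagrams
                return rcode, answers

def probe_server(server: str, name: str) -> Dict[str, str]:
    """The thread's observation, scripted: which record types does the
    server answer for the zone, and which does it refuse or time out on?"""
    results: Dict[str, str] = {}
    for qtype in QTYPES:
        try:
            rcode, answers = query_rcode(server, name, qtype)
            results[qtype] = f"{rcode} ({answers} answers)"
        except socket.timeout:
            results[qtype] = "timeout"
    return results

if __name__ == "__main__":
    print(parse_header(constructed_refused_response()))   # (41, 'REFUSED', 0)
```

Run probe_server against your own authoritative server's address to get one line per type, the same picture the thread assembles by hand with dig and nslookup.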
jacobbeckley (Author) commented:
Stupid question.

How do I allow query in Windows 2003?

Thanks,
Jake
Chris Dent (PowerShell Developer) commented:

Security for the zone file, I think; does it include the Everyone group? They need Read access.
Chris Dent (PowerShell Developer) commented:

If it's not that, run the following command:

dnscmd /Config /EnableEDnsProbes 0

On the server.
jacobbeckley (Author) commented:
They already had that? Am I missing something else?

Thanks,
Jake
Chris Dent (PowerShell Developer) commented:

EDNS as above?
jacobbeckley (Author) commented:
Is DNSCMD installed on the server by default, or must I install it from the Windows disc?
Chris Dent (PowerShell Developer) commented:

Normally by default on Windows 2003. If not, it's part of the Support Tools.
jacobbeckley (Author) commented:
That is done... can you test it again?

Thanks,
Jake
Chris Dent (PowerShell Developer) commented:

Still refused, could you try restarting the DNS service?
jacobbeckley (Author) commented:
C:\Program Files\Support Tools>dnscmd /info
Query result:
Server info
        server name              = bmedia-web.bmedia-online.com
        version                  = 0ECE0205 (5.2 build 3790)
        DS container             = cn=MicrosoftDNS,cn=System,DC=bmedia-online,DC=com
        forest name              = bmedia-online.com
        domain name              = bmedia-online.com
        builtin domain partition = ForestDnsZones.bmedia-online.com
        builtin forest partition = DomainDnsZones.bmedia-online.com
        last scavenge cycle      = not since restart (0)
  Configuration:
        dwLogLevel               = 0100F321
        dwDebugLevel             = 00000000
        dwRpcProtocol            = FFFFFFFF
        dwNameCheckFlag          = 00000002
        cAddressAnswerLimit      = 0
        dwRecursionRetry         = 3
        dwRecursionTimeout       = 15
        dwDsPollingInterval      = 180
  Configuration Flags:
        fBootMethod                  = 3
        fAdminConfigured             = 1
        fAllowUpdate                 = 1
        fDsAvailable                 = 1
        fAutoReverseZones            = 1
        fAutoCacheUpdate             = 0
        fSlave                       = 0
        fNoRecursion                 = 0
        fRoundRobin                  = 1
        fStrictFileParsing           = 0
        fLooseWildcarding            = 0
        fBindSecondaries             = 1
        fWriteAuthorityNs            = 0
        fLocalNetPriority            = 1
  Aging Configuration:
        ScavengingInterval           = 0
        DefaultAgingState            = 0
        DefaultRefreshInterval       = 168
        DefaultNoRefreshInterval     = 168
  ServerAddresses:
 Addr Count = 2
                Addr[0] => 192.168.1.129
                Addr[1] => 192.168.1.5
  ListenAddresses:
        NULL IP Array.
  Forwarders:
 Addr Count = 2
                Addr[0] => 216.145.243.22
                Addr[1] => 209.242.0.2
        forward timeout  = 5
        slave            = 0
Command completed successfully.
jacobbeckley (Author) commented:
I just restarted the DNS server...
Chris Dent (PowerShell Developer) commented:

Still query refused on everything but a few records in there. Checking a few things...
Chris Dent (PowerShell Developer) commented:

Can you enable logging on DNS for TCP, UDP, Query and Answers?
jacobbeckley (Author) commented:
How could I enable that? Is that done through my ISP/T1/Router provider?

If so I can call them and get it done in a few minutes.

Do you mean port 53 TCP/UDP?

What do you mean by Query and Answers?

Sorry for the confusion.
Chris Dent (PowerShell Developer) commented:

Sorry no, it's via DNS Manager, if you open the properties for your server you'll see a Logging tab, each is an option under there.

Then it's a case of see what's in the Event Log.

Query refused generally implies an ACL problem or sometimes the EDNS problem - there's not all that much else to it.

Can you also remove the Everyone group from the zone file permissions and re-add it (with Read Access again)?
jacobbeckley (Author) commented:
Ok, the log is located here...

www.bmedia-online.com/dns_log.txt

I am working on the rest.

Thanks,
Jake
jacobbeckley (Author) commented:
Event Log on the Exchange server

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4007
Date:            4/13/2005
Time:            5:48:31 PM
User:            N/A
Computer:      BMEDIA-EXCHANGE
Description:
The DNS server was unable to open zone _msdcs.BloomquistNewMedia.local in the Active Directory from the application directory partition ForestDnsZones.BloomquistNewMedia.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0d 00 00 00               ....    
Chris Dent (PowerShell Developer) commented:

A few more notes in the meantime...

Your server can correctly resolve external domain names (like www.google.com). It can answer questions about some records (www and mail). But MX, NS and SOA as well as a number of your other records respond with Refused.

Now you can set permissions on each of those objects (if you were feeling like it), so it would be worth verifying that each has Everyone Read access.

Can you add a new zone file to your DNS as follows:

Zone Name: Test.local
A Record in Zone: mail (209.242.3.139)
MX Record in Zone: Test.Local IN MX mail.Test.Local

Let me know when you have it there, I just want to make sure it can normally answer the right questions.
Chris Dent (PowerShell Developer) commented:

You haven't renamed your domain have you?
jacobbeckley (Author) commented:
Not that I am aware of... but maybe by accident somewhere... But I doubt it...
jacobbeckley (Author) commented:
Could this be an AD error, or a Domains and Trusts issue?
Chris Dent (PowerShell Developer) commented:

Fair enough :)

Can you also create a zone called BloomquistNewMedia.local as Active Directory Integrated and set it to allow Secure Updates only. It seems your AD structure expects it there.

If this is your internal domain name the inability to resolve addresses could explain foul-ups with the public zone.
Chris Dent (PowerShell Developer) commented:

After you've created it, run this on both your bmedia-web and bmedia-exchange servers:

ipconfig /flushdns
ipconfig /registerdns

Then restart the NetLogon Service on both.

Then it's back to the event log...
jacobbeckley (Author) commented:
Is this a primary zone or stub zone?
Chris Dent (PowerShell Developer) commented:

Sorry... Primary zone.
Chris Dent (PowerShell Developer) commented:

Forgot to add.. if BloomquistNewMedia.local is your AD domain then it will need adding on both bmedia-web and bmedia-exchange (AD Integrated Primary in both cases).
jacobbeckley (Author) commented:
That is all done.

I created the zone bloomquistNewMedia.local
flushed and registered the DNS
restarted netlogon on both servers

I am checking the event log now...

Jake
jacobbeckley (Author) commented:
the log is at www.bmedia-online.com/dns_log1.txt

Thanks,
Jake

I missed the post about the test.local.

Should I still set this up?

Chris Dent (PowerShell Developer) commented:

File not found for the log...

It's still refusing queries so making test.local would allow me to bounce a few bits off that which would be quite useful for a quick test.
jacobbeckley (Author) commented:
I created test.local

let me know if that worked...
jacobbeckley (Author) commented:
Try again on the log file... sorry about that.
Chris Dent (PowerShell Developer) commented:

Does that one have the MX too?
Chris Dent (PowerShell Developer) commented:

Here we go...

18:27:04 10DC EVENT   The DNS server could not signal the service "NAT". The error was 1168. There
may be interoperability problems between the DNS service and this service.

Stop the Routing and Remote Access Service on that server.
jacobbeckley (Author) commented:
It has the following...

(same as parent)   Start of Authority (SOA)  [1],bmedia-web.bmedia-online.com.
(same as parent)   Name Server (NS)         bmedia-web.bmedia-online.com.
mail                      Mail Exchanger             [10] mail.test.local
mail                      Host (A)                       209.242.3.139
Chris Dent (PowerShell Developer) commented:

Okay, the problem isn't zone file specific then. But it is almost certainly caused by the NAT service - generally this is either Internet Connection Sharing or Routing and Remote Access.

Do you use those services on the server?
jacobbeckley (Author) commented:
OK, Routing and Remote Access is stopped...
jacobbeckley (Author) commented:
I am using both of those services... Is there any way around it?
Chris Dent (PowerShell Developer) commented:

Hmm still not responding to requests. Restart DNS Service and check for errors again?
Chris Dent (PowerShell Developer) commented:

Yes, the rules about DNS proxies need to be absolutely correct to run those services on the machine.

This article covers it...

http://www.petri.co.il/dns_and_nat_errors.htm
Chris Dent (PowerShell Developer) commented:

The first step in that might not be so helpful, although it is the most sensible ;)
jacobbeckley (Author) commented:
I am still getting this on bmedia-exchange server in the dns log

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4007
Date:            4/13/2005
Time:            6:39:16 PM
User:            N/A
Computer:      BMEDIA-EXCHANGE
Description:
The DNS server was unable to open zone _msdcs.BloomquistNewMedia.local in the Active Directory from the application directory partition ForestDnsZones.BloomquistNewMedia.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0d 00 00 00               ....    
Chris Dent (PowerShell Developer) commented:

And that's with BloomquistNewMedia.local as a Forward Lookup zone on both servers?
jacobbeckley (Author) commented:
That is correct...
jacobbeckley (Author) commented:
Only bmedia-exchange gets that event, not bmedia-web

j
Chris Dent (PowerShell Developer) commented:

One more, is 202.242.3.139 actually assigned to the DNS server itself?
Chris Dent (PowerShell Developer) commented:

And the DNS is listening on all IP addresses?
jacobbeckley (Author) commented:
209.242.3.139 is the actual IP. It is not assigned to the server...

My T1/Router provider is routing requests for that IP to my static internal IP of 192.168.1.5

jb
jacobbeckley (Author) commented:
Should I assign the ip of 209.242.3.139 to the NIC card?
Chris Dent (PowerShell Developer) commented:

Getting requests through is via NAT or Port Forwarding?
jacobbeckley (Author) commented:
port forwarding on their end through the router.
Chris Dent (PowerShell Developer) commented:

Can you do:

nslookup
server 192.168.1.5
set type=mx
bmedia-online.com

And confirm that works?
jacobbeckley (Author) commented:
> server 192.168.1.5
Default Server:  [192.168.1.5]
Address:  192.168.1.5

> set type=mx
> bmedia-online.com
Server:  [192.168.1.5]
Address:  192.168.1.5

bmedia-online.com       MX preference = 10, mail exchanger = bmedia-exchange.bmedia-online.com
bmedia-online.com       MX preference = 10, mail exchanger = mail.bmedia-online.com
bmedia-exchange.bmedia-online.com       internet address = 192.168.1.41
mail.bmedia-online.com  internet address = 209.242.3.139
Chris Dent (PowerShell Developer) commented:

Okay, this is a bit of a longshot. Can you try adding 209.242.3.139 Mask 255.255.255.255 (or 255.255.255.252 if it refuses). No gateway to the server?
jacobbeckley (Author) commented:
Do you mean changing the NIC TCP/IP settings?

jb
Chris Dent (PowerShell Developer) commented:

TCP/IP Properties, Advanced and add a new IP. Leave anything you already have there on.
jacobbeckley (Author) commented:
ok that is done...
Chris Dent (PowerShell Developer) commented:

No good... remove that one again.
jacobbeckley (Author) commented:
Try one more time if you could please.

Thanks,
JB
Chris Dent (PowerShell Developer) commented:

Nope, timeout, cannot query MX.
jacobbeckley (Author) commented:
do you want to take a look around inside the server?
Chris Dent (PowerShell Developer) commented:

Your own DNS is having problems answering public zone queries because it keeps having to go to ns1.bmedia-online.com. This is a bit of a problem since that doesn't seem able to route back in. Could really use bi-directional NAT...
jacobbeckley (Author) commented:
How do I go about that?
Chris Dent (PowerShell Developer) commented:

Quite complicated and it all depends on the capabilities of the router. Your ISP configure that right?
jacobbeckley (Author) commented:
My ISP configures everything relating to the Router / T1... Do you want to take a look around in the server?
Chris Dent (PowerShell Developer) commented:

Yeah, that would be useful.
jacobbeckley (Author) commented:
email me at j.beckley@bmediaweb.com... I will send you the information...

Thanks,
JB
jacobbeckley (Author) commented:
Or give me your email so I can send you the login info...
Chris Dent (PowerShell Developer) commented:

That one is at the bottom of my profile.
Chris Dent (PowerShell Developer) commented:

This lot at the bottom is what the router needs to be doing, then it should be possible to change ns1 for the private IP within DNS. It's possible it's setup like that anyway so changing ns1 to the private IP may work.

Does Cisco IOS NAT support DNS queries?
    A. Yes, Cisco IOS NAT will translate the address(es) which appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). Thus, if an outside host sends a name-lookup to a DNS server on the inside, and that server responds with a local address, the NAT code will translate that local address to a global address. The opposite is also true, and is how we support IP addresses overlapping: an inside host queries an outside DNS server, the response contains an address that matches the ACL specified on the outside source command, and the code translates the outside global address to an outside local address.

    Time-to-live (TTL) values on all DNS resource records (RRs) which receive address translations in RR payloads are automatically set to zero.

    Cisco IOS NAT does not translate IP addresses embedded in DNS zone transfers.
Chris Dent (PowerShell Developer) commented:

For now though, I must go to sleep or I'll never get up tomorrow. Sorry I can't hang around longer.
CDCOP commented:
Are you sure your DNS server is running on all the correct IPs? The IPs that have the outside data forwarded to them?
Chris Dent (PowerShell Developer) commented:

The IPs do have data forwarded to them, you can connect to the DNS and resolve some records using tools like NSLookup and Dig.

Records such as www and mail are resolving correctly. Requests for records like MX, NS and SOA fail, timing out on the server end, and are now coming up with SERVFAIL.

This implies there is a problem with how the general public access the DNS server. More to the point, that the server has its NS records set to an IP bound to the router (not to the DNS server).

To resolve it, either NAT must be enabled so the server can see itself on the public IP from both the inside and the outside.

Always loads of different methods to achieve this. Cisco kit changes the DNS A records on-the-fly as it passes through the router, converting the private A record to a public A record. Others include bi-directional NAT (two-way NAT / local NAT / source NAT).
jacobbeckley (Author) commented:
Thanks to Chris-Dent's help some of the issues are as follows.

It turns out that I have two MX records. One for local, and one for remote. The one for local was removed and now I can receive email from the outside.

Thanks Chris,
Jake
Question has a verified solution.