lgropper asked:

Exchange over VPN not working.

I just migrated all roles but the infrastructure master role to a new server. It seems that Outlook 2000/2003 over the VPN is not working.

I have 2 domains, 1 forest.

DomainA has 2 DCs

New DC1 - holds all roles but IM. Also is the GC
DC2 - IM

DomainB has 2 DCs

DC1 - PDC, RID, and IM, and a GC
DC2 - (located in remote office) no roles and has a GC

I'm sure something is set wrong here but I'm not sure what. I just made both DCs in domain B GCs to see if that would help the issues.

When I open Outlook on the remote server it says "Network problems are preventing connection to the Microsoft Server computer."

thanks,
NYtechGuy:


Two things come to mind:

- DNS: is it configured correctly? Is DNS running on all servers? Your problem is most likely related to DNS.
- Can you verify that all ports are opened through the VPN?

Try running NETDIAG and DCDIAG (Resource Kit tools) on each server and check the results for FAILURES.

/Justin
lgropper (asker):

This is what dcdiag comes back with.

      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... DomainA.com failed test FsmoCheck

I assume it's looking for our old server? It's not seeing the new one. But how come? I transferred all the roles; the old DC is still functional as it runs DHCP... I was going to demote it, just not until I get DHCP onto the new box.

Do I need to demote it?

Chad
Also in Netdiag I got,

Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'DomainB' is broken. [ERROR_NO_LOGON_SERVERS]

But again.... the server is there and the trusts are validated?


This could be a DNS issue, as the "SRV" records denoting what server does what, and the IP addresses, are stored in the Active Directory-integrated DNS zone.

Which servers are DNS servers, and where are the servers looking for DNS resolution?  

Check that the DC/DNS servers have their own IP addresses listed as DNS servers in TCP/IP properties, then at a cmd prompt type "ipconfig /registerdns" (or you can just reboot).

Wait 15 mins and check Event Viewer for errors.

/justin
PS - I wouldn't demote ANYTHING until you fix this issue. It will just make it messier.

I have a gut feeling that DNS isn't right...

Are there parent/child domains? Or just two separate domains that trust each other?
I'm sure you are right about DNS... I just need to track it down. Let me check the above and I'll get back to you.

2 separate domains that trust.

Chad
From the command line on one of your DCs run 'netdom query fsmo' and it will tell you what AD 'thinks' the 5 FSMO role holders are. If any of them is an old offline server you will need to seize that role back to a DC that is up.
It seems I cannot ping the remote DC by name, only by IP, from the new DC. There is an A record pointing to it. I did a flush and register of the DNS.

The server is up and DNS is running. I cannot connect to DNS through the new server to the remote one either.

Something is off.
>>It seems I cannot ping the remote DC by name, only by IP, from the new DC. There is an A record pointing to it.
Are you sure the A record is correct?
When you do an NSLOOKUP for its FQDN, do you get the correct IP as the response?

>>I cannot connect to DNS through the new server to the remote one either.
Can you elaborate on exactly what you mean by this?



Ok, I believe I have created a mess =)

The remote server on DomainB cannot access Exchange on the local server in DomainA. It seems there were some records in the hosts file pointing to the DC and Exchange server. I have removed those and want to set it up right through the DNS entries.

What I meant by not being able to ping was that I could not ping just the name DC1; I would have to put in the whole FQDN.

I think I have confused myself...

From the remote server (DomainB) I can ping Exchange.domainA.com, but when I try to use this for the mail server in Outlook I get that "cannot resolve name" problem.

Chad
Ok, well you are correct in removing the hosts file entries; that is a crappy workaround for an improper DNS setup.

If you can ping it by FQDN, that means the DNS server is set up correctly.... you just need to set up the DNS client (which may also be a DNS server) to append DNS names with the name of your domain, so that it will append the suffix to DC1 and resolve dc1.domain.com, which will resolve (using the DNS server) to the correct IP.

Go into the NIC properties of the computer in question, then go to the TCP/IP properties, then go to the DNS tab, and in the middle you will see the section where you set up DNS suffix appending.

Great, I have added the two domains and I can ping servers in each domain with only the name.

Seems I am back to the original issue now.... I cannot get the Outlook client to work... I still have the following errors,

      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... DomainA.com failed test FsmoCheck

and

Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'DomainB' is broken. [ERROR_NO_LOGON_SERVERS]

grrrrr.
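A client-side check for the two failures that keep coming back in this thread (the PDC not being locatable, error 1355, and the broken secure channel to DomainB), written here as an added example and not code from the thread. It assumes a Windows client with the DnsClient module (Resolve-DnsName, Get-DnsClientGlobalSetting) and nltest; DomainA.com, DomainB.com and the host name exchangeserver are taken from the thread, and the DNS server queried is whatever the client is configured with.

```powershell
# Added diagnostic (not from the thread): verify the DNS prerequisites that
# DcGetDcName(PDC_REQUIRED) and the DomainB secure channel depend on.
# Assumes DomainA.com / DomainB.com and host 'exchangeserver' as in the thread.
$Domains  = @('DomainA.com', 'DomainB.com')
$MailHost = 'exchangeserver'   # short name Outlook was given

# 1. Suffix search list: short names like DC1 or exchangeserver only resolve
#    if both domains are appended (the DNS tab fix from the thread).
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
foreach ($d in $Domains) {
    if ($suffixes -notcontains $d) { Write-Warning "Suffix list is missing $d" }
}

# 2. Locator records: the PDC emulator, the DCs and the GCs are found through
#    SRV records; error 1355 means the client could not find them. Query each
#    record with the client's configured DNS server.
foreach ($d in $Domains) {
    foreach ($rec in "_ldap._tcp.pdc._msdcs.$d", "_ldap._tcp.dc._msdcs.$d", "_gc._tcp.$d") {
        try {
            $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            Write-Host "OK   $rec -> $targets"
        } catch {
            Write-Warning "MISSING $rec ($($_.Exception.Message))"
        }
    }
}

# 3. Short name vs. FQDN for the Exchange server: both must answer once the
#    suffix list is right, with no hosts-file entries involved.
foreach ($name in $MailHost, "$MailHost.$($Domains[0])") {
    $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if ($a) { Write-Host "OK   $name -> $($a.IPAddress -join ', ')" }
    else    { Write-Warning "NO A RECORD for $name" }
}

# 4. PDC discovery and secure channel the way Windows itself does it (the
#    same checks dcdiag/netdiag run); nltest prints the DC found or the error.
$domA, $domB = $Domains
nltest "/dsgetdc:$domA" /pdc
nltest "/sc_query:$domB"
```

Run it on the DomainB machine that shows the errors; a MISSING locator record there, while the same query works on a DomainA DC, points at the remote office's DNS server rather than at the roles themselves.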
Did you do what is below like I mentioned earlier:

From the command line on one of your DCs run 'netdom query fsmo' and it will tell you what AD 'thinks' the 5 FSMO role holders are. If any of them is an old offline server you will need to seize that role back to a DC that is up.

Can you ping all of these servers?
I did, and all the roles are on active servers. 2 roles are held on DC1 from DomainA (Schema and Domain role owner) and 3 roles are on DC1 from DomainB (PDC, RID, and IM). Both DC1 and DC2 in DomainB are GCs; would this cause an issue?
Hold up... some FSMO roles are per forest, and others are per domain... meaning if you have two domains, you will have a DC that holds that FSMO role in EACH domain.

See this link that explains this in detail..... I think you are running into this issue since you have multiple domains:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223346
Yep, I got that.... I laid it out at the top...

I have 2 domains, 1 forest.

DomainA has 2 DCs

New DC1 - holds all roles but IM. Also is the GC
DC2 - IM

DomainB has 2 DCs

DC1 - PDC, RID, and IM, and a GC
DC2 - (located in remote office) no roles and has a GC

Everything should be in place and OK? But for some reason the trust is giving an error? I have validated them and everything.
Ron Malmstead:
From a client on domain A.... try to resolve exchangeserver.domainB.com. You should get an internal address on the B network. If not, then you are back to troubleshooting DNS. What are the DNS servers listed on the client?

You should have two. Both private DNS server IPs, or one public and one private.

If you're using an internal DNS server on Domain A, then you need to create another zone for domainb.com and add a host record for the Exchange server. If you're trying to use a DNS server on network B from network A... you need to look at your VPN config on the router.

Try this for testing purposes....

On a client machine.... add a hosts file entry for exchangeserver. See if you can ping it. If you can ping it... try setting up the mailbox.

Let me know.
>>From a client on domain A.... try to resolve exchangeserver.domainB.com. You should get an internal address on the B network. If not, then you are back to troubleshooting DNS. What are the DNS servers listed on the client?

We only have one Exchange server, on DomainA. The PCs in the remote office are on DomainB. From domain B I am able to ping exchangeserver.domainA.com, but when I open Outlook I get that error.

I have added an entry in the hosts file for 192.168.100.16 to exchangeserver, so obviously I am able to ping it with only "exchangeserver" and not the FQDN.

It's gotta be DNS; I'm sure it's not configured right.

On the DNS server in the remote office there is only a zone for DomainB; should I be adding DomainA as another zone?

Then add an MX record?

Chad

Sorry, the entry in the hosts file did not work.
ASKER CERTIFIED SOLUTION
NYtechGuy:
Yes, that's exactly it: users in domain B are using Outlook to access the Exchange server in domain A, but it's coming up with name resolving issues.

Right now the DNS server in the remote office only has domain B's info, no zone for domainA. I am able to ping anything in domain A with the FQDN.

I have enabled a forwarder to the DNS server on Domain A. Restarted DNS, same issue.

Chad
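For the last open question in the thread (whether the remote office DNS server needs something for DomainA beyond a plain forwarder), one server-side way to give DomainB's DNS server answers for DomainA.com is a conditional forwarder, shown here as an added example that is not from the thread or from the accepted solution. It assumes Windows Server DNS with the DnsServer PowerShell module on the DomainB DNS server; the DomainA DNS server address is a placeholder.

```powershell
# Added example (not from the thread): on the DomainB DNS server, send every
# query for DomainA.com to DomainA's own DNS server, then confirm the locator
# records that AD and Outlook need resolve through the local server.
$DomainAZone = 'DomainA.com'
$DomainADns  = '192.0.2.10'   # PLACEHOLDER: DomainA DC/DNS server reachable over the VPN

# A conditional forwarder applies only to DomainA.com queries; other lookups
# keep their existing path (local zones, general forwarders, root hints).
if (-not (Get-DnsServerZone -Name $DomainAZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $DomainAZone -MasterServers $DomainADns
}

# Verify against the local server (127.0.0.1): DC locator and PDC records,
# which is what DcGetDcName(PDC_REQUIRED) and the secure-channel test need.
$checks = "_ldap._tcp.dc._msdcs.$DomainAZone", "_ldap._tcp.pdc._msdcs.$DomainAZone"
foreach ($rec in $checks) {
    $r = Resolve-DnsName -Name $rec -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' }
    if ($r) { "OK      $rec -> " + (($r | ForEach-Object NameTarget) -join ', ') }
    else    { "FAILED  $rec (forwarder, VPN path or DomainA DNS not answering)" }
}

# The Exchange host itself, by FQDN, through the same server.
Resolve-DnsName -Name "exchangeserver.$DomainAZone" -Type A -Server 127.0.0.1
```

If the SRV queries fail here but succeed when pointed directly at the DomainA DNS server with -Server, the VPN or the forwarder configuration is the gap, not DomainA's DNS data.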