cfscsm asked:

Undeliverable email & ping could not find an external host

What would cause SMTP outbound traffic and pinging any external web/IP address to fail? (i.e. ping www.google.com = "Ping request could not find host www.google.com.")

Several gremlins and changes have happened in our system over the last 5 days.
1. We have changed our domain web host. The MX record has been verified to point to our external IP address. We are receiving e-mail.
2. Our firewall device has failed, been worked on, and is working properly now. The spam filter is working much better than before all these problems.
3. Over the weekend (while the firewall was down) I explored several areas of the server - DNS, DHCP, Routing and Remote Access, Services - trying to get us up and running again. To my knowledge I don't remember changing anything significant that would affect the problems we are having, BUT I wouldn't rule it out.

I just don't know where to go with this problem.  I've tried numerous things on my own - but I'm just not smart enough for this problem.

P.S. What is strange about the whole thing is that 1. we can receive e-mail, 2. we can surf the internet through the proxy/firewall, and Active Directory roles are working just fine.
notfuzzi:

Sounds to me like it's definitely a DNS issue. You may want to check the DNS forwarders for your server by going to the DNS MMC snap-in in Control Panel -> Administrative Tools. Right click your server name and go to Properties. Check the "Forwarders" tab. Also, verify that your router is handing out correct DNS entries through DHCP, and make sure the server has the correct DNS server addresses. Let us know if you find anything either way.

Are your DNS forwarders set up properly? You can find them in dnsmgmt: right click on the server, choose Properties and check the "Forwarders" tab.
cfscsm (asker):

I've been in the DNS forwarders. I assumed the same. Everything is the same as it always has been except for one host (A) record that I keep adding and deleting = "www". I know this one is strange to have, but it has allowed our intranet to see our external website in the past. If it is not there our workstations just time out on that particular website.

I'll be honest, this area is not my specialty - I'm a database man. So if there was something wrong in this area I might not catch it. What I do see is that everything that has to do with our Exchange/DNS/DHCP server is pointed to the correct IP address within our domain. For my lack of understanding, I don't know why there are 2 zones (the confusing one is "_msdcs.ourdomainname.com").

What specific things in the DNS forwarders do I need to have there other than the host (A) records for all the computers in the domain?

mickeyfan:

Forwarders do not have to be used. You need to check if you have the root hints in your DNS management. These are your external forward lookup servers out on the internet. If they are not there then you may need to manually enter them. I have had this happen several times.

http://support.microsoft.com/kb/816567
When you are in the DNS Forwarders tab you should see "All other DNS domains" in the "DNS Domain" list box, then below that should be another list box labeled "Selected domain's forwarder IP address list."  In there should be a list of DNS servers from your ISP.

Cheers,
Root hints would work as well, but using forwarders offloads the work to your ISP's server; not that handling DNS requests is all that resource intensive, but I always forward them.

Does your firewall that was reconfigured allow all outbound connections to go through?  What kind of firewall is it?
If the root hints are not in the DNS configuration then the DNS server is not getting out. It may offload the requests to the ISP, but it also adds to the load on the external bandwidth. Why not let the DNS server do what it was designed for: resolution. It can cache all requests, making resolution faster the more it is used.


Make sure port 53 is not being blocked on the outbound.
It's six of one, half a dozen of the other; in the long run it really doesn't matter, but using root hints would increase the bandwidth usage, not forwarders...

Using root hints, the internal DNS server would make multiple DNS requests to multiple DNS servers trying to find the address for the host you're looking for.  Using forwarders, the internal DNS server makes one request to your ISP's DNS server. Both ways result in a cached DNS entry...
Chris-Dent has an awesome, easy-to-understand explanation of forwarders vs. root hints here:
https://www.experts-exchange.com/questions/21558360/Adding-a-DNS-Forwarder-vs-Root-Hints.html

Hopefully that will calm the debate so we can get back on topic to helping out cfscsm.  You shouldn't have A records listed in the Forwarders tab.  You should have the two or so DNS server addresses given to you by your ISP.  You may even want to try some other common DNS addresses.  I used to use 4.2.2.2 and 4.2.2.3 for testing purposes, but I'm not 100% sure that one is still around.  Comcast uses 68.87.68.162 and 68.87.74.162.  Also check out the link above, it's a great intro for a database man.  DNS is essentially linked databases anyway.
cfscsm (asker):

For all of you who mentioned the root hints (especially notfuzzi - I read through your supplied link), if I were to delete all of the root hints... is that a disaster for me? The reason I ask is that there are root hints for (a - m).root-servers.net, all going to IP addresses that I've never seen before. Furthermore, most of them look like internal IPs that are not at all in our structure (i.e. 198's & 192's), nor have I ever seen them before. We use a 172.

P.S. I called my ISP and I have changed the forwarders to some possibly better IPs. He thought I was crazy and we had a long talk about why I needed them. Anyway - if I delete the root hints, is that a bad thing, especially if I don't have a clue where any of those addresses are going?
As far as I understand, you only use root hints if you don't have forwarders enabled.
cfscsm (asker):

Well... I wrote the root hints down before I deleted them. I tried pinging again - still doesn't work. I looked at the queues on Exchange... they are still not going anywhere. The FTP traffic still doesn't go anywhere. Our "CA" antivirus on the workstations still comes back with "The server name could not be resolved." I even added the Comcast forwarder 67.50.135.146 to the list and still no go.

Firewall: answer for Cypher42 - in talking with the tech guys who manage our firewall, they say that they are not blocking any outbound traffic that is related to this issue (I trust them). The device is from a company called aimconnect.com. This problem sure is acting like a firewall problem though.

Any other suggestions anyone?
I'm not familiar with aimconnect firewalls... a quick (very quick) perusal of their web site says they run FreeBSD. Have the firewall guys make sure they are allowing DNS REPLIES through the firewall (port 53, UDP).

I just got to thinking...  Make sure you can ping your forwarder IP addresses.  Then, open up a command port and type:

nslookup www.google.com 

and paste the response here.

then, type:

nslookup www.google.com server IPADDRESSOFFORWARDER

and paste the results here.  Where IPADDRESSOFFORWARDER is enter the ip address of one of your ISP's DNS servers, or the 4.2.2.2 ip address previously suggested by notfuzzi.

This should hopefully return something, if it times out it's most likely a firewall problem.  Either at the perimeter of your network, or the software firewall on your server.


Sorry, that should read "open up a command prompt" not port, it's been a long day.
cfscsm (asker):

Hey all, just got back from the holidays.
 
cipher42 - just tried your suggestion and here are the results. Not sure if I typed what you asked correctly. Double check my work.

C:\Documents and Settings\Administrator>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try a
gain.

C:\Documents and Settings\Administrator>nslookup www.google.com
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com timed-out

C:\Documents and Settings\Administrator>nslookup www.google.com server 172.16.0.10
Usage:
   nslookup [-opt ...]             # interactive mode using default server
   nslookup [-opt ...] - server    # interactive mode using 'server'
   nslookup [-opt ...] host        # just look up 'host' using default server
   nslookup [-opt ...] host server # just look up 'host' using 'server'

C:\Documents and Settings\Administrator>nslookup www.google.com server 4.2.2.2
Usage:
   nslookup [-opt ...]             # interactive mode using default server
   nslookup [-opt ...] - server    # interactive mode using 'server'
   nslookup [-opt ...] host        # just look up 'host' using default server
   nslookup [-opt ...] host server # just look up 'host' using 'server'

--- I also went back and added "4.2.2.2" to the forward pointer list and placed it first. Unfortunately, same results. You're saying then that this is firewall related?
I went to the Exchange server on a hunch and tried to go to the Windows Firewall through the Control Panel and received this error message:
 "Windows Firewall cannot run because another program or service is running that might use the network address translation component (ipnat.sys)." Could this all be related?
Good morning,

Sorry those aren't the results I was hoping for, my mistake though.  Let's try this:

-type: nslookup
--You'll then get the nslookup interactive prompt.
-Then type: server IPADDRESSOFFORWARDER
-Then type: www.google.com

Repeat for the 4.2.2.2 DNS server.

Just out of curiosity, the 172.16.0.10 is your ISP's DNS server IP address?  Are you sure?

cfscsm (asker):

cipher42 - I misread the ISP's DNS IP address. Below are the results; as you can see I couldn't get to the point of entering a website (i.e. google) because each time it would time out.

C:\Documents and Settings\Administrator>nslookup
Default Server:  something.ourdomain.com
Address:  172.16.0.10

> 67.50.135.146
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com  timed-out
> 66.133.170.2
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com  timed-out
> 68.87.68.162
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com  timed-out
> 4.2.2.2
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com  timed-out
Ok, we'll deal with the time outs in a sec...  Make sure the DNS service is running on your DNS server, I'm sure it is, but double check...

After you start nslookup, where you're typing in the ISP's DNS servers, make sure you're typing in "server" first; it doesn't look like you are... So the command you will type is "server 66.133.170.2" (without the quotes).

What this does is use the ISP's DNS server for name resolution, so when you type in "www.google.com" it will bypass your internal DNS server. This way we will see if it is a firewall problem at the perimeter...
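The check cipher42 describes in this post and in the earlier "open up a command prompt" and "type: nslookup ... server IPADDRESSOFFORWARDER" posts (send the query straight to the ISP's server so the internal DNS server on 172.16.0.10 is out of the path, and read a timeout as UDP/53 not getting out through the perimeter or the reply not getting back) can also be done without nslookup, which makes the difference between "no reply at all" and "a reply that says something else" explicit. The script below is an added example written for this page, not code from the thread or from any of the posters; it encodes a DNS query by hand, sends it to one named server over UDP port 53 with the same 2 second timeout nslookup showed above, and parses whatever comes back. The function names, the constructed sample reply, and the 192.0.2.1 address in it (an RFC 5737 documentation address) are the example's own assumptions and appear nowhere in the thread; it also lets you flip the RD flag, which is the on-the-wire difference between asking a forwarder (RD=1) and the iterative queries a server doing its own resolution from root hints sends (RD=0).

```python
"""Probe one DNS server directly over UDP/53 and classify the result.

Added example for this thread, not the posters' code: it does by hand what
the `nslookup` -> `server <ip>` -> `www.google.com` sequence does, so the
internal DNS server is taken out of the path. A reply means UDP 53 gets out
and back; a timeout from every external server points at the perimeter
firewall or the host firewall, not at forwarders or root hints.
"""
import random
import socket
import struct
import sys

# Constructed sample reply (not captured from any live server): the answer to
# a query with transaction id 0x1234 for www.google.com, one A record carrying
# the documentation address 192.0.2.1 (RFC 5737), TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)           # QR, RD, RA, rcode 0
    + b"\x03www\x06google\x03com\x00" + struct.pack("!HH", 1, 1)  # question: A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)            # name ptr, A IN TTL RDLEN
    + bytes([192, 0, 2, 1])
)


def build_query(name, txid, recursion_desired=True):
    """Encode a query for the A record of `name` (RFC 1035 section 4.1).

    A forwarder is asked with RD=1 ("recurse for me"); a server walking
    root hints sends RD=0 and follows the referrals itself.
    """
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None                     # fixed once the first pointer is followed
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg, expected_txid):
    """Return (rcode, list of A-record addresses) from a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):              # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, addrs


def classify_reply(data, txid):
    """Turn a raw reply into the kind of verdict nslookup prints."""
    try:
        rcode, addrs = parse_response(data, txid)
    except (ValueError, struct.error, IndexError) as exc:
        return "bad reply: %s" % exc
    if rcode == 0 and addrs:
        return "answer: " + ", ".join(addrs)
    return "no A records, rcode %d" % rcode


def probe(server, name="www.google.com", timeout=2.0):
    """Send one query straight to `server`; 2 s matches nslookup's default."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timed out after %.0fs: no UDP/53 reply from %s" % (timeout, server)
    finally:
        sock.close()
    return classify_reply(data, txid)


if __name__ == "__main__":
    # usage: python probe_dns.py <dns server ip> [name]
    print(probe(sys.argv[1], *sys.argv[2:3]))
```

Run it from the server that cannot resolve, once against the internal DNS server with an internal name and once against each forwarder with www.google.com. Internal answers plus "timed out" from every external server is the firewall signature; a reply with a non-zero rcode or no A records means UDP 53 is open and the problem is on the resolver side. The transaction id check is there because a UDP resolver that accepts any reply will happily take a stale or spoofed one.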
cfscsm (asker):

Can you tell I'm new to this :)? OK, one more time. P.S. Did you see my comment about "Windows Firewall cannot run because another program or service is running that might use the network address translation component (ipnat.sys)."? Could this all be related?

C:\Documents and Settings\Administrator>nslookup
Default Server:  something.ourdomain.com
Address:  172.16.0.10

> server 66.133.170.2
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [66.133.170.2]
Address:  66.133.170.2

www.google.com
Server:  [66.133.170.2]
Address:  66.133.170.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [66.133.170.2] timed-out
> server 4.2.2.2
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [4.2.2.2]
Address:  4.2.2.2

www.google.com
Server:  [4.2.2.2]
Address:  4.2.2.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [4.2.2.2] timed-out
>
cfscsm (asker):

cipher42 - I'm looking back through the post and revisiting other areas on the server. I went to the root hints and all the [a-m].root-servers.net addresses that I deleted are back again. I deleted them again and restarted the server and they are back again. Does this info help in our problem solving?
What is this server's function?  DNS obviously, it's not your perimeter firewall is it?  How about VPN server?
cfscsm (asker):

This server is only DNS, DHCP, Exchange (which has a CA antivirus for Exchange - no firewall), Active Directory/Domain Controller. There is a backup domain controller with no Exchange on it. I used to remote in to this server, but after we made some website hosting changes a while back I could never get that working again so I abandoned it. Today I have disabled the Routing and Remote Access (my mistake... I thought I was just stopping the service... now all those settings are gone). I think that is it.
ASKER CERTIFIED SOLUTION (posted by cfscsm)
This solution is only available to members of Experts Exchange.
cfscsm (asker):

Our ISP is just terrible to work with - they were the cause of the original problem. They change settings without telling the customer.