2 exchange servers different domains same lan can't deliver mail to each other

I have 2 exchange servers doing mail for different domains behind a Pix firewall (501)

mail sent to domain1.com from domain2.com isn't being delivered - and vice versa.  I've tried adding dns entries for each domain on each server but still no luck.

public dns is handled externally so I shouldn't even need to add the dns entries to begin with...

what's going on here?  both servers are in the same private network block  192.168.2.x   -  the pix is doing the translation from public to private.  All mail originating from the outside works fine.

fredimacAsked:
isaman07Commented:
Since they are both on LAN, use their private IP addresses in DNS when you create the MX records.
0
fredimacAuthor Commented:
that's what I thought but it is not working -  I created a primary zone for domain1.com in domain2.com server - added the A record and MX record for mail.domain1.com and created rDNS as well and vice versa.  Restarted the dns service but no dice -  even created a host file entry...


0
isaman07Commented:
When you check the virtual smtp server properties, do they have the anonymous access checked?
0
fredimacAuthor Commented:
should they?
0
fredimacAuthor Commented:
in any case anonymous is checked
0
isaman07Commented:
Absolutely, clear everything else and leave only anonymous access. Cause when you don't enable anonymous access, then every single exchange server in the world needs a username and password to communicate with your servers.
0
isaman07Commented:
OK make sure of the following
1. They can ping each other
2. You can open a telnet session from one to the other and vice versa.
3. Do an nslookup for the MX record from one server to the other server's domain, see if you will get the right answer.
0
fredimacAuthor Commented:
Ping =yes
Telnet = yes
Nslookup = yes

Should I set an MX record for domain1.com in domain1.com dns and one for domain2.com in domain2.com?  I figured since the MX record that matters is in public dns this wasn't necessary - Also I still have basic and integrated authentication enabled - as this is the default and it works I haven't changed that
0
fredimacAuthor Commented:
I just got the bounces and they say I don't have permission to send to the recipient...
0
isaman07Commented:
Of course you should, that's why I asked you to make sure that they can nslookup the MX records of each other (on the LAN)

nslookup
set q=mx
domain1.com

see if that will resolve to the correct private ip address of the domain
0
fredimacAuthor Commented:
Well this is what I got  - Originally I used set type =MX but it's the same thing

> set q=mx
> domain2.com
Server:  server.domain1..com
Address:  192.168.2.11

domain2.com
        primary name server = .domain2.com
        responsible mail addr = hostmaster.domain2.com
        serial  = 5
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
================================================

> set q=MX
> domain1.com
Server:  server.domain2.com
Address:  192.168.2.12

domain1.com
        primary name server = server.domain2.com
        responsible mail addr = hostmaster.domain2..com
        serial  = 5
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
0
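As an added example (not code from any participant in this thread), the script below reads a pasted Windows nslookup transcript of the kind shown above and reports what the reply actually contained. Windows nslookup prints "MX preference = N, mail exchanger = host" lines when the zone holds an MX record; when the zone exists but has no record of the queried type it prints the zone's SOA instead (a NODATA reply). The script tells the two apart, checks that each mail exchanger's glue address is private (the LAN peers should get the private address, as isaman07 suggests), and flags names with empty labels such as "server.domain1..com". The transcripts inside it are constructed; every hostname and address is a placeholder.

```python
"""Classify a pasted Windows ``nslookup`` MX transcript.

Added example, not code from any participant in this thread.  It reads the
text that ``nslookup`` prints after ``set q=mx`` / ``<domain>`` and reports
whether the reply carried an MX record, or only the zone's SOA (which
nslookup prints when the zone exists but has no record of the requested
type), and whether each mail exchanger resolves to a private address.
Transcripts below are constructed; names and addresses are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Windows nslookup prints an MX answer and its glue A record on lines like these.
MX_RE = re.compile(r"^\s*(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)\s*$", re.M)
A_RE = re.compile(r"^\s*(\S+)\s+internet address = (\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
# With no MX record in the zone it prints the SOA instead (a NODATA reply).
SOA_RE = re.compile(r"^\s*primary name server = (\S*)\s*$", re.M)
SERVER_RE = re.compile(r"^Server:\s+(\S+)\s*$", re.M)


@dataclass
class MxCheck:
    server: str                 # name of the DNS server that answered
    exchangers: list            # [(preference, hostname)], lowest preference first
    addresses: dict             # hostname -> IPv4 address from the glue records
    verdict: str                # "MX", "NODATA" or "NOANSWER"
    warnings: list = field(default_factory=list)


def looks_malformed(name: str) -> bool:
    """A name with an empty label (leading '.' or '..') is a typo in the zone data."""
    n = name.rstrip(".")
    return n == "" or n.startswith(".") or ".." in n


def classify(transcript: str) -> MxCheck:
    m = SERVER_RE.search(transcript)
    server = m.group(1) if m else "?"
    exchangers = sorted((int(pref), host) for _name, pref, host in MX_RE.findall(transcript))
    addresses = dict(A_RE.findall(transcript))
    soa = SOA_RE.search(transcript)
    warnings = []
    if looks_malformed(server):
        warnings.append(f"answering server name {server!r} is malformed")
    if exchangers:
        verdict = "MX"
        for _pref, host in exchangers:
            ip = addresses.get(host)
            if ip is None:
                warnings.append(f"no address returned for exchanger {host}")
            elif not ipaddress.ip_address(ip).is_private:
                warnings.append(f"{host} resolves to public {ip}; LAN peers should get its private address")
    elif soa:
        verdict = "NODATA"
        warnings.append("reply is SOA only: the zone has no MX record for this name")
        if looks_malformed(soa.group(1)):
            warnings.append(f"SOA primary name server {soa.group(1)!r} is malformed")
    else:
        verdict = "NOANSWER"
    return MxCheck(server, exchangers, addresses, verdict, warnings)


# Constructed transcripts in the shape of Windows nslookup output (placeholder names/IPs).
WITH_MX = """\
> set q=mx
> domain1.example
Server:  server.domain2.example
Address:  192.168.2.12

domain1.example MX preference = 10, mail exchanger = mail.domain1.example
mail.domain1.example    internet address = 192.168.2.11
"""

SOA_ONLY = """\
> set q=mx
> domain2.example
Server:  server.domain1..example
Address:  192.168.2.11

domain2.example
        primary name server = .domain2.example
        responsible mail addr = hostmaster.domain2.example
        serial  = 5
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
"""

if __name__ == "__main__":
    for label, text in (("with MX", WITH_MX), ("SOA only", SOA_ONLY)):
        result = classify(text)
        print(f"{label}: verdict={result.verdict} exchangers={result.exchangers}")
        for w in result.warnings:
            print("  warning:", w)
```

Paste your own transcript into classify() in place of the constructed ones; a NODATA verdict means the zone on that server answers for the name but carries no MX record, so the sending server has nothing to route on.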
isaman07Commented:
Ok, your DNS looks clear, go back to your smtp virtual server and uncheck the integrated and the basic authentication, leaving only the anonymous, see what will happen and let me know.
0
UbuntopCommented:
If these servers are on the same lan, it seems like you should have a trust setup in Active Directory.  The exchange servers should be using the integrated DNS servers from AD.  Secondary zones should then be created as a replica of the other domain.

1. You originally stated that inbound-outbound for both domains was working fine, therefore adjusting the access settings for your Virtual Servers is probably not necessary.
2. Is this a new setup? Has mail previous been delivered across these domains?
3. Do you have any exchange connectors for these servers?
4.  Do you have an Active Directory trust setup for these domains?

Generally speaking, when you have two servers inside, and you always know the IP address of these servers; you do not need to get Exchange to do a DNS lookup for every email that it sends to the other server.  This is unnecessary process power and delay for both exchange and the DNS server.  You need to create a connector for the two servers.  Say something like *.domain2.com goes to smart host 192.168.112 etc.
0
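As an added example (not code from any participant in this thread, and not Exchange's own logic), the script below models the decision a receiving SMTP server makes for each RCPT TO, which is what lies behind the "don't have permission to send to the recipient" bounce quoted earlier and behind the connector/smart-host routing Ubuntop describes: a domain the server accepts as its own is delivered locally; anything else is relayed only for clients inside a permitted network, through the first connector whose address space matches, otherwise by MX lookup. The treatment of "*.domain" as covering the domain and its subdomains is this example's own assumption about address-space syntax; all domains, networks and hosts are constructed placeholders.

```python
"""Relay decision for RCPT TO, as a receiving SMTP server makes it.

Added example, not code from any participant or from Exchange itself.
A recipient domain the server owns is delivered locally; anything else
is relayed only for clients inside a permitted network, via a connector
whose address space matches, otherwise by MX lookup.  Address-space
matching ("*.domain" covers the domain and its subdomains) is this
example's own assumption.  All values below are constructed placeholders.
"""
import ipaddress


class RelayDenied(Exception):
    """Carries the 550-style text returned for a RCPT the server will not relay."""


def address_space_matches(domain: str, pattern: str) -> bool:
    """'*.example' matches example and any subdomain of it; other patterns match exactly (assumption)."""
    domain, pattern = domain.lower(), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return domain == base or domain.endswith("." + base)
    return domain == pattern


def route_recipient(client_ip, rcpt_domain, accepted_domains, connectors, relay_nets):
    """Decide the fate of RCPT TO:<user@rcpt_domain> from a client at client_ip.

    Returns ("local", None), ("smarthost", ip) or ("mx", domain);
    raises RelayDenied when the client may not relay to that domain.
    """
    domain = rcpt_domain.lower().rstrip(".")
    if domain in accepted_domains:
        return ("local", None)                # our own domain: always accepted
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in relay_nets):
        raise RelayDenied(f"550 5.7.1 Unable to relay for {domain}")
    for pattern, smart_host in connectors:    # first matching connector wins
        if address_space_matches(domain, pattern):
            return ("smarthost", smart_host)
    return ("mx", domain)                     # fall back to a DNS MX lookup


# Constructed configuration for the server that owns domain1.example.
ACCEPTED = {"domain1.example"}
CONNECTORS = [("*.domain2.example", "192.168.2.12")]
RELAY_NETS = [ipaddress.ip_network("192.168.2.0/24")]


def demo():
    cases = [("192.168.2.12", "domain1.example"),   # peer server delivering our mail
             ("192.168.2.11", "domain2.example"),   # our server sending to the peer
             ("192.168.2.11", "other.example"),     # anything else: MX lookup
             ("198.51.100.7", "domain2.example")]   # outside client asking us to relay
    for client, domain in cases:
        try:
            print(client, domain, "->", route_recipient(client, domain, ACCEPTED, CONNECTORS, RELAY_NETS))
        except RelayDenied as e:
            print(client, domain, "->", e)


if __name__ == "__main__":
    demo()
```

The last case is the one to compare against a bounce: a server refuses a recipient domain it neither owns nor is configured to relay for, so the fix is on the receiving side's accepted domains or relay permissions, not on the sender's DNS.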
isaman07Commented:
Trust relationship for two domains on LAN so the MX records are resolved? I don't see how that is necessary or useful.
0
fredimacAuthor Commented:
unchecking the authentication settings made no difference

I even put each server in the hosts file...
0
fredimacAuthor Commented:
unchecking the authentication made it so that pop users couldn't send mail...  
0
UbuntopCommented:
Fredimac.  Can you give more details on your environment?  Do you have a specific connector that goes between these domains?  Also how long have you had this setup?  Do you actually have two separate exchange sites on the same subnet?  Is it a separate AD domain as well?  If so, you are going to have a lot of problems with it.

As for the authentication, it was already working wasn't it?
0
fredimacAuthor Commented:
Yes separate AD domains - I had one server set up as a standalone server then the client wanted me to add a new one and take over their corporate email - which I just did -

Why am I going to have a lot of problems with it?
Yeah authentication was working - it is working again.  

I have not set up any connectors -
0
UbuntopCommented:
2 AD servers on the same subnet = DHCP clients getting random DNS servers. (assuming your clients do not all have static IP/DNS/Wins settings).

In other words, say you have a client trying to login to domain1, they broadcast for a DHCP response.  The first response from any DHCP server on the subnet is what they will get.  If DHCP from domain2 happens to respond first, they will get the wrong DNS servers and thus have issues with authenticating to AD in domain1.
0
fredimacAuthor Commented:
No the machines are in a colocation facility just doing email and some ftp - users connect via pop3 and also rpc/https proxy depending on what OS (or mail client) they use

No DHCP is going on here no logging into the domain -  just plain email & calendaring
0