Solved

SMTP cannot connect to any DNS server on my Exchange Server

Posted on 2009-04-14
18
257 Views
Last Modified: 2012-05-06
We migrated our ISA Server 2004 to new hardware last week. A couple of days ago, our outbound mail ceased to leave our Exchange Server and is queued with the error message "SMTP cannot connect to any DNS server."
I ran DNSDIAG on my exchange server, testing different mail domains, with total success. Nevertheless nslookup and telnet through port 25 to these domains fail.
We are not listed on any spam list.
0
Comment
Question by:MSABBAGH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 5
  • 3
18 Comments
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24138933
I presume you are using your ISA Server as a front end firewall?
Your Exchange Servers are using EXTERNAL DNS for name resolution?
If it was me, I would have DNS running on the ISA Server and have that as the forwarder for your Domain, and then have the EXTERNAL DNS Servers as forwarders for it.
So, your DC's would have DNS running, the Exchange Servers would use them for DNS services. The DC's would point to the ISA Server for domains they don't know about, and ISA would only allow external name resolution through.
0
 

Author Comment

by:MSABBAGH
ID: 24139033
ISA is our front end firewall and our Exchange Server has external DNS servers configured on its SMTP virtual server. Unfortunately I inherited a setup in which the Exchange server is our DC also.
We also have DNS running on ISA. Can you elaborate a bit on how we would set up ISA's DNS as the forwarder for our domain and how our DC would point to ISA Server?
0
 
LVL 10

Accepted Solution

by:
Kieran_Burns earned 400 total points
ID: 24139214
For reference: a forwarder is used when a DNS Server is unable to resolve a name internally, it forwards the request on.
So local name resolution should stay internal to your DC(s), anything they don't know about is forwarded onto the next hop and so on.
To show the forwarders: If you right click on the Server name in the DNS console it will list the forwarders for  that Server.
ONLY ISA should have external IP addresses listed. Everything else should point to it. (whether within DNS or Exchange SMTP)
This way the only DNS traffic going out of your network is from the one Server (it makes trouble shooting much easier)
So all your clients would point to their AD Server, AD Servers hold all the local DNS Domains, Exchange and DC's point to ISA and ISA points out.
If you change your Exchange Server to use the ISA Server as the DNS source and ensure that there is a rule to allow DNS traffic from the Servers to ISA and ISA out to your ISP DNS Servers you should be fine
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:MSABBAGH
ID: 24139437

How do I change Exchange Server to use ISA Server as its DNS source (remember that the Exchange Server is also our sole DC)? When I try to configure Forwarders on the DNS console, it is not possible because "forwarders are not available because this is a root server."
0
 

Author Comment

by:MSABBAGH
ID: 24140445
Forget the last comment. I get it.
Do I have to reboot for these changes to take effect.
0
 

Author Comment

by:MSABBAGH
ID: 24142839
I have redirected my Exchange server to ISA's DNS. DNS in ISA now has forwarders to external DNS. I created a new connector with  "Use DNS to route to each address space on this connector" selected on its General Properties tab.
Now I get a "The remote server did not respond to a connection attempt."
Further help would be much appreciated.
0
 

Author Comment

by:MSABBAGH
ID: 24143094
Additional information.

DNSDIAG resolves names yet we cannot establish a connection on port 25 with Telnet to external mail domains from our Exchange Server.
0
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24145497
I presume your ISA Server is the route of last resort for the network (default gateway). If so then do you have a rule to allow SMTP traffic from just the Exchange Servers to the EXTERNAL network?
0
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24145506
Can you also confirm that DNs is working throughout the domain? Not just for Internal name resolution but for internet browsing and the like? (just so we know that the DNS issue is sorted)
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24147099
sounds like your isa server is actively blocking outbound smtp connections from your exchange box

I'd adjust the ruleset

you might want to look at all the rules on your isa server that pertain to your internal exchange box - I'm thinking you'll find that no traffic is being allowed out past the proxy
0
 

Author Comment

by:MSABBAGH
ID: 24149503
Exchange servers do have a rule allowing SMTP to External.
Internal DNS is working. Now, internal computers use DC's DNS and DC uses ISA's DNS.
I have checked ISA rules over and over again and nothing seems to be blocking. I enclose results from SMTPDIAG from the Exchange Server.

SNAPSHOT.doc
0
 
LVL 15

Assisted Solution

by:abhaigh
abhaigh earned 100 total points
ID: 24149663
you created a new, deliver-by-dns, connector? did you give it a lower cost than your other connectors? And what/how are your other connectors configured?
0
 

Author Comment

by:MSABBAGH
ID: 24151351
I created a deliver-by-dns connector. No other user-connectors exist so I really do not understand the "lower cost than other connectors" part of your question.
0
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 24155142
If you fire up monitor on the ISA Server and monitor only traffic from the Exchange Servers what does it show you?
0
 
LVL 15

Expert Comment

by:abhaigh
ID: 24155429
if there is only one connector then the cost is irrelevant - it only comes into play when you have more than one connector

the rule on your proxy server should look something like this - allow smtp, dns from your exchange_server to all
0
 

Author Comment

by:MSABBAGH
ID: 24185817
Things finally worked out. Our DC/Mail server is dual-homed. Do not ask why; I inherited it this way. After creating the connector and clicking on the "Use DNS to route to each address space on this connector", the IP address pertaining to the SMTP Virtual Server was not configured to use ISA's DNS while the other one was. After switching configurations, everything worked as it should.
Warm thanks to ABHAIGH and the points are yours.
0
 

Author Comment

by:MSABBAGH
ID: 24185835
And warm thanks to Kieran Burns who also shares the points!
0
 

Author Closing Comment

by:MSABBAGH
ID: 31569938
Thank you again.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
how to add IIS SMTP to handle application/Scanner relays into office 365.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the adminiā€¦

687 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question