Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
DNS and Exchange
Posted on 2011-03-07
Hi experts. I have a two part question about a problem I am trying to resolve.
Before the question, I'll provide the scenario.
I am using a vendor which is basically sending out promotion materials via our domain name with the exception that they are adding their own servers and then forwarding that to customers, etc.
For example, I have domain contoso.com. They are wanting to send email from vendor.contoso.com. We house internal servers with contoso.com, but they want to send emails from @vendor.contoso.com. This is actually working to a certain extent because I have DNS entries on our external DNS servers which points to the "vendor" servers.
So, with this working as best I can describe, the piece that is not working is when a user is created on the vendor.contoso.com server as joe@vendor.contoso.com this address can't seem to email the domain of @contoso.com.
In fact, no user accounts setup with @vendor.contoso.com can email @contoso.com BUT those same users emailing from @vendor.contoso.com can email all other domains successfully i.e. joe@gmail.com
I am sure I am missing something easy, but can someone show a little pity and direct me to the water :)
Thanks all!
Before the question, I'll provide the scenario.
I am using a vendor which is basically sending out promotion materials via our domain name with the exception that they are adding their own servers and then forwarding that to customers, etc.
For example, I have domain contoso.com. They are wanting to send email from vendor.contoso.com. We house internal servers with contoso.com, but they want to send emails from @vendor.contoso.com. This is actually working to a certain extent because I have DNS entries on our external DNS servers which points to the "vendor" servers.
So, with this working as best I can describe, the piece that is not working is when a user is created on the vendor.contoso.com server as joe@vendor.contoso.com this address can't seem to email the domain of @contoso.com.
In fact, no user accounts setup with @vendor.contoso.com can email @contoso.com BUT those same users emailing from @vendor.contoso.com can email all other domains successfully i.e. joe@gmail.com
I am sure I am missing something easy, but can someone show a little pity and direct me to the water :)
Thanks all!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
2
- +1
7 Comments
Not sure I understand the scenario; so are we talking about two different servers in different places? You have your server on site which is responsible for handling mail for contoso.com, and then another server on your vendor's site which is responsible for handling mail for vendor.contoso.com?
You say you "have NS entries on [your] external DNS servers which points to the "vendor" servers". Could you elaborate a little here? Exactly what do you have in DNS for that?
Sounds like you need to check what contoso.com resolves to at your *vendor* site, or from the vendor mailservers. In order to send email to you at contoso.com they will need to have the appropriate MX records pointing to the external IP addresses of the device you expect to receive the emails destined to you on that domain.
If they have set up the domain contoso.com and vendor.contoso.com on their own local/internal DNS servers they may just be trying to deliver the email somewhere internally on their own network.
You say you "have NS entries on [your] external DNS servers which points to the "vendor" servers". Could you elaborate a little here? Exactly what do you have in DNS for that?
Sounds like you need to check what contoso.com resolves to at your *vendor* site, or from the vendor mailservers. In order to send email to you at contoso.com they will need to have the appropriate MX records pointing to the external IP addresses of the device you expect to receive the emails destined to you on that domain.
If they have set up the domain contoso.com and vendor.contoso.com on their own local/internal DNS servers they may just be trying to deliver the email somewhere internally on their own network.
Sorry if I wasn't being clear, but you almost have the scenario.
We house @contoso.com and send email from this domain. Since the vendor we are working with wants to send lots and lots of emails to our customers, they wanted us to add NS entries to our external DNS servers that point to their servers for the domain vendor.contoso.com
For example:
vendor.contoso.com. 1800 IN NS ns1.vendor.com
vendor.contoso.com. 1800 IN NS ns2.vendor.com
The domain / subdomain: vendor.contoso.com
Has an authotitaive nameserver at : ns1.vendor.com
This nameserver will then resolve queries for this domain / subdomain.
We house @contoso.com and send email from this domain. Since the vendor we are working with wants to send lots and lots of emails to our customers, they wanted us to add NS entries to our external DNS servers that point to their servers for the domain vendor.contoso.com
For example:
vendor.contoso.com. 1800 IN NS ns1.vendor.com
vendor.contoso.com. 1800 IN NS ns2.vendor.com
The domain / subdomain: vendor.contoso.com
Has an authotitaive nameserver at : ns1.vendor.com
This nameserver will then resolve queries for this domain / subdomain.
I would imagine that Vendor would need to make sure that their server knows it is not authoritative for contoso.com. If they are using Exchange 2007/2010 they should check the list of accepted domains in the hub transport section at the Org level. You could look at adding contoso.com as an accepted domain and create a send connector for traffic to that domain that directs the traffic straight at the appropriate mail server.
I'd also check it all looks correct just at the DNS level. From their mail server what do you get back if you run;
nslookup -type=mx contoso.com
Personally I probably wouldn't give them control over the entire subdomain vendor.contoso.com either. Rather, I'd just have the subzone set up on my own DNS and populate it will the relevant records as per their requirements. This ensures you maintain control over the zone.
nslookup -type=mx contoso.com
Personally I probably wouldn't give them control over the entire subdomain vendor.contoso.com either. Rather, I'd just have the subzone set up on my own DNS and populate it will the relevant records as per their requirements. This ensures you maintain control over the zone.
Btw, what happens to these messages so far, do you know? Do they get any bounces? Have they gone into the message tracking tool and searched for emails being sent to contoso.com? What can be found there?
So mail users @vender.contoso.com can send/receive email anywhere except to/from contoso.com?
What happens when they try? Does it bounce?
Is the server handling mail for these domains the same? Do you have a valid mx record for the sub domain?
What happens when they try? Does it bounce?
Is the server handling mail for these domains the same? Do you have a valid mx record for the sub domain?
This vendor is a marketing company that is up and coming. They don't have "control over the domain" because essentially they are just playing with a "fake" domain housed on their servers that they then use to send emails from.
This way, they are no in my AD, ever, adn they can send marketing emails as my company. I simply needed to trick AD and Exchange inot thinking that the server sending those particular emails would be routing to their severs.
This way, they are no in my AD, ever, adn they can send marketing emails as my company. I simply needed to trick AD and Exchange inot thinking that the server sending those particular emails would be routing to their severs.
Featured Post
![[Webinar] Learn How Hackers Steal Your Credentials](https://filedb.experts-exchange.com/files/public/2017/5/21/e0b7778f-e79e-4b5d-9ec6-5496e40be42e.png)
Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Mail Flow >> Ac…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Mail Flow…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month6 days, 6 hours left to enroll
Earn Certification
MTA Server Fundamentals Exam 98-365
$59.00$53.10
626 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.