Cannot receive emails via Exchange 2010 - Emails are down, PLEASE HELP!

Posted on 2011-04-22
Last Modified: 2012-05-11
Hi, this is quite urgent, so any help would be greatly appreciated:

I have Windows 2008 R2 with Exchange 2010 installed on the same server - everything is running on this one server (including DNS, IIS, Exchange, File Server, Print Server, AD). DHCP is handled by a router. This server has fqdn: with local ip The server is currently set in a DMZ. The router has port forwarding for 80, 25, 110, 993, 995, 587 and a few others all set up to forward to server,

Exchange 2010 setup
Exchange has send and receive connectors correctly configured. I can send emails locally and externally, and can receive them locally but not externally. The receive connector is set to listen to all external ip addresses.

DNS setup
DNS is configured such that the forward and reverse lookup zones have been defined. A local cmd nslookup cannot find server unless WINS and WINS-R are enabled. Is this supposed to happen? I thought that NetBIOS was supposed to take over?

Currently in DNS, I have:
- an A record pointing to server local ip, ( is DHCP-enabled router) and an A record pointing to external ip address of server, both linked to There is also an A record on ZoneEdit - see second point for more details.
- 3 NS records, one detailing and the other two directing to ZoneEdit nameservers ( ZoneEdit also has an A record pointing the nameservers to the external ip of From here, the router would forward the requests/data to at
- an MX record pointing locally to server,, with the fqdn set as
- a CNAME record to append www as a prefix to
- a PTR record in the reverse lookup zone pointing to local server, with fqdn

local nslookup
- returns and its local ip,
- set type=mx for returns the correct record in accordance with above (mail pref = 10)
- set type=ns for returns all three nameservers and their ip addresses. The ZoneEdit servers have external ip addresses listed, while the nameserver has the local ip listed,

nslookup on a computer away from premises, including online nslookup (
- returns and external ip address (due to ZoneEdit A record)
- set type=mx for returns nothing
- set type=ns for returns only ZoneEdit nameservers

It is as if no computer can see server, but they can see the ZoneEdit servers. However, if I type in the external ip or, the IIS7 website will load. But when I type, the page will not load - again this is due to servers being able to see ZoneEdit which lists an A record pointing to my external ip.

Please advise me as to what I need to do. This is quite urgent. Thank you to everyone in advance.
Question by:indiglo265
    LVL 58

    Accepted Solution


    Okay, let's wind back your DNS configuration a second. I think you've added a few too many records and modified what Windows adds and manages itself too much, which would explain the loss of connectivity.

    I'm unclear what your internal Active Directory domain name is. Is this too or something else, like domain.local?

    I will use domain.local here to refer to the internal Active Directory domain name and to refer to your externally facing name, but please let me know exactly what you are using.

    Whatever happens, within the DNS zone for your AD domain, you should have only one record for the server. It will be an A record which maps the name of the server to its internal IP,

    You do not need additional records to map server.domain.local to the external IP. If DNS round robin is enabled, that will wind up returning random DNS records which will lead to inconsistencies in attempting to access the server internally.

    If you just have the one Exchange server then you don't need NS records or MX records anywhere in your internal DNS either. Those are unrequired because Exchange takes care of all email handling internally. Email gets routed to it from outside by the MX records at and internally Exchange already knows that it is responsible for emails to -- it doesn't need to look up an MX record and get pointed back to itself.

    So, what you need to do is return anything to do with your internal zone to how it was before, which means removing the additional NS records to, the MX records and any server records which point to the external IP. You will see a bunch of Active Directory related containers and records, such as _msdcs, which should all be left alone.

    If your internal Active Directory and external domain names are the same,, then it gets a little more complicated because you will be managing two DNS zones which, although they have the same name, serve very different purposes. One runs your domain and internal network, the other runs the external.

    It would be of great assistance if you could post screenshots of what you have already so I can see exactly what is happening. We'll focus on internal DNS for now, and once that is resolved, we can look at the external DNS issues.


    Author Comment

    Hi Matt, thanks for your response.

    Unfortunately, both AD domain name and external facing name are the same;

    I am heading back to the office now, and will make the changes you detailed above, and also post the screenshots. I assume you'd like to see my forward and reverse lookup zones?

    I have a few questions:
    1) I have a pending request with my ISP to point their rDNS records to, should I follow through with this?
    2) should the mx record on ZoneEdit point to or

    Thanks for your help. I really do appreciate it.
    LVL 58

    Assisted Solution


    The forward lookup zone is the key one, but by all means include an image of the reverse one too. We're just not concerned about that one at this stage.

    >> I have a pending request with my ISP to point their rDNS records to

    If you want to send email out directly, the rDNS on the IP which the email goes out on should strictly point to the address your server is available at (see next point). This is known as a forward-confirmed reverse DNS entry, and is required to satisfy lots of spam filters these days that your email is indeed legitimate.

    >> should the mx record on ZoneEdit point to or

    The MX record should be created for the host "", but its data should contain a priority and then the host which your server can be found at. The host needs to be valid in external DNS.

    So if you have an A record of at which resolves to your public IP, say, then your MX record should point to Personally, I would normally create a record called in my external DNS zone and then put that on the MX record -- it means your external zone is fairly generic and you aren't tying records to server names externally.

    The critical distinction here is that you have an internal and external DNS zone with the same name. Any changes you make on your server will not be reflected and cannot be referenced from ZoneEdit, and any changes at ZoneEdit will not be used internally. You must physically create the A record at ZoneEdit which is then referenced in the MX record.

    Going back to the rDNS records, whatever you set your MX record to should be what is set in the rDNS. So if you use in ZoneEdit, get the rDNS record set to the same value. We will also need to ensure your Exchange send connector is announcing itself to the world using the value in the MX record too, but we can do that later.

    If you are comfortable with doing so, you can always post your domain name here so that I can remotely look up the DNS records in your external (ZoneEdit) zone. The Moderators can obscure it later to protect your identity once everything has been resolved.


    Author Comment

    My is UKPS01 is the name of my server.

    Forward-lookup zone: forwardDNS
    ZoneEdit: zoneedit
    I don't fully understand what you are saying concerning the mx records. Wouldn't an A record resolving to my public IP be for, then forwarded via the router to server; not
    LVL 58

    Assisted Solution

    Okay - your forward lookup zone seems fine to me. We don't need to worry about that at all.

    >> Wouldn't an A record resolving to my public IP be for, then forwarded via the router to server; not

    No problem - this is quite a common misconception so I don't blame you for getting confused!

    The MX record is a special type of resource record (DNS speak) which maps a domain name,, to a list of one or more mail servers which are responsible for handling email sent to that domain.

    Right now, you have an MX record created for the subdomain "@". You can think of @ as being -- it is nothing to do with the @ in email addresses but is rather a short-hand of saying "the current domain". In your Windows DNS, it is equivalent to the (same as parent folder) records.

    That MX record is basically telling the world something like this:

    "Hey! You want to send an email to According to my records, the MX record for bob's domain, has a host name of, so please open an SMTP session on port 25 to whatever IP resolves to, and the server at that IP will happily oblige and deliver your message to bob. Thank you! Have a good day!"

    The first part of all that is fine. Inbound email looks up and gets your MX record. The MX record has in the host column, so the sender's server knows that whatever IP goes to, that's the IP they need to send the email to.

    The next part is the problem. Right now, the host name in the "host" column of the MX record is ukps01. Except, at ZoneEdit, there is no A record called ukps01 which goes to your external IP. So the server sending you an email goes, "hey, he gave me bad information, because nothing is there for ukps01. Nope. Nothing. As far as I go that server must be imaginary -- even if it does exist, I can't find it."

    The confusion now steps in because you have a record called on your server, so why can't the world see that? The reason... you actually have two totally isolated DNS namespaces which are called the same name. Unless a workstation is on your network, it will NEVER see the records on your server (and this is a good thing); the ONLY thing it sees is what is at, and right now, the ones at don't have a ukps01 host. You wouldn't want the outside world to use the ukps01 name on your server anyway, because that resolves to the IP which isn't routable by anyone outside your firewall.

    This is one of the issues with naming the AD domain the same as the external domain; although it is technically fine, it can be very difficult to get your head around the fact you have two DNS namespaces which can resolve totally different things. You will also run into issues with making work inside your network which we can talk about once email is working.

    So... how do you fix it?

    You need to create, at, an A record called ukps01 which goes to your public IP.

    You also want to update the "host" column on the MX record to read the full name: for completeness, rather than simply the shortened alias.

    Once you have allowed for that to propagate, and as long as your Exchange Server is properly configured, you should be able to receive email from outside to your Once you've made the changes, feel free to let me know and I can run a lookup from here to say if the DNS is sound or not.

    Note: none of this affects the A record for "@" you have in place, which makes your website work. This is just an additional A record which goes to the same IP address and tells inbound email where to go.

    If you've got any questions, please let me know. This can be difficult stuff when you first start to play around with it.



    Bonus info:

    You might ask why we don't just put the IP address right into the "host" column of the MX record itself at Although this might technically work, it directly contravenes the RFCs which govern how all this stuff works. The RFCs explicitly state, and I quote:
    When a domain name associated with an MX RR is looked up and the associated data field obtained, the data field of that response MUST contain a domain name.  That domain name, when queried, MUST return at least one address record (e.g., A or AAAA RR) that gives the IP address of the SMTP server to which the message should be directed.

    -- from RFC 5321, Simple Mail Transfer Protocol
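
The MX -> A -> rDNS chain described in the answers above, walked the way a remote sending server would walk it. This is an added example, not part of the original thread: the domain example.test, every IP address and the zone contents are constructed placeholders; only the host name ukps01 comes from the page.

```python
import ipaddress

# Constructed zone data; example.test and all addresses are placeholders.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_BROKEN = {  # external zone as described: MX names ukps01, no A record for it
    ("example.test", "A"): ["203.0.113.10"],
    ("example.test", "MX"): [(10, "ukps01")],
}
EXTERNAL_FIXED = {  # external zone after the fix, with matching rDNS
    ("example.test", "A"): ["203.0.113.10"],
    ("ukps01.example.test", "A"): ["203.0.113.10"],
    ("example.test", "MX"): [(10, "ukps01.example.test")],
    ("203.0.113.10", "PTR"): ["ukps01.example.test"],
}
INTERNAL = {  # same zone name on the AD server, visible only inside the LAN
    ("ukps01.example.test", "A"): ["192.168.1.10"],
    ("example.test", "MX"): [(10, "ukps01.example.test")],
}

def fqdn(name, origin):
    """Expand a zone-relative name ('@', 'ukps01') to a full host name."""
    name = name.rstrip(".")
    if name == "@":
        return origin
    return name if name == origin or name.endswith("." + origin) else f"{name}.{origin}"

def check_inbound_mail(zone, domain):
    """Follow MX -> A -> PTR within one DNS view and return a list of findings."""
    findings = []
    mx_records = zone.get((domain, "MX"), [])
    if not mx_records:
        findings.append("no MX record visible")
    for _pref, target in sorted(mx_records):
        try:
            ipaddress.ip_address(target)
            findings.append(f"MX data {target} is an IP literal (RFC 5321 needs a name)")
            continue
        except ValueError:
            host = fqdn(target, domain)
        addrs = zone.get((host, "A"), [])
        if not addrs:
            findings.append(f"{host} has no A record in this zone")
        for addr in addrs:
            if any(ipaddress.ip_address(addr) in net for net in RFC1918):
                findings.append(f"{host} -> {addr} is not routable from outside")
            elif host not in zone.get((addr, "PTR"), []):
                findings.append(f"rDNS for {addr} does not point back to {host}")
    return findings
```

Each view is checked in isolation because a sender outside the network only ever sees the external zone, never the records held on the internal server.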

    Author Comment

    Matt, I can't thank you enough for the help you have provided me. The exchange server is receiving mail now. Thanks again, Steve.

    Author Closing Comment

    Fantastic. Thank you!
    LVL 58

    Expert Comment


    Steve, you're welcome. Glad to hear it's working and thanks for the feedback!
