Solved

Setting Exchange External DNS

Posted on 2014-02-13
306 Views
Last Modified: 2014-02-19
Hi,

I've been given an Exchange 2013 server to use in a separate forest, but on the same IP network as another forest.  On my forest I have Exchange 2013 with a DC/DNS installed on it.

Exchange itself works fine, but I'm trying to set it up to use external DNS in the forwarders on the WAN interface, and when I changed it, all of my inbound e-mail stopped.  The queue viewer showed the following error: #554 5.4.4 SMTPSEND.DNS.NonExistentDomain; nonexistent domain ##

I've attached screenshots of my current settings.  The forwarder screenshot points to a server in the other forest.  What can I change to get external DNS going?
localdns.PNG
dnsforwarder.PNG
dnsexchange.PNG
Question by:ts11
6 Comments
LVL 63

Expert Comment

by:Simon Butler (Sembee)
WAN interface? Are you dual homing Exchange? If so, that isn't a supported configuration.
Exchange should have a single network interface and anything that needs to connect to a WAN should be done with a router. Windows is a very poor router and should not be used for that task. That is probably the root of the problems.
DNS Forwarding to another server shouldn't be a problem, it is almost certainly routing that is the issue.

Simon.
Author Comment

by:ts11
It's running on a virtual machine with 2 NICs.  One is internal, one is for the public IP.  I'm using outlook anywhere and people outside connect direct to this.

Edit: also, I don't want to forward to the other private IP as it's outside my forest.  I want this server to be completely independent.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
That isn't a supported configuration.
You are not supported to have Exchange in any kind of DMZ or internet zone, so you will see problems with email delivery.
You need to go back to a single NIC and have a router in front of Exchange to handle the internet connection.

Having Exchange on a domain controller is also not recommended, and should be avoided where possible. With the Windows 2012 1+2 virtualisation rights, it is very easy to avoid having a DC in place and if you went virtualised you could use a virtual router such as Monowall to be the link between Windows and the internet.

Simon.
Author Comment

by:ts11
There is a Cisco router in front of the Exchange server; all traffic passes through this to get to the Exchange server.  It has the public IP for Outlook Anywhere connections.
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
Don't multi-home the Exchange server. Configure the Cisco router to do NAT and have the server on a single NIC. Then configure the DNS settings to use the server itself only. If you have a problem with using root hints, configure DNS forwarders on the DNS server applet on the server itself.

Simon.
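The DNS part of the accepted answer, written out as a PowerShell check-and-fix. This is an added illustration, not code from the thread or from Microsoft's documentation. It assumes Exchange 2013 with the DNS Server role on the same Windows Server 2012 box (as in the question), already back on a single NIC whose alias is 'Ethernet'; the addresses 192.0.2.10 (the server's own NIC) and 203.0.113.53 / 203.0.113.54 (upstream forwarders) are placeholders. Run it in the Exchange Management Shell on the server.

```powershell
# Added example: inspect and repair the DNS path that Exchange transport uses for
# outbound delivery. A #554 5.4.4 SMTPSEND.DNS.NonExistentDomain in the queue means
# the MX/A lookup for the recipient domain came back NXDOMAIN from whatever resolver
# the transport service was handed, so the first step is to see which resolver that is.
# All IP addresses and the interface alias below are placeholders (assumption).

$OwnNic     = '192.0.2.10'                  # the server's single NIC (placeholder)
$Forwarders = '203.0.113.53', '203.0.113.54' # upstream resolvers you control/trust (placeholder)
$NicAlias   = 'Ethernet'                     # interface alias of that NIC (placeholder)
$TestDomain = 'example.com'                  # any external domain to prove resolution works

# 1. What is transport using right now? With the *AdapterEnabled flags set to $true
#    Exchange simply inherits the NIC's DNS client settings; explicit server lists
#    override that, which is where a WAN-interface resolver sneaks in.
Get-TransportService | Format-List Name, ExternalDNSAdapterEnabled, ExternalDNSServers,
                                   InternalDNSAdapterEnabled, InternalDNSServers

# 2. Put transport back on the adapter's DNS settings and clear any explicit lists.
Set-TransportService -Identity $env:COMPUTERNAME `
    -ExternalDNSAdapterEnabled $true -ExternalDNSServers $null `
    -InternalDNSAdapterEnabled $true -InternalDNSServers $null

# 3. Make the NIC's DNS client point only at the DNS Server on this box, as the
#    answer says ("use the server itself only").
Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses $OwnNic
Get-DnsClientServerAddress -InterfaceAlias $NicAlias -AddressFamily IPv4

# 4. Let the local DNS Server resolve the Internet via forwarders instead of root hints.
#    Set-DnsServerForwarder replaces the whole list, so the out-of-forest entry goes away.
Set-DnsServerForwarder -IPAddress $Forwarders
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 5. Prove the chain works before touching the mail queue: ask the local server for
#    an external MX record and check that the answer is not NXDOMAIN.
$mx = Resolve-DnsName -Name $TestDomain -Type MX -Server $OwnNic -ErrorAction Stop
$mx | Select-Object Name, NameExchange, Preference

# 6. Transport caches DNS settings; restart it, then release the stuck messages.
Restart-Service MSExchangeTransport
Get-Queue | Where-Object { $_.LastError -like '*NonExistentDomain*' } |
    Select-Object Identity, Status, MessageCount, LastError
Retry-Queue -Filter { Status -eq 'Retry' }
```

Step 4 is also the trust boundary the question is really about: whichever addresses sit in that forwarder list answer every MX lookup your outbound mail depends on, so they should be resolvers you administer or have an explicit reason to trust, not a convenient server in someone else's forest. Step 5 is the quick way to tell a resolver problem apart from the routing problem Simon describes: if the lookup answers correctly from the server's own NIC but delivery still fails, the fault is in the path, not in DNS.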
Author Comment

by:ts11
OK, well, the router isn't owned by me, but the people who own it told me that it isn't set up to allow public IP NATing to a private address.  All public IPs are assigned on an interface (I think they're using multiple secondary addresses).  So it would be a pretty big reconfiguration for the NATing.  Anyway, I don't think much else can be said on this for now, so I will look to close the thread.