Active Directory and Exchange 5.5

CJ

I just tested an upgrade of our Windows NT system to 2003 Server AD.
I am using split-brain DNS and I am wanting to use the same FQDN for
internal and external zones. We'll call it mydomain.com

Everything works fine, users can log on...logon scripts run, internet works,
then DNS resolves for internal users and forwards to external servers for
internet names.

One problem, our Exchange 5.5 server hosts 3 different domain names. All
emails send and receive just fine except for the mydomain.com email. Once I
put the old Windows NT server back online and rejoin the Exchange Server
with it, boom....the mydomain.com email comes in.

My thinking is it has to do with the local DNS server not going beyond the
local network to resolve anything mydomain.com and thus doesn't see the
mydomain.com email. DNS settings on the exchange server are correct,
pointing to the internal DNS server, and it registers itself in the local
DNS server.

This is my last obstacle to making this an Active Directory network. I
really don't want to have to use mydomain.local for internal records.

Any ideas????

Any help is greatly appreciated
 
Nathan

I am using split-brain DNS

Who or what is "split brain"? :) Just for clarity.
I am wanting to use the same FQDN for internal and
external zones.

Should have no problems doing this.
then DNS resolves for internal users and forwards to external servers for
internet names.

This is how you want to do it, with forwards. Sounds like
you are taking the right approach.
send and receive just fine except for the mydomain.com
email.

OK, so something's not configured right :)
I put the old Windows NT server back online and rejoin the Exchange
Server with it, boom....the mydomain.com email comes in.

Can you explain what you are doing here in more detail?
It sounds like you are still using the new 2003 server for
mail processing to some degree. Do I have this right: the
old server is processing mydomain.com and the new server
processes 2nd.com and 3rd.com with no changes to the 2003
server?
My thinking is it has to do with the local DNS server not going beyond the
local network to resolve anything mydomain.com and thus doesn't see the
mydomain.com email.

I think you are thinking backwards here. Oh such a pun,
but... "Think outside the box" :) Mail processing has two
directions. Inbound and Outbound. Are both broken or
just inbound? If it's just inbound, check your MX records
and see what IP they are pointing to. You probably have
the old NT box for it, so mail can't be delivered unless
it is online. Change the MX record, and things should
start hopping along.
This is my last obstacle to making this an Active
Directory network.

Good Luck! :)
don't want to have to use mydomain.local for internal
records.

No, don't do this. Really it will work!
 
Cary Shultz [A.D. MVP]

Nathan,

in-line....

Nathan said:
Who or what is "split brain"? :) Just for clarity.



Split brain is when you have a registered domain name, such as
nkdsolutions.com, for your external domain ( your Internet presence )
and you use nkdsolutions.com for your internal domain name as well.

There should be no problems with this set up. The one thing that you will
have to do in your internal domain is create an A Record in your FLZ (
Forward Lookup Zone ) and call it 'www' - without the quotes - and give that
host record the public IP Address of the external nkdsolutions.com,
otherwise your internal users will not be able to get to
http://www.nkdsolutions.com when they are inside the network.

What a lot of people are doing, however, is keeping nkdsolutions.com as
their external domain name and using something like nkdsolutions.local for
their internal domain name.

HTH,

Cary
 
CJ

Nathan said:
Who or what is "split brain"? :) Just for clarity.

Split-brain DNS is setting up DNS to have the ability for internal networks
to use the same domain name as external network without having to do, for
example, mydomain.com for the web servers and email, and mydomain.local for
internal Active Directory.

Basically, for security so your internal records are not out on the
internet, you set up internal DNS servers to resolve internal names, and
forward all other requests to external DNS servers and do not use recursion
in case external servers can't resolve the name for some reason.

external zones.

Should have no problems doing this.

And I'm not. It works great....just can't receive email with the domain
name the same as the internal network. All other domain names come through
the Exchange server just fine.

This is how you want to do it, with forwards. Sounds like
you are taking the right approach.

email.

OK, so something's not configured right :)

Well, I have 3 domain names in Exchange. 2 of them work fine, it's just the
emails with the domain name same as Active Directory that don't come in.
But if I put the old NT domain back together, boom...the mydomain.com comes
in.

Can you explain what you are doing here in more detail?
It sounds like you are still using the new 2003 server for
mail processing to some degree.

No, the 2003 test server is completely taken offline when I put the NT
domain back together.


Do I have this right: the
old server is processing mydomain.com and the new server
processes 2nd.com and 3rd.com with no changes to the 2003
server?

No, the old server is processing them all... The only thing the new 2003
test server is doing is authentication and DNS. Everything works
fine....the emails come in and out except the email with the same domain
name as the internal network.

I think you are thinking backwards here. Oh such a pun,
but... "Think outside the box" :) Mail processing has two
directions. Inbound and Outbound. Are both broken or
just inbound? If it's just inbound, check your MX records
and see what IP they are pointing to. You probably have
the old NT box for it, so mail can't be delivered unless
it is online. Change the MX record, and things should
start hopping along.

That was the other thing I was wondering about: the MX records. Only thing is,
will the MX record make any difference since I only have the one Exchange
server and the 2 email domains it hosts work fine, but the other one does
not?

Ok I'll give it a shot. It will be a weekend or 2 before I can try it
again.
 
Nathan

Who or what is "split brain"? :) Just for clarity.
Split-brain DNS is setting up DNS to have the ability for

I know exactly what you were trying to accomplish so this
makes perfect sense. I didn't know if "split-brain" was a
specific product or service name you were referring to,
just a term I've not been familiar enough with. I don't
claim to be an AD expert (yet) but I've got years of
experience with NT and NDS and DNS, so this AD thing
shouldn't take too long to get a good grasp on.
No, the old server is processing them all...

OK, good that you filled in the blanks there. But you
also indicated that inbound email was affected ONLY? Can
you confirm this; if so then I am more certain it's the
external DNS records that matter.
That was the other thing I was wondering was the MX records. Only thing is,
will the MX record make any difference since I only have the one Exchange
server and the 2 email domains it hosts work fine, but the other one does
not?

The MX record must point to the IP (inbound gateway)
address that mail comes INBOUND to. It won't affect email
internally. Now if this is an _Exchange_ problem, it
could want an internal MX record. I know that older
versions of Exchange didn't, but you never know when some
new thing does something different :)

In order for mail to arrive at the server, the MX has to
be right. Try adding a new MX entry with a lower priority
with the new IP. This should NOT be an issue if the new
Exchange server uses the old IP.

If it's the same IP, then start looking at Exchange as the
problem and vhosting the domains. Any mail server has to
be explicitly told what domains to handle. Hopefully this
isn't the problem. :)
Ok I'll give it a shot. It will be a weekend or 2 before I can try it
again.

It will take a while for an MX record change to make its
way out. Sometimes a little longer than just an A record,
because the MTA's all have to retry the lookup for waiting
mail in the MTA's retry queue.

Hope to hear good results next week :)

Nathan
 
CJ

Figured it out...turns out all I needed to do was have the DNS settings of
my Exchange server point to my ISP rather than my internal DNS servers.
 
Cary Shultz [A.D. MVP]

CJ,

That is never ever ever a good idea.....

I would look for another solution as this is going to cause more
problems....

HTH,

Cary
 
Rich Matheisen [MVP]

CJ said:
I just tested an upgrade of our Windows NT system to 2003 Server AD.
I am using split-brain DNS and I am wanting to use the same FQDN for
internal and external zones. We'll call it mydomain.com

Everything works fine, users can log on...logon scripts run, internet works,
then DNS resolves for internal users and forwards to external servers for
internet names.

One problem, our Exchange 5.5 server hosts 3 different domain names. All
emails send and receive just fine except for the mydomain.com email.

What doesn't work, sending or receiving? If your Exchange 5.5 server
hosts the mydomain.com domain it shouldn't need DNS to deliver mail to
local mailboxes -- and it would have no need to send the mail
elsewhere since it's hosting the domain.

So, since sending probably isn't a problem, the "Receiving" part most
likely is. Now the question becomes "from inside your LAN or from
outside?" Inside shouldn't be a problem if all the SMTP clients are
using the internal DNS. If they aren't, well . . . :)

If the problem is with receiving mail from outside your LAN, have a
look at the external DNS. What does the MX record say to do? And does
the "A" record use your Exchange server's EXTERNAL IP address? It
can't refer to the internal IP address because that shouldn't be
accessible from outside.
Once I
put the old Windows NT server back online and rejoin the Exchange Server
with it, boom....the mydomain.com email comes in.

I don't think this is an Exchange problem as much as a DNS/firewall
problem.
My thinking is it has to do with the local DNS server not going beyond the
local network to resolve anything mydomain.com

Why would it? Your internal DNS should be authoritative for
mydomain.com or it shouldn't have any zone for it at all.
 
CJ

Rich Matheisen said:
What doesn't work, sending or receiving? If your Exchange 5.5 server
hosts the mydomain.com domain it shouldn't need DNS to deliver mail to
local mailboxes -- and it would have no need to send the mail
elsewhere since it's hosting the domain.

Well, I followed the DNS guidelines about internal DNS servers and
forwarding to external.

Turns out, the Exchange server I had set to internal. And since the
internal servers are authoritative for mydomain.com, that's why they didn't
come through.

So I pointed the DNS settings on the exchange server to our ISP, and
bam...they came through just fine.
So, since sending probably isn't a problem, the "Receiving" part most
likely is. Now the question becomes "from inside your LAN or from
outside?" Inside shouldn't be a problem if all the SMTP clients are
using the internal DNS. If they aren't, well . . . :)

If the problem is with receiving mail from outside your LAN, have a
look at the external DNS. What does the MX record say to do? And does
the "A" record use your Exchange server's EXTERNAL IP address? It
can't refer to the internal IP address because that shouldn't be
accessible from outside.

Nah, all external email domains were coming in except for the one that had
the same name as the chosen internal FQDN. But using the ISP for the
exchange server DNS did the trick.
I don't think this is an Exchange problem as much as a DNS/firewall
problem.

Yes, that is it. But is there a way to have the Exchange server use the
internal DNS servers, which forward to external ones of course, for name
resolution?
 
CJ

Cary Shultz said:
CJ,

That is never ever ever a good idea.....

I would look for another solution as this is going to cause more
problems....

Well in a split-brain DNS setup, how can I have the Exchange server look to
the internal DNS servers and still look outside the LAN to resolve anything
with the same FQDN as the internal network?
 
Cary Shultz [A.D. MVP]

It is called Forwarding.

You should enter the IP Addresses of your ISP's DNS Servers in the
Forwarders tab in the DNS MMC. There are also the Root Hints that take
care of this but I prefer to use Forwarders....

In order for your internal clients to be able to find
http://www.yourdomain.com ( should you have a public website ) you would
need to create an A Record called "www" - without the quotes - and give it
the public IP Address of your web site.

HTH,

Cary
 
CJ

Cary Shultz said:
It is called Forwarding.

That is what I am doing, and without recursion for security.
Anything that is not mydomain.com gets forwarded to my ISP, but if an
internal request for anything mydomain.com is meant for the external
mydomain.com, it doesn't get resolved.
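The behaviour CJ describes above (a query for a name under the zone the internal server is authoritative for never reaches the forwarder, so the public www and MX records are invisible from inside) and the fix Cary gives (mirror the public records, such as www, into the internal zone with their public addresses), plus the MX check Nathan and Rich point at, as an added example. This is a small Python model written for this page, not code from any poster or from Windows DNS; the zone names, host names and addresses are constructed, and 2nd.com stands in for one of the other hosted mail domains.

```python
"""Toy model of split-brain DNS resolution (added example, not from the thread).

Shows why an internal server that is authoritative for mydomain.com never
forwards mydomain.com queries, and what records must be mirrored into it.
All zone data below is constructed (RFC 5737 / RFC 1918 addresses).
"""
from dataclasses import dataclass, field

NXDOMAIN, NODATA, SERVFAIL = "NXDOMAIN", "NODATA", "SERVFAIL"


@dataclass
class Zone:
    """One authoritative zone: (owner, rrtype) -> list of rdata strings."""
    name: str
    records: dict = field(default_factory=dict)

    def contains(self, qname):
        return qname == self.name or qname.endswith("." + self.name)

    def lookup(self, qname, qtype):
        if not any(owner == qname for owner, _ in self.records):
            return NXDOMAIN                       # name does not exist here
        return self.records.get((qname, qtype), NODATA)  # exists, no such RR


class Resolver:
    """Server that answers from its own zones first, then asks forwarders."""

    def __init__(self, zones, forwarders=()):
        self.zones = list(zones)
        self.forwarders = list(forwarders)

    def authoritative_zone(self, qname):
        # Longest match wins, as on a real server (mydomain.com beats com).
        matches = [z for z in self.zones if z.contains(qname)]
        return max(matches, key=lambda z: len(z.name)) if matches else None

    def resolve(self, qname, qtype):
        qname = qname.rstrip(".").lower()
        zone = self.authoritative_zone(qname)
        if zone is not None:
            # The trap: an authoritative answer, including NXDOMAIN or NODATA,
            # is final. Forwarders are never asked about names in this zone.
            return zone.lookup(qname, qtype)
        for fwd in self.forwarders:
            answer = fwd.resolve(qname, qtype)
            if answer != SERVFAIL:
                return answer
        return SERVFAIL  # forward-only: no root-hint fallback in this model


def build_scenario():
    """Constructed data: the ISP's view of the public zones, and the internal
    AD zone that carries the same name but holds only private hosts."""
    public = Zone("mydomain.com", {
        ("mydomain.com", "MX"): ["10 mail.mydomain.com"],
        ("mail.mydomain.com", "A"): ["203.0.113.25"],   # firewall's public IP
        ("www.mydomain.com", "A"): ["203.0.113.80"],
    })
    second = Zone("2nd.com", {
        ("2nd.com", "MX"): ["10 mail.2nd.com"],
        ("mail.2nd.com", "A"): ["203.0.113.25"],
    })
    isp_dns = Resolver([public, second])
    internal = Zone("mydomain.com", {
        ("mydomain.com", "A"): ["10.0.0.1"],      # AD registers the DC here
        ("dc1.mydomain.com", "A"): ["10.0.0.1"],
        ("exch.mydomain.com", "A"): ["10.0.0.5"],
    })
    internal_dns = Resolver([internal], forwarders=[isp_dns])
    return public, internal, internal_dns


def mirror_public_records(internal_zone, public_zone, keys):
    """The fix from the thread: copy the public records (www, the MX and the
    MX target) into the internal copy of the zone, with public addresses."""
    for key in keys:
        internal_zone.records[key] = list(public_zone.records[key])


def demo():
    public, internal, internal_dns = build_scenario()
    before = {
        "2nd.com MX": internal_dns.resolve("2nd.com", "MX"),       # forwarded
        "www A": internal_dns.resolve("www.mydomain.com", "A"),    # NXDOMAIN
        "mydomain MX": internal_dns.resolve("mydomain.com", "MX"),  # NODATA
    }
    mirror_public_records(internal, public, [
        ("www.mydomain.com", "A"),
        ("mydomain.com", "MX"),
        ("mail.mydomain.com", "A"),
    ])
    after = {
        "www A": internal_dns.resolve("www.mydomain.com", "A"),
        "mydomain MX": internal_dns.resolve("mydomain.com", "MX"),
        "exch A": internal_dns.resolve("exch.mydomain.com", "A"),  # still private
    }
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for k, v in before.items():
        print(f"before  {k:12} -> {v}")
    for k, v in after.items():
        print(f"after   {k:12} -> {v}")
```

Run it and the "before" block shows the asymmetry the thread is about: 2nd.com resolves through the forwarder, while www.mydomain.com is NXDOMAIN and the mydomain.com MX is NODATA, because the internal server owns that zone and answers authoritatively. Only adding the public records to the internal zone changes that; pointing the Exchange server at the ISP's DNS instead, as CJ tried, would also have made it resolve every internal host through the ISP, which is why Cary warns against it.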
 
Rich Matheisen [MVP]

[ snip ]
Yes, that is it. But is there a way to have the Exchange server use the
internal DNS servers, which forward to external ones of course, for name
resolution?

Sure. Change the DNS IP addresses on the TCP/IP property page of the
NICs. Then your internal DNS servers will forward the queries to wherever
you tell them to. But this works only for domains for which your
DNS isn't authoritative.
 
CJ

Rich Matheisen said:
[ snip ]
Yes, that is it. But is there a way to have the Exchange server use the
internal DNS servers, which forward to external ones of course, for name
resolution?

Sure. Change the DNS IP addresses on the TCP/IP property page of the
NICs. Then your internal DNS servers will forward the queries to wherever
you tell them to. But this works only for domains for which your
DNS isn't authoritative.

Correct. And I tried this already. Then just so I had email going in and
out, I put the DNS to our ISP for a short time...then went back to using my
internal DNS with forwarding and no recursion, and boom....it works fine
now. I don't know what happened. All I did was the same thing I did before
and now for some reason they all work fine.

Oh well...as long as the problem is solved. Thanks for your input!!!
 
