DNS not resolving mail server for ADSL users

Jennie

Hi,

I have a problem with my VPN users which has only
recently started. Little problems seem to have started
since running DCPromo on another server, not sure if this
is connected!!

When users dial in they cannot connect to the mail server
by name; it does not seem to resolve.

On the remote PC I ping the mail server by IP and all is
ok, but when I ping the mail server by name it returns
the external IP address.

It is as though our internal DNS server is sending a
request out to ISP DNS servers to resolve. It is very
strange as internally all seems to resolve fine. Checked
WINS and DNS and there are entries for the server
listed. Just wanted to check that I don't need an MX
record in the DNS... although I have been told that our
ISP DNS holds the MX record for us!

To resolve the situation I have added a hosts file on the
user's PC and all works ok for now.

Why has this happened? Has anyone got any ideas?

Please help!!!

Regards,

Jennie
 
Ace Fekay [MVP]

Jennie said:
> Hi,
>
> I have a problem with my VPN users which has only
> recently started. Little problems seem to have started
> since running DCPromo on another server, not sure if this
> is connected!!
>
> When users dial in they cannot connect to the mail server
> by name; it does not seem to resolve.
>
> On the remote PC I ping the mail server by IP and all is
> ok, but when I ping the mail server by name it returns
> the external IP address.
>
> It is as though our internal DNS server is sending a
> request out to ISP DNS servers to resolve. It is very
> strange as internally all seems to resolve fine. Checked
> WINS and DNS and there are entries for the server
> listed. Just wanted to check that I don't need an MX
> record in the DNS... although I have been told that our
> ISP DNS holds the MX record for us!
>
> To resolve the situation I have added a hosts file on the
> user's PC and all works ok for now.
>
> Why has this happened? Has anyone got any ideas?
>
> Please help!!!
>
> Regards,
>
> Jennie


Sounds like your internal AD domain name and your external domain name are
the same. Under your internal domain zone in DNS, manually create the record
you need, such as "mail" and give it the internal IP address. HOSTS files
are too much to deal with, so just let your DNS server take care of it.

Also, make sure all your internal machines are only using your internal DNS
and not the ISP's and you have a forwarder configured.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
jennie

-----Original Message-----
> In Jennie <[email protected]> posted their thoughts, then I
> offered mine
>
> Sounds like your internal AD domain name and your external domain name are
> the same. Under your internal domain zone in DNS, manually create the record
> you need, such as "mail" and give it the internal IP address. HOSTS files
> are too much to deal with, so just let your DNS server take care of it.
>
> Also, make sure all your internal machines are only using your internal DNS
> and not the ISP's and you have a forwarder configured.
>
> --
> Regards,
> Ace

Hi Ace,

Thanks for your prompt response. Yes the internal AD
domain is the same as the external. I have checked in
the zone for this domain and there is already an A record
for the mail server. Is this what you meant or is there
another record I need to add?

Thanks

Jennie
 
jennie

Sorry let me also explain that if the users take out the
ISP's DNS it resolves ok. However this is not acceptable
as the users use the dialup for internet access and then
activate their VPN (WatchGuard MUVPN) to connect to the
network!

Hope this offers some further insight into the problem :)

Regards,

Jennie
 
Ace Fekay [MVP]

jennie said:
> Sorry let me also explain that if the users take out the
> ISP's DNS it resolves ok. However this is not acceptable
> as the users use the dialup for internet access and then
> activate their VPN (WatchGuard MUVPN) to connect to the
> network!
>
> Hope this offers some further insight into the problem :)
>
> Regards,
>
> Jennie


OH, you're saying these are remote users coming in thru a VPN?? I would
suggest ensuring that when their VPN is connected, that interface is
at the top of the binding order, and make sure the internal DNS is listed in
IP properties.

VPNs, believe it or not, are problematic with AD. One solution is to put the
required data into the users' HOSTS file on their machines. Records such as:

192.168.1.4 internalmailname.domain.com
192.168.1.5 internalDCname.domain.com

This way they can get to the internal stuff..



--
Regards,
Ace

 
J.C. Hornbeck [MSFT]

Ace is right and this is not terribly uncommon if:

1. Your internal and external domain names are identical, and
2. An internal resource and an external resource have identical names.

You basically have two different computers with the exact same name so
depending on which DNS you ask you may or may not get the answer that you
want. In the case of the VPN user, the DNS query is actually getting sent
to the ISP's DNS so that's why it resolves to the external address, not the
internal. There are fairly complex technical reasons why it works this way
that I won't go into, but the HOSTS file is one workaround, and another is
to actually configure the remote user to use your internal DNS IP address
before the ISP's DNS's. This can cause a minor delay when the users are not
connected via the VPN but most users would never notice it.

--
J.C. Hornbeck, MCSE
Microsoft Product Support

NOTE: Please reply to the newsgroup and not directly to me. This allows
others to add to and benefit from these threads and also helps to ensure a
more timely response. Thank you!

This posting is provided "AS IS" without warranty either expressed or
implied, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose.
 
Ace Fekay [MVP]

J.C. Hornbeck said:
> Ace is right and this is not terribly uncommon if:
>
> 1. Your internal and external domain names are identical, and
> 2. An internal resource and an external resource have identical names.
>
> You basically have two different computers with the exact same name so
> depending on which DNS you ask you may or may not get the answer that
> you want. In the case of the VPN user, the DNS query is actually
> getting sent to the ISP's DNS so that's why it resolves to the
> external address, not the internal. There are fairly complex
> technical reasons why it works this way that I won't go into, but
> the HOSTS file is one workaround, and another is to actually
> configure the remote user to use your internal DNS IP address before
> the ISP's DNS's. This can cause a minor delay when the users are not
> connected via the VPN but most users would never notice it.


Nicely put, J.C.!

Hope there will be an easier solution for this in the future.
:)


--
Regards,
Ace

 
the confused

It appeared that Ace is occupied with something, so let me
jump in to confuse you a little bit, ;-)

If you don't have an MX record for this mail server
internally already, you definitely need one.

Go back to the original symptom: it could well be that
because there is no internal MX record defined on your
DNS, the VPN client resolver has to look up the ISP's DNS
and gets the external IP back.
 
Kevin D. Goodknecht [MVP]

the confused said:
> It appeared that Ace is occupied with something, so let me
> jump in to confuse you a little bit, ;-)
>
> If you don't have an MX record for this mail server
> internally already, you definitely need one.
>
> Go back to the original symptom: it could well be that
> because there is no internal MX record defined on your
> DNS, the VPN client resolver has to look up the ISP's DNS
> and gets the external IP back.

Why would clients need to see an MX record?
You don't need an MX record in an internal zone, only SMTP servers look for
MX records and there should be no SMTP servers looking at the internal zone.
I can't think of even one SMTP server that will be looking for an MX record
for a mail domain it hosts.
 
the confused

ha, here is Kevin!

did I say my intention was to confuse, see my name!
(Sorry jennie)

Clients do not need to look up MX records, that's
correct. However, firewall rules may need the MX record
to identify mail servers, so it is better to set up one as
an identifier.

In addition, the following statement is confusing:

"You don't need an MX record in an internal zone, only
SMTP servers look for MX records and there should be no
SMTP servers looking at the internal zone. I can't think
of even one SMTP server that will be looking for an MX
record for a mail domain it hosts."

If you have more than one internal domain and each domain
has SMTP servers, you do need MX records for the SMTP
servers.
 
Ace Fekay [MVP]

the confused said:
> ha, here is Kevin!
>
> did I say my intention was to confuse, see my name!
> (Sorry jennie)
>
> Clients do not need to look up MX records, that's
> correct. However, firewall rules may need the MX record
> to identify mail servers, so it is better to set up one as
> an identifier.
>
> In addition, the following statement is confusing:
>
> "You don't need an MX record in an internal zone, only
> SMTP servers look for MX records and there should be no
> SMTP servers looking at the internal zone. I can't think
> of even one SMTP server that will be looking for an MX
> record for a mail domain it hosts."
>
> If you have more than one internal domain and each domain
> has SMTP servers, you do need MX records for the SMTP
> servers.

Wow, now I'm getting confused. It started with a VPN question....

Basically, an MX record is not needed internally for your domain, whether
the same name or not. A mail server will query DNS for all other external
domains when sending mail. The MX for your domain needs to exist on the
external DNS server so your machine can receive mail.

Back to the original issue.... Since your clients are connecting thru the
VPN, you did right by creating those records in a HOSTS file on the users'
machines. VPNs are problematic and a HOSTS file is the answer. It's due to
the way the users connect in from their ISP. They need their ISP to resolve
Internet names while they're home or away. But when they connect in, they
need some way to resolve internal records. Hopefully there will be a method
to overcome the default behavior of the interfaces and maybe once connected,
we can force the VPN connection to be the default.



--
Regards,
Ace

 
Kevin D. Goodknecht [MVP]

the confused said:
> ha, here is Kevin!
>
> did I say my intention was to confuse, see my name!
> (Sorry jennie)
>
> Clients do not need to look up MX records, that's
> correct. However, firewall rules may need the MX record
> to identify mail servers, so it is better to set up one as
> an identifier.
>
> In addition, the following statement is confusing:
>
> "You don't need an MX record in an internal zone, only
> SMTP servers look for MX records and there should be no
> SMTP servers looking at the internal zone. I can't think
> of even one SMTP server that will be looking for an MX
> record for a mail domain it hosts."
>
> If you have more than one internal domain and each domain
> has SMTP servers, you do need MX records for the SMTP
> servers.

Maybe the way you configure your mail servers there is no need for internal
MX; it only confuses the issue. The issue was resolving the mail server host
name by the clients.

Incidentally, internal mail servers should need MX records; each mail server
should be configured so they know which mail server hosts the mail boxes for
all internally hosted domains.

But using your scenario, since I host ten mail domains on three SMTP servers
I should have MX records internally?
Sounds like a waste of DNS bandwidth to me. All mail servers are under my
control; why should I want to configure them to check with DNS for mail
domains I know where to relay to? Each internal SMTP server should be able
to accept mail for any of the ten domains I host, then the SMTP server is
configured so that it knows which server to relay the mail to for
distribution. This is done without MX records, it is in the configuration. I
do this for redundancy: all three SMTP servers can accept mail for each of
the ten domains.
 
the confused

I think we should follow some rules of basic DNS
practice, or the "MS" best practice here.

It is not just make it work, somehow, but make it work
the way other people can follow. In your small shop, you
are the man to do whatever to make it work. However,
what about when the business grows and you are not the only
man there any more, what about an emergency situation
when you are not around, what about if you suddenly got rich
and want to retire, or what about if the management wants this
part to be outsourced (you will stay with the company for
other important staff)...and I think there will be some
issues.

BTW, within a mail domain, what you said is ok I guess.
 
Jennie

Wow thanks for all your replies. Interesting to read
everyone's thoughts on this.

In the users' dial-up to the ISP I have already put our
internal DNS server first then the ISP's; this doesn't
make a difference!! Given the fact that the hosts file is
working for the moment I think I may stay with that.

Once again thanks for all your replies. Forgot how
useful this NewsGroup is :)

Regards,

Jennie
 
Ace Fekay [MVP]

Jennie said:
> Wow thanks for all your replies. Interesting to read
> everyone's thoughts on this.
>
> In the users' dial-up to the ISP I have already put our
> internal DNS server first then the ISP's; this doesn't
> make a difference!! Given the fact that the hosts file is
> working for the moment I think I may stay with that.
>
> Once again thanks for all your replies. Forgot how
> useful this NewsGroup is :)
>
> Regards,
>
> Jennie


Cool!!!

HOSTS files is the way to go with VPNs...at least for now...

--
Regards,
Ace

 