outbound email problems

[Guest]

i have a win2k3 domain, active dir integ dns (on 2 dns servers) all behind
isa 2000 server. dcdiag says everything is great , lol fantastic even. on all
3 dc's. reverse lookups fail everytime when i use the internal dns, if i use
the server = (external dns server ip address) i can do all the querys i
want. i think my forwarders are not working. this all came up becasue i have
no outbound email
with exch 2k3. the mail sits in the queue and eventually fails. when i run
smtp diag i am told that it cant find the external dns server. i have tried
leaving the dns servers in the smtp vs1, and tried with out ... neither
works.
(dns has external forwarders set up). i need all the help i can get... oh
yeah my dns servers are not published. we pay the isp for a registered domain
mx etc.


oh yeah one more thing when i use the smtp diag with the same email address's
but tell it to use a external dns server ip... it passes the tests..

weird eh

 

[Ace Fekay [MVP]]

In

i have a win2k3 domain, active dir integ dns (on 2 dns servers) all
behind isa 2000 server. dcdiag says everything is great , lol
fantastic even. on all 3 dc's. reverse lookups fail everytime when i
use the internal dns, if i use the server = (external dns server ip
address) i can do all the querys i want. i think my forwarders are
not working. this all came up becasue i have no outbound email
with exch 2k3. the mail sits in the queue and eventually fails. when
i run smtp diag i am told that it cant find the external dns server.
i have tried leaving the dns servers in the smtp vs1, and tried with
out ... neither works.
(dns has external forwarders set up). i need all the help i can
get... oh yeah my dns servers are not published. we pay the isp for a
registered domain mx etc.


oh yeah one more thing when i use the smtp diag with the same email
address's but tell it to use a external dns server ip... it passes
the tests..

weird eh

Lot's of assumptions here I'm sorry to say, on my part and your part.

If dcdiag says AD is fine and error free, then it more likely is. It seems
you have a configuration problem elsewhere causing mail not to flow.

The nslookup "problem" you may be speaking of is probably something like it
saying (and I;m guessing here with the LIMITED info you provided) that it
can't find server name or domain name or along those lines. This is a
message saying that it cannot find YOUR DNS server name in YOUR reverse
zone. If you don;t have one, create a reverse zone for your internal private
subnet and make sure a PTR entry exists for your DNS server.

If nslookup is working when you select to use an external server, then I am
assuming that ISA is allowing DNS query traffic to your internal subnet,
that is if you are testing nslookup using an external server from a machine
on the internal private subnet, unless of course you are testing it from the
ISA server.

To test if the forwarders are working, why not just select to use the
forwarders with nslookup to see if they answer queries. If they do, then
there;s nothing wrong with the forwarders.

Maybe the issue is with your ISA config. It sounds like the mail server is
not properly published. Maybe it's also an ISA rule to allow DNS traffic, or
a combo of both. We'll need much more specific info about ISA and how it's
configured, it's role (Secure NAT or just web caching, etc). This maybe more
suitable for the ISA newsgroup, depending on your respones.

Sorry, I just had to go over all the possibilities and factors affecting a
possible diagnosis.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy.
===========================

 

[news.microsoft.com]

"Ace Fekay [MVP]"

In

Lot's of assumptions here I'm sorry to say, on my part and your part.

sorry i couldnt be clearer...lol ive read and looked at so many things
latley my brain is fried....

If dcdiag says AD is fine and error free, then it more likely is. It seems
you have a configuration problem elsewhere causing mail not to flow.

i figured as much

The nslookup "problem" you may be speaking of is probably something like it
saying (and I;m guessing here with the LIMITED info you provided) that it
can't find server name or domain name or along those lines. This is a
message saying that it cannot find YOUR DNS server name in YOUR reverse
zone. If you don;t have one, create a reverse zone for your internal private
subnet and make sure a PTR entry exists for your DNS server.

i have a pointer record, and its also has a name server record

If nslookup is working when you select to use an external server, then I am
assuming that ISA is allowing DNS query traffic to your internal subnet,
that is if you are testing nslookup using an external server from a machine
on the internal private subnet, unless of course you are testing it from the
ISA server.

correct i can use nslookup from any machine and the reverse query's work
when i tell it to use the same forwarder ip's

To test if the forwarders are working, why not just select to use the
forwarders with nslookup to see if they answer queries. If they do, then
there;s nothing wrong with the forwarders.

Maybe the issue is with your ISA config. It sounds like the mail server is
not properly published. Maybe it's also an ISA rule to allow DNS traffic, or
a combo of both. We'll need much more specific info about ISA and how it's
configured, it's role (Secure NAT or just web caching, etc). This maybe more
suitable for the ISA newsgroup, depending on your respones.

securenat
i though of that too, but if i use telnet to port 25 on an external smtp
server (ex mx4.hotmail.com) it talks,
i cant send an email, but i expect that because i am trying to use it from
the outside. the point is that i can connect
and go through the motions of an email test. if i use the internal smtp
server i get a unable to relay error when i try to set the rcpt to: account

Sorry, I just had to go over all the possibilities and factors affecting a
possible diagnosis.

no again, sorry i couldnt have been clearer

when i use smtpdiag with the internal dns it gives an error
THE DNS SERVER (IP ADDRESS) DID NOT RETURN A VALID SOA RECORD
but if i use smtpdiag with the -d external dns server ip it still fails the
internal one when it checks, but the external one passes.

i only figured it had something to do with dns because i cant resolve
external ips even with forwarders set up


this is what i get from dnsdiag with internal dns servers
C:\WINNT\system32\inetsrv>dnsdiag www.hotmail.com -s 192.168.48.16
Created Async Query:
--------------------
QNAME = www.hotmail.com
Type = MX (0xf)
Flags = UDP default, TCP on truncation (0x0)
Protocol = UDP
DNS Servers: (DNS cache will not be used)
192.168.48.16

Connected to DNS 192.168.48.16 over UDP/IP.
Received DNS Response:
----------------------
Error: 9002
Description: Not available.
Querying via DNSAPI:
--------------------
QNAME = www.hotmail.com
Type = A (0x1)
Flags = DNS_QUERY_TREAT_AS_FQDN, (0x1000)
Protocol = Default UDP, TCP on truncation
Servers: (DNS cache will not be used)
192.168.48.16

Received DNS Response:
----------------------
Error: 1460
Description: Not available.
Cannot resolve using DNS only, calling gethostbyname as last resort.
This will query
- Global DNS servers.
- DNS cache.
- WINS/NetBIOS.
- .hosts file.

Target hostnames and IP addresses
---------------------------------
HostName: "www.hotmail.com"
206.24.192.250






this is what i get with external servers set up
C:\WINNT\system32\inetsrv>dnsdiag www.hotmail.com -s 198.164.30.2
Created Async Query:
--------------------
QNAME = www.hotmail.com
Type = MX (0xf)
Flags = UDP default, TCP on truncation (0x0)
Protocol = UDP
DNS Servers: (DNS cache will not be used)
198.164.30.2

Connected to DNS 198.164.30.2 over UDP/IP.
Received DNS Response:
----------------------
Error: 0
Description: Success
These records were received:
www.hotmail.com CNAME www.hotmail.com.nsatc.net
www.hotmail.com.nsatc.net CNAME www.hotmail.aate.nsatc.net
nsatc.net SOA (SOA records are not used by us)

Processing MX/A records in reply.
Sorting MX records by priority.
Querying via DNSAPI:
--------------------
QNAME = www.hotmail.com
Type = A (0x1)
Flags = DNS_QUERY_TREAT_AS_FQDN, (0x1000)
Protocol = Default UDP, TCP on truncation
Servers: (DNS cache will not be used)
198.164.30.2

Received DNS Response:
----------------------
Error: 0
Description: Success
These records were received:
www.hotmail.com CNAME www.hotmail.com.nsatc.net
www.hotmail.com.nsatc.net CNAME www.hotmail.aate.nsatc.net
www.hotmail.aate.nsatc.net A 66.35.214.30
nsatc.net (Record type = 2) Unknown record type
nsatc.net (Record type = 2) Unknown record type
nsatc.net (Record type = 2) Unknown record type
nsatc.net (Record type = 2) Unknown record type
nsatc.net (Record type = 2) Unknown record type
l.ns.nsatc.net A 216.206.179.6
c.ns.nsatc.net A 64.240.90.167
a.ns.nsatc.net A 206.25.8.69
us-ny-3.ns.nsatc.net A 64.152.2.44
us-wa-4.ns.nsatc.net A 208.172.91.5

Processing CNAME: www.hotmail.com CNAME www.hotmail.com.nsatc.net
Processing CNAME: www.hotmail.com.nsatc.net CNAME
www.hotmail.aate.nsatc.net

www.hotmail.com.nsatc.net is an alias for www.hotmail.com.nsatc.net
www.hotmail.com is an alias for www.hotmail.com
1 A record(s) found for www.hotmail.aate.nsatc.net

Target hostnames and IP addresses
---------------------------------
HostName: "www.hotmail.com"
66.35.214.30

both of these were done from the dns server.

i can give you the messages from the smtpdiag tool too if you want


man thanks alot for looking, i am behind the 8 ball here

undr

 

[news.microsoft.com]

just for shits and giggles ill include the smtpdiag from the exchange server

when i tell it to us the default method (use internal, and then any external
forwarders set up un smtp vs1)

C:\Program Files\Windows Resource Kits\Tools\smtpdiag\SmtpDiag>smtpdiag
validmailaddress

@hotmail.com (e-mail address removed)



Searching for Exchange external DNS settings.

Computer name is NBCC-SJS04.

VSI 1 has the following external DNS servers:

198.164.30.2



Checking SOA for xerox.ca.

Checking external DNS servers.

Checking internal DNS servers.

DNS server [192.168.48.16] did not return a valid SOA record.

SOA serial number match: Failed with one or more failures.



Checking local domain records.

Checking MX records using TCP: hotmail.com.

Warning: The TCP DNS query returned no results.

Checking MX records using UDP: hotmail.com.

Warning: No MX or A records were found for the local domain. If the records
are

not configured, incoming mail can fail to be delivered to this server.



Checking remote domain records.

Checking MX records using TCP: xerox.ca.

Warning: The TCP DNS query returned no results.

Checking MX records using UDP: xerox.ca.

Error: No MX or A records were found for the remote domain. Verify that the

remote domain is valid. Your firewall allows outbound DNS queries (Windows

NT/2000 Server requires TCP), and your DNS server can resolve external
domains.







################################################################



when i tell it to use a external server for dns ( the same one i use for dns
forwarders )



C:\Program Files\Windows Resource Kits\Tools\smtpdiag\SmtpDiag>smtpdiag
validmailaddress

@hotmail.com (e-mail address removed) -d 198.164.30.2



Searching for Exchange external DNS settings.

Computer name is NBCC-SJS04.

VSI 1 has the following external DNS servers:

198.164.30.2



Checking SOA for xerox.ca.

Checking external DNS servers.

Checking internal DNS servers.

DNS server [192.168.48.16] did not return a valid SOA record.

SOA serial number match: Failed with one or more failures.



Checking local domain records.

Checking MX records using TCP: hotmail.com.

Checking MX records using UDP: hotmail.com.

Both TCP and UDP queries succeeded. Local DNS test passed.



Checking remote domain records.

Checking MX records using TCP: xerox.ca.

Checking MX records using UDP: xerox.ca.

Both TCP and UDP queries succeeded. Remote DNS test passed.



Checking MX servers listed for (e-mail address removed)

Connecting to xbs.xerox.ca [205.150.246.2] on port 25.

Connecting to the server failed. Error: 10060

Failed to submit mail to xbs.xerox.ca.

Connecting to mail.uunet.ca [142.77.2.9] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.1.58] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.24] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.13] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.11] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.10] on port 25.

Successfully connected to mail.uunet.ca.







hope it helps



undr

 

[Guest]

i replied via outlook express if it doesnt show up here in five or ten
minutes, i will post it in here...okay?

 

[Ace Fekay [MVP]]

In

just for shits and giggles ill include the smtpdiag from the exchange
server

when i tell it to us the default method (use internal, and then any
external forwarders set up un smtp vs1)

C:\Program Files\Windows Resource
Kits\Tools\smtpdiag\SmtpDiag>smtpdiag validmailaddress

@hotmail.com (e-mail address removed)



Searching for Exchange external DNS settings.

Computer name is NBCC-SJS04.

VSI 1 has the following external DNS servers:

198.164.30.2



Checking SOA for xerox.ca.

Checking external DNS servers.

Checking internal DNS servers.

DNS server [192.168.48.16] did not return a valid SOA record.

SOA serial number match: Failed with one or more failures.



Checking local domain records.

Checking MX records using TCP: hotmail.com.

Warning: The TCP DNS query returned no results.

Checking MX records using UDP: hotmail.com.

Warning: No MX or A records were found for the local domain. If the
records are

not configured, incoming mail can fail to be delivered to this server.



Checking remote domain records.

Checking MX records using TCP: xerox.ca.

Warning: The TCP DNS query returned no results.

Checking MX records using UDP: xerox.ca.

Error: No MX or A records were found for the remote domain. Verify
that the

remote domain is valid. Your firewall allows outbound DNS queries
(Windows

NT/2000 Server requires TCP), and your DNS server can resolve external
domains.







################################################################



when i tell it to use a external server for dns ( the same one i use
for dns forwarders )



C:\Program Files\Windows Resource
Kits\Tools\smtpdiag\SmtpDiag>smtpdiag validmailaddress

@hotmail.com (e-mail address removed) -d 198.164.30.2



Searching for Exchange external DNS settings.

Computer name is NBCC-SJS04.

VSI 1 has the following external DNS servers:

198.164.30.2



Checking SOA for xerox.ca.

Checking external DNS servers.

Checking internal DNS servers.

DNS server [192.168.48.16] did not return a valid SOA record.

SOA serial number match: Failed with one or more failures.



Checking local domain records.

Checking MX records using TCP: hotmail.com.

Checking MX records using UDP: hotmail.com.

Both TCP and UDP queries succeeded. Local DNS test passed.



Checking remote domain records.

Checking MX records using TCP: xerox.ca.

Checking MX records using UDP: xerox.ca.

Both TCP and UDP queries succeeded. Remote DNS test passed.



Checking MX servers listed for (e-mail address removed)

Connecting to xbs.xerox.ca [205.150.246.2] on port 25.

Connecting to the server failed. Error: 10060

Failed to submit mail to xbs.xerox.ca.

Connecting to mail.uunet.ca [142.77.2.9] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.1.58] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.24] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.13] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.11] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.10] on port 25.

Successfully connected to mail.uunet.ca.







hope it helps



undr

It seems that possibly ISA is not allowing DNS traffic. When using nslookup
from the Exchange server, and you select to use 192.168.48.16 as the server
for nslookup, does it work?

On your internal DNS, did you disable recursion or does the Root zone exist?

Ace

 

[Ace Fekay [MVP]]

In

i have a pointer record, and its also has a name server record

I was hoping you would offer what message or error was nslookup giving you??

FYI, if the machine you are running nslookup from is using the internal DNS
in it;s IP properties, then it should be able to do a reverse lookup and
won';t show that 'can't find domain' message, if that what you were talking
about??

correct i can use nslookup from any machine and the reverse query's
work when i tell it to use the same forwarder ip's

Then I'm leaning to something up with YOUR DNS. What Event log errors do you
have? Post the Event ID#'s and Source Names please.

securenat
i though of that too, but if i use telnet to port 25 on an external
smtp server (ex mx4.hotmail.com) it talks,
i cant send an email, but i expect that because i am trying to use it
from the outside. the point is that i can connect
and go through the motions of an email test. if i use the internal
smtp server i get a unable to relay error when i try to set the rcpt
to: account

no again, sorry i couldnt have been clearer

when i use smtpdiag with the internal dns it gives an error
THE DNS SERVER (IP ADDRESS) DID NOT RETURN A VALID SOA RECORD
but if i use smtpdiag with the -d external dns server ip it still
fails the internal one when it checks, but the external one passes.

i only figured it had something to do with dns because i cant resolve
external ips even with forwarders set up


this is what i get from dnsdiag with internal dns servers
C:\WINNT\system32\inetsrv>dnsdiag www.hotmail.com -s 192.168.48.16
Created Async Query:
--------------------
QNAME = www.hotmail.com
Type = MX (0xf)
Flags = UDP default, TCP on truncation (0x0)
Protocol = UDP
DNS Servers: (DNS cache will not be used)
192.168.48.16

Connected to DNS 192.168.48.16 over UDP/IP.
Received DNS Response:
----------------------
Error: 9002
Description: Not available.
<snip>


both of these were done from the dns server.

i can give you the messages from the smtpdiag tool too if you want


man thanks alot for looking, i am behind the 8 ball here

undr

It seems as I said, something it up or misconfigured in your DNS. Is
recursion disabled under ADvanced tab, or an yting else disabled? Does the
Root zone exist?

Ace

 

[news.microsoft.com]

the root zone does not exist, and no recursive doesnt work when i tell it to
use internal dns
"Ace Fekay [MVP]"

In

just for shits and giggles ill include the smtpdiag from the exchange
server

when i tell it to us the default method (use internal, and then any
external forwarders set up un smtp vs1)

C:\Program Files\Windows Resource
Kits\Tools\smtpdiag\SmtpDiag>smtpdiag validmailaddress

@hotmail.com (e-mail address removed)



Searching for Exchange external DNS settings.

Computer name is NBCC-SJS04.

VSI 1 has the following external DNS servers:

198.164.30.2



Checking SOA for xerox.ca.

Checking external DNS servers.

Checking internal DNS servers.

DNS server [192.168.48.16] did not return a valid SOA record.

SOA serial number match: Failed with one or more failures.



Checking local domain records.

Checking MX records using TCP: hotmail.com.

Warning: The TCP DNS query returned no results.

Checking MX records using UDP: hotmail.com.

Warning: No MX or A records were found for the local domain. If the
records are

not configured, incoming mail can fail to be delivered to this server.



Checking remote domain records.

Checking MX records using TCP: xerox.ca.

Warning: The TCP DNS query returned no results.

Checking MX records using UDP: xerox.ca.

Error: No MX or A records were found for the remote domain. Verify
that the

remote domain is valid. Your firewall allows outbound DNS queries
(Windows

NT/2000 Server requires TCP), and your DNS server can resolve external
domains.







################################################################



when i tell it to use a external server for dns ( the same one i use
for dns forwarders )



C:\Program Files\Windows Resource
Kits\Tools\smtpdiag\SmtpDiag>smtpdiag validmailaddress

@hotmail.com (e-mail address removed) -d 198.164.30.2



Searching for Exchange external DNS settings.

Computer name is NBCC-SJS04.

VSI 1 has the following external DNS servers:

198.164.30.2



Checking SOA for xerox.ca.

Checking external DNS servers.

Checking internal DNS servers.

DNS server [192.168.48.16] did not return a valid SOA record.

SOA serial number match: Failed with one or more failures.



Checking local domain records.

Checking MX records using TCP: hotmail.com.

Checking MX records using UDP: hotmail.com.

Both TCP and UDP queries succeeded. Local DNS test passed.



Checking remote domain records.

Checking MX records using TCP: xerox.ca.

Checking MX records using UDP: xerox.ca.

Both TCP and UDP queries succeeded. Remote DNS test passed.



Checking MX servers listed for (e-mail address removed)

Connecting to xbs.xerox.ca [205.150.246.2] on port 25.

Connecting to the server failed. Error: 10060

Failed to submit mail to xbs.xerox.ca.

Connecting to mail.uunet.ca [142.77.2.9] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.1.58] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.24] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.13] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.11] on port 25.

Successfully connected to mail.uunet.ca.

Connecting to mail.uunet.ca [142.77.2.10] on port 25.

Successfully connected to mail.uunet.ca.







hope it helps



undr

It seems that possibly ISA is not allowing DNS traffic. When using nslookup
from the Exchange server, and you select to use 192.168.48.16 as the server
for nslookup, does it work?

On your internal DNS, did you disable recursion or does the Root zone exist?

Ace

 

[news.microsoft.com]

recursion is not disabled

 

[news.microsoft.com]

sorry also the recursion is not diabled, and there are no errors in the dns
event log, i have had some related to problems with active directory
replication, but after i sorted that out everything has been fine other than
outound email

 

[news.microsoft.com]

recursion for thing sinside the network does work, iut is only domains
outside of the network

 

[news.microsoft.com]

when i do an nslookup with the internal server, i get dns request timed out.
however when i ping say hotmail dot com ... the thing wont ping (i have that
blocked) but it resolves the ip even after i do a flush dns etc



"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

recursion for thing sinside the network does work, iut is only domains
outside of the network

Is there a firewall?

 

[Ace Fekay [MVP]]

In

sorry also the recursion is not diabled, and there are no errors in
the dns event log, i have had some related to problems with active
directory replication, but after i sorted that out everything has
been fine other than outound email

Ok, so recursion is NOT disabled, as I see you've posted that a couple
times. Understood.

BUT, you didn't respond to my ISA question. That is relevant, believe it or
not. I still believe there's something up with the ISA config. Maybe
posting this to the ISA group may yield better results.

Ace

 

[Ace Fekay [MVP]]

In

Is there a firewall?

Scratch that. See my response about the ISA issue.