POP3 DNS problem?

Thread starter: BigDogBrian

BigDogBrian

X-posted in microsoft.public.exchange.admin
===============================

Arrived at work this morning to find that our PDC had purged the DNS zone -
AD portion of our only domain. Replication between our two DC was failing,
reporting with "RPC server not found..." errors. I found a KB article that
helped me get the AD portion reloaded. I did this same thing on both DNS
servers in our domain. I restarted all the netlogon services, as the KB
directed. I then found another KB article that helped me rebuild the NTDS
connector things in AD S&S. Replication from the PDC to the SDC works fine.
The Exchange server had been spitting out MSExchangeAL, MSExchangeFBPublish
and MSExchangeSA errors all day. After the fixes I applied, those all went
away. Everything seemed back to normal.

An hour after I left the office I got a phone call from a POP user who could
not logon to the POP server (Exchange 2003) to get his mail. I tested and
found that he was correct. The same server also serves as a VPN endpoint as
well as a terminal server. Those two services are functioning perfectly, as
tested. It seems to only be the POP service that is experiencing this
issue. I tried changing authentication settings, connection accept/deny
lists, restarting services and changing the LogOn account of the Exchange
POP3 service, to no avail. Nothing worked. It would seem that the
connection is getting through to the server (I can see the connections in
the Sessions window in ESM) but is not able to have the user account
authenticated.

Is there a correlation between the POP and DNS problems? AD *was* behaving
awkwardly before I finished the replications. It was slow and once in a
while would spit out a Win32 error, indicating that it could not connect to
the domain controller. We made no changes to any info in AD during this
period. If this is not an AD or DNS related issue, what would possibly be
the culprit? I've exhausted my knowledge on the subject and haven't had
more KB or google luck in the last 5 hours or so.

Your thoughts are appreciated. TIA :-]
-Brian
 
Arrived at work this morning to find that our PDC had purged the DNS
zone -
AD portion of our only domain. Replication between our two DC was failing,
reporting with "RPC server not found..." errors. I found a KB article that
helped me get the AD portion reloaded. I did this same thing on both DNS
servers in our domain. I restarted all the netlogon services, as the KB
directed. I then found another KB article that helped me rebuild the NTDS
connector things in AD S&S. Replication from the PDC to the SDC works fine.
The Exchange server had been spitting out MSExchangeAL, MSExchangeFBPublish
and MSExchangeSA errors all day. After the fixes I applied, those all went
away. Everything seemed back to normal.

Chances are you don't have ALL of your DCs and other internal
DNS clients set to use your INTERNAL DNS ONLY.

Internal DNS clients must use strictly your internal DNS servers
on the NIC->IP properties.
Is there a correlation between the POP and DNS problems?

Well, yes, for finding the POP server (DNS name-->IP) but
other than that POP isn't really related to DNS.*

Unless you have your POP server (somehow) set to use
integrated authentication where it checks the user against
your Windows accounts (instead of using separate POP
accounts.)

AD authentication problems are frequently DNS problems.
Your thoughts are appreciated. TIA :-]


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
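The two checks recommended above, parsing saved DCDiag output for failed tests and the FAIL/ERROR/WARN lines, and auditing every machine's DNS client list against the "internal DNS only" rule (DCs and DNS servers included), can be scripted offline once the output and the NIC settings have been collected. The block below is an added Python example, not code from the thread or from Microsoft's tools; the dcdiag text, the internal DNS addresses and the per-host DNS lists are constructed samples, not captured output.

```python
"""Offline triage for the AD/DNS checks above (added example, constructed data).

1. parse_dcdiag(): turns saved `dcdiag` output into {dc: {test: verdict}} and
   collects the other lines matching FAIL/ERROR/WARN.
2. audit_dns_clients(): flags any host whose NIC DNS list contains anything
   other than the internal DNS servers (an ISP resolver mixed in, or nothing).
"""
import ipaddress
import re

# Constructed sample in dcdiag's result-line format; not real captured output.
SAMPLE_DCDIAG = """\
Testing server: Default-First-Site-Name\\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: Advertising
      Warning: DC1 is not advertising as a time server.
      ......................... DC1 failed test Advertising
   Starting test: Replications
      [Replications Check,DC1] A recent replication attempt failed:
         The RPC server is unavailable.
      ......................... DC1 failed test Replications
   Starting test: Services
      ......................... DC1 passed test Services
"""

# "......................... <DC> passed|failed test <Name>"
RESULT_RE = re.compile(
    r"\.{3,}\s+(?P<dc>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)")
# The keyword search Herb suggests; case-insensitive so "Warning:" is caught.
NOISE_RE = re.compile(r"FAIL|ERROR|WARN", re.IGNORECASE)


def parse_dcdiag(text):
    """Return ({dc: {test: verdict}}, [non-result lines matching FAIL/ERROR/WARN])."""
    results, hits = {}, []
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            results.setdefault(m["dc"], {})[m["test"]] = m["verdict"]
        elif NOISE_RE.search(line):
            # Keyword grep is a coarse net: "The RPC server is unavailable."
            # carries no keyword and is only found via its failed test line.
            hits.append(line.strip())
    return results, hits


def failed_tests(results):
    """Sorted (dc, test) pairs that dcdiag reported as failed."""
    return sorted((dc, test) for dc, tests in results.items()
                  for test, verdict in tests.items() if verdict == "failed")


# Constructed addresses: two internal DNS servers and one ISP resolver.
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}
SAMPLE_CLIENTS = {
    "DC1": ["10.0.0.10", "10.0.0.11"],
    "DC2": ["10.0.0.11", "10.0.0.10"],
    "EXCH1": ["10.0.0.10", "203.0.113.53"],  # ISP resolver mixed in
    "TS1": ["203.0.113.53"],                 # ISP resolver only
}


def audit_dns_clients(clients, internal):
    """Return {host: [offending entries]}; hosts that list only internal
    servers are absent, a host with an empty list is reported as ['<none>']."""
    internal_ips = {ipaddress.ip_address(a) for a in internal}
    findings = {}
    for host, servers in clients.items():
        if not servers:
            findings[host] = ["<none>"]
            continue
        bad = [s for s in servers if ipaddress.ip_address(s) not in internal_ips]
        if bad:
            findings[host] = bad
    return findings


if __name__ == "__main__":
    res, noise = parse_dcdiag(SAMPLE_DCDIAG)
    print("failed:", failed_tests(res))
    print("keyword hits:", noise)
    print("DNS client findings:", audit_dns_clients(SAMPLE_CLIENTS, INTERNAL_DNS))
```

Feed parse_dcdiag() the text file produced by `dcdiag > dc1.txt` on each DC; collect the per-host DNS lists from the NIC properties (or the DHCP scope options) and pass them to audit_dns_clients(). Any host it reports, Exchange server and DCs included, is one that may be asking an outside resolver "where is my domain controller?".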
 
BigDogBrian said:
X-posted in microsoft.public.exchange.admin
===============================

Arrived at work this morning to find that our PDC had purged the DNS
zone - AD portion of our only domain. Replication between our two DC
was failing, reporting with "RPC server not found..." errors. I
found a KB article that helped me get the AD portion reloaded. I did
this same thing on both DNS servers in our domain. I restarted all
the netlogon services, as the KB directed. I then found another KB
article that helped me rebuild the NTDS connector things in AD S&S.
Replication from the PDC to the SDC works fine. The Exchange server
had been spitting out MSExchangeAL, MSExchangeFBPublish and
MSExchangeSA errors all day. After the fixes I applied, those all
went away. Everything seemed back to normal.
An hour after I left the office I got a phone call from a POP user
who could not logon to the POP server (Exchange 2003) to get his
mail. I tested and found that he was correct. The same server also
serves as a VPN endpoint as well as a terminal server. Those two
services are functioning perfectly, as tested. It seems to only be
the POP service that is experiencing this issue. I tried changing
authentication settings, connection accept/deny lists, restarting
services and changing the LogOn account of the Exchange POP3 service,
to no avail. Nothing worked. It would seem that the connection is
getting through to the server (I can see the connections in the
Sessions window in ESM) but is not able to have the user account
authenticated.
Is there a correlation between the POP and DNS problems? AD *was*
behaving awkwardly before I finished the replications. It was slow
and once in a while would spit out a Win32 error, indicating that it
could not connect to the domain controller. We made no changes to
any info in AD during this period. If this is not an AD or DNS
related issue, what would possibly be the culprit? I've exhausted my
knowledge on the subject and haven't had more KB or google luck in
the last 5 hours or so.
Your thoughts are appreciated. TIA :-]
-Brian

Actually you multi-posted this. I replied as a cross post (by posting to
both newsgroups simultaneously).

I would agree with Herb to check and make sure ALL machines in your
organization are ONLY using in their IP properties your internal DNS servers
only. If your DHCP scope lists your ISP's DNS, remove them too please. If
you are looking for efficient Internet resolution, you can configure a
forwarder to your ISP's DNS servers in DNS properties to forward all zones
it's not authoritative for to your ISP's DNS.

Anything and everything in AD uses DNS to find services running on a DC.
Exchange uses AD, and more so, the GCs. They find them in DNS. If an
Exchange server (or any other machine) has the ISP's DNS address in their
properties (even if they are mixed with your private DNS and an ISP's
DNS -which results in mixed results) will be asking the ISP's DNS, "Where is
my domain controller?", and it will not have an answer for that.

I hope this helped. If your DNS setting in IP properties are set correctly,
and the DCs are registering their SRV records, and you are still having
problems, the tests that Herb indicated are helpful in diagnosing such
problems. If you are still having problems and ran the tests, please post
the results so we can take a look at them for you.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
Infinite Diversities in Infinite Combinations.
=================================
 
Actually you multi-posted this. I replied as a cross post (by posting to
both newsgroups simultaneously).

Oops, sorry :(
I would agree with Herb to check and make sure ALL machines in your
organization are ONLY using in their IP properties your internal DNS
servers only. If your DHCP scope lists your ISP's DNS, remove them too
please. If you are looking for efficient Internet resolution, you can
configure a forwarder to your ISP's DNS servers in DNS properties to
forward all zones it's not authoritative for to your ISP's DNS.

This problem has nothing to do with our internal clients. They use Exchange
MAPI mailboxes and are sending/receiving mail fine. Only users external to
our corporate network use POP. In fact, only one user, the owner of our
company. And he refuses to switch to VPN and does not like OWA because he
does not want his messages left on the server at all. He demands POP access
:(

BTW...yes, all internal clients point DNS to only internal DNS servers. The
DHCP scope lists only internal DNS servers.
Anything and everything in AD uses DNS to find services running on a DC.
Exchange uses AD, and more so, the GCs. They find them in DNS. If an
Exchange server (or any other machine) has the ISP's DNS address in their
properties (even if they are mixed with your private DNS and an ISP's
DNS -which results in mixed results) will be asking the ISP's DNS, "Where
is my domain controller?", and it will not have an answer for that.

I hope this helped. If your DNS setting in IP properties are set
correctly, and the DCs are registering their SRV records, and you are
still having problems, the tests that Herb indicated are helpful in
diagnosing such problems. If you are still having problems and ran the
tests, please post the results so we can take a look at them for you.

I'll give the tests a go and letcha know ;)
 
Herb Martin said:
Arrived at work this morning to find that our PDC had purged the DNS zone -
AD portion of our only domain. Replication between our two DC was failing,
reporting with "RPC server not found..." errors. I found a KB article that
helped me get the AD portion reloaded. I did this same thing on both DNS
servers in our domain. I restarted all the netlogon services, as the KB
directed. I then found another KB article that helped me rebuild the
NTDS
connector things in AD S&S. Replication from the PDC to the SDC works fine.
The Exchange server had been spitting out MSExchangeAL, MSExchangeFBPublish
and MSExchangeSA errors all day. After the fixes I applied, those all went
away. Everything seemed back to normal.

Chances are you don't have ALL of your DCs and other internal
DNS clients set to use your INTERNAL DNS ONLY.

Internal DNS clients must use strictly your internal DNS servers
on the NIC->IP properties.
Is there a correlation between the POP and DNS problems?

Well, yes, for finding the POP server (DNS name-->IP) but
other than that POP isn't really related to DNS.*

Unless you have your POP server (somehow) set to use
integrated authentication where it checks the user against
your Windows accounts (instead of using separate POP
accounts.)

AD authentication problems are frequently DNS problems.
Your thoughts are appreciated. TIA :-]


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

...or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


Result of netdiag tests on both DNS servers: all passed
Result of dcdiag tests on both DNS servers: all passed

The "nltest" command above did not work. I tried it with "nltest /dsregdns
/server:<our DC server name>" and "nltest /dsregdns:<our DNS host name (same
as DC server)>", both of which just spat out the options for nltest, meaning
the command was not accepted.

The domain name is not single labeled.

It's weird. Everything is working fine except POP authentication. It's
like the POP virtual server is not speaking to AD at all. I tried
telnetting into port 110 and even that would not let me login.

Any other ideas? I'm completely stumped. I had MS support on the phone for
two hours earlier this morning and they could not figure it out either. I'm
awaiting callback from them.

Thank you for all of your assistance. It is greatly appreciated :]
 
(Win2003 can do this from Support tools):
Result of netdiag tests on both DNS servers: all passed
Result of dcdiag tests on both DNS servers: all passed

Then you don't likely have a DNS problem, and the DCs
are probably fully replicated.
The "nltest" command above did not work. I tried it with "nltest /dsregdns
/server:<our DC server name>" and "nltest /dsregdns:<our DNS host name (same
as DC server)>", both of which just spat out the options for nltest, meaning
the command was not accepted.

This NLTest command has been 'improved' for Win2003
so the switches work differently if you are using it on
Win2000 (as indicated.)
The domain name is not single labeled.

Then it's not an issue.
It's weird. Everything is working fine except POP authentication. It's
like the POP virtual server is not speaking to AD at all. I tried
telnetting into port 110 and even that would not let me login.

What form of authentication protection is Pop using?

(My Pop server uses a hash so it is impossible for me
to just "type in" the "pass PASSWORD" command and
I must run a Perl program to create the hash if I wish to
login directly with Telnet/NetCat.)

What error does Pop give?

Is the Pop server able to authenticate you if you log
into its console or terminal server?

Since your Pop server is (apparently) using integrated
authentication we need to make sure IT is able to
find the DCs properly and authenticate you or whatever
it does precisely.

This would mean for instance that it is in the domain
(or trusting domain relationship) and that its DNS client
settings are correct -- pointing ONLY to internal DNS
on the client NIC.
Any other ideas? I'm completely stumped. I had MS support on the phone for
two hours earlier this morning and they could not figure it out either. I'm
awaiting callback from them.

Thank you for all of your assistance. It is greatly appreciated :]
 
BigDogBrian said:
The "nltest" command above did not work. I tried it with "nltest
/dsregdns /server:<our DC server name>" and "nltest /dsregdns:<our
DNS host name (same as DC server)>", both of which just spat out the
options for nltest, meaning the command was not accepted.

The domain name is not single labeled.

It's weird. Everything is working fine except POP authentication. It's
like the POP virtual server is not speaking to AD at all. I
tried telnetting into port 110 and even that would not let me login.

Any other ideas? I'm completely stumped. I had MS support on the
phone for two hours earlier this morning and they could not figure it
out either. I'm awaiting callback from them.

Thank you for all of your assistance. It is greatly appreciated :]

I got a dumb question, is the POP service started? Is this Exchange 2000 or
2003? By default in Exchange 2003, POP and IMAP are disabled. If it's
already running, are there any Event log errors in the App Log? Have you tried
restarting the POP virtual server? Restarting the POP service too? You can
go into the Ex server's properties (in the ESM) and enable Full logging for
the POP service, which the results show up in the App Event Log. Be sure to
turn it off when you're done, since it consumes resources.

As far as the nltest, at this point, if everything else is running fine,
and there are no Event log errors, I wouldn't worry about it, unless you
figure out where your syntax is wrong.

Ace
 
I apologize that I haven't gotten back to y'all yet. I got pulled off of
this problem and into some research for a lawsuit the past few days.

You know what the problem ended up being? Username. Well, sort of. Prior
to the DNS trouble we experienced last week, POP users were able to login to
POP/SMTP using the username "<domain>\%username%" (as in domain\bob) to
authenticate. Following the DNS crash and subsequent repair, they had to
start using "domain\username\alias" (i.e. domain\bob\bob.smith) instead. As
soon as I found out how to turn on the POP3 event log it took about ten
minutes to solve that one. Weird. Their aliases hadn't changed or
anything, it just stopped working the way it worked before. Based on the KB
article describing that problem (don't have the URL handy at the moment) it
sounded like the POP users *never* should have been able to authenticate
without using the alias. I dunno. Worked fine before...

Thank you very much for your assistance. It is greatly appreciated :-]

-brian
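The thread ends on two practical points about POP3 authentication: Herb's remark that his server takes a hash rather than a typed "PASS" command (presumably APOP, the RFC 1939 digest mechanism; the thread does not name it), and Brian's finding that the login string mattered, with "domain\bob" refused after the repair while "domain\bob\bob.smith" worked. The Python model below is an added example, not Exchange's code or anything from the thread: it shows both sides of a USER/PASS exchange (clear-text password, what a telnet session to port 110 has to type) and of an APOP exchange (the client must compute MD5 over the server's banner plus the secret, so a typed password is rejected), and it parses the three login forms the thread reports. The mailbox table, the "require_alias" switch that reproduces the before/after behaviour, and the mapping from login string to mailbox are assumptions of the model; why Exchange started requiring the alias is not established by the thread and is not modelled.

```python
"""POP3 authentication model: RFC 1939 USER/PASS versus APOP, plus the login
forms reported in the thread. Added illustration, not Exchange's code; how a
login string maps to a mailbox is an assumption of this model."""
import hashlib
import hmac
import os
import socket
import time

# Constructed sample mailbox. APOP obliges the server to keep the clear-text
# secret (or an equivalent), one reason the scheme fell out of use.
MAILBOXES = {
    "bob": {"domain": "example", "alias": "bob.smith", "secret": "hunter2"},
}


def parse_login(login):
    """Split 'bob', 'example\\bob' or 'example\\bob\\bob.smith' into
    (domain, user, alias); parts that are absent come back as None."""
    parts = login.split("\\")
    if not 1 <= len(parts) <= 3 or not all(parts):
        raise ValueError("unrecognised login form: %r" % login)
    domain = parts[0] if len(parts) >= 2 else None
    user = parts[1] if len(parts) >= 2 else parts[0]
    alias = parts[2] if len(parts) == 3 else None
    return domain, user, alias


def apop_digest(banner, secret):
    """Client side of APOP: MD5 over the server's banner timestamp (angle
    brackets included) immediately followed by the shared secret."""
    return hashlib.md5((banner + secret).encode()).hexdigest()


class Pop3AuthModel:
    """Server side. require_alias=True refuses the two-part 'domain\\user'
    form and insists on 'domain\\user\\alias', mirroring the before/after
    behaviour described in the thread (assumed switch, cause not modelled)."""

    def __init__(self, require_alias=False):
        self.require_alias = require_alias
        # RFC 1939 APOP banner: a per-connection unique timestamp string.
        self.banner = "<%d.%d@%s>" % (os.getpid(), int(time.time()),
                                       socket.gethostname())
        self.pending_user = None

    def greeting(self):
        return "+OK POP3 server ready " + self.banner

    def _resolve(self, login):
        try:
            domain, user, alias = parse_login(login)
        except ValueError:
            return None
        box = MAILBOXES.get(user)
        if box is None:
            return None
        if domain is not None and domain != box["domain"]:
            return None
        if alias is not None and alias != box["alias"]:
            return None
        if self.require_alias and alias is None:
            return None
        return box

    def user(self, login):
        # Always +OK so a probe cannot distinguish valid from invalid names.
        self.pending_user = login
        return "+OK"

    def pass_(self, password):
        # Clear-text password: exactly what a telnet session to port 110
        # would type after USER, and what anyone on the path can read.
        box = self._resolve(self.pending_user) if self.pending_user else None
        self.pending_user = None
        if box is None or not hmac.compare_digest(box["secret"], password):
            return "-ERR authentication failed"
        return "+OK logged in"

    def apop(self, login, digest):
        # Typing the raw password here fails; only the digest is accepted.
        box = self._resolve(login)
        if box is None:
            return "-ERR authentication failed"
        expected = apop_digest(self.banner, box["secret"])
        if not hmac.compare_digest(expected, digest):
            return "-ERR authentication failed"
        return "+OK logged in"


def demo():
    """Replay the thread's before/after login forms and an APOP exchange."""
    before = Pop3AuthModel(require_alias=False)
    after = Pop3AuthModel(require_alias=True)
    out = {}
    before.user("example\\bob")
    out["before_two_part"] = before.pass_("hunter2")
    after.user("example\\bob")
    out["after_two_part"] = after.pass_("hunter2")
    after.user("example\\bob\\bob.smith")
    out["after_three_part"] = after.pass_("hunter2")
    out["apop_digest"] = after.apop("example\\bob\\bob.smith",
                                    apop_digest(after.banner, "hunter2"))
    out["apop_typed_password"] = after.apop("example\\bob\\bob.smith", "hunter2")
    return out
```

To exercise it against a real server, use the standard library's poplib: POP3(host).user()/pass_() for the clear-text path and POP3(host).apop(user, secret) for the digest path, which computes the same MD5(banner + secret) as apop_digest() above.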

 
BigDogBrian said:
You know what the problem ended up being? Username. Well, sort of. Prior
to the DNS trouble we experienced last week, POP users were
able to login to POP/SMTP using the username "<domain>\%username%"
(as in domain\bob) to authenticate. Following the DNS crash and
subsequent repair, they had to start using "domain\username\alias"
(i.e. domain\bob\bob.smith) instead. As soon as I found out how to
turn on the POP3 event log it took about ten minutes to solve that
one. Weird. Their aliases hadn't changed or anything, it just
stopped working the way it worked before. Based on the KB article
describing that problem (don't have the URL handy at the moment) it
sounded like the POP users *never* should have been able to
authenticate without using the alias. I dunno. Worked fine
before...
Thank you very much for your assistance. It is greatly appreciated

Glad to hear you got it working. Make sure you shut off Diagnostic Logging
in your Exchange server's properties.

Ace
 