Problem with MX Records for Test Domain.

Kjell_Andorsen
Hi,

Our company recently let us create a test domain to let us test certain configurations outside a production environment.

We created the test domain as a totally separate Active Directory forest; our production environment consists of a single-domain forest as well. All our servers run W2k3.

We've set the Test domain up on a different subnet and our routers are set to route anything to that subnet over an internal connection.

Currently our DNS is Active Directory integrated on both the production and test domains. We set up a forwarder in our company's production DNS to forward DNS queries for the test domain to the test domain DNS server. We can ping hosts on the test domain by hostname and IP address, but for some reason we are unable to get the MX records to work. Trying to send mail to the Exchange server on the test domain fails; we're unable to ping the MX record. We are able to ping the Exchange server just by host name, but mail won't flow.

Does anyone have any idea which step we're missing here?
    Zen37

    I'm having trouble following your setup, but I will give it a try. I figure you are trying to get mail from the internet to your test environment. From the internet, if you do an MX query on your domain name, are you getting the correct answer? Is your firewall getting the mail connection (port 25)? Is your firewall receiving the mail? Can your firewall resolve your internal MX record of your test environment? Can your firewall connect to your mail server on port 25?

    Kjell_Andorsen

    We're trying to keep it off the internet. Basically we only want the test domain to be reachable from our main domain. We have excellent connectivity between the two domains and are able to resolve any DNS record except the MX records. The ports between the two domains are open and passing traffic.

    CG IT

    If you're using SMTP, the first thing to do is test Exchange using telnet. Here's a KB on it: http://support.microsoft.com/kb/153119/en-us

    Once you verify that Exchange will answer properly, meaning traffic over SMTP works, then it's a DNS problem. Whois queries must be resolved by authoritative DNS servers for the domain. If you're trying to send mail from one domain to another via a dedicated line, the send-from will query DNS and, if it can't be resolved, will forward the query out to the internet [or in this case the dedicated line] to the send-to domain, which must respond to the query. Otherwise the DNS query goes unanswered [no one knows whois that domain] and an NDR is generated.

    Make sure unresolved queries are forwarded to the right servers.

    Bottom line, some DNS server has to respond to the whois query. If not, mail won't flow.

    Kjell_Andorsen

    There is no problem with connectivity; we can communicate with the server itself, even RDC into it. The issue is definitely with DNS: for some reason normal host (A) records resolve fine, but not the MX record. We have the DNS servers in our main domain set to forward any queries for the test domain to the test domain DNS server, which is authoritative for the test domain. We just can't figure out why the test domain DNS server will resolve host records, but not MX records.

    CG IT

    Telnet to Exchange is not communicating with the server box, it's communicating with Exchange itself. It's a simple test and the first one to run if there are problems with the SMTP service. Exchange must return the test for the SMTP connector message or it's not functioning properly.

    If the send to domain will resolve A, HOST, CNAME records but not MX records, try deleting the old record, flush DNS, recreate the MX record and try again.

    After that, go see msexchange.org; it's probably the best and most comprehensive site for MS Exchange.

    Zen37

    First thing I would do is see if your DNS server is resolving the MX record from itself. From the DNS server, open a DOS window and do an NSLOOKUP. Then do a SET TYPE=MX. Then type the test domain's name. If you don't get a response, then your DNS itself has an issue.
    Make sure you have an "A" record that corresponds to your "MX" record. Have you tried reloading the DNS server service?
    What error message are you getting when you query your "MX" record? Can you show me your domainname.dns file?

    Kjell_Andorsen

    I telnetted into the Exchange service on port 25 and SMTP seems fine. I get the following:

    220 ddnpdc1.ddntest.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Tue, 14 Nov 2006 11:24:36 -0700

    I've also managed to do nslookup on the MX record for the test domain from the production domain. From what I can see it SHOULD be working, but it's still not. The bounce reply I get is "The destination server for this recipient could not be found in Domain Name Service (DNS)."

    When I do the nslookup on the MX record I get the following:

    C:\Documents and Settings\Kjella>nslookup -querytype=MX ddntest.com
    Server: ddnpdc1.drawnet.com
    Address: 10.0.0.24

    Non-authoritative answer:
    ddntest.com MX preference = 10, mail exchanger = ddnpdc1.ddntest.com

    ddnpdc1.ddntest.com internet address = 10.0.2.20

    I am able to send email from the Exchange server on the test domain to clients on the production domain.

    CG IT

    OK, then the Exchange SMTP connector is running properly.

    Then the problem is DNS and having an authoritative DNS server resolving the name to an IP address.

    If the send-from cannot resolve the send-to address, you'll get the NDR report at the send-from source. That means that DNS at the send-from cannot get the send-to DNS server to answer the whois query. DNS is over UDP/TCP port 53, so the firewall between the source and the destination needs to allow traffic over these ports.

    If a query isn't resolved, DNS will try a recursive query. There are DNS tests you can run to test queries in DNS. To run a simple query or recursive query, here's a TechNet article: http://technet2.microsoft.com/WindowsServer/en/library/bd028d6e-bc2f-40f8-b1e6-d3582214eb961033.mspx?mfr=true

    If you use non-routable addressing on the WAN, that also might be your problem.

    Here's a TechNet article on how DNS works:

    http://technet2.microsoft.com/WindowsServer/en/library/bd028d6e-bc2f-40f8-b1e6-d3582214eb961033.mspx?mfr=true

    Kjell_Andorsen

    Gosh, now I feel like an idiot. The answer was in the one piece of information I had overlooked. Our production domain uses two DCs/DNS servers; all our workstations and onsite servers use DC1 for DNS, but the servers at our datacenter co-location use DC2. We had loaded the secondary zone for the test domain on DC1, and so everything was resolving fine when we tested it from our workstations, but the zone was not loaded on DC2, which is what our Exchange server was using. Once we loaded the secondary zone on DC2 it worked beautifully. Figures it would be a stupid little oversight like that...

    Thank you guys so much for your help. I really appreciate the time you took to attempt to help me; you gave me some helpful suggestions that I will employ in future troubleshooting.
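
    The check this thread converges on, as an added example that is not from any poster: query the MX record for the test domain against each DNS server a mail host might actually be using (here the Exchange server used DC2 while the workstations used DC1, so testing only from a workstation hid the missing zone), using a hand-built DNS query over UDP port 53 so that only the Python standard library is needed. The domain ddntest.com is taken from the thread; the resolver addresses passed to query_mx are yours to supply, and the transaction-id check that rejects replies not matching the outstanding query is the resolver hygiene a stub should always apply.

```python
import random
import socket
import struct
def encode_name(name):
    # "ddntest.com" -> b"\x07ddntest\x03com\x00" (wire-format labels)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid):
    # Header (id, flags=RD, qdcount=1) followed by the question section, class IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(pkt, off):
    # Decode a possibly compressed name; return (name, offset just after it)
    labels = []
    while 0 < pkt[off] < 0xC0:  # plain labels until root (0) or a pointer
        ln = pkt[off]
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    if pkt[off] >= 0xC0:  # compression pointer: the tail is stored earlier
        labels.append(read_name(pkt, struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF)[0])
        return ".".join(labels), off + 2
    return ".".join(labels), off + 1

def parse_mx(pkt):
    # Return (rcode, [(preference, exchanger), ...]) from a DNS response
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = read_name(pkt, off)[1] + 4
    answers = []
    for _ in range(an):
        off = read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 15:  # MX rdata: 16-bit preference, then exchanger name
            pref = struct.unpack("!H", pkt[off + 10:off + 12])[0]
            answers.append((pref, read_name(pkt, off + 12)[0]))
        off += 10 + rdlen
    return flags & 0xF, answers

def query_mx(name, server, timeout=3.0):
    # Ask ONE named server (e.g. each DC in turn), not the default resolver
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, 15, txid), (server, 53))
        pkt, _ = s.recvfrom(4096)
    if struct.unpack("!H", pkt[:2])[0] != txid:  # reject stray/spoofed replies
        raise ValueError("DNS transaction id mismatch")
    return parse_mx(pkt)
```

    Run query_mx("ddntest.com", dc) once per DC address; an rcode of 3 (NXDOMAIN) or an empty answer list from one DC while another returns the exchanger is exactly the split this thread ended on.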

    junior

    I'm curious... you do know that it's not possible to ping MX records, right? After all... an MX record is basically a rule which directs mail traffic to a *real* record like A or CNAME; an MX record cannot be resolved cuz it's not real... it's only a type of rule, and since you said you WERE able to ping A records you should have no problem unless you somehow didn't create the MX record properly. In which case... your solution shouldn't work, but since it's working I assume you have manipulated your DNS structure to make something wrong work.
