DNS conditional forwarder messed up mail flow between forest domains - Split DNS in use

    Question

  • I have what might be a simple problem, but I'm not sure.  We have two AD domains in separate forests. Both have separate Exchange 2013 deployments.

    One is for a company we are taking over, and I eventually need to set up a one-way trust from their domain to mine; both are AD 2012. A prerequisite for setting up a trust is that you set up DNS conditional forwarders on both sides for each other's domains.

    At their domain, they only use AD DNS.  On our domain we use split DNS.  That is, we have an external provider that is authoritative for our public DNS, so that for our externally facing websites and services a lookup returns a routable IP that hits our firewall and is translated to an internal NAT IP.

    For internal DNS, though, we make similar records, but pointing to the internal non-routable IP (e.g. 192.168.*.*) rather than the routable one.

    So for mail routing on the internet, we use an external DNS MX record that routes to our virus/spam firewall's external IP.  This other company sends us mail and gets it to us just like any other external entity.

    We set up a site-to-site VPN so we can route to each other's non-routable space.  Ours is 192.168.25.*, theirs is 10.0.0.*.

    When I set up the conditional forwarder for our domain, that forces their DNS queries to go directly to our AD DNS server at 192.168.25.2 and not to the external DNS provider.  This setup worked, and I could ping internal, non-externally advertised host names after I set it up.

    However, email flow broke. They started getting the following bounce message:

    Delivery is delayed to these recipients or groups:

    Generating server: EMAIL2.NTDOMAIN.local
    Receiving server: mydomain.com (192.168.25.2)

    Remote Server at mydomain.com (192.168.25.2) returned '400 4.4.7 Message delayed'
    2/12/2016 2:54:49 AM - Remote Server at mydomain.com (192.168.25.2) returned '441 4.4.1 Error encountered while communicating with primary target IP address: "Failed to connect. Winsock error code: 10061, Win32 error code: 10061." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.25.2:25'

    So basically delivery is attempted to my domain controller and not my Exchange server.  I assumed that when I set up the forwarder, it would use the MX records in my domain.  I checked, and I do have several MX records, some for SharePoint servers, but the one with the lowest priority (10) is my Exchange 2013 MB server.  So I'm not sure why mail delivery was attempted to my domain controller.

    Any help is greatly appreciated.

    Friday, February 12, 2016 8:54 PM

Answers

  • On your server, create a send connector with an address space of the other side's e-mail domain and the smart host set to the FQDN (if it will resolve correctly) or the IP address of one or more of their Exchange or SMTP relay servers.  Configure the other direction the same way.  This way, neither side will look for an MX record for the other domain.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, February 13, 2016 12:59 AM
    Moderator
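    The send-connector approach from the answer above, written out for the Exchange Management Shell as an added example (this is not code from the thread or from Microsoft; it is an illustration). Only the names and addresses that appear in the thread are real: 192.168.25.2 (the AD DNS server), mydomain.com, and EMAIL2.NTDOMAIN.local. Everything else is assumed: our Exchange 2013 server is called EXCH1 at 192.168.25.10, and the other company's SMTP domain is ntdomain.com. Step 1 is a diagnostic you run before changing anything: it asks the conditional-forwarder target the same MX and A questions the other side's Exchange asks, so you can see for yourself what the internal zone hands back. Steps 2 and 3 create the connector on each side; step 4 verifies it.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# Assumed (not in the thread): our Exchange 2013 server is EXCH1 at 192.168.25.10,
# and the other company's e-mail domain is ntdomain.com.

# 1. Diagnostic: what does the other side's Exchange see for mydomain.com once its
#    queries are forwarded to our internal AD DNS server at 192.168.25.2?
#    Compare the MX answer (if any) with the A record for the zone apex.
Resolve-DnsName -Name mydomain.com -Type MX -Server 192.168.25.2 -ErrorAction SilentlyContinue
Resolve-DnsName -Name mydomain.com -Type A  -Server 192.168.25.2

# 2. On OUR Exchange server: a send connector scoped to their domain only, delivering
#    to their Exchange server across the VPN. DnsRoutingEnabled $false is what makes
#    Exchange use the smart host instead of looking up MX records for the domain.
New-SendConnector -Name "Partner - NTDOMAIN via VPN" `
    -Usage Custom `
    -AddressSpaces "SMTP:ntdomain.com;1" `
    -SmartHosts "EMAIL2.NTDOMAIN.local" `
    -DnsRoutingEnabled $false `
    -SmartHostAuthMechanism None `
    -SourceTransportServers "EXCH1"

# 3. On THEIR Exchange server: the mirror image. Using our Exchange server's internal
#    IP rather than its name takes split DNS out of the picture entirely.
New-SendConnector -Name "Partner - mydomain via VPN" `
    -Usage Custom `
    -AddressSpaces "SMTP:mydomain.com;1" `
    -SmartHosts "192.168.25.10" `
    -DnsRoutingEnabled $false `
    -SmartHostAuthMechanism None `
    -SourceTransportServers "EMAIL2"

# 4. Verify: the connector exists with the expected routing settings, and port 25 on
#    the smart host is actually reachable through the VPN (the bounce in the thread
#    was a plain connection refusal, Winsock 10061).
Get-SendConnector | Format-List Name, AddressSpaces, SmartHosts, DnsRoutingEnabled, Enabled
Test-NetConnection -ComputerName 192.168.25.10 -Port 25
```

    Two points worth checking after creating the connectors. First, Exchange picks the send connector whose address space matches the recipient domain most specifically, so the "SMTP:ntdomain.com" connector wins over the existing internet connector's "*" for that domain only; nothing else changes. Second, the receiving side's Receive connector must accept SMTP from the partner's VPN source address (on Exchange 2013 the default front-end connector on port 25 accepts anonymous inbound mail, but verify it if the default has been changed). If the mail should not cross the VPN in the clear, add -RequireTLS $true to each connector and make sure both servers trust each other's certificates.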

All replies

  • That's a wonderful idea.  Thank you very much!
    Wednesday, February 17, 2016 8:58 PM
  • You're welcome.  Happy to have helped.

    Please feel free to mark posts as helpful and/or the answer to close the thread as appropriate.



    Wednesday, February 17, 2016 10:29 PM
    Moderator
  • Worked like a charm, btw.
    Thursday, February 25, 2016 3:43 PM