Geekzone: technology news, blogs, forums

Topic # 132209 12-Oct-2013 17:20, posted by BinaryLimited

Exchange Server 2010 can send mail but not receive anything.

Current setup:

PTR --> x.x.x.1 (internal IP) points to 1.2.3.4 (public IP)
domain controller = x.x.x.1 (abc.com)
exchange server = x.x.x.2 (internal IP)

I've set up the PTR in the DNS server on the domain controller.
I have also set up the forwards in the DNS server on the domain controller.

For some reason the MX record keeps showing the local IP (x.x.x.2) on mxtoolbox.com.

Any idea why it keeps showing the internal IP of the Exchange server?

Reply # 914199 12-Oct-2013 19:19, Regs

Can your Exchange server be seen from the internet? i.e. if you telnet to port 25 on your external IP, do you get the "220 myserver.mydomain.co.nz Microsoft ESMTP MAIL Service ready" banner?

Not quite sure I understand what you're doing with DNS and PTR/MX records. Normally you have an A record, a PTR (if available) and an MX record.

Note that a PTR record is *not* required for mail delivery. If you don't have one, you may be more likely to get blocked as spam by other mail servers.

An MX record *is* required. This is what tells other servers where to send mail for your domain.

e.g. (if your ext IP was 200.200.200.200)

External DNS records:
200.200.200.200 A myserver.mydomain.co.nz
mydomain.co.nz MX 10 myserver.mydomain.co.nz
myserver.mydomain.co.nz PTR 200.200.200.200

Internal DNS records (if using split brain DNS):
192.168.0.2 A myserver.mydomain.co.nz
mydomain.co.nz MX 10
myserver.mydomain.co.nz PTR 192.168.0.2

Normally external DNS servers do not show internal records unless you explicitly load them. Not sure how you ended up with an internal IP address there.

Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs
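
The walk a sending mail server actually performs is MX, then the A record of the MX target, then (optionally) the PTR of that address, and finally a TCP connection to port 25 for the 220 banner. The script below is an added example, not code from the post above or from Geekzone; it does that walk over two constructed record sets using only the Python standard library. RECORDS_LEAKED reproduces the symptom in the original question (the public MX target carries an RFC 1918 address), RECORDS_PUBLIC is the "External DNS records" layout from the reply with the reply's example address 200.200.200.200. The names, addresses and the banner text are taken from the reply; smtp_banner is the telnet test and needs a real network, so it is the one function not exercised offline.

```python
import ipaddress
import socket

# Constructed record sets, not real lookups. RECORDS_LEAKED mirrors the
# poster's symptom: the public MX points at a host whose A record carries
# an RFC 1918 address. RECORDS_PUBLIC is the "External DNS records" layout
# from the reply above with its example address 200.200.200.200.
RECORDS_LEAKED = {
    "MX": {"mydomain.co.nz": [(10, "myserver.mydomain.co.nz")]},
    "A": {"myserver.mydomain.co.nz": ["192.168.0.2"]},
    "PTR": {},
}
RECORDS_PUBLIC = {
    "MX": {"mydomain.co.nz": [(10, "myserver.mydomain.co.nz")]},
    "A": {"myserver.mydomain.co.nz": ["200.200.200.200"]},
    "PTR": {"200.200.200.200": "myserver.mydomain.co.nz"},
}


def is_routable(addr):
    """True if a mail server elsewhere on the internet could reach addr."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_mail_dns(domain, records):
    """Walk MX -> A -> PTR the way a sending MTA would and return findings.

    An empty list means the published records are consistent; each entry
    is a reason mail will not arrive or will be scored as spam.
    """
    findings = []
    mx = records["MX"].get(domain, [])
    if not mx:
        findings.append("no MX record: sending servers have no target for %s" % domain)
        return findings
    for _pref, host in sorted(mx):          # lowest preference first
        host = host.rstrip(".")
        addrs = records["A"].get(host, [])
        if not addrs:
            findings.append("MX target %s has no A record" % host)
            continue
        for addr in addrs:
            if not is_routable(addr):
                findings.append(
                    "MX target %s resolves to %s, which is not reachable from the "
                    "internet: the internal zone is being served publicly" % (host, addr))
                continue                     # PTR is moot for a non-routable address
            ptr = records["PTR"].get(addr)
            if ptr is None:
                findings.append("no PTR for %s: delivery works, but expect spam "
                                "scoring or rejections" % addr)
            elif ptr.rstrip(".").lower() != host.lower():
                findings.append("PTR for %s is %s, not %s (forward/reverse mismatch)"
                                % (addr, ptr, host))
    return findings


def smtp_banner(host, port=25, timeout=10.0):
    """The 'telnet to port 25' test: connect from OUTSIDE the firewall and
    return the greeting line. Needs network access, so not run offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(512).decode("ascii", "replace").strip()
        sock.sendall(b"QUIT\r\n")
    return banner


def banner_ok(banner):
    """True if the greeting is the SMTP 220 'service ready' reply."""
    return banner.startswith("220 ") or banner.startswith("220-")


if __name__ == "__main__":
    for label, recs in (("leaked", RECORDS_LEAKED), ("public", RECORDS_PUBLIC)):
        print(label, check_mail_dns("mydomain.co.nz", recs) or ["ok"])
```

Run the offline part as-is to see the leaked set flagged and the public set pass; for a live check, replace the record dicts with what a public resolver (not the domain controller) returns, and call smtp_banner against the external address from a host outside the firewall, since hairpin NAT often makes the same test pass or fail for the wrong reason from inside.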


Reply # 914787 14-Oct-2013 13:45, Ragnor

Great answer by Regs.

Also, for the external PTR, if you're not the owner of the IP address range, you will need to get the provider who owns the IP address range to set up a reverse DNS record/delegation.

Reply # 914798 14-Oct-2013 13:54, Regs

Binary was using the Windows DNS server in an AD domain to host the *.mydomain.co.nz nameserver records.

Because the server was serving internal addresses, there was a need to either:
* set up a second non-AD-integrated DNS server and use this for the external zone (split brain DNS)
* use the domain name hosting services (GoDaddy) to host the external-facing DNS

Easiest option was to go with external DNS services, and I think this is all up and running now.




Reply # 914810 14-Oct-2013 14:12, Ragnor

Yes, definitely not a good idea for the AD server to be doing internal and external DNS, imo.



Reply # 914824 14-Oct-2013 14:34, BinaryLimited

Regs: Binary was using windows DNS server in an AD domain to host the *.mydomain.co.nz nameserver records.

Because the server was serving internal addresses, there was a need to either:
* set up a second non-AD integrated DNS server and use this for external zone (split brain DNS)
* use the domain name hosting services (godaddy) to host the external facing DNS

Easiest option was to go with external DNS services, and i think this is all up and running now.


Thanks again for the help Reg... All is up and running... well, not now, due to me swapping some servers around. Did some mods to my Supermicro server, which sounded like a jet taking off. Dropped the fans from 12V to 5V... working like a charm now, and most importantly, not so louuuuuuuuuuuuud.

With the DC, I was under the impression the setup goes something like this:
Domain.com ---> internet ---> PTR points to DC --> domain controller (distributing the required info) ---> exchange server

Turns out that pointing the PTR directly to the Exchange server solved everything, including the DNS management stuff you mentioned with GoDaddy.






Reply # 914832 14-Oct-2013 14:38, BinaryLimited

Ragnor: Yes definitely not a good idea for AD server to be doing internal and external dns imo.


Why is that? Technical or Noob answer would be fine :)




Reply # 914995 14-Oct-2013 19:54, Ragnor

BinaryLimited:
Ragnor: Yes definitely not a good idea for AD server to be doing internal and external dns imo.


Why is that? Technical or Noob answer would be fine :)


Security - there are a whole bunch of attacks/exploits that are enabled by running caching/recursive and authoritative DNS on the same server.
http://bestpractices.wikia.com/wiki/DNS_Introduction
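
The practical check behind that point is whether the name server you publish to the internet will recurse for anyone who asks. If it does, the cache your own Exchange and AD clients rely on lives on a box every internet host can send queries and spoofed replies to, and the 16-bit transaction ID is one of the few things a forged reply has to match. The script below is an added example, not from Ragnor's post or the linked wiki; it builds a DNS query by hand in RFC 1035 wire format, sends it for a name outside your zone, and classifies the reply from the header flags. The classification rules are generic (REFUSED or a referral means recursion is off for you; RA plus an answer means an open resolver) and do not describe any particular server product. The server address and test name are placeholders; run it from outside your network against your public name server.

```python
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5


def build_query(name, qtype=QTYPE_A, txid=0x1234, recursion_desired=True):
    """Encode a single-question DNS query in RFC 1035 wire format."""
    flags = 0x0100 if recursion_desired else 0x0000        # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp):
    """Decode the 12-byte DNS header into the fields that matter here."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # this is a response
        "aa": bool(flags & 0x0400),      # authoritative answer
        "ra": bool(flags & 0x0080),      # server advertises recursion
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def classify(hdr):
    """Interpret a reply to a query for a name OUTSIDE the server's own zones."""
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"                 # recursion disabled for this client: what you want
    if hdr["rcode"] != 0:
        return "error-rcode-%d" % hdr["rcode"]
    if hdr["ra"] and hdr["ancount"] > 0:
        return "open-resolver"           # it fetched someone else's data for a stranger
    if hdr["ra"]:
        return "recursion-advertised"    # RA set but no answer: still worth investigating
    if hdr["ancount"] == 0 and hdr["nscount"] > 0:
        return "referral"                # pointed us elsewhere without resolving
    return "no-recursion"


def probe(server, name="www.example.com.", timeout=3.0):
    """UDP query to server:53 for an out-of-zone name; returns a classification.
    A random transaction ID is used because a predictable one is exactly
    what makes spoofed replies to a recursive server easy to land."""
    txid = random.getrandbits(16)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return classify(hdr)


if __name__ == "__main__":
    import sys
    # Placeholder: substitute the public address of your own name server.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "203.0.113.53"))
```

Anything other than "refused", "referral" or "no-recursion" from the public side means the authoritative server is also acting as a resolver for the internet and should have recursion turned off (or be split into a separate internal resolver, as the thread suggests).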



Reply # 915012 14-Oct-2013 20:08, BinaryLimited

Ragnor:
BinaryLimited:
Ragnor: Yes definitely not a good idea for AD server to be doing internal and external dns imo.


Why is that? Technical or Noob answer would be fine :)


Security - there are whole bunch of attacks/exploits that are enabled by running caching/recursive and authoritative dns on the same server.
http://bestpractices.wikia.com/wiki/DNS_Introduction


Any other reasons?




Reply # 915031 14-Oct-2013 20:36, Regs

BinaryLimited:
Ragnor:
BinaryLimited:
Ragnor: Yes definitely not a good idea for AD server to be doing internal and external dns imo.


Why is that? Technical or Noob answer would be fine :)


Security - there are whole bunch of attacks/exploits that are enabled by running caching/recursive and authoritative dns on the same server.
http://bestpractices.wikia.com/wiki/DNS_Introduction


any other reasons?


Sometimes you want to run an internal IP address for a site which is different to the external IP address.
e.g.
internal: www.mydomain.co.nz A 192.168.1.100
external: www.mydomain.co.nz A 200.200.200.200

When accessing the www site internally, traffic will go directly to the web server instead of traversing out, then back in, the firewall. Sometimes it's not even possible to hit your own external IP from inside the firewall - depends on the firewall you have and the NAT/routing setup.




