Adding Second Domain on Exchange 2003 Problem

[200network]

Hi
I have a exchange 2003 on windows 2000 server, I already have a domain up and working, but I bought and new domain name call rfisd.net but I want to receive email from both domain name. so I do in the exhange and under default policy on recipient policy and add in my second smtp. apply the everyting. I can send email from inside with new domain name. but I can not recieve email from outside with new domain name. I check all the dns routing everything look good. here is the return email from google mail. look like it can not fine my server from outside.

Thank you
please advice

This is an automatically generated Delivery Status Notification


Delivery to the following recipient failed permanently:

lam@rfisd.net

Technical details of permanent failure:

TEMP_FAILURE: Could not initiate SMTP conversation with any hosts:
[rfisd7.randolph-field.k12.tx.us. (0): Connection timed out]


----- Original message -----

Received: by 10.78.137.7 with SMTP id k7mr1310881hud.1180714995876;
Fri, 01 Jun 2007 09:23:15 -0700 (PDT)
Received: by 10.78.163.19 with HTTP; Fri, 1 Jun 2007 09:23:15 -0700 (PDT)
Message-ID: <879dd210706010923v4c079c1dkce12d7e257f93006@mail. gmail.com>
Date: Fri, 1 Jun 2007 11:23:15 -0500
From: "Kevin Lam" <kl300zx@gmail.com>
To: lam@rfisd.net
Subject: test email
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_7497_10071034.1180714995853"


------=_Part_7497_10071034.1180714995853
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

hello

------=_Part_7497_10071034.1180714995853
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

----- Message truncated -----

 

[xmsre]

external dns for the new doain need an MX, A, and PTR record pointing to you.

 

[200network]

I setup everything up with godaddy dns
can you run a dns test for me?
my exchange server are rfisd7.randolph-field.k12.tx.us
69.147.13.7
my new domain name is rfisd.net

can you run some dns look up from outside
Thank you

 

[58sniper]

can you run some dns look up from outside

Why can't you do it?

http://www.dnsstuff.com/

is your friend.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[200network]

yes I can
when I ran a dns lookup mail.rfisd.net is return rfisd7.randolph-field.k12.tx.us which is my mail server from outside and when I look up rfisd.net is return my outside IP fine. no Problem.

 

[200network]

Category Status Test Name Information
Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO NS records at parent servers Your NS records at the parent servers are:

ns47.domaincontrol.com. [208.109.14.164] [TTL=172800] [US]
ns48.domaincontrol.com. [208.109.80.50] [TTL=172800] [US]
[These were obtained from c.gtld-servers.net]
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.
NS INFO NS records at your nameservers Your NS records at your nameservers are:

ns47.domaincontrol.com.
ns48.domaincontrol.com.

PASS Open DNS servers OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances that of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).
PASS Mismatched glue OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS All nameservers report identical NS records OK. The NS records at all your nameservers are identical.
PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS Number of nameservers OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS Missing (stealth) nameservers OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
PASS Missing nameservers 2 OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.
PASS No CNAMEs for domain OK. There are no CNAMEs for rfisd.net. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS Nameservers on separate class C's OK. You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS TCP Allowed OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
WARN Single Point of Failure WARNING: Although you have at least 2 NS records, they may both point to the same server (one of our two tests shows them being the same, the other does not), which would result in a single point of failure. You are required to have at least 2 nameservers per RFC 1035 section 2.2.
INFO Nameservers versions [For security reasons, this test is limited to members]
PASS Stealth NS record leakage Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA INFO SOA record Your SOA record [TTL=86400] is:

Primary nameserver: ns47.domaincontrol.com.
Hostmaster E-mail address: dns.jomax.net.
Serial #: 2007042700
Refresh: 28800
Retry: 7200
Expire: 604800
Default TTL: 86400

PASS NS agreement on SOA serial # OK. All your nameservers agree that your SOA serial number is 2007042700. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNS Report only checks the NS records listed at the parent servers (not any stealth servers).

PASS SOA MNAME Check OK. Your SOA (Start of Authority) record states that your master (primary) name server is: ns47.domaincontrol.com.. That server is listed at the parent servers, which is correct.

PASS SOA RNAME Check OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: dns@jomax.net. (techie note: we have changed the initial '.' to an '@' for display purposes).
PASS SOA Serial Number OK. Your SOA serial number is: 2007042700. This appears to be in the recommended format of YYYYMMDDnn, where 'nn' is the revision. So this indicates that your DNS was last updated on 27 Apr 2007 (and was revision #0). This number must be incremented every time you make a DNS change.
PASS SOA REFRESH value OK. Your SOA REFRESH interval is : 28800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.
PASS SOA RETRY value OK. Your SOA RETRY interval is : 7200 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
PASS SOA EXPIRE value OK. Your SOA EXPIRE time: 604800 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
PASS SOA MINIMUM TTL value OK. Your SOA MINIMUM TTL is: 86400 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 1 MX record is:

0 rfisd7.randolph-field.k12.tx.us. [TTL=3600] IP=69.147.13.7 (No Glue) [TTL=35396] [US]

PASS Low port test OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not.
PASS Invalid characters OK. All of your MX records appear to use valid hostnames, without any invalid characters.
PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
INFO Multiple MX records NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable.
PASS Differing MX-A records OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).
PASS Duplicate MX records OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
PASS Reverse DNS entries for MX records OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the

http://www.DNSstuff.com

Reverse DNS Tool for the current data). The reverse DNS entries are:

7.13.147.69.in-addr.arpa rfisd7.randolph-field.k12.tx.us. [TTL=38705]

Mail FAIL Connect to mail servers ERROR: I could not complete a connection to any of your mailservers!

rfisd7.randolph-field.k12.tx.us: Timed out [Last data sent: [Did not connect]]

If this is a timeout problem, note that the DNS report only waits about 40 seconds for responses, so your mail *may* work fine in this case but you will need to use testing tools specifically designed for such situations to be certain.
WWW
INFO

http://WWW Record

Your

http://www.rfisd.net

A record is:

http://www.rfisd.net.

CNAME rfisd.net. [TTL=3600]
rfisd.net. A 69.147.13.10 [TTL=3600] [US]

PASS All

http://WWW IPs

public OK. All of your

http://WWW IPs

appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.
PASS CNAME Lookup OK. You do have a CNAME record for

http://www.rfisd.net,

which can cause some confusion. However, this is legal. Your CNAME entry also returns the A record for the CNAME entry, which is good -- otherwise, it would require an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. Note that if the CNAME points to another CNAME, it will likely cause problems.
INFO Domain A Lookup Your rfisd.net A record is:

rfisd.net. A 69.147.13.10 [TTL=3600]

 

[200network]

look at this above message is fail to connect to mail server. but my mail server are up and running fine I can still recieve email from other domain name.

 

[58sniper]

mail.rfisd.net should point to the same IP address that your other MX records for the other domain point to.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[200network]

Sniper
this is my outside DNS setting, I don't see anything wrong with it.
Thankyou

rfisd.net
field in your domain-management interface.
A (Host)
Host Points To TTL Actions
@ 69.147.13.10 1 Hour
mail 69.147.13.7 1 Hour


CNAMES (Aliases)
Host Points To TTL Actions

http://www @

1 Hour


MX (Mail Exchange)
Priority Host Goes To TTL Actions
0 @ rfisd7.randolph-field.k12.tx.us 1 Hour


TXT (Text)
Host TXT Value TTL Actions
@ v=spf1 a mx ptr ~all 1 Hour


SRV (Service)

 

[58sniper]

MX for rfisd.net points to rfisd7.randolph-field.k12.tx.us

Attempting to telnet over port 25 to that address is denied. That's a routing/firewall issue. Can't ping it either.

You mentioned in the first post that this is a second domain name that's working. Obviously, if it's working, the MX record for that domain name is different than what you're using for this one. My question is, why? Why are they different if you want them to come to the same server?

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[200network]

Sniper
MX for rfisd.net points to rfisd7.randolph-field.k12.tx.us
because rfisd7.randolph-field.k12.tx.us is my current FQ domain name.
my current domian is name@randolph-field.k12.tx.us so we want short the email to name@rfisd.net for people from outside the send us email for shorter name, my current email domain is work fine, I add this rfisd.net to my current server because I want out user can recieve new email address and also old email, for me to setup a new server I have to setup and new active diretory again. because I run windows 2000 server. right now my current DNS is with my ISP and the new domain name I bought from goddady so I use godaddy dns. I wonder that cause a problem, as far routing I don't have anything block under port 25 in my firewall,
THank you

 

[58sniper]

You're missing the point entirely. If mail for randolph-field.k12.tx.us is going to the same server that mail for fisd.net is going to, then the MX record for fisd.net should point to the same IP as the one for randolph-field.k12.tx.us

Accoding to dnsstuff.com, that's
randolph-field.k12.tx.us. MX IN 86400 skylancer.esc20.net. [Preference = 2]

randolph-field.k12.tx.us. MX IN 86400 lancer.esc20.net. [Preference = 1]

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[200network]

Sniper
Thank you for all your help all this time. I check all the routing and fire wall and I correct some of the routing. but I still having problem with incomming email. something to do with relay, I already open relay for rfisd.net on my exchange server. this is the error from google

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

lam@rfisd.net

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 550 5.7.1 Unable to relay for lam@rfisd.net

----- Original message -----

Received: by 10.78.138.14 with SMTP id l14mr1335590hud.1181322151805;
Fri, 08 Jun 2007 10:02:31 -0700 (PDT)
Received: by 10.78.163.19 with HTTP; Fri, 8 Jun 2007 10:02:31 -0700 (PDT)
Message-ID: <879dd210706081002mce7b8b2icb28f1a5ecb45ae7@mail.gmail.com>
Date: Fri, 8 Jun 2007 12:02:31 -0500
From: "Kevin Lam" <kl300zx@gmail.com>
To: lam@rfisd.net
Subject: Test email
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_55637_16522572.1181322151411"

------=_Part_55637_16522572.1181322151411
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline



------=_Part_55637_16522572.1181322151411
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

----- Message truncated -----

 

[58sniper]

routing/firewall? If mail for the other domain is coming through those routers and firewalls, and going to the same server, then firewall and routers should not need any changes.


The **ONLY** thing you have to do to make a server support an additional domain name is to add it to the Recipient Policies and make sure it stamps the accounts with the new addresses. THATS IT. NOTHING ELSE (unless your anti-spam resource requires configuration for the domain name).

If the new domain name will be the default domain name, then you also need to have the PTR record updated to reflect that.

Nothing else.

5 minutes of work.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[200network]

Thank alot Sniper
will check on that again