POP3 DNS problem?

Archived from groups: microsoft.public.win2000.dns

X-posted in microsoft.public.exchange.admin
===============================

Arrived at work this morning to find that our PDC had purged the DNS zone -
AD portion of our only domain. Replication between our two DC was failing,
reporting with "RPC server not found..." errors. I found a KB article that
helped me get the AD portion reloaded. I did this same thing on both DNS
servers in our domain. I restarted all the netlogon services, as the KB
directed. I then found another KB article that helped me rebuild the NTDS
connector things in AD S&S. Replication from the PDC to the SDC works fine.
The Exchange server had been spitting out MSExchangeAL, MSExchangeFBPublish
and MSExchangeSA errors all day. After the fixes I applied, those all went
away. Everything seemed back to normal.

An hour after I left the office I got a phone call from a POP user who could
not logon to the POP server (Exchange 2003) to get his mail. I tested and
found that he was correct. The same server also serves as a VPN endpoint as
well as a terminal server. Those two services are functioning perfectly, as
tested. It seems to only be the POP service that is experiencing this
issue. I tried changing authentication settings, connection accept/deny
lists, restarting services and changing the LogOn account of the Exchange
POP3 service, to no avail. Nothing worked. It would seem that the
connection is getting through to the server (I can see the connections in
the Sessions window in ESM) but is not able to have the user account
authenticated.

Is there a correlation between the POP and DNS problems? AD *was* behaving
awkwardly before I finished the replications. It was slow and once in a
while would spit out a Win32 error, indicating that it could not connect to
the domain controller. We made no changes to any info in AD during this
period. If this is not an AD or DNS related issue, what would possibly be
the culprit? I've exhausted my knowledge on the subject and haven't had
more KB or google luck in the last 5 hours or so.

Your thoughts are appreciated. TIA :-]
-Brian
  1. Archived from groups: microsoft.public.win2000.dns

    > Arrived at work this morning to find that our PDC had purged the DNS zone -
    > AD portion of our only domain. Replication between our two DC was failing,
    > reporting with "RPC server not found..." errors. I found a KB article that
    > helped me get the AD portion reloaded. I did this same thing on both DNS
    > servers in our domain. I restarted all the netlogon services, as the KB
    > directed. I then found another KB article that helped me rebuild the NTDS
    > connector things in AD S&S. Replication from the PDC to the SDC works fine.
    > The Exchange server had been spitting out MSExchangeAL, MSExchangeFBPublish
    > and MSExchangeSA errors all day. After the fixes I applied, those all went
    > away. Everything seemed back to normal.

    Chances are you don't have ALL of your DCs and other internal
    DNS clients set to use your INTERNAL DNS ONLY.

    Internal DNS clients must use strictly your internal DNS servers
    on the NIC->IP properties.

    > Is there a correlation between the POP and DNS problems?

    Well, yes, for finding the POP server (DNS name-->IP) but
    other than that POP isn't really related to DNS.*

    Unless you have your POP server (somehow) set to use
    integrated authentication where it checks the user against
    your Windows accounts (instead of using separate POP
    accounts.)

    AD authentication problems are frequently DNS problems.

    > Your thoughts are appreciated. TIA :-]


    DNS for AD
    1) Dynamic for the zone supporting AD
    2) All internal DNS clients NIC\IP properties must specify SOLELY
    that internal, dynamic DNS server (set.)
    3) DCs and even DNS servers are DNS clients too -- see #2
    4) If you have more than one Domain, every DNS server must
    be able to resolve ALL domains (either directly or indirectly)

    netdiag /fix

    ....or maybe:

    dcdiag /fix

    (Win2003 can do this from Support tools):
    nltest /dsregdns /server:DC-ServerNameGoesHere
    http://support.microsoft.com/kb/q260371/

    Ensure that DNS zones/domains are fully replicated to all DNS
    servers for that (internal) zone/domain.

    Also useful may be running DCDiag on each DC, sending the
    output to a text file, and searching for FAIL, ERROR, WARN.

    Single Label domain zone names are a problem Google:
    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
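
The suggestion above to send DCDiag output to a text file and search it for FAIL, ERROR and WARN, worked as an added example (not code from the thread or from Microsoft). The sample output is constructed, and the function names and the assumed line layout of dcdiag's text output are this example's own. It reports tests that failed and also tests that passed while still printing warnings.

```python
import re
from collections import defaultdict

# Constructed sample in the usual dcdiag text layout (not output from the thread).
SAMPLE_DCDIAG = r"""
Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
            The replication generated an error (1722):
            The RPC server is unavailable.
         ......................... DC1 failed test Replications
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC1 passed test frsevent
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
"""

START_RE = re.compile(r"^\s*Starting test:\s*(\S+)", re.I)
RESULT_RE = re.compile(
    r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$", re.I)
KEYWORD_RE = re.compile(r"\b(fail\w*|error\w*|warn\w*)\b", re.I)


def scan_dcdiag(text):
    """Return (results, findings).

    results:  {(target, test): "passed" | "failed"} from the dotted verdict lines.
    findings: {test: [detail lines containing FAIL/ERROR/WARN]} seen between
              "Starting test:" and that test's verdict line.
    """
    results = {}
    findings = defaultdict(list)
    current = None  # name of the test whose detail lines are being read
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RESULT_RE.match(line)
        if m:
            target, verdict, test = m.group(1), m.group(2).lower(), m.group(3)
            results[(target, test)] = verdict
            current = None
            continue
        if current and KEYWORD_RE.search(line):
            findings[current].append(line.strip())
    return results, dict(findings)


def needs_attention(text):
    """Tests that failed outright, plus tests that passed but logged a keyword."""
    results, findings = scan_dcdiag(text)
    failed = {test for (_, test), verdict in results.items() if verdict == "failed"}
    return sorted(failed | set(findings))


if __name__ == "__main__":
    for name in needs_attention(SAMPLE_DCDIAG):
        print("review:", name)
```
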
  2. Archived from groups: microsoft.public.exchange2000.admin,microsoft.public.win2000.dns

    BigDogBrian wrote:
    > X-posted in microsoft.public.exchange.admin
    > ===============================
    >
    > Arrived at work this morning to find that our PDC had purged the DNS
    > zone - AD portion of our only domain. Replication between our two DC
    > was failing, reporting with "RPC server not found..." errors. I
    > found a KB article that helped me get the AD portion reloaded. I did
    > this same thing on both DNS servers in our domain. I restarted all
    > the netlogon services, as the KB directed. I then found another KB
    > article that helped me rebuild the NTDS connector things in AD S&S.
    > Replication from the PDC to the SDC works fine. The Exchange server
    > had been spitting out MSExchangeAL, MSExchangeFBPublish and
    > MSExchangeSA errors all day. After the fixes I applied, those all
    > went away. Everything seemed back to normal.
    > An hour after I left the office I got a phone call from a POP user
    > who could not logon to the POP server (Exchange 2003) to get his
    > mail. I tested and found that he was correct. The same server also
    > serves as a VPN endpoint as well as a terminal server. Those two
    > services are functioning perfectly, as tested. It seems to only be
    > the POP service that is experiencing this issue. I tried changing
    > authentication settings, connection accept/deny lists, restarting
    > services and changing the LogOn account of the Exchange POP3 service,
    > to no avail. Nothing worked. It would seem that the connection is
    > getting through to the server (I can see the connections in the
    > Sessions window in ESM) but is not able to have the user account
    > authenticated.
    > Is there a correlation between the POP and DNS problems? AD *was*
    > behaving awkwardly before I finished the replications. It was slow
    > and once in a while would spit out a Win32 error, indicating that it
    > could not connect to the domain controller. We made no changes to
    > any info in AD during this period. If this is not an AD or DNS
    > related issue, what would possibly be the culprit? I've exhausted my
    > knowledge on the subject and haven't had more KB or google luck in
    > the last 5 hours or so.
    > Your thoughts are appreciated. TIA :-]
    > -Brian

    Actually you multi-posted this. I replied as a cross post (by posting to
    both newsgroups simultaneously).

    I would agree with Herb to check and make sure ALL machines in your
    organization are ONLY using in their IP properties your internal DNS servers
    only. If your DHCP scope lists your ISP's DNS, remove them too please. If
    you are looking for efficient Internet resolution, you can configure a
    forwarder to your ISP's DNS servers in DNS properties to forward all zones
    it's not authoritative for to your ISP's DNS.

    Anything and everything in AD uses DNS to find services running on a DC.
    Exchange uses AD, and more so, the GCs. They find them in DNS. If an
    Exchange server (or any other machine) has the ISP's DNS address in their
    properties (even if they are mixed with your private DNS and an ISP's
    DNS -which results in mixed results) will be asking the ISP's DNS, "Where is
    my domain controller?", and it will not have an answer for that.

    I hope this helped. If your DNS setting in IP properties are set correctly,
    and the DCs are registering their SRV records, and you are still having
    problems, the tests that Herb indicated are helpful in diagnosing such
    problems. If you are still having problems and ran the tests, please post
    the results so we can take a look at them for you.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Paramount: What's up with taking Enterprise off the air??
    Infinite Diversities in Infinite Combinations.
    =================================
  3. Archived from groups: microsoft.public.exchange2000.admin,microsoft.public.win2000.dns

    "Ace Fekay [MVP]"
    <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
    message news:%23Mt94h$OFHA.1500@TK2MSFTNGP09.phx.gbl...

    > Actually you multi-posted this. I replied as a cross post (by posting to
    > both newsgroups simultaneously).

    Oops, sorry :(

    >
    > I would agree with Herb to check and make sure ALL machines in your
    > organization are ONLY using in their IP properties your internal DNS
    > servers only. If your DHCP scope lists your ISP's DNS, remove them too
    > please. If you are looking for efficient Internet resolution, you can
    > configure a forwarder to your ISP's DNS servers in DNS properties to
    > forward all zones it's not authoritative for to your ISP's DNS.

    This problem has nothing to do with our internal clients. They use Exchange
    MAPI mailboxes and are sending/receiving mail fine. Only users external to
    our corporate network use POP. In fact, only one user, the owner of our
    company. And he refuses to switch to VPN and does not like OWA because he
    does not want his messages left on the server at all. He demands POP access
    :(

    BTW...yes, all internal clients point DNS to only internal DNS servers. The
    DHCP scope lists only internal DNS servers.

    >
    > Anything and everything in AD uses DNS to find services running on a DC.
    > Exchange uses AD, and more so, the GCs. They find them in DNS. If an
    > Exchange server (or any other machine) has the ISP's DNS address in their
    > properties (even if they are mixed with your private DNS and an ISP's
    > DNS -which results in mixed results) will be asking the ISP's DNS, "Where
    > is my domain controller?", and it will not have an answer for that.
    >
    > I hope this helped. If your DNS setting in IP properties are set
    > correctly, and the DCs are registering their SRV records, and you are
    > still having problems, the tests that Herb indicated are helpful in
    > diagnosing such problems. If you are still having problems and ran the
    > tests, please post the results so we can take a look at them for you.

    I'll give the tests a go and letcha know ;)

    >
    > --
    > Regards,
    > Ace
    >
    > Please direct all replies ONLY to the Microsoft public newsgroups
    > so all can benefit.
    >
    > This posting is provided "AS-IS" with no warranties or guarantees
    > and confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    > Microsoft Windows MVP - Windows Server - Directory Services
    >
    > Paramount: What's up with taking Enterprise off the air??
    > Infinite Diversities in Infinite Combinations.
    > =================================
    >
  4. Archived from groups: microsoft.public.win2000.dns

    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:%23AGmR$9OFHA.1268@TK2MSFTNGP14.phx.gbl...
    >> Arrived at work this morning to find that our PDC had purged the DNS zone -
    >> AD portion of our only domain. Replication between our two DC was failing,
    >> reporting with "RPC server not found..." errors. I found a KB article that
    >> helped me get the AD portion reloaded. I did this same thing on both DNS
    >> servers in our domain. I restarted all the netlogon services, as the KB
    >> directed. I then found another KB article that helped me rebuild the NTDS
    >> connector things in AD S&S. Replication from the PDC to the SDC works fine.
    >> The Exchange server had been spitting out MSExchangeAL, MSExchangeFBPublish
    >> and MSExchangeSA errors all day. After the fixes I applied, those all went
    >> away. Everything seemed back to normal.
    >
    > Chances are you don't have ALL of your DCs and other internal
    > DNS clients set to use your INTERNAL DNS ONLY.
    >
    > Internal DNS clients must use strictly your internal DNS servers
    > on the NIC->IP properties.
    >
    >> Is there a correlation between the POP and DNS problems?
    >
    > Well, yes, for finding the POP server (DNS name-->IP) but
    > other than that POP isn't really related to DNS.*
    >
    > Unless you have your POP server (somehow) set to use
    > integrated authentication where it checks the user against
    > your Windows accounts (instead of using separate POP
    > accounts.)
    >
    > AD authentication problems are frequently DNS problems.
    >
    >> Your thoughts are appreciated. TIA :-]
    >
    >
    > DNS for AD
    > 1) Dynamic for the zone supporting AD
    > 2) All internal DNS clients NIC\IP properties must specify SOLELY
    > that internal, dynamic DNS server (set.)
    > 3) DCs and even DNS servers are DNS clients too -- see #2
    > 4) If you have more than one Domain, every DNS server must
    > be able to resolve ALL domains (either directly or indirectly)
    >
    > netdiag /fix
    >
    > ...or maybe:
    >
    > dcdiag /fix
    >
    > (Win2003 can do this from Support tools):
    > nltest /dsregdns /server:DC-ServerNameGoesHere
    > http://support.microsoft.com/kb/q260371/
    >
    > Ensure that DNS zones/domains are fully replicated to all DNS
    > servers for that (internal) zone/domain.
    >
    > Also useful may be running DCDiag on each DC, sending the
    > output to a text file, and searching for FAIL, ERROR, WARN.
    >
    > Single Label domain zone names are a problem Google:
    > [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


    Result of netdiag tests on both DNS servers: all passed
    Result of dcdiag tests on both DNS servers: all passed

    The "nltest" command above did not work. I tried it with "nltest /dsregdns
    /server:<our DC server name>" and "nltest /dsregdns:<our DNS host name (same
    as DC server)>", both of which just spat out the options for nltest, meaning
    the command was not accepted.

    The domain name is not single labeled.

    It's weird. Everything is working fine except POP authentication. It's
    like the POP virtual server is not speaking to AD at all. I tried
    telnetting into port 110 and even that would not let me login.

    Any other ideas? I'm completely stumped. I had MS support on the phone for
    two hours earlier this morning and they could not figure it out either. I'm
    awaiting callback from them.

    Thank you for all of your assistance. It is greatly appreciated :]
  5. Archived from groups: microsoft.public.win2000.dns

    > > (Win2003 can do this from Support tools):
    > > nltest /dsregdns /server:DC-ServerNameGoesHere
    > > http://support.microsoft.com/kb/q260371/
    > >
    > > Ensure that DNS zones/domains are fully replicated to all DNS
    > > servers for that (internal) zone/domain.
    > >
    > > Also useful may be running DCDiag on each DC, sending the
    > > output to a text file, and searching for FAIL, ERROR, WARN.
    > >

    > Result of netdiag tests on both DNS servers: all passed
    > Result of dcdiag tests on both DNS servers: all passed

    Then you don't likely have a DNS problem, and the DCs
    are probably fully replicated.

    > The "nltest" command above did not work. I tried it with "nltest /dsregdns
    > /server:<our DC server name>" and "nltest /dsregdns:<our DNS host name (same
    > as DC server)>", both of which just spat out the options for nltest, meaning
    > the command was not accepted.

    This NLTest command has been 'improved' for Win2003
    so the switches work differently if you are using it on
    Win2000 (as indicated.)

    > The domain name is not single labeled.

    Then it's not an issue.

    > It's weird. Everything is working fine except POP authentication. It's
    > like the POP virtual server is not speaking to AD at all. I tried
    > telnetting into port 110 and even that would not let me login.

    What form of authentication protection is Pop using?

    (My Pop server uses a hash so it is impossible for me
    to just "type in" the "pass PASSWORD" command and
    I must run a Perl program to create the hash if I wish to
    login directly with Telnet/NetCat.)

    What error does Pop give?

    Is the Pop server able to authenticate you if you log
    into its console or terminal server?

    Since your Pop server is (apparently) using integrated
    authentication we need to make sure IT is able to
    find the DCs properly and authenticate you or whatever
    it does precisely.

    This would mean for instance that it is in the domain
    (or trusting domain relationship) and that its DNS client
    settings are correct -- pointing ONLY to internal DNS
    on the client NIC.

    > Any other ideas? I'm completely stumped. I had MS support on the phone for
    > two hours earlier this morning and they could not figure it out either. I'm
    > awaiting callback from them.
    >
    > Thank you for all of your assistance. It is greatly appreciated :]
    >
    >
  6. Archived from groups: microsoft.public.exchange2000.admin,microsoft.public.win2000.dns

    BigDogBrian wrote:

    > Oops, sorry :(

    No biggy...
  7. Archived from groups: microsoft.public.win2000.dns

    BigDogBrian wrote:
    > The "nltest" command above did not work. I tried it with "nltest
    > /dsregdns /server:<our DC server name>" and "nltest /dsregdns:<our
    > DNS host name (same as DC server)>", both of which just spat out the
    > options for nltest, meaning the command was not accepted.
    >
    > The domain name is not single labeled.
    >
    > It's weird. Everything is working fine except POP authentication. It's
    > like the POP virtual server is not speaking to AD at all. I
    > tried telnetting into port 110 and even that would not let me login.
    >
    > Any other ideas? I'm completely stumped. I had MS support on the
    > phone for two hours earlier this morning and they could not figure it
    > out either. I'm awaiting callback from them.
    >
    > Thank you for all of your assistance. It is greatly appreciated :]

    I got a dumb question, is the POP service started? Is this Exchange 2000 or
    2003? By default in Exchange 2003, POP and IMAP are disabled. If it's
    already running, are there any Event log errors in the App Log? Have you tried
    restarting the POP virtual server? Restarting the POP service too? You can
    go into the Ex server's properties (in the ESM) and enable Full logging for
    the POP service, which the results show up in the App Event Log. Be sure to
    turn it off when you're done, since it consumes resources.

    As far as the nltest, at this point, if everything else is running fine,
    and there are no Event log errors, I wouldn't worry about it, unless you
    figure out where your syntax is wrong.

    Ace
  8. Archived from groups: microsoft.public.win2000.dns

    I apologize that I haven't gotten back to y'all yet. I got pulled off of
    this problem and into some research for a lawsuit the past few days.

    You know what the problem ended up being? Username. Well, sort of. Prior
    to the DNS trouble we experienced last week, POP users were able to login to
    POP/SMTP using the username "<domain>\%username%" (as in domain\bob) to
    authenticate. Following the DNS crash and subsequent repair, they had to
    start using "domain\username\alias" (i.e. domain\bob\bob.smith) instead. As
    soon as I found out how to turn on the POP3 event log it took about ten
    minutes to solve that one. Weird. Their aliases hadn't changed or
    anything, it just stopped working the way it worked before. Based on the KB
    article describing that problem (don't have the URL handy at the moment) it
    sounded like the POP users *never* should have been able to authenticate
    without using the alias. I dunno. Worked fine before...

    Thank you very much for your assistance. It is greatly appreciated :-]

    -brian


    "Ace Fekay [MVP]"
    <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
    message news:ukTGomkPFHA.3336@TK2MSFTNGP10.phx.gbl...
    > BigDogBrian wrote:
    >> The "nltest" command above did not work. I tried it with "nltest
    >> /dsregdns /server:<our DC server name>" and "nltest /dsregdns:<our
    >> DNS host name (same as DC server)>", both of which just spat out the
    >> options for nltest, meaning the command was not accepted.
    >>
    >> The domain name is not single labeled.
    >>
    >> It's weird. Everything is working fine except POP authentication. It's
    >> like the POP virtual server is not speaking to AD at all. I
    >> tried telnetting into port 110 and even that would not let me login.
    >>
    >> Any other ideas? I'm completely stumped. I had MS support on the
    >> phone for two hours earlier this morning and they could not figure it
    >> out either. I'm awaiting callback from them.
    >>
    >> Thank you for all of your assistance. It is greatly appreciated :]
    >
    > I got a dumb question, is the POP service started? Is this Exchange 2000
    > or 2003? By default in Exchange 2003, POP and IMAP are disabled. If it's
    > already running, are there any Event log errors in the App Log? Have you
    > tried restarting the POP virtual server? Restarting the POP service too?
    > You can go into the Ex server's properties (in the ESM) and enable Full
    > logging for the POP service, which the results show up in the App Event
    > Log. Be sure to turn it off when you're done, since it consumes resources.
    >
    > As far as the nltest, at this point, if everything else is running fine,
    > and there are no Event log errors, I wouldn't worry about it, unless you
    > figure out where your syntax is wrong.
    >
    > Ace
    >