Sign in with
Sign up | Sign in
Your question

POP3 DNS problem?

Last response: in Windows 2000/NT
Share
Anonymous
April 7, 2005 6:39:10 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

X-posted in microsoft.public.exchange.admin
===============================

Arrived at work this morning to find that our PDC had purged the DNS zone -
AD portion of our only domain. Replication between our two DC was failing,
reporting with "RPC server not found..." errors. I found a KB article that
helped me get the AD portion reloaded. I did this same thing on both DNS
servers in our domain. I restarted all the netlogon services, as the KB
directed. I then found another KB article that helped me rebuild the NTDS
connector things in AD S&S. Replication from the PDC to the SDC works fine.
The Exchange server had been spitting out MSExchangeAL, MSExchangeFBPublish
and MSExchangeSA errors all day. After the fixes I applied, those all went
away. Everything seemed back to normal.

An hour after I left the office I got a phone call from a POP user who could
not logon to the POP server (Exchange 2003) to get his mail. I tested and
found that he was correct. The same server also serves as a VPN endpoint as
well as a terminal server. Those two services are functioning perfectly, as
tested. It seems to only be the POP service that is experiencing this
issue. I tried changing authentication settings, connection accept/deny
lists, restarting services and changing the LogOn account of the Exchange
POP3 service, to no avail. Nothing worked. It would seem that the
connection is getting through to the server (I can see the connections in
the Sessions window in ESM) but is not able to have the user account
authenticated.

Is there a correlation between the POP and DNS problems? AD *was* behaving
awkwardly before I finished the replications. It was slow and once in a
while would spit out a Win32 error, indicating that it could not connect to
the domain controller. We made no changes to any info in AD during this
period. If this is not an AD or DNS related issue, what would possibly be
the culprit? I've exhausted my knowledge on the subject and haven't had
more KB or google luck in the last 5 hours or so.

Your thoughts are appreciated. TIA :-]
-Brian

More about : pop3 dns problem

Anonymous
April 8, 2005 12:48:25 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

> Arrived at work this morning to find that our PDC had purged the DNS
zone -
> AD portion of our only domain. Replication between our two DC was
failing,
> reporting with "RPC server not found..." errors. I found a KB article
that
> helped me get the AD portion reloaded. I did this same thing on both DNS
> servers in our domain. I restarted all the netlogon services, as the KB
> directed. I then found another KB article that helped me rebuild the NTDS
> connector things in AD S&S. Replication from the PDC to the SDC works
fine.
> The Exchange server had been spitting out MSExchangeAL,
MSExchangeFBPublish
> and MSExchangeSA errors all day. After the fixes I applied, those all
went
> away. Everything seemed back to normal.

Chances are you don't have ALL of your DCs and other internal
DNS clients set to use your INTERNAL DNS ONLY.

Internal DNS clients much use strictly your internal DNS servers
on the NIC->IP properties.

> Is there a correlation between the POP and DNS problems?

Well, yes, for finding the POP server (DNS name-->IP) but
other than that POP isn't really related to DNS.*

Unless you have your POP server (somehow) set to use
integrated authentication where it checks the user against
your Windows accounts (instead of using separate POP
accounts.)

AD authentication problems are frequently DNS problems.

> Your thoughts are appreciated. TIA :-]


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:D C-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
Anonymous
April 8, 2005 5:04:31 AM

Archived from groups: microsoft.public.exchange2000.admin,microsoft.public.win2000.dns (More info?)

BigDogBrian wrote:
> X-posted in microsoft.public.exchange.admin
> ===============================
>
> Arrived at work this morning to find that our PDC had purged the DNS
> zone - AD portion of our only domain. Replication between our two DC
> was failing, reporting with "RPC server not found..." errors. I
> found a KB article that helped me get the AD portion reloaded. I did
> this same thing on both DNS servers in our domain. I restarted all
> the netlogon services, as the KB directed. I then found another KB
> article that helped me rebuild the NTDS connector things in AD S&S.
> Replication from the PDC to the SDC works fine. The Exchange server
> had been spitting out MSExchangeAL, MSExchangeFBPublish and
> MSExchangeSA errors all day. After the fixes I applied, those all
> went away. Everything seemed back to normal.
> An hour after I left the office I got a phone call from a POP user
> who could not logon to the POP server (Exchange 2003) to get his
> mail. I tested and found that he was correct. The same server also
> serves as a VPN endpoint as well as a terminal server. Those two
> services are functioning perfectly, as tested. It seems to only be
> the POP service that is experiencing this issue. I tried changing
> authentication settings, connection accept/deny lists, restarting
> services and changing the LogOn account of the Exchange POP3 service,
> to no avail. Nothing worked. It would seem that the connection is
> getting through to the server (I can see the connections in the
> Sessions window in ESM) but is not able to have the user account
> authenticated.
> Is there a correlation between the POP and DNS problems? AD *was*
> behaving awkwardly before I finished the replications. It was slow
> and once in a while would spit out a Win32 error, indicating that it
> could not connect to the domain controller. We made no changes to
> any info in AD during this period. If this is not an AD or DNS
> related issue, what would possibly be the culprit? I've exhausted my
> knowledge on the subject and haven't had more KB or google luck in
> the last 5 hours or so.
> Your thoughts are appreciated. TIA :-]
> -Brian

Actually you multi-posted this. I replied as a cross post (by posting to
both newsgroups simultaneously).

I would agree with Herb to check and make sure ALL machines in your
organization are ONLY using in their IP properties your internal DNS servers
only. If your DHCP scope lists your ISP's DNs, remove them too please. If
you are looking for efficient Internet resolution, you can configure a
forwarder to your ISP's DNS servers in DNS properties to forward all zones
it;s not authorative for to your ISP's DNS.

Anything and everything in AD uses DNS to find services running on a DC.
Exchange uses AD, and more so, the GCs. They find them in DNS. If an
Exchange server (or any other machine) has the ISP's DNS address in their
properties (even if they are mixed with your private DNS and an ISP's
DNS -which results in mixed results) will be asking the ISP's DNS, "Where is
my domain controller?", and it will not have an answer for that.

I hope this helped. If your DNS setting in IP properties are set correctly,
and the DCs are registering their SRV records, and you are still having
problems, the tests that Herb indicated are helpful in diagnosing such
problems. If you are still having problems and ran the tests, please post
the results so we can take a look at them for you.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
Infinite Diversities in Infinite Combinations.
=================================
Related resources
Anonymous
April 8, 2005 3:10:31 PM

Archived from groups: microsoft.public.exchange2000.admin,microsoft.public.win2000.dns (More info?)

"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:%23Mt94h$OFHA.1500@TK2MSFTNGP09.phx.gbl...

> Actually you multi-posted this. I replied as a cross post (by posting to
> both newsgroups simultaneously).

Oops, sorry :( 

>
> I would agree with Herb to check and make sure ALL machines in your
> organization are ONLY using in their IP properties your internal DNS
> servers only. If your DHCP scope lists your ISP's DNs, remove them too
> please. If you are looking for efficient Internet resolution, you can
> configure a forwarder to your ISP's DNS servers in DNS properties to
> forward all zones it;s not authorative for to your ISP's DNS.

This problem has nothing to do with our internal clients. They use Exchange
MAPI mailboxes and are sending/receiving mail fine. Only users external to
our corporate network use POP. In fact, only one user, the owner of our
company. And he refuses to switch to VPN and does not like OWA because he
does not want his messages left on the server at all. He demands POP access
:( 

BTW...yes, all internal clients point DNS to only internal DNS servers. The
DHCP scope lists only internal DNS servers.

>
> Anything and everything in AD uses DNS to find services running on a DC.
> Exchange uses AD, and more so, the GCs. They find them in DNS. If an
> Exchange server (or any other machine) has the ISP's DNS address in their
> properties (even if they are mixed with your private DNS and an ISP's
> DNS -which results in mixed results) will be asking the ISP's DNS, "Where
> is my domain controller?", and it will not have an answer for that.
>
> I hope this helped. If your DNS setting in IP properties are set
> correctly, and the DCs are registering their SRV records, and you are
> still having problems, the tests that Herb indicated are helpful in
> diagnosing such problems. If you are still having problems and ran the
> tests, please post the results so we can take a look at them for you.

I'll give the tests a go and letcha know ;) 

>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Paramount: What's up with taking Enterprise off the air??
> Infinite Diversities in Infinite Combinations.
> =================================
>
Anonymous
April 8, 2005 3:42:00 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

"Herb Martin" <news@LearnQuick.com> wrote in message
news:%23AGmR$9OFHA.1268@TK2MSFTNGP14.phx.gbl...
>> Arrived at work this morning to find that our PDC had purged the DNS
> zone -
>> AD portion of our only domain. Replication between our two DC was
> failing,
>> reporting with "RPC server not found..." errors. I found a KB article
> that
>> helped me get the AD portion reloaded. I did this same thing on both DNS
>> servers in our domain. I restarted all the netlogon services, as the KB
>> directed. I then found another KB article that helped me rebuild the
>> NTDS
>> connector things in AD S&S. Replication from the PDC to the SDC works
> fine.
>> The Exchange server had been spitting out MSExchangeAL,
> MSExchangeFBPublish
>> and MSExchangeSA errors all day. After the fixes I applied, those all
> went
>> away. Everything seemed back to normal.
>
> Chances are you don't have ALL of your DCs and other internal
> DNS clients set to use your INTERNAL DNS ONLY.
>
> Internal DNS clients much use strictly your internal DNS servers
> on the NIC->IP properties.
>
>> Is there a correlation between the POP and DNS problems?
>
> Well, yes, for finding the POP server (DNS name-->IP) but
> other than that POP isn't really related to DNS.*
>
> Unless you have your POP server (somehow) set to use
> integrated authentication where it checks the user against
> your Windows accounts (instead of using separate POP
> accounts.)
>
> AD authentication problems are frequently DNS problems.
>
>> Your thoughts are appreciated. TIA :-]
>
>
> DNS for AD
> 1) Dynamic for the zone supporting AD
> 2) All internal DNS clients NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.)
> 3) DCs and even DNS servers are DNS clients too -- see #2
> 4) If you have more than one Domain, every DNS server must
> be able to resolve ALL domains (either directly or indirectly)
>
> netdiag /fix
>
> ...or maybe:
>
> dcdiag /fix
>
> (Win2003 can do this from Support tools):
> nltest /dsregdns /server:D C-ServerNameGoesHere
> http://support.microsoft.com/kb/q260371/
>
> Ensure that DNS zones/domains are fully replicated to all DNS
> servers for that (internal) zone/domain.
>
> Also useful may be running DCDiag on each DC, sending the
> output to a text file, and searching for FAIL, ERROR, WARN.
>
> Single Label domain zone names are a problem Google:
> [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


Result of netidag tests on both DNS servers: all passed
Result of dcdiag tests on both DNS servers: all passed

The "nltest" command above did not work. I tried it with "nltest /dsregdns
/server:<our DC server name>" and "nltest /dsregdns:<our DNS host name (same
as DC server)>", both of which just spat out the options for nltest, meaning
the command was not accepted.

The domain name is not single labeled.

It's weird. Everything is working fine except POP authentication. It's
like the POP virtual server is not speaking to AD at all. I tried
telnetting into port 110 and even that would not let me login.

Any other ideas? I'm completely stumped. I had MS support on the phone for
two hours earlier this morning and they could not figure it out either. I'm
awaiting callback from them.

Thank you for all of your assistance. It is greatly appreciated :]
Anonymous
April 9, 2005 8:47:46 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

> > (Win2003 can do this from Support tools):
> > nltest /dsregdns /server:D C-ServerNameGoesHere
> > http://support.microsoft.com/kb/q260371/
> >
> > Ensure that DNS zones/domains are fully replicated to all DNS
> > servers for that (internal) zone/domain.
> >
> > Also useful may be running DCDiag on each DC, sending the
> > output to a text file, and searching for FAIL, ERROR, WARN.
> >

> Result of netidag tests on both DNS servers: all passed
> Result of dcdiag tests on both DNS servers: all passed

Then you don't likely have a DNS problem, and the DCs
are probably fully replicated.

> The "nltest" command above did not work. I tried it with "nltest
/dsregdns
> /server:<our DC server name>" and "nltest /dsregdns:<our DNS host name
(same
> as DC server)>", both of which just spat out the options for nltest,
meaning
> the command was not accepted.

This NLTest command has been 'improved' for Win2003
so the switches work differently if you are using it on
Win2000 (as indicated.)

> The domain name is not single labeled.

Then it's not an issue.

> It's weird. Everything is working fine except POP authentication. It's
> like the POP virtual server is not speaking to AD at all. I tried
> telnetting into port 110 and even that would not let me login.

What form of authentication protection is Pop using?

(My Pop server uses as hash so it is impossible for me
to just "type in" the "pass PASSWORD" command and
I must run a Perl program to create the hash if I wish to
login directly with Telnet/NetCat.)

What error does Pop give?

Is the Pop server able to authenticate you if you log
into it's console or terminal server?

Since you Pop server is (apparently) using integrated
authentication we need to make sure IT is able to
find the DCs properly and authenticate you or whatever
it does precisely.

This would mean for instance that it is in the domain
(or trusting domain relationship) and that it's DNS client
settings are correct -- pointing ONLY to internal DNS
on the client NIC.

> Any other ideas? I'm completely stumped. I had MS support on the phone
for
> two hours earlier this morning and they could not figure it out either.
I'm
> awaiting callback from them.
>
> Thank you for all of your assistance. It is greatly appreciated :]
>
>
Anonymous
April 11, 2005 3:44:38 AM

Archived from groups: microsoft.public.exchange2000.admin,microsoft.public.win2000.dns (More info?)

BigDogBrian wrote:

> Oops, sorry :( 

No biggy...
Anonymous
April 11, 2005 3:50:47 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

BigDogBrian wrote:
> The "nltest" command above did not work. I tried it with "nltest
> /dsregdns /server:<our DC server name>" and "nltest /dsregdns:<our
> DNS host name (same as DC server)>", both of which just spat out the
> options for nltest, meaning the command was not accepted.
>
> The domain name is not single labeled.
>
> It's weird. Everything is working fine except POP authentication. It's
> like the POP virtual server is not speaking to AD at all. I
> tried telnetting into port 110 and even that would not let me login.
>
> Any other ideas? I'm completely stumped. I had MS support on the
> phone for two hours earlier this morning and they could not figure it
> out either. I'm awaiting callback from them.
>
> Thank you for all of your assistance. It is greatly appreciated :]

I got a dumb question, is the POP service started? Is this Exchange 2000 or
2003? By default in Exchange 2003, POP and IMAP are disabled. If it's
already running, is thre any Event log errors in the App Log? Have you tried
restarting the POP virtual server.? Restarting the POP service too? You can
go into the Ex server's properties (in the ESM) and enable Full logging for
the POP service, which the results show up in the App Event Log. Be sure to
turn it off when you;re done, since it consumes resources.

As far as the nlstest, at this point, if everything else is running fine,
and there are no Event log errors, I wouldn't worry about it, unless you
figure out where your syntax is wrong.

Ace
Anonymous
April 13, 2005 5:48:38 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

I apologize that I haven't gotten back to y'all yet. I got pulled off of
this problem and into some research for a lawsuit the past few days.

You know what the problem ended up being? Username. Well, sort of. Prior
to the DNS trouble we experienced last week, POP users were able to login to
POP/SMTP using the username "<domain>\%username%" (as in domain\bob) to
authenticate. Following the DNS crash and subsequent repair, they had to
start using "domain\username\alias" (i.e. domain\bob\bob.smith) instead. As
soon as I found out how to turn on the POP3 event log it took about ten
minutes to solve that one. Weird. Their aliases hadn't changed or
anything, it just stopped working the way it worked before. Based on the KB
article describing that problem (don't have the URL handy at the moment) it
sounded like the POP users *never* should have been able to authenticate
without using the alias. I dunno. Worked fine before...

Thank you very much for your assistance. It is greatly appreciated :-]

-brian


"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:ukTGomkPFHA.3336@TK2MSFTNGP10.phx.gbl...
> BigDogBrian wrote:
>> The "nltest" command above did not work. I tried it with "nltest
>> /dsregdns /server:<our DC server name>" and "nltest /dsregdns:<our
>> DNS host name (same as DC server)>", both of which just spat out the
>> options for nltest, meaning the command was not accepted.
>>
>> The domain name is not single labeled.
>>
>> It's weird. Everything is working fine except POP authentication. It's
>> like the POP virtual server is not speaking to AD at all. I
>> tried telnetting into port 110 and even that would not let me login.
>>
>> Any other ideas? I'm completely stumped. I had MS support on the
>> phone for two hours earlier this morning and they could not figure it
>> out either. I'm awaiting callback from them.
>>
>> Thank you for all of your assistance. It is greatly appreciated :]
>
> I got a dumb question, is the POP service started? Is this Exchange 2000
> or 2003? By default in Exchange 2003, POP and IMAP are disabled. If it's
> already running, is thre any Event log errors in the App Log? Have you
> tried restarting the POP virtual server.? Restarting the POP service too?
> You can go into the Ex server's properties (in the ESM) and enable Full
> logging for the POP service, which the results show up in the App Event
> Log. Be sure to turn it off when you;re done, since it consumes resources.
>
> As far as the nlstest, at this point, if everything else is running fine,
> and there are no Event log errors, I wouldn't worry about it, unless you
> figure out where your syntax is wrong.
>
> Ace
>
!