Correct DNS configuration for exchange server 2003
Hello all and thanks in advance for your time and expertise. I'm no exchange expert but my boss has me doing some troubleshooting on the exchange box (we have exchange 2003 sp2 on server 2003). We have different namespaces for the internal and external network. For example's sake, our internal network is test.net and our external network is test.org. Our exchange box is part of the test.org domain and is a domain controller for this domain. I'm assuming exchange sets up AD on the exchange server as part of the setup. OK, here comes my first question: Should this server point to itself as its primary DNS server? Can the secondary DNS server be a domain controller/DNS server on the internal network? Additionally, this DNS server has a forwarder configured. I ask this because when we enabled the filter recipients option in the message delivery area of ESM, which filters messages for non-valid e-mail addresses not in AD, no e-mail was being delivered. This setting filtered all e-mail as though all of the e-mail addresses were invalid. Any ideas on why this happened? Could it be a DNS problem? Anyway, your help and expertise is greatly appreciated.
April 2nd, 2011 10:05pm

> I'm assuming exchange sets up AD on the exchange server as part of the setup.

No, it doesn't. Actually this is generally a bad setup. Exchange lives more happily on a member server.

> Should this server point to itself as its primary DNS server? Can the secondary DNS server be a domain controller/DNS server on the internal network? Additionally, this DNS server has a forwarder configured.

If you have DNS installed locally on the Exchange Server then it's normal to use that as the primary DNS, but it can also be any other internal DNS server. The same goes for the secondary DNS entry. A Forwarder is a pointer towards a DNS server that you want to resolve the DNS queries your internal DNS Server can't answer.

> I ask this because when we enabled the filter recipients option in the message delivery area of ESM, which filters messages for non-valid e-mail addresses not in AD, no e-mail was being delivered. This setting filtered all e-mail as though all of the e-mail addresses were invalid. Any ideas on why this happened? Could it be a DNS problem? Anyway, your help and expertise is greatly appreciated.

Have you done it like this? - Filter Out Mail to Non-Existent Users - Exchange 2003

Jesper Bernle | Blog: http://xchangeserver.wordpress.com
April 3rd, 2011 7:11am

On Sun, 3 Apr 2011 01:57:04 +0000, pendal1 wrote:

> Hello all and thanks in advance for your time and expertise. I'm no exchange expert but my boss has me doing some troubleshooting on the exchange box (we have exchange 2003 sp2 on server 2003). We have different namespaces for the internal and external network. For example's sake, our internal network is test.net and our external network is test.org. Our exchange box is part of the test.org domain and is a domain controller for this domain.

That sounds backwards. Your Exchange server is part of the test.NET AD forest (I'm assuming you have only one AD domain in the forest).

> I'm assuming exchange sets up AD on the exchange server as part of the setup.

The AD is managed by domain controllers. Exchange uses the AD to store its configuration data, but it doesn't manage or install the AD.

> OK, here comes my first question:
> Should this server point to itself as its primary DNS server?

It can, and it probably should.

> Can the secondary DNS server be a domain controller/DNS server on the internal network? Additionally, this DNS server has a forwarder configured.

This should answer your questions. It's really not an Exchange design thing though, it's a DNS/AD infrastructure design decision: http://support.microsoft.com/kb/825036

> I ask this because when we enabled the filter recipients option in the message delivery area of ESM, which filters messages for non-valid e-mail addresses not in AD, no e-mail was being delivered. This setting filtered all e-mail as though all of the e-mail addresses were invalid. Any ideas on why this happened? Could it be a DNS problem? Anyway, your help and expertise is greatly appreciated.

Checking for e-mail addresses that don't exist in the directory doesn't use DNS, it uses LDAP. Unless there's something seriously wrong, legitimate SMTP addresses should not be rejected.

These links should guide you in configuring the recipient filtering: http://support.microsoft.com/kb/886208 http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

If you're using your Exchange server as an SMTP relay for internal applications, be careful! This will refuse to accept any e-mail sent to addresses that don't exist in the AD. You'll probably have to set up another SMTP Virtual Server just for those applications to use and NOT enable recipient filtering on the VS, and limit access to just the IP addresses on your internal network.

--- Rich Matheisen MCSE+I, Exchange MVP
April 3rd, 2011 12:09pm
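Rich's point is that recipient filtering answers at the RCPT TO stage of the SMTP conversation, so the symptom in this thread (every address refused as if it were unknown) shows up in the SMTP protocol log before any message is accepted. The script below is an added example, not code from the thread or from Microsoft: it reads a constructed transcript, pairs each RCPT TO with the reply it got, and flags the case where addresses that do exist in the directory are being rejected, which points at the directory lookup or a second filter in the path rather than at DNS. The log format, reply strings and address list are all constructed for illustration.

```python
import re
from typing import List, Set, Tuple

# Constructed sample transcript ("C:" = client, "S:" = server) of one inbound
# session captured while recipient filtering refused every RCPT TO.
SAMPLE_LOG = """\
S: 220 mail.test.org Microsoft ESMTP MAIL Service ready
C: EHLO relay.example.net
S: 250-mail.test.org Hello [203.0.113.5]
S: 250 OK
C: MAIL FROM:<alice@example.net>
S: 250 2.1.0 alice@example.net....Sender OK
C: RCPT TO:<bob@test.org>
S: 550 5.1.1 User unknown
C: RCPT TO:<carol@test.org>
S: 550 5.1.1 User unknown
C: QUIT
S: 221 2.0.0 closing transmission channel
"""

# Constructed stand-in for the SMTP addresses that really exist in AD.
AD_ADDRESSES: Set[str] = {"bob@test.org", "carol@test.org"}

RCPT_RE = re.compile(r"^C: RCPT TO:<([^>]+)>", re.IGNORECASE)
REPLY_RE = re.compile(r"^S: (\d{3})([ -])(.*)$")


def rcpt_outcomes(log: str) -> List[Tuple[str, int, str]]:
    """Pair every RCPT TO with the final line of the server reply it received."""
    outcomes = []
    pending = None
    for line in log.splitlines():
        m = RCPT_RE.match(line)
        if m:
            pending = m.group(1).lower()
            continue
        m = REPLY_RE.match(line)
        # A space after the code marks the last line of a (possibly multi-line) reply.
        if m and pending is not None and m.group(2) == " ":
            outcomes.append((pending, int(m.group(1)), m.group(3).strip()))
            pending = None
    return outcomes


def diagnose(log: str, directory: Set[str]) -> str:
    """Say what the RCPT TO replies reveal about recipient filtering."""
    outcomes = rcpt_outcomes(log)
    if not outcomes:
        return "no RCPT TO seen"
    rejected = [addr for addr, code, _ in outcomes if code >= 500]
    rejected_valid = [addr for addr in rejected if addr in directory]
    if rejected_valid:
        # Real directory addresses refused: the filter's LDAP lookup is failing
        # or another filter (e.g. a gateway product) is answering ahead of it.
        return "filter rejecting valid recipients: " + ", ".join(rejected_valid)
    if rejected:
        return "filter working: only unknown recipients rejected"
    return "no rejections at RCPT TO (filtering off or all recipients valid)"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, AD_ADDRESSES))
```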

Jesper, thanks for the information. As I indicated, I'm not an exchange expert so that is good information regarding exchange being happier on a member server. I will let my boss know as well. Here's some additional info: The exchange server is on a different domain than our internal domain. Our external domain ends with a .org suffix and that's the domain our exchange server is on. We use the AD Users and Computers on the exchange server to reset passwords for our mail accounts and this is the only resource we can use to accomplish that that I know of. The exchange box also has DNS installed. As for the filtering recipients, we followed the directions per your link exactly except for the IP address setting for the "default virtual server properties". The link showed the setting used "All Unassigned" and we used the specific IP of the exchange box. Not sure if that matters but it's the only difference I could find. Anyway, as I indicated earlier, when we enabled this setting, mail was delivered to the box as we could tell with GFI monitoring but none of the mail was being delivered. Not sure what we did wrong.
April 3rd, 2011 1:36pm

Hi Rich, thanks for the help. 1 - We have an internal network with one forest that ends with a .net suffix. We also have a namespace that ends with a .org suffix which is not part of our .net forest. The exchange box lives on the .org domain. This exchange box has AD Users and Computers installed on it and we use AD Users and Computers on exchange to reset mail account passwords. This is the only domain controller for this .org domain. However, and this predates me, on the DNS servers on the .net domain, there is a forward lookup zone for the .org domain, and replication on the DNS server on the exchange box is set to replicate to all the DNS servers in the forest. We are not, according to my boss, using the exchange server as an SMTP relay for internal apps. Here's an interesting tidbit that may help us. My boss just told me he thinks the problem with all of our mail being blocked after we enabled recipient filtering on the exchange box is because he had basically the same task enabled in GFI Mail Essentials. Like recipient filtering on exchange, GFI Mail Essentials has the ability to filter sender and receiver mail if the addresses are not in AD. He thinks having both enabled caused a conflict, which I guess now makes sense because when we disabled filtering recipients on exchange, mail was once again delivered. Please let me know if you agree this caused the problem. Would you recommend using exchange to do the filtering or should he stick with GFI? In the article you gave me, it indicated using exchange to do the filtering saves CPU load and disk space. Anyway, your time and expertise are greatly appreciated.
April 3rd, 2011 2:11pm

On Sun, 3 Apr 2011 18:04:00 +0000, pendal1 wrote:

> 1 - We have an internal network with one forest that ends with a .net suffix. We also have a namespace that ends with a .org suffix which is not part of our .net forest. The exchange box lives on the .org domain.

No, it doesn't. Your Exchange organization may handle e-mail for the domain ending in ".org", but the server(s) is a member of the AD forest using the domain ending in ".net". Your Exchange organization is capable of dealing with many DNS domains, but it's a member of only one AD Domain.

> This exchange box has AD Users and Computers installed on it and we use AD Users and Computers on exchange to reset mail account passwords.

I'm sure you use ADUC for many other things as well. :-)

> This is the only domain controller for this .org domain. However, and this predates me, on the DNS servers on the .net domain, there is a forward lookup zone for the .org domain, and replication on the DNS server on the exchange box is set to replicate to all the DNS servers in the forest.

I guess I'd have to ask if you make use of your ISP's DNS to manage the zone ending in ".org"? If you don't, your firewall must allow ports 53/UDP and 53/TCP to reach your DC from the Internet. If you're using a "split-brain" DNS then the ".org" DNS zone should either be a "stub" zone (which "points" to the ISP's DNS server), or it should contain only the names you want to be able to resolve from within your network. But these, too, are DNS design considerations, not Exchange.

> We are not, according to my boss, using the exchange server as an SMTP relay for internal apps.
>
> Here's an interesting tidbit that may help us. My boss just told me he thinks the problem with all of our mail being blocked after we enabled recipient filtering on the exchange box is because he had basically the same task enabled in GFI Mail Essentials. Like recipient filtering on exchange, GFI Mail Essentials has the ability to filter sender and receiver mail if the addresses are not in AD. He thinks having both enabled caused a conflict, which I guess now makes sense because when we disabled filtering recipients on exchange, mail was once again delivered. Please let me know if you agree this caused the problem.

Which I can't say definitively; I don't think one has anything to do with the other. Exchange will just use the RCPT TO e-mail addresses it receives from your spam filter (which should never fail since they've already been vetted).

> Would you recommend using exchange to do the filtering or should he stick with GFI?

Let the spam filter handle it. Do the detection as close to the source of spam as possible.

> In the article you gave me, it indicated using exchange to do the filtering saves CPU load and disk space.

Sure . . . when compared to accepting all badly addressed messages and then having to send NDRs. But if Exchange never sees those bad addresses the result is identical.

--- Rich Matheisen MCSE+I, Exchange MVP
April 3rd, 2011 4:03pm

Rich, thanks so much for your time and information. However, I'm confused by your saying the exchange box is part of our .net forest. The exchange box is installed on a server that is also the only domain controller for .org - our external forest registered on the internet. Unless I'm confused and it's been a long day, we have internal and external namespaces which are totally distinct forests. What am I missing? And yes, I use AD Users and Computers for many things :) Rich, thank you for your time and insight.
April 3rd, 2011 10:43pm

There's also a two-way external trust between these two domains. Do you recommend only a one-way outgoing trust from the publicly accessible domain to the internal domain for security purposes? Not sure why they have a two-way trust here. Thanks.
April 3rd, 2011 11:01pm

On Mon, 4 Apr 2011 02:36:46 +0000, pendal1 wrote:

> Rich, thanks so much for your time and information.
>
> However, I'm confused by your saying the exchange box is part of our .net forest.

You said: "1 - We have an internal network with one forest that ends with a .net suffix. We also have a namespace that ends with a .org suffix which is not part of our .net forest. The exchange box lives on the .org domain." If the Exchange server "lives on the .org domain" and you have "one forest that ends with a .net suffix" then the _only_ place that Exchange server can be is in the AD forest with the one domain that uses the ".net" TLD.

> The exchange box is installed on a server that is also the only domain controller for .org.

That is completely opposite of what you said before. Please read again what you posted.

> - our external forest registered on the internet.

You have TWO Active Directory forests? If that's so then you can start by restating your AD topology.

> Unless I'm confused and it's been a long day, we have internal and external namespaces which are totally distinct forests. What am I missing?

I think you're failing to make the distinction between a DNS domain (which I believe is the one using the .org TLD), and an Active Directory Domain (the one using the .net TLD). You may assign e-mail addresses in the domain using the .org TLD but that doesn't mean the Exchange server is a *member* of that AD domain.

--- Rich Matheisen MCSE+I, Exchange MVP
April 3rd, 2011 11:31pm

On Mon, 4 Apr 2011 02:54:38 +0000, pendal1 wrote:

> There's also a two-way external trust between these two domains.

Oh, fer cryin' out loud. So you have TWO Active Directory forests?

> Do you recommend only a one-way outgoing trust from the publicly accessible domain to the internal domain for security purposes? Not sure why they have a two-way trust here. Thanks.

How you organize your trusts depends on what you, well, trust! Does the "internal" forest ever have to allow accounts from the "external" forest permission to access anything? If not then there's no reason to trust it. I really think you need to move this line of questioning to an AD forum. It's not an Exchange design you're asking about.

--- Rich Matheisen MCSE+I, Exchange MVP
April 3rd, 2011 11:37pm

So, I assume that the topology looks like below:

Forest A: Test.Org (A single Internet-facing exchange 2003 server, installed on a DC)
Forest B: Test.Net (Not Internet-facing, no exchange server)
Two-way trust has been established between Forest A and B

The current question is, mail flow fails after enabling recipient filtering, right? Do the user objects exist in Test.Org or Test.Net?

Quote: "My boss just told me he thinks the problem with all of our mail being blocked after we enabled recipient filtering on the exchange box is because he had basically the same task enabled in GFI Mail Essentials"

If you disable the task on the GFI, will recipient filtering work?

James Luo, TechNet Subscriber Support in forum
April 4th, 2011 5:27am

Thanks James. That's exactly correct. "If you disable the task on the GFI, will recipient filtering work?" James, my boss doesn't want to disable the task on GFI Mail Essentials. However, I think if we did disable it, and then enabled recipient filtering, recipient filtering would work. I agree with him that somehow these two processes (GFI Mail Essentials filtering mail from non-valid e-mail addresses not in AD and recipient filtering enabled on exchange), basically doing the same task, were causing a conflict. Why? I don't know, but when we disabled recipient filtering on exchange and let GFI handle the filtering by itself, mail started flowing again. When there was a problem we had event ID 3005 out the wazoo in the app log on exchange. Anyway, I'll wait to see what you think in terms of whether there was a conflict between these two processes filtering mail and then I'll close this question. Appreciate your time very much.
April 4th, 2011 11:57am

Rich, you seem to be getting a little frustrated and I guess that's my fault. I should have clearly indicated we have two AD Forests. However, to my mind, I was clear in indicating our mail server was part of a totally different namespace (should have said forest) ending in .org - not .net. Not sure how a domain can be a part of a forest and not end in the same suffix. The DNS namespace refers to the structure of the domains, and the mail server is on the .org domain or test.org namespace which is a different forest. Sorry for any confusion. Anyway, I'll close this question and move on, which I'm sure you'll be thrilled with. As I said, I'm not an exchange expert - never worked on it at all and that's obvious - and I wasn't involved at all in setting up the current structure so I was getting some info as I went along. I think it's important for both sides in this forum to ask questions if they're confused about anything rather than getting defensive. Thanks again.
April 4th, 2011 12:25pm

On Mon, 4 Apr 2011 16:17:36 +0000, pendal1 wrote:

> Rich, you seem to be getting a little frustrated and I guess that's my fault. I should have clearly indicated we have two AD Forests. However, to my mind, I was clear in indicating our mail server was part of a totally different namespace (should have said forest) ending in .org - not .net.

"Namespace", when used in the context of Exchange e-mail, usually refers to the SMTP domain(s) used in the various Recipient policies. In which AD forest the server is a member is irrelevant to how the e-mail is handled.

> Not sure how a domain can be a part of a forest and not end in the same suffix.

Because the domains that are handled by Exchange for e-mail are DNS domains, not AD Domains. They _may_ be the same, but they usually aren't. You'll see an AD Domain "somename.local" and an e-mail domain "somename.com". The server is a member of "somename.local" and e-mail is sent and received as "somename.com".

> The DNS namespace refers to the structure of the domains, and the mail server is on the .org domain or test.org namespace which is a different forest. Sorry for any confusion.
>
> Anyway, I'll close this question and move on, which I'm sure you'll be thrilled with. As I said, I'm not an exchange expert - never worked on it at all and that's obvious - and I wasn't involved at all in setting up the current structure so I was getting some info as I went along. I think it's important for both sides in this forum to ask questions if they're confused about anything rather than getting defensive. Thanks again.

--- Rich Matheisen MCSE+I, Exchange MVP
April 4th, 2011 6:04pm

I've not found any similar case where both recipient filtering and the GFI task have been enabled, so the cause can't be pinpointed to a conflict between the two features. How about a test on the weekend when there's no user at the office? For event 3005, it would be more related to ActiveSync. Is there any issue with mobile synchronization for the users? See: Error messages when you try to synchronize a Windows Mobile device to Exchange Server 2003 on a Windows SBS 2003-based computer

James Luo, TechNet Subscriber Support in forum
April 4th, 2011 11:02pm

Hi James. No - we don't have any sync problems between our mobile users and syncing mail between their phones and exchange. Appreciate all your time and information.
April 9th, 2011 10:47am
