Wednesday, December 22, 2010

451 4.4.0 DNS query failed

Problem: Emails to a particular domain were not going through. Emails to all other domains were being received fine.

dcswa-ex01 = Edge Transport
dcswa-ex02 = Hub Transport

domain.com = sending companies email suffix.
example.com = recieving companies email suffix.

Symptoms

Emails sent to example.com are not arriving to the destination. Doriseng.com emails are being passed from the hub transport server dcswa-ex02 to the edge transport server dcswa-ex01 successfully. The emails then sit in the edge transport queue for example.com with the following error:

LastError : 451 4.4.0 DNS query failed



Dcswa-ex01 is resolving DNS correctly for example.com, we can verify this by using the nslookup utility.



The edge transport server Dcswa-ex01 is able to open TCP25 connections to example.com SMTP servers.



The Exchange 2010 connectivity logs shows that the DNS queries exchange is generating for example.com were timing out on the edge transport server:

2010-12-22T02:26:15.708Z,08CD6F05CD2DBD8F,SMTP,example.com,+,DnsConnectorDelivery afb8a1d5-3e6f-4e6b-8bab-17e38b9d7bad;QueueLength=1
2010-12-22T02:27:21.458Z,08CD6F05CD2DBD8F,SMTP,example.com,>,DNS server returned ErrorTimeout reported by 0.0.0.0
2010-12-22T02:27:21.458Z,08CD6F05CD2DBD8F,SMTP,example.com,-,Messages: 0 Bytes: 0 (The DNS query for 'DnsConnectorDelivery':'example.com':'afb8a1d5-3e6f-4e6b-8bab-17e38b9d7bad' failed with error : ErrorTimeout)


Resolution

On the Edge Transport server dcswa-ex01 set the external DNS servers to use for external mail relay.



On the hub transport server dcswa-ex01 configure "Use the External DNS Lookup setting on the transport server" for all send connectors configured for edge sync with dcswa-ex01.



Force an Edge Sync on the hub transport server dcswa-ex02:



Restart the Microsoft Exchange Transport service on the edge transport server to utilize the new DNS settings.

After making this change it took 5-10 minutes for the email to successfully leave the queue!

Looking at the queue for example.com again:



The email was successfully delivered as it no longer resides in the queue.

If we look at the SMTP send log on the edge transport server dcswa-ex01 we can see that the email transferred correctly. One interesting thing I found about example.com was they are digitally encrypting all email communication traffic, I don't see how this would cause DNS to fail but I want to point that out.

2010-12-22T03:59:00.740Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,0,,81.80.156.146:25,*,,attempting to connect
2010-12-22T03:59:01.052Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,1,202.160.101.139:2546,81.80.156.146:25,+,,
2010-12-22T03:59:01.365Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,2,202.160.101.139:2546,81.80.156.146:25,<,220 example.com [ESMTP Server] service ready;DORIS ENGINEERING Email Gateway ok; 12/22/10 04:57:30, 2010-12-22T03:59:01.365Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,3,202.160.101.139:2546,81.80.156.146:25,>,EHLO dcswa-ex01.cloud.dcswa,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,4,202.160.101.139:2546,81.80.156.146:25,<,250-example.com, 2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,5,202.160.101.139:2546,81.80.156.146:25,<,250-SIZE 13631488, 2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,6,202.160.101.139:2546,81.80.156.146:25,<,250-8BITMIME, 2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,7,202.160.101.139:2546,81.80.156.146:25,<,250 STARTTLS, 2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,8,202.160.101.139:2546,81.80.156.146:25,>,STARTTLS,
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,9,202.160.101.139:2546,81.80.156.146:25,<,220 Ready to start TLS, 2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,10,202.160.101.139:2546,81.80.156.146:25,*,,Sending certificate 2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,11,202.160.101.139:2546,81.80.156.146:25,*,CN=dcswa-ex01,Certificate subject 2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,12,202.160.101.139:2546,81.80.156.146:25,*,CN=dcswa-ex01,Certificate issuer name 2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,13,202.160.101.139:2546,81.80.156.146:25,*,67E29A29EDE76AAF4BDBC5340D3185F0,Certificate serial number 2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,14,202.160.101.139:2546,81.80.156.146:25,*,2A3B56F723AD7056F9372E486B3192E0EF877C6D,Certificate thumbprint 2010-12-22T03:59:01.990Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,15,202.160.101.139:2546,81.80.156.146:25,*,dcswa-ex01;dcswa-ex01.cloud.dcswa,Certificate alternate names 2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,16,202.160.101.139:2546,81.80.156.146:25,*,,Received certificate 2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,17,202.160.101.139:2546,81.80.156.146:25,*,B6CDD7D2A3CAC50AB653830A828037EC0D0B3901,Certificate thumbprint 2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,18,202.160.101.139:2546,81.80.156.146:25,>,EHLO dcswa-ex01.cloud.dcswa,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,19,202.160.101.139:2546,81.80.156.146:25,<,250-example.com, 2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,20,202.160.101.139:2546,81.80.156.146:25,<,250-SIZE 13631488, 2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,21,202.160.101.139:2546,81.80.156.146:25,<,250 8BITMIME, 2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,22,202.160.101.139:2546,81.80.156.146:25,*,29980,sending message 2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,23,202.160.101.139:2546,81.80.156.146:25,>,MAIL FROM: SIZE=5233,
2010-12-22T03:59:03.271Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,24,202.160.101.139:2546,81.80.156.146:25,<,250 Sender OK,
2010-12-22T03:59:03.271Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,25,202.160.101.139:2546,81.80.156.146:25,>,RCPT TO:,
2010-12-22T03:59:03.583Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,26,202.160.101.139:2546,81.80.156.146:25,<,250 Recipient OK,
2010-12-22T03:59:03.583Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,27,202.160.101.139:2546,81.80.156.146:25,>,RCPT TO:,
2010-12-22T03:59:03.896Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,28,202.160.101.139:2546,81.80.156.146:25,<,250 Recipient OK,
2010-12-22T03:59:03.896Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,29,202.160.101.139:2546,81.80.156.146:25,>,RCPT TO:,
2010-12-22T03:59:04.208Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,30,202.160.101.139:2546,81.80.156.146:25,<,250 Recipient OK,
2010-12-22T03:59:04.208Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,31,202.160.101.139:2546,81.80.156.146:25,>,DATA,
2010-12-22T03:59:04.521Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,32,202.160.101.139:2546,81.80.156.146:25,<,354 Start mail input; end with .,
2010-12-22T03:59:05.146Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,33,202.160.101.139:2546,81.80.156.146:25,<,250 OK: <1f3f0b7e00007399@example.com>,
2010-12-22T03:59:05.146Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,34,202.160.101.139:2546,81.80.156.146:25,>,QUIT,
2010-12-22T03:59:05.458Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,35,202.160.101.139:2546,81.80.156.146:25,<,221 [ESMTP Server] service closing transmission channel,


There is another workaround that has been documented on the internet to add the external MX servers to the local "hosts" file on the edge transport server. I tested this and it does work however I do not recommend it. If another domain does fail, it will be a manual exercise on a case by case basis.

Tuesday, December 21, 2010

How to Force EdgeSync Synchronization

You can use the Start-EdgeSynchronization cmdlet to force synchronization to start immediately. You may want to do this to start initial replication immediately after you create the Edge Subscription or if you have made significant changes to the configuration or recipients in Active Directory. The Start-EdgeSynchronization cmdlet resets the EdgeSync synchronization schedule. The time of the subsequent synchronization intervals is based on the time that this command is initiated.

Note:
If you try to run this procedure during regular synchronization, an error will occur.

Start-EdgeSynchronization

How to Setup Auto QOS Cisco

The config below sets up Auto QOS (Quality of Service) on a Cisco Switch.

Single interface
Conf t
Int fa0/1
Auto-qos voip trust
End
Write mem


Multiple Interface
Conf t
Int range fa0/1 – 24 (to what ever port you want)
Auto-qos voip trust
End
Write mem

Sunday, December 12, 2010

Cisco ADSL Config with NAT

Below is a basic ADSL for Cisco routers with ADSL chip sets installed. This config if for a PPPoE based connection. I set this config up to use Amnet Broadband.

ip cef

interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
dsl operating-mode auto
hold-queue 224 in

interface Vlan1
ip address 10.60.59.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452


interface Dialer0
description Amnet ADSL
bandwidth 1300
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 999999
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
ppp pap sent-username USERNAME password 0 PASSWORD

ip route 0.0.0.0 0.0.0.0 Dialer0

ip nat inside source list 1 interface Dialer0 overload

access-list 1 permit 10.60.59.0 0.0.0.255


To port forwards to the config create static NAT entries like this:

ip nat inside source static tcp 10.60.59.10 25 interface Dialer0 25
ip nat inside source static tcp 10.60.59.10 3389 interface Dialer0 3389


To get some verbose logging on your ADSL connection please see the following website:

https://supportforums.cisco.com/docs/DOC-14125

Monday, December 6, 2010

SBS 2008 System Synchronizing but Not Downloading Updates

I had an issue where wsus on a Windows SBS 2008 system was saying it was synchronizing successfully, but it wasn't downloading updates. All you would get was a message in the event logs from Windows Server Update Services (event id 10032) saying that "The server is failing to download some updates". Clients would show that they needed updates through the WSUS console and via the SBS Console, but the updates would never show up on the server for installation. In the local client WindowsUpdate.log file you would see something similar to the following

2010-10-12 10:39:45:574 784 1a20 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2010-10-12 10:39:45:574 784 1a20 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12 10:39:49:011 784 1a20 PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2010-10-12 10:39:49:011 784 1a20 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12 10:39:52:433 784 1a20 Agent * Found 0 updates and 57 categories in search; evaluated appl. rules of 643 out of 1075 deployed entities

So why would the WSUS server recognize the server needed updates and the client not recognize and download them? Further investigation uncovered the fact that the WSUS Content Repository was nearly empty. Total size of the repository was less than 100 MB. Obviously, none of the patch data had been downloaded.

So why was the sync successful? Moving on, after more investigation, I discovered that the ISA server was blocking what appeared to be anonymous web traffic from the SBS server even though there was a access rule set to allow all http, https, and ftp traffic from the SBS server. So, skipping to the solution. First, ISA 2004 has a problem with BITS 7.0 that is used in Windows 2008 and Windows 7. Because the initial synchronization from WSUS ONLY downloads metadata, ISA was letting that out and it would show success in the consoles. Then WSUS turns over processing and downloading of the actual patch files (.cabs, etc.) to BITS. ISA was blocking BITS background download processing so what we had was metadata for the updates, but no updates. WSUS knew the servers needed the updates, but the servers had nothing to download because the actual content for the updates wasn’t there. The fix is to change the processing of update downloads using BITS from a background to a foreground process. ISA seems to allow that just fine.

Do it by running the following query against the WSUS database. The connection can be made via SQL Management Studio Express in most cases…you are just looking to run the query against the SUSDB database.

update tbConfigurationC set BitsDownloadPriorityForeground=1

If you are using Windows 2008 with the Microsoft Internal Database (as SBS 2008 does), this proves to be a little more challenging because you have to connect with SQ Management Studio Express using named pipes instead of TCP/IP. Connect using named pipes by using this as the server

\\.\pipe\mssql$microsoft##ssee\sql\query

Sunday, December 5, 2010

HP ML350 G6 hangs at Completing Installation on a Windows 2008 and SBS2008

I had a HP ML350 G6 server that was unable to complete the SBS 2008 install. Everytime it would hang forever at the Completing Installation stage of the Windows setup.



All hardware roms were running latest firmware.

It got to the stage where I had to start removing server hardware to find out what was causing SBS Installation to fail.

The item that was causing the problem was a HP Smart Array P212 SAS Controller which was connected to a HP StorageWorks Ultrium 920 SAS Tape Drive. After removing this card the SBS 2008 installation completed successfully.

Below is a picture of this SAS Card taken from my iPhone 4G:



I removed this card, completed the install of SBS 2008, then installed the card again once Windows was up and running on the system.

Wednesday, December 1, 2010

VBS - List all users in OU

The following script lists all users in an organisational unit:

Set objDictionary = CreateObject("Scripting.Dictionary")

Set objOU = GetObject("LDAP://OU=myou,DC=domain,DC=local")
objOU.Filter = Array("User")

For Each objUser in objOU
strUser = objUser.displayName
If Not objDictionary.Exists(strUser) Then
Wscript.Echo strUser
End If
Next


Very handy if you want to add all users in an OU to a security group!