Public DNS behind NAT w/ Exchange 2K

Poontos

Platinum Member
Mar 9, 2000
Any assistance would be greatly appreciated with the following scenario:

-Personal Use
-Domain Registered for this situation
-External (An ISP) DNS available and currently configured like so:

A Record -> example.org -> DSL IP
A Record -> mail.example.org -> DSL IP
A Record -> www.example.org -> DSL IP
MX Record -> mail.example.org -> DSL IP
etc...

Physically:

DSL Connection - Static IP
        |
PPPoE/NAT/Firewall/Gateway/Switch :)
        |                          |
        v                          v
192.168.1.100                  192.168.1.etc.
Win2K w/ Exchange 2000         Other PCs...

(Will obviously forward ports 80 & 25 to the server once it is secure.)

What I am wondering is:

-How would I set up the DNS on the Win2K server? I am not very familiar with
custom scenarios for Win2K DNS, so some detailed info would be greatly
appreciated. Or how would I set up the DNS if I were to disable the externally
provided DNS and do it all locally? Preferably going to use the external DNS
for now, and then see how that goes.

-Once I have the DNS set up, which Exchange SMTP settings should be modified
to coincide with the DNS? I know there are a few DNS-related SMTP settings
that need to be changed, but there are a few that I am not familiar with.

Thank you!


 

Thor86

Diamond Member
May 3, 2001
Mail Exchanger or MX records in your publicly available DNS server determine which IP/host will receive all mail for your particular domain.

Win2k DNS entries:

New Primary Domain
(host/ip) xxx.xxx.xxx.xxx
(alias/subdomain) examplemail
(mail exchanger - primary 10) examplemail.domain.com
(mail exchanger - secondary 20) anothermail.domain.com

Exchange domains:
examplemail.domain.com

Backup MX server:
anothermail.domain.com
 

Poontos

Platinum Member
Mar 9, 2000
So with the external DNS set up the way it is described above, I could set up the internal DNS like so:

Forward Zone: intranet.example.org
Reverse Zone: 1.168.192.in-addr.arpa

-No secondary, so I do not allow zone transfers
-No BDC, so I do not allow dynamic updates.
-Any other settings I may need?

The SMTP settings for Exchange, I noticed there is obviously some DNS stuff in there... any tips?

Thank you!
 

mattbta

Senior member
Dec 15, 2001
Is there any reason why you need separate DNS? I set up my domain with an Active Directory forward lookup zone that accepts dynamic updates. Set up Exchange to use the internal IP of that server for DNS and all works fine.

My DNS for my registered domain is handled by www.dyndns.org and I don't have any MX records set up at all. From what I read, for my simple one-server setup it was not necessary. DNS points ANYTHING with domain.com towards my current IP. (Router config handles port forwarding.)

Internal computers use the AD DNS for their name resolution needs.

Just use the DNS MMC snap-in and set up a forward lookup zone; it's pretty easy, all you have to do is click through the wizard and pick a name for your DNS server.

BTW- if you're going to be accessing your email, you'll also need to forward the pop3 port and/or imap- 110 and 135.
 

Poontos

Platinum Member
Mar 9, 2000
Bump...


mattbta, thx for the response, I will respond shortly, I just have to get a power bar to plug the PC back in. :)
 

watts3000

Senior member
Aug 8, 2001
Sorry, I was going to comment on your SMTP setup but realized you were wanting to know about DNS.
 

N11

Senior member
Mar 5, 2002
Originally posted by: n0cmonkey
Please tell me you aren't running IIS, Exchange, and DNS on one machine...

From what I've seen it's common practice to keep IIS on the Exchange server (I haven't seen SMTP connectors handled externally for an entire Exchange organization, but I'll bet an MS tech here has a way to do it). Exchange 2000 does rely on IIS for handling SMTP.

Now that I think about it, I don't think the Exchange installation will proceed without IIS installed.
 

watts3000

Senior member
Aug 8, 2001
Exchange 2000 does not rely on IIS for SMTP; Exchange comes with its own virtual SMTP server. It relies on IIS for the deployment of Outlook Web Access. If you do not want IIS and Exchange on the same box, you can disable HTTP support through the Exchange manager and uninstall IIS. I have seen companies run Outlook Web Access on a separate box than Exchange.
 

Poontos

Platinum Member
Mar 9, 2000
Originally posted by: n0cmonkey
Please tell me you aren't running IIS, Exchange, and DNS on one machine...
If this was not at home and I had more funds for more servers/computers, I would indeed have each respective service on a separate server. So, in my case I have no choice. Sorry to disappoint. :)

 

N11

Senior member
Mar 5, 2002
Originally posted by: watts3000
Exchange 2000 does not rely on IIS for SMTP; Exchange comes with its own virtual SMTP server. It relies on IIS for the deployment of Outlook Web Access. If you do not want IIS and Exchange on the same box, you can disable HTTP support through the Exchange manager and uninstall IIS. I have seen companies run Outlook Web Access on a separate box than Exchange.

I believe you are confusing Exchange 5.5 with Exchange 2000. Exchange 2000 requires IIS to utilize the common protocols.

All messages handled by Exchange 2000 are routed through IIS' advanced queuing engine -- you won't find yourself in an Exchange 2000 environment without IIS. The first line of Sybex's Exchange 2000 reference manual stipulates the requirement of IIS.
 

Santa

Golden Member
Oct 11, 1999
Depending on how stable you feel your Internet connection is. If you absolutely want to host your own DNS server for quick host and zone changes, you may want to check to see if your ISP can be a slave DNS server for you. This means they would be your secondary DNS server entry at the domain registrar and they would pull or do zone transfers with you.

You will need to make sure the right ports are forwarded to your machine for zone transfers, and also the correct permissions allowed on the firewall for this action.

DNS is quite simple to setup really.

Most of your entries will be host entries such as www, mail. You will then need to create an MX record, as you noted you have with your ISP, but on your local DNS server.

Reverse lookups should be auto-populated by your PTR record; this is a checkmark you check when creating the host, so make sure you definitely have the www and mail hosts correctly in the reverse lookup zone.

BTW, your reverse zone should not be 1.168.192.in-addr.arpa. You need to make sure when creating your hosts and zones that you are creating them based on your external IP address, or your users will get confused when polling your DNS server for name resolution and getting a 192.168.x.x address in return.

So first off, check with your ISP to see if they can do zone transfers with you and be a slave DNS for you, and if not, whether you don't mind manually keeping them updated.
Then you would create the zone, then populate it with the hosts and records you want. After that you need to go to your domain registrar and change the primary DNS to point to your external public IP, with the ISP DNS server as the secondary DNS server. 24-48 hours later, after propagation, you should be up and running.

Oh, and for a local DNS server caching your DNS queries, you want to make sure you enable the option for it to forward on to your ISP's DNS server, but this is only for your internal clients, not for queries done against your server from outside.

Remember, if your Internet connection is not reliable you may begin losing email and web hits, so think about this carefully. I currently host my own domain but forward my mail to my ISP's mail server; since they need to keep theirs up to make money, they have many more safeguards than it's worth for me to buy for home.

Merry Christmas!
 

Garion

Platinum Member
Apr 23, 2001
I'll throw my two cents in here..

First of all, in a small network, you need to pick your battles. IMHO, if you don't *have* to do something, don't do it. This goes for Internet-facing DNS, as well as DNS-based delivery of e-mail. You could certainly move both functions inside, but why?

I would strongly recommend you do two things:

1: Let your ISP handle your DNS. They do this for a living and have the bandwidth and dedicated servers for it. DNS is a pain, and a HUGE potential security hole. They pay attention to these things on a daily basis - It's their job and they will be able to do a better job at it than you will, especially through a DSL line. This is especially important, as you've got a bunch of 192.168.1.x internal IPs in your DNS that you *really* don't want advertised to the Internet, and it can be tricky to configure MSDNS not to answer for everything to the Internet.

2: Let your ISP deliver your e-mail for you - Don't try to do it yourself unless they prove too flaky and can't do a good job of it. You should just point your Exchange server at one of their mail relays and be done with it - No need for you to try to deliver directly to the remote site and have to deal with all the reverse DNS, ICMP probes, queueing issues, etc. that direct delivery entails.

Tighten down your router/firewall rules as much as possible, and avoid as much unencrypted data as you can. Depending on the amount of OWA traffic, you might consider adding SSL on your IIS box and only allowing HTTPS for your OWA traffic. Of course, this depends on your company and the capacity of your server. I work for a big bank, so we're very paranoid.

One last piece of advice for you.. There are *two* OWA modes out there - Most people don't realize this. The Rich and the Reach clients.

The Rich client is the classic "big-fat-bloated" OWA. Huge XML and ASP pages all over the place and it takes *forever* to load unless you're on a broadband connection. This is the default client you get when you connect to OWA with IIS.

The Reach client is a thin, light client that retains 90% of the functionality, but at ~1/5th of the bandwidth requirements. Most users prefer this client since it saves a huge amount of time in loading pages and most don't miss the features. When you connect to a OWA server with an older Netscape or pre-5.0 IE browser, you get the Reach mode client.

What we've done at work is to set up two DNS names - something like owa.example.com and owalight.example.com. The same web server services both, and is set up to look at the host headers of the request to determine which client to use. This requires some ISAPI filter coding, but nothing too difficult - Just do a Google on "exchange reach mode" and you'll find several links about it.

- G


[edit]

.. And I missed the "for personal use" part. My answer was based on doing it for your company's network. For your own network, if you just want to learn this stuff, go wild.

You, in general, have it pretty much right, and other posters have been dead-on too..

Edit your domain registration to point your primary DNS server to your DSL IP, and your secondary to your ISP's. Talk to them and get them to do zone transfers from your box, so they can actually be a secondary for you.

Once the records are there, get your DNS server set up. It's fairly straightforward in Win2K, actually. Make sure your network is using the right domain name (example.com), then set up some host entries. This can, however, make a few things weird. For example, if you use that box as your DNS server for other hosts on your network and you go to resolve "www.example.com", you're going to get your DSL IP, not the machine's private IP. The easy way around that is *not* to call your server www or mail or anything that you'd ever want to be resolvable from the outside.

I'd still recommend that you forward your mail to a mail relay at your ISP - Delivering it yourself can be a pain.

- G
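A zone sanity check for the points Santa and Garion raise above (a 1.168.192.in-addr.arpa reverse zone must not be served to the Internet, a public zone must not advertise 192.168.x.x addresses, and an internal host should not share a name with a public one such as www or mail). This is an added example, not code from the thread; the zone data is constructed, and MS DNS records are modelled as a plain dict of name to (type, data) tuples.

```python
import ipaddress

# RFC 1918 only: ipaddress.is_private also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (not the thread's real config): the public zone as the ISP would host it, with two mistakes.
PUBLIC_ZONE = {
    "example.org": [("A", "203.0.113.10"), ("MX", "10 mail.example.org"),
                    ("MX", "20 backup.example.org")],   # backup.example.org has no A record
    "mail.example.org": [("A", "203.0.113.10")],
    "www.example.org": [("A", "203.0.113.10")],
    "dc.example.org": [("A", "192.168.1.100")],        # private address in a public zone
}
# Internal zone on the Win2K DNS server for the 192.168.1.0/24 LAN.
INTERNAL_ZONE = {
    "dc.intranet.example.org": [("A", "192.168.1.100")],
    "mail.example.org": [("A", "192.168.1.100")],      # same name as a public host
}

def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

def audit_public_zone(zone, origin):
    """Findings for a zone that will answer queries from the Internet."""
    findings = []
    for name, rrs in zone.items():
        for rtype, rdata in rrs:
            if rtype == "A" and is_rfc1918(rdata):
                findings.append(f"{name}: A record advertises private address {rdata}")
            elif rtype == "MX":
                target = rdata.split()[1].rstrip(".")
                # Only MX targets inside this zone can be verified offline.
                if target.endswith(origin) and not any(t == "A" for t, _ in zone.get(target, [])):
                    findings.append(f"{name}: MX target {target} has no A record")
    return findings

def split_horizon_collisions(public_zone, internal_zone):
    """Names present in both zones resolve differently inside and outside the NAT."""
    return sorted(set(public_zone) & set(internal_zone))

def reverse_zone_is_private(zone_name):
    """True for an in-addr.arpa zone covering RFC 1918 space, e.g. 1.168.192.in-addr.arpa."""
    labels = zone_name.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an in-addr.arpa zone: " + zone_name)
    octets = labels[:-2][::-1]                      # 1.168.192 -> 192.168.1
    first = ipaddress.ip_address(".".join(octets + ["0"] * (4 - len(octets))))
    return any(first in net for net in RFC1918)
```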
 

Poontos

Platinum Member
Mar 9, 2000
Thanks so much for all the info.

I was wondering if anyone could provide further assistance in the actual configuration of MS DNS in the following scenario:

(For those that have not been able to follow the whole thread, here is a quick summary)

DNS setup at Registrar: example.org (NS1 = ns.externalisp.org, NS2 = ns2.externalisp.org)

So, all DNS is configured at the external ISP, with A and MX records pointing to my static DSL IP.

Alternatives are good to know for future, however, I am convinced that I can do the following:

Set up a fully functional Exchange 2000 Server, behind NAT, plugged into a gateway/firewall/router that has the public IP. The key is the Microsoft DNS configuration necessary for Exchange, and obviously Active Directory, as well as allowing me to receive and send mail to RFC-strict (reverse DNS lookup, etc.) MTAs around the 'Net. :)

My problem is: I would greatly appreciate it if someone could walk me through how to set up the MS DNS for this specific scenario, and I would be off to the races.

If this is not possible, I will go the route that others have suggested (primary DNS = my MS server, secondary DNS = externalisp, who allows transfers to and from my dns server here), either way, a quick walk through the specific settings would be greatly appreciated.

Thanks!

 

Saltin

Platinum Member
Jul 21, 2001
Poontos,

The easiest way to do what you want is to just separate your two DNS zones.
You have your ISP handling the external FQDN/IP mappings, which makes it a lot easier for you.

So, ISP's DNS is handling the mail server's external A and MX record, perfect.

Internally, just do things as normal. Set up a forward lookup zone on your internal DNS server that matches your internal domain name. Set up an internal reverse lookup zone that matches your internal subnet. Make sure all the machines point to the internal DNS server (including your DC and Exchange), and then make sure your internal DNS server is set to forward to your ISP's DNS server.