Learn Exchange Server 2000: Setting Up DNS for Internet Access
by Michael Bell
This article in the 'Learning Exchange Server 2000 in 15 Minutes a Week' series looks at setting up the DNS so that Exchange 2000 can access the Internet. The article also covers the Nslookup utility for troubleshooting DNS settings.
One of the most frequent problems I see people having with Exchange 2000, and the question I am probably asked the most relates to setting up Exchange 2000 to access the Internet. In this article I will explain how to set up DNS to allow an Exchange 2000 server to access the Internet, as well as how to use Nslookup to troubleshoot DNS settings. Obviously, I can't cover all possible configurations, but I am going to try and cover the most basic configuration.
I am going to go with the understanding that most of you already have your Exchange Server installations completed. If not, then this isn't the article that will cover that. For installing Exchange, take a look at one of my earlier articles.
Once you have Exchange 2000 installed, there isn't much else to be done on the Exchange side. Exchange is tightly integrated with Active Directory, but more importantly, it is very tightly integrated with IIS. This integration allows Exchange 2000 to connect to the Internet without requiring any connectors to be installed or configured. This version of Exchange is a little different, as previous ones required a connector of some type to be configured. For example, Exchange 5.5 required an Internet Mail Service Connector (IMS) to access the internet.
There are a couple of different ways that we could configure DNS for our Exchange 2000 server. For example, I might be running DSL with a firewall like Proxy 2.0 or ISA Server in place. This would mean that we would have a public IP on the external network card of the firewall. If we were running our own DNS server, we could simply put the appropriate Host (A) and Mail Exchanger (MX) records into our DNS database.
With this setup, when a client queries our DNS server, the record fors our Exchange 2000 server would be returned, and the client would be able to communicate with our server. This is a simple configuration from the standpoint of DNS, although it would require additional work to get the Exchange Server communicating from behind the firewall. For additional information on how to configure this, see Q276388 and Q308599.
However, judging from the questions that I am getting, the majority of users aren't setting up their servers in this type of environment. The majority of the questions I am seeing are centered around small companies that are running a single Exchange 2000 server and their own DNS servers for internal purposes, but using an ISP for external name resolution. Although this situation is a little more complicated than our previous example, it is by no means impossible.
Probably the biggest problem facing most people is a lack of understanding of how DNS works. For this, I recommend reading 'DNS and BIND', by Paul Albitz and Cricket Liu. You can find this book just about any place that sells books on technology. Another good resource would be the Windows 2000 help files, as well as the Windows 2000 Resource Kit.
Now, lets get back to our problem. We have our Exchange 2000 Server installed, and we have our internal DNS working, taking care of Active Directory and all its needs. So how do we configure it to allow our internal clients to be able to send e-mail out to the Internet and also allow internet users to send e-mail to internal users?
The first thing we need to take a look at is how we get our email out to the Internet. In this case, setting up our internal DNS server to forward requests that it can't handle to our ISP's DNS server should do the trick. So what I would need to do would be to go into the DNS MMC, right click on the DNS server object, go to properties, and then select the Forwarders tab. I would type in the address or addresses of my ISP's DNS server(s), clicking add after each one. My DNS server will simply send the requests that it can't resolve out to my ISP's DNS Server. This will allow my clients to get their e-mail out to the internet, but at this point, I am only halfway done. I still need some way to give users access to my Exchange server. The trick here is that my Exchange server is running on my internal network, probably running on a Private IP address.
In this case, we have to add the appropriate MX and A records to our ISP's DNS Server. The records would point to the public IP address for our company, typically the external interface of our firewall. Now, we would need to use something like Network Address Translation (NAT) to convert the incoming request and redirect it to our Exchange server. In my earlier example using ISA server, publishing Exchange from behind the ISA server allows you to accomplish this task with a minimal of effort, because ISA will forward the requests for Exchange to the appropriate address, allowing external clients access to our internal Exchange server.
Given that we have configured everything correctly, our internal clients should be capable of sending and receiving both internal and internet e-mail. But how do we know that we set up DNS correctly? Enter Nslookup.
Nslookup is a troubleshooting utility that allows us to query a DNS database for the presence of appropriate records, among other things. For internal DNS, we can simply open up the DNS MMC console and verify that we have correctly configured the Forward and Reverse Lookup Zones. This is easy enough because we are in charge of these zones; we manage, create and delete them. But what about our ISP's DNS database? How do you know that they have correctly configured the A and MX records. The answer would be to do a simple query of their DNS database using Nslookup. From Windows NT 4.0, 2000, and XP, simply drop to a command prompt and type in Nslookup
Once you hit enter, you can now query the DNS database. In my case, I have typed in that I am looking for an MX record. The second option tells the Nslookup utility what domain name I am looking for. In this case, it is my business domain, Bellcs.com. The screen would look like this:
You can also see from looking at the second screen shot that I am querying my ISP's DNS server, which is 220.127.116.11. However, this ISP isn't authoritative for this particular domain name, as you can see from the reply that has been returned. It does show that I do have a configured Mail Server, as well as the Name Servers for my domain.
So this is how I can see what is in my ISPs DNS database without having access to the physical DNS server. Obviously, there is a lot more to Nslookup than what I have shown here. For more information about this utility, simply type
nslookup and press Enter. Then type
help and press Enter. You can also lookup Nslookup in Windows 2000 Help, or online at Technet.
That should do it for now. Hopefully this helps to shed some light on configuring your Exchange 2000 servers to access the internet, as well as the DNS settings necessary to make it work.