I am trying to find the name of the SMTP server responsible for delivering outgoing Exchange messages.
I can easily find the incoming SMTP server name though the MX record, but I need the SMTP server for the outgoing messages. Autodiscover does not help either - it has everything and a kitchen sink (EWS endpoint, etc.), but not the outgoing SMTP server name.
Is it in the Active Directory (for the on-prem Exchange servers)?
Thank you!
Which version of Exchange are you running?
You can run the following from an Exchange Management Shell, it should provide you with sufficient information.
Get-SendConnector | Select-Object -Property Identity,Enabled,SmartHosts,AddressSpaces,SourceTransportServers
Or from the ECP/EAC, select mail flow, and then select Send Connectors. If you have more than one, you'll have to poke around and find the one that is enabled, for the address space '*' with the lowest cost - that will most likely be your default connector. Open/view the send connector. Select Scoping, on the bottom half of the popup window, you will see a "Source server" box. The server(s) in that box are those responsible for getting outbound email out of the Exchange organization.
However, there is a possibility that Exchange just sends to a smart host which scans, logs or otherwise handles your outbound mail before it actually leaves your network. There would be an entry under "SmartHosts" if that were the case in the powershell output or under "Delivery" in the EAC.
As a side note, there is no real de facto "outbound smtp" server like there is a de facto "inbound smtp server" (i.e the MX). I think about as close as you can get is to have a name, address, or block designated in your SPF record, but its not quite the same thing.
Edit - find information in Active Directory:
Get-ADObject -Filter 'objectClass -eq "msExchRoutingSMTPConnector" -SearchBase "CN=Configuration,DC=domain,dc=com"
Will give you a list of send connectors, the routingList Attribute will tell you what namespace each connector is valid for and what the cost is. Unfortunately, from these objects, I do not know how to obtain the server names included in those send connectors.
You could also find these via ADSIedit or another tool that would allow you to browse the configuration in AD. The rough path is:
CN=Connections,CN=ExchangeRouting Group (xxxxxx),CN=RoutingGroups,CN=Exchange Administrative Group (xxxxxx),CN=Administrative Groups,CN=ExchangeOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com".
Your mileage may vary.
Related
I've a GPO that won't work in Azure AD. I need to create multiple GPOs to map network drives. I've put the GPO right under the domain
I've mapped the drive, and targeted at a security group. Tried with an OU first, but that didn't work either.
So did I place the GPO wrong, or did I map the drive wrong? The client has a dynamic IP and it's DNS servers are the IP of the servers
When I run gpudate on the client, It seems that the server is unreachable:
Let me know if you need additional information
• Your procedure of mapping a network drive is correct but the error snapshot that you have posted regarding the reachability of the AD/DNS servers is a matter of concern due to which the group policies were not able to replicate and apply authoritatively from the AD or Group policy server. Thus, please check the connectivity of the DC/Group policy server from the client system as below: -
A) Check the SYSVOL replication is happening correctly or not. DFRS (Distributed File Replication Service) is used for SYSVOL replication, to confirm that run the below command and check its result
‘ dfsrmig.exe /getglobalstate ’ --> If the result shows: 3 (ELIMINATED), then its Ok
B) Then check whether which DC has the FSMO roles installed on it. For that, run the below command and check the IP and hostname whether it is configured as the correct DNS in IP configuration in the client system or not
‘ netdom query fsmo ’
C) Once the above is done, please check the replication between the DCs is working correctly or not by executing the below commands one by one and analyzing their results
‘ Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl
Repadmin /syncall /APeD ‘
D) Ensure that the ‘gpt.ini’ file exists on your DC at ‘\domain.local\SysVol\domain.local\Policies{Policy_GUID}\’ path and if not then your GPO server might be at risk of corruption of essential system files. Please reset it. Also, do ensure that your DNS server or DC is reachable and pingable through the below commands successfully. Try to reset the DNS resolver cache on client computers.
‘ ping<hostname of DC>
Nslookup<hostname of DC>
Ipconfig /flushdns ’ on client systems
Lastly, ensure that your DC and domain is accessible via RPC protocol through the below command: -
‘ nltest /dsgetdc:hostname of DC ’
If all of the above commands return positive results, then you should check your client’s network and domain settings for any issues as everything else is correct on the DC end.
This is question is related to an earlier one I asked, but more specific and hopefully easier to answer.
Essentially, I can't connect to my RDS instance. I tried in my SQL editor (datagrips) and also by pinging the server on the console. Comments on my previous question led me to believe that my problem has to do with the security group. Upon investigation, however, everything seems to be in order--my security group has an inbound rule that should allow all inbound access.
Security Group:
Console Ping:
What is going on here?
EDIT:
It was pointed out that all inbound access does not mean what I thought it did. However I also tried allowing inbound access for my specific IP with still no luck.
Here is the inbound rule for My IP:
EDIT 2:
Not sure what this means but it's not timing out on the EC2...
See comments for context?
inbound rule that should allow all inbound access
It does not. It only allows inbound traffic from SG with id of sg-ea3.... This means that you can't connect to it from home, work etc. To allow all inbound access the source should be 0.0.0.0/0, but it would be better to have your exact home/work ip address <your-ip-address>/32.
PowerShell Script
New-Cluster -Name "DI-XXX-YY-CLUSTER" -Node "di-XXX-YY-db1","di-XXX-YY-db2" -NoStorage -StaticAddress 172.17.XX.YYY
Set-ClusterQuorum -NodeAndFileShareMajority "\\DI-XXX-YY-WS1\ClusterQuorum"
Invoke-Command -ComputerName "DI-XXX-YY-WS1" -ScriptBlock { mkdir c:\Quorum}
Invoke-Command -ComputerName "DI-XXX-YY-WS1" -ScriptBlock { New-SmbShare -Name "Quorum" -Path "c:\Quorum" -FullAccess "didevtest.local\DI-XXX-YY-CLUSTE"}
Add-ClusterNode -Cluster "DI-XXX-YY-CLUSTER" -Name "di-XXX-YY-db2" -NoStorage
The Server manager on the second node (di-XXX-YY-db2) showing a warning.
Incomplete communication with DI-XXX-YY-CLUSTER. The following nodes
or cluster roles might be offline or have connectivity issues
Server Manager->All Servers
The Server Manager refresh fails on the second node (di-XXX-YY-db2)
Windows error log entries
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
server di-XXX-XX-db1$. The target name used was
MSServerClusterMgmtAPI/DI-XXX-XX-CLUSTER.didevtest.local. This
indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name
(SPN) is registered on an account other than the account the target
service is using. Ensure that the target SPN is only registered on the
account used by the server. This error can also happen if the target
service account password is different than what is configured on the
Kerberos Key Distribution Center for that target service. Ensure that
the service on the server and the KDC are both configured to use the
same password. If the server name is not fully qualified, and the
target domain (DIDEVTEST.LOCAL) is different from the client domain
(DIDEVTEST.LOCAL), check if there are identically named server
accounts in these two domains, or use the fully-qualified name to
identify the server.
DCOM was unable to communicate with the computer
DI-XXX-XX-CLUSTER.didevtest.local using any of the configured
protocols; requested by PID 14d4
(C:\Windows\system32\ServerManager.exe).
You are creating a Windows Server Failover Cluster (WSFC), not an FCI. FCI is the clustered instance of SQL Server.
That said, check networking (including DNS), firewall, and most importantly, AD. If the WSFC is not coming online, it could be any of these things. Make sure that the CNO is precreated or the account creating the WSFC has rights to create objects in AD. If the object is there but not in DNS, similar issue - make sure DNS is right.
Also, why are you running Add-ClusterNode? The WSFC is being formed with both nodes in New-Cluster.
Check the logs and Event Viewer. They will give you a clue as to why things are messed up.
One NIC is fine if it's virtualized. There are cases where you would have two NICs (always in physical). Do you have two NICs in one server but not the other?
Also read all the text and not just go by the yellow/green/blue. Sometimes the problem is in the notes.
That said, again, go check SPNs and DNS. Look for things like duplicate or stale DNS records or duplicate SPNs.
You can search for "KRB_AP_ERR_MODIFIED cluster" on the web to see quite a few different solutions, but most are DNS related (including what I mentioned).
I have a domain name.com that points to IP 123.123.123.123 where I have installed a apache2 server.
I also have sub domains like ftp.name.com / etc.name.com that also point to the same ip address.
I want that when a user types in browser name.com to be restricted access, like when the apache server is down (or like when you try to access a domain that does not exist) but in the same time I want the user to be able to access the sub domains. Does it make sense? Is it possible?
"Like when the apache server is down" will not be possible because if it's down, it does not accept connections. But it will have to accept the connection to receive the HTTP header which tells the server the requested (sub)domain.
A possible solution would be to change your DNS entries. Let ftp.name.com point to your server (123.123.123.123 in your example) and configure www.name.com to an unused / invalid ip address. This way your ftp.name.com server will not receive name.com queries at all.
Our customers add a unique service (_careq) with an SRV record to their DNS servers so our software can just do a DnsQuery lookup and get the host's name.
The problem is some customers don't put the SRV record in the correct location (it should read _careq._tcp.[FQDN], but customers can put it in _careq._tcp.[subdomain].[FQDN], etc).
Rather than fixing every customer's DNS server, is there a way to just send a query to the DNS server with our service name (_careq) and have it search its entire DNS tree?
If not, is there another/better way to do a DNS lookup for our host server?
You can't get there from here.
DNS does not publish a list of subdomains. Game Over.
Well, "game over" unless they have zone transfers enabled for your client and that is fairly unlikely.
As for an alternative: perhaps zeroconf can do what you want.