Re: SELF Attribute not updating through firewall

Well, the two excahnge admins sent me several links on what RUS is, including
a tutorial!)
DCDIAG passed all tests. Results below:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\bdmeyer.COLUMBIASC.000>cd \

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: LEGAL\subdomaindc
Starting test: Connectivity
......................... subdomaindc passed test Connectivity

Doing primary tests

Testing server: LEGAL\subdomaindc
Starting test: Replications
......................... subdomaindc passed test Replications
Starting test: NCSecDesc
......................... subdomaindc passed test NCSecDesc
Starting test: NetLogons
......................... subdomaindc passed test NetLogons
Starting test: Advertising
......................... subdomaindc passed test Advertising
Starting test: KnowsOfRoleHolders
......................... subdomaindc passed test KnowsOfRoleHolders
Starting test: RidManager
......................... subdomaindc passed test RidManager
Starting test: MachineAccount
......................... subdomaindc passed test MachineAccount
Starting test: Services
......................... subdomaindc passed test Services
Starting test: ObjectsReplicated
......................... subdomaindc passed test ObjectsReplicated
Starting test: frssysvol
......................... subdomaindc passed test frssysvol
Starting test: kccevent
......................... subdomaindc passed test kccevent
Starting test: systemlog
......................... subdomaindc passed test systemlog

Running enterprise tests on : columbiasc.ads
Starting test: Intersite
......................... columbiasc.ads passed test Intersite
Starting test: FsmoCheck
......................... columbiasc.ads passed test FsmoCheck

C:\>

--
Bruce D. Meyer, CCNA, MCSE
Network Analyst
City of Columbia, SC


"Bruce D. Meyer" wrote:

Yup, you're right. I noticed that right after I sent it. Oh well. at least
one of us was correct! :-)

Don't know what the acronym RUS stands for. New users are created on the
Exchange Server.
The users access their email from behind the firewall. I misspoke on the
earlier message also when I said we tested from outside the firewall, that
was from actually inside the firewall.

What I see is when the user attempts to check their email from behind the
firewall, their DC (behind the firewall) tries to connect outside the
firewall, presumably for authentication. (port 389)

I haven't tried DCDIAG, I will try that tommorrow when I am back at work.
(Wednesday AM)

Bear with me please, I am the Network analyst, not the Exchange Admin that
set everything up. I run your questions by them so they probably know what
the RUS is.
--
Bruce D. Meyer, CCNA, MCSE
Network Analyst
City of Columbia, SC


"Ed Crowley [MVP]" wrote:

Actually I didn't use the word you quoted, "in", I said "against".

Do the newly created users get e-mail addresses from the RUS? Are the
Outlook users crossing the firewall? Have you tried running DCDIAG?
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"Bruce D. Meyer" <BruceDMeyer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:60DC2E42-0D82-48F4-822E-27B27E385279@xxxxxxxxxxxxxxxx
As far as the Recipient Update service, no, it is not running 'in' the
subdomain, as their is only a single Exchange server on the whole Forest,
and
it resides in the root domain (I know, improper term, but...). However,
their
is a Recipient Update service running FOR the subdomain on the Exchange
server.

As far as the Exchange Setup / Domain prep, It was run in the Forest root
domain, and seperately again in the subdomain.






--
Bruce D. Meyer, CCNA, MCSE
Network Analyst
City of Columbia, SC


"Ed Crowley [MVP]" wrote:

Also, is there a Recipient Update Service running against the subdomain?
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"Bruce D. Meyer" <BruceDMeyer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4C31ED7D-BC27-430E-AB99-4ECF161A2C86@xxxxxxxxxxxxxxxx
We have an AD forest recently upgraded Exchange 5.5 to 2003 SP2.
I think that something we did in the last month or two in regards to
shutting down the old NT servers has caused this oddity to occur:

Our Forest is two domains. One domain has about 1,000 users, the
subdomain
has about 12.
The subdomain is behind a PIX firewall.
We recently upgraded Exchange 5.5 to Exchange 2003.

Everything has worked for quite some time.

I think that something we did recently, as we shut down more and more
of
the
old NT servers has caused the following odd problem, but I can't figure
out
what is causing it.

When the Exchange Admins create a new user in this subdomain behind the
firewall, the SELF attribute doesn't update and change to the username
as
it
should.

Also, that user cannot open up Outlook on their computer successfully.

I started debug fixup udp and noticed that the domain controller for
that
subdomain (which is also behind the firewall) for some reason is trying
to
use port 138 to a domain controller that is not in it's site
replication
topology. If the DC should be talking to the root DC in the forest, and
that
is how to PIX has been configured for several years. (Exchange 5.5
days)

If I allow Port 138 traffic to go through the firewall, the subdomains
DC
will indeed go to that other DC and the user can then successfully open
Outlook and send and receive email.

Oddly, the SELF attribute never gets updated.

We placed a machine on the outside of the firewall, logged into the
subdomain as a user from that subdomain, and even though the user can
send
and receive email, the SELF attribute never gets updated to the logged
in
users name.

I am using secure DC to DC isakmp through the firewall replication as
recommended in a KB as the best way to handle DC to DC replication
through
a
firewall.

Frankly, I am not even sure what my next troubleshooting step should
be.
Any
help is greatly appreciated.

Bruce D. Meyer, CCNA, MCSE
Network Analyst
City of Columbia, SC





--
Bruce D. Meyer, CCNA, MCSE
Network Analyst
City of Columbia, SC






.

Relevant Pages

  • Re: Unable to Receive Email from the internet
    ... Are you running this on Longhorn server? ... Test from outside your firewall: ... Exchange Server 2007: internet email without Edge ... looking at the firewall inbound rules on my LHS. ...
    (microsoft.public.exchange.setup)
  • Re: Open ports?
    ... You can't install Exchange without IIS. ... This server isn't going to be as secure as possible. ... >>> However, if this is your domain controller, putting a firewall between ...
    (microsoft.public.win2000.security)
  • Re: OMA?
    ... You would need to open up port 80 to the Exchange server only. ... > would I have to open up port 80 on my firewall, ...
    (microsoft.public.exchange.connectivity)
  • Re: SBS2008 - Exchange 2007 + Connection Control
    ... But then why not do it in Exchange if the facility is there to do it? ... as it will make troubleshooting a huge PITA. ... but the fact that you can't do this in your firewall should be ... Microsoft Exchange> Server Configuration> Hub Transport> ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS2008 - Exchange 2007 + Connection Control
    ... But then why not do it in Exchange if the facility is there to do ... but the fact that you can't do this in your firewall should ... Microsoft Exchange> Server Configuration> Hub Transport> ... Currently this would appear by default to permit connections ...
    (microsoft.public.windows.server.sbs)