Some tips on fixing Warning – Reverse DNS does not match the SMTP Banner

 

 

I have a pretty common error that I get asked about pretty frequently. I wanted to take a moment to hopefully share some information on what the error is, what to focus on, and what tools you need to fix and monitor.

First of all, please understand this paper covers the simplest of scenarios. Multiple sites, Smart Hosts, Bridgeheads, and multiple Accepted Domains will quickly muddy the waters, but for a basic Exchange Server, This Article Applies directly.

 

The Error

Exchange Server 2013 SMTP banner does not match reverse lookup. or

Warning – Reverse DNS does not match the SMTP Banner

 

Disclaim

First be aware, there is a lot of misinformation out there. Stop and read and understand, before you decide which articles are telling you the truth. This error is likely to pop up in a few situations. I wanted to take a minute to clarify this message and what is needed to clear this up.

First you must understand this error  is directional and relative to a point in mail flow. So you really have to nail down your situation before you set out on solving the problem. You risk getting yourself more confused. Speaking of that, let me try to hopefully explain in a simple way.

First let me say the SMTP Banner is more generally a problem for outbound mail. You may still get an error for inbound connectors,  but mail will not usually fail either. Internal mail uses Internal banner (host) and DNS, and external mail uses External Banner and DNS.  An error comes about, generally where you have mail received across the public internet, where a reference is made to an internal FQDN in the SMTP Header.

Inbound Banner

So if you think you have an inbound banner issue, just go into your inbound mail connector, and then try to save it, without making changes. If there is a problem, you should get a pop up message similar to figure A

Figure A. Inbound Banner issues are identifiable

 

Exchange will promptly give you an error when your inbound connector has a banner issue. Why you ask? Because  the Banner is checked by Exchange, against the security settings.  Think of it like a security Guard. They always check you coming in, but once you have cleared security, it is not as difficult to leave.

So I won’t go into the explanation of inbound banners, except to say, by the time your mail hits this server, the lookup is internal, so the Banner should always be internal. In addition, you have a server, with a certificate, matching this FQDN, so it should make sense that these should all be the same name. Do what the error says and set the Banner to the Internal FQDN.

Outbound Banner

Outbound is really the same sort of thing, for any outbound Internal Connectors. Internal connector, Internal FQDN. The change comes when you have an outbound Internet connector. So this connector will be the banner for your reverse look ups by external recipients. That is, unless you have a third party device doing store and forward for you, in which case, you should be able to set the SMTP banner there as well. Assuming you don’t use a smart host, your Send connector header would look like this:

 

Figure B. Send Connector Scoping Tab.

 

This should make sense. You see this is the external facing send connector. Once mail leaves this connector, the mail will be called External Mail. From this point mail will have to rely on MX, DNS or a Smart host to propagate.

So.. What do you think gets queried for the reverse lookup? The mail server at the destination Is going to query public records it finds, against the header and other information it has received, when it looks your mail domain up. So the checks done include reverse lookup, Public MX record, A record, Text Record and SPF record. So all you need to do to is make sure these records contain your correct Public IP address for your Exchange server, the correct resolution of the  Banner to an IP address, and verify the other records contain the same Name and or IP addresses.

A light conversation

So now we get to brass tacks. So I want to focus you to the main things you would need to set correctly. This is:

  1. Public MX record -Domain.com resolves to target mail.domain.com at PUBLIC IP address
  2. An “A Record” that is the value of the Banner “Mail.domain.com”
  3. An “A record” for values for your setup like “auto-discover.domain.com”
  4. TXT or (PTR) record for your Reverse Lookup DNS record. One domain should be assigned to one PTR record- this is what should match the “send” banner
  5. SPF record. – . Special record with special format for Domain verification by Anti-Spam. SPF record tool will help generate your record

Tools you can use to make sure your records are correct:

  1. Install Dig on your client machine for windows- Dig -x Public IP (will find your PTR record)
  2. Dig domain.com will give you your “A” record.
  3. Dig mail.domain.com txt – will show your SPF record.
  4. Dig mx domain.com to query MX record, or Dig @nameserver.domain.com yourdomain.com

So with this Dig tool, you can check and cross check. If you have an IP address in this mix, that you are not aware of, or are not using, then you will need to fix this.

I am not going into too much detail here, but if you have all these records in place, and make sure they point to the public IP address, which sends the exchange server its mail, then you should be happy. Use the web site IPCHICKEN.COM on your Exchange Server. It will tell you your Public IP, normally used for Setting Public DNS records. For non-smart host or bridgehead customers, your value of IPCHICKEN, should be your Public IP values for these records.

In Closing

You have the public information you need to set records above. Set this correctly. Second, go to Exchange Server and set the FQDN correctly and you should no longer have SMTP banner failing to match the reverse lookup:

  • Send Connector Mail Flow -> Send Connector-> Scoping-> FQDN
  • Receive Connector  Mail Flow -> Send Connector-> Scoping-> FQDN

Make sure these FQDN matches its function. Internal connector is internal FQDN.

Send Connector is Public FQDN. Then make the Records match the correct public values and this issue will be resolved.

In closing Here are some tools you can use to troubleshoot:

Exchange Connectivity.

Dig Bind Tool

MX Tool Box

I hope this is helpful and explains what you are seeing, and how you can fix your SMTP banner issue.

Thank you,

 

Louis

 

 

 

Move-CsUser Fails from command line when Migrating User to New Pool. It succeeds from Graphical Interface

 

Hello All,

I am hoping to make some videos about SFB, but I am still low on time. In the mean time, I hope these articles are helpful to some. My Friend called me with an interesting problem. His move-Csuser command failed from the command line. The GUI move succeeded. I provide below a few things to check and set to repair the issue.

Figure 1. Roman Numerals of Lync Issues Colosseum-Entrance_LII

 

There are a couple reasons for the failure you are having. I will list below, along with the most plausible solutions:

I. The difference between the Command line and GUI is permissions related. When you open the command line, you need to be a member of the following groups :

  • 1. RTCUniversalUserAdmins (not CSUserAdministrators
  • 2. CsAdministrator 
  • 3. I know you think you have proper permissions but please check- This is often gotten wrong
      • a. You will check and see you have two permissions – CSAdministrator and RTCUniversalServerAdmins
      • b. You also need to add – you need to be a member of CsAdministrator and RTCUniversalUserAdmins

II. The other side of this issue is the User. The user may have been one of many users who had their default user created without inheritable permissions. Lync move command will fail!! Fix it before making the move command!

Move command fails due to user permissions

III. User is legacy OCS user? Your error contains the text OCSADUser. Without the full text of the error, there is some guesswork here but, perhaps try this out:

Lync fails to move between pools

    • a. Port 135 is blocked between pools. (not sure how the GUI gets around that)
    • b. Run get-CsManagementStoreReplicationStatus on all Servers. Correct failures
    • c. Check any SBAs they need the right ports etc..
    • d. Did you try the –Force yet? Try it out. If it succeeds, then likely we have a data issue.
    • e. Run Get-CsFabricPoolState and Get-CsBackupServiceStatus if either fail, then we know this needs to be fixed first.
    • f. Move-CsLegacyUser -Identity “sip:kate@domain.net”-Target “lync-se.domain.net

IV. Are the users potentially legacy OCS users? They could be. Try Move-CsLegacyUser

V. Weather legacy or not, the database may have a problem. Try to check the database for clarity below

  • a. The error in this link may not match, but it contains the how to check for Database corruption DBANALYZE
  • b. If the user database is not right, and you cant repair then you may have to homogenize the data by completing the CMS move or moving the CMS to another machine.
  • Or you want to Export and Import the User data, after running a –force on the move command. see roman num. 8 below

VI. User or pool Attributes are wrong or corrupt, or not changeable in AD. Note the following attributes. You can even change manually if you know the values for the desired state. For the Pool:

  • a. msRTCSIP-PoolDomainFQDN
  • b. msRTCSIP-PoolDisplayName
  • c. msRTCSIP-BackEndServer

2. For the User

  • a. msRTCSIP-UserRoutingGroupId
  • b. msRTCSIP-UserEnabled
  • c. msRTCSIP-PrimaryHomeServer

VII. Lync Server Move-CsUser and Move-CsLegacyUser commands fail with error –like  SetMoveResourceData failed because the user is not provisioned.

VIII. This is a perfect little process if Force works. So the commands are restated below. Thanks FlinchBot:

  • a. Export-CsUserData -UserFilter “user@flinchbot.com” -Poolfqdn pool.flinchbot.com -filename “e:\tempuser.zip
  • b. Move-CsUser “user@flinchbot.com” -Target pool.flinchbot.com –force
  • c. Update-CsUserData -UserFilter “user@flinchbot.com” -FileName “e:\tempuser.zip” –verbose

IX. If you Move back in version, it will automatically fail without a force. Here is a long time disclaimer:

“WARNING: Moving a user from the current version to an earlier version (or to a service version) can cause data loss”

X. I just had to get to 10. Now I know My Roman numerals. Ok I am leaving you with a more complex example, which includes two of my fixes from above, in combination. I think I have captured a good number of the reasons why Move-CsUser may fail.

Bonus #11 – Issue with Move command and AD Connect

 

I hope this has been fun and informative. This is a summary article about the many reasons you may not be able to run move-CsUser in the command line. I will leave you with a couple last articles which have to do with getting all the user objects that may be causing things to fail. You can manually parse the list to see if there are any that show up with a problem.

 

 

Louis

Testing Skype for Business with Test Cmdlets Script

This gallery contains 2 photos.

Happy Holidays to Everyone, I am trying to put together a little Skype Training class for some New Lync Students. I have found that some of my Scripts had gotten moldy and didn’t work anymore. The Test Skype Script is an important one for a new person to have, So they have some automated tools, […]

Collecting Sip Stack from Exchange Unified Messaging Server

 

Untitled

Hello everyone. Welcome to more things Exchange and Lync or Skype. That sounds like a good title for an article. Maybe Some day. For today, I would like to just make a call out for a logging process, I have used many times in complex Unified Communication Call issues, normally involving lync.

I spent a lot of time Trying to use the event logs of UM to try to find the problem. The fact is the Sip communication is not happening in Exchange, as many of you know. So then what?

What is UCMA! UCMA takes care of the processing of the sip stack. Therefore, it world make sense that a Skype Engineer would be more interested in seeing the out put from its logs.

Maybe I could have read about IIS to find this out, or maybe I just don’t deal with it enough. So I relied on my friends in the Netherlands to help with the syntax. Please see their original article here

The bottom line is you need to know what is happening in UCMA. Check out this TechNet video. It may give you a start to the path you are about to go under:

Things to know: UCMA uses UCWA. UCMA is only for Voice. UCMA takes the sip messages and turns them into C sharp. This is as close to the Sip message as I have seen. Logs can be viewed in Skype with Snooper.

Now That you have watched the video, Please keep this information handy to begin to log UCMA for sip messaging. Did you know the following all rely on UCWA and UCMA? wow!

  • Mobile App
  • Web Client
  • Outlook web APP
  • Exchange UM
  • REST API

Here are the steps to get your logs.

  • 1. Open command window
  • 2.Go to cd C:\Program Files\Microsoft UCMA 4.0\Core Runtime\Tracing
  • 3. Type OCSTracer.exe Start  /Component:Collaboration,TL_noise,tf_component,tf_diag, tf_protocol,tf_connection
    /Component:S4,TL_VERBOSE,tf_component,tf_protocol / LogFileMode:NewFile,20
  • Reproduce our problem
  • OCSTracer.exe Stop /Component:Collaboration /component:s4  /OutputFile:traces.txt /View

 

I hope this is a helpful read and I hope you fix your Voice issues on UM or Lync or Skype, or Exchange or UCWA or UCMA or wherever they may reside!

 

Louis

How to Troubleshoot SQL, Skype, Windows, Active Directory, Exchange and Basic Server issues with one tool! Its called Multi-Perf!

 

5

Figure 1. Perfmon

Hello Everyone,

Well Multi-Perf sounds like it will do a lot! I don’t want to mislead anyone, so I will say up front, Yes it will troubleshoot all those products; One at a time. It is an industry Standard, that you only work on one problem at a time. Therefore, This tool will collect performance information, related to one of the topics of concern. Once the log is collected, you can then review it for specific problems, related to your installation.

1Figure Figure 2. Set-Execution Policy

The benefit of this tool, is That I have been fortunate enough to partner with one of my Best Friends; Tommy Paulk. He is a Master Engineer for Exchange Server. My title Is Skype Architect. See where I am going with this? Tommy created the Exchange Counter set. I created the Skype counter set. Each counter set has been created by a professional in their field of study. The bottom line is you get a script that gives you choices on what set of performance information you need.

So the Multi-Perf is run simply as “Multi-Perf  counter”, where the counters are Basic, Active, SQL, EXCH and Skype

0       Figure 3. Multi-Perf and Readme 

Lets go ahead and get started on explaining what you get for your money here. See Figure 1 at the top of this read? That is the result of any counter set; a sort of mix up of settings that you have to get into, dance with, and somehow survive victoriously. The particulars are beyond the scope of this article; but Begin here. No I take that back, I always make the first link, one I would never read myself. Ok, read this one- Windows Perfmon. Its pretty good.

Now that your up to speed, lets get you some instructions! Figure 2 is set-execution policy. You should open your PowerShell as admin, and run this command : Set-Execution Policy –Execution Policy Unrestricted.

Next you just have to know the syntax of the command:

.\Mult-Perf testname –computer mycomputer –instance my instance. Notice the red lines in figure 4? that represents the 3 data points you are responsible for.

0  Figure 4. Mult-Perf Syntax

If you are not using SQL, then you only have 2 items to put  in!. If you are running on the local computer, you only have to put the test name in! If you forget the test name, you automatically get the Basic counter pack.

So this means this tool will work, regardless of input. You wont get the detail you want, but you get a basic counter log, at a minimum. Let me now give you some example of running syntax.

Figure 5. Run Active test on computer 2

See above, you use the form: .\Program testname –computer computername

If you forget the computer name, it will automatically select the local computer:

 

Figure 6. Run as Program .\Multi-Perf.ps1 only

1

in this case you will have no difference in result, because you are giving the most important test variable in, the test type.

 

Figure 7. with SQL; If you forget to specify the instance, you will get another chance to put it in. 3

If you put the instance in, then that is fine. But if you did not, there is no penalty. This makes the Log tool, infallible and easy to use.

As the last example, I will take you over the case where a person starts the SQL trace, and does not input the Instance:

 

0   Figure A. No instance specified.  

 

Instead of failing, The Script looks up the SQL instances, and presents them for the customer. It also says the user must type the instance name themselves, so there is no accident.

1    Figure B

Once the user types in the instance in Figure B, we move to Figure C and we just ask how many seconds between snapshots. 1-60 is best.

2  Figure C

 

Finally, With Figure D, we are just asking for an Enter, to go ahead and create the counter object. Upon hitting enter, The confirmation that the Counter perfmon is started.

3    Figure D

Finally, with Figure E, you see performance counter is stated. As long as that is the end result, The interceding Steps were all successful. You can see the fruits of your labor in Figure F, which is the running Performance monitor!!

 

4    Figure E

 

Figure F is start-> run-> Perfmon

Untitled Figure F Permon running. Always called Perf.

 

The counter that is created is always called Perf. It will always deleted the old one before another one is created. If you want to keep the old one, just rename it.

 

Ok if you made it this far, you must want your copy. Please have it and go in Peace!

Download Me Here

 

L

 

 

g

My most commonly used blog posts for troubleshooting Exchange

 

Hello Everyone,

I have to share with you, a link from my Mentor and Microsoft Master Engineer Andrew Higginbotham. The title of the article is

My most commonly used blog posts for troubleshooting Exchange

This is a keeper article and covers all of the common items you may expect a Support Organization to handle on a regular basis.

Please visit his Twitter and Follow him at @Ashdrewness

https://twitter.com/ashdrewness

In any case, Here is his article as well. Please visit and find help for exchange troubleshooting!

https://ashdrewness.wordpress.com/2016/11/23/my-most-commonly-used-blog-posts-for-troubleshooting-exchange/

 

Have a Great Thanksgiving! 2016!

Louis

How to remove the Exchange 2013 Mailbox role and Exchange from your Windows Server

Id done this a few times and sometimes I can remember the sequence and sometimes I would forget. There are serious consequences to forgetting.  It takes forever to go back and keep running the removal and fail. The client access role will remove fairly smoothly.With Server 2012, you will find instructions below.  The mail role requires that every object be addressed before the role will come out successfully. Below find the steps to get the mail role and Exchange decommissioned from your server. Once this is completed, go to AD and remove all evidence of Exchange in your ADUC. delete all the security groups, folders, , monitoring and system guids, etc… then you can remove any IIS app pools , folders entries, and registry evidence of Exchange if desired. Reboot your System and begin with Prepare Schema again.

Remove Mailbox Role Exchange 2013

1. Get-user | disable-mailbox
2. Get-PartnerApplication| Remove-PartnerApplication
3. Get-mailboxdatabase
4. Use 3 to run- Get-Mailbox -Arbitration -Database ‘Mailbox Database xxxxxxxxxx’ | Disable-Mailbox -Arbitration
-DisableLastArbitrationMailboxAllowed
5. Get-MailboxDatabase | Get-MailboxStatistics | Where { $_.DisconnectReason -eq “Disabled” } | ft  DisplayName,Database,DisconnectDate
6. Get-Mailbox -Monitoring | Disable-Mailbox
7.>Get-MailboxDatabase | Remove-MailboxDatabase
8. See that database is now deleted with  – Get-MailboxDatabase | Get-MailboxStatistics | Where { $_.DisconnectReason -eq “Disabled” } | ft  DisplayName,Database,DisconnectDate
9. Physically delete the database and log files (leave the mailbox folder for now)
10. verify nothing is left – Get-MailboxStatistics -Database ‘Mailbox Database 0039199658’ | where {$_.DisconnectReason -eq “SoftDeleted”} |foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}
11. get-mailbox
12 get-mailbox -arbitration
13. get-mailbox -monitoring

At this point reboot the server and verify that IIS and other roles are working correctly. As an extreme measure, you may also remove the prerequisites and reinstall them. (http://technet.microsoft.com/en-us/library/bb691354(v=exchg.150).aspx)

Finally, begin again-
14 cmd -> Setup /Mode:Uninstall /iacceptexchangeserverlicenseterms