Some tips on fixing Warning – Reverse DNS does not match the SMTP Banner

 

 

This is a common error I get asked about frequently. I want to take a moment to share what the error is, what to focus on, and which tools you need to fix and monitor it.

First of all, please understand this article covers the simplest scenario. Multiple sites, smart hosts, bridgeheads, and multiple accepted domains will quickly muddy the waters, but for a basic single Exchange server, this article applies directly.

 

The Error

Exchange Server 2013: SMTP banner does not match reverse lookup, or

Warning – Reverse DNS does not match the SMTP Banner

 

Disclaimer

First, be aware that there is a lot of misinformation out there. Stop, read, and understand before you decide which articles are telling you the truth. This error is likely to pop up in a few situations, so I want to clarify what the message means and what is needed to clear it up.

You must understand that this error is directional and relative to a point in mail flow, so nail down your situation before you set out to solve the problem, or you risk confusing yourself further. Let me try to explain it simply.

The SMTP banner is generally a problem for outbound mail. You may still get a warning on an inbound (receive) connector, but inbound mail will not usually fail because of it. Internal mail uses the internal banner (host name) and internal DNS; external mail uses the external banner and public DNS. The error generally comes about when mail is sent across the public Internet and the banner your server announces (the 220 greeting, which also ends up in the Received: header the recipient adds) names an internal FQDN that public DNS cannot resolve.

Inbound Banner

So if you think you have an inbound banner issue, just go into your receive connector and try to save it without making changes. If there is a problem, you should get a pop-up message similar to Figure A.

Figure A. Inbound Banner issues are identifiable

 

Exchange will promptly give you an error when your receive connector has a banner issue. Why? Because Exchange validates the FQDN on a receive connector against its own security settings when you save it. Think of it like a security guard: they always check you coming in, but once you have cleared security, it is not as difficult to leave.

So I won't go into a long explanation of inbound banners, except to say that by the time mail hits this server the lookup is internal, so the banner should be the internal name. In addition, you have a server with a certificate matching this FQDN, so it makes sense that these should all be the same name. Do what the error says and set the banner to the internal FQDN.

Outbound Banner

Outbound is the same sort of thing for any internal send connector: internal connector, internal FQDN. The change comes with the outbound Internet send connector. The FQDN on this connector is the banner that external recipients will compare against their reverse lookup of your IP address. That is, unless you have a third-party device doing store and forward for you, in which case you should be able to set the SMTP banner there instead. Assuming you don't use a smart host, your send connector's FQDN setting would look like this:

 

Figure B. Send Connector Scoping Tab.

 

This should make sense: this is the external-facing send connector. Once mail leaves this connector it is external mail, and from this point it has to rely on MX records, public DNS, or a smart host to get where it is going.

So what gets queried for the reverse lookup? The receiving server takes the public IP address your connection arrives from and looks up its PTR record. Most receivers then forward-confirm it by resolving that PTR name back to an A record and checking that it contains the same IP, and compare the name with what you announced in the banner and EHLO. Separately, the SPF (TXT) record of your sending domain is checked to see whether your IP is allowed to send for it, and your MX record is what anyone replying to you will use. So all you need to do is make sure these records contain the correct public IP address of your Exchange server, that the banner name resolves to that IP address, and that the other records agree on the same name and IP.

A light conversation

So now we get to brass tacks. I want to focus you on the main things you need to set correctly. These are:

  1. Public MX record: domain.com points to the target mail.domain.com, which resolves to your PUBLIC IP address.
  2. An A record for the banner name, mail.domain.com, pointing to that public IP.
  3. A records for the other names your setup uses, such as autodiscover.domain.com.
  4. PTR record for your reverse lookup. This lives in the reverse (in-addr.arpa) zone for the IP address and is usually set by whoever owns the IP block (your ISP), not in your domain's zone. One public IP should have exactly one PTR, and that name is what must match the send connector's banner.
  5. SPF record: a TXT record on domain.com in a special format that anti-spam systems use to verify which hosts may send for your domain. An SPF record generator will help build it.

Tools you can use to make sure your records are correct:

  1. Install dig on your Windows client (it ships with BIND). dig -x <public IP> finds your PTR record.
  2. dig mail.domain.com A gives you the A record for the banner name; dig domain.com A gives the A record for the bare domain.
  3. dig domain.com TXT shows your SPF record (SPF is published on the domain, not on the mail host name).
  4. dig domain.com MX queries the MX record, or dig @nameserver.domain.com domain.com MX to ask a specific name server directly.

With dig you can check and cross-check. If an IP address turns up in this mix that you are not aware of or are not using, you need to fix it.

I am not going into too much detail here, but if you have all these records in place and pointing to the public IP address from which your Exchange server sends mail, you should be in good shape. Open IPCHICKEN.COM from the Exchange server: it shows the public IP the server's outbound connections appear from, which is normally the value used for the public DNS records above. For customers without a smart host or bridgehead, the IPCHICKEN value should be the public IP in all of these records. If your outbound NAT address differs from the address your MX points at, the PTR has to be on the outbound address, because that is the one the recipient sees.
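As an added example (not from the original post, and not an Exchange or Microsoft tool), here is a small Python script that does the cross-check described above for you: paste in the answers from dig -x, dig ... A, dig ... MX and dig ... TXT, and it reports every place the PTR, the banner's A record, the MX target and the SPF record disagree. The dig output embedded below is constructed for a hypothetical example.com on 203.0.113.10, and the SPF evaluation is deliberately minimal (no include or redirect), which is an assumption to keep in mind for real domains.

```python
"""Cross-check the public identity of a mail server: the PTR for the sending
IP, the A record for the banner name, the MX target and the SPF record must
all agree.  Added example, not from the original post.  Input is the text of
`dig +noall +answer` queries; the sample below is constructed."""
import ipaddress
import re
import sys

DIG_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|PTR|MX|TXT)\s+(.*)$")

# Constructed dig answers for a hypothetical example.com on 203.0.113.10.
SAMPLE_DIG = """\
10.113.0.203.in-addr.arpa. 3600 IN PTR mail.example.com.
mail.example.com.          300 IN A   203.0.113.10
example.com.               300 IN MX  10 mail.example.com.
example.com.               300 IN TXT "v=spf1 mx " "a:mail.example.com -all"
"""


def normalize(name):
    return name.rstrip(".").lower()


def reverse_name_to_ip(owner):
    """10.113.0.203.in-addr.arpa. -> 203.0.113.10 (IPv4 only)."""
    labels = normalize(owner).split(".")[:-2]      # drop in-addr.arpa
    return ".".join(reversed(labels))


def parse_dig_answers(text):
    """Parse `dig +noall +answer` lines into {rtype: {owner: [rdata, ...]}}."""
    records = {"A": {}, "PTR": {}, "MX": {}, "TXT": {}}
    for line in text.splitlines():
        m = DIG_LINE.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        key = normalize(owner)
        if rtype == "PTR":                          # key PTRs by the IP they describe
            key, rdata = reverse_name_to_ip(owner), normalize(rdata)
        elif rtype == "MX":                         # "10 mail.example.com." -> target
            rdata = normalize(rdata.split()[1])
        elif rtype == "TXT":                        # join quoted strings into one value
            rdata = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))
        records[rtype].setdefault(key, []).append(rdata.strip())
    return records


def spf_authorizes(spf, ip, domain, records):
    """Minimal SPF evaluation: ip4/ip6, a, a:host and mx mechanisms only.
    Assumption: no include/redirect, which a full checker must follow."""
    addr = ipaddress.ip_address(ip)
    for term in spf.split()[1:]:
        if term[:4] in ("ip4:", "ip6:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
        elif term == "a" or term.startswith("a:"):
            host = domain if term == "a" else normalize(term[2:])
            if ip in records["A"].get(host, []):
                return True
        elif term == "mx":
            if any(ip in records["A"].get(mx, []) for mx in records["MX"].get(domain, [])):
                return True
    return False


def check_mail_identity(domain, public_ip, banner_fqdn, records):
    """Return the list of mismatches; an empty list means everything lines up."""
    domain, banner, problems = normalize(domain), normalize(banner_fqdn), []
    # 1. Reverse lookup: exactly one PTR, and it must equal the banner FQDN.
    ptrs = records["PTR"].get(public_ip, [])
    if len(ptrs) != 1:
        problems.append(f"{public_ip} has {len(ptrs)} PTR records, want exactly 1")
    if ptrs and banner not in ptrs:
        problems.append(f"PTR {ptrs} does not match banner {banner}")
    # 2. Forward-confirmed reverse DNS: the banner name must resolve back to the IP.
    if public_ip not in records["A"].get(banner, []):
        problems.append(f"A record for {banner} is {records['A'].get(banner)}, want {public_ip}")
    # 3. The MX target must resolve to the same host.
    mxs = records["MX"].get(domain, [])
    if not mxs:
        problems.append(f"no MX record for {domain}")
    for mx in mxs:
        if public_ip not in records["A"].get(mx, []):
            problems.append(f"MX target {mx} does not resolve to {public_ip}")
    # 4. Exactly one SPF record on the domain, and it must authorize the IP.
    spf = [t for t in records["TXT"].get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"found {len(spf)} SPF records for {domain}, want exactly 1")
    elif not spf_authorizes(spf[0], public_ip, domain, records):
        problems.append(f"SPF does not authorize {public_ip}: {spf[0]}")
    return problems


if __name__ == "__main__":
    # usage: python check_banner.py [answers.txt domain public_ip banner_fqdn]
    if len(sys.argv) == 5:
        text, domain, ip, banner = open(sys.argv[1]).read(), *sys.argv[2:]
    else:
        text, domain, ip, banner = SAMPLE_DIG, "example.com", "203.0.113.10", "mail.example.com"
    for problem in check_mail_identity(domain, ip, banner, parse_dig_answers(text)) or ["all records agree"]:
        print(problem)
```

Collect the real answers with dig +noall +answer for each query into one file, then run the script with the file, your domain, the public IP from IPCHICKEN, and the FQDN from the send connector. Running it with an internal banner such as exch01.corp.local against the sample data reports both the PTR mismatch and the missing A record, which is exactly what a recipient's reverse lookup sees.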

In Closing

You now have the public information you need to set the records above. Set them correctly. Second, go to the Exchange server and set the FQDN correctly, and you should no longer see the SMTP banner failing to match the reverse lookup:

  • Send connector: Mail Flow -> Send Connectors -> Scoping -> FQDN
  • Receive connector: Mail Flow -> Receive Connectors -> Scoping -> FQDN

Make sure each FQDN matches its function. An internal connector gets the internal FQDN.

The Internet send connector gets the public FQDN. Then make the DNS records match the correct public values and this issue will be resolved.

Here are some other tools you can use to troubleshoot:

Exchange Connectivity.

Dig Bind Tool

MX Tool Box

I hope this is helpful and explains what you are seeing, and how you can fix your SMTP banner issue.

Thank you,

 

Louis

 

 

 

New Skype for Business and Exchange Certification Track aka New Lync Exchange Upgrade Certifications to MCSE Productivity

Before I jump right in this evening, let me share the exciting picture of Saturday Night Live Season 42, episode 2. It is a lovely commentary on the second presidential debate. I recommend catching Saturday Night Live season 42; the debates are hilarious!

Whether you're for Trump or Hillary, please be nice to each other! This is a great country and all of our problems are small compared to those who have less. No matter what, all we have is each other! Anyway, for the new certification information, first be aware that you should be transitioned automatically. If you have a Server 2012 MCSE and an Exchange or Lync MCSE, you should now see this in your transcript:


From this point forward (9/26/2016), you will be on the new program. This means you will be trying to keep the following certifications valid:

  • MCSE: Cloud Platform and Infrastructure – focusing on skills validation for Windows Server and Microsoft Azure
  • MCSE: Mobility – focusing on skills validation for Windows Client and Enterprise Mobility Suite
  • MCSE: Data Management and Analysis – focusing on skills validation for both on-premises and cloud-based Microsoft data products and services
  • MCSE: Productivity – focusing on skills validation for Office 365, SharePoint, Exchange, and Skype for Business
  • MCSD: App Builder – focusing on skills validation for Web and Mobile app development

It's a nice change because you just have to take one test a year to keep your certification. Microsoft uses an elective system, so Productivity, for example, could be Skype, Exchange, or SharePoint. In addition, the advanced topics are on the same certification, but you don't have to take the advanced exam until the following year, and you still have the MCSE.

So this is a trade-off. You get the certification up front, but you will ultimately want to complete all the exams over time.

The old way, you had to scramble to get all the exams done, and then you had a long period of no growth, perhaps, followed by another scramble.

I think the new method matches reality. On that note, having taken the Server 2016 beta exam (70-743) for the infrastructure upgrade, the new testing methodology has finally moved to the future. No more questions with the same boring beginning. The questions are straightforward. By the end of the exam, you are telling yourself you deserve to fail if you don't know the information.

I was very satisfied with the new test format. So in closing, we have a new certification format and a new test format coming our way.

The resources I have used and recommend are Born to Learn and Microsoft Virtual Academy. These are both much better than in the past, and the material is generally helpful.

https://mva.microsoft.com/

https://borntolearn.mslearn.net/

 

Good luck and happy Certifying!!!

Louis

Fix your Exchange Errors: the name on the security certificate is invalid or does not match

 

Hello Exchange Admins,

I found a great new tool from DigiCert and had to share it with everyone. Nowadays you can't have .local (or any other internal, non-public) names on a public certificate, so the internal names Exchange uses for its web services no longer match the certificate, which creates certificate pop-ups for clients. DigiCert, always a proactive company, has come up with a tool to remedy this.

It changes the URLs of your Exchange web services (the virtual directories) from the internal names to your public .com name so they match the certificate, eliminating the pop-ups. It also generates a rollback script to get you back to the default settings if there are any problems.

I don't see the downside to this approach! Thanks DigiCert, for putting the work in so we all benefit.

The Tool is located here:

https://blog.digicert.com/replace-internal-names-certificates-part-2/

They also have a part 1 article on replacing internal names on certificates, but part 2 is an awesome addition to the toolbox for Exchange people.

Thank you Digicert!

 

Here is part 1 on Internal Names

Thanks Again,

Louis

Skype Database cannot be opened. It is in the middle of a Restore

 

Hello all. I had a case that I have solved several times, but this particular morning I forgot what I did to fix it. This is when I generally write a blog post. The scenario is that you run Topology Builder and complete a mirror, but at the end of the mirror creation you get an error in Topology Builder. This error may take many forms.

 


 

The error boils down to: Database cannot be opened. It is in the middle of a restore. If the mirror has not replicated, then you're in a different boat. In my case, however, the mirror databases seemed to have restored completely.

I am not saying this will work for everyone, but if your issue is that the SQL script got stuck, you may be able to just terminate the restore script and re-publish your topology. If this works, great. If not, at least you had something to try.

Otherwise, this restore state never ends. It just sits in this state, and the mirror never finishes.

 

That is what you get from trying to publish this mirror over and over and over. Hopefully this small step is all you need to fix your issue.

 

I have had another case where this was only part of the issue. The next step is to check your SQL error log and see whether there is an SPN error. Look for:

“The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Windows return code: 0x2098, state: 15”

This is an indication that you need to check the permissions to SQL, or the service account's permissions on both computer accounts.

If you don't have these kinds of errors, then you may be fortunate. Try running this script if the issue is just that something is stuck at the end of the restore:

(Screenshot of the script; not reproduced here.)

Happy troubleshooting!

 

Louis

Skype for Business Does not Use Bots or BOT Framework in 2016

BOTS?

What brought my attention to this subject was a memo from a coworker. It was just a run-of-the-mill comment, and it was really the implied meaning I took away from it. I got the impression that some of my friends were thinking that bots were going to be available to them in Skype for Business (SFB). Comments on SFB are generally warm, but one person's bot comment was left unanswered, presumably because most SFB people are not privy to any information about these bots.

I will tell you, I didn't reply. My instincts wanted to tell them bots are not part of SFB. Honestly, I didn't know for sure. Really, I didn't know what a bot is! So, if not for posterity, let it be my own curiosity that led me to find out: what are we missing in SFB land that is so exciting in the rest of the industry? As it turns out, I think we should be paying attention. It's not going to be long before we are up to our necks in bot support!

Below I lay out a case for the inclusion of bots in SFB, but I would ask my colleagues: is there any reason why SFB is left out at this phase? Is there a big, awesome change coming? Is there a secret project afoot? Is it top secret? No, I am not a conspiracy theorist, so let me just leave that where it lies!

BOTS ARE HAPPENING! 

For Skype for Business users, if you have been ignoring the bot notifications in your email, let me catch you up! So much of this is going to be directly relevant to SFB at some point!

  • “Bots” are artificial intelligence, in Microsoft's usage.
  • The closest I found to a definition was “conversation agents”.
  • Microsoft recently released a Bot Framework for developers and programmers.
  • This framework includes a Bot Connector service, with the goal of enabling communication with disparate platforms such as LinkedIn, Facebook, Skype, Slack, Stack and more. You get it?
  • Wand Labs seems to have something to do with bots. This company should be working with SFB for some long-term guidance, I would think. Why else is SFB not yet involved with Botsville?
  • Cortana is supposed to be a bot.
  • SFB is coming out for the Mac! Skype is too, with group chat!
  • The above may not seem related, but I think it is. The Skype release is for Android, iOS and Windows platforms. No one seems to be left out.
  • To underscore the point I made about group chat, that is what enabled the first bot to work, and it works on Skype and it works with the Mac!
  • More than 20,000 developers signed up for the Bot Framework, and now there are more than 30,000. Why? I think there is a synergy building here:

Microsoft has chosen to merge the Skype Bot Platform and the Microsoft Bot Framework

I would encourage you to read the papers I am placing in the links. I had to go through a lot of articles to see this trend about bots. It does look like a rather huge thing, looking into the future. I encourage you to tell me your thoughts on how this may play out.

Here is what was said on the MAC preview for SKYPE:

Skype Bots, a way to bring expertise, products, services and entertainment into daily messaging on Skype, are now available in preview on two additional platforms: Mac and on the Web.

 

SKYPE FOR BUSINESS has NO BOTS

Ok so now that I have detailed the exciting part, let me shut down the idea that SKYPE for Business is involved with any of this. See below from the MS blog site, confirming:

There is currently no story yet for Skype for Business. With the Microsoft Bot Framework you can build a bot that “channels” through multiple chat application like Skype, FB Messenger, KiK, Slack, Telegram etc. Skype for Business is not yet part of the available channels and no information is available when that will be available.

Some very promising statements have been made, and it looks like there is a concerted effort by Microsoft to make bots work across the entire platform and the entire industry:

“Bots are a new way to bring expertise, products, services and entertainment into daily messaging on Skype”

“Skype bots can introduce both audio and video experiences,” the company (Microsoft) said.

In fact, there have already been requests at the developer level to bring bots on board with SFB. Below is the question asked on the bot feedback website:

Any plans for Skype for Business?
Bots offer a great opportunity to the enterprise users. I would be interested in private internal bots with Skype for Business available as a conversation channel.

Conclusion

So at this point, the only thing I have proved in this article is that SFB does not work with bots. When a customer calls support, we can now tell them that Microsoft Skype for Business does not have support for bots.

I'll leave the conversation up to my readers. Do you think it will be long before SFB gets into the bot world? The more important question is, what is the hold-up? Is there something else coming that is a larger piece of the puzzle?

I hope this has raised your awareness about the BOTS and let you know we are likely going to be hit with BOT questions, until SFB finally joins the FOLD.

I do think that having SIRI on my Skype for Business Client is going to be just fine with me!!

 

Louis

Flash: The Best way to Fix your Exchange 2013/2016 Unified Messaging, UM Dial Plan, is to redeploy it. It is not as hard as it sounds.

 

Hello!! I'm Lester Tarkenson and welcome to another installment of Fun with Dial Plans. Today we will be discussing how the real professionals troubleshoot their dial plans.

What is the first thing a seasoned person does when they see a dial plan created by a customer who has never had a dial plan working before? Why, of course: they chuck it! There are many reasons for this, but I can name a few:

  • Once your gateway and hunt group are married together, changes made manually may leave objects out of sync, causing failure of the dial plan.
  • Spaces are not allowed in certain circumstances.
  • Strange characters and long object names are both possible reasons for failure in the Unified Messaging (UM from here on) setup.
  • You have to restart the UM service and the UM Call Router service after every change in UM. Trust me, this will get you at some point.

For these reasons and more, it is best to just build from the bottom up. It is very good advice, until you begin to try to take the UM apart. It fails all over the place, yet some commands do work. It quickly becomes a struggle just to get back to where you were, with no harm done.

Lets just take a deep breath and enjoy a quick Poem:

DIAL PLANS IN THE SKY
MY DIAL PLAN TASTES LIKE PIE
HUNT GROUP ON MY SLEEVE

Ok. I am deeply sorry for that. Try to recover. I know it will be hard. But, you will have a ton of time to make me a nice Haiku email, because rebuilding the Dial Plan will work instantly and you can move on with your life. so lets begin.

Remove what you can in the Exchange Admin Center

Let me say, without needing to tell any of you: make a copy of all your settings. Use screenshots, a backup, Notepad, whatever it takes, but make sure you have the settings to rebuild with!

The first thing you do is use the GUI to get as much deleted as you can.

Figure 1. Removing UM objects in the Exchange Admin Center

 

Open up the Dial plan and start with the UM Maalox Policy and the Auto Attendant. Go in and delete and remove all that you can. Whatever is left, will be for us, in the Exchange Management Shell. You can work with Maalox or the Mailbox, it is your choice!

 

Figure 2.

Getting the UM dial Plan Un Nested

This part may require some freestyle, so I am including all the UM commands in the EMS for Exchange 2016 in one small chart. I like it! See below. The goal is to get the UM objects un-nested; then you can delete them with the shell. Use your Get- commands first, then the Remove- commands where appropriate. I am going off memory at this point, so I will be improving these steps over time. Using Figures 1 and 2, go in and manually remove everything.

Figure 3. UM cmdlets in the Exchange Management Shell for Exchange 2016

Break the nesting with Exchange Management Shell

Do not run the Exchange script ExchUcUtil.ps1 at any point during this process. Once you have removed as much from the dial plan as you can using the Admin Center, move to the Exchange Management Shell and run these commands, substituting your own object names:

  • Set-UMCallRouterSettings -DialPlans $null
  • Set-UMMailboxPolicy -Identity PolicyName -UMDialPlan $null
  • Remove-UMMailboxPolicy -Identity PolicyName
  • Remove-UMHuntGroup -Identity GatewayName\HuntGroupName
  • Set-UMService -Identity ServerName -DialPlans $null
  • Set-UMMailbox -Identity UserName -UMMailboxPolicy $null
  • Remove-UMDialPlan -Identity DialPlanName

This will allow you to remove the dial plan and the gateway. If the gateway is not removed by now, remove it in the GUI.

Now that you have the dial plan and gateway removed, you are free to begin with a new dial plan. Make sure you follow a good document on setting the dial plan up.

How to Integrate the UM Dial Plan and Lync/SFB

I could not do a better job of showing you the Lync integration than Dean Suzuki. Look at his articles; there are steps for the whole integration:

And this is the end. I realize the title is a lot to live up to. However, the process is not hard, it just doesn’t have a lot of documentation out there that talks about it.

I hope you will be rebuilding your dial plans and gateways for fun and enjoyment. Don't forget to run your .\ExchUcUtil.ps1 command when you are finished. This will solidify your settings, and you will be taking UM calls after you restart the UM Call Router service and UM service on each Exchange Server 2013/2016.

Oauth For Lync and Exchange Special Considerations

Enabling Lync and Skype for Business for Integration with Exchange 2013/2016.

I want to call your attention to an issue with Lync and Exchange Open Authorization (OAuth from here forward). I have discovered a few things about OAuth that might be a topic of confusion for many.

It will be very common for most to jump right into articles such as the following.

https://technet.microsoft.com/en-us/library/jj649094(v=exchg.150).aspx

In addition, there are several modes in which you can set up OAuth. You can focus on server-to-server, cross-premises, and on-premises partner applications. This leaves open the possibility of going down all kinds of fox holes. Therefore, I am going to try to lay out the simple steps you are trying to accomplish when you do a Lync to Exchange integration.

When it comes to OAuth between Lync and Exchange, we are basically connecting two enterprise applications. We are not connecting Autodiscover, EWS and other virtual directories the way we do with an Office 365 integration. Therefore, Test-OAuthConnectivity will not work the same way.

If you have a concern or do not understand this, please compare the two articles mentioned in this paragraph. Notice that the Exchange Online integration makes use of Test-OAuthConnectivity. Notice that the Lync/Exchange OAuth article does not.

The bottom line is that Test-OAuthConnectivity is not the way to verify that Lync and Exchange are using OAuth correctly. I present below the basis for doing the Lync/Exchange integration.

The Lync/Exchange integration is a partner application authentication. What this means to me is that the two applications have objects in AD that clear the servers to talk to one another. This is independent of the IIS virtual directories. The confusion is due to Office 365 integration, or hybridization, becoming popular. The documentation is very similar, and many documents speak of OAuth and integration. Test-OAuthConnectivity -EWS is one of the common items you will see. However, you won't see it in any Lync documentation where Exchange is concerned.

I think Lync and Exchange communication is simpler than the Office 365 integration.

Here is the basic documentation for performing the SFB/Exchange integration. You don't see anything about Test-OAuthConnectivity there. However, you will see something here:

https://technet.microsoft.com/en-us/library/jj218623(v=exchg.160).aspx

Finally, some light of day. What it says is:

“For the Test-OAuthConnectivity cmdlet to succeed for other partner applications, you first need to create the partner application by using the Configure-EnterpriseApplication.ps1 script.”

Basically, you don't use the command to test OAuth if you have not generated the partner applications. Once you have created the partner applications, you won't need Test-OAuthConnectivity, because for OAuth to work, the enterprise applications must be created successfully. They won't be created broken.

So... this leaves us with no way to test. Well, that is not exactly true.

Pre-Integration testing of Lync and Exchange

Before you begin the procedure for Lync and Exchange to integrate, all you need to do is set the OAuth certificate on both the Exchange and SFB servers. Each side then publishes a URL that becomes active once the certificates have been set correctly and the virtual directories are operational. These two URLs are your evidence that the configuration is succeeding, going into the OAuth integration.

They are https://autodiscover.domain.com/autodiscover/metadata/json/1 (Exchange)

and https://LyncFQDN.domain.com/metadata/json/1 (the Lync/SFB pool FQDN; there is no autodiscover path on the Lync side).

These URLs are literal substitutions for use by the opposing servers. You can see on the Lync side that the Lync application looks to the Exchange URL as the direct source of the JSON metadata it needs in order to trust Exchange's tokens:

(Screenshot 1: the partner application command on the Lync side)

 

Remember, the URL must work before you use it in a command. Now the second enterprise application, from Exchange to Lync:

 

(Screenshot 2: the enterprise application command on the Exchange side)

I have some other articles on OAuth which you may find helpful. Please stay awhile and look around:

The last link above really goes into the elements of a full setup. But the goal is to get to steps 13 and 14, which is getting the JSON URLs working. Once those work you can execute your enterprise application commands, like the screenshots above, or the steps I provide at the end of the article. However, you must first verify that the URL for your OAuth metadata is working. Just put it into a browser as follows:

(Screenshot 4: the metadata URL opened in a browser)
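Here is the same check done from a script rather than a browser, for both servers at once. This is an added example, not from the original post and not Microsoft tooling; the two host names are placeholders for your Autodiscover name and SFB pool FQDN, and the script assumes nothing about the metadata document beyond it being a JSON object. The 404 interpretation comes from the patch-mismatch case described at the end of this post.

```python
"""Fetch the OAuth metadata documents published by Exchange and Skype for
Business and say whether each one is usable before the partner-application
commands are run.  Added example, not from the original post."""
import json
import ssl
import sys
import urllib.error
import urllib.request

# Assumption: replace with your Exchange Autodiscover name and SFB pool FQDN.
METADATA_URLS = [
    "https://autodiscover.domain.com/autodiscover/metadata/json/1",
    "https://lyncpool.domain.com/metadata/json/1",
]


def interpret(status, body):
    """Turn an HTTP status and body into a verdict string starting with
    'ok' or 'fail'.  A 404 on the Exchange side is the symptom of a wrong
    Autodiscover virtual-directory physical path (see the fix at the end)."""
    if status == 404:
        return "fail: 404, check the Autodiscover vdir physical path in IIS"
    if status != 200:
        return f"fail: HTTP {status}, endpoint reachable but not serving metadata"
    try:
        doc = json.loads(body)
    except ValueError:
        return "fail: 200 but the body is not JSON"
    if not isinstance(doc, dict) or not doc:
        return "fail: 200 but the JSON document is empty"
    return "ok: keys " + ", ".join(sorted(doc))


def fetch(url, timeout=10):
    """GET the URL with certificate verification left on: the partner server
    fetches this over HTTPS too, so a web certificate it would not trust
    (wrong name, untrusted chain) fails here first."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:            # 4xx/5xx still carry a status
        return e.code, e.read()
    except (urllib.error.URLError, OSError) as e:  # DNS, TLS, connection errors
        return None, str(e).encode()


def check_all(urls):
    """Return {url: verdict} for every metadata URL."""
    results = {}
    for url in urls:
        status, body = fetch(url)
        if status is None:
            results[url] = "fail: unreachable, " + body.decode(errors="replace")
        else:
            results[url] = interpret(status, body)
    return results


if __name__ == "__main__":
    for url, verdict in check_all(sys.argv[1:] or METADATA_URLS).items():
        print(f"{url}\n  {verdict}")
```

Run it from a machine that trusts the same certificate chain the partner server does; a TLS failure here is a real finding, not noise, because the partner application fetch will fail the same way.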

Finally, run your command on the Exchange and Lync or Skype for Business servers:

Exchange

As long as you stay with configure or remove, you won't need anything else. Back out of the configuration with remove and start over with configure if you made any mistake.

Skype For Business

With Skype for business, there are a few eventualities, but essentially as long as the commands succeed, you will be in business.

 

One Last Thing

One last thing. If for some reason you find that the Exchange or Lync OAuth metadata does not work when you open the JSON URL, the consensus is that the only thing you can really do to repair it (it should never be broken; perhaps you need to re-issue the OAuth certificate) is to repair the virtual directories. I have a friend who is an Exchange engineer with a great blog where this is laid out. John Alec Dixon is a better Exchange engineer than I ever was a Lync engineer. He found the issue: the front-end virtual directory path. It is not something we cross-check often, and yes, it can be incorrect.

In addition, you should check this article out if you need to repair your virtual directories:

https://ashdrewness.wordpress.com/2014/09/10/troubleshooting-issues-with-client-access-servers/

Finally, the one point which provoked this article. I had one case where the OAuth URL did not work, and none of the above was applicable to fixing it. This turned out to be a simple patch mismatch. There is no warning or event that will tell you this; you just get a 404 in the browser. The fix:

a. Launch IIS Manager
b. Expand Default Web Site
c. Select the Autodiscover virtual directory
d. Click Advanced Settings under Manage Application
e. Change the physical path to:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\Autodiscover

 

I hope this helps

 

Louis