Wednesday, April 25, 2012

Exchange 2010 Error 451 4.4.0 Error DNS Query Failed

When logging on to the Exchange Server and looking at the Outbound queues, we noticed mail for only a particular domain being held with the 451 4.4.0 Error DNS Query Failed error. Other symptoms:

1. The nslookup command run on the Exchange server could resolve the domain, proving the internal DNS server was normal.
2. After obtaining the MX record from who.is, the nslookup command resolved the mail server’s IPv4 address, proving the receiver’s mail server was resolvable.
3. A telnet session to the MX record successfully contacted the suspected domain’s mail server on port 25.
4. Internal email delivery was functioning.
5. All other external mail delivery was functioning.

Now we’re down to Exchange itself, since everything DNS related on the server is working correctly. This is the current fix we use:

Step 1: Configure an External DNS server
1. Click Server Configuration
2. Right-click the server and choose Properties
3. Click the External DNS Lookup tab
     1. Choose Use these DNS servers
     2. Add the DNS Server IPv4 address
     3. Click Apply

Step 2: Configure the Hub Transport to use the External DNS for external domains.
1. Click on the Hub Transport of Organization Configuration
2. Choose Send Connectors
3. Right-click the connector and choose Properties
4. Click the Network tab
5. Check the Use External DNS Lookup… box

After the configuration, restart the Transport service. The queue should empty immediately.
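
The same two steps from the Exchange Management Shell, with a queue check before and after. This is an added example, not part of the original post; the server name, connector name and DNS address are placeholders to replace with your own.

```powershell
# Added example. Run in the Exchange Management Shell on the Hub Transport server.
# Placeholders (assumptions, not from the post):
$server    = 'EXCH01'                    # Hub Transport server name
$connector = 'Internet Send Connector'   # Send connector used for external mail
$dns       = '192.0.2.53'                # external resolver you trust (documentation address)

# Before: show the queues that are held with the DNS error.
Get-Queue -Server $server |
    Where-Object { $_.LastError -like '*451 4.4.0*' } |
    Format-Table Identity, NextHopDomain, MessageCount, LastError -AutoSize

# Step 1: use an explicit server list for external lookups
# instead of the DNS settings of a network adapter.
Set-TransportServer -Identity $server `
    -ExternalDNSAdapterEnabled $false `
    -ExternalDNSServers $dns

# Step 2: make the Send connector use the external DNS lookup configuration.
Set-SendConnector -Identity $connector -UseExternalDNSServersEnabled $true

# Confirm what was written before restarting anything.
Get-TransportServer -Identity $server |
    Format-List Name, ExternalDNSAdapterEnabled, ExternalDNSServers
Get-SendConnector -Identity $connector |
    Format-List Name, UseExternalDNSServersEnabled

# Restart the Transport service so the new lookup settings are picked up.
Restart-Service MSExchangeTransport

# After: any queue still holding mail, with its last error.
Get-Queue -Server $server |
    Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, Status, MessageCount, LastError -AutoSize
```

Every outbound MX lookup on that connector now depends on the resolver you entered, so pick one you control or trust and allow the server to reach it on port 53 only.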



Monday, April 23, 2012

Test your SMTP Mail Server (MX)

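Administrators usually test and verify mail functionality from the command prompt. If you are not comfortable with the command prompt, you can try the tool below, which gives the same verification and testing results.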

Test your SMTP Mail Server (MX)
https://www.wormly.com/test_smtp_server

#550 4.4.7 QUEUE.Expired; message expired

The bounce message the user received reads as follows:

#550 4.4.7 QUEUE.Expired; message expired

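This error may occur because the mail domain has been blacklisted or because of a reverse DNS lookup problem. Use the tools below to identify the issue, and ask your ISP for help with troubleshooting.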

Blacklist Check
http://whatismyipaddress.com/blacklist-check

MX Lookup tool
http://www.mxtoolbox.com/

Lync Server 2010 Control panel not loading (Navigation to the webpage was canceled)

1. Check the Lync pool A record and SRV record (_sipinternaltls) in DNS.
2. Go to Internet Information Services (IIS) Manager and click Edit Bindings on the Lync Server Internal Web Site.
   Select the SSL certificate and click OK.
   Restart/Start IIS.

Sunday, April 22, 2012

Windows to go

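Install the Windows 7 WAIK tools and follow the commands below to build Windows To Go step by step.

Start the Deployment Tools Command Prompt with Run As so that the operator has the permissions needed for the following steps.

Use the DiskPart command to set up the USB drive as a hard disk.
Next, package the system files and extract them onto the USB drive.
After the OS has been packaged and extracted, set the USB drive as a bootable disk.

That completes the Windows To Go setup; you can now boot from the drive to test it.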

Friday, April 13, 2012

This slide couldn't be downloaded. Please contact...., Error reason: Name not resolved

Other features (A/V conferencing, desktop sharing, whiteboard) still work. When two external clients (on different LANs) try to share a PPT slide, the sender sees a notification that the upload succeeded and can see the slide, but the other client gets an error:

"This slide couldn't be downloaded. Please contact...., Error reason: Name not resolved"

I've resolved my problem by doing these steps:
1. Set the right permissions on the share folder on the front end.
2. Reconfigure the DNS record for external-web (you can get its name from Topology Builder).
3. Open the required ports.

Friday, April 6, 2012

Lync External Web Services without Reverse Proxy

While working on a Lync deployment for a small customer, it came up during the planning stages that they didn't have a reverse proxy server (like ISA/TMG) to publish the Meet/Dialin simple URLs and web components URL, nor were they planning to. In the past, I had tried to make OCS work without a reverse proxy, but some things just didn't work right. After advising them about the risks involved with opening up an internal domain-joined computer to the Internet, I told them I would try to make Lync work without a reverse proxy, but cautioned that it may not work.


During Lync installation, it creates two web sites: Lync Server Internal Web Site and Lync Server External Web Site. As the names suggest, each website is configured for either internal or external access. The internal site is published on ports 80/443, while the external site is published on 8080/4443. Microsoft's documentation says you should use a reverse proxy server to publish the external simple URLs and web components URL and redirect ports 80/443 from the web to the internal Lync server over 8080/4443.

After a few unsuccessful tries at making their firewall proxy 80/443 to 8080/4443, I thought I would try to configure their front-end server with an additional IP address, and set up the Lync Server External Web Site with 80/443 on the new IP address. We updated the firewall rules to redirect 80/443 from the simple URL and web components URL external IP addresses to the new internal IP address over 80/443. We tested external client address book downloading, meeting/dialin URL access, and meeting content downloading. All worked without issue.

Before going the route of adding a new IP address, try to make your firewall redirect 80/443 to 8080/4443. If it works, then you don't have to create the new IP. Please note, if you add any additional components, like the Lync Mobility Service, you may have to reset the ports because it seems that the setup process resets the ports back to 8080/4443.

Microsoft Lync Server Public IM Connectivity Provisioning

Although the Microsoft Lync PIM service is currently free, you still need to submit a request at the site below if you want this integration service.

Microsoft Lync Server Public IM Connectivity Provisioning
https://pic.lync.com/provision/Logon/Logon.aspx?rret=https%3a%2f%2fpic.lync.com%2fprovision%2fAgreementNumber.aspx

Ignore Offline CRL Errors on the CA

Normally, a Windows Server 2003 CA will always check revocation on all certificates in the PKI hierarchy (except the root CA certificate) before issuing an end-entity certificate.

You have imported the CA root to the Lync Edge server, and you can see the details in the certificate store under Trusted Root CA.
You generated the certificate for the internal interface, had it signed, and then assigned it. You got the error message

There are two ways to resolve this error:
- Recommended: Modify your CA configuration to include an HTTP CRL publishing point, publish the CRL to this location, and request a new certificate for the internal Lync server with this new CRL location. Make sure that the Edge server can download the CRL from this location.

- Disable CRL checking on the Edge server. By doing this, you configure the system to no longer check CRLs for certificate revocation. While this is not a recommended practice from a security perspective, it will work.

Or you can try disabling it in the IE advanced properties (the "Check for publisher's certificate revocation" option), reboot the server, and see if it has any effect on Lync.

Another way to disable this feature is to use the following command on the CA and then restart the CA service:
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
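
A check for the recommended option, as an added example that is not part of the original post: run on the Edge server, it lists the HTTP CRL distribution points in the issued certificate and tries to download each one. The certificate path is a placeholder for wherever you exported the internal-interface certificate.

```powershell
# Added example. $CertPath is a placeholder (assumption), not a path from the post.
param([string]$CertPath = 'C:\temp\edge-internal.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 is the CRL Distribution Points (CDP) extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'Certificate has no CDP extension; revocation cannot be checked.'
    return
}

# Format($true) renders the extension as text with one "URL=..." line per location.
# Only http/https locations are kept.
$httpUrls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
            ForEach-Object { $_.Groups[1].Value } |
            Select-Object -Unique

if (-not $httpUrls) {
    Write-Warning 'No HTTP CDP in this certificate. Add an HTTP publishing point on the CA and reissue.'
    return
}

# Try to fetch each CRL the same way a revocation check would need to.
foreach ($url in $httpUrls) {
    try {
        $bytes = (New-Object System.Net.WebClient).DownloadData($url)
        '{0}  OK ({1} bytes)' -f $url, $bytes.Length
    } catch {
        '{0}  FAILED: {1}' -f $url, $_.Exception.Message
    }
}

# Let Windows build the chain and fetch revocation data with its own logic.
certutil -verify -urlfetch $CertPath

# Once the CRL downloads cleanly, the workaround flag can be removed on the CA
# (then restart the CA service):
#   certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
```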

Wednesday, April 4, 2012

INSUFF_ACCESS_RIGHTS Error

In the Lync Control Panel management interface, adding a new user account produces the following error message:
“Insufficient access rights to perform the operation 00002098: SecErr:DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”

Solution:
You have to go to Active Directory Users and Computers (with Advanced Features turned on in the View menu), then go to Properties on the user that you can't enable on Lync, and in the Security tab, click on Advanced. Then check "Include Inheritable Permissions from this object’s parent", accept, and the problem will be instantly solved.
