We have a Windows 2003 Active Directory domain called 'domain.com', which also happens to be the domain name of our website. Recently we switched to using our AD servers as our DNS servers but have run into a little snag. Boxes that were using their own SMTP servers now cannot send out mail because AD doesn't contain a DNS record according to 'dig':
[user@hostname]$ dig MX domain.com
; <<>> DiG 9.4.2-P2 <<>> MX domain.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41859
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;domain.com. IN MX
;; AUTHORITY SECTION:
domain.com. 3600 IN SOA win2003adserver.domain.com. hostmaster.domain.com. 6168 900 600 86400 3600
;; Query time: 3 msec
;; SERVER: 10.10.10.27#53(10.10.10.27)
;; WHEN: Mon Jul 27 12:42:44 2009
;; MSG SIZE rcvd: 98
So what it's trying to do is, since there is no valid MX record, send mail through the primary AD server which isn't running SMTP. I should get back an MX record for mail.domain.com with a valid IP for the mail server.
What is the proper way to add an MX record in this situation? According to our Windows admin there is an MX record in the DNS for AD, but according to the above it's not relaying it to anyone.
Solution
In this case the AD servers were doing exactly what they were told to do as there was no MX record entered for 'domain.com' that pointed to our mail server (Our AD Admin had entered in an MX record for the subdomain of 'mail.domain.com' instead of 'domain.com' as he didn't read the instructions on the screen for entering a new MX record).
I deleted the MX record and added a new one correctly and everything started working.
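The dig output in the question and the mistake described in the Solution can both be recognised mechanically. The following Python script is an added example, not code from the thread: it parses dig output, spots the NOERROR-with-zero-answers ("NODATA") reply that an authoritative server returns when the zone exists but has no MX at that owner name, and reports whether the MX was instead entered under a subdomain. The first sample is the output quoted in the question; the other two samples (an MX sitting under mail.domain.com, and the apex after the fix) are constructed to match what the Solution describes and are assumptions, not captured output.

```python
"""Parse dig output and classify an MX lookup result (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample 1: the output quoted in the question (zone apex, no MX).
DIG_APEX_NODATA = """\
; <<>> DiG 9.4.2-P2 <<>> MX domain.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41859
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;domain.com.            IN      MX
;; AUTHORITY SECTION:
domain.com. 3600 IN SOA win2003adserver.domain.com. hostmaster.domain.com. 6168 900 600 86400 3600
"""

# Constructed sample 2 (assumed): the mistaken record from the Solution, an MX
# entered under mail.domain.com instead of the zone apex.
DIG_SUBDOMAIN_MX = """\
; <<>> DiG 9.4.2-P2 <<>> MX mail.domain.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41860
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.domain.com.       IN      MX
;; ANSWER SECTION:
mail.domain.com.        3600    IN      MX      10 mail.domain.com.
"""

# Constructed sample 3 (assumed): the apex after the record was re-entered correctly.
DIG_APEX_FIXED = """\
; <<>> DiG 9.4.2-P2 <<>> MX domain.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41861
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;domain.com.            IN      MX
;; ANSWER SECTION:
domain.com.             3600    IN      MX      10 mail.domain.com.
"""

@dataclass
class DigResult:
    qname: str
    qtype: str
    status: str
    authoritative: bool                      # "aa" flag set in the reply
    answers: List[Tuple[str, int, str, str]] = field(default_factory=list)
    soa_in_authority: bool = False

def parse_dig(text: str) -> DigResult:
    """Pull status, aa flag, question, ANSWER and AUTHORITY records out of dig output."""
    status = re.search(r"status:\s*([A-Z]+)", text).group(1)
    flags = re.search(r"flags:([^;]*);", text)
    aa = bool(flags and "aa" in flags.group(1).split())
    qname = qtype = ""
    answers, soa, section = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; QUESTION SECTION"):
            section = "question"
        elif line.startswith(";; ANSWER SECTION"):
            section = "answer"
        elif line.startswith(";; AUTHORITY SECTION"):
            section = "authority"
        elif line.startswith(";; ADDITIONAL SECTION"):
            section = "additional"
        elif section == "question" and line.startswith(";"):
            parts = line[1:].split()
            qname, qtype = parts[0].rstrip("."), parts[-1]
        elif section in ("answer", "authority") and line and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            if section == "answer":
                answers.append((owner.rstrip("."), int(ttl), rtype, rdata))
            elif rtype == "SOA":
                soa = True
    return DigResult(qname, qtype, status, aa, answers, soa)

def mx_targets(res: DigResult) -> List[Tuple[int, str]]:
    """MX records from the ANSWER section as (preference, exchange), lowest preference first."""
    out = []
    for _owner, _ttl, rtype, rdata in res.answers:
        if rtype == "MX":
            pref, exch = rdata.split()
            out.append((int(pref), exch.rstrip(".")))
    return sorted(out)

def diagnose(apex: DigResult, subdomain: Optional[DigResult] = None) -> str:
    """Classify what an SMTP sender will do with the apex MX lookup."""
    if apex.status != "NOERROR":
        return apex.status                       # e.g. NXDOMAIN: the name does not exist
    if mx_targets(apex):
        return "MX_OK"
    # NOERROR, zero answers and an SOA in AUTHORITY from an authoritative server is a
    # NODATA reply: the zone is there but has no MX at this owner.  Per RFC 5321 the
    # sender then treats the domain's own A/AAAA record as an implicit MX, which is why
    # mail in the question ended up at the AD server instead of the mail server.
    if apex.authoritative and apex.soa_in_authority:
        if subdomain is not None and mx_targets(subdomain):
            return "MX_WRONG_OWNER"              # record exists, but under the wrong name
        return "NODATA_IMPLICIT_MX"
    return "NO_ANSWER"

if __name__ == "__main__":
    apex, sub, fixed = map(parse_dig, (DIG_APEX_NODATA, DIG_SUBDOMAIN_MX, DIG_APEX_FIXED))
    print(diagnose(apex))                       # NODATA_IMPLICIT_MX
    print(diagnose(apex, sub))                  # MX_WRONG_OWNER
    print(diagnose(fixed), mx_targets(fixed))   # MX_OK [(10, 'mail.domain.com')]
```

To use it against a live zone, feed the text of `dig MX domain.com` into `parse_dig` and, if it reports NODATA, also query the host you expected the record to live under; an MX answer there and none at the apex is exactly the wrong-owner mistake the Solution describes.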
Per your "dig" above there isn't an MX record in your AD DNS servers for "domain.com".
Talk to your "Windows admin" again and be sure they understand what you're asking for. If they've added the record but it's still not "showing up" they need to double-check that AD replication (I'm going out on a limb and assuming that the DNS zone is "AD integrated") is working properly to the DNS server computers.
The "proper way" to add the MX record is through either the "DNS Management" snap-in or from one of the various command-line tools that can manipulate the Microsoft DNS server.
(This is yet another example of why naming your AD domain the same as a valid Internet domain name is not a good idea.)
I'm not that big of a fan when it comes to administering DNS via the Windows GUI. Aside from conventional A records, CNAME aliases and the integration with AD, the rest could use some improvement.
Anyhow, to answer your original question, I have run into this before. You are having a split DNS situation. The problem is your domain is probably registered with an enterprise root NS. When querying a record it will check there first. Just out of curiosity, are the machines using the same DNS servers for name resolution or another source?
One option is to leave the split DNS as is and set up the MX record on the root NS. If you have access to the root NS, and if it's Linux by any chance, you can edit the named.conf and specify the authoritative DNS server to respond to queries for this domain.
You can also set up a shadow subdomain such as [email protected]
Let me know how things work out.
Check to see if you are running a split-brain DNS. Basically, the DNS servers you are querying are authoritative for the DNS domain, but not the servers that are running the AD DNS. It's likely that when you decided to simplify your Active Directory DNS structure the admins left one set of DNS servers for external purposes and another for internal, and did not set up replication between them.