Solved

Stupid DNS question...

Posted on 2002-07-09
48
211 Views
Last Modified: 2010-04-13
I'll admit it, I know very little about DNS, I'm a DNS moron. I've always lucked out and had another guy on the team (usually a UNIX guy) who has taken care of DNS related issues. Well I don't have that luxury now, and I'm too lazy to look it up myself so I need some help!

I recently put up a 2k domain controller that is running DHCP, DNS, and a few other services. This machine has two NICs in it, with the external access NIC being configured to use our ISP's DNS entries.

Before this server went up, every machine (workstation) here had a public IP address and was able to successfully resolve our POP server address which is hosted offsite: mail.ourdomain.com. Ever since I put our 2k DNS box up, mail.ourdomain.com is unreachable so I've had to resort to using the POP server's IP address.

How do I fix this and what exactly has happened here?
Question by:Gabe_Rivera
48 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 7141143
If all they are using DNS for is accessing a single site then you can use the hosts file and push it out in a login script.

To fix the DNS, you should see:

From: Housenet    Date: 04/03/2001 05:08AM PST NAT port 25 SMTP not working - all else OK
                 -Let's go through your NAT setup & find the problem.
                 -2 NICs correct?
                 -Did you enable special ports or address assignment? (don't).
                 -DHCP server installed? Pass options to client 003,006,015,044,046. Specify the inside IP of the server
                 for everything. If it's a DC specify the FQDN of the 2000 domain (not the internet domain in the DHCP domain option).
                 -Again if it's a DC the forward lookup zone for the LAN should be the only zone listed & bound to the
                 inside IP of the server (unless you're hosting internet zones).
                 -The root zone on the DNS server must be deleted & the forwarders option must be used (enter the ISP's DNS in
                 forwarders), & don't mess with the root hints.
                 -On the server & all clients TCP/IP properties should be pointing only to the inside IP of the server.

                 -Is it a DC, & can you confirm any of what I'm asking here?


Also see

 http://www.microsoft.com/windows2000/docs/w2kdns.doc

I hope this helps !

LVL 17

Expert Comment

by:mikecr
ID: 7141168
Are you saying that you're running a DNS server on this machine? If you are, go into DNS and configure your zone for your company, or make one up, and make sure you delete the (.) or root zone. Then right click on the server, choose Properties, go into the Forwarders tab and put the ISP's entries in there. Then make sure that your clients get the IP address of your DNS server assigned to them and they will be all set. What your server can't resolve it will pass to your ISP. Take the ISP's entries off of the other NIC unless you absolutely need them.
LVL 16

Expert Comment

by:GUEEN
ID: 7141187
Is your internal NIC the first bound adapter (and not the external NIC)?
From DNS manager | interfaces tab
stop it from binding to external NIC here
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7143770
Shekerra, my public interface was listed before the private NIC in the interface section. I removed the public interface NIC altogether, and sure enough I could resolve the address that previously couldn't be resolved. However, none of my client machines can resolve the address? Shed some light here for me? Has the DNS update not gone through yet or something?
LVL 17

Expert Comment

by:mikecr
ID: 7143998
Are your clients using your DNS server to resolve names?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144004
Yes. All clients are pointing to the DNS box's internal NIC... or I should say that is the address they're getting from DHCP.
LVL 17

Expert Comment

by:mikecr
ID: 7144087
If you do an nslookup on an external site, what do you get? Does it time out trying to resolve the name or do you get an error message from your DNS server?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144205
If I ping mail.mydomain.com from the DNS server, it resolves the IP of the offsite mail server that serves our POP mail. If I ping mail.mydomain.com from a workstation, I get the following.


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\grivera>nslookup mail.sammonsgroup.com
Server:  atlas.sammonsgroup.com
Address:  192.168.0.2

*** atlas.sammonsgroup.com can't find mail.sammonsgroup.com: Non-existent domain


C:\Documents and Settings\grivera>ping mail.sammonsgroup.com
Ping request could not find host mail.sammonsgroup.com. Please check the name and try again.

C:\Documents and Settings\grivera>nslookup mail.mydomain.com
Server:  atlas.mydomain.com
Address:  192.168.0.2

*** atlas.mydomain.com can't find mail.mydomain.com: Non-existent domain


C:\Documents and Settings\grivera>
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144210
Whoops, I meant to change the domain names in all of it, hit send message on accident! =)
LVL 16

Expert Comment

by:GUEEN
ID: 7144273
Did you ipconfig /flushdns on the computers?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144280
No, I hadn't done that, but I just did and I am still where I started.
LVL 16

Expert Comment

by:GUEEN
ID: 7144302
What is in your event logs in relation to DNS?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144319
There are about 5 or 6 entries from today, and they all say this:

DNS Server has updated its own host (A) records.  In order to insure that its DS-integrated peer DNS servers are able to replicate with it, they have been updated with the new records through dynamic update.
--------------------------------

LVL 16

Expert Comment

by:GUEEN
ID: 7144333
backtracking here:
So you are now set up to point to internal DNS only for resolution, and is forwarding (of other requests to the ISP on the external server) configured on the DNS server, as well as the PTR records?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144344
Umm, no idea what a PTR record is. But if I understand the rest of your question correctly, yes:

All clients are set up for DHCP, so they're handed the IP of my DNS server for DNS resolution. I set up forwarders on the DNS box which point to my ISP's DNS boxes.
LVL 16

Expert Comment

by:GUEEN
ID: 7144346
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144356
No 6702's in a long time. All I have recently are 6701's.
LVL 16

Expert Comment

by:GUEEN
ID: 7144362
PTR is a pointer to record(s) for reverse lookup
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q289583

LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144384
Bumping up the point reward for this since it's taking up so much time. I appreciate the help very much, by the way.

Ok well I went and checked the settings on the DHCP server as that article suggested and it is set up the way it should be. It is set to automatically update DHCP client information in DNS, the radio button for "Always update DNS" is selected, and so is "Enable updates for DNS clients that do not support dynamic updates".

No clue what the heck is going on here!!
LVL 16

Expert Comment

by:GUEEN
ID: 7144419
Is SMTP the only problem? Do you use Exchange (how is your mail set up?)
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144447
Well right now our mail is POP based and it's hosted off site. Within the next 6 weeks I'll be throwing an Exchange server up, which will also be on this DNS box in question.
LVL 17

Expert Comment

by:mikecr
ID: 7144490
Try changing the DNS server to look at itself for name resolution instead of the ISP. Then go into DNS and on the Forwarders tab, add the ISP's DNS entries there. Let us know what happens.
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7144560
Ummm, I thought this was how I was already set up??

IP properties, my server's internal NIC is pointing to itself for DNS resolution and I have my ISP's DNS entries set in the IP forwarding section.
LVL 17

Expert Comment

by:mikecr
ID: 7145730
Okay, now that you have verified this, make sure that the DNS address the workstations are getting to resolve names is that server. Try to go to a website and let us know what happens. Oh, how are your clients getting onto the internet? Are they being NATed through the Windows 2000 machine or through a router?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7145992
All of the clients can get to any website, that was never a problem to begin with. The problem is they (the client workstations) can't resolve mail.mydomain.com but the server can!

The DNS server is also acting as a router, that is how they are getting out to the Internet.
LVL 17

Expert Comment

by:mikecr
ID: 7146791
Okay, sorry about that. Now, do you have an MX record in DNS for your mail server?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7146937
No, I have no MX records.
LVL 17

Expert Comment

by:mikecr
ID: 7146944
Do you have any DNS resource records in your zone that point to mail.ourdomain.com? Can you ping mail.ourdomain.com from any of the workstations and does it resolve to the correct IP address?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7146947
No, I don't have any resource records in my zone that point to mail.mydomain.com.

And once again, I can ping mail.mydomain.com from the server and it resolves the correct IP address, I can not do this from ANY of the workstations though.
LVL 17

Expert Comment

by:mikecr
ID: 7146975
Wow, this is extremely strange. Do an nslookup on the mail server from a problem workstation and post the results here. Let's see who they are actually looking at to resolve names. You don't happen to have a hosts file on the server for any reason, do you?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7146995
No host files.

C:\Documents and Settings\grivera>nslookup mail.mydomain.com
Server:  atlas.mydomain.com
Address:  192.168.0.2

*** atlas.mydomain.com can't find mail.mydomain.com: Non-existent domain
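The "Non-existent domain" answer in the nslookup output above is what an authoritative server gives when it holds the zone but not the host: it answers from its own zone data and never forwards a name inside that zone, while the server itself could still resolve the name through the ISP's DNS configured on its external NIC. The model below is an added example, not code from the thread; it replays that rule together with the root-zone (".") pitfall SysExpert and mikecr raised earlier, assumes (as the output suggests) that the internal zone carries the same name as the public domain, and uses constructed names and addresses throughout.

```python
"""Model of how a Windows 2000 DNS server decides to answer a query (added
example, not from the thread). Zones map zone name -> {host: IP}; every name
and address below is constructed."""
from typing import Dict, List

NXDOMAIN = "NXDOMAIN (Non-existent domain)"

def in_zone(name: str, zone: str) -> bool:
    """True when `name` lies under `zone` (mail.example.com is in example.com)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def resolve(name: str, zones: Dict[str, Dict[str, str]], forwarders: List[str],
            has_root_zone: bool, isp: Dict[str, str]) -> str:
    """Return the answer the server would give for `name`."""
    key = name.lower().rstrip(".")
    # 1. Authoritative data wins: the server answers from its own zone and never
    #    forwards, so a host missing from that zone is a hard NXDOMAIN.
    for zone, records in zones.items():
        if in_zone(key, zone):
            return records.get(key, NXDOMAIN)
    # 2. A local "." zone makes the server believe it *is* the root, so nothing
    #    outside its own zones resolves, whether or not forwarders are set.
    if has_root_zone:
        return NXDOMAIN
    # 3. Otherwise the query is forwarded; the ISP resolver is a stub table here.
    if forwarders:
        return isp.get(key, NXDOMAIN)
    return "SERVFAIL (no forwarders; root-hint recursion not modelled)"

def thread_scenarios() -> Dict[str, str]:
    """Replay the thread: internal AD zone carries the same name as the public domain."""
    isp = {"mail.example.com": "203.0.113.25", "www.example.net": "198.51.100.7"}
    internal = {"example.com": {"atlas.example.com": "192.168.0.2"}}  # only the DC
    fwd = ["198.51.100.53"]  # constructed ISP forwarder address
    out = {
        "as_posted_mail": resolve("mail.example.com", internal, fwd, False, isp),
        "as_posted_web": resolve("www.example.net", internal, fwd, False, isp),
        "root_zone_web": resolve("www.example.net", internal, fwd, True, isp),
    }
    # Fix for this layout: add the public host's A record to the internal zone.
    fixed = {"example.com": {**internal["example.com"], "mail.example.com": "203.0.113.25"}}
    out["fixed_mail"] = resolve("mail.example.com", fixed, fwd, False, isp)
    return out

if __name__ == "__main__":
    for case, answer in thread_scenarios().items():
        print(f"{case:15} -> {answer}")
```

The "as_posted" pair reproduces the symptom in the thread (web sites resolve through the forwarders, the mail host does not), and "root_zone_web" shows why a leftover "." zone breaks even the forwarded lookups.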
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7147043
There is definitely something that is screwed up. On the Monitoring tab in the DNS section, if you run the simple query and recursive queries against the DNS server, they both come back as failed.

I don't understand how this can be so screwed up and yet still work like a champ.
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7147084
Ok, another update for you.

I got frustrated and just deleted the forward lookup zone and reverse lookup zones. I created a new one of each... now the clients can resolve the mail.mydomain.com address!?! I am still failing the query and recursion tests though, not sure why.

LVL 17

Expert Comment

by:mikecr
ID: 7147094
Did you restart the DNS service on the server? Also, do an ipconfig /flushdns on the server as well. If you don't flush the DNS cache before you do that it will cause it to fail also.
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7147194
Yep, restarted the service just now, flushed the DNS and still getting the fail results.
LVL 17

Expert Comment

by:mikecr
ID: 7147230
Okay, here's some helpful information.

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q258263

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q303811

Check event viewer and see if there are any errors. Also, do you have a firewall of some kind in front of this box?
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7147236
This box is also an ISA server, so yes.
LVL 17

Expert Comment

by:mikecr
ID: 7148753
Stop the Firewall service and tell me if it works then. Are you proxying requests for the internet? If you are, the DNS forwarder is trying to resolve a request to the internet and the request is being proxied, so the firewall is denying it because it is not coming from the same IP that it was requested on. See if stopping that service solves the problem. If it does, I believe I might know a workaround.
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7149300
Yeah, I'm using ISA out of the box so we're using both firewall and proxy services. I stopped the firewall service, ran the tests and they failed once again. I checked both MS articles you submitted and still no luck.
LVL 16

Expert Comment

by:GUEEN
ID: 7149474
Do you have service pack 2 installed on the server?
LVL 16

Expert Comment

by:GUEEN
ID: 7149490
Also, instead of using the DNS tool directly from Administrative Tools, open up your MMC, add the DNS snap-in there and test from there.
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7149546
Yes, service pack 2 is installed.

Running the DNS snap-in from the MMC is one of the things listed in a previously suggested MS article; it makes no difference.

What I don't understand is I have another server I just brought online, configured DNS and it runs like a champ... even the tests work properly. I see no difference in the way my problematic server and the server that works are configured. The only difference is the problematic server has two NICs and is running SBS 2000 and is also acting as a router.
LVL 17

Expert Comment

by:mikecr
ID: 7149593
At this point I would probably uninstall the DNS service, delete the zone files, then reinstall the DNS service and recreate any zones and see if that fixes the problem. Just make sure that you point the domain controller to the new DNS server.
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7149598
What do you mean point the domain controller to the new DNS server? This box is the domain controller!
LVL 17

Accepted Solution

by:
mikecr earned 175 total points
ID: 7149670
If you created another DNS server and it is working fine, and you have the domain's zone located on it, point the domain controller to the new server for DNS resolution while you remove and reinstall the DNS service. You may want to change your DHCP to pass the new DNS server also. This way clients can do name resolution while you're working on this other DNS issue.
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7149680
Good deal, thanks for the input. I'll give this a shot and get back to you with the results.
LVL 1

Author Comment

by:Gabe_Rivera
ID: 7157432
I ended up trashing all of these servers, blowing away ISA and everything. I'm going to start over from scratch, but I appreciate everyone's help.
LVL 17

Expert Comment

by:mikecr
ID: 7157444
No problem, if you run into any more issues, let us know. Oh, by the way, don't put DNS on the box running ISA server. It's a real pain configuring rules for DNS updates.