Forward and reverse lookup zones on win2k server with external firewall

AmberJ asked:
Last Modified: 2010-04-11
Howdy -- can someone explain this setup to me?

Got a forward lookup zone ip address of the host DNS server w/ IP address of 192.168.1.2

Reverse lookup zone pointer to DNS server is 192.168.1.1

Clients resolve to DNS server 192.168.1.1

Firewall resolves at 192.168.1.1:xx

All of the clients (on winxp) except one (on win2K) take up to 3 minutes to log in...I've read that this is most often a DNS problem which happens when the DNS server isn't pointed to itself.

Now, the DNS server ISN'T pointed to itself in the reverse lookup zone, but if I change it to point at itself, will the firewall (which handles DHCP) still be able to lease IP addresses to the clients?   And how do I figure out if our Win2k server (DNS server) is actually 192.168.1.1 or 192.168.1.2?  

John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
It is also important to set up your DHCP server (in this case the firewall) to hand out the address of the W2K server to the clients so that they can find the Active Directory information they need.  You should have no problem with the firewall handing out DHCP this way.


Hope this helps!
D
>Now, the DNS server ISN'T pointed to itself in the reverse lookup zone, but if I change it to point at itself, will the firewall
>(which handles DHCP) still be able to lease IP addresses to the clients?
Sure, why not? As long as you're not running DHCP on more than one machine with the same scope.
All your addresses should have both an A record and an in.arpa record.



>And how do I figure out if our Win2k server (DNS server) is actually 192.168.1.1 or 192.168.1.2?  
Type IPCONFIG /ALL in a DOS window.


John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
to find out which address is which on the servers do an ipconfig /all and note the address information given.
I forgot the part about noting the address...

Author

Commented:

OK -- the server resolves to 192.168.1.2 -- the server in the forward lookup zone is called 192.168.1.2 -- in the reverse lookup zone there were *two* pointers to the server:  one for 192.168.1.1 and another for 192.168.1.5.  I deleted both of them and added a new pointer to the server of 192.168.1.1.

I also changed the primary DNS server from 192.168.1.1 to .2 in the firewall under primary DNS server info.

These changes resulted in lost internet connectivity, so I restored everything to the original settings (except for the 192.168.1.5 pointer to the dns server -- what the heck was that all about?).   Once restored, we were back online.

I don't get it.  

What I also don't get:  If the server is 192.168.1.2 and the firewall is 192.168.1.1:xx, *what* is 192.168.1.1???

And another thing I don't get:  ipconfig shows the default gateway as being 192.168.1.1.  But if my win2k server is 192.168.1.2 and my firewall is 192.168.1.1:81 who's the default gateway?

Here's a thought:  When I changed the firewall dhcp service to seek primary dns server 192.168.1.2, I did not change the dhcp scope.  Dhcp scope is 192.168.1.11 to 192.168.1.55.  Since dns server was changed to 192.168.1.2, should I have changed the starting address in the dhcp scope from 192.168.1.11 to 192.168.1.21?

>>Sure, why not? As long as you're not running DHCP on more than one machine with the same scope.

Well, the DHCP server and client are disabled on the win2k server.  The firewall is responsible for our DHCP.  

>>All you addresses should have both an A record and an in.arpa record.

Isn't the in.arpa record created automatically when you create a new pointer in reverse lookup zones?

A record, A record?  Refresh my memory.

THANKS THANKS THANKS




>These changes resulted in lost internet connectivity
Loss of connectivity or loss of DNS resolution?

>If the server is 192.168.1.2 and the firewall is 192.168.1.1:xx, *what* is 192.168.1.1
The firewall; .1:81 is the management interface of the firewall.

>should I have changed the starting address in the dhcp scope from 192.168.1.11 to 192.168.1.21?
Doesn't matter, as long as there's nothing on the addresses in the scope

>Isn't the in.arpa record created automatically when you create a new pointer in reverse lookup zones?
The "A" record is the forward lookup under my.zone, the in.arpa record is the reverse lookup under 192.168.1.0.
The reverse lookup is created IF you leave the "create reverse" box checked when entering a record and there is already a 192.168.1.0 zone in the machine.

SO:
The firewall should be your default router (192.168.1.1 NOT :81).

From your dns server, can you resolve names by using nslookup?
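The A/PTR pairing chicagoan describes above (every A record under the forward zone matched by a PTR under the 192.168.1.0 reverse zone, which must already exist for the "create reverse" option to work) as an added example in Python. This is not code from the thread: FORWARD_ZONE and REVERSE_ZONE are constructed, ws01.amstat.org is a hypothetical host, and the two stray PTRs mirror the .1 and .5 pointers the poster found. The reverse zone name it derives (1.168.192.in-addr.arpa) is the one later referred to in the thread.

```python
"""Audit forward (A) vs. reverse (PTR) records for the kind of mismatch
discussed in the thread. Added example, not code from the thread; the
zone contents are constructed from the addresses the poster mentioned."""
import ipaddress

# Constructed forward lookup zone: host name -> A record.
FORWARD_ZONE = {
    "ruby.amstat.org": "192.168.1.2",   # the Win2K DNS server
    "ws01.amstat.org": "192.168.1.11",  # hypothetical workstation, first DHCP address
}

# Constructed reverse lookup zone, keyed by the full PTR owner name.
# Mirrors what the poster found: a PTR for .1 (the firewall) and a stray
# PTR for .5, both claiming to be the server, and none for .2.
REVERSE_ZONE = {
    "1.1.168.192.in-addr.arpa": "ruby.amstat.org",
    "5.1.168.192.in-addr.arpa": "ruby.amstat.org",
}


def reverse_zone_name(network: str) -> str:
    """Name of the in-addr.arpa zone that must exist before the DNS server
    can create PTRs for a /24, e.g. 192.168.1.0/24 -> 1.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("helper covers /24 IPv4 reverse zones only")
    first, second, third, _ = str(net.network_address).split(".")
    return f"{third}.{second}.{first}.in-addr.arpa"


def ptr_owner(ip: str) -> str:
    """PTR owner name for one address: 192.168.1.2 -> 2.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def expected_reverse(forward: dict) -> dict:
    """The PTR set a forward zone implies (what 'create associated PTR' would write)."""
    return {ptr_owner(ip): name for name, ip in forward.items()}


def audit(forward: dict, reverse: dict):
    """Return (missing, stale):
    missing - A records with no PTR, or whose PTR names a different host;
    stale   - PTRs whose name has no A record, or whose A record is another address."""
    missing, stale = [], []
    for name, ip in forward.items():
        owner = ptr_owner(ip)
        if reverse.get(owner) != name:
            missing.append((name, ip, owner))
    for owner, name in reverse.items():
        ip = forward.get(name)
        if ip is None or ptr_owner(ip) != owner:
            stale.append((owner, name))
    return missing, stale


if __name__ == "__main__":
    print("reverse zone needed:", reverse_zone_name("192.168.1.0/24"))
    missing, stale = audit(FORWARD_ZONE, REVERSE_ZONE)
    for name, ip, owner in missing:
        print(f"A {name} -> {ip} has no matching PTR at {owner}")
    for owner, name in stale:
        print(f"PTR {owner} -> {name} matches no A record; delete it")
```

Run against the constructed zones it reports both A records as lacking a PTR and both existing PTRs as stale, which is the state the poster was in before deleting the .1 and .5 pointers; against `expected_reverse(FORWARD_ZONE)` it reports nothing.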

Author

Commented:
>>These changes resulted in lost internet connectivity
>Loss of connectivity or loss of DNS resolution?

Loss of connectivity.  DNS names resolved and ipconfig /renew let the ws recognize 192.168.1.2 as their DNS server...  

>>should I have changed the starting address in the dhcp scope from 192.168.1.11 to 192.168.1.21?
>Doesn't matter, as long as there's nothing on the addresses in the scope

This confuses me.  If the DNS server is 192.168.1.2, don't the possible IP addresses need to come after this number?

>The "A" record is the forward lookup under my.zone,

You mean the host (A) record, right?  There is no my.zone on our server, so I'm assuming you're talking about the main server folder in forward lookup zones, which I just checked the properties of, and which was not allowing dynamic updates.  I just changed that setting to allow dynamic updates.  

>the in.arpa record is the reverse lookup under 192.168.1.0.
>The reverse lookup is created IF you leave the "create reverse" box checked when entering a record and there is already a 192.168.1.0 zone in the machine.

OK -- you've lost me here.  When I create a new pointer, there's no "create reverse" checkbox to check.  192.168.1.0 does not appear to be a zone in the machine.  Do I need to create it?

Let me see if we're on the same page:  You're saying that if I change the reverse lookup zone to point to our server instead of the firewall, and if I change the name of the DNS server in the firewall from the firewall to the DNS server, everything should work.  I just have to make sure that the server has an A record (which is really just a pointer in the forward lookup zone) and that ALL pointers have reverse lookups (aka in.arpa records?).  What about 192.168.1.0 what's that about?

Thanks Chicagoan



Author

Commented:
>>192.168.1.0 does not appear to be a zone in the machine.  Do I need to create it?
>you should have a 1.168.192.in-addr.arpa zone in your reverse lookup zones

Gotcha -- thanks.  

>>I just changed that setting to allow dynamic updates.  
>That works with windows clients, but your other devices need explicit entries

It's just the seven Windows clients and a firewall running IPCop.

>Changing your DNS server ought not to make any difference in your connectivity, unless you can't resolve.

Something to do with the 'allow dynamic naming' setting I just checked (which heretofore was unchecked)?  I ipconfig /all -ed several of the workstations and they resolved with a dynamic IP address and the name of the .2 setting as their DNS server.  (When I changed the settings the first time)

This time, I checked the 'allow dynamic naming' box,  changed the reverse lookup zone pointer and the DNS server name in the firewall (which handles DHCP).

Everyone's got connectivity, and get this:  if you log any user on the network -- it logs almost instantly EXCEPT for on their own ws - where it still takes 1 min!  

What's that all about?

something to do with their profiles I'd guess, are you caching 'My Documents' in roaming profiles?

Author

Commented:

Nope -- ipconfig /renew fixed it.  

You're the best!  

Thanks for helping me through this!

Now what do I do with the points?  Dimante told me what to do, but chicagoan broke it down into win2k chunks I could understand.

Whatcha think?  

Thanks guys...
glad you're up!
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
glad it is working for you.

Author

Commented:
Yaaaaaaaaawn!  Not for long. :)

Author

Commented:
>each record in your forward lookup zone should have a corresponding reverse entry

This just sank in:

I've got a name server record in forward lookup zones that doesn't have a corresponding record in reverse lookup.  It's our email/web server.  However, there's no option to add a new name server in reverse lookup zones.  

Is this going to be cool?

 

Author

Commented:

I'm having intermittent problems pinging our email server (and google as well) --  isn't this DNS related as well?  

One mo' we can download email, the next mo' we can't contact the mail server.  Our mail server sez evrythingz cool on their end.

>isn't this DNS related as well
what is the result of NSLOOKUP when this happens?
If it resolves, do a tracert and post it

Author

Commented:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

H:\>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try again.

H:\>ping www.amstat.org
Ping request could not find host www.amstat.org. Please check the name and try again.

H:\>ping 216.56.143.132 (ipaddress of amstat.org)

Pinging 216.56.143.132 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 216.56.143.132:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

H:\>nslookup
Default Server:  ruby.amstat.org
Address:  192.168.1.2

Maybe 'cause our webhost is the same name as our server domain?  But why can't I ping google?
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
Have you checked your machines for viruses?  The trojan.Qhosts virus will cause you to be unable to resolve google, etc.


D
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
um can you ping www.microsoft.com?
>H:\>nslookup
>Default Server:  ruby.amstat.org
>Address:  192.168.1.2

that's your default DNS server

what is 192.168.1.2?

Author

Commented:
>>H:\>nslookup
>>Default Server:  ruby.amstat.org
>>Address:  192.168.1.2

>that's your default DNS server

>what is 192.168.1.2?

My default DNS server's IP address.  

Dimante asked if I can ping www.microsoft.com.  Nope.  Request times out.

I wonder if this is something to do with our internet connection sharing?  Whack.

I scanned my machine with Symantec (updated virus definition as of today) and didn't find any viruses.

Like I said, this is an intermittent problem.  Maybe the DNS problem is fixed and I should try another question?
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
If you cannot resolve microsoft.com then the problem still lies with DNS.  Can you try to do the same thing from the dns server itself?

Author

Commented:
I just pinged (pang? :)) www.microsoft.com from the DNS server -- request timed out

I pinged google and got a reply, I pinged our website and got a timeout.

Same deal on our workstations.  


Author

Commented:
later...

Reply from google and our website,

Timeout from www.microsoft.com

Author

Commented:
even later...

 Same deal
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
You said you have an email / web server... Is this in the DMZ?  I am still standing by the fact that DNS is somehow misconfigured.  Maybe (to the best of your ability) you can depict a map of how your network is put together logically.  Because from what has been explained so far puzzle pieces are missing...


D

Author

Commented:
>Maybe (to the best of your ability)  you can depict a map of how your network is put together >logically.  Because from what has been explained so far puzzle pieces are missing...

We have a Dell PowerEdge 1400 server hooked into a 10-port gigabit switch.  We also have a 12-port, 100 megabit switch.  I'm not sure, but I think all 22 ports route through a Belkin 24-port 4-color switch.  

Seven workstations, a printer, and a linux server are plugged into the switches.






John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
So is the dell poweredge running the DNS? And the DMZ?  What servers are in that?

Author

Commented:
Yes, the poweredge is running DNS.

I don't know about DMZ...  How can I find out?

There's a service called DMZ pinholes on the firewall (ipcop)

Author

Commented:
The DMZ service on the firewall appears to be enabled, but there's no source or destination IP address in those DMZ fields.  No destination port, either.  

John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
How does your Internet connection play into this scenario?  Do you have a router there?

Author

Commented:
An old 486 with IPCop is our internet connection
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
please depict your net as <Internet>--<DNS server>--<??> in the order from the outside in to the LAN and I think I can help you.

D

Author

Commented:

<internet>--<dhcp server>--<dns server>--<LAN>

A
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
What OS is your old 486 box running?

Author

Commented:
I think it's linux
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
Can you do an ipconfig /all on the dns server and post the output here?

Author

Commented:
ipconfig /all

Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : RUBY
    Primary DNS Suffix  . . . . . . . : amstat.org
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : amstat.org

Ethernet adapter Internal Gigabit:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-10-18-01-93-DD
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.1
                                        209.124.156.9
    Primary WINS Server . . . . . . . : 192.168.1.1

Whoa!  Should the NIC in our server be set to itself as DNS server?  
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
Yes, and no external dns servers should be listed.
and is 192.168.1.1 running WINS?  Is anything?

D

Author

Commented:
isn't the external DNS server necessary for DNS caching for internet?
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
No, if the DNS server is set up correctly it should go out to the root servers itself for addresses it cannot resolve.

Make sure your local DNS server does not have a "." zone in forward lookup zones.  If it does delete it.

D
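The rules Dimante gives across the last few replies (the DC/DNS server's NIC points at itself and lists no external resolvers, DHCP hands clients the DC's address, and there must be no "." zone in Forward Lookup Zones) as an added example in Python that checks a pasted `ipconfig /all` against them. This is not code from the thread: IPCONFIG_OUTPUT is the output the poster pasted above with its two truncated header lines restored; the forward zone list and the DHCP DNS option handed out by the IPCop box are assumptions passed in by the caller.

```python
"""Check a Win2K DC/DNS server's resolver settings against the rules given
in the thread. Added example, not code from the thread. IPCONFIG_OUTPUT is
the poster's ipconfig /all (two truncated header lines restored); the zone
list and DHCP DNS option are assumptions supplied by the caller."""
import ipaddress
import re

IPCONFIG_OUTPUT = """\
Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : RUBY
    Primary DNS Suffix  . . . . . . . : amstat.org
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : amstat.org

Ethernet adapter Internal Gigabit:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-10-18-01-93-DD
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.1
                                        209.124.156.9
    Primary WINS Server . . . . . . . : 192.168.1.1
"""

# 'Key . . . : value' lines, and deeply indented continuation lines that
# carry a second value (ipconfig wraps extra DNS servers that way).
_KEY = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
_CONT = re.compile(r"^\s{8,}(\S.*)$")


def parse_ipconfig(text: str) -> dict:
    """Return {field: [values...]} for the adapter/global fields of ipconfig /all."""
    cfg, last = {}, None
    for line in text.splitlines():
        m = _KEY.match(line)
        if m:
            last = m.group(1)
            cfg.setdefault(last, [])
            if m.group(2):
                cfg[last].append(m.group(2))
            continue
        c = _CONT.match(line)
        if c and last:
            cfg[last].append(c.group(1))
    return cfg


def audit_dns_client(cfg: dict, forward_zones: list, dhcp_dns_option: list) -> list:
    """Return (code, message) findings; an empty list means all four rules hold."""
    findings = []
    self_ip = cfg["IP Address"][0]
    lan = ipaddress.ip_network(f"{self_ip}/{cfg['Subnet Mask'][0]}", strict=False)
    dns = cfg.get("DNS Servers", [])
    if not dns or dns[0] != self_ip:
        findings.append(("SELF", f"DNS server {self_ip} should list itself first, not {dns}"))
    external = [d for d in dns if ipaddress.ip_address(d) not in lan]
    if external:
        findings.append(("EXTERNAL", f"resolvers outside {lan} on the NIC cannot answer "
                                     f"Active Directory lookups: {external}; use forwarders instead"))
    if "." in forward_zones:
        findings.append(("ROOT_ZONE", 'a "." zone makes this server act as a root server, '
                                      'so it never recurses for Internet names; delete it'))
    if dhcp_dns_option != [self_ip]:
        findings.append(("DHCP", f"DHCP hands clients DNS {dhcp_dns_option}; "
                                 f"they need the DC, {self_ip}, to locate Active Directory"))
    return findings


if __name__ == "__main__":
    cfg = parse_ipconfig(IPCONFIG_OUTPUT)
    # Assumed state before the fix: only the amstat.org zone, firewall handing out itself as DNS.
    for code, msg in audit_dns_client(cfg, ["amstat.org"], ["192.168.1.1"]):
        print(code, msg)
```

On the posted output it flags SELF, EXTERNAL and DHCP, which are the three things that were changed in the thread; once the NIC lists only 192.168.1.2 and the firewall's DHCP hands out 192.168.1.2 it reports nothing, and it reports ROOT_ZONE only if a "." zone is passed in the zone list. To use it live, paste the DC's `ipconfig /all` into IPCONFIG_OUTPUT and read the zone list off the DNS MMC.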

Author

Commented:

Ahhhhh yes... Internet connectivity is now about what I would expect it to be.

Google resolves and replies
Our webserver resolves and replies

Microsoft.com resolves, but doesn't reply.

This is really an interesting topic -- do you have any reading recommendations?
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
So everything is now working as you expected!  Fabulous!

Microsoft definitely will not respond to ping (they smartened up ;-))  If you are truly interested in the MCSE track then the Microsoft Press books on Active Directory (will cover DNS in depth also) are good places to start.  There are further tweaks that need to be done with DNS in larger environments.  These books will cover some but not all aspects.  Glad everything is working well!

D

P.S. Did you have to remove the "." zone or was it not there?

Author

Commented:

Fabulous is right!  We'd been suffering 18 long months until I took things into my own ignorant hands.  Thanks MUCHO.

The "." zone wasn't there, I guess... What's it for, anyway?  Everyone warns against having one, why IS there one?

MCSE, eh?  I'll check it out.  Any suggestions for less platform-specific info on DNS/DHCP?

I'm new to this service, so I'm not sure how to split points between you and chicagoan...What do you all think?

A very happy,

A (can I go home now?)
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
DNS plays a very different role in W2K than it does in its normal implementation.  But DNS-specific books can be found at:
http://www.oreilly.com/

They generally have well written books on many subjects related to computers.

As far as the points split....  I don't really want to tell you how to do it but generally the person that gives you the solution to your problem is given the most points and is given the Accepted answer credit.  Anyone that you feel also has helped you fix the problem is given an assisted answer and is awarded some of the points as well.  The grade you choose is based on how well you feel your question was answered..

Does that make sense??  I am rambling..........

D  

Author

Commented:
Err?  I meant the answers to be the other way around -- w/ dimante being accepted and chicagoan providing assistance.

I gave the bulk of the points to dimante because he gave me the answers every time, and chicagoan got a chunk of points because he gave me a couple of answers, too, and he helped me figure out how to carry out some of dimante's answers.  

You guys are the coolest!  Thanks a million!
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
You're welcome!  I enjoyed helping you.

D

Author

Commented:

:)

Author

Commented:
Rahhhh!  I guess I'm too optimistic.  :(  Having trouble again.  These intermittent ones are the worst.  

I couldn't ping our webserver, google, or microsoft.  Then I did an ipconfig /flushdns and I was able to ping said sites.

I wonder if it has something to do with the fact that our webserver has the same name as a domain on our Win2K server?

Do I need to open another question since I already awarded points?

A

Author

Commented:

Dimante -- Still getting an external DNS server listing when I do ipconfig /all, despite my having removed it from the NIC
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
No, we can keep going with this one.  No need to open another one.  That DNS server has to be specified somewhere in your settings.  Make sure you check the TCP/IP advanced options for that number... and make sure you do not have that server listed as a forwarder.

D

Author

Commented:
Correct DNS server is specified in the local server's NIC under TCP/IP advanced options.

Sorry to be clueless here, but where would the server be listed as a forwarder if it were indeed a forwarder?

Author

Commented:
Clue:  When pinging our webserver -- the domain cannot be found but when I ping the IP address of our webserver, I get a reply.  DNS, yes, but where?
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
I am going to need more information to help you solve this one.  It is going to involve giving me some print screens of your DNS server setup etc.  If you use myeename@myeename.net you know dimante that is my email address.  What I want to see is your ipconfig /all output, a print screen of your network connections window and a full view of your DNS MMC with advanced options chosen.  I will copy any correspondence from email here in this question.
John Gates, CISSP, Lead IT Security Analyst, Global Threat Management

Commented:
Amber please open a new question even if it is 10 or 20 points and link to this one...  

Also...
 Rahhhh!  I guess I'm too optimistic.  :(  Having trouble again.  These intermittent ones are the worst.  

I couldn't ping our webserver, google, or microsoft.  Then I did an ipconfig /flushdns and I was able to ping said sites.

I wonder if it has something to do with the fact that our webserver has the same name as a domain on our Win2K server?

Was this from a client machine?

D
