Internal DNS Server behind ISA Server

How do you configure an internal DNS server to resolve internal and external IP addresses when that server has no direct access to the Internet?


Server 1 - Windows 2003 Domain Controller

This is a Windows 2003 Server with AD integrated DNS that handles all name resolution for our internal network.  This server is the domain controller and has no direct connection to the Internet. All internet access for this server is handled by a Windows 2003 server running ISA 2000.

Network card
IP -

I set up forwarders to our ISP's DNS servers but I don't think this server can access them or the root DNS servers.


Server 2 - Windows 2003 w/ ISA 2000

This computer has ISA loaded and working, but only if I set the cards up in the following configuration and bind order.

Second Network card
IP - Public Address from ISP
DNS - ISP's DNS Server

First Network card
IP -

This computer can access the Internet and resolve internal and external names.  I'd like to change the bind order and remove the ISP DNS information from card 2, but I can't do that until I get our Internal DNS server to work properly.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


You would have to create a protocol rule that allows the Server1 to contact the outside world using DNS. To do this, first off all create "host set" ( not quite sure how it's called, not behind a ISA server now), this is a policy element. Then create a protocol allow rule that allows the server to access all locations using UDP port 53. This should do the trick..

Although i would use the ISA server to do the DNS resolvance, because i guess your ISA is your proxy server and all machines are configured to use either a proxy server or the default gateway, it will always connect the ISA server when going to the internet. This way your internal DNS server's security will not be jeaperdized and it will not lose performance..
mplattnerAuthor Commented:
I added the publishing rules and the protocol rule on the ISA server, but the other Server 1 is still not working correctly.  It doesn't seem to be trying to use the ISA server at all for DNS forwarding.  It only uses the ISA server for Internet access.  For example, if I ping <external IP> from Server 1 it tries to send it through the default gateway on our internal network.  Opening Internet Explorer and browsing around works fine.

Do you think it would be easier (and better) to move DNS to the ISA server?  What would be involved in moving the AD integrated DNS from Server 1 to the ISA server?
No, don't move the internal DNS server from the DC to ISA, just let the DC do internal DNS resolvance. But for external DNS resolvance (to internet for example) use the ISA server. Just let the external DNS servers be placed on the external interface of the ISA server..
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

mplattnerAuthor Commented:
Our ISA server is already able to resolve external names by using our ISP's DNS servers.  

The problem is I'm forced to have DNS info on both network cards on the ISA server and I had to change the network adapter binding order.

ISA Server Net Card 2
IP - public address
DNS - ISP DNS Servers  <-- used to resolve external names

ISA Server Net Card 1
IP -
DNS - <-- seems to not even be used by the ISA server


The ISA server only uses the ISP DNS and can only resolve external names.  I have to use WINS for internal name resolution.  

I've been told that the best practice is to set ISA to point to the internal DNS server for the network, and then use forwarders on that DNS server to resolve external IP addresses.  I can't do that though since my internal DNS server doesn't seem to work properly (ie. isn't using root servers or forwarders) since it doesn't have a direct internet connection.
Has Server 1 got a default route set that points to Server 2's LAN IP?

C:\>route add -p mask

If not it won't know where to route non-LAN packets.

You can either set that or using a default gateway of on Server1's NIC Properties.

Or, to be more secure just add persistent routes to the routing table of Server1 that tell it how to get to the ISP DNS servers, if these are set as forwarders for Server 1's DNS service.

C:\>route add -p <ISP DNS Server 1 IP> mask
C:\>route add -p <ISP DNS Server 2 IP> mask

try doing a trace route from Server1 to see what it does when trying to reach those ISP DNS servers.
Ok, then indeed, do what TJWorlds says and try to get a connection from server1  to the outside world by using a tracert (best is to first try on ip address and after that on DNS name).. Then you can check if you either have a routing problem or the ISA is not letting DNS packets through..

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mplattnerAuthor Commented:
Thank you for the help everyone.  I needed to set the packet filter rules on the ISA server and add a static route on Server 1.  Everything seems to be working well now!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.