Cannot access www.microsoft.com when using our internal DNS server

We have a joint Windows and NetWare environment.  Prior to the Windows domain environment being added for a few users, we pointed workstation DNS to our ISP's DNS servers.  No problems.  With the advent of the Windows AD environment, the Windows 2003 domain controller, also the DNS server, is now being used as the DNS controller for some of the users connected to the domain.

For testing, we have some other users, not logged into the domain, that are pointing to our Windows 2003 DNS server, 192.168.1.40.  However, when we try to access www.microsoft.com, it does not respond.  Pinging it does not resolve the IP address (which it does if we use one of the workstations that connects directly to our ISP's DNS servers).

Also, if we try to access www.cnn.com, it is real slow.  Other external websites do not appear to be a problem.  The gateway address 192.168.1.1 does pass through an IPRISM internet filtering/management device.  All the other users that connect directly to the ISP's DNS, not being forwarded through the Windows 2003 DNS server, also go through the IPRISM device.

Any ideas on what is the problem or how to troubleshoot it?

Cliff.
Asked by cwsoft05

1 Solution
feptias commented:
The internal DNS server should be able to resolve microsoft or any other external name by forwarding the request to an external DNS server. Usually the external DNS server you specify is the ISP's server.

To set forwarding on your internal DNS server, open the DNS management console, right click on the DNS server and select properties. There is a tab on this form called Forwarders. Under "DNS Domain" it should say "All other DNS domains" and this line should be highlighted. In the section below called "Selected domain's forwarder IP address list" you should add your ISP's DNS server IP address.

cwsoft05 (Author) commented:
That is the problem.  We have this configured exactly as you state and it works for other addresses, but not www.microsoft.com.  That will not resolve.  In addition, some other sites, like cnn.com resolve very slowly.  From the server, we can ping (no response but it provides address) for microsoft.com, but not www.microsoft.com.

We are trying to determine what is causing a few sites to not work, like www.microsoft.com.

feptias commented:
Have you tried the following?
1. Make sure you don't have a forward lookup zone defined called microsoft.com (unlikely, but it would cause your problem)
2. Try increasing the value of "Number of seconds before forward query times out" - mine is set to 18 for example.
3. Adding alternative forwarder IP addresses to the list of forwarders
4. Ticking the box "Do not use recursion for this domain" or unticking it if already ticked. This tells your DNS server whether it should try resolving the address itself from the root down or if it should only use the forwarder (called "slaving" I believe)
5. Using the debug logging (I haven't used it myself, but I guess it is straightforward).

cwsoft05 (Author) commented:
3.  We have 4 addresses, which are the same 4, 2 from our DSL provider and 2 from our cable provider, that we use without problem for those users that do not go through Windows 2003 DNS as they are not connected to the domain, just to the netware system (which does not have DNS configured) and go directly to the ISP.

Will look at the other items.

cwsoft05 (Author) commented:
None of your suggestions worked.  I then turned on debugging and looked at the log.  I put in the error message for the DNS lookup that was failing and it pointed to extended DNS and limitations on DNS UDP packet size at 512, and the fact that EDNS can cause errors with some sites.  The Cisco PIX had a fixup dns max packet size of 512.  Changing that to 1500 resolved the problem.

cwsoft05 (Author) commented:
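As an added example (not code from the thread or from either participant), a small Python probe that sends the same query twice, once as a plain DNS packet and once with an EDNS0 OPT record advertising a 4096-byte UDP payload; a middlebox enforcing the 512-byte limit described above shows up as the EDNS variant timing out while the plain one is answered. The server address and name are whatever you pass on the command line; the packet layout follows RFC 1035 and RFC 6891.

```python
import socket
import struct


def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Build a raw DNS query (A record by default). When edns_udp_size is
    given, append an EDNS0 OPT pseudo-record in the additional section."""
    arcount = 0 if edns_udp_size is None else 1
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    if edns_udp_size is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL field = extended RCODE/version/flags (all zero), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def describe_response(data):
    """Summarise a raw DNS reply: RCODE, truncation (TC) bit, size, answers.
    Returns None if the datagram is too short to hold a header."""
    if len(data) < 12:
        return None
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"rcode": flags & 0x000F, "tc": bool(flags & 0x0200),
            "size": len(data), "answers": an}


def probe(server, name, timeout=3.0):
    """Query `server` for `name` with and without EDNS0 and report each
    outcome. A timeout only on the EDNS variant points at a device
    filtering EDNS/large UDP DNS, as the PIX fixup did in this thread."""
    results = {}
    for label, size in (("plain", None), ("edns4096", 4096)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, edns_udp_size=size), (server, 53))
            data, _ = sock.recvfrom(65535)
            results[label] = describe_response(data)
        except socket.timeout:
            results[label] = "timeout"
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))  # e.g. 192.168.1.40 www.microsoft.com
```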
feptias did not really answer the question but I will allocate the points anyways.

feptias commented:
Thanks. I'm pleased you've fixed it.