Re: Problem with DNS over VPN



"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in
news:O7i$ug5QFHA.2356@xxxxxxxxxxxxxxxxxxxx:

> "adamofevil" <adamofevil@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:Xns963A97500C27Aadamofevil@xxxxxxxxxxxxxxxx
>> Domain Name: lenderservices.local
>> Server: Windows 2003 SBS 192.168.168.2
>>
>> DNS: Single AD integrated zone lenderservices.local (no . zone)
>> Configured for forwarding to ISP DNS servers
>>
>> Location #1 contains the server, subnet 192.168.168.0/24
>> Location #2 contains no server, subnet 192.168.0.0/24
>>
>> Location #1 & 2 are connected via a gateway-gateway VPN
>
> May we presume the VPN routes in general and is unfiltered?
> Ping, telnet server 80, etc.?

Yes. Ping, telnet, RDP and everything else under the sun seems to work
fine through the VPN.

>> Clients at location #2 are configured with static addresses pointing
>> DNS to 192.168.168.2
>
> So they must get DNS requests fulfilled across the WAN/VPN?
>
> Not illegal but slow probably.

Well there are only 4 workstations at location #2, so I didn't see the
need to recommend another server at that location. They should still be
able to get DNS over the WAN though, and it just doesn't seem to work
properly.

>> Clients at location #2 are able to resolve hostnames but not FQDN
>> names
>
> This sounds like they are using broadcasts to resolve the simple
> computer names through NetBIOS and failing to resolve DNS
> names with suffixes (FQDN means something different than you
> believe).
>
> What about the computer DNS names in the System Control panel?
> Are they named fully? (Not just "computer" but
> "computer.domain.com"?) They need to be.

They are all computer.lenderservices.local

>> Clients at location #2 are unable to resolve the majority of external
>> DNS requests
>
> What does the following give:
>
> nslookup DC_NAME.lenderservices.local
>
> (Copy and paste the full answer and request, do not type it, and
> please don't use pictures of the screen.)

C:\Documents and Settings\abrass>nslookup server.lenderservices.local
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.168.2: Timed out
*** Default servers are not available
Server: UnKnown
Address: 192.168.168.2

DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Documents and Settings\abrass>

> See if the following is different:
> nslookup DC_NAME.lenderservices.local 192.168.168.2

C:\Documents and Settings\abrass>nslookup server.lenderservices.local 192.168.168.2
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.168.2: Timed out
Server: UnKnown
Address: 192.168.168.2

DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Documents and Settings\abrass>

>> When attempting to NSLOOKUP from a client at location #2, the
>> response is:
>>
>> DNS request timed out.
>> timeout was 2 seconds.
>> *** Can't find server name for address 192.168.168.2: Timed out
>> *** Default servers are not available
>
> The above MAY be perfectly normal -- this is an artifact
> of the way that NSLookup works in looking up the NAME
> of the server that is being used.
>
> All that REALLY matters is if you get the right answer to
> the question (so show your commands also).
>
> The following may be part of the above, or an actual problem,
> but without the full question/response we cannot tell:
>
>> Default Server: UnKnown
>> Address: 192.168.168.2

C:\Documents and Settings\abrass>nslookup
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.168.2: Timed out
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.168.2

> www.macromedia.com
Server: UnKnown
Address: 192.168.168.2

DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
>

The requests work fine from location #1, just not location #2.

>> Any help would be appreciated. The only temporary resolution I have
>> found to this is to add a secondary DNS of the local router which
>> resolves the problem of looking up external addresses but does not
>> resolve the problem of being unable to resolve FQDN and also seems to
>> prevent them from accessing the local web server.
>
> Clients must NOT use multiple DNS servers that do not
> return the same answer, so your temporary solution is
> going to cause trouble even if you fix the real problem.

Well, I needed to get them able to surf the internet until I find a way to
solve this problem. I know exactly what you mean though, and I wish for
this to work properly rather than "jury-rig" it.

>
> The following is not specific to your problem (see above),
> but it may be of help now or later:
>
> Full checklist for DNS for AD
> 1) Dynamic for the zone supporting AD --- CHECK
> 2) All internal DNS clients NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.) --- CHECK
> 3) DCs and even DNS servers are DNS clients too -- see #2 --- CHECK
> 4) If you have more than one Domain, every DNS server must
> be able to resolve ALL domains (either directly or
> indirectly) --- ONLY ONE DOMAIN
>
> netdiag /fix
>
> ...or maybe:
>
> dcdiag /fix
>
> (Win2003 can do this from Support tools):
> nltest /dsregdns /server:DC-ServerNameGoesHere
> http://support.microsoft.com/kb/q260371/

I'll have to get my hands on these support tools before I can run them, as
they don't seem to be installed on the server at the moment. As yet
nothing else has worked.

> Ensure that DNS zones/domains are fully replicated to all DNS
> servers for that (internal) zone/domain. -- ONLY ONE SERVER
>
> Also useful may be running DCDiag on each DC, sending the
> output to a text file, and searching for FAIL, ERROR, WARN.
>
> Single Label domain zone names are a problem Google:
> [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

Will check into this too. Thanks for the advice.
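Added example, not part of the thread: a raw DNS probe that does what nslookup does in the transcripts above (a PTR lookup for the server's own address, then the real query) over both UDP and TCP to port 53 with an explicit timeout, bypassing the Windows resolver and the NetBIOS fallback entirely. The "Can't find server name for address 192.168.168.2" line is only the PTR step; the line that matters is the timeout on the actual query, and a raw probe that also times out shows the server is not answering on the VPN path at all rather than nslookup misbehaving. The server address and test name are taken from the thread as assumptions; only A and PTR records are decoded, IPv4 only, and replies are checked against the transaction ID so a stale or spoofed answer is not mistaken for a good one.

```python
"""Raw DNS probe: PTR for the server's own address, then the real query,
over UDP and TCP with a timeout, independent of the OS resolver."""
import random
import socket
import struct

# Values taken from the thread; substitute your own server and test name.
DNS_SERVER = "192.168.168.2"
TEST_NAME = "server.lenderservices.local"
QTYPE_A, QTYPE_PTR = 1, 12

def encode_name(name):
    """Dotted name -> length-prefixed labels, zero-terminated (RFC 1035 3.1)."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    if any(not 0 < len(raw) < 64 for raw in labels):
        raise ValueError(f"bad label in {name!r}")
    return b"".join(bytes([len(raw)]) + raw for raw in labels) + b"\x00"

def ptr_name(ip):
    """192.168.168.2 -> 2.168.168.192.in-addr.arpa (nslookup asks this first)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_query(name, qtype, txid=None):
    """12-byte header with RD set, one question, class IN."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], offset, False
    for _ in range(128):  # bounded so a pointer loop cannot hang the parser
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer
            if not jumped:
                end, jumped = offset + 2, True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    raise ValueError("compression pointer loop")

def parse_response(data):
    """Header + answers -> {'id', 'rcode', 'answers': [(name, type, rdata)]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s): name + qtype + qclass
        offset = decode_name(data, offset)[1] + 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in data[offset:offset + 4])
        elif rtype == QTYPE_PTR:
            value = decode_name(data, offset)[0]
        else:
            value = data[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((name, rtype, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}

def probe(server, name, qtype, timeout=2.0, tcp=False):
    """One query to server:53; parsed reply, or None if nothing usable came back."""
    query = build_query(name, qtype)
    try:
        if tcp:  # TCP framing: 2-byte length prefix on query and reply
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                length, data = struct.unpack("!H", s.recv(2))[0], b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
    except (OSError, struct.error):  # timeout, refused, unreachable, truncated
        return None
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    return reply

if __name__ == "__main__":  # same order as nslookup: PTR for the server, then the query
    for tcp in (False, True):
        for qname, qtype in ((ptr_name(DNS_SERVER), QTYPE_PTR), (TEST_NAME, QTYPE_A)):
            print("tcp" if tcp else "udp", qname, probe(DNS_SERVER, qname, qtype, tcp=tcp) or "TIMEOUT")
```

Run it from a location #2 workstation and from a location #1 workstation and compare. A PTR timeout with a working A answer is the benign nslookup artifact Herb describes; all four probes timing out from location #2 while the same script answers from location #1 points at the VPN path (UDP/53 and TCP/53 to 192.168.168.2) or at the server's listening interfaces, not at the clients' DNS configuration. If only UDP times out while TCP answers, UDP/53 is being dropped or mangled somewhere on the tunnel.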