Re: Problem by routing external users in DNS

Tech-Archive recommends: Fix windows errors by optimizing your registry

> But my major problem is why they dont register with ip-address 10.10.x.x
> in our DNS when they can ping our DNS server, and they can use our
> connection
the internet through the VPN-tunnel. Is it something thats not set correct
in our AD or is it more likely an issue in our firewall.

Only thing that I can think of at the moment is that you are using secure
only dynamic updates, and the client hasn't authenticated with a DC when the
DHCP Client Service tries to register in DNS.

Are you actually blocking anything on the firewall?

One issue, which is separate, but you might be interested in (I've just
fixed this issue in work) is that firewalls, such as a nokia checkpoint,
don't allow ping messages over a certain size. This will cause GPO to fail,
as GPO slow link detection is done by sending three 2048 byte pings at the
DC and calculating the round trip cost.

Another thing to consider is that VPN devices use a smaller MTU than
Ethernet routers and firewalls. If the VPN device isn't returning ICMP
Destination Host unreachable (ICMP 3,4) ICMP messages, then Windows will
hang waiting for a response and then resending packets again. This can
cause a number of issues, such as very slow logons, Kerberos to break
(packet loss when fragmenting), etc. Perhaps this is playing hell with the
DNS stuff - that will use UDP by default, and will only use TCP when the
packet exceeds a certain size (I can't remember what size).

You can test for MTU problems by pinging the opposite side of the VPN with
the do not fragment bit set (-f) and varying the payload size (-l 1398),
e.g.

C:\dev\vbs\>ping r2-dc-01 -f -l 1398


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


.

Relevant Pages

  • Re: DNS Server set to forwarder randomly going out to root servers
    ... We implemented the EDNS0 change to no avail. ... The firewall is actually acting as a caching DNS server. ...
    (microsoft.public.windows.server.dns)
  • Re: Can Not Ping By Name
    ... >>> Make sure there's no firewall packaged with the VPN client. ... >>DNS server is the same physical server as the Exchange, ... > Network problem solving - general advice: ...
    (microsoft.public.windowsxp.network_web)
  • Re: ICS problem between 2 XP instances
    ... >>>being able to ping my default gateway. ... Make sure that a firewall program on FamilyPC isn't blocking pings ... >> DNS Server = your ISP's DNS server ... I do also have Trend Micro PC-Cillin, ...
    (microsoft.public.windowsxp.network_web)
  • RE: Problem pinging IP and host names - Server 2003 DNS
    ... Connection-specific DNS Suffix. ... And here is one of the clients which I can not ping by IP or Hostname ... I went to my DNS server, deleted their A record, went to their ...
    (microsoft.public.windows.server.dns)
  • Re: dns server behind a firewall?
    ... > cause I wanted to be sure about the server IP switching. ... Your DNS will be down during switchover ... No. Doublecheck that the DNS server allows queries on all ... >>> firewall and want me to do the job, thats why I m posting again. ...
    (microsoft.public.windows.server.dns)