Re: DCPROMO FAILED



My firewall is open on port 53.

On my corporate network I forward all requests to my ISP's caching only
server... Again this is a test network.

Thanks

"Herb Martin" wrote:


"stosti" <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3D036B57-1BB4-4C73-844C-BD9DD3BCCA27@xxxxxxxxxxxxxxxx
The DNS was set up by Microsoft. If it is set up incorrectly I want my
money back! What on the firewall could stop the root servers from accessing the
internet?

YOU don't have "root servers"; you are trying to access them through
the firewall. Filters on TCP and UDP port 53 outbound requests
and/or responses would stop it.

How are we resolving internet IP addresses with no access to root
servers?

By forwarding to a (caching only) DNS server which can do that.
Usually such are located at the firewall/DMZ or at the ISP, but the
latter isn't as safe and doesn't solve the problem when YOUR firewalls
prevent internal servers from recursing the Internet.

Do you really want your internal (very sensitive) DNS Servers, which
are frequently on DCs, visiting the entire Internet, including places like
dns1.EvilHackersRUs.com???


"stosti" <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A3F23B52-97E4-4E0A-9868-D24E83777DF9@xxxxxxxxxxxxxxxx
Hi,

You're suggesting to use forwarders for all DNS lookups to the internet?

Yes, it is generally safer and you seem to have some current problem with
"root hints" (i.e., direct recursion) anyway. Perhaps a firewall or some
routing problem is preventing the root hints from testing correctly.

This DCN is set up correctly. It was set up by Microsoft in 2003.

What is a DCN? And having it set up by "Microsoft" (especially over
four years ago) is no guarantee it is correct.

Even if you paid to have a problem resolved they generally just "fix the
problem" and don't review and correct inherent design issues.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
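A diagnostic for the situation Herb describes, added here as an example and not taken from the thread: it tests the root-hint path and the forwarder path separately from the DC's DNS server, then points the server at the caching-only forwarder so the DC stops recursing the Internet directly. It assumes the DnsServer PowerShell module (Windows Server 2012 and later, not the 2003-era dnscmd this thread predates); $Forwarder is a placeholder address, and 198.41.0.4 is a.root-servers.net from the standard root hints.

```powershell
# Added diagnostic, not from the thread. Run on the DC that hosts the DNS server.
$Forwarder  = '192.0.2.53'   # placeholder: your caching-only resolver at the firewall/DMZ
$RootServer = '198.41.0.4'   # a.root-servers.net, one of the standard root hints

function Test-DnsPath {
    # Ask one server directly (no local cache, no chain of forwarders) and report
    # whether an answer came back; a timeout here usually means UDP/TCP 53 is filtered.
    param([string]$Server, [string]$Name, [string]$Type)
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        return "OK:   $Server answered $Type for '$Name' ($($r.Count) records)"
    } catch {
        return "FAIL: $Server did not answer $Type for '$Name' -> $($_.Exception.Message)"
    }
}

# 1. Root-hint path: the DC talks to a root server itself. This is what the
#    "root hints" test in the DNS console exercises and what an outbound
#    port 53 filter on the firewall breaks.
Test-DnsPath -Server $RootServer -Name '.' -Type NS

# 2. Forwarder path: the caching-only server recurses on the DC's behalf, so
#    only that one server needs Internet DNS access through the firewall.
Test-DnsPath -Server $Forwarder -Name 'www.microsoft.com' -Type A

# If (1) fails and (2) succeeds, the firewall is blocking the DC's direct
# recursion. Forward everything to the DMZ resolver and do not fall back to
# root hints when the forwarder is unreachable, so the DC never walks the
# Internet itself.
Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false
Get-DnsServerForwarder   # expect IPAddress = $Forwarder and UseRootHint = False
```

Once the forwarder is in place the perimeter firewall only needs to permit port 53 outbound from the DMZ resolver, not from the domain controllers.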
