Re: DNS on new DC at new site...
- From: "Billingsley" <billingsley@xxxxxxxxxxxxxxxx>
- Date: Tue, 27 Mar 2007 15:15:41 -0500
Well, I checked with nslookup and 4.2.2.2 replies fine. Is this a
sufficient test to ensure port 53 (UDP/TCP) is enabled inbound/outbound? I
checked the debug logs on my firewall and they say packets are allowed on port 53
between my internal DNS server and 4.2.2.2, but I still get the strange
errors in 'dcdiag /c':
TEST: Forwarders/Root hints (Forw)
Error: Forwarders list has invalid forwarder: 4.2.2.1
(<name unavailable>)
Error: Forwarders list has invalid forwarder: 4.2.2.2
(<name unavailable>)
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 4.2.2.1 (<name unavailable>)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 4.2.2.1
DNS server: 4.2.2.2 (<name unavailable>)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the
1.0.0.127.in-addr.arpa. failed on the DNS server 4.2.2.2
This is driving me crazy. I look on the internet and I haven't found much
on this error except on this page:
http://technet2.microsoft.com/WindowsServer/en/library/5237db58-a1e8-40cd-ae8a-7f52848a90f21033.mspx?mfr=true
It says:
"Forwarders configured on the DNS server have an invalid IP address or are
not a DNS server, or name resolution is not working (that is, cannot resolve
forest root domain SRV record if it is a non-root domain DC)."
I don't know what this means. It can't resolve domain.local? It isn't a
non-root domain DC so I don't know what is going on. Please decode for me.
-Steven-
> "Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
> news:OF3fGBJcHHA.4836@xxxxxxxxxxxxxxxxxxxxxxx
> "Billingsley" <billingsley@xxxxxxxxxxxxxxxx> wrote in message
> news:uEgxOUIcHHA.4176@xxxxxxxxxxxxxxxxxxxxxxx
> > I definitely have port 53 open outbound but should I really be allowing 53
> > inbound?
>
> Yes, but be clear that I mean the MIRROR where 53 is the SOURCE
> port inbound. You cannot send a request out and receive the reply
> unless you allow that.
>
> UDP and TCP.
>
> > Since my DNS servers are for internal use only it seems like this would
> > be some sort of security risk. Do you think I should enable port 53
> > inbound only for 4.2.2.2 and 4.2.2.1?
>
> It is certainly more secure to do so ONLY for the actual external DNS
> servers.
>
> > Also, you said that I shouldn't be using those for my forwarders...
> > should I use a couple of DNS servers provided from my ISP?
>
> Yes, or a DNS server on your firewall/gateway which can then recurse
> or (also) forward to the ISP -- this eliminates opening anything to your
> internal server.
>
> > I have used my ISP's DNS servers in the past but they seem to go down (or
> > change) sporadically.
>
> Then you should NOT use them -- and you should change ISP if you
> have an affordable alternative. (really)
>
> > People really freak out when the internet "doesn't work." Thanks a lot
> > for helping me through this!
>
> Sure
>
> --
> Herb Martin, MCSE, MVP
> http://www.LearnQuick.Com
> (phone on web site)
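Added example (not from this thread, and not dcdiag's own code): it builds the same PTR probe for 1.0.0.127.in-addr.arpa that the dcdiag output above shows being sent to each forwarder, and classifies the reply the way a forwarder check needs to: silence (often the missing inbound mirror rule for source port 53), SERVFAIL or REFUSED rule a server out, while NOERROR or NXDOMAIN show a resolver that actually answers. Which RCODEs dcdiag itself accepts is my assumption; the sample replies are constructed, not captured.

```python
import socket
import struct

# The name dcdiag queries against each forwarder, as in the output quoted above.
PROBE_NAME = "1.0.0.127.in-addr.arpa"
QTYPE_PTR, QCLASS_IN = 12, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ptr_query(txid, name=PROBE_NAME):
    """Header: id, flags with RD set, QDCOUNT=1; then one PTR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)

def classify_response(txid, data):
    """Return (valid, reason) for a raw reply; data=None means no reply arrived.
    Assumed rule: matching response with NOERROR/NXDOMAIN = usable forwarder."""
    if data is None:
        return False, "no reply: check UDP/TCP 53 out and the mirror rule in"
    if len(data) < 12:
        return False, "truncated reply"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    return rcode in ("NOERROR", "NXDOMAIN"), rcode

def probe_forwarder(server, timeout=2.0, txid=0x1234):
    """Send the probe over UDP to server:53 and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ptr_query(txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            data = None
    return classify_response(txid, data)

# Constructed sample replies (not captured traffic): id 0x1234, QR+RD+RA set, RCODE
# NXDOMAIN (0x8183) from a working resolver, REFUSED (0x8185) from one that will
# not recurse for us; both echo only the question section.
QUESTION = encode_name(PROBE_NAME) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION
```

Run probe_forwarder("<forwarder-ip>") from the internal DNS server to reproduce the dcdiag check against each configured forwarder.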