Re: Windows 2003 DNS: Recursive query fails when looking its own d




Lito Kusnadi <LitoKusnadi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Thank you for everyone's reply. It has been mind-nourishing.
>
> It is true that the "dcserver1.domain.com.au.com.au" is the reason of
> the time out. If I do nslookup dcserver1.domain.com.au. (with the dot
> after the "au"), it gives me the answer without forwarding the query.
> Thank you for the nslookup -d2 clue. It's very helpful.
> As mentioned, in the DNS tab, I tried to uncheck the appending parent
> DNS suffix, but still, it does not want to stop appending the .com.au
> bit.
>
> I'm thinking:
> Does the query dcserver1.domain.com.au.com.au require an answer from
> an authoritative DNS server? No matter whether it's a positive
> answer (i.e. "yes, the domain exists") or a negative answer (i.e.
> "no, the domain does not exist").
>
> I believe this is what I don't have at the moment. The DNS for the AD
> is totally separated and isolated from the Internet. It does not
> forward to the ISP DNS for any unresolved query.
>
> Adding the "." zone would make the DNS authoritative, which I believe
> stops the forwarding. Is this statement correct?

Yes, it does stop the forwarding, but it also stops DNS from being able to
resolve internet names, unless the root zone is delegated with all TLDs. You
can install a delegated root zone, but I think this puts you right back in
the same position. Your DNS server will still have to contact the com.au
servers to verify that domain.com.au.com.au does not exist.

Clearing the check box noted does stop the DNS client from appending parent
suffixes; nslookup, being its own animal, appears to ignore this setting, or at
least it does on my system.
However, if you assign a custom DNS suffix, nslookup will use it instead.
Use "Append these suffixes (in order)" then enter "domain.com.au" (without
the quotes) only.
You can assign either of these in a GPO to XP and 2k3 machines here:
Computer Configuration
-Administrative templates
-Network
-DNS client

Keep in mind, in an Active Directory environment, internet resolution is not
necessary, internal resolution is REQUIRED. No member of an AD domain should
ever have a DNS server in its list of DNS servers, in any position, on any
interface, that cannot resolve the AD domain. This means that if you need
internet resolution, you must get that resolution from a DNS server that
resolves the AD domain. So you cannot use your ISP's DNS, especially if the
internal DNS has the un-delegated root zone. If the internal DNS has an
un-delegated root zone, it cannot resolve internet names and will time out;
this will move the ISP's DNS to the preferred DNS server and will leave it
there until TCP/IP is reset.





--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
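The suffix-appending behaviour discussed in this thread, modelled as an added example (not code from the thread or from Windows): it assumes the nslookup behaviour described above, where a name without a trailing dot gets every search-list suffix appended before being tried as typed, and it assumes parent-suffix devolution strips leading labels from the primary suffix down to a two-label minimum. It reports which candidate names an internal server authoritative only for domain.com.au would have to forward, and shows how a trailing dot, an explicit suffix list, or a "." zone changes that.

```python
from __future__ import annotations


def devolved_suffixes(primary_suffix: str, min_labels: int = 2) -> list[str]:
    """Primary suffix plus its parents: domain.com.au -> [domain.com.au, com.au].

    The two-label stopping point is an assumption made for this example.
    """
    labels = primary_suffix.strip(".").split(".")
    suffixes: list[str] = []
    while len(labels) >= min_labels:
        suffixes.append(".".join(labels))
        labels = labels[1:]
    return suffixes


def candidate_names(query: str, suffixes: list[str]) -> list[str]:
    """FQDNs an nslookup-style resolver tries, in order (assumed behaviour).

    A trailing dot marks the name as fully qualified, so nothing is appended.
    Otherwise each suffix is appended first and the name as typed comes last.
    """
    if query.endswith("."):
        return [query]
    return [f"{query}.{s}." for s in suffixes] + [query + "."]


def forwarded(candidates: list[str], authoritative_zones: list[str]) -> list[str]:
    """Candidates outside every zone the internal server holds.

    Those are the ones it must forward (or time out on, if it has no
    forwarder). A "." zone makes the server authoritative for everything,
    so nothing is forwarded, internet names included.
    """
    def in_zone(name: str) -> bool:
        for zone in authoritative_zones:
            if zone == "." or name == zone or name.endswith("." + zone):
                return True
        return False

    return [c for c in candidates if not in_zone(c)]


if __name__ == "__main__":
    zones = ["domain.com.au."]                  # constructed internal AD zone
    devolved = devolved_suffixes("domain.com.au")
    for q in ("dcserver1.domain.com.au", "dcserver1.domain.com.au."):
        names = candidate_names(q, devolved)
        print(q, "->", names, "forwarded:", forwarded(names, zones))
    # Explicit suffix list, as recommended above: no parent suffix, nothing leaks.
    print(forwarded(candidate_names("dcserver1.domain.com.au", ["domain.com.au"]), zones))
```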