Re: DNS Problem
- From: "SPG" <nomail@xxxxxxxxxx>
- Date: Thu, 21 Feb 2008 17:20:29 -0500
OK Ace, here it is: I installed the AV without any problems. It is running
just great. I created the delegate for www in our zone. It asked for DNS
servers & their IPs and I gave it to them. Now the weird part: without
doing anything to IIS. That same day 2 machines could access our website
and go anywhere and back, but any other workstation would either bring up
the default website (like "Under Construction") or just crash out and said
"see your admin". The next day it would be only 1 different machine that
would access the website and all of the others would get the above errors.
I then tried redirecting with the default website in IIS but still got the
same errors with all machines and not 1 machine could access the website.
Today I put the default website in IIS back to its original setup, deleted
the delegate, and did an "A" record in the zone with the www.domain.com and
its IP address. Everyone can fly anywhere on the net, including our
website. I did nothing else to IIS and I am going to leave it that way. By
the way, this all started when I installed a newer version of our AV. That
newer version is the one I put back in. We use Panda for our workstations
and our servers, and have for a number of years.
Thanks for all of the help
I am "outa" here,
Sam
"Ace Fekay [MVP]" <PleaseAskMe@xxxxxxxxxxxxxx> wrote in message
news:uDHFMksbIHA.5164@xxxxxxxxxxxxxxxxxxxxxxx
In news:erfddarbIHA.4344@xxxxxxxxxxxxxxxxxxxx,
SPG <nomail@xxxxxxxxxx> typed:
Have Windows 2003 Server R2, Exchange 2003 Server, DNS and a DC all
rolled into one Server. All workstations, WinXP SP2, have the
primary DNS pointing to the DC (this is necessary for MS Outlook to
access the Exchange Server). The secondary DNS points to our ISP's
DNS server (in case our DC goes down we can still get to the
internet). All workstations are registered in our DNS in both
Forward and Reverse zones. Our ISP's DNS servers are in our
Forwarders. We live on email and the internet.
Here is the problem:
We have a website hosted on the outside. It is the same name (i.e.,
abc.com) as our Lan domain name. When pinging our
domain name we get nothing. When using NSLOOKUP it points to our DC.
Thus, IE cannot go to our website. Is there
a way to solve our problem ?
Thanks,
Sam
First, I would like to address your DNS strategy. Numerous errors can be
caused by this configuration. The Microsoft best practice, and what all
engineers will tell you, the cardinal rule with AD is to never use a DNS
server IP address on any machine (DC, servers and workstations) that does
not host the AD zone name or have some sort of reference to it (stubs,
conditional forwarding, secondary zone, etc). Reason is AD requires
exclusive access to its zone name on the DNS server. This zone stores
large amounts of information for AD to function, as well as other
applications that are directory-enabled and exclusively rely on Active
directory to work. One example of such an app is Exchange. If there wasn't
a global catalog available, or a way to query where it is, Exchange will
fail. AD stores all of Exchange's configuration information. Matter of
fact when you use the Exchange System Manager, it is not communicating
with Exchange. It's actually communicating with active directory's
Configuration Container.
I do not believe your ISP's DNS knows how to query your internal zone name
if a client, Exchange or the DC itself were to query it asking where the
GC service is running.
Plus another reason why not is the client side resolver service, which is
the service on any machine - DC or workstation - that queries DNS and what
to do with the answer. It will query the first in the list, but if that
doesn't respond, it will remove it from the 'eligible resolver list' for
15 minutes and go on to the next. So say if the client happens to try to
authenticate to AD in order to access a printer, and it's stuck on the
ISP's, it will fail to connect.
Another best practice, besides making sure ALL machines only use the DC as
DNS, including itself, is to configure a forwarder to your ISP within the
DNS server properties (rt-click DNS servername, properties, Forwarding
tab). If not sure how, please read the following article. Besides, if the
DC goes down, so will email, domain functions, etc. This is a worst case
scenario and wouldn't matter to config your machines with the ISP's DNS.
If you need, you can configure your own workstation to the ISP's during
such a crisis in case you need outside communication to research the
problem.
323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003
(forwarding) :
http://support.microsoft.com/?id=323380
Here is some additional reading that explains in more detail what I
mentioned above, including additional information.
825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003
http://support.microsoft.com/?id=825036
Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain (whether it was upgraded or not, this is full of useful information
relating to AD and DNS, among other info):
http://support.microsoft.com/?id=555040
Domain Controller's Domain Name System Suffix Does Not Match Domain Name:
http://support.microsoft.com/?id=257623
Clients cannot dynamically register DNS records in a single-label forward
lookup zone:
http://support.microsoft.com/?id=826743
300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names
http://support.microsoft.com/?id=300684
As far as accessing your external domain in a same name in/out config, you
have two choices:
1. Create a www record under your zone, and provide the actual external IP
of the website.
2. Delegate www under the zone and provide two nameservers hosting the
external zone. Nslookup will help you find that or check with your
registrar for the registered nameservers for the zone.
In either choice, you will be limited to ONLY using http://www.domain.com.
Reason why is back to AD and its DNS reliance. The (same as parent) A
record is actually the LdapIpAddress (some refer to the blank domain name
of a zone) of all DCs in a domain. In your case with the one DC, it is the
IP of that DC. That is the record in a website scenario that is created to
access it by http://www.domain.com. In AD it is a necessary record for
GPOs and other domain functions to operate. So you are limited in this
area. However there is a workaround. You can install IIS. Under the
default website, configure a redirect to www.domain.com. All http calls to
the DC's IP will redirect to www, which you will have had a record or
delegation created to get to.
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations
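The two points in Ace's reply (the resolver rule that every DNS server a client uses must host or reference the AD zone, and the two ways of publishing www in a same-name-inside-and-outside zone) can be modelled in a few lines. This is an added example, not code from the thread; the zone names, IPs and the Zone class are constructed for illustration.

```python
# Added example: models an internal AD zone whose apex A record is the DC
# (the LdapIpAddress / "same as parent" record) and checks how a browser
# would land depending on whether www is a plain A record or a delegation.
# All names and addresses are constructed placeholders.
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    a: dict = field(default_factory=dict)   # label -> IPv4; "@" is the zone apex
    ns: dict = field(default_factory=dict)  # delegated label -> Zone hosted elsewhere

def resolve_a(zone: Zone, fqdn: str):
    """Return the A record for fqdn within zone, following a delegation if present."""
    fqdn = fqdn.rstrip(".").lower()
    if fqdn == zone.name:
        return zone.a.get("@")                       # apex: the DC's own IP
    if not fqdn.endswith("." + zone.name):
        return None                                  # not in this zone at all
    label = fqdn[: -len(zone.name) - 1].split(".")[-1]  # first label below the apex
    if label in zone.ns:                             # choice 2: delegation
        return resolve_a(zone.ns[label], fqdn)
    return zone.a.get(label)                         # choice 1: plain www A record

def audit_resolvers(client_servers, ad_zone_servers):
    """Return the client's resolver entries that do not host/reference the AD zone
    (e.g. an ISP DNS as secondary). An empty list means the client follows the rule."""
    return [ip for ip in client_servers if ip not in ad_zone_servers]

# Constructed sample: AD zone abc.com, DC at 192.0.2.10, external web host 203.0.113.5
DC_IP, WEB_IP, ISP_DNS = "192.0.2.10", "203.0.113.5", "198.51.100.53"
internal_choice1 = Zone("abc.com", a={"@": DC_IP, "www": WEB_IP})
external_www = Zone("www.abc.com", a={"@": WEB_IP})          # zone at the registrar's NS
internal_choice2 = Zone("abc.com", a={"@": DC_IP}, ns={"www": external_www})

def web_target(zone: Zone, host: str, dc_ips=(DC_IP,)):
    """'dc' if the browser would hit the DC (IIS default site), 'external' if the
    real web host, 'nxdomain' if the name does not resolve."""
    ip = resolve_a(zone, host)
    if ip is None:
        return "nxdomain"
    return "dc" if ip in dc_ips else "external"

if __name__ == "__main__":
    print("http://abc.com     ->", web_target(internal_choice1, "abc.com"))
    print("http://www.abc.com ->", web_target(internal_choice2, "www.abc.com"))
    print("offending resolvers:", audit_resolvers([DC_IP, ISP_DNS], {DC_IP}))
```

Under either choice the bare domain name still resolves to the DC, which is why only http://www.domain.com reaches the external site unless the DC's IIS default site redirects there.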