To be clear, I was using only one DNS for additional testing to avoid messing up my 
production mail flow. We have multiple internal and public DNS servers
in use assigned to clients and servers. 

The Windows 2003 servers were configured to resolve by themselves. They were NOT doing 
this 100% of the time and I cannot find a reason why as of yet. This
is why I have had to set them to forward. 

Specifically with aol.com, but with many other sites from my previous postmaster 
bounce traffic, they are not resolving all records requested, while a
Windows 2000 DNS server is. The only system that really shows this less than 100% 
response is email or any nslookup for just mx records. As a result I am
having to forward to a Windows 2000 DNS to ensure mail flow (so that the mail servers 
get valid mx lookups). I do NOT want to do this. I want my Windows
2003 DNS servers to stand alone and resolve records. I have upgraded one of my 
secondary public DNS servers (clean install) to Windows 2003 now, and it
results in the same less than 100% lookups if I use it as a forwarder instead of my 
Windows 2000 server. I am pretty darn sure I have run into a bug at this
point, so I am hoping that someone else has seen the same thing happen to confirm.

The Windows 2003 DNS servers are on the same IPs as the former Windows 2000 DNS 
servers were and the firewall is configured to pass the lookup traffic. The
problem is only occurring with my Windows 2003 DNS.

Before sending this, I have just performed the following retest. One of my utility 
file servers is running Windows 2000 on it, so I installed the DNS
service and made it a secondary DNS to my AD-integrated DNS servers for my internal 
zones. I then did nslookups to it for the mx records of aol.com and I
got a reply on the second attempt as it needed to load the records into cache. I 
did the same to a server that I just finished prepping for our Exchange
2003 migration running Windows 2003 set not to use forwarders. It will not respond 
with mx records for aol.com no matter how many times you request them.
Once I set it to use forwarders it was fine.

This has got to be a bug in the Windows 2003 DNS or I am somehow missing a config 
setting that should be obvious.

-----------------------
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
-----------------------
"Show me a completely smooth operation and I'll show you someone who's covering 
mistakes. Real boats rock." - Frank Herbert, "Chapterhouse:
Dune"  

-----Original Message-----
From: Ionescu, Julian [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2003 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

If your internal machines are configured to use only one internal DNS, then if that 
one is not available, you will NOT get any name resolution, the service
will simply not be there, regardless of any settings further down the pipe.
To prevent that from happening, you could add as a secondary DNS the external server 
that you have. If the primary is not available, the client requests
will go to the next DNS in line, and so on.

Internal DNS servers, just like all others, when receiving a request will first check 
the zones that they host. If they have the zone, they reply with the
info. If they don't have the zone, here's what happens:
- If they have cached the info previously, they will return the cached info;
- If they are configured to forward to other DNS server(s), they will first forward 
the query to the designated forwarder(s), in the order listed. If it
does not get an answer, and if recursion is enabled, it will then try to resolve by 
itself; If you don't want them to do that, either disable recursion on
the forwarders config tab, or make the server a slave DNS server.
- If they do not have forwarders, they will attempt to resolve themselves;

From your description, it looks like the internal DNS cannot send
queries out to the world (firewall settings, perhaps), and without a forwarder, it 
will time out. Either allow the internal DNS to go through the firewall,
or use forwarders (the external DNS server).

As far as your mail server is concerned, make sure that it can see properly whichever 
DNS it has configured (use nslookup from the mail server).  Then check
or update the mail program configuration to look at that same DNS server, by name, IP 
or both.

Hope this helps... :-)
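The lookup order Julian describes above, as an added Python model that is not part of the thread; the server, its hosted zone, the upstream answers and the hit-or-miss recursion are constructed assumptions that reproduce the symptom Miles reports (aol.com MX only answers via a forwarder), not its cause.

```python
# Added example (not from the thread): a model of the lookup order described above for
# a Windows DNS server: hosted zones, cache, forwarders in listed order, then its own
# recursion only if recursion is enabled and it is not a forward-only "slave".
# Every name, record and upstream behaviour below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[str, str]                            # (qname, qtype)
Upstream = Callable[[Key], Optional[List[str]]]  # None models "DNS request timed out"

@dataclass
class DnsServer:
    zones: Dict[Key, List[str]] = field(default_factory=dict)  # records this server hosts
    cache: Dict[Key, List[str]] = field(default_factory=dict)
    forwarders: List[Upstream] = field(default_factory=list)   # tried in listed order
    recursion_enabled: bool = True
    slave: bool = False                  # forward-only: never walks the tree itself
    recurse: Optional[Upstream] = None   # the server's own recursion from the root hints

    def resolve(self, qname: str, qtype: str) -> Tuple[str, Optional[List[str]]]:
        key = (qname.lower(), qtype.upper())
        if key in self.zones:                        # 1. zones this server hosts
            return "authoritative", self.zones[key]
        if key in self.cache:                        # 2. previously cached answer
            return "cache", self.cache[key]
        for i, fwd in enumerate(self.forwarders):    # 3. forwarders, in order
            ans = fwd(key)
            if ans is not None:
                self.cache[key] = ans
                return f"forwarder[{i}]", ans
        if self.recursion_enabled and not self.slave and self.recurse:  # 4. own recursion
            ans = self.recurse(key)
            if ans is not None:
                self.cache[key] = ans
                return "recursion", ans
        return "timeout", None                       # "DNS request timed out."

# Constructed upstreams reproducing the symptom in the thread (its cause is not modelled).
_PUBLIC_MX = {("aol.com", "MX"): ["mailin-01.mx.aol.com", "mailin-02.mx.aol.com"],
              ("bestbuy.com", "MX"): ["tag5.bestbuy.com", "tag6.bestbuy.com"]}

def win2000_forwarder(key: Key) -> Optional[List[str]]:
    return _PUBLIC_MX.get(key)

def hit_or_miss_recursion(key: Key) -> Optional[List[str]]:
    return None if key[0] == "aol.com" else _PUBLIC_MX.get(key)  # aol.com never answers

def internal_server(use_forwarder: bool) -> DnsServer:
    srv = DnsServer(zones={("dc1.corp.example", "A"): ["10.0.0.1"]}, recurse=hit_or_miss_recursion)
    srv.forwarders = [win2000_forwarder] if use_forwarder else []
    return srv
```

Disabling recursion or marking the server a slave makes it time out on every name it does not host or cannot forward, which is the trade-off Julian's message points at.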


-----Original Message-----
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 1:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003


I may be using the wrong terminology to explain what I am trying to do.
What I need it to do is for any domain request that the server receives
that it is not hosting, walk the tree through the root zones on to the
correct DNS server and find the answer. The Windows 2000 DNS is doing
this for everything. The Windows 2003 DNS is not, which is what stumps
me. We use PIX firewalls, no proxies. If the internal DNS is shut down,
you can't get anything at all.

I just tried it again and got a very odd result. I set up my workstation
to only use one of my DNS servers. I then set that DNS server to not
forward to my external servers, restarted the dns service and cleared
its cache. Then I did an nslookup against it to bestbuy.com. I got
replies for www.bestbuy.com, and using 'set type=mx' for bestbuy.com got
the mx records. Without changing any settings I did the same to aol.com
and it timed out with no reply (like most of the domains). I then did
the same with the server set to forward to my external DNS and got an
instant reply. Below is the output.

Default Server:  atldc2.summitmg.com
Address:  10.100.x.x

> www.bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
Name:    a1103.gc.akamai.net
Addresses:  208.254.0.17, 208.254.0.32
Aliases:  www.bestbuy.com, www.bestbuy.com.edgesuite.net

> set type=mx
> bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

bestbuy.com     MX preference = 5, mail exchanger = tag5.bestbuy.com
bestbuy.com     MX preference = 5, mail exchanger = tag6.bestbuy.com
tag5.bestbuy.com        internet address = 205.215.216.98
tag6.bestbuy.com        internet address = 198.22.123.162
> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

DNS request timed out.
    timeout was 2 seconds.
*** Request to atldc2.summitmg.com timed-out

Below is after I set it to forward to my other server.

> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
aol.com MX preference = 15, mail exchanger = mailin-04.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-01.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-02.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-03.mx.aol.com

mailin-04.mx.aol.com    internet address = 64.12.136.153
mailin-04.mx.aol.com    internet address = 64.12.137.121
mailin-04.mx.aol.com    internet address = 64.12.137.152
mailin-04.mx.aol.com    internet address = 64.12.138.89
mailin-04.mx.aol.com    internet address = 64.12.138.152
mailin-04.mx.aol.com    internet address = 152.163.224.122
mailin-04.mx.aol.com    internet address = 205.188.156.154
mailin-01.mx.aol.com    internet address = 64.12.137.89
mailin-01.mx.aol.com    internet address = 64.12.137.184
mailin-01.mx.aol.com    internet address = 64.12.138.57
mailin-01.mx.aol.com    internet address = 64.12.138.152
mailin-01.mx.aol.com    internet address = 152.163.224.26
mailin-01.mx.aol.com    internet address = 205.188.156.122
mailin-01.mx.aol.com    internet address = 64.12.136.57
mailin-02.mx.aol.com    internet address = 64.12.138.120
mailin-02.mx.aol.com    internet address = 64.12.136.89
mailin-02.mx.aol.com    internet address = 64.12.136.121
mailin-02.mx.aol.com    internet address = 64.12.137.89
mailin-02.mx.aol.com    internet address = 64.12.137.184
mailin-02.mx.aol.com    internet address = 64.12.138.89
> www.aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
www.aol.com     canonical name = www.gwww.aol.com
>

I am REALLY confused now. It seems to be hit or miss, but misses the
largest sites and jams up email as a result.

Miles
  
-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Recursive lookups are doing what for you?  Are they handling the lookup
for you and returning the answer to the client for MX records or are
they referring your client?

My guess is that your web browsing works because of a proxy server or
firewall that has the ability to chase the records or is even just using
the external servers for name resolution (why ask an internal DNS server
for an external address right?) 

Is this the case? 

-----Original Message-----
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DNS Lookup Problem - Windows 2003

I am having an issue with a Windows 2003 AD integrated DNS server doing
recursive lookups to find MX records for my outbound mail.
 
Prior to our AD deployment, we were running split-brain DNS with
Windows 2000 DNS servers internally and externally. Post upgrade, our
internal DNS moved to Windows 2003 DNS. Afterwards DNS lookups for web
sites appeared to work fine as you could surf the web etc. But in the
case of our mail servers and nslookup, all MX record requests would
fail, thus blocking outbound email. Using Google, TechNet, and a nice
thick Windows 2003 book (William Boswell's), I have, to the best of my
ability, confirmed that the internal Windows 2003 DNS is set up to do
recursive lookups for domains other than the ones it hosts, and in the
case of web browsing it does in fact work, even after I clear the DNS
caches of my internal servers.
 
To get MX lookups to function, I have had to set the internal servers to
forward to one of my two public DNS servers running Windows 2000 DNS.
Once done the MX lookups function again just as before. I will need to
be upgrading our public servers to Windows 2003 in the very near future
and I am afraid that once I do, the MX lookups will fail again. 
 
Has anyone else run into this? If not, any suggestions on places to look
for more info, or settings to confirm, would be MOST appreciated. I'd
really like/need to have my internal servers doing all of the lookups on
their own.

Thanks for any assistance you can provide.

Miles 

-----------------------
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
-----------------------
"Show me a completely smooth operation and I'll show you someone who's
covering mistakes. Real boats rock." - Frank Herbert,
"Chapterhouse:Dune"  

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/