Late to the party again, as usual. Miles, I see that you've found the problem and, unfortunately, you are not going to get a bug-finder fee - at least not from MS and not for DNS :) Roger, you don't "definitely" need ACL as far as PIX is concerned. Actually, you don't need it at all. Even though it's UDP traffic, PIX knows how to route the response back to the source. Just thought I should point that out.
Sincerely,
Dèjì Akómoláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Roger Seielstad
Sent: Sun 11/2/2003 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
Um, you *definitely* need to have static NAT and the correct ACL's for your
DNS servers. By default, DNS uses UDP connections, which are stateless - so
there is no session state to track, and the replies will be rejected.
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
Thanks, I have really found all the suggestions given helpful. Even
when they have rehashed things I tried before they have encouraged me to try
them again. My main frustration with all of this is that with what appears to
be an identical configuration, Win2K gives me results and Win2K3 does not and
it just makes no sense to me.
The server that I am testing with is one of my production internal
DNS servers. It is also a DC. It is a Netserver LH3000 with a single Intel
10/100 nic. Below is the ipconfig /all.
Windows IP Configuration
Host Name . . . . . . . . . . . . : atldc1
Primary Dns Suffix . . . . . . . : summitmg.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : summitmg.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter
Physical Address. . . . . . . . . : 00-30-6E-00-B3-71
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.100.1.220
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.100.1.230
DNS Servers . . . . . . . . . . . : 10.100.1.206
10.100.1.220
Primary WINS Server . . . . . . . : 10.100.1.206
Secondary WINS Server . . . . . . : 10.100.1.207
It is behind a PIX firewall, running 6.33. I have added a static acl
for TCP and UDP DNS traffic (port 53) from 208.51.103.75 to the internal ip
of 10.100.1.220. Note that it should not NEED this acl as the PIX should nat
the outbound request and replies just fine. For the two dns servers I
configured for testing this morning, there were no ACL's added. In the case
of the Windows 2000 DNS all mx requests work, and for the Windows 2003 DNS
only some work. I have found requests for cnn.com and bestbuy.com to work,
but requests for aol.com and earthlink.net to fail on the Windows 2003 DNS.
Attached are the results for dns logging on the above server with
requests for aol.com and earthlink.net. I can't really make out the log
results. If anyone would like to see screen captures of the config pages for
this server I will be happy to forward them to you.
-----------------------
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
-----------------------
"Show me a completely smooth operation and I'll show you someone
who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse:
Dune"
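Added here as an illustration of the test Miles describes (MX queries for the four domains against the internal server, over UDP, with TCP/53 as the fallback path); this is not code from anyone in the thread. SERVER, the fixed transaction id and the SAMPLE_REPLY bytes are assumptions/constructed, and the decode step is exercised offline on that constructed reply.

```python
import socket
import struct
from typing import Optional

SERVER = "10.100.1.220"   # assumption: the internal DNS server under test
DOMAINS = ["cnn.com", "bestbuy.com", "aol.com", "earthlink.net"]

def build_mx_query(name: str, txid: int) -> bytes:
    # 12-byte header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 15, 1)   # QTYPE=MX (15), QCLASS=IN (1)

def parse_reply(data: bytes, expected_id: int) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id_matches": txid == expected_id,  # the ID is what ties a UDP reply to its request
        "truncated": bool(flags & 0x0200),  # TC bit: resolver must retry over TCP/53
        "rcode": flags & 0x000F,            # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
        "answers": an,
        "size": len(data),                  # classic UDP replies are limited to 512 bytes
    }

def query_mx(server: str, name: str, timeout: float = 3.0) -> Optional[dict]:
    txid = 0x1234   # fixed for the demo; a real resolver randomises this
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_mx_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None    # nothing came back: dropped in transit or never answered
    return parse_reply(data, txid)

# Constructed sample reply (not a capture): id 0x1234, flags QR|RD|RA, one MX answer
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03aol\x03com\x00\x00\x0f\x00\x01"            # question section echoed back
    + b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x0e\x10"       # name ptr, type MX, class IN, TTL 3600
    + b"\x00\x09\x00\x0f\x04mail\xc0\x0c"               # RDLENGTH 9: pref 15, exchange mail.aol.com
)

if __name__ == "__main__":
    for d in DOMAINS:
        r = query_mx(SERVER, d)
        print(d, "no reply (timeout)" if r is None else r)
```

A timeout for aol.com alongside a normal reply for cnn.com from the same server points at that particular exchange (or a truncated/oversized reply) rather than at the UDP return path as a whole.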
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
Miles, while it is very possible that you have discovered a bug, I'd
like to say it does not appear to be a universal bug at this time :)
Let's see a config of the DNS server in question. Ipconfig /all
output with brief notes on what IP belongs to what server. Also, let's see
some config info from DNS itself. Listening on what NIC, going through what
type of Router/Firewall. Also, turn on Debug logging in DNS, leave it at the
default, and then run some more tests and look at the log file for any
interesting entries. With this information, we "may" be able to work this out
here.
Sincerely,
Dèjì Akómoláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
