RE: [ActiveDir] DNS Lookup Problem - Windows 2003

[ml.adlist]

Title: Message

In my case, yes. Disabling the DNS Fixup on my PIX made the issue disappear as soon as I entered the command. The PIX fixup was mangling the responses back to the dns servers (much like SMTP fixup does when in front of an Exchange server). Later yesterday I removed the acl and static nat entries to those DNS servers. Everything is running smooth as silk now (and I don't have any of my DC's exposed to the internet now either).   Michael, the exchange issue you had during the beta is exactly what I experienced in production. Was your DNS behind a PIX with the DNS Fixup command running? If so, maybe it is not a bug with the Windows DNS, but just a stupid PIX trick.   At this point I don't really care where the "bug" really lies, I have it working the way I want it too now, and I'm not having to bang my head against a wall anymore.   ----------------------- Miles Holt, MCP Network Engineer Summit Marketing [EMAIL PROTECTED] 770-303-0426 ----------------------- "Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"    From: Robert Gonzaga (306) [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 10:14 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003 So are we saying it works as long you don't use the fixup command for DNS?  Do you still need to NAT and the conduits (in my case of older PIX ver.)?   -----Original Message----- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 6:23 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003   And that's what's confusing.  W2K DNS is told to use TCP for large packets, and you can force that as I recall. So in your case, the firewall was the issue, right?  Slight change in the way that the DNS packets were travelling across?     Al     -----Original Message----- From: Michael B. Smith [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 11:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003 Eh... I ran across something like that during the w2k3 beta process. Something about w2k didn't support long/extended DNS responses across TCP and w2k3 does. There was also something fishy about w2k3 not properly following referrals in deeply embedded zones.   I changed over to having my w2k3 servers forward to my Unix authoritative servers instead of following root hints and forgot about it.   From: ml.adlist [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 11:34 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003 Thanks for the tip. I have added the static entries to my servers. I have to admit, that in my actual operation I have not found that to be the case with the PIX. I did find the final cause of my problems from your tip. The new 6.33 code added a DNS fixup command that had no qualms at all about eating the responses being sent to my Windows 2003 dns servers I don't know why it did not eat them going to the Win2K dns. Once I disabled dns fixup, the problem ended on my test servers, and I just changed the production servers as well. They now receive long mx responses without issues.   ----------------------- Miles Holt, MCP Network Engineer Summit Marketing [EMAIL PROTECTED] 770-303-0426 ----------------------- "Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"      From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 3:24 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003 Um, you *definitely* need to have static NAT and the correct ACL's for you DNS servers. By default, DNS uses UDP connects, which are stateless - so there is no session state to track, and the replies will be rejected.     -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -----Original Message----- From: ml.adlist [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 3:35 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003 Thanks, I have really found all the suggestions given helpful. Even when they have rehashed things I  tried before they have encouraged me to try them again. My main frustration with all of this is that with what appears to be an identical configuration, Win2K gives me results and Win2K3 does not and it just makes no sense to me.   The server that I am testing with is one of my production internal DNS servers. It is also a DC. It is a Netserver LH3000 with a single Intel 10/100 nic. Below is the ipconfig /all. Windows IP Configuration      Host Name . . . . . . . . . . . . : atldc1    Primary Dns Suffix  . . . . . . . : summitmg.com    Node Type . . . . . . . . . . . . : Hybrid    IP Routing Enabled. . . . . . . . : No    WINS Proxy Enabled. . . . . . . . : No    DNS Suffix Search List. . . . . . : summitmg.com   Ethernet adapter Local Area Connection:      Connection-specific DNS Suffix  . :    Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter    Physical Address. . . . . . . . . : 00-30-6E-00-B3-71    DHCP Enabled. . . . . . . . . . . : No    IP Address. . . . . . . . . . . . : 10.100.1.220    Subnet Mask . . . . . . . . . . . : 255.255.0.0    Default Gateway . . . . . . . . . : 10.100.1.230    DNS Servers . . . . . . . . . . . : 10.100.1.206                                        10.100.1.220    Primary WINS Server . . . . . . . : 10.100.1.206    Secondary WINS Server . . . . . . : 10.100.1.207   It is behind a PIX firewall, running 6.33. I have added a static acl for TCP and UDP DNS traffic (port 53) from 208.51.103.75 to the internal ip of 10.100.1.220. Note that it should not NEED this acl as the PIX should nat the outbound request and replies just fine. For the two dns servers I configured for testing this morning, there were no ACL's added. In the case of the Windows 2000 DNS all mx requests work, and for the Windows 2003 DNS only some work. I have found requests for cnn.com and bestbuy.com to work, but requests for aol.com and earthlink.net to fail on the Windows 2003 DNS.   Attached is the results for dns logging on the above server with requests for aol.com and earthlink.net. I can't really make out the log results. If anyone would like to see screen captures of the config pages for this server I will be happy to forward them to you. ----------------------- Miles Holt, MCP Network Engineer Summit Marketing [EMAIL PROTECTED] 770-303-0426 ----------------------- "Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 1:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003 Miles, while it is very possible that you have discovered a bug, I'd like to say it does not appear to be a universal bug at this time :)   Let's see a config of the DNS server in question. Ipconfig /all output with brief notes on what IP belongs to what server. Also, let's see some config info from DNS itself. Listening on what NIC, going through what type of Router/Firewall. Also, turn on Debug logging in DNS, leave it at the default, and then run some more tests and look at the log file for any interesting entries. With this information, we "may" be able to work this out here.     Sincerely, D�j� Ak�m�l�f�, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon