I'd still recommend it, however, as it eliminates the PIX from being a potential issue in the mix.
--------------------------------------------------------------
Roger D. Seielstad -
MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 7:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Late to the party again, as usual. Miles, I see that you've found the problem and, unfortunately, you are not going to get a bug-finder fee - at least not from MS and not for DNS :)

Roger, you don't "definitely" need ACL as far as PIX is concerned. Actually, you don't need it at all. Even though it's UDP traffic, PIX knows how to route the response back to the source. Just thought I should point that out.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of Roger Seielstad
Sent: Sun 11/2/2003 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Um, you *definitely* need to have static NAT and the correct ACLs for your DNS servers. By default, DNS uses UDP connections, which are stateless - so there is no session state to track, and the replies will be rejected.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Thanks, I have really found all the suggestions given helpful. Even when they have rehashed things I tried before, they have encouraged me to try them again. My main frustration with all of this is that with what appears to be an identical configuration, Win2K gives me results and Win2K3 does not, and it just makes no sense to me.

The server that I am testing with is one of my production internal DNS servers. It is also a DC. It is a NetServer LH3000 with a single Intel 10/100 NIC. Below is the ipconfig /all.
Windows IP Configuration

   Host Name . . . . . . . . . . . . : atldc1
   Primary Dns Suffix  . . . . . . . : summitmg.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : summitmg.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter
   Physical Address. . . . . . . . . : 00-30-6E-00-B3-71
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.100.1.220
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.100.1.230
   DNS Servers . . . . . . . . . . . : 10.100.1.206
                                       10.100.1.220
   Primary WINS Server . . . . . . . : 10.100.1.206
   Secondary WINS Server . . . . . . : 10.100.1.207

It is behind a PIX firewall, running 6.33. I have added a static ACL for TCP and UDP DNS traffic (port 53) from 208.51.103.75 to the internal IP of 10.100.1.220. Note that it should not NEED this ACL, as the PIX should NAT the outbound request and replies just fine. For the two DNS servers I configured for testing this morning, there were no ACLs added. In the case of the Windows 2000 DNS all MX requests work, and for the Windows 2003 DNS only some work. I have found requests for cnn.com and bestbuy.com to work, but requests for aol.com and earthlink.net to fail on the Windows 2003 DNS.

Attached are the results of DNS logging on the above server with requests for aol.com and earthlink.net. I can't really make out the log results. If anyone would like to see screen captures of the config pages for this server, I will be happy to forward them to you.

-----------------------
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
-----------------------
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Miles, while it is very possible that you have discovered a bug, I'd like to say it does not appear to be a universal bug at this time :)

Let's see a config of the DNS server in question: ipconfig /all output with brief notes on what IP belongs to what server. Also, let's see some config info from DNS itself: listening on what NIC, going through what type of router/firewall. Also, turn on Debug logging in DNS, leave it at the default, and then run some more tests and look at the log file for any interesting entries. With this information, we "may" be able to work this out here.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
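A worked example added here, not from anyone in this thread: a small parser for the kind of PACKET lines Windows DNS debug logging writes, which pairs each query the server forwards upstream with the reply it gets back (same remote address and transaction ID) and reports the lookups that never got one, the symptom Miles describes for aol.com and earthlink.net. The log lines, the client address 10.100.1.50 and the exact line layout are constructed assumptions; 208.51.103.75 is taken from the thread and assumed here to be the upstream forwarder.

```python
import re

# Constructed sample in the shape of a Windows DNS debug log (assumed layout, not
# the thread's real log). 10.100.1.50 is an assumed client; 208.51.103.75 is assumed
# to be the forwarder. cnn.com is answered; aol.com and earthlink.net never are.
SAMPLE_LOG = """\
10/31/2003 3:35:12 PM 0A28 PACKET  UDP Rcv 10.100.1.50   0008   Q [0001   D   NOERROR] MX  (3)cnn(3)com(0)
10/31/2003 3:35:12 PM 0A28 PACKET  UDP Snd 208.51.103.75 a3f2   Q [0000       NOERROR] MX  (3)cnn(3)com(0)
10/31/2003 3:35:12 PM 0A28 PACKET  UDP Rcv 208.51.103.75 a3f2 R Q [8081   DR  NOERROR] MX  (3)cnn(3)com(0)
10/31/2003 3:35:12 PM 0A28 PACKET  UDP Snd 10.100.1.50   0008 R Q [8081   DR  NOERROR] MX  (3)cnn(3)com(0)
10/31/2003 3:35:13 PM 0A28 PACKET  UDP Snd 208.51.103.75 a3f1   Q [0000       NOERROR] MX  (3)aol(3)com(0)
10/31/2003 3:35:14 PM 0A28 PACKET  UDP Snd 208.51.103.75 a3f3   Q [0000       NOERROR] MX  (9)earthlink(3)net(0)
10/31/2003 3:35:17 PM 0A28 PACKET  UDP Snd 10.100.1.50   0007 R Q [8182   DR  SERVFAIL] MX  (3)aol(3)com(0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M)\s+[0-9A-Fa-f]+\s+PACKET\s+(?:[0-9A-Fa-f]{8,16}\s+)?"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<qr>R Q|Q|R)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
)

def decode_name(label_form):
    """Turn the log's (3)aol(3)com(0) label notation into aol.com."""
    labels = [l for _, l in re.findall(r"\((\d+)\)([^()]*)", label_form) if l]
    return ".".join(labels) or "."

def parse_line(line):
    """Return a dict for one PACKET line, or None for lines of any other shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["name"])
    rec["is_response"] = rec["qr"].startswith("R")   # "R Q" or "R" marks a response
    rec["rcode"] = rec["flags"].split()[-1]           # last token in [...] is the rcode
    return rec

def summarize(log_text):
    """Pair outbound queries (Snd Q) with inbound replies (Rcv R) by remote IP and
    transaction ID; unpaired ones never got an answer. Also record client rcodes."""
    pending, client_rcodes = {}, {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["ip"], rec["xid"].lower())
        if rec["dir"] == "Snd" and not rec["is_response"]:
            pending[key] = (rec["name"], rec["qtype"], rec["ip"])
        elif rec["dir"] == "Rcv" and rec["is_response"]:
            pending.pop(key, None)
        elif rec["dir"] == "Snd" and rec["is_response"]:
            client_rcodes[rec["name"]] = rec["rcode"]
    return {"unanswered_upstream": list(pending.values()), "client_rcodes": client_rcodes}
```

Run `summarize()` over the real dns.log instead of SAMPLE_LOG; names that show up under unanswered_upstream point at the upstream path (here, the PIX) rather than at the client side.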
