Split DNS is not the solution you need, from the sound of it. Split-brain DNS is for hosting the same zone internally and externally. I agree with Deji that it sounds like your firewall may be misconfigured. What gets logged there during the try? What do you see when you turn up nslookup logging?

The forwarder is what you want to have work, but it sounds like your clients have access to the external DNS on their own. That doesn't sound right.

How did you configure ISA to allow DNS requests to the external DNS host?
Al

From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 22, 2004 6:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS not intergrating into AD

Hey Deji,

Hope you are well. Thanks for the link, very interesting. Unfortunately, after I applied it I still can't get that forwarder to work :(

Thanks once again for your time and effort,
Carlos
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of deji Agba

Carlos, you did not mention your flavor of Windows. But I think what you described is a Win2K3 DNS behavior (EDNS-0), especially since you mentioned ISA. Try http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_pro_ModifyEDNS.asp

HTH

Sincerely,
Microsoft MVP - Active Directory

From: Carlos
Magalhaes

Ok boys and girls, I have a nice little question. I have a single domain, single forest setup. I have Active Directory integrated domains. I have forwarders to an external DNS server. And I have a reverse lookup zone created.

Now the problems. I first noted that I can easily do internal name resolution, not a problem at all. Then I tried external domain resolution, thinking that the DNS server would use its wonderful forwarder to resolve the address, but it failed. Here are the commands:

    nslookup
    Default Server:  internalDC.InternalDomain.net
    Address:  <Internal IP>

    > SomeInternalMachine
    Server:  internalDC.InternalDomain.net
    Address:  <Internal IP>

    Name:    SomeInternalMachine.InternalDomain.net
    Address:  <Internal IP>
    >

Nice... OK, now let's look at an external lookup:

    > google.com
    Server:  internalDC.InternalDomain.net
    Address:  <Internal IP>

    DNS request timed out.
        timeout was 2 seconds.
    *** Request to internalDC.InternalDomain.net
    >

Hmm, which led me to believe it might be my ISA server, then I did another test:

    > server ExternalDnsServer
    DNS request timed out.
        timeout was 2 seconds.
    Default Server:  [ExternalDnsServer]
    Address:  ExternalDnsServer

    > google.com
    Server:  [ExternalDnsServer]
    Address:  ExternalDnsServer

    Name:    google.com
    Addresses:  216.239.57.99, 216.239.39.99, 216.239.37.99

So I deduce that I can do DNS queries in and out of the network (plus I checked all the rules etc. on the ISA server).

Now checking the DNS, there is no "." (root) zone in my Forward Lookup Zones (there is one in my cache zone, and if I delete it, it comes back). Then I checked the famous RootDNSServers container in the Domain -> System -> MicrosoftDNS container: nothing there, there is only the reverse lookup zone data in that folder. Then I performed the task of net stop dns, net stop netlogon, copy cache.dns from the samples folder to the dns folder, net start netlogon, net start dns. Apparently this is supposed to recreate the RootDNSServers container in AD, but it doesn't (all these operations are being performed as Enterprise Admins).

I forced replication on all the servers; replication is working and replicating, but NO RootDNSServers object under the MicrosoftDNS container. Enabled auditing on the System container in AD for any success or failure and allowed it to be applied to its child objects, checked the child objects and the auditing was enabled. Tried the process above again: NOTHING in the event log, like DNS didn't even try to create the container (the DNS server is on the DC and is AD integrated).

So I thought, what the heck, let me create a secondary DNS server on the other DC to see what is going on. When I created it the Forward Lookup Zones did not replicate but the Reverse Lookup Zones did. I went to the primary DNS server and changed the DNS replication option from All DNS servers in the Active Directory forest to All DNS servers in the Active Directory domain (remembering that this is a ONE FOREST, ONE DOMAIN setup). Then I refreshed the secondary DNS server and voilà, the Forward Lookup Zones are there. Checked AD for the RootDNSServers container and it was there (but NO ROOT HINTS within the container as there are supposed to be). Then I thought, OK, let me be clever and try the netlogon and DNS stop/start and copy cache.dns file Q article again, which got everything wrong: RootDNSServers disappeared again, and ever since I have followed everything I have done here and have not been able to get it back.

That's the first problem. Then I have:

    FW | DC (DNS)

I am trying to get all clients to pass all forward requests to a DNS server address outside of the firewall. As you saw in the example above, if I specify that address with the SERVER <EXTERNALDNSSERVERADDY> command in nslookup it works, but it doesn't work with the domain controller passing the packets to that address EVEN THOUGH that address is set up as a FORWARDER.

The only replication error I had is when the time server went wacky: it put the one DC in 2003 and the other DC in 2004, then the replication failed and I had tombstone errors on replication. I applied the reg hack for the workaround (set the Strict Replication Consistency REG_DWORD value to 0 on the DCs getting the 'tombstone' error), then replicated and removed the registry setting.

I have almost lost hope and am thinking of creating a split-brain DNS (I am not sure the advantages are really that great for this network, but I am sure you will convince me they are :P). As I stressed, internal reverse lookups are working 100%. Replication has not reported any problems either. Any help?

Carlos
Magalhaes

DISCLAIMER: The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorized to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal, professional or other privilege (or other rules or laws with similar effect in jurisdictions outside the The views expressed in this email may not necessarily be compatible with your views and no representation is made to their usefulness to your well-being. However, by continuing to read this E-Mail, you are willingly acknowledging that your well-being is not our responsibility, and that you are the intended recipient (didn't we cover this already? :)).
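The thread has two competing explanations for the forwarder failure: Deji's (the Win2K3 DNS server sends EDNS0-formatted queries to its forwarder and ISA drops them) and Al's (the ISA rule is wrong, and separately, clients should not be able to reach the external DNS server at all). The nslookup runs in the post cannot separate those, because nslookup never sends an EDNS0 query. The PowerShell below is an added example, not code from the thread or from any of its posters: it hand-builds a DNS A query with and without the EDNS0 OPT pseudo-RR and fires each at the DC and at the forwarder, so the four results tell you which path and which packet format the firewall actually passes. The host name internalDC.InternalDomain.net and the query name google.com are the placeholders from Carlos's post; the forwarder address 203.0.113.53 (a TEST-NET-3 placeholder) and the use of the DnsServer module cmdlets, which only exist on Windows Server 2012 and later, are assumptions.

```powershell
# Added diagnostic (not from the thread). Run in PowerShell on the DC that hosts
# DNS, then run it again from a workstation to see what clients can reach directly.
# Placeholder names from Carlos's post; the forwarder IP is an assumed TEST-NET-3
# address, replace it with the real ExternalDnsServer address.
$dc        = 'internalDC.InternalDomain.net'
$forwarder = '203.0.113.53'
$name      = 'google.com'

# Build a minimal DNS A query (RD set) by hand so we control whether an EDNS0
# OPT pseudo-RR is attached; nslookup and Resolve-DnsName do not let you toggle that.
function New-DnsQuery {
    param([string]$Name, [switch]$Edns0)
    $id      = Get-Random -Minimum 1 -Maximum 65535
    $arcount = if ($Edns0) { 1 } else { 0 }
    [byte[]]$pkt = @(
        ($id -shr 8), ($id -band 0xFF),     # transaction ID
        0x01, 0x00,                         # flags: recursion desired
        0x00, 0x01,                         # QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00,             # ANCOUNT = 0, NSCOUNT = 0
        0x00, $arcount                      # ARCOUNT = 1 when the OPT RR follows
    )
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $pkt += [byte]$bytes.Length
        $pkt += $bytes
    }
    $pkt += 0x00, 0x00, 0x01, 0x00, 0x01    # root label, QTYPE = A, QCLASS = IN
    if ($Edns0) {
        # OPT RR (RFC 6891): name ".", TYPE 41, CLASS = UDP payload size 4096,
        # TTL = extended rcode / version / flags all zero, RDLENGTH = 0
        $pkt += 0x00, 0x00, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    }
    return ,$pkt
}

# Send one query over UDP/53 and summarise the reply, or the timeout.
function Test-DnsPath {
    param([string]$Server, [string]$Name, [switch]$Edns0, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs   # nslookup's default is also 2 s
    try {
        $q = New-DnsQuery -Name $Name -Edns0:$Edns0
        [void]$udp.Send($q, $q.Length, $Server, 53)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $r = $udp.Receive([ref]$from)
        $rcode   = $r[3] -band 0x0F                 # low nibble of the second flags byte
        $ancount = ($r[6] -shl 8) -bor $r[7]        # ANCOUNT
        return "reply: rcode=$rcode answers=$ancount ($($r.Length) bytes)"
    } catch {
        return "NO REPLY within $TimeoutMs ms ($($_.Exception.Message))"
    } finally {
        $udp.Close()
    }
}

# What the server is actually configured to forward to (DnsServer module, 2012+).
# On Windows Server 2003 the equivalent is: dnscmd /Info /Forwarders
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout | Format-Table -AutoSize
}

# The matrix: plain vs EDNS0, through the DC vs straight at the forwarder.
foreach ($target in @($dc, $forwarder)) {
    foreach ($edns in @($false, $true)) {
        $mode = if ($edns) { 'EDNS0' } else { 'plain' }
        '{0,-32} {1,-6} {2}' -f $target, $mode, (Test-DnsPath -Server $target -Name $name -Edns0:$edns)
    }
}

# Reading the matrix when run on the DC:
#  - forwarder/plain replies but forwarder/EDNS0 does not: the firewall drops the
#    EDNS0 queries a Win2K3 server sends its forwarder (Deji's hypothesis). Turn the
#    probes off and retest:   dnscmd /Config /EnableEDNSProbes 0      (Server 2003)
#    or, where the DnsServer module exists:  Set-DnsServerEDns -EnableProbes $false
#  - forwarder/plain also gets no reply: the DC has no path to port 53 at all, so
#    fix the ISA rule before touching the DNS server.
# When run from a workstation: a reply from $forwarder means clients can bypass the
# DC's DNS entirely, which is what Al flags. Outbound 53 should be permitted only
# from the DNS servers; otherwise the DC's resolver logging sees none of that traffic.
```

The DC-versus-forwarder rows reproduce Carlos's nslookup test; the plain-versus-EDNS0 columns add the one variable the thread argues about. If the EDNS0 row fails only toward the forwarder, the DNS server itself is fine and the fix is on the firewall or in the EDNS probe setting, not in split-brain DNS.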
- RE: [ActiveDir] DNS not intergrating into AD deji Agba
- RE: [ActiveDir] DNS not intergrating into AD Carlos Magalhaes
- RE: [ActiveDir] DNS not intergrating into AD Mulnick, Al
- RE: [ActiveDir] DNS not intergrating into AD Carlos Magalhaes
- RE: [ActiveDir] DNS not intergrating into AD Carlos Magalhaes
- RE: [ActiveDir] DNS not intergrating into AD Mulnick, Al
