Ok, here is the main test that seems to prove to me (I would like any suggestions out there on how to test the DNS and firewall otherwise) that DNS queries via the firewall are working:

 

If I launch NSLOOKUP, specify SERVER externalDnsServe.domain.com, then do a lookup on google.com, it resolves google.com; have a look at the results below.

 

But if I just do an nslookup, it resolves my internal DNS server; then when I try google.com, I get a DNS timeout, again check below.

 

If you know any other way to check please let me know :) Thanks for your time and effort once again.

 

Carlos Magalhaes - [EMAIL PROTECTED] (if you want to chat directly :) )

 

Nslookup>

Default Server:  internalDC.InternalDomain.net

Address:  <Internal IP>

> SomeInternalMachine

Server:  internalDC.InternalDomain.net

Address:  <Internal IP>

Name:    SomeInternalMachine.InternalDomain.net

Address:  <Internal IP>

>

Nice...

Ok now let's look at external lookup:

> google.com

Server:  internalDC.InternalDomain.net

Address:  <Internal IP>

DNS request timed out.

    timeout was 2 seconds.

*** Request to internalDC.InternalDomain.net

>

Hmm, which led me to believe it might be my ISA server, then I did another test:

> server ExternalDnsServer

DNS request timed out.

    timeout was 2 seconds.

Default Server:  [ExternalDnsServer]

Address:  ExternalDnsServer

> google.com

Server:  [ExternalDnsServer]

Address:  ExternalDnsServer

Name:    google.com

Addresses:  216.239.57.99, 216.239.39.99, 216.239.37.99

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 22, 2004 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS not integrating into AD

 

Split DNS is not the solution you need from the sound of it. Split-brain DNS is for hosting the same zone internally and externally. I agree with Deji that it sounds like your firewall may be misconfigured. What gets logged there during the try? What do you see when you turn up nslookup logging?

 

The forwarder is what you want to have work, but it sounds like your clients have access to the external DNS on their own.  That doesn't sound right. 

 

How did you configure ISA to allow DNS requests to the external DNS host? 

 

 

Al

 


From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Monday, March 22, 2004 6:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS not integrating into AD

Hey Deji,

 

Hope you are well, thanks for the link, very interesting. Unfortunately, after I applied it I still can't get that forwarder to work :(

 

Thanks once again for your time and effort

 

Carlos

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Monday, March 22, 2004 10:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS not integrating into AD

 

Carlos,

 

You did not mention your flavor of Windows. But I think what you described is a Win2K3 DNS behavior (EDNS-0), especially since you mentioned ISA. Try http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_pro_ModifyEDNS.asp

 

HTH

 

 

Sincerely,

Dèjì Akómoláfé,
MCSE MCSA MCP+I

Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
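The nslookup matrix in the thread (query the DC, then query the external server directly) can be repeated with and without the EDNS0 OPT record that Deji's reply points to, so a dropped EDNS0 query shows up as a timeout only on the DC-with-OPT path. This is an added example, not code from the thread or from Microsoft; the resolver addresses passed to probe() are assumed placeholders, and the 2 second timeout mirrors the one nslookup reported.

```python
import socket
import struct

def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte.
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"

def build_query(name, txid=0x1234, edns0=False):
    # Header: id, flags (RD set), QDCOUNT=1, ARCOUNT=1 only when an OPT RR follows.
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns0:  # OPT pseudo-RR: root name, TYPE=41, UDP size 1280, TTL=0, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 1280, 0, 0)
    return pkt

def skip_name(data, off):
    # Advance past a name; a compression pointer (top two bits set) ends it.
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data):
    # Return rcode, whether recursion was available (RA) and any A-record addresses.
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x80), "answers": addrs}

def probe(resolver, name, edns0=False, timeout=2.0):
    # One UDP query; None reproduces nslookup's "DNS request timed out" (2 seconds).
    # resolver is a placeholder IP supplied by the caller, not a value from the thread.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns0=edns0), (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)
```

Run probe() four times (DC and external server, edns0 False and True): an answer from the external server but None from the DC only when edns0=True points at the firewall path rather than at the forwarder setting itself.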

 


From: Carlos Magalhaes
Sent: Sun 3/21/2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS not integrating into AD

Ok boys and girls I have a nice little question,

 

I have a single domain single forest setup. I have Active Directory Integrated domains. I have forwarders to an External DNS server. And I have a reverse lookup zone created.

 

Now the problems. I first noted that I can easily do internal name resolution, not a problem at all. Then I tried external domain resolution, thinking that the DNS server would use its wonderful forwarder to resolve the address, but it failed.

 

Here are the commands:

 

Nslookup>

 

Default Server:  internalDC.InternalDomain.net

Address:  <Internal IP>

 

> SomeInternalMachine

Server:  internalDC.InternalDomain.net

Address:  <Internal IP>

 

Name:    SomeInternalMachine.InternalDomain.net

Address:  <Internal IP>

> 

 

 

Nice...

 

Ok now let's look at external lookup:

 

> google.com

Server:  internalDC.InternalDomain.net

Address:  <Internal IP>

 

DNS request timed out.

    timeout was 2 seconds.

*** Request to internalDC.InternalDomain.net

> 

 

Hmm, which led me to believe it might be my ISA server, then I did another test:

 

> server ExternalDnsServer

DNS request timed out.

    timeout was 2 seconds.

Default Server:  [ExternalDnsServer]

Address:  ExternalDnsServer

 

> google.com

Server:  [ExternalDnsServer]

Address:  ExternalDnsServer

 

Name:    google.com

Addresses:  216.239.57.99, 216.239.39.99, 216.239.37.99

 

 

So I deduce that I can do DNS queries in and out of the network (plus I checked all the Rules etc. on the ISA server).

Now checking the DNS, there is no "." (root) zone in my Forward lookup zones (there is one in my Cache Zone, and if I delete it, it comes back).

 

Then I checked the famous RootDNSServers container in the Domain --> System --> MicrosoftDNS container; nothing there, there is only the reverse lookup zone data in that folder. Then I performed the task to net stop dns, net stop netlogon, copy cache.dns from the samples folder to the dns folder, net start netlogon, net start dns. Apparently this is supposed to recreate the RootDNSServers container in AD, but it doesn't (all these operations are being performed as Enterprise Admins).

 

I forced replication on all the servers replication is working and replicating but NO RootDNSServer object under MicrosoftDNS container.

 

Enabled auditing on the System container in AD for any success or failure and allowed it to be applied to its child objects; I checked the child objects and the auditing was enabled. Tried the process above again: NOTHING in the event log, as if DNS didn't even try to create the container (the DNS server is on the DC and is AD integrated).

 

So I thought, what the heck, let me create a secondary DNS server on the other DC to see what is going on. When I created it, the Forward lookup zones did not replicate but the reverse lookup zones did. I went to the primary DNS server and changed the DNS replication option from All DNS servers in the Active Directory forest to All DNS servers in the Active Directory domain (remembering that this is a ONE FOREST ONE DOMAIN setup). Then I refreshed the secondary DNS server and voila, the Forward lookup zones are there. I checked AD for the RootDNSServers container and it was there (but NO ROOT HINTS within the container as there are supposed to be). Then I thought, ok, let me be clever and try the netlogon and DNS stop and start and copy Cache.dns file Q article, to get everything wrong, and RootDNSServers disappeared again, and ever since I have followed everything I have done here and have not been able to get it back.

 

That's the first problem, then I have

 

FW

 |

DC (DNS)

 

I am trying to get all clients to pass all forward requests to a DNS server address outside of the firewall. As you saw in the example above, if I specify that address with the SERVER <EXTERNALDNSSERVERADDY> command in Nslookup it works, but it doesn't work with the domain controller passing the packets to that address EVEN THOUGH that address is set up as a FORWARDER.

 

The only replication error I had was when the time server went wacky: it put the one DC in 2003 and the other DC in 2004, then the replication failed and I had TombStone errors on replication. I applied the Reg hack for the workaround (set the Strict Replication Consistency REG_DWORD value to 0 on the DCs getting the 'tombstone' error), then replicated and removed the registry setting.

 

 

 

I have almost lost hope and am thinking of creating a split-brain DNS (I am not sure the advantages are really that great for this network, but I am sure you will convince me they are :P). As I stressed, internal reverse lookups are working 100%. Replication has not reported any problems either.

 

Any help?


Thanks a million for any clues and help

 

Carlos Magalhaes
DISCLAIMER:
This Electronic Mail originated from the Private Mail Servers of the Akomolafe Family.

The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorized to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal, professional or other privilege (or other rules or laws with similar effect in jurisdictions outside the USA).

The views expressed in this email may not necessarily be compatible with your views and no representation is made to their usefulness to your well-being. However, by continuing to read this E-Mail, you are willingly acknowledging that your well-being is not our responsibility, and that you are the intended recipient (didn't we cover this already? :)).
