I may be using the wrong terminology to explain what I am trying to do. What I need it to do is for any domain request that the server receives that it is not hosting, walk the tree through the root zones on to the correct DNS server and find the answer. The Windows 2000 DNS is doing this for everything. The Windows 2003 DNS is not, which is what stumps me. We use PIX firewalls, no proxies. If the internal DNS is shut down, you can't get anything at all.
I just tried it again and got a very odd result. I set up my workstation to only use one of my DNS servers. I then set that DNS server to not forward to my external servers, restarted the DNS service and cleared its cache. Then I did an nslookup against it for bestbuy.com. I got replies for www.bestbuy.com, and using "set type=mx" for bestbuy.com got the MX records. Without changing any settings I did the same for aol.com and it timed out with no reply (like most of the domains). I then did the same with the server set to forward to my external DNS and got an instant reply. Below is the output.

Default Server:  atldc2.summitmg.com
Address:  10.100.x.x

> www.bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
Name:    a1103.gc.akamai.net
Addresses:  208.254.0.17, 208.254.0.32
Aliases:  www.bestbuy.com, www.bestbuy.com.edgesuite.net

> set type=mx
> bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

bestbuy.com     MX preference = 5, mail exchanger = tag5.bestbuy.com
bestbuy.com     MX preference = 5, mail exchanger = tag6.bestbuy.com
tag5.bestbuy.com        internet address = 205.215.216.98
tag6.bestbuy.com        internet address = 198.22.123.162

> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

DNS request timed out.
    timeout was 2 seconds.
*** Request to atldc2.summitmg.com timed-out

Below is after I set it to forward to my other server.

> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
aol.com MX preference = 15, mail exchanger = mailin-04.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-01.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-02.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-03.mx.aol.com

mailin-04.mx.aol.com    internet address = 64.12.136.153
mailin-04.mx.aol.com    internet address = 64.12.137.121
mailin-04.mx.aol.com    internet address = 64.12.137.152
mailin-04.mx.aol.com    internet address = 64.12.138.89
mailin-04.mx.aol.com    internet address = 64.12.138.152
mailin-04.mx.aol.com    internet address = 152.163.224.122
mailin-04.mx.aol.com    internet address = 205.188.156.154
mailin-01.mx.aol.com    internet address = 64.12.137.89
mailin-01.mx.aol.com    internet address = 64.12.137.184
mailin-01.mx.aol.com    internet address = 64.12.138.57
mailin-01.mx.aol.com    internet address = 64.12.138.152
mailin-01.mx.aol.com    internet address = 152.163.224.26
mailin-01.mx.aol.com    internet address = 205.188.156.122
mailin-01.mx.aol.com    internet address = 64.12.136.57
mailin-02.mx.aol.com    internet address = 64.12.138.120
mailin-02.mx.aol.com    internet address = 64.12.136.89
mailin-02.mx.aol.com    internet address = 64.12.136.121
mailin-02.mx.aol.com    internet address = 64.12.137.89
mailin-02.mx.aol.com    internet address = 64.12.137.184
mailin-02.mx.aol.com    internet address = 64.12.138.89

> www.aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
www.aol.com     canonical name = www.gwww.aol.com
>

I am REALLY confused now. It seems to be hit or miss, but misses the largest sites and jams up email as a result.

Miles

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Recursive lookups are doing what for you?
Are they handling the lookup for you and returning the answer to the client for MX records, or are they referring your client?

My guess is that your web browsing works because of a proxy server or firewall that has the ability to chase the records, or is even just using the external servers for name resolution (why ask an internal DNS server for an external address, right?). Is this the case?

-----Original Message-----
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DNS Lookup Problem - Windows 2003

I am having an issue with a Windows 2003 AD integrated DNS server doing recursive lookups to find MX records for my outbound mail.

Prior to our AD deployment, we were running split-brained DNS with Windows 2000 DNS servers internally and externally. Post upgrade, our internal DNS moved to Windows 2003 DNS. Afterwards DNS lookups for web sites appeared to work fine, as you could surf the web etc. But in the case of our mail servers and nslookup, all MX record requests would fail, thus blocking outbound email.

Using Google, TechNet, and a nice thick Windows 2003 book (William Boswell's), I have, to the best of my ability, confirmed that the internal Windows 2003 DNS is set up to do recursive lookups for domains other than the ones it hosts, and in the case of web browsing it does in fact work, even after I clear the DNS caches of my internal servers.

To get MX lookups to function, I have had to set the internal servers to forward to one of my two public DNS servers running Windows 2000 DNS. Once done, the MX lookups function again just as before. I will need to be upgrading our public servers to Windows 2003 in the very near future and I am afraid that once I do, the MX lookups will fail again.

Has anyone else run into this? If not, any suggestions on places to look for more info, or settings to confirm, would be MOST appreciated. I'd really like/need to have my internal servers doing all of the lookups on their own.

Thanks for any assistance you can provide.

Miles

-----------------------
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
-----------------------
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock."
- Frank Herbert, "Chapterhouse: Dune"

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
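Editor's added check, not part of any message in the thread: the symptoms reported (small answers resolve, only the largest domains' MX sets time out, PIX firewalls in the path, Windows 2000 unaffected) are the pattern seen when a resolver adds an EDNS0 OPT record to its queries, receives UDP answers larger than 512 bytes, and a firewall enforcing the classic 512-byte DNS limit silently drops them, whereas a resolver without EDNS0 gets a truncated (TC) answer and retries over TCP. Whether that is the cause here is an assumption; the Python below builds both query forms and inspects a captured reply for size and the TC flag so the two cases can be told apart in a packet capture, with the 4096-byte payload size and both sample replies being constructed values.

```python
"""Added example (not from the thread): DNS wire-format helpers for telling
a classic 512-byte UDP exchange apart from an EDNS0 one in a capture."""
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP payload ceiling without EDNS0
QTYPE_MX, OPT = 15, 41    # record type numbers used below


def encode_name(name):
    """'aol.com' -> b'\\x03aol\\x03com\\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_udp_size=0):
    """Recursion-desired query. A non-zero edns_udp_size appends an OPT RR
    advertising that the sender accepts UDP answers up to that many bytes,
    which is what lets a resolver receive answers larger than 512 bytes."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)   # class IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack(">HHIH", OPT, edns_udp_size, 0, 0)
    return header + question + opt


def inspect_response(raw):
    """Facts worth reading off a captured reply: size, TC flag, RCODE and
    whether the datagram would exceed a 512-byte-only firewall rule."""
    _txid, flags, _qd, an, _ns, ar = struct.unpack(">HHHHHH", raw[:12])
    return {"size": len(raw), "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "additional": ar,
            "exceeds_classic_udp": len(raw) > CLASSIC_UDP_LIMIT}


def demo():
    """Two constructed replies to an aol.com MX query (sample data, not a
    real capture): a TC-flagged 512-byte-safe one and an oversize one."""
    question = encode_name("aol.com") + struct.pack(">HH", QTYPE_MX, 1)
    # QR|TC|RD|RA = 0x8380: answer did not fit, client should retry over TCP
    truncated = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + question
    # QR|RD|RA = 0x8180 claiming 4 MX + 20 A records; RR bytes are padding
    oversize = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 4, 0, 20)
                + question + b"\x00" * 600)
    return inspect_response(truncated), inspect_response(oversize)
```

A reply that exceeds the classic limit without the TC flag set is one the resolver expected to receive whole; if it never arrives, look at what sits between the resolver and the authoritative server rather than at the zone data.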