From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Eh... I ran across something like that during the w2k3 beta process. Something about w2k didn't support long/extended DNS responses across TCP and w2k3 does. There was also something fishy about w2k3 not properly following referrals in deeply embedded zones.

I changed over to having my w2k3 servers forward to my Unix authoritative servers instead of following root hints and forgot about it.
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Thanks for the tip. I have added the static entries to my servers. I have to admit, that in my actual operation I have not found that to be the case with the PIX. I did find the final cause of my problems from your tip. The new 6.33 code added a DNS fixup command that had no qualms at all about eating the responses being sent to my Windows 2003 dns servers. I don't know why it did not eat them going to the Win2K dns.

Once I disabled dns fixup, the problem ended on my test servers, and I just changed the production servers as well. They now receive long mx responses without issues.

-----------------------
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
-----------------------
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Um, you *definitely* need to have static NAT and the correct ACL's for your DNS servers. By default, DNS uses UDP connects, which are stateless - so there is no session state to track, and the replies will be rejected.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Thanks, I have really found all the suggestions given helpful. Even when they have rehashed things I tried before they have encouraged me to try them again. My main frustration with all of this is that with what appears to be an identical configuration, Win2K gives me results and Win2K3 does not and it just makes no sense to me.

The server that I am testing with is one of my production internal DNS servers. It is also a DC. It is a Netserver LH3000 with a single Intel 10/100 nic. Below is the ipconfig /all.

Windows IP Configuration

Host Name . . . . . . . . . . . . : atldc1
Primary Dns Suffix . . . . . . . : summitmg.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : summitmg.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter
Physical Address. . . . . . . . . : 00-30-6E-00-B3-71
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.100.1.220
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.100.1.230
DNS Servers . . . . . . . . . . . : 10.100.1.206
10.100.1.220
Primary WINS Server . . . . . . . : 10.100.1.206
Secondary WINS Server . . . . . . : 10.100.1.207

It is behind a PIX firewall, running 6.33. I have added a static acl for TCP and UDP DNS traffic (port 53) from 208.51.103.75 to the internal ip of 10.100.1.220. Note that it should not NEED this acl as the PIX should nat the outbound request and replies just fine. For the two dns servers I configured for testing this morning, there were no ACL's added. In the case of the Windows 2000 DNS all mx requests work, and for the Windows 2003 DNS only some work. I have found requests for cnn.com and bestbuy.com to work, but requests for aol.com and earthlink.net to fail on the Windows 2003 DNS.

Attached are the results for dns logging on the above server with requests for aol.com and earthlink.net. I can't really make out the log results. If anyone would like to see screen captures of the config pages for this server I will be happy to forward them to you.

-----------------------
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
-----------------------
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 1:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Miles, while it is very possible that you have discovered a bug, I'd like to say it does not appear to be a universal bug at this time :)

Let's see a config of the DNS server in question. Ipconfig /all output with brief notes on what IP belongs to what server. Also, let's see some config info from DNS itself. Listening on what NIC, going through what type of Router/Firewall. Also, turn on Debug logging in DNS, leave it at the default, and then run some more tests and look at the log file for any interesting entries. With this information, we "may" be able to work this out here.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
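
The symptom in this thread (short answers arrive, long MX answers vanish while a firewall inspects DNS) is what a length limit on UDP DNS replies produces. The following is an added example, not code from any poster: it reads a captured query for an EDNS0 OPT record and classifies a reply of a given size against an assumed 512-byte limit. The query, the 1280-byte advertised size and the 700-byte reply are constructed, and that the PIX fixup enforces this particular limit is an assumption the thread does not state.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # RFC 1035 maximum DNS message size over UDP

def build_query(name, qtype=15, edns_size=None):
    """Build a DNS query (qtype 15 = MX); append an EDNS0 OPT record if edns_size is set."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT pseudo-RR: root name, TYPE 41, CLASS carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_payload_size(msg):
    """Return the UDP payload size advertised in an OPT record, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def diagnose(query, response_len, limit=CLASSIC_UDP_LIMIT):
    """Classify a UDP reply of response_len bytes against a length-enforcing inspection."""
    advertised = edns_payload_size(query)
    if response_len <= limit:
        return "passes"
    if advertised is None:
        return "oversize-without-edns"  # a compliant server would truncate instead
    return "dropped-by-length-limit" if response_len <= advertised else "exceeds-advertised"

if __name__ == "__main__":
    # Constructed sample: an EDNS0 query advertising 1280 bytes, answered with 700 bytes.
    print(diagnose(build_query("aol.com", edns_size=1280), 700))
```

Feed it the raw query bytes and the reply length from a capture taken on each side of the firewall; a reply that classifies as `dropped-by-length-limit` on the outside and never appears on the inside points at the inspection rather than at the DNS server.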