RE: Windows DNS scavenging..

2013-04-08 Thread Brian Desmond
It should be turned on. I generally enable it on a couple of DCs. Remember, you 
have to enable it on the zone and then the DNS Server(s) that will perform the 
scavenging.

First time you do this you might find some record gets cleaned up that was 
dynamically registered but the registrar is long gone yet something is 
depending on it. Take an ldifde dump of your DNS storage in AD in case you need 
to bring back any records.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Monday, April 8, 2013 9:33 AM
To: NT System Admin Issues
Subject: Windows DNS scavenging..

Do you guys have it turned on? Have you seen any issues from it, any caveats?
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin
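
Brian Desmond's advice above is to take an ldifde dump of the AD-stored DNS data before turning scavenging on. The following is an added example, not part of the original thread: it reads such a dump and lists the dynamic records whose timestamps already make them eligible for scavenging, so anything still depending on them can be checked first. The zone, host names and dates are constructed, the no-refresh and refresh intervals are assumed to be 7 days each, and the record layout follows the dnsRecord structure in MS-DNSP.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # dnsRecord TimeStamp epoch
TYPE_A = 1
NOW = datetime(2013, 4, 8, 12, 0, tzinfo=timezone.utc)   # constructed "today"


def parse_dns_record(blob):
    """Decode one dnsRecord attribute value (24-byte header, then record data)."""
    data_len, rtype, _ver, _rank, _flags, _serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)            # TTL is stored big-endian
    _reserved, ts_hours = struct.unpack_from("<II", blob, 16)
    # TimeStamp is hours since 1601-01-01 UTC; 0 marks a static record.
    stamp = EPOCH_1601 + timedelta(hours=ts_hours) if ts_hours else None
    return {"type": rtype, "ttl": ttl, "timestamp": stamp,
            "data": blob[24:24 + data_len]}


def parse_ldif(text):
    """Yield (dn, [raw dnsRecord bytes]) per entry, unfolding continuation lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, records = None, []
        for line in block.splitlines():
            if line.startswith("dn: "):
                dn = line[4:]
            elif line.startswith("dnsRecord:: "):          # '::' means base64 value
                records.append(base64.b64decode(line[12:]))
        if dn and records:
            yield dn, records


def scavenging_candidates(ldif_text, now, no_refresh=timedelta(days=7),
                          refresh=timedelta(days=7)):
    """Return (host, type, value, timestamp) for dynamic records past both intervals."""
    cutoff = now - no_refresh - refresh
    found = []
    for dn, blobs in parse_ldif(ldif_text):
        host = dn.split(",")[0].split("=", 1)[1]           # first RDN is the node name
        for rec in map(parse_dns_record, blobs):
            if rec["timestamp"] is not None and rec["timestamp"] < cutoff:
                value = (".".join(map(str, rec["data"])) if rec["type"] == TYPE_A
                         else rec["data"].hex())
                found.append((host, rec["type"], value, rec["timestamp"]))
    return found


def sample_record(ip, stamp):
    """Build a constructed A record; stamp=None produces a static record."""
    hours = (stamp - EPOCH_1601) // timedelta(hours=1) if stamp else 0
    data = bytes(int(octet) for octet in ip.split("."))
    return (struct.pack("<HHBBHI", len(data), TYPE_A, 5, 0xF0, 0, 1)
            + struct.pack(">I", 1200) + struct.pack("<II", 0, hours) + data)


def sample_ldif(now):
    """Constructed dump: one static record, one fresh and one stale dynamic record."""
    zone_dn = ("DC=corp.example.com,CN=MicrosoftDNS,"
               "DC=DomainDnsZones,DC=corp,DC=example,DC=com")
    nodes = [("fileserver", "10.0.0.10", None),
             ("laptop42", "10.0.1.42", now - timedelta(days=2)),
             ("oldprinter", "10.0.2.7", now - timedelta(days=60))]
    entries = []
    for host, ip, stamp in nodes:
        b64 = base64.b64encode(sample_record(ip, stamp)).decode()
        # Fold the value as LDIF does: a continuation line starts with one space.
        entries.append(f"dn: DC={host},{zone_dn}\nchangetype: add\n"
                       f"objectClass: dnsNode\ndnsRecord:: {b64[:20]}\n {b64[20:]}")
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    for host, rtype, value, stamp in scavenging_candidates(sample_ldif(NOW), NOW):
        print(f"{host}  type={rtype}  {value}  last refreshed {stamp:%Y-%m-%d}")
```

Static records carry a timestamp of 0 and are never reported, so the list contains only dynamically registered names.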


RE: Windows DNS scavenging..

2013-04-08 Thread Ziots, Edward
We have it turned on, to clean up issues with stale entries and some DDNS 
issues with our DHCP appliance.

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081


This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.


From: David Lum [mailto:david@nwea.org]
Sent: Monday, April 08, 2013 10:33 AM
To: NT System Admin Issues
Subject: Windows DNS scavenging..

Do you guys have it turned on? Have you seen any issues from it, any caveats?
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



Re: Windows DNS scavenging..

2013-04-08 Thread kz20fl
Hopefully should definitely be there, if I ever get through this legal battle I 
am having over an agency that owe me a load of money.

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

-Original Message-
From: Webster 
Date: Mon, 8 Apr 2013 14:57:31 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: RE: Windows DNS scavenging..

LOL, that is one of my three topics for my conference presentations this year.  
There are a lot of TechNet and MVP articles on the topics of DNS A&S, DHCP and 
what to do, how it works, scripts, etc.  I am trying to figure out how to cover 
this topic and multiple site, multiple domain configurations and GPO & Loopback 
processing into a 75 minute presentation.  I could easily spend 75 minutes on 
each.  Plus I am also doing a PoSH session on my Citrix documentation scripts 
at each conference.  Hope to meet James Rankin finally in London.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com


From: David Lum [mailto:david@nwea.org]
Sent: Monday, April 08, 2013 10:33 AM
To: NT System Admin Issues
Subject: Windows DNS scavenging..

Do you guys have it turned on? Have you seen any issues from it, any caveats?
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764




RE: Windows DNS scavenging..

2013-04-08 Thread Webster
LOL, that is one of my three topics for my conference presentations this year.  
There are a lot of TechNet and MVP articles on the topics of DNS A&S, DHCP and 
what to do, how it works, scripts, etc.  I am trying to figure out how to cover 
this topic and multiple site, multiple domain configurations and GPO & Loopback 
processing into a 75 minute presentation.  I could easily spend 75 minutes on 
each.  Plus I am also doing a PoSH session on my Citrix documentation scripts 
at each conference.  Hope to meet James Rankin finally in London.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com


From: David Lum [mailto:david@nwea.org]
Sent: Monday, April 08, 2013 10:33 AM
To: NT System Admin Issues
Subject: Windows DNS scavenging..

Do you guys have it turned on? Have you seen any issues from it, any caveats?
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



RE: DNS settings for Trusts

2013-03-06 Thread N Parr
So here's what I think is happening, still awaiting confirmation from other 
site admin.
Everything you asked below is exactly how I'm set up.
What I discovered is they have a dozen or so DNS servers at their main and 
other remote sites which are all connected via their MPLS links.  I'm 
connecting in via a VPN tunnel.  Pretty sure my VPN tunnel only has access to 
the core subnet where their main DNS is at that I'm already successfully 
exchanging zone information with.  When their zone populates with their SRV 
records it loads all their DC's for all their sites, and they are all weighted 
equally.  Therefore when I try to ping their "domain.local" I get random 
responses from the various DC's they have, most of which I can't connect to 
because I'm guessing the VPN tunnel isn't allowing traffic to any subnet other 
than the core.  I've asked their admin to weight their SRV record for the core 
DC's higher than all the others and see if this fixes the problem.


From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 5:06 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Hi,

Can you please 100% confirm your DNS setup. The servers in question (b) and (d) 
are different, so when you say "answered above", I begin to worry that we're 
overlooking something.


-  Are you saying that the DC in DomainA hosts a secondary copy of the 
DomainB zone?

-  And that the DC in DomainB hosts a secondary copy of the DomainA 
zone?

-  And that the DC in DomainA looks at itself for name resolution?

-  And that the DC in DomainB also looks at itself for name resolution?

The above 4 are all separate, independent configuration options, and given that 
this should work, but isn't, we'd need to work through each item until we get 
to the point where we identify what the culprit is.

Cheers
Ken


From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 8:29 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts




From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

a)  DomainA and DomainB are in separate Forests?  - Yes

b)  Where does the PDCe in DomainA look first for name resolution (itself? 
Another DNS server?)  Itself (Secondary Forward Lookup Zones created on both 
sides)

c)   The DNS server in (b) - how does it know where to send requests for 
DomainB? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Hosts secondary Copy.  Tried Forwarders but from what I'm 
reading you use either a zone or a forwarder, not both.  I tried a forwarder 
anyway and it didn't make a difference.  Glue Records?  I don't think these come 
into play internally.

d)  For the DC in domainB where you are attempting to create the trust: 
where does it look for name resolution (itself? Another DNS server?)  Can't get 
to the point of making a trust yet because domainB can't ping domainA.local

e)  The DNS server in (d) - how does it know where to send requests for 
DomainA? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.

________
From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts
Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...

On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A records are 
properly created.  But we didn't have to do this on Domain A to get it to work. 
Either way where am I supposed to create these records?  Under my primary Zone? 
 It do
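
N Parr's hypothesis above is that equally weighted SRV records send Domain B to DCs in sites the VPN tunnel cannot reach. The following added example (not from the thread) applies the RFC 2782 selection rules to a constructed set of six DCs and computes how often the first DC picked is reachable: as published, with the core DCs' weight raised, and with the remote DCs moved to a higher priority number. All names, addresses and the adjusted values are constructed; priority 0 and weight 100 are assumed as the starting values.

```python
import ipaddress
from collections import namedtuple
from fractions import Fraction

Srv = namedtuple("Srv", "target ip priority weight")

# Constructed sample: two core-site DCs and four DCs in remote sites.
CORE_NET = "10.1.0.0/24"   # assumed to be the only subnet the VPN tunnel reaches
RECORDS = [
    Srv("core-dc1.domaina.local", "10.1.0.11", 0, 100),
    Srv("core-dc2.domaina.local", "10.1.0.12", 0, 100),
    Srv("site2-dc1.domaina.local", "10.2.0.11", 0, 100),
    Srv("site3-dc1.domaina.local", "10.3.0.11", 0, 100),
    Srv("site4-dc1.domaina.local", "10.4.0.11", 0, 100),
    Srv("site5-dc1.domaina.local", "10.5.0.11", 0, 100),
]


def in_nets(ip, nets):
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def first_pick_odds(records):
    """Probability that each target is the first one a client tries.

    RFC 2782: only the lowest-numbered priority group is tried first, and
    within it a target is chosen in proportion to its weight. Simplification:
    a weight-0 target next to weighted ones is treated as never picked first.
    """
    top = min(r.priority for r in records)
    group = [r for r in records if r.priority == top]
    total = sum(r.weight for r in group)
    if total == 0:                       # all weights 0: every target equally likely
        return {r.target: Fraction(1, len(group)) for r in group}
    return {r.target: Fraction(r.weight, total) for r in group}


def reachable_share(records, reachable_nets):
    """Share of first picks that land on a DC inside the reachable networks."""
    odds = first_pick_odds(records)
    return sum((odds.get(r.target, Fraction(0)) for r in records
                if in_nets(r.ip, reachable_nets)), Fraction(0))


def adjust(records, nets, core_weight=None, remote_priority=None):
    """Return a copy with new weights for core DCs and/or priority for the rest."""
    out = []
    for r in records:
        if in_nets(r.ip, nets):
            out.append(r._replace(weight=core_weight) if core_weight is not None else r)
        else:
            out.append(r._replace(priority=remote_priority)
                       if remote_priority is not None else r)
    return out


def scenarios():
    nets = [CORE_NET]
    return {
        "equal weights": reachable_share(RECORDS, nets),
        "core weight 400": reachable_share(adjust(RECORDS, nets, core_weight=400), nets),
        "remote priority 10": reachable_share(adjust(RECORDS, nets, remote_priority=10), nets),
    }


if __name__ == "__main__":
    for name, share in scenarios().items():
        print(f"{name:20s} first pick reachable: {share} ({float(share):.0%})")
```

Raising the weight only shifts the odds towards the core DCs, while a lower priority number for them means the unreachable DCs are not tried first at all.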

RE: DNS settings for Trusts

2013-03-05 Thread N Parr
One of the first things I checked.  Ports are open, firewalls off.  Even tested 
telnet in to most everything listed in that article.  DomainA already has 
multiple trusts set up with other locations.
To make this even more strange, I can ping the remote domainA.local from a 
workstation on domainB and get a response from domainA PDC.  Same ping fails 
from either of my domainB DC's.
Think I'll bounce my DC's tonight and see what happens.


From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, March 05, 2013 3:48 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

http://support.microsoft.com/kb/179442

I would look here.
How to configure a firewall for domains and trusts

Just because you can't ping the endpoint doesn't mean it isn't available.

You can do the following if you need to determine if an endpoint is open.

Get a copy of Nmap or if you have a Linux Box you can use tcptraceroute or Nmap 
also.

To test, you tell Nmap not to ping the host.

nmap -sS -sV -P0 -p- <ip address of endpoint> (this will do all 65535 ports and 
tell you what you have open from your system)

tcptraceroute IP_address dest_port (so if I wanted to tcptraceroute to 
123.45.67.89 port 135 I would do the following)
tcptraceroute 123.45.67.89 135

HTH. I think you're up against a FW issue nobody on the other side is telling you 
about.

Z


Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081




From: N Parr [mailto:npar...@mortonind.com]
Sent: Tuesday, March 05, 2013 4:29 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts




From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

a)  DomainA and DomainB are in separate Forests?  - Yes

b)  Where does the PDCe in DomainA look first for name resolution (itself? 
Another DNS server?)  Itself (Secondary Forward Lookup Zones created on both 
sides)

c)   The DNS server in (b) - how does it know where to send requests for 
DomainB? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Hosts secondary Copy.  Tried Forwarders but from what I'm 
reading you use either a zone or a forwarder, not both.  I tried a forwarder 
anyway and it didn't make a difference.  Glue Records?  I don't think these come 
into play internally.

d)  For the DC in domainB where you are attempting to create the trust: 
where does it look for name resolution (itself? Another DNS server?)  Can't get 
to the point of making a trust yet because domainB can't ping domainA.local

e)  The DNS server in (d) - how does it know where to send requests for 
DomainA? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts
Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...

On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A 

RE: DNS settings for Trusts

2013-03-05 Thread Ziots, Edward
http://support.microsoft.com/kb/179442

I would look here.
How to configure a firewall for domains and trusts

Just because you can't ping the endpoint doesn't mean it isn't available.

You can do the following if you need to determine if an endpoint is open.

Get a copy of Nmap or if you have a Linux Box you can use tcptraceroute or Nmap 
also.

To test, you tell Nmap not to ping the host.

nmap -sS -sV -P0 -p- <ip address of endpoint> (this will do all 65535 ports and 
tell you what you have open from your system)

tcptraceroute IP_address dest_port (so if I wanted to tcptraceroute to 
123.45.67.89 port 135 I would do the following)
tcptraceroute 123.45.67.89 135

HTH. I think you're up against a FW issue nobody on the other side is telling you 
about.

Z


Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081




From: N Parr [mailto:npar...@mortonind.com]
Sent: Tuesday, March 05, 2013 4:29 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts




From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

a)  DomainA and DomainB are in separate Forests?  - Yes

b)  Where does the PDCe in DomainA look first for name resolution (itself? 
Another DNS server?)  Itself (Secondary Forward Lookup Zones created on both 
sides)

c)   The DNS server in (b) - how does it know where to send requests for 
DomainB? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Hosts secondary Copy.  Tried Forwarders but from what I'm 
reading you use either a zone or a forwarder, not both.  I tried a forwarder 
anyway and it didn't make a difference.  Glue Records?  I don't think these come 
into play internally.

d)  For the DC in domainB where you are attempting to create the trust: 
where does it look for name resolution (itself? Another DNS server?)  Can't get 
to the point of making a trust yet because domainB can't ping domainA.local

e)  The DNS server in (d) - how does it know where to send requests for 
DomainA? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts
Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...

On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A records are 
properly created.  But we didn't have to do this on Domain A to get it to work. 
Either way where am I supposed to create these records?  Under my primary Zone? 
 It doesn't give any detail and my Google is failing me.
http://technet.microsoft.com/en-us/library/ee307976%28v=ws.10%29.aspx
Thanks




RE: DNS settings for Trusts

2013-03-05 Thread N Parr



From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts


a)  DomainA and DomainB are in separate Forests?  - Yes

b)  Where does the PDCe in DomainA look first for name resolution (itself? 
Another DNS server?)  Itself (Secondary Forward Lookup Zones created on both 
sides)

c)   The DNS server in (b) - how does it know where to send requests for 
DomainB? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Hosts secondary Copy.  Tried Forwarders but from what I'm 
reading you use either a zone or a forwarder, not both.  I tried a forwarder 
anyway and it didn't make a difference.  Glue Records?  I don't think these come 
into play internally.

d)  For the DC in domainB where you are attempting to create the trust: 
where does it look for name resolution (itself? Another DNS server?)  Can't get 
to the point of making a trust yet because domainB can't ping domainA.local

e)  The DNS server in (d) - how does it know where to send requests for 
DomainA? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts
Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...

On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A records are 
properly created.  But we didn't have to do this on Domain A to get it to work. 
Either way where am I supposed to create these records?  Under my primary Zone? 
 It doesn't give any detail and my Google is failing me.
http://technet.microsoft.com/en-us/library/ee307976%28v=ws.10%29.aspx
Thanks




RE: DNS settings for Trusts

2013-03-05 Thread N Parr
Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts

Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...

On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A records are 
properly created.  But we didn't have to do this on Domain A to get it to work. 
Either way where am I supposed to create these records?  Under my primary Zone? 
 It doesn't give any detail and my Google is failing me.
http://technet.microsoft.com/en-us/library/ee307976%28v=ws.10%29.aspx
Thanks


RE: Prevent duplicate DNS entries

2013-02-27 Thread Kennedy, Jim
Have the ASA act as a dhcp relay for the DC's and have the DC's handle the DNS 
registration.

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, February 27, 2013 4:21 PM
To: NT System Admin Issues
Subject: RE: Prevent duplicate DNS entries

For VPN it's the ASA, which is different than where every other system gets 
its IP from (a Windows DC).

From: Webster [mailto:webs...@carlwebster.com]
Sent: Wednesday, February 27, 2013 12:39 PM
To: NT System Admin Issues
Subject: RE: Prevent duplicate DNS entries

What hands out the IP addresses?

Thanks


Webster

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, February 27, 2013 1:40 PM
To: NT System Admin Issues
Subject: Prevent duplicate DNS entries

Kind of related to my earlier query, is there a way to prevent multiple DNS 
entries for a given IP address range with Windows DNS? Our VPN systems have a 
specific range of IP's and for whatever reason there's a nasty habit of many 
systems showing the same IP address in DNS.

Or perhaps the real fix is changing the VPN client (Cisco) to handle DNS 
registration correctly? That would be a different can of worms from my end, 
but...


RE: Prevent duplicate DNS entries

2013-02-27 Thread David Lum
For VPN it's the ASA, which is different than where every other system gets 
its IP from (a Windows DC).

From: Webster [mailto:webs...@carlwebster.com]
Sent: Wednesday, February 27, 2013 12:39 PM
To: NT System Admin Issues
Subject: RE: Prevent duplicate DNS entries

What hands out the IP addresses?

Thanks


Webster

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, February 27, 2013 1:40 PM
To: NT System Admin Issues
Subject: Prevent duplicate DNS entries

Kind of related to my earlier query, is there a way to prevent multiple DNS 
entries for a given IP address range with Windows DNS? Our VPN systems have a 
specific range of IP's and for whatever reason there's a nasty habit of many 
systems showing the same IP address in DNS.

Or perhaps the real fix is changing the VPN client (Cisco) to handle DNS 
registration correctly? That would be a different can of worms from my end, 
but...


RE: Prevent duplicate DNS entries

2013-02-27 Thread Webster
What hands out the IP addresses?

Thanks


Webster

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, February 27, 2013 1:40 PM
To: NT System Admin Issues
Subject: Prevent duplicate DNS entries

Kind of related to my earlier query, is there a way to prevent multiple DNS 
entries for a given IP address range with Windows DNS? Our VPN systems have a 
specific range of IP's and for whatever reason there's a nasty habit of many 
systems showing the same IP address in DNS.

Or perhaps the real fix is changing the VPN client (Cisco) to handle DNS 
registration correctly? That would be a different can of worms from my end, 
but...


RE: Recommendations for DNS/SSL provider

2013-02-26 Thread Damien Solodow
I really like what I'm seeing for DigiCert, but my concern is that the price 
point may be an issue given that our current (or RapidSSL) are significantly 
lower.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, February 26, 2013 11:37 AM
To: NT System Admin Issues
Subject: RE: Recommendations for DNS/SSL provider

DigiCert for certs hands down. I can't comment on DNS providers.

Thanks,
Brian Desmond
br...@briandesmond.com<mailto:br...@briandesmond.com>

w - 312.625.1438 | c - 312.731.3132

From: Damien Solodow [mailto:damien.solo...@harrison.edu]
Sent: Monday, February 25, 2013 2:25 PM
To: NT System Admin Issues
Subject: Recommendations for DNS/SSL provider

Currently we are using GoDaddy for our SSL certs, domain registration and 
parking/forwarding of some domains.
Our main DNS zones are hosted internally, but we use them to point/redirect 
various domains to our main ones.

There is currently some discussion about moving away from them due to various 
concerns around them (not just technical issues).

I wanted to see if anyone had suggestions/recommendations on alternatives that 
aren't going to trigger a huge price jump.
Are we going to be better off having a provider/company for SSL and another for 
DNS, or are there good options that provide both?

As far as certificates, so far I'm liking the looks of DigiCert and RapidSSL 
but am open to options.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE
500 North Meridian St
Suite 500
Indianapolis, IN 46204-1213
www.harrison.edu<http://www.harrison.edu/>



RE: Recommendations for DNS/SSL provider

2013-02-26 Thread Brian Desmond
DigiCert for certs hands down. I can't comment on DNS providers.

Thanks,
Brian Desmond
br...@briandesmond.com<mailto:br...@briandesmond.com>

w - 312.625.1438 | c - 312.731.3132

From: Damien Solodow [mailto:damien.solo...@harrison.edu]
Sent: Monday, February 25, 2013 2:25 PM
To: NT System Admin Issues
Subject: Recommendations for DNS/SSL provider

Currently we are using GoDaddy for our SSL certs, domain registration and 
parking/forwarding of some domains.
Our main DNS zones are hosted internally, but we use them to point/redirect 
various domains to our main ones.

There is currently some discussion about moving away from them due to various 
concerns around them (not just technical issues).

I wanted to see if anyone had suggestions/recommendations on alternatives that 
aren't going to trigger a huge price jump.
Are we going to be better off having a provider/company for SSL and another for 
DNS, or are there good options that provide both?

As far as certificates, so far I'm liking the looks of DigiCert and RapidSSL 
but am open to options.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE
500 North Meridian St
Suite 500
Indianapolis, IN 46204-1213
www.harrison.edu<http://www.harrison.edu/>



RE: Recommendations for DNS/SSL provider

2013-02-26 Thread Damien Solodow
The issues raised by the team member who started the discussion center around 
some of their practices (obnoxious/exploitive commercials, support for SOPA, 
etc). I'm not really seeing those as business driving decisions, but there are 
other issues that do annoy me like their less than friendly website, the 
required intermediate certificates, and the fact that most things seem to have 
two sets of SSL instructions, one for GoDaddy and one for everyone else. :)

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com] 
Sent: Monday, February 25, 2013 9:52 PM
To: NT System Admin Issues
Subject: RE: Recommendations for DNS/SSL provider



> There is currently some discussion about moving away from them due to
> various concerns around them (not just technical issues).



Alright, you can't just leave us there:) What's the issue? I have a few 
companies setup with them?


jlc



RE: Recommendations for DNS/SSL provider

2013-02-26 Thread Jeff Frantz
I've used DNS Made Easy for 7 or 8 years with no issues.  For SSL, I was using 
Thawte which is part of VeriSign.  As soon as Symantec bought VeriSign, I 
bailed on the impending doom and now use Network Solutions SSL certs.  Network 
Solutions SSL prices are reasonable.  I've found if you have a Network 
Solutions account, log in and browse around the SSL area.  Then in a day or two 
you'll get a nice discount offer email to save anywhere from 20%-50% on 
their certificates.

-Jeff

From: Damien Solodow [mailto:damien.solo...@harrison.edu]
Sent: Monday, February 25, 2013 3:25 PM
To: NT System Admin Issues
Subject: Recommendations for DNS/SSL provider

Currently we are using GoDaddy for our SSL certs, domain registration and 
parking/forwarding of some domains.
Our main DNS zones are hosted internally, but we use them to point/redirect 
various domains to our main ones.

There is currently some discussion about moving away from them due to various 
concerns around them (not just technical issues).

I wanted to see if anyone had suggestions/recommendations on alternatives that 
aren't going to trigger a huge price jump.
Are we going to be better off having a provider/company for SSL and another for 
DNS, or are there good options that provide both?

As far as certificates, so far I'm liking the looks of DigiCert and RapidSSL 
but am open to options.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE
500 North Meridian St
Suite 500
Indianapolis, IN 46204-1213
www.harrison.edu<http://www.harrison.edu/>



RE: Recommendations for DNS/SSL provider

2013-02-25 Thread Joseph L. Casale


> There is currently some discussion about moving away from them due to various
> concerns around them (not just technical issues).



Alright, you can't just leave us there:) What's the issue? I have a few 
companies setup with them?


jlc



Re: Recommendations for DNS/SSL provider

2013-02-25 Thread Jeremiah Rumball
I've used Thawte a good bit in the past. I can't speak to how their prices
compare to others but their support has always been great.



On Mon, Feb 25, 2013 at 3:40 PM, Walker, Michael wrote:

>  We have been using Comodo for the last 14 years or so.  They are not
> quite as cheap as GoDaddy but is still less than Verisign.
>
> I wouldn't say their customer / technical support is excellent but they
> have been helpful whenever I needed something.
>
> *Michael Walker*
> *Senior Network Engineer*
> Citrus Valley Health Partners
> 1115 S. Sunset Ave, West Covina, CA  91723
> *Phone/Fax/Pager: (888) 299-6882*
> *mwal...@mail.cvhp.org*
>
> *From:* Damien Solodow [mailto:damien.solo...@harrison.edu]
> *Sent:* Monday, February 25, 2013 12:25 PM
> *To:* NT System Admin Issues
> *Subject:* Recommendations for DNS/SSL provider
>
> Currently we are using GoDaddy for our SSL certs, domain registration and
> parking/forwarding of some domains.
>
> Our main DNS zones are hosted internally, but we use them to
> point/redirect various domains to our main ones.
>
> There is currently some discussion about moving away from them due to
> various concerns around them (not just technical issues).
>
> I wanted to see if anyone had suggestions/recommendations on alternatives
> that aren't going to trigger a huge price jump.
>
> Are we going to be better off having a provider/company for SSL and
> another for DNS, or are there good options that provide both?
>
> As far as certificates, so far I'm liking the looks of DigiCert and
> RapidSSL but am open to options.
>
> DAMIEN SOLODOW
> Systems Engineer
> 317.447.6033 (office)
> 317.447.6014 (fax)
> HARRISON COLLEGE
> 500 North Meridian St
> Suite 500
> Indianapolis, IN 46204-1213
> www.harrison.edu


RE: Recommendations for DNS/SSL provider

2013-02-25 Thread Walker, Michael
We have been using Comodo for the last 14 years or so.  They are not quite as 
cheap as GoDaddy but is still less than Verisign.
I wouldn't say their customer / technical support is excellent but they have 
been helpful whenever I needed something.

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
1115 S. Sunset Ave, West Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org<mailto:mwal...@mail.cvhp.org>

From: Damien Solodow [mailto:damien.solo...@harrison.edu]
Sent: Monday, February 25, 2013 12:25 PM
To: NT System Admin Issues
Subject: Recommendations for DNS/SSL provider

Currently we are using GoDaddy for our SSL certs, domain registration and 
parking/forwarding of some domains.
Our main DNS zones are hosted internally, but we use them to point/redirect 
various domains to our main ones.

There is currently some discussion about moving away from them due to various 
concerns around them (not just technical issues).

I wanted to see if anyone had suggestions/recommendations on alternatives that 
aren't going to trigger a huge price jump.
Are we going to be better off having a provider/company for SSL and another for 
DNS, or are there good options that provide both?

As far as certificates, so far I'm liking the looks of DigiCert and RapidSSL 
but am open to options.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE
500 North Meridian St
Suite 500
Indianapolis, IN 46204-1213
www.harrison.edu<http://www.harrison.edu/>



Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-28 Thread Steven Peck
Years ago our networking team insisted on having them on so we had a
discussion.  Cisco's response at the time was ... we comply with RFC821 and
RFC822.  My reply was those were deprecated years ago and here's the
current standard (2821/2822 at the time) and that was all it took to get
them disabled.

My guess is Cisco still hasn't updated them.

On Thu, Jan 24, 2013 at 5:15 AM, Kennedy, Jim
wrote:

> The one that amazes me is the smtp fixup on Cisco. That one has been an
> issue for 10 years or so.
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, January 23, 2013 5:44 PM
> To: NT System Admin Issues
> Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
> > To clarify...the dns fixup refers to Cisco firewalls/asa's.
>
>   I've noticed that Cisco's "fixup" features tend to break things.
>
> -- Ben
>

RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-28 Thread Kennedy, Jim
Add to the below...your ISP turned on dns fixup this weekend on their internet 
facing firewall since they don't have that issue and the below scenario fits 
the symptoms anyway.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, January 28, 2013 12:10 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Mon, Jan 28, 2013 at 11:50 AM, Robert Peterson  
wrote:
> ... once we added our ISP's DNS resolvers as "Forwarder" we 
> immediately restored DNS performance.
> Could something have happened over last weekend to limit use of Root Hints?

  Nothing globally, or DNS would stop working.

  My guess is your routers/firewalls don't like EDNS0, *and* your ISP 
nameservers don't support EDNS0, so when talking to your ISP nameservers, EDNS0 
doesn't get used, and your firewalls don't gag.
This is a pure guess on my part, but what you describe is *the* classic problem 
report for EDNS0 incompatibility.

-- Ben




Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-28 Thread Ben Scott
On Mon, Jan 28, 2013 at 11:50 AM, Robert Peterson
 wrote:
> ... once we added our ISP's DNS resolvers as "Forwarder" we
> immediately restored DNS performance.
> Could something have happened over last weekend to limit use of Root Hints?

  Nothing globally, or DNS would stop working.

  My guess is your routers/firewalls don't like EDNS0, *and* your ISP
nameservers don't support EDNS0, so when talking to your ISP
nameservers, EDNS0 doesn't get used, and your firewalls don't gag.
This is a pure guess on my part, but what you describe is *the*
classic problem report for EDNS0 incompatibility.

-- Ben
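
Added example, not part of the post above or of any list member's code: an offline Python model of the EDNS0 failure pattern guessed at in that post. The function names, the constructed 40-record reply for `example.com`, and the simplification that a server without EDNS0 support simply ignores the OPT record are assumptions; 512 bytes is the classic DNS UDP limit and 4096 is the `maximum-length` value quoted elsewhere in this thread.

```python
import struct

CLASSIC_LIMIT = 512   # RFC 1035 UDP message limit when EDNS0 is not in use
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    parts = [p.encode("ascii") for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"


def opt_record(udp_size):
    """EDNS0 OPT pseudo-record: root name, TYPE 41, CLASS carries the UDP size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_query(name, edns_udp_size=None, txid=0x1234):
    """Build an A query; append an OPT record when edns_udp_size is given."""
    arcount = 0 if edns_udp_size is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if edns_udp_size is not None:
        msg += opt_record(edns_udp_size)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name that starts at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:        # a compression pointer is two bytes
            return off + 2
        off += 1 + n


def advertised_udp_size(msg):
    """Return the UDP size from the message's OPT record, or None without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None


def server_reply(query, n_records, server_supports_edns=True):
    """Constructed reply carrying up to n_records A records (sample data).

    Assumption: a server without EDNS0 support ignores the OPT record and
    answers within the classic 512-byte limit.
    """
    size = advertised_udp_size(query) if server_supports_edns else None
    limit = CLASSIC_LIMIT if size is None else max(size, CLASSIC_LIMIT)
    question = query[12:skip_name(query, 12) + 4]
    extra = b"" if size is None else opt_record(4096)
    # One A record: pointer to the question name, 300 s TTL, 192.0.2.1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    room = limit - 12 - len(question) - len(extra)
    fit = min(n_records, room // len(rr))
    flags = 0x8180 | (0x0200 if fit < n_records else 0)   # TC bit when cut short
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, fit, 0, 1 if extra else 0)
    return header + question + rr * fit + extra


def lookup_outcome(query, n_records, firewall_max, server_supports_edns=True):
    """What the resolver sees after the reply crosses a length-checking firewall."""
    reply = server_reply(query, n_records, server_supports_edns)
    if len(reply) > firewall_max:
        return "dropped"      # reply never arrives: the resolver times out
    if struct.unpack("!H", reply[2:4])[0] & 0x0200:
        return "truncated"    # TC set: the resolver retries over TCP
    return "answered"


if __name__ == "__main__":
    edns = build_query("example.com", edns_udp_size=4096)
    plain = build_query("example.com")
    print("EDNS0, firewall 512 :", lookup_outcome(edns, 40, 512))
    print("EDNS0, firewall 4096:", lookup_outcome(edns, 40, 4096))
    print("no EDNS0, fw 512    :", lookup_outcome(plain, 40, 512))
    print("EDNS0 ignored by fwd:", lookup_outcome(edns, 40, 512, False))
```

Small replies pass in every case, which is why this pattern tends to show up as slow or intermittent resolution rather than a total outage.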



RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-28 Thread Robert Peterson
I found the main "road block" or "bottleneck" that we were experiencing with 
DNS services, just not sure why we didn't see these issues years before.

We were directed years ago to NOT setup "Forwarders" in DNS, and instead rely 
totally on Root Hints if our DNS could not resolve, it's been that way for 
multiple years.  However, once we added our ISP's DNS resolvers as "Forwarder" 
we immediately restored DNS performance.

Could something have happened over last weekend to limit use of Root Hints? 



-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Thursday, January 24, 2013 9:26 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

I still wonder why just this past weekend it hit you. Sounded very sudden.

-Original Message-
From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Thursday, January 24, 2013 10:22 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you everyone for your help.
Applied some recommendations last night from this article... so far so good.
http://support.microsoft.com/kb/956188


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Thursday, January 24, 2013 7:16 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-24 Thread Andrew S. Baker
Indeed...





ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…





On Thu, Jan 24, 2013 at 8:15 AM, Kennedy, Jim
wrote:

> The one that amazes me is the smtp fixup on Cisco. That one has been an
> issue for 10 years or so.
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, January 23, 2013 5:44 PM
> To: NT System Admin Issues
> Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
> > To clarify...the dns fixup refers to Cisco firewalls/asa's.
>
>   I've noticed that Cisco's "fixup" features tend to break things.
>
> -- Ben
>
>


RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-24 Thread Kennedy, Jim
I still wonder why just this past weekend it hit you. Sounded very sudden.

-Original Message-
From: Robert Peterson [mailto:robert.peter...@prin.edu] 
Sent: Thursday, January 24, 2013 10:22 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you everyone for your help.
Applied some recommendations last night from this article... so far so good.
http://support.microsoft.com/kb/956188


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Thursday, January 24, 2013 7:16 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-24 Thread Robert Peterson
Thank you everyone for your help.
Applied some recommendations last night from this article... so far so good.
http://support.microsoft.com/kb/956188


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Thursday, January 24, 2013 7:16 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-24 Thread Kennedy, Jim
The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Ben Scott
On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim
 wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Kurt Buff
To test this for your environment...

Get this:
http://www.techrepublic.com/article/use-dig-to-administer-windows-dns-servers/5032892

Then do this:
https://www.dns-oarc.net/oarc/services/replysizetest

Kurt

On Wed, Jan 23, 2013 at 1:15 PM, Robert Peterson
 wrote:
> We do not have Cisco firewalls, though everything else is Cisco (switches, 
> routers, VOIP)
> Has anyone seen this issue using Fortinet firewalls?
> Thx,
> Robert
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, January 23, 2013 3:05 PM
> To: NT System Admin Issues
> Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Definitely better to fix the firewall than to limit the size of DNS queries on 
> the server.
> Other firewalls have needed similar fixes, too - not just Cisco.
> Kurt
>
> On Wed, Jan 23, 2013 at 11:44 AM, Kennedy, Jim  
> wrote:
>> Yes. At some point your DNS servers are talking to the outside
>> work…directly or via forwarders I would assume.  If dns fixup is
>> enabled you need to allow longer lookups.
>>
>> fixup protocol dns maximum-length 4096
>>
>> Or turn off eDNS on the 2003 servers.
>> dnscmd /Config /EnableEDnsProbes 0
>
>> From: Robert Peterson [mailto:robert.peter...@prin.edu]
>> Sent: Wednesday, January 23, 2013 2:39 PM
>>
>> To: NT System Admin Issues
>> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>> Thank you Jim.
>>
>> We have no Cisco firewalls, but all Cisco switches, routers. A new
>> switch may have gone in last week.  We also are in the middle of a
>> Cisco VOIP project, past 6 months. Phones all up, but they are still
>> working out tweaks, etc. Trying to make a “Jabber” client work on desktops 
>> and PDAs.
>>
>> Something on the Cisco side I should dig into?
>>
>> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
>> Sent: Wednesday, January 23, 2013 1:14 PM
>> To: NT System Admin Issues
>> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>>
>>
>>
>> Did someone put in a shiny new Cisco firewall this past weekend?
>
>
>> From: Robert Peterson [mailto:robert.peter...@prin.edu]
>> Sent: Wednesday, January 23, 2013 2:02 PM
>> To: NT System Admin Issues
>> Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>>
>> Hoping this is an old problem and someone has ideas?
>>
>> We have Server 2003 R2 SP2 Domain Controllers, four of them.
>>
>> Since this past weekend, we saw a large increase in Event 5504 warnings.
>> Eventually the DC gives an Event 7502 and DNS services hang.
>>
>> When DNS hangs, memory usage of the DNS service has grown to 800,000K,
>> after reboot the memory usage starts around 50,000K.
>>
>> Found a registry setting to add an EnableDuplicateQuerySuppression DWORD “0”
>> setting.  This has stopped the memory growth/leaks, and replaced the
>> 5504 errors with numerous 404 and 408 errors, till probably due to the
>> registry change to suppress “dups” it has quit logging those.
>>
>> DNS memory usage is stable around 100,000K and DNS services to our
>> users is remaining stable too.
>>
>> However, I feel this is just a stopgap and I need to resolve the real
>> culprit… thoughts? Ideas?
>>
>> As always… great listserv & thanks!
>> Robert
>>
>
>



RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Robert Peterson
We do not have Cisco firewalls, though everything else is Cisco (switches, 
routers, VOIP)
Has anyone seen this issue using Fortinet firewalls?
Thx,
Robert

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, January 23, 2013 3:05 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Definitely better to fix the firewall than to limit the size of DNS queries on 
the server.
Other firewalls have needed similar fixes, too - not just Cisco.
Kurt

On Wed, Jan 23, 2013 at 11:44 AM, Kennedy, Jim  
wrote:
> Yes. At some point your DNS servers are talking to the outside 
> work…directly or via forwarders I would assume.  If dns fixup is 
> enabled you need to allow longer lookups.
>
> fixup protocol dns maximum-length 4096
>
> Or turn off eDNS on the 2003 servers.
> dnscmd /Config /EnableEDnsProbes 0

> From: Robert Peterson [mailto:robert.peter...@prin.edu]
> Sent: Wednesday, January 23, 2013 2:39 PM
>
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
> Thank you Jim.
>
> We have no Cisco firewalls, but all Cisco switches, routers. A new 
> switch may have gone in last week.  We also are in the middle of a 
> Cisco VOIP project, past 6 months. Phones all up, but they are still 
> working out tweaks, etc. Trying to make a “Jabber” client work on desktops 
> and PDAs.
>
> Something on the Cisco side I should dig into?
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, January 23, 2013 1:14 PM
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
>
>
> Did someone put in a shiny new Cisco firewall this past weekend?


> From: Robert Peterson [mailto:robert.peter...@prin.edu]
> Sent: Wednesday, January 23, 2013 2:02 PM
> To: NT System Admin Issues
> Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Hoping this is an old problem and someone has ideas?
>
> We have Server 2003 R2 SP2 Domain Controllers, four of them.
>
> Since this past weekend, we saw a large increase in Event 5504 warnings.
> Eventually the DC gives an Event 7502 and DNS services hang.
>
> When DNS hangs, memory usage of the DNS service has grown to 800,000K, 
> after reboot the memory usage starts around 50,000K.
>
> Found a registry setting to add an EnableDuplicateQuerySuppression DWORD “0”
> setting.  This has stopped the memory growth/leaks, and replaced the 
> 5504 errors with numerous 404 and 408 errors, till probably due to the 
> registry change to suppress “dups” it has quit logging those.
>
> DNS memory usage is stable around 100,000K and DNS services to our 
> users is remaining stable too.
>
> However, I feel this is just a stopgap and I need to resolve the real 
> culprit… thoughts? Ideas?
>
> As always… great listserv & thanks!
> Robert
>



Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Kurt Buff
Definitely better to fix the firewall than to limit the size of DNS
queries on the server.

Other firewalls have needed similar fixes, too - not just Cisco.

Kurt

On Wed, Jan 23, 2013 at 11:44 AM, Kennedy, Jim
 wrote:
> Yes. At some point your DNS servers are talking to the outside work…directly
> or via forwarders I would assume.  If dns fixup is enabled you need to allow
> longer lookups.
>
>
>
> fixup protocol dns maximum-length 4096
>
>
>
> Or turn off eDNS on the 2003 servers.
>
>
>
> dnscmd /Config /EnableEDnsProbes 0
>
>
>
>
>
>
>
>
>
> From: Robert Peterson [mailto:robert.peter...@prin.edu]
> Sent: Wednesday, January 23, 2013 2:39 PM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
>
>
> Thank you Jim.
>
> We have no Cisco firewalls, but all Cisco switches, routers. A new switch
> may have gone in last week.  We also are in the middle of a Cisco VOIP
> project, past 6 months. Phones all up, but they are still working out
> tweaks, etc. Trying to make a “Jabber” client work on desktops and PDAs.
>
>
>
> Something on the Cisco side I should dig into?
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, January 23, 2013 1:14 PM
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
>
>
> Did someone put in a shiny new Cisco firewall this past weekend?
>
>
>
> From: Robert Peterson [mailto:robert.peter...@prin.edu]
> Sent: Wednesday, January 23, 2013 2:02 PM
> To: NT System Admin Issues
> Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
>
>
> Hoping this is an old problem and someone has ideas?
>
>
>
> We have Server 2003 R2 SP2 Domain Controllers, four of them.
>
> Since this past weekend, we saw a large increase in Event 5504 warnings.
> Eventually the DC gives an Event 7502 and DNS services hang.
>
>
>
> When DNS hangs, memory usage of the DNS service has grown to 800,000K, after
> reboot the memory usage starts around 50,000K.
>
>
>
> Found a registry setting to add an EnableDuplicateQuerySuppression DWORD “0”
> setting.  This has stopped the memory growth/leaks, and replaced the 5504
> errors with numerous 404 and 408 errors, till probably due to the registry
> change to suppress “dups” it has quit logging those.
>
>
>
> DNS memory usage is stable around 100,000K and DNS services to our users is
> remaining stable too.
>
>
>
> However, I feel this is just a stopgap and I need to resolve the real
> culprit… thoughts? Ideas?
>
>
>
> As always… great listserv & thanks!
>
> Robert
>



RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Kennedy, Jim
To clarify...the dns fixup refers to Cisco firewalls/asa's.

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 23, 2013 2:48 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Yes. At some point your DNS servers are talking to the outside work...directly 
or via forwarders I would assume.  If dns fixup is enabled you need to allow 
longer lookups.

fixup protocol dns maximum-length 4096

Or turn off eDNS on the 2003 servers.

dnscmd /Config /EnableEDnsProbes 0




From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:39 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you Jim.
We have no Cisco firewalls, but all Cisco switches, routers. A new switch may 
have gone in last week.  We also are in the middle of a Cisco VOIP project, 
past 6 months. Phones all up, but they are still working out tweaks, etc. 
Trying to make a "Jabber" client work on desktops and PDAs.

Something on the Cisco side I should dig into?

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 23, 2013 1:14 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Did someone put in a shiny new Cisco firewall this past weekend?

From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:02 PM
To: NT System Admin Issues
Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Hoping this is an old problem and someone has ideas?

We have Server 2003 R2 SP2 Domain Controllers, four of them.
Since this past weekend, we saw a large increase in Event 5504 warnings. 
Eventually the DC gives an Event 7502 and DNS services hang.

When DNS hangs, memory usage of the DNS service has grown to 800,000K, after 
reboot the memory usage starts around 50,000K.

Found a registry setting to add an EnableDuplicateQuerySuppression DWORD "0" 
setting.  This has stopped the memory growth/leaks, and replaced the 5504 
errors with numerous 404 and 408 errors, till probably due to the registry 
change to suppress "dups" it has quit logging those.

DNS memory usage is stable around 100,000K and DNS services to our users is 
remaining stable too.

However, I feel this is just a stopgap and I need to resolve the real 
culprit... thoughts? Ideas?

As always... great listserv & thanks!
Robert


RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Kennedy, Jim
Yes. At some point your DNS servers are talking to the outside work...directly 
or via forwarders I would assume.  If dns fixup is enabled you need to allow 
longer lookups.

fixup protocol dns maximum-length 4096

Or turn off eDNS on the 2003 servers.

dnscmd /Config /EnableEDnsProbes 0




From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:39 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you Jim.
We have no Cisco firewalls, but all Cisco switches, routers. A new switch may 
have gone in last week.  We also are in the middle of a Cisco VOIP project, 
past 6 months. Phones all up, but they are still working out tweaks, etc. 
Trying to make a "Jabber" client work on desktops and PDAs.

Something on the Cisco side I should dig into?

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 23, 2013 1:14 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Did someone put in a shiny new Cisco firewall this past weekend?

From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:02 PM
To: NT System Admin Issues
Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Hoping this is an old problem and someone has ideas?

We have Server 2003 R2 SP2 Domain Controllers, four of them.
Since this past weekend, we saw a large increase in Event 5504 warnings. 
Eventually the DC gives an Event 7502 and DNS services hang.

When DNS hangs, memory usage of the DNS service has grown to 800,000K, after 
reboot the memory usage starts around 50,000K.

Found a registry setting to add an EnableDuplicateQuerySuppression DWORD "0" 
setting.  This has stopped the memory growth/leaks, and replaced the 5504 
errors with numerous 404 and 408 errors, till probably due to the registry 
change to suppress "dups" it has quit logging those.

DNS memory usage is stable around 100,000K and DNS services to our users is 
remaining stable too.

However, I feel this is just a stopgap and I need to resolve the real 
culprit... thoughts? Ideas?

As always... great listserv & thanks!
Robert


RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Robert Peterson
Thank you Jim.
We have no Cisco firewalls, but all Cisco switches, routers. A new switch may 
have gone in last week.  We also are in the middle of a Cisco VOIP project, 
past 6 months. Phones all up, but they are still working out tweaks, etc. 
Trying to make a "Jabber" client work on desktops and PDAs.

Something on the Cisco side I should dig into?

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 23, 2013 1:14 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Did someone put in a shiny new Cisco firewall this past weekend?

From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:02 PM
To: NT System Admin Issues
Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Hoping this is an old problem and someone has ideas?

We have Server 2003 R2 SP2 Domain Controllers, four of them.
Since this past weekend, we saw a large increase in Event 5504 warnings. 
Eventually the DC gives an Event 7502 and DNS services hang.

When DNS hangs, memory usage of the DNS service has grown to 800,000K, after 
reboot the memory usage starts around 50,000K.

Found a registry setting to add an EnableDuplicateQuerySuppression DWORD "0" 
setting.  This has stopped the memory growth/leaks, and replaced the 5504 
errors with numerous 404 and 408 errors, till probably due to the registry 
change to suppress "dups" it has quit logging those.

DNS memory usage is stable around 100,000K and DNS services to our users is 
remaining stable too.

However, I feel this is just a stopgap and I need to resolve the real 
culprit... thoughts? Ideas?

As always... great listserv & thanks!
Robert


RE: Has anyone used ActiveRoles DNS Manager?

2012-12-19 Thread David Lum
Solved. Need the 2005 client

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, December 19, 2012 12:16 PM
To: NT System Admin Issues
Subject: Has anyone used ActiveRoles DNS Manager?

http://www.quest.com/activeroles-server/dnsm.aspx

Trying to install it it's telling me I need to install SQL Native client (or 
later). Installing the 2008 R2 native client it still says I need it. I'd call 
Quest but I'm hesitant because they'll just send me to a sales droid, so if I 
can avoid it...
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



RE: DNS/Replication broken after MS updates?

2012-12-14 Thread Phil Hershey
Thanks.  It turned out to be a bad interaction between the 12/13 updates
and the Active Administrator agent.

-Philip Hershey

This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return e-mail, delete this communication and destroy all copies.


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Thursday, December 13, 2012 1:05 PM
To: NT System Admin Issues
Subject: RE: DNS/Replication broken after MS updates?

+1

It will fail and warn in weird ways depending upon how you have the
security set up on dynamic registration.

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net]
Sent: Thursday, December 13, 2012 4:02 PM
To: NT System Admin Issues
Subject: Re: DNS/Replication broken after MS updates?

You would see a bunch of errors in the Directory Service log if
replication were actually busted.  IME it's normal for the dcdiag DNS
tests (and dcpromo, often) to complain about DNS delegations, even in a
perfectly healthy environment.

--Steve

On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:
> Our DCs are set to install MS updates automatically, and apparently 
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS 
> test finishes with:
>
> Summary of DNS test results:
>
>                                Auth Basc Forw Del  Dyn  RReg Ext
>    ________________________________________________________________
> Domain: agia.in
>
>    dc-ca1                      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2                    PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5                    PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1                      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3                    PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4                    PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is 
> unavailable.  Of course the RPC Server service is up and running on 
> all the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external 
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA
>
>
>



RE: DNS/Replication broken after MS updates?

2012-12-13 Thread Free, Bob
I've actually had an experienced  PFE tell me there is no reason to run that 
arg in production unless you have a "really good reason and know exactly what 
you are doing"

-Original Message-
From: Webster [mailto:webs...@carlwebster.com] 
Sent: Thursday, December 13, 2012 2:11 PM
To: NT System Admin Issues
Subject: RE: DNS/Replication broken after MS updates?

Why are you having to force replication between all domain controllers?  Find 
and fix what is broken.

Thanks


Webster

> -Original Message-
> From: Phil Hershey [mailto:phers...@agia.com]
> Subject: RE: DNS/Replication broken after MS updates?
> 
> Ah, but what tipped me off is definitely not normal.  I have a batch 
> file that runs a series of REPADMIN /SYNCALL commands to force 
> replication between all the DCs.  It hasn't thrown an error in 
> literally years, and normally takes about 5 seconds to complete.  Now 
> every single server coughs up the RPC Server is unavailable error.





PG&E is committed to protecting our customers' privacy. 
To learn more, please visit http://www.pge.com/about/company/privacy/customer/



RE: DNS/Replication broken after MS updates?

2012-12-13 Thread Webster
Why are you having to force replication between all domain controllers?  Find 
and fix what is broken.

Thanks


Webster

> -Original Message-
> From: Phil Hershey [mailto:phers...@agia.com]
> Subject: RE: DNS/Replication broken after MS updates?
> 
> Ah, but what tipped me off is definitely not normal.  I have a batch file that
> runs a series of REPADMIN /SYNCALL commands to force replication
> between all the DCs.  It hasn't thrown an error in literally years, and 
> normally
> takes about 5 seconds to complete.  Now every single server coughs up the
> RPC Server is unavailable error.





RE: DNS/Replication broken after MS updates?

2012-12-13 Thread Phil Hershey
Ah, but what tipped me off is definitely not normal.  I have a batch
file that runs a series of REPADMIN /SYNCALL commands to force
replication between all the DCs.  It hasn't thrown an error in literally
years, and normally takes about 5 seconds to complete.  Now every single
server coughs up the RPC Server is unavailable error.

You're right though, the DS event log is clean.  So is the FRS log.

Perhaps I should just head home on time, not worry about and have a
beer. 

-Philip Hershey



-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net] 
Sent: Thursday, December 13, 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: DNS/Replication broken after MS updates?

You would see a bunch of errors in the Directory Service log if
replication were actually busted.  IME it's normal for the dcdiag DNS
tests (and dcpromo, often) to complain about DNS delegations, even in a
perfectly healthy environment.

--Steve

On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:
> Our DCs are set to install MS updates automatically, and apparently 
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS 
> test finishes with:
>
> Summary of DNS test results:
>
>
>             Auth Basc Forw Del  Dyn  RReg Ext
> _
> Domain: agia.in
>
>    dc-ca1   PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2 PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5 PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1   PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3 PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4 PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is 
> unavailable.  Of course the RPC Server service is up and running on 
> all the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external 
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA
>
>
>
>




RE: DNS/Replication broken after MS updates?

2012-12-13 Thread Kennedy, Jim
+1

It will fail and warn in weird ways depending upon how you have the security 
set up on dynamic registration.

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net] 
Sent: Thursday, December 13, 2012 4:02 PM
To: NT System Admin Issues
Subject: Re: DNS/Replication broken after MS updates?

You would see a bunch of errors in the Directory Service log if replication 
were actually busted.  IME it's normal for the dcdiag DNS tests (and dcpromo, 
often) to complain about DNS delegations, even in a perfectly healthy 
environment.

--Steve

On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:
> Our DCs are set to install MS updates automatically, and apparently 
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS 
> test finishes with:
>
> Summary of DNS test results:
>
>
>             Auth Basc Forw Del  Dyn  RReg Ext
> _
> Domain: agia.in
>
>    dc-ca1   PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2 PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5 PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1   PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3 PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4 PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is 
> unavailable.  Of course the RPC Server service is up and running on 
> all the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external 
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty 
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA
>
>
>
>




Re: DNS/Replication broken after MS updates?

2012-12-13 Thread Richard Stovall
See D. Lum's earlier post titled "Heads up: MS12-081 KB2758857 issue."

They might be related somehow.  Uninstalling 2758857 solved his issues.  It
might be worth a shot starting with that one if you do think it's related
to yesterday's updates.

In every environment I've ever managed, no matter how small, I've always
disabled auto updates on DCs.  Just a thought...


On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:

> Our DCs are set to install MS updates automatically, and apparently
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS test
> finishes with:
>
> Summary of DNS test results:
>
>
>             Auth Basc Forw Del  Dyn  RReg Ext
> _
> Domain: agia.in
>
>    dc-ca1   PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2 PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5 PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1   PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3 PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4 PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is
> unavailable.  Of course the RPC Server service is up and running on all
> the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA
>
>
>
>
>


Re: DNS/Replication broken after MS updates?

2012-12-13 Thread Steve Kradel
You would see a bunch of errors in the Directory Service log if
replication were actually busted.  IME it's normal for the dcdiag DNS
tests (and dcpromo, often) to complain about DNS delegations, even in
a perfectly healthy environment.

--Steve

On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:
> Our DCs are set to install MS updates automatically, and apparently
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS test
> finishes with:
>
> Summary of DNS test results:
>
>
>             Auth Basc Forw Del  Dyn  RReg Ext
> _
> Domain: agia.in
>
>    dc-ca1   PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2 PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5 PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1   PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3 PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4 PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is
> unavailable.  Of course the RPC Server service is up and running on all
> the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA
>
>
>
>



DNS/Replication broken after MS updates?

2012-12-13 Thread Phil Hershey
Our DCs are set to install MS updates automatically, and apparently
yesterday morning they did.  Now replication is busted.  DCDIAG DNS test
finishes with:

Summary of DNS test results:

 
            Auth Basc Forw Del  Dyn  RReg Ext
_
Domain: agia.in

   dc-ca1   PASS PASS PASS FAIL PASS PASS n/a
   mail-dc2 PASS PASS PASS FAIL PASS FAIL n/a
   mail-dc5 PASS PASS PASS FAIL PASS PASS n/a
   dc-az1   PASS PASS PASS FAIL PASS PASS n/a
   mail-dc3 PASS PASS PASS FAIL PASS PASS n/a
   mail-dc4 PASS PASS PASS FAIL PASS PASS n/a
 
 . agia.in failed test DNS

Not good.  REPADMIN SYNCALL passes all error out with RPC Server is
unavailable.  Of course the RPC Server service is up and running on all
the DCs.

Checking the DNS event log shows a 4014 error that's empty, of course.
Plus a few event  4521's showing rejected DNS packets from external
sources.

Any chance the MS updates from yesterday caused this?  It seems mighty
coincidental.

Thanks.



Philip Hershey
AGIA Insurance Services
Carpinteria, CA 






Re: DNS settings in GPO or logon script

2012-11-29 Thread Kurt Buff
Why the wait?

Spin up a set of DHCP scopes now, and start the migration. Your only catch
will be to make sure that the DHCP server is configured to send probes to
make sure an address isn't taken before assigning a lease.

Kurt

On Thu, Nov 29, 2012 at 12:40 PM, itli...@imcu.com  wrote:

> We will be moving to a more DHCP type shop in the next couple of years.
> But not quite yet.
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Posted At:* Thursday, November 29, 2012 3:05 PM
> *Posted To:* itli...@imcu.com
> *Conversation:* DNS settings in GPO or logon script
>
> *Subject:* Re: DNS settings in GPO or logon script
>
> Well, I assign all my IP addresses via reservations, so I'm essentially
> static.  I thought I'd float it, just in case. 
>
> On Thu, Nov 29, 2012 at 2:44 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
>
> He has 24 LANs statically addressed.
>
>  
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Thursday, November 29, 2012 2:40 PM
>
>
> *To:* NT System Admin Issues
>
> *Subject:* Re: DNS settings in GPO or logon script
>
>  
>
> Isn't it better to set this via the DHCP server (assuming one is being
> used)?
>
>  
>
> On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
> christopher_bod...@glic.com> wrote:
>
> I would start with something like this in PowerShell.
>
> http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell
>
>
> I'd modify it to look at the current DNS server config of the adapter and
> only modify it if it's got the old DNS server address. I think that's what
> you are trying to do. 
>
> *Christopher Bodnar*
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services 
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
>
> *
> The Guardian Life Insurance Company of America*
> *
> *www.guardianlife.com 
>
>
>
>
>
>
> From:"itli...@imcu.com" 
> To:"NT System Admin Issues"  >
> Date:11/29/2012 01:54 PM 
>
> Subject:DNS settings in GPO or logon script 
> --
>
>
>
>
>
> I have active directory server 2008r2 standard.
> I want to push DNS primary and secondary.  I can netsh it but not everyone
> has the same adapter settings name?
> I have all static addressing on all 24 LAN’s.
> How am I going to get this done? 
>
>


Re: DNS settings in GPO or logon script

2012-11-29 Thread Jonathan Link
Sometimes you have to rip the bandaid off. :-)

On Thursday, November 29, 2012, itli...@imcu.com wrote:

> We will be moving to a more DHCP type shop in the next couple of years.
> But not quite yet.
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Posted At:* Thursday, November 29, 2012 3:05 PM
> *Posted To:* itli...@imcu.com
> *Conversation:* DNS settings in GPO or logon script
> *Subject:* Re: DNS settings in GPO or logon script
>
> Well, I assign all my IP addresses via reservations, so I'm essentially
> static.  I thought I'd float it, just in case. 
>
> On Thu, Nov 29, 2012 at 2:44 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
>
> He has 24 LANs statically addressed.
>
>  
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Thursday, November 29, 2012 2:40 PM
>
>
> *To:* NT System Admin Issues
>
> *Subject:* Re: DNS settings in GPO or logon script
>
>  
>
> Isn't it better to set this via the DHCP server (assuming one is being
> used)?
>
>  
>
> On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
> christopher_bod...@glic.com> wrote:
>
> I would start with something like this in PowerShell.
>
> http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell
>
>
> I'd modify it to look at the current DNS server config of the adapter and
> only modify it if it's got the old DNS server address. I think that's what
> you are trying to do. 
>
> *Christopher Bodnar*
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services 
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com 
>
>
> *
> The Guardian Life Insurance Company of America*
> *
> *www.guardianlife.com 
>
>
>
>
>
>
> From:"itli...@imcu.com" 
> To:"NT System Admin Issues"  >
> Date:11/29/2012 01:54 PM 
>
>


RE: DNS settings in GPO or logon script

2012-11-29 Thread itli...@imcu.com
We will be moving to a more DHCP type shop in the next couple of years.
But not quite yet.

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Posted At: Thursday, November 29, 2012 3:05 PM
Posted To: itli...@imcu.com
Conversation: DNS settings in GPO or logon script
Subject: Re: DNS settings in GPO or logon script

 

Well, I assign all my IP addresses via reservations, so I'm essentially
static.  I thought I'd float it, just in case. 

 

 

 

On Thu, Nov 29, 2012 at 2:44 PM, Kennedy, Jim <
kennedy...@elyriaschools.org> wrote:

He has 24 LANs statically addressed.

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Thursday, November 29, 2012 2:40 PM


To: NT System Admin Issues

Subject: Re: DNS settings in GPO or logon script

 

Isn't it better to set this via the DHCP server (assuming one is being
used)?

 

On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
christopher_bod...@glic.com> wrote:

I would start with something like this in PowerShell. 

http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell


I'd modify it to look at the current DNS server config of the adapter
and only modify it if it's got the old DNS server address. I think
that's what you are trying to do. 

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise
Architecture and Engineering Services 

Tel 610-807-6459  
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 

 

The Guardian Life Insurance Company of America

www.guardianlife.com <http://www.guardianlife.com/>  








From:"itli...@imcu.com"  
To:"NT System Admin Issues" <
ntsysadmin@lyris.sunbelt-software.com> 
Date:11/29/2012 01:54 PM 

Subject:DNS settings in GPO or logon script 

____




  
I have active directory server 2008r2 standard. 
I want to push DNS primary and secondary.  I can netsh it but not
everyone has the same adapter settings name? 
I have all static addressing on all 24 LAN's. 
How am I going to get this done? 


Re: DNS settings in GPO or logon script

2012-11-29 Thread Jonathan Link
Well, I assign all my IP addresses via reservations, so I'm essentially
static.  I thought I'd float it, just in case.




On Thu, Nov 29, 2012 at 2:44 PM, Kennedy, Jim
wrote:

>  He has 24 LANs statically addressed.
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Thursday, November 29, 2012 2:40 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: DNS settings in GPO or logon script
>
> Isn't it better to set this via the DHCP server (assuming one is being
> used)?
>
> On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
> christopher_bod...@glic.com> wrote:
>
> I would start with something like this in PowerShell.
>
> http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell
>
>
> I'd modify it to look at the current DNS server config of the adapter and
> only modify it if it's got the old DNS server address. I think that's what
> you are trying to do.
>
> 
>
> *Christopher Bodnar*
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services 
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com 
>
>
> *
> The Guardian Life Insurance Company of America*
> *
> *www.guardianlife.com 
>
>
>
>
>
>
> From:"itli...@imcu.com" 
> To:"NT System Admin Issues"  >
> Date:11/29/2012 01:54 PM 
>
> Subject:DNS settings in GPO or logon script 
>  --
>
>
>
>
>
> I have active directory server 2008r2 standard.
> I want to push DNS primary and secondary.  I can netsh it but not everyone
> has the same adapter settings name?
> I have all static addressing on all 24 LAN’s.
> How am I going to get this done? 
>
>


RE: DNS settings in GPO or logon script

2012-11-29 Thread Kennedy, Jim
He has 24 LANs statically addressed.

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, November 29, 2012 2:40 PM
To: NT System Admin Issues
Subject: Re: DNS settings in GPO or logon script

Isn't it better to set this via the DHCP server (assuming one is being used)?

On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <christopher_bod...@glic.com> wrote:
I would start with something like this in PowerShell.

http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell


I'd modify it to look at the current DNS server config of the adapter and only 
modify it if it's got the old DNS server address. I think that's what you are 
trying to do.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com<mailto:christopher_bod...@glic.com>


The Guardian Life Insurance Company of America

www.guardianlife.com<http://www.guardianlife.com/>







From: "itli...@imcu.com" <itli...@imcu.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 11/29/2012 01:54 PM
Subject: DNS settings in GPO or logon script




I have active directory server 2008r2 standard.
I want to push DNS primary and secondary.  I can netsh it but not everyone has 
the same adapter settings name?
I have all static addressing on all 24 LAN's.
How am I going to get this done?


RE: DNS settings in GPO or logon script

2012-11-29 Thread itli...@imcu.com
Will that set them on Windows 7 and Windows 8 machines as well or just
windows xp?

 

From: David Lum [mailto:david@nwea.org] 
Posted At: Thursday, November 29, 2012 1:59 PM
Posted To: itli...@imcu.com
Conversation: DNS settings in GPO or logon script
Subject: RE: DNS settings in GPO or logon script

 

Policies...Administrative Templates...Network/DNS client...DNS suffix
search...

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Thursday, November 29, 2012 10:41 AM
To: NT System Admin Issues
Subject: DNS settings in GPO or logon script

 

 

I have active directory server 2008r2 standard.

I want to push DNS primary and secondary.  I can netsh it but not
everyone has the same adapter settings name?

I have all static addressing on all 24 LAN's.

How am I going to get this done?


Re: DNS settings in GPO or logon script

2012-11-29 Thread Jonathan Link
Isn't it better to set this via the DHCP server (assuming one is being
used)?


On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
christopher_bod...@glic.com> wrote:

> I would start with something like this in PowerShell.
>
> http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell
>
>
> I'd modify it to look at the current DNS server config of the adapter and
> only modify it if it's got the old DNS server address. I think that's what
> you are trying to do.
>
>
>  *Christopher Bodnar*
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services  Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
>
> *
> The Guardian Life Insurance Company of America*
> *
> **www.guardianlife.com* <http://www.guardianlife.com/>
>
>
>
>
>
>
> From:    "itli...@imcu.com" 
> To:"NT System Admin Issues"  >
> Date:11/29/2012 01:54 PM
> Subject:    DNS settings in GPO or logon script
> --
>
>
>
>
> I have active directory server 2008r2 standard.
> I want to push DNS primary and secondary.  I can netsh it but not everyone
> has the same adapter settings name?
> I have all static addressing on all 24 LAN’s.
> How am I going to get this done?
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin<>

Re: DNS settings in GPO or logon script

2012-11-29 Thread Christopher Bodnar
I would start with something like this in PowerShell. 

http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell


I'd modify it to look at the current DNS server config of the adapter and 
only modify it if it's got the old DNS server address. I think that's what 
you are trying to do.



Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America
www.guardianlife.com

From:    "itli...@imcu.com"
To:      "NT System Admin Issues"
Date:    11/29/2012 01:54 PM
Subject: DNS settings in GPO or logon script

I have active directory server 2008r2 standard.
I want to push DNS primary and secondary.  I can netsh it but not everyone 
has the same adapter settings name?
I have all static addressing on all 24 LAN’s.
How am I going to get this done?
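One way to carry out the change Christopher Bodnar describes, checking each adapter's current DNS servers and rewriting only those that still list the old server, as an added example (not from the thread or the linked article). The function name, its parameters and the sample addresses are hypothetical; it uses the WMI class Win32_NetworkAdapterConfiguration, which selects adapters by configuration rather than by connection name.

```powershell
# Added example, not code from the thread or the linked article.
# Adapters are found through WMI, so differing connection names
# (the netsh problem raised in the question) do not matter.

function Update-StaticDnsServers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,

        # Addresses being retired; an adapter is changed only if it lists one of these.
        [Parameter(Mandatory = $true)]
        [string[]]$OldDns,

        # Replacement list in order: primary first, then secondary.
        [Parameter(Mandatory = $true)]
        [string[]]$NewDns
    )

    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
        -ComputerName $ComputerName -Filter 'IPEnabled = TRUE'

    foreach ($nic in $adapters) {
        # Current DNS list (empty array when none is configured).
        $current = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $stale   = @($current | Where-Object { $OldDns -contains $_ })

        if ($stale.Count -eq 0) {
            $action = 'Skipped: old DNS server not configured'
        }
        elseif ($nic.DHCPEnabled) {
            # Design choice of this example: DHCP clients are fixed at the scope.
            $action = 'Skipped: DHCP adapter, correct the DHCP scope options'
        }
        else {
            $action = 'Not changed (-WhatIf or declined)'
            if ($PSCmdlet.ShouldProcess("$ComputerName / $($nic.Description)",
                    "Set DNS servers to $($NewDns -join ', ')")) {
                $result = $nic.SetDNSServerSearchOrder($NewDns)
                # WMI return codes: 0 = success, 1 = success, reboot required.
                if ($result.ReturnValue -eq 0 -or $result.ReturnValue -eq 1) {
                    $action = 'Changed'
                }
                else {
                    $action = "Failed, WMI return code $($result.ReturnValue)"
                }
            }
        }

        # One record per adapter, so the run doubles as a before/after audit trail.
        New-Object PSObject -Property @{
            Computer    = $ComputerName
            Adapter     = $nic.Description
            PreviousDns = $current -join ', '
            Action      = $action
        }
    }
}

# Dry run against one machine; host name and addresses are constructed placeholders.
# Update-StaticDnsServers -ComputerName 'WS01' -OldDns '10.0.0.5' `
#     -NewDns '10.0.0.10', '10.0.0.11' -WhatIf
```

Running it with -WhatIf first lists which adapters would be touched; remote use needs administrative rights and WMI access to the target.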

Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-09 Thread Jonathan Link
Violently agreeing. :D


On Fri, Nov 9, 2012 at 12:23 PM, Michael B. Smith wrote:

> Then I think we are saying the same thing, just in different ways. :)
>
> -----Original Message-----
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, November 8, 2012 1:09 PM
> To: NT System Admin Issues
> Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ
>
> On Thu, Nov 8, 2012 at 10:04 AM, Michael B. Smith 
> wrote:
> > Your statements are true in regards to DNS in the abstract. But as you
> allude to, different adapters may have access to different servers and the
> results you obtain - especially when both adapters point to DNS servers
> that have different answers for queries can be surprising.
>
>   That's what I'm trying to say: There's one DNS namespace/cache.
> Resolver query order may be determined by adapter priority, but the
> answers feed into the same cache.  If you try to treat it as anything
> *other* than a system-wide thing, you get those surprises.
>
>   The fact that people fall into the trap of treating Windows DNS as not
> system-wide, doesn't mean it's not actually system-wide.
>
>   If DNS *wasn't* system-wide, having different resolvers configured on
> different network adapters might be able to work -- you'd be able to
> maintain different, disjoint namespaces simultaneously.  But it doesn't
> work that way, and that's the problem.
>
>   Bad car analogy time: My car has one steering wheel.  More than one
> person can grab the wheel and try to steer at once.  It won't end well,
> because while you can provide multiple inputs, steering is a car-wide thing.
>
>   (As an aside: This isn't a Windows-specific problem, either.  You can
> configure multiple resolvers on *nix or most other OSes, too, and if those
> resolvers have different ideas of what the namespace is, the same problems
> occur.)
>
> -- Ben
>
> > -----Original Message-----
> > From: Ben Scott [mailto:mailvor...@gmail.com]
> > Sent: Thursday, November 8, 2012 8:31 AM
> > To: NT System Admin Issues
> > Subject: Re: Confused about DNS resolution on a server with 2 NICs on
> > a DMZ
> >
> > On Wed, Nov 7, 2012 at 6:49 PM, Michael B. Smith 
> wrote:
> >>>  DNS is not specific to a given network adapter.  It's a system-wide
> thing.
> >>
> >> Your first two sentences are not really true with Windows. It's
> >> complicated. :P
> >
> >   My understanding is that the Windows DNS subsystem has a single
> namespace, shared across the entire system.  If a record is cached by the
> local resolver, that cached record is the same for the entire system.  Is
> that incorrect?
> >
> >   I realize the order in which full-service resolvers are tried is
> driven by network adapter priority.
> >
> >   Assuming my understanding is correct: If it's all one namespace, I
> think it's best to consider it a system-wide thing.  DNS *is* the
> namespace, as far as most things are concerned.  Playing games with the
> resolver order to try and influence that single namespace is a very bad
> idea.

RE: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-09 Thread Michael B. Smith
Then I think we are saying the same thing, just in different ways. :)

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, November 8, 2012 1:09 PM
To: NT System Admin Issues
Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

On Thu, Nov 8, 2012 at 10:04 AM, Michael B. Smith  wrote:
> Your statements are true in regards to DNS in the abstract. But as you allude 
> to, different adapters may have access to different servers and the results 
> you obtain - especially when both adapters point to DNS servers that have 
> different answers for queries can be surprising.

  That's what I'm trying to say: There's one DNS namespace/cache.
Resolver query order may be determined by adapter priority, but the answers 
feed into the same cache.  If you try to treat it as anything
*other* than a system-wide thing, you get those surprises.

  The fact that people fall into the trap of treating Windows DNS as not 
system-wide, doesn't mean it's not actually system-wide.

  If DNS *wasn't* system-wide, having different resolvers configured on 
different network adapters might be able to work -- you'd be able to maintain 
different, disjoint namespaces simultaneously.  But it doesn't work that way, 
and that's the problem.

  Bad car analogy time: My car has one steering wheel.  More than one person 
can grab the wheel and try to steer at once.  It won't end well, because while 
you can provide multiple inputs, steering is a car-wide thing.

  (As an aside: This isn't a Windows-specific problem, either.  You can 
configure multiple resolvers on *nix or most other OSes, too, and if those 
resolvers have different ideas of what the namespace is, the same problems 
occur.)

-- Ben

> -----Original Message-----
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, November 8, 2012 8:31 AM
> To: NT System Admin Issues
> Subject: Re: Confused about DNS resolution on a server with 2 NICs on 
> a DMZ
>
> On Wed, Nov 7, 2012 at 6:49 PM, Michael B. Smith  
> wrote:
>>>  DNS is not specific to a given network adapter.  It's a system-wide thing.
>>
>> Your first two sentences are not really true with Windows. It's 
>> complicated. :P
>
>   My understanding is that the Windows DNS subsystem has a single namespace, 
> shared across the entire system.  If a record is cached by the local 
> resolver, that cached record is the same for the entire system.  Is that 
> incorrect?
>
>   I realize the order in which full-service resolvers are tried is driven by 
> network adapter priority.
>
>   Assuming my understanding is correct: If it's all one namespace, I think 
> it's best to consider it a system-wide thing.  DNS *is* the namespace, as far 
> as most things are concerned.  Playing games with the resolver order to try 
> and influence that single namespace is a very bad idea.




Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-08 Thread Ben Scott
On Thu, Nov 8, 2012 at 10:04 AM, Michael B. Smith  wrote:
> Your statements are true in regards to DNS in the abstract. But as you allude 
> to, different adapters may have access to different servers and the results 
> you obtain - especially when both adapters point to DNS servers that have 
> different answers for queries can be surprising.

  That's what I'm trying to say: There's one DNS namespace/cache.
Resolver query order may be determined by adapter priority, but the
answers feed into the same cache.  If you try to treat it as anything
*other* than a system-wide thing, you get those surprises.

  The fact that people fall into the trap of treating Windows DNS as
not system-wide, doesn't mean it's not actually system-wide.

  If DNS *wasn't* system-wide, having different resolvers configured
on different network adapters might be able to work -- you'd be able
to maintain different, disjoint namespaces simultaneously.  But it
doesn't work that way, and that's the problem.

  Bad car analogy time: My car has one steering wheel.  More than one
person can grab the wheel and try to steer at once.  It won't end
well, because while you can provide multiple inputs, steering is a
car-wide thing.

  (As an aside: This isn't a Windows-specific problem, either.  You
can configure multiple resolvers on *nix or most other OSes, too, and
if those resolvers have different ideas of what the namespace is, the
same problems occur.)

-- Ben

> -----Original Message-----
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, November 8, 2012 8:31 AM
> To: NT System Admin Issues
> Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ
>
> On Wed, Nov 7, 2012 at 6:49 PM, Michael B. Smith  
> wrote:
>>>  DNS is not specific to a given network adapter.  It's a system-wide thing.
>>
>> Your first two sentences are not really true with Windows. It's
>> complicated. :P
>
>   My understanding is that the Windows DNS subsystem has a single namespace, 
> shared across the entire system.  If a record is cached by the local 
> resolver, that cached record is the same for the entire system.  Is that 
> incorrect?
>
>   I realize the order in which full-service resolvers are tried is driven by 
> network adapter priority.
>
>   Assuming my understanding is correct: If it's all one namespace, I think 
> it's best to consider it a system-wide thing.  DNS *is* the namespace, as far 
> as most things are concerned.  Playing games with the resolver order to try 
> and influence that single namespace is a very bad idea.

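A diagnostic for the situation Ben Scott describes, resolvers on different adapters holding different views of the namespace, as an added example that is not part of the thread. The function names are hypothetical, and it assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later), so it does not run on a Windows 2008 R2 host as-is.

```powershell
# Added example, not code from the thread.
# Asks every DNS server configured on every adapter for the same name and
# reports whether the answers agree.

function Get-PerAdapterDnsAnswer {
    param(
        # Name to test; choose one that exists in the internal zone.
        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    # Interfaces that have at least one IPv4 DNS server configured.
    $interfaces = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }

    foreach ($iface in $interfaces) {
        # Interface metric, shown so the output can be read in adapter-priority order.
        $metric = (Get-NetIPInterface -InterfaceIndex $iface.InterfaceIndex `
            -AddressFamily IPv4 -ErrorAction SilentlyContinue).InterfaceMetric

        foreach ($server in $iface.ServerAddresses) {
            # -Server sends the query to that resolver; -DnsOnly and -NoHostsFile
            # keep LLMNR/NetBIOS and the hosts file out of the result.
            $records = Resolve-DnsName -Name $Name -Type A -Server $server `
                -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue

            $addresses = @($records |
                Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress } |
                Sort-Object)

            $answer = '(no answer)'
            if ($addresses.Count -gt 0) { $answer = $addresses -join ', ' }

            [pscustomobject]@{
                Interface = $iface.InterfaceAlias
                Metric    = $metric
                Server    = $server
                Answer    = $answer
            }
        }
    }
}

function Test-DnsNamespaceAgreement {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    $rows     = @(Get-PerAdapterDnsAnswer -Name $Name | Sort-Object Metric, Interface)
    $distinct = @($rows | Select-Object -ExpandProperty Answer -Unique)

    $rows | Format-Table -AutoSize | Out-String | Write-Host

    if ($distinct.Count -gt 1) {
        Write-Warning ("Configured resolvers disagree about '$Name'; " +
            "all of them feed the same system-wide client cache.")
        return $false
    }
    return $true
}

# Example call; the host name is a constructed placeholder.
# Test-DnsNamespaceAgreement -Name 'intranet.example.local'
```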



RE: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-08 Thread Michael B. Smith
In the best of all possible worlds...

Your statements are true in regards to DNS in the abstract. But as you allude 
to, different adapters may have access to different servers and the results you 
obtain - especially when both adapters point to DNS servers that have different 
answers for queries can be surprising.

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, November 8, 2012 8:31 AM
To: NT System Admin Issues
Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

On Wed, Nov 7, 2012 at 6:49 PM, Michael B. Smith  wrote:
>>  DNS is not specific to a given network adapter.  It's a system-wide thing.
>
> Your first two sentences are not really true with Windows. It's 
> complicated. :P

  My understanding is that the Windows DNS subsystem has a single namespace, 
shared across the entire system.  If a record is cached by the local resolver, 
that cached record is the same for the entire system.  Is that incorrect?

  I realize the order in which full-service resolvers are tried is driven by 
network adapter priority.

  Assuming my understanding is correct: If it's all one namespace, I think it's 
best to consider it a system-wide thing.  DNS *is* the namespace, as far as 
most things are concerned.  Playing games with the resolver order to try and 
influence that single namespace is a very bad idea.

-- Ben




Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-08 Thread Ben Scott
On Wed, Nov 7, 2012 at 6:49 PM, Michael B. Smith  wrote:
>>  DNS is not specific to a given network adapter.  It's a system-wide thing.
>
> Your first two sentences are not really true with Windows. It's complicated. 
> :P

  My understanding is that the Windows DNS subsystem has a single
namespace, shared across the entire system.  If a record is cached by
the local resolver, that cached record is the same for the entire
system.  Is that incorrect?

  I realize the order in which full-service resolvers are tried is
driven by network adapter priority.

  Assuming my understanding is correct: If it's all one namespace, I
think it's best to consider it a system-wide thing.  DNS *is* the
namespace, as far as most things are concerned.  Playing games with
the resolver order to try and influence that single namespace is a
very bad idea.

-- Ben



RE: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-07 Thread Michael B. Smith
Your first two sentences are not really true with Windows. It's complicated. :P

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, November 7, 2012 12:06 PM
To: NT System Admin Issues
Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

On Wed, Nov 7, 2012 at 10:13 AM, Michael Leone  wrote:
> So, today's confusion ... we have a webserver on our DMZ, Win 2008 R2.
> It has 2 NICs, an external and an internal. The external NIC has DNS
> settings pointing to our ISP (Verizon, in our case). The internal NIC
> has DNS settings of our internal LAN.

  DNS is not specific to a given network adapter.  It's a system-wide thing.  
You should prolly be directing all DNS queries to your internal resolvers, and 
not be specifying any outside resolvers at all.

-- Ben




Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-07 Thread Ben Scott
On Wed, Nov 7, 2012 at 10:13 AM, Michael Leone  wrote:
> So, today's confusion ... we have a webserver on our DMZ, Win 2008 R2. It
> has 2 NICs, an external and an internal. The external NIC has DNS settings
> pointing to our ISP (Verizon, in our case). The internal NIC has DNS
> settings of our internal LAN.

  DNS is not specific to a given network adapter.  It's a system-wide
thing.  You should prolly be directing all DNS queries to your
internal resolvers, and not be specifying any outside resolvers at
all.

-- Ben



Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-07 Thread Michael Leone
On Wed, Nov 7, 2012 at 11:13 AM, Christopher Bodnar
 wrote:
> If you want the MS resource that is taken from, it's here:
>
> http://technet.microsoft.com/en-us/library/bb457118.aspx

Thanks. The other link said I needed to become a Premium member to
download or print, and I wasn't about to pay $9 to print the one
document.

So the resolution will just automatically cycle through all the
adapters; that's what I was figuring, from observation. Good to know
...
>
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
>
>
> The Guardian Life Insurance Company of America
>
> www.guardianlife.com
>
>
>
>
>
>
> From:    Christopher Bodnar
> To:      "NT System Admin Issues"
> Date:    11/07/2012 11:02 AM
> Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ
>
> Have you taken a look at this yet?
>
> http://www.scribd.com/doc/63870216/108/Multihomed-Name-Resolution
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
>
> The Guardian Life Insurance Company of America
>
> www.guardianlife.com
>
>
>
>
>
>
> From:    Michael Leone
> To:      "NT System Admin Issues"
> Date:    11/07/2012 10:14 AM
> Subject: Confused about DNS resolution on a server with 2 NICs on a DMZ
>
> So, today's confusion ... we have a webserver on our DMZ, Win 2008 R2. It
> has 2 NICs, an external and an internal. The external NIC has DNS settings
> pointing to our ISP (Verizon, in our case). The internal NIC has DNS
> settings of our internal LAN.
>
> So how come, if I say "ping ", the name resolves and
> I can ping? (I can understand how the ping succeeds; we have a static route
> to our internal servers). But how is the name resolving to the internal
> address?
>
> Using another of my internal servers as a target (i.e., not on the DMZ):
>
> If I do "ping ", it says could not find host. That's good; we
> don't have our domain name set in the NIC properties.
>
> if I do "ping ", it says "Pinging  [internal IP]". And how does
> it know to do that??
>
> It appears that it's succeeding by using the internal NIC, but how does it
> know to use the internal NIC to resolve a name? If it was an internal IP, I
> could understand it - it would use the static route.
>
> Is it normal behavior to use the DMZ NIC, and - if that fails - silently use
> the INTERNAL NIC? That makes no sense to me either, but that's all I am
> coming up with, for why this is working.
>
> Can somebody clear up my age-fogged brain about this??
>
> There is no HOSTS file, these are not domain members.


Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-07 Thread Christopher Bodnar
If you want the MS resource that is taken from, it's here:

http://technet.microsoft.com/en-us/library/bb457118.aspx



Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:    Christopher Bodnar
To:      "NT System Admin Issues"
Date:    11/07/2012 11:02 AM
Subject: Re: Confused about DNS resolution on a server with 2 NICs on a DMZ



Have you taken a look at this yet? 

http://www.scribd.com/doc/63870216/108/Multihomed-Name-Resolution 


Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 



The Guardian Life Insurance Company of America

www.guardianlife.com 






From:    Michael Leone
To:      "NT System Admin Issues"
Date:    11/07/2012 10:14 AM
Subject: Confused about DNS resolution on a server with 2 NICs on a DMZ

So, today's confusion ... we have a webserver on our DMZ, Win 2008 R2. It
has 2 NICs, an external and an internal. The external NIC has DNS
settings pointing to our ISP (Verizon, in our case). The internal NIC has
DNS settings of our internal LAN.

So how come, if I say "ping ", the name resolves 
and I can ping? (I can understand how the ping succeeds; we have a static 
route to our internal servers). But how is the name resolving to the 
internal address? 

Using another of my internal servers as a target (i.e., not on the DMZ): 

If I do "ping ", it says could not find host. That's good; we 
don't have our domain name set in the NIC properties. 

if I do "ping ", it says "Pinging  [internal IP]". And how 
does it know to do that?? 

It appears that it's succeeding by using the internal NIC, but how does it 
know to use the internal NIC to resolve a name? If it was an internal IP, 
I could understand it - it would use the static route. 

Is it normal behavior to use the DMZ NIC, and - if that fails - silently 
use the INTERNAL NIC? That makes no sense to me either, but that's all I 
am coming up with, for why this is working. 

Can somebody clear up my age-fogged brain about this?? 

There is no HOSTS file, these are not domain members. 

Re: Confused about DNS resolution on a server with 2 NICs on a DMZ

2012-11-07 Thread Christopher Bodnar
Have you taken a look at this yet?

http://www.scribd.com/doc/63870216/108/Multihomed-Name-Resolution



Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America

www.guardianlife.com 







From:    Michael Leone
To:      "NT System Admin Issues"
Date:    11/07/2012 10:14 AM
Subject: Confused about DNS resolution on a server with 2 NICs on a DMZ

So, today's confusion ... we have a webserver on our DMZ, Win 2008 R2. It
has 2 NICs, an external and an internal. The external NIC has DNS
settings pointing to our ISP (Verizon, in our case). The internal NIC has
DNS settings of our internal LAN.

So how come, if I say "ping ", the name resolves 
and I can ping? (I can understand how the ping succeeds; we have a static 
route to our internal servers). But how is the name resolving to the 
internal address?

Using another of my internal servers as a target (i.e., not on the DMZ):

If I do "ping ", it says could not find host. That's good; we 
don't have our domain name set in the NIC properties.

if I do "ping ", it says "Pinging  [internal IP]". And how 
does it know to do that??

It appears that it's succeeding by using the internal NIC, but how does it 
know to use the internal NIC to resolve a name? If it was an internal IP, 
I could understand it - it would use the static route. 

Is it normal behavior to use the DMZ NIC, and - if that fails - silently 
use the INTERNAL NIC? That makes no sense to me either, but that's all I 
am coming up with, for why this is working.

Can somebody clear up my age-fogged brain about this??

There is no HOSTS file, these are not domain members.

RE: DNS?

2012-10-29 Thread itli...@imcu.com
Yes and so does www.imcu.com 'a' record.  Only the stupid mail is
screwy???

 

From: Walker, Michael [mailto:mwal...@mail.cvhp.org] 
Posted At: Monday, October 29, 2012 12:49 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Does your other A Record "board.imcu.com" resolve correctly?

 

Michael Walker

Senior Network Engineer

Citrus Valley Health Partners

140 W. College Street, Covina, CA  91723

Phone/Fax/Pager: (888) 299-6882

mwal...@mail.cvhp.org <mailto:mwal...@mail.cvhp.org>  

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:34 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

Just mail.imcu.com no ip address.

Ping not host

I am getting very frustrated because it is staring me in the face

 

 

From: Walker, Michael [mailto:mwal...@mail.cvhp.org] 
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it
resolve to?

 

Michael Walker

Senior Network Engineer

Citrus Valley Health Partners

140 W. College Street, Covina, CA  91723

Phone/Fax/Pager: (888) 299-6882

mwal...@mail.cvhp.org <mailto:mwal...@mail.cvhp.org>  

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

Public ip works.  DNS, ping, https, activesync the whole thing.

I want to access it internally using a name instead of an IP address.

Currently with I can not https://mail.imcu.com/exchange with or without
the 'imcu.com' zone internally.

If I use a hosts file entry the above works.

If I use the ip (10.0.50.14) the https link works.

Not sure I need to go out my firewall just to come back in to get to my
exchange box?

 

 

From: Richard McClary [mailto:richard.mccl...@aspca.org] 
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Let's see...  You have a private LAN, and you are hoping the public can
reach the system at that same (private, internal) IP?

 

Why not register an external IP for that system, then do a mapped IP
address ("MIP") through your firewall?

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM

RE: DNS?

2012-10-29 Thread Walker, Michael
Does your other A Record "board.imcu.com" resolve correctly?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org<mailto:mwal...@mail.cvhp.org>

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:34 AM
To: NT System Admin Issues
Subject: RE: DNS?

Just mail.imcu.com no ip address.
Ping not host
I am getting very frustrated because it is staring me in the face


From: Walker, Michael [mailto:mwal...@mail.cvhp.org]
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: RE: DNS?

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it resolve to?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org<mailto:mwal...@mail.cvhp.org>

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

Public ip works.  DNS, ping, https, activesync the whole thing.
I want to access it internally using a name instead of an IP address.
Currently with I can not https://mail.imcu.com/exchange with or without the 
'imcu.com' zone internally.
If I use a hosts file entry the above works.
If I use the ip (10.0.50.14) the https link works.
Not sure I need to go out my firewall just to come back in to get to my 
exchange box?


From: Richard McClary [mailto:richard.mccl...@aspca.org]
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: RE: DNS?

Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

RE: DNS?

2012-10-29 Thread Damien Solodow
It won't; nbtstat is for WINS, not DNS.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 12:35 PM
To: NT System Admin Issues
Subject: RE: DNS?

Nbtstat -a 10.0.50.4 does not resolve the mail.imcu.com either??

From: Walker, Michael [mailto:mwal...@mail.cvhp.org]
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: RE: DNS?

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it resolve to?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org<mailto:mwal...@mail.cvhp.org>

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

Public ip works.  DNS, ping, https, activesync the whole thing.
I want to access it internally using a name instead of an IP address.
Currently with I can not https://mail.imcu.com/exchange with or without the 
'imcu.com' zone internally.
If I use a hosts file entry the above works.
If I use the ip (10.0.50.14) the https link works.
Not sure I need to go out my firewall just to come back in to get to my 
exchange box?


From: Richard McClary [mailto:richard.mccl...@aspca.org]
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: RE: DNS?

Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put

RE: DNS?

2012-10-29 Thread Damien Solodow
What is the name/IP of the DNS server you created the zone on?
Does the zone show SOA/NS records?
Is it an AD integrated zone?

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 12:34 PM
To: NT System Admin Issues
Subject: RE: DNS?

Just mail.imcu.com no ip address.
Ping not host
I am getting very frustrated because it is staring me in the face


From: Walker, Michael [mailto:mwal...@mail.cvhp.org]
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: RE: DNS?

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it resolve to?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org<mailto:mwal...@mail.cvhp.org>

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

Public ip works.  DNS, ping, https, activesync the whole thing.
I want to access it internally using a name instead of an IP address.
Currently with I can not https://mail.imcu.com/exchange with or without the 
'imcu.com' zone internally.
If I use a hosts file entry the above works.
If I use the ip (10.0.50.14) the https link works.
Not sure I need to go out my firewall just to come back in to get to my 
exchange box?


From: Richard McClary [mailto:richard.mccl...@aspca.org]
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: RE: DNS?

Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain point

RE: DNS?

2012-10-29 Thread itli...@imcu.com
Nbtstat -a 10.0.50.4 does not resolve the mail.imcu.com either??

 

From: Walker, Michael [mailto:mwal...@mail.cvhp.org] 
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it
resolve to?

 

Michael Walker

Senior Network Engineer

Citrus Valley Health Partners

140 W. College Street, Covina, CA  91723

Phone/Fax/Pager: (888) 299-6882

mwal...@mail.cvhp.org <mailto:mwal...@mail.cvhp.org>  

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

Public ip works.  DNS, ping, https, activesync the whole thing.

I want to access it internally using a name instead of an IP address.

Currently with I can not https://mail.imcu.com/exchange with or without
the 'imcu.com' zone internally.

If I use a hosts file entry the above works.

If I use the ip (10.0.50.14) the https link works.

Not sure I need to go out my firewall just to come back in to get to my
exchange box?

 

 

From: Richard McClary [mailto:richard.mccl...@aspca.org] 
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Let's see...  You have a private LAN, and you are hoping the public can
reach the system at that same (private, internal) IP?

 

Why not register an external IP for that system, then do a mapped IP
address ("MIP") through your firewall?

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com
Just mail.imcu.com no ip address.

Ping not host

I am getting very frustrated because it is staring me in the face

 

 

From: Walker, Michael [mailto:mwal...@mail.cvhp.org] 
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it
resolve to?

 

Michael Walker

Senior Network Engineer

Citrus Valley Health Partners

140 W. College Street, Covina, CA  91723

Phone/Fax/Pager: (888) 299-6882

mwal...@mail.cvhp.org <mailto:mwal...@mail.cvhp.org>  

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

Public ip works.  DNS, ping, https, activesync the whole thing.

I want to access it internally using a name instead of an IP address.

Currently with I can not https://mail.imcu.com/exchange with or without
the 'imcu.com' zone internally.

If I use a hosts file entry the above works.

If I use the ip (10.0.50.14) the https link works.

Not sure I need to go out my firewall just to come back in to get to my
exchange box?

 

 

From: Richard McClary [mailto:richard.mccl...@aspca.org] 
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Let's see...  You have a private LAN, and you are hoping the public can
reach the system at that same (private, internal) IP?

 

Why not register an external IP for that system, then do a mapped IP
address ("MIP") through your firewall?

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.
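
An added example, not part of any post in this thread: a Python sanity check run over the zone records as they were posted above, before any nslookup or dig testing. The function names are made up for this example; it flags A data that is not a valid IPv4 address, MX targets without a usable A record, and names under imcu.com that are missing from the internal zone.

```python
import ipaddress
import re

# Records exactly as posted in the thread; the parenthesised notes are the
# poster's own annotations and are ignored by the parser.
POSTED_ZONE = """\
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))
"""

ZONE = "imcu.com"
RECORD_RE = re.compile(r"^(\S+)\s+(A|MX)\s+([^\s(]+)", re.IGNORECASE)


def parse_records(text):
    """Return (owner, type, data) tuples, lower-cased, without trailing dots."""
    records = []
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if match:
            owner, rtype, data = match.groups()
            records.append((owner.lower().rstrip("."), rtype.upper(),
                            data.lower().rstrip(".")))
    return records


def scope(addr):
    """Label an address as internal (private range) or external."""
    return "internal" if addr.is_private else "external"


def audit_zone(text):
    """Return ({owner: [IPv4Address, ...]}, [(owner, finding), ...])."""
    records = parse_records(text)
    answers, findings = {}, []
    for owner, rtype, data in records:
        if rtype != "A":
            continue
        try:
            addr = ipaddress.IPv4Address(data)
        except ipaddress.AddressValueError:
            findings.append(
                (owner, f"A data '{data}' is not a valid IPv4 address"))
            continue
        answers.setdefault(owner, []).append(addr)
    for owner, rtype, data in records:
        if rtype == "MX" and data not in answers:
            findings.append(
                (owner, f"MX target '{data}' has no usable A record here"))
    return answers, findings


def unresolvable_internally(text, names):
    """Names under the zone that internal clients cannot resolve.

    A server hosting imcu.com as a primary zone answers for every name
    under it, so a name missing from the zone gets a name error instead
    of being forwarded to the public DNS.
    """
    answers, _ = audit_zone(text)
    return [n for n in names
            if (n == ZONE or n.endswith("." + ZONE)) and n not in answers]


if __name__ == "__main__":
    answers, findings = audit_zone(POSTED_ZONE)
    for owner, addrs in answers.items():
        for addr in addrs:
            print(f"{owner:16} A {addr} ({scope(addr)})")
    for owner, finding in findings:
        print(f"CHECK {owner}: {finding}")
    for name in unresolvable_internally(
            POSTED_ZONE, ["vpn.imcu.com", "ftp.imcu.com"]):
        print(f"CHECK {name}: not in the internal zone")
```
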

 


RE: DNS?

2012-10-29 Thread Walker, Michael
Question:  When you do an NSLOOKUP of mail.imcu.com, what does it resolve to?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org<mailto:mwal...@mail.cvhp.org>

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

Public ip works.  DNS, ping, https, activesync the whole thing.
I want to access it internally using a name instead of an IP address.
Currently with I can not https://mail.imcu.com/exchange with or without the 
'imcu.com' zone internally.
If I use a hosts file entry the above works.
If I use the ip (10.0.50.14) the https link works.
Not sure I need to go out my firewall just to come back in to get to my 
exchange box?


From: Richard McClary [mailto:richard.mccl...@aspca.org]
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: RE: DNS?

Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com<mailto:itli...@imcu.com>
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put 
up an A record for imcu.com. But I wouldn't count on that. Exchange didn't until 
2007 or so.

From: itli...@imcu.com<mailto:itli...@imcu.com> [mailto:itli...@imcu.com]
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

I have added a new Forward lookup zone for IMCU.COM on my local active Directory.
I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that zone.
I do not resolve the mail to the ip.
If I add that

FW: DNS?

2012-10-29 Thread itli...@imcu.com
Oops can't send as myself.

-Original Message-
From: David McSpadden 
Sent: Monday, October 29, 2012 12:11 PM
To: 'NT System Admin Issues'
Subject: RE: DNS?

Will do.
Right now It's not Mr or Mrs.  It's confused.
I'll dig and see what I can find on mail.imcu.com internally.


-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net]
Posted At: Monday, October 29, 2012 12:09 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

Mr. or Ms. ITLists, it appears you have a bad or incomplete A record for
mail.imcu.com.  However, nslookup is not a good tool for DNS
troubleshooting; I would suggest you use 'dig' (it's part of the BIND
tools package) with the 'debug' option to tell the DNS server not to
search recursively.

On Mon, Oct 29, 2012 at 11:54 AM, itli...@imcu.com wrote:
> Public ip works.  DNS, ping, https, activesync the whole thing.
>
> I want to access it internally using a name instead of an IP address.
>
> Currently with I can not https://mail.imcu.com/exchange with or 
> without the 'imcu.com' zone internally.
>
> If I use a hosts file entry the above works.
>
> If I use the ip (10.0.50.14) the https link works.
>
> Not sure I need to go out my firewall just to come back in to get to 
> my exchange box?
>
>
>
>
>
> From: Richard McClary [mailto:richard.mccl...@aspca.org]
> Posted At: Monday, October 29, 2012 11:41 AM
>
>
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> Let's see...  You have a private LAN, and you are hoping the public can
> reach the system at that same (private, internal) IP?
>
>
>
> Why not register an external IP for that system, then do a mapped IP
> address ("MIP") through your firewall?
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, October 29, 2012 9:59 AM
> To: NT System Admin Issues
> Subject: RE: DNS?
>
>
>
> You are accessing it from external though.  External is working fine.
>
> I am wanting an internal zone since my domain is imcu.local and my 
> mail is imcu.com...
>
> I hope to God you can use the internal ip address from the wild.
>
> That would send me home in a bucket.
>
>
>
>
>
> From: Steve Ens [mailto:stevey...@gmail.com]
> Posted At: Monday, October 29, 2012 10:53 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: Re: DNS?
>
>
>
> For me it's the other way around...
>
> On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
>
> Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
> fails???
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 10:12 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> That looks correct. Be sure to flush dns on the machine doing the lookup.
>
>
>
> To be sure you should first do an nslookup on the domain's MX and make
> sure you get mail.imcu.com
>
>
>
> nslookup
>
> Set type=MX
>
> Imcu.com
>
>
>
> That should return mail.imcu.com
>
>
>
> Then check the A record for mail.imcu.com and you should be good to go.
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, October 29, 2012 10:09 AM
> To: NT System Admin Issues
> Subject: RE: DNS?
>
>
>
> I'll recycle the dnscache and post my internal DNS records here to 
> make sure I am doing it correctly.
>
> New Primary Zone
>
> IMCU.COM
>
> imcu.com A 12.145.145.177.176
>
> imcu.com MX mail.imcu.com
>
> mail.imcu.com A 10.0.50.4(internal address))
>
> www.imcu.com A 12.145.177.176  (external address for managed
> website))
>
> board.imcu.com A 10.0.10.21 (internal address))
>
>
>
>
>
> Should that be all that I need?
>
> I have vpn.imcu.com, ftp.imcu.com but they are programmatically only 
> accessible through the firewall so outside in only.
>
>
>
> After the recycle of dnscache I should be able to do an nslookup for 
> mail.imcu.com and get the ip 10.0.50.4 just like in my hosts 
> file(Which I have commented out until after this experiment works or
> fails)
>
> Thanks
>
>
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 8:18 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> Did you also add an MX record for that domain pointing at mail.imcu.com?
>
>
>
> Most MTA's will fall back to the A record for

Re: DNS?

2012-10-29 Thread Steve Kradel
Mr. or Ms. ITLists, it appears you have a bad or incomplete A record
for mail.imcu.com.  However, nslookup is not a good tool for DNS
troubleshooting; I would suggest you use 'dig' (it's part of the BIND
tools package) with the 'debug' option to tell the DNS server not to
search recursively.

On Mon, Oct 29, 2012 at 11:54 AM, itli...@imcu.com  wrote:
> Public ip works.  DNS, ping, https, activesync the whole thing.
>
> I want to access it internally using a name instead of an IP address.
>
> Currently with I can not https://mail.imcu.com/exchange with or without the
> ‘imcu.com’ zone internally.
>
> If I use a hosts file entry the above works.
>
> If I use the ip (10.0.50.14) the https link works.
>
> Not sure I need to go out my firewall just to come back in to get to my
> exchange box?
>
>
>
>
>
> From: Richard McClary [mailto:richard.mccl...@aspca.org]
> Posted At: Monday, October 29, 2012 11:41 AM
>
>
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> Let’s see…  You have a private LAN, and you are hoping the public can reach
> the system at that same (private, internal) IP?
>
>
>
> Why not register an external IP for that system, then do a mapped IP address
> (“MIP”) through your firewall?
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, October 29, 2012 9:59 AM
> To: NT System Admin Issues
> Subject: RE: DNS?
>
>
>
> You are accessing it from external though.  External is working fine.
>
> I am wanting an internal zone since my domain is imcu.local and my mail is
> imcu.com…
>
> I hope to God you can use the internal ip address from the wild.
>
> That would send me home in a bucket.
>
>
>
>
>
> From: Steve Ens [mailto:stevey...@gmail.com]
> Posted At: Monday, October 29, 2012 10:53 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: Re: DNS?
>
>
>
> For me it's the other way around...
>
> On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com  wrote:
>
> Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
> fails???
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 10:12 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> That looks correct. Be sure to flush dns on the machine doing the lookup.
>
>
>
> To be sure you should first do an nslookup on the domain’s MX and make sure
> you get mail.imcu.com
>
>
>
> nslookup
>
> Set type=MX
>
> Imcu.com
>
>
>
> That should return mail.imcu.com
>
>
>
> Then check the A record for mail.imcu.com and you should be good to go.
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, October 29, 2012 10:09 AM
> To: NT System Admin Issues
> Subject: RE: DNS?
>
>
>
> I’ll recycle the dnscache and post my internal DNS records here to make sure
> I am doing it correctly.
>
> New Primary Zone
>
> IMCU.COM
>
> imcu.com A 12.145.145.177.176
>
> imcu.com MX mail.imcu.com
>
> mail.imcu.com A 10.0.50.4(internal address))
>
> www.imcu.com A 12.145.177.176  (external address for managed
> website))
>
> board.imcu.com A 10.0.10.21 (internal address))
>
>
>
>
>
> Should that be all that I need?
>
> I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
> accessible through the firewall so outside in only.
>
>
>
> After the recycle of dnscache I should be able to do an nslookup for
> mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I
> have commented out until after this experiment works or fails)
>
> Thanks
>
>
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 8:18 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> Did you also add an MX record for that domain pointing at mail.imcu.com?
>
>
>
> Most MTA’s will fall back to the A record for the domain, so you could also
> put up an A record for imcu.com. But I wouldn’t count on that. Exchange
> didn’t until 2007 or so.
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Sunday, October 28, 2012 1:50 PM
> To: NT System Admin Issues
> Subject: DNS?
>
>
>
> I have added a new Forward lookup zone for IMCU.COM on my local active
> Directory.
>
> I have added an ‘a’ record for 10.0.50.4 for mail.imcu.com  in that zone.
>
> I do not resolve the mail to the ip.
>
> If I add that record in my hosts file I can browse it easily.
>
> What is wrong in my DNS set up?
>
> Server 2003 active directory.
>
>

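The two checks suggested in this thread (look up the domain's MX, then the A record for the MX target), run offline against the zone records as they were posted. This is an added example, not part of any list member's message; the function names and the tuple format for the records are assumptions made for illustration.

```python
import ipaddress

# Zone records copied as posted in the thread: (name, type, value).
POSTED_ZONE = [
    ("imcu.com", "A", "12.145.145.177.176"),
    ("imcu.com", "MX", "mail.imcu.com"),
    ("mail.imcu.com", "A", "10.0.50.4"),
    ("www.imcu.com", "A", "12.145.177.176"),
    ("board.imcu.com", "A", "10.0.10.21"),
]


def norm(name):
    """DNS names are case-insensitive; ignore a trailing root dot."""
    return name.strip().rstrip(".").lower()


def valid_a_records(records):
    """Map each name to its syntactically valid IPv4 addresses, plus problems."""
    good, problems = {}, []
    for name, rtype, value in records:
        if rtype.upper() != "A":
            continue
        try:
            addr = ipaddress.IPv4Address(value.strip())
        except ipaddress.AddressValueError:
            problems.append(
                (norm(name), "A record value %r is not a valid IPv4 address" % value)
            )
            continue
        good.setdefault(norm(name), []).append(addr)
    return good, problems


def lint_zone(records):
    """Return (name, problem) tuples: bad A values and MX targets without an A."""
    good, problems = valid_a_records(records)
    for name, rtype, value in records:
        if rtype.upper() == "MX" and norm(value) not in good:
            problems.append(
                (norm(name), "MX target %s has no valid A record in this zone" % norm(value))
            )
    return problems


def resolve_mail_host(records, domain):
    """Follow MX -> A inside the zone, as the two nslookup steps would."""
    good, _ = valid_a_records(records)
    results = []
    for name, rtype, value in records:
        if rtype.upper() != "MX" or norm(name) != norm(domain):
            continue
        for addr in good.get(norm(value), []):
            scope = "internal" if addr.is_private else "external"
            results.append((norm(value), str(addr), scope))
    return results


def missing_from_zone(records, queries):
    """Names that an authoritative copy of this zone would not answer for."""
    present = {norm(name) for name, _, _ in records}
    return [norm(q) for q in queries if norm(q) not in present]


if __name__ == "__main__":
    for name, problem in lint_zone(POSTED_ZONE):
        print("PROBLEM %s: %s" % (name, problem))
    for target, addr, scope in resolve_mail_host(POSTED_ZONE, "imcu.com"):
        print("MX imcu.com -> %s -> %s (%s)" % (target, addr, scope))
    for name in missing_from_zone(POSTED_ZONE, ["vpn.imcu.com", "ftp.imcu.com"]):
        print("not in internal zone: %s" % name)
```

Run against the records as posted, the only value flagged is the five-octet A record for imcu.com. Names missing from an authoritative internal zone, such as vpn.imcu.com and ftp.imcu.com here, are answered as nonexistent by that server rather than forwarded to outside resolvers.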



RE: DNS?

2012-10-29 Thread itli...@imcu.com
Public ip works.  DNS, ping, https, activesync the whole thing.

I want to access it internally using a name instead of an IP address.

Currently with I can not https://mail.imcu.com/exchange with or without
the 'imcu.com' zone internally.

If I use a hosts file entry the above works.

If I use the ip (10.0.50.14) the https link works.

Not sure I need to go out my firewall just to come back in to get to my
exchange box?

 

 

From: Richard McClary [mailto:richard.mccl...@aspca.org] 
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Let's see...  You have a private LAN, and you are hoping the public can
reach the system at that same (private, internal) IP?

 

Why not register an external IP for that system, then do a mapped IP
address ("MIP") through your firewall?

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


RE: DNS?

2012-10-29 Thread Richard McClary
Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put
up an A record for imcu.com. But I wouldn't count on that. Exchange didn't until
2007 or so.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

I have added a new Forward lookup zone for IMCU.COM on my local active Directory.
I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that zone.
I do not resolve the mail to the ip.
If I add that record in my hosts file I can browse it easily.
What is wrong in my DNS set up?
Server 2003 active directory.



Re: DNS?

2012-10-29 Thread Steve Ens
Haha, I thought it might be an external IP...yep, there is an issue with
your DNS entry.

On Mon, Oct 29, 2012 at 9:58 AM, itli...@imcu.com  wrote:

> You are accessing it from external though.  External is working fine.
>
> I am wanting an internal zone since my domain is imcu.local and my mail is
> imcu.com…
>
> I hope to God you can use the internal ip address from the wild.
>
> That would send me home in a bucket.
>
>
>
> *From:* Steve Ens [mailto:stevey...@gmail.com]
> *Posted At:* Monday, October 29, 2012 10:53 AM
>
> *Posted To:* itli...@imcu.com
> *Conversation:* DNS?
> *Subject:* Re: DNS?
>
>
>
> For me it's the other way around...
>
> On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
> wrote:
>
> Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???
>
>
>  
>
>  
>
> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> *Posted At:* Monday, October 29, 2012 10:12 AM
> *Posted To:* itli...@imcu.com
> *Conversation:* DNS?
> *Subject:* RE: DNS?
>
>  
>
> That looks correct. Be sure to flush dns on the machine doing the lookup.
>
>  
>
> To be sure you should first do an nslookup on the domain’s MX and make
> sure you get mail.imcu.com
>
>  
>
> nslookup
>
> Set type=MX
>
> Imcu.com
>
>  
>
> That should return mail.imcu.com
>
>  
>
> Then check the A record for mail.imcu.com and you should be good to go.
>
>  
>
> *From:* itli...@imcu.com [mailto:itli...@imcu.com ]
> *Sent:* Monday, October 29, 2012 10:09 AM
> *To:* NT System Admin Issues
> *Subject:* RE: DNS?
>
>  
>
> I’ll recycle the dnscache and post my internal DNS records here to make
> sure I am doing it correctly.
>
> New Primary Zone
>
> IMCU.COM
>
> imcu.com A 12.145.145.177.176
>
> imcu.com MX mail.imcu.com
>
> mail.imcu.com A 10.0.50.4(internal address))
>
> www.imcu.com A 12.145.177.176  (external address for managed
> website))
>
> board.imcu.com A 10.0.10.21 (internal address))
>
>  
>
>  
>
> Should that be all that I need?
>
> I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
> accessible through the firewall so outside in only.
>
>  
>
> After the recycle of dnscache I should be able to do an nslookup for
> mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I
> have commented out until after this experiment works or fails)
>
> Thanks
>
>  
>
>  
>
>  
>
>  
>
> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> *Posted At:* Monday, October 29, 2012 8:18 AM
> *Posted To:* itli...@imcu.com
> *Conversation:* DNS?
> *Subject:* RE: DNS?
>
>  
>
> Did you also add an MX record for that domain pointing at mail.imcu.com?
>
>  
>
> Most MTA’s will fall back to the A record for the domain, so you could
> also put up an A record for imcu.com. But I wouldn’t count on that.
> Exchange didn’t until 2007 or so.
>
>  
>
> *From:* itli...@imcu.com [mailto:itli...@imcu.com ]
> *Sent:* Sunday, October 28, 2012 1:50 PM
> *To:* NT System Admin Issues
> *Subject:* DNS?
>
>  
>
> I have added a new Forward lookup zone for IMCU.COM on my local active
> Directory.
>
> I have added an ‘a’ record for 10.0.50.4 for mail.imcu.com  in that zone.
>
> I do not resolve the mail to the ip.
>
> If I add that record in my hosts file I can browse it easily.
>
> What is wrong in my DNS set up?
>
> Server 2003 active directory.
>
>  
>

RE: DNS?

2012-10-29 Thread Kennedy, Jim
Something is wrong with the DNS entry for that host that you just created.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 11:07 AM
To: NT System Admin Issues
Subject: RE: DNS?

Now when using my hosts file of 10.0.50.4 mail.imcu.com, going to 
https://mail.imcu.com/exchange works.
Comment it out and it stops??

From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put
up an A record for imcu.com. But I wouldn't count on that. Exchange didn't until
2007 or so.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

I have added a new Forward lookup zone for IMCU.COM on my local active Directory.
I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that zone.
I do not resolve the mail to the ip.
If I add that record in my hosts file I can browse it easily.
What is wrong in my DNS set up?
Server 2003 active directory.



RE: DNS?

2012-10-29 Thread itli...@imcu.com
Now when using my hosts file of 10.0.50.4 mail.imcu.com, going to
https://mail.imcu.com/exchange works.

Comment it out and it stops??

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com
You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


Re: DNS?

2012-10-29 Thread Steve Ens
For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com  wrote:

> Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 10:12 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
> That looks correct. Be sure to flush dns on the machine doing the lookup.
>
> To be sure you should first do an nslookup on the domain’s MX and make
> sure you get mail.imcu.com
>
> nslookup
>
> Set type=MX
>
> Imcu.com
>
> That should return mail.imcu.com
>
> Then check the A record for mail.imcu.com and you should be good to go.
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, October 29, 2012 10:09 AM
> To: NT System Admin Issues
> Subject: RE: DNS?
>
> I’ll recycle the dnscache and post my internal DNS records here to make
> sure I am doing it correctly.
>
> New Primary Zone
>
> IMCU.COM
>
> imcu.com A 12.145.145.177.176
>
> imcu.com MX mail.imcu.com
>
> mail.imcu.com A 10.0.50.4(internal address))
>
> www.imcu.com A 12.145.177.176  (external address for managed
> website))
>
> board.imcu.com A 10.0.10.21 (internal address))
>
> Should that be all that I need?
>
> I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
> accessible through the firewall so outside in only.
>
> After the recycle of dnscache I should be able to do an nslookup for
> mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I
> have commented out until after this experiment works or fails)
>
> Thanks
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 8:18 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
> Did you also add an MX record for that domain pointing at mail.imcu.com?
>
> Most MTA’s will fall back to the A record for the domain, so you could
> also put up an A record for imcu.com. But I wouldn’t count on that.
> Exchange didn’t until 2007 or so.
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Sunday, October 28, 2012 1:50 PM
> To: NT System Admin Issues
> Subject: DNS?
>
> I have added a new Forward lookup zone for IMCU.COM on my local active
> Directory.
>
> I have added an ‘a’ record for 10.0.50.4 for mail.imcu.com  in that zone.
>
> I do not resolve the mail to the ip.
>
> If I add that record in my hosts file I can browse it easily.
>
> What is wrong in my DNS set up?
>
> Server 2003 active directory.
>

RE: DNS?

2012-10-29 Thread itli...@imcu.com
From my PC (win8): (I can https://10.0.50.4/exchange and get in but I
get a failed browser going to https://mail.imcu.com/exchange)

 

C:\Windows\System32\Drivers\etc>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Windows\System32\Drivers\etc>nslookup mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com


C:\Windows\System32\Drivers\etc>nslookup
Default Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

> set type=mx
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

mail.imcu.com
        primary name server = 0304090304zu55.imcu.local
        responsible mail addr = hostmaster.imcu.local
        serial  = 2
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

imcu.com        MX preference = 10, mail exchanger = mx1.imcu.com
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

imcu.com        MX preference = 10, mail exchanger = mail.imcu.com
> set type=mx
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

imcu.com        MX preference = 10, mail exchanger = mail.imcu.com
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

mail.imcu.com
        primary name server = 0304090304zu55.imcu.local
        responsible mail addr = hostmaster.imcu.local
        serial  = 2
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
> set type=a
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com

> www.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    www.imcu.com
Address:  12.145.177.146

> board.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    board.imcu.com
Address:  10.0.10.21

> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com

>

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.
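
The nslookup session in the message above prints three kinds of reply that are easy to confuse: a rejected command, a real answer, and a reply that names the host but carries no record of the requested type (the bare "Name:" line, or the zone's SOA block after an MX query). The Python sketch below is an added example, not code from anyone in the thread; it sorts a transcript into those cases. Lookup, parse and SAMPLE are names chosen here, and the sample joins lines from the sessions posted in the thread.

```python
import re
from dataclasses import dataclass, field

# Lines taken from the two interactive sessions posted in the thread and joined
# into one transcript (blank lines dropped, SOA block shortened).
SAMPLE = """\
> Set type=MX
*** Can't find address for server type=MX: Non-existent domain
> Imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205
Non-authoritative answer:
Name:    Imcu.com
Address:  12.145.177.146
> set type=mx
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205
mail.imcu.com
        primary name server = 0304090304zu55.imcu.local
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205
imcu.com        MX preference = 10, mail exchanger = mail.imcu.com
> set type=a
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205
Name:    mail.imcu.com
> www.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205
Name:    www.imcu.com
Address:  12.145.177.146
"""


@dataclass
class Lookup:
    query: str
    qtype: str
    authoritative: bool = True
    values: list = field(default_factory=list)
    name_seen: bool = False   # a "Name:" line was printed
    soa_seen: bool = False    # the zone's SOA was printed instead of an answer
    error: str = ""

    @property
    def verdict(self):
        if self.error:
            return "error"
        if self.values:
            return "answer"
        # A reply arrived, but it held no record of the requested type.
        return "no-record" if (self.name_seen or self.soa_seen) else "unknown"


def parse(transcript):
    qtype = "a"  # assumption: the session starts with the default A query type
    lookups, cur, server_addr_pending = [], None, False
    for line in (raw.strip() for raw in transcript.splitlines()):
        if line.startswith(">"):
            cmd = line[1:].strip()
            m = re.match(r"set\s+(?:type|q)=(\w+)$", cmd)
            if m:
                qtype = m.group(1).lower()
            # Only lowercase "set" counts as a command: the session on the page
            # shows "Set type=MX" being run as a lookup and failing.
            if not cmd or cmd.startswith("set "):
                cur = None
            else:
                cur = Lookup(cmd.split()[0], qtype)
                lookups.append(cur)
            server_addr_pending = False
        elif cur is None or not line:
            continue
        elif line.startswith("***"):
            cur.error = line
        elif line.startswith(("Server:", "Default Server:")):
            server_addr_pending = True  # next Address line is the DNS server's own
        elif line.startswith("Non-authoritative answer"):
            cur.authoritative = False
        elif line.startswith("Name:"):
            cur.name_seen = True
        elif "primary name server =" in line:
            cur.soa_seen = True
        elif "mail exchanger =" in line:
            cur.values.append(line.split("mail exchanger =")[1].strip())
        else:
            m = re.match(r"Address(?:es)?:\s*(\S+)", line)
            if m and not server_addr_pending:
                cur.values.append(m.group(1))
            elif m:
                server_addr_pending = False
    return lookups

if __name__ == "__main__":
    for lk in parse(SAMPLE):
        print(f"{lk.query:15} {lk.qtype.upper():3} {lk.verdict:10} {lk.values}")
```

On the sample, both mail.imcu.com lookups come back as "no-record" while www.imcu.com and the imcu.com MX lookup come back as "answer", so the server is reachable and the gap is the record itself rather than the client cache.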

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com
So once I do this I will get my internal address not my external
address.

 

C:\Windows\System32\Drivers\etc>nslookup mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com


C:\Windows\System32\Drivers\etc>nslookup
Default Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

> Set type=MX
*** Can't find address for server type=MX: Non-existent domain
> Imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Non-authoritative answer:
Name:    Imcu.com
Address:  12.145.177.146

> set type=mx
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Non-authoritative answer:
imcu.com        MX preference = 5, mail exchanger = mx1.imcu.com

mx1.imcu.com    internet address = 38.109.185.193
> set type=a
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com

>

38.109.185.193 is my external address.

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com

C:\Windows\System32\Drivers\etc>nslookup mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com


C:\Windows\System32\Drivers\etc>

Why no IP address??


-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com] 
Posted At: Sunday, October 28, 2012 3:29 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

>I have added a new Forward lookup zone for IMCU.COM on my local active
>Directory.
>I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that zone.
>I do not resolve the mail to the ip.
>If I add that record in my hosts file I can browse it easily.
>What is wrong in my DNS set up?
>Server 2003 active directory.

Recycle the dnscache service. If you looked it up before your new fwd
zone was instantiated, your dns server returned a failure response and
it was cached.

The hosts file lookup doesn't use this.

This does assume your client is using that dns server and it and the
zone are setup correctly...


RE: DNS?

2012-10-29 Thread Kennedy, Jim
That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put 
up an A record for imcu.com. But I wouldn't count on that. Exchange didn't 
until 2007 or so.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

I have added a new Forward lookup zone for IMCU.COM on my local active 
Directory.
I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that zone.
I do not resolve the mail to the ip.
If I add that record in my hosts file I can browse it easily.
What is wrong in my DNS set up?
Server 2003 active directory.



RE: DNS?

2012-10-29 Thread itli...@imcu.com
I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


RE: DNS?

2012-10-28 Thread Joseph L. Casale
>I have added a new Forward lookup zone for IMCU.COM on my local active 
>Directory.
>I have added an ‘a’ record for 10.0.50.4 for mail.imcu.com  in that zone.
>I do not resolve the mail to the ip.
>If I add that record in my hosts file I can browse it easily.
>What is wrong in my DNS set up?
>Server 2003 active directory.

Recycle the dnscache service. If you looked it up before your new fwd zone was
instantiated, your dns server returned a failure response and it was cached.

The hosts file lookup doesn't use this.

This does assume your client is using that dns server and it and the zone are
setup correctly...
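
The cached failure response described in the reply above can be checked on the affected client. The following is an added example, not part of the original thread: a Python parser for `ipconfig /displaydns` output that reports whether a name is held in the DNS Client cache as a failure. The sample output is constructed, and its layout (English-language Windows) is an assumption.

```python
# Constructed sample of `ipconfig /displaydns` output (not captured from the
# poster's machine). The layout is assumed from typical English-language
# Windows output; the names and addresses are the ones quoted in the thread.
import re

SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    board.imcu.com
    ----------------------------------------
    Record Name . . . . . : board.imcu.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3412
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 10.0.10.21


    mail.imcu.com
    ----------------------------------------
    Name does not exist.


    www.imcu.com
    ----------------------------------------
    No records of type AAAA
"""

# A dashed rule follows every cached name in the assumed layout.
SEPARATOR = re.compile(r"^\s*-{10,}\s*$")
# Field labels that carry record data in the assumed layout.
DATA_LABELS = ("A (Host) Record", "AAAA Record", "CNAME Record")


def parse_displaydns(text):
    """Return one dict per cache block: name, status, records."""
    lines = text.splitlines()
    seps = [i for i, line in enumerate(lines) if SEPARATOR.match(line)]
    entries = []
    for n, i in enumerate(seps):
        if i == 0:
            continue  # a rule with no name line above it
        name = lines[i - 1].strip().lower().rstrip(".")
        # The block runs up to the name line of the next block, if any.
        end = seps[n + 1] - 1 if n + 1 < len(seps) else len(lines)
        body = [line.strip() for line in lines[i + 1:end] if line.strip()]
        status, records = "cached", []
        for line in body:
            lowered = line.lower()
            if lowered.startswith("name does not exist"):
                status = "nxdomain"   # negative answer: the name itself failed
            elif lowered.startswith("no records of type"):
                status = "nodata"     # name exists, requested type does not
            elif ":" in line:
                label, _, value = line.partition(":")
                if label.replace(".", "").strip() in DATA_LABELS:
                    records.append(value.strip())
        entries.append({"name": name, "status": status, "records": records})
    return entries


def diagnose(text, name):
    """Classify one name: absent, nxdomain, nodata, or cached with records."""
    wanted = name.strip().lower().rstrip(".")
    blocks = [e for e in parse_displaydns(text) if e["name"] == wanted]
    if not blocks:
        return ("absent", [])
    if any(e["status"] == "nxdomain" for e in blocks):
        return ("nxdomain", [])
    records = [r for e in blocks for r in e["records"]]
    if records:
        return ("cached", records)
    return ("nodata", [])


if __name__ == "__main__":
    for host in ("mail.imcu.com", "board.imcu.com", "vpn.imcu.com"):
        status, records = diagnose(SAMPLE_DISPLAYDNS, host)
        print(host, status, records)
```

An `nxdomain` result for a name that now exists in the zone is the stale entry that `ipconfig /flushdns` or a restart of the dnscache service clears. `nslookup` sends its own queries to the server and does not read this cache, so it tests the zone rather than the client cache.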



RE: 6 DNS server suddenly down. (solved)

2012-10-17 Thread Michael B. Smith
Did you attempt to reboot everything at once?

The Exchange errors occur because Exchange cannot determine what its AD site 
should be. Exchange 2010 SP2 should fix this automagically about 10 minutes 
after netlogon finally starts. If it doesn't, you can hardcode the site that 
Exchange should be in. That should be on my blog.

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, October 17, 2012 5:48 PM
To: NT System Admin Issues
Subject: RE: 6 DNS server suddenly down. (solved)

I hate it when two things go wrong at once, or I just notice them at once and 
think they went wrong at once.

The NSLookup issue was because somehow my IPV6 nics had given themselves an 
entry for dns lookups.  That causes the issue I saw with NSLookup according to 
google. I will look more into why that happened tomorrow.

The Exchange errors were because the Transport Service had started before the 
Netlogon service had started.

From: Kennedy, Jim
Sent: Wednesday, October 17, 2012 3:46 PM
To: NT System Admin Issues
Subject: 6 DNS server suddenly down.


All my DNS servers just blew up. AD integrated 2008 R2. Single Forest/Domain.

Desktops, clients can all resolve internal and internet IP's via these DNS 
servers without any trouble. The issue seems to be with AD records. My Exchange 
servers are screaming at me that they can't find GC's, can't find the topology. 
The DC's are saying they can't register themselves with themselves.  NSLookup 
on the DC comes back with timeouts or 'unknown' on everything they look up, 
including themselves. I have rebooted a couple of them.


RE: 6 DNS server suddenly down. (solved)

2012-10-17 Thread Kennedy, Jim
I hate it when two things go wrong at once, or I just notice them at once and 
think they went wrong at once.

The NSLookup issue was because somehow my IPV6 nics had given themselves an 
entry for dns lookups.  That causes the issue I saw with NSLookup according to 
google. I will look more into why that happened tomorrow.

The Exchange errors were because the Transport Service had started before the 
Netlogon service had started.

From: Kennedy, Jim
Sent: Wednesday, October 17, 2012 3:46 PM
To: NT System Admin Issues
Subject: 6 DNS server suddenly down.


All my DNS servers just blew up. AD integrated 2008 R2. Single Forest/Domain.

Desktops, clients can all resolve internal and internet IP's via these DNS 
servers without any trouble. The issue seems to be with AD records. My Exchange 
servers are screaming at me that they can't find GC's, can't find the topology. 
The DC's are saying they can't register themselves with themselves.  NSLookup 
on the DC comes back with timeouts or 'unknown' on everything they look up, 
including themselves. I have rebooted a couple of them.


RE: 2008R2 DNS, Network Location issue

2012-09-11 Thread Michael B. Smith
Second NIC and only one default gateway. What you are doing is inherently 
non-deterministic in Windows.

From: Greg Sweers [mailto:gswe...@acts360.com]
Sent: Monday, September 10, 2012 12:58 PM
To: NT System Admin Issues
Subject: 2008R2 DNS, Network Location issue

How do you handle servers that have 2 IP ranges on them and you get the 
wonderful Private network setting which really does not allow anything to 
communicate properly.

We have a secondary IP range listed on these boxes to communicate to an app.  
The Domain Controllers also have this secondary IP range on their virtual 
adapter.  While this is present, it all works  just fine.  When you remove this 
secondary IP range from the DC's virtual adapter, none of the guest machines 
continue working properly and if you reboot it takes like 20 mins for anything 
to happen while NLA just holds up everything.
Eventually the server comes up but things like Exchange, SQL, DFS don't work.  
All resolution internally is fine.  If we remove the secondary IP range from an 
affected server, it immediately goes to domain network and most everything 
works.  A reboot and we are back in business on that box.

Should I split that secondary IP to a separate NIC across all of our boxes?

I know it's something to do with how NLA is finding the DC's on that secondary 
range.  I just don't know if I am going to have the same problem with just 
adding another NIC?

Greg Sweers
CEO
ACTS360.com<http://www.acts360.com/>
P.O. Box 1193
Brandon, FL  33509
813-657-0849 Office
813-758-6850 Cell



Re: 2008R2 DNS, Network Location issue

2012-09-10 Thread Greg Sweers
It's a communications software that runs on a separate ip range for vlans and 
the devices that they use.  But it has to have communications to ad and 
exchange. It's old and going away but it's still needed for awhile.

Sent from my iPhone

On Sep 10, 2012, at 21:10, "David Lum" <david@nwea.org> wrote:

Silly Andrew…stop trying to get to the root cause…

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, September 10, 2012 11:14 AM
To: NT System Admin Issues
Subject: Re: 2008R2 DNS, Network Location issue

Can you tell us more about this app and why everyone needs a second IP to talk 
to it?
ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market…



On Mon, Sep 10, 2012 at 12:58 PM, Greg Sweers <gswe...@acts360.com> wrote:
How do you handle servers that have 2 IP ranges on them and you get the 
wonderful Private network setting which really does not allow anything to 
communicate properly.

We have a secondary IP range listed on these boxes to communicate to an app.  
The Domain Controllers also have this secondary IP range on their virtual 
adapter.  While this is present, it all works  just fine.  When you remove this 
secondary IP range from the DC’s virtual adapter, none of the guest machines 
continue working properly and if you reboot it takes like 20 mins for anything 
to happen while NLA just holds up everything.
Eventually the server comes up but things like Exchange, SQL, DFS don’t work.  
All resolution internally is fine.  If we remove the secondary IP range from an 
affected server, it immediately goes to domain network and most everything 
works.  A reboot and we are back in business on that box.

Should I split that secondary IP to a separate NIC across all of our boxes?

I know it's something to do with how NLA is finding the DC’s on that secondary 
range.  I just don’t know if I am going to have the same problem with just 
adding another NIC?

Greg Sweers
CEO
ACTS360.com<http://www.acts360.com/>
P.O. Box 1193
Brandon, FL  33509
813-657-0849 Office
813-758-6850 Cell





RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
I'm going to remove the older address after hours--maybe this weekend--and see 
what happens.


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, August 15, 2012 1:10 PM
To: NT System Admin Issues
Subject: Re: DNS Lookup Failing for One Address

If you don't have any old equipment with static listings of the older IP 
address of the DC, remove the older IP address.

If you do have older equipment with static listings, but don't have any newer 
equipment with static listings, and want to preserve the old address, then 
during off-hours remove the newer address and reboot.

If you have different sets of equipment that points to both addresses, you'll 
need to fix one or the other set of equipment.

Kurt

On Wed, Aug 15, 2012 at 9:14 AM, John Hornbuckle wrote:
> And we have a winner!!!
>
>
>
> So, I was totally unfamiliar with conditional forwarding. I just tried
> what you suggested, and voila—it works.
>
>
>
> I realize this is a workaround, and I still want to tackle the root of
> the problem. But this at least buys me some time.
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 11:09 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Another option is to set up conditional forwarding on the ‘bad’ dns
> server to one of your ‘good’ dns servers for just studyisland.com
>
>
>
> That way you will be out of the business of manually working on that
> zone as studyisland moves or changes things.
>
>
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 11:06 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> While officially supported, having multiple IP addresses on a single
> DC is not recommended and has caused problems all the way back to NT 3.5.
>
>
>
> If you just want to make this work – host the domain locally. Create
> it in your DNS servers. Probably the quickest way to fix the problem.
>
>
>
> Meinolf Weber wrote a very lengthy response to someone’s question, a
> few years ago, about what can go wrong on a DC with multiple IP
> addresses. Took me a few minutes to find it, link below. Much of it
> doesn’t apply in your case, of course, but still a worthwhile read.
>
>
>
> http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html
>
>
>
> I can surmise that what is happening here is that you are having to
> talk to a server that doesn’t like asynchronous routing of DNS replies and 
> requests.
> That’s becoming more and more common as DNS spoofing becomes more and
> more common. Couldn’t verify that without a network trace (wireshark /
> netmon). I probably would’ve done that by now and if you really want
> to track the issue down, that’s the next best step IMO.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:43 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> And I did consider that.
>
>
>
> :)
>
>
>
> However, (A.) this server’s configuration hasn’t changed in the years
> since it was deployed, (B.) we’ve done the same thing at our other
> sites that aren’t having problems, and (C.) DNS is working 100%
> correctly at the site in question except for the failure of lookups
> against this one single domain name.
>
>
>
> So while I’m open to all possibilities (honestly—I’m getting
> desperate), my gut instinct is that this isn’t the cause of the problem.
>
>
>
>
>
> John
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 10:36 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> I have a theory. Often when Mr. Smith asks a question he isn’t looking
> for an answer to that question, he is pointing you towards the answer
> for your problem.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:33 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Yup. When we decommissioned the old server this server replaced, some
> devices were still looking for it for DNS (they had static settings).
> So we assigned the old server’s address to the new one as a second address.
>
>
>
>
>
> John
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 

Re: DNS Lookup Failing for One Address

2012-08-15 Thread Kurt Buff
If you don't have any old equipment with static listings of the older
IP address of the DC, remove the older IP address.

If you do have older equipment with static listings, but don't have
any newer equipment with static listings, and want to preserve the old
address, then during off-hours remove the newer address and reboot.

If you have different sets of equipment that points to both addresses,
you'll need to fix one or the other set of equipment.

Kurt

On Wed, Aug 15, 2012 at 9:14 AM, John Hornbuckle wrote:
> And we have a winner!!!
>
>
>
> So, I was totally unfamiliar with conditional forwarding. I just tried what
> you suggested, and voila—it works.
>
>
>
> I realize this is a workaround, and I still want to tackle the root of the
> problem. But this at least buys me some time.
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 11:09 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Another option is to set up conditional forwarding on the ‘bad’ dns server
> to one of your ‘good’ dns servers for just studyisland.com
>
>
>
> That way you will be out of the business of manually working on that zone as
> studyisland moves or changes things.
>
>
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 11:06 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> While officially supported, having multiple IP addresses on a single DC is
> not recommended and has caused problems all the way back to NT 3.5.
>
>
>
> If you just want to make this work – host the domain locally. Create it in
> your DNS servers. Probably the quickest way to fix the problem.
>
>
>
> Meinolf Weber wrote a very lengthy response to someone’s question, a few
> years ago, about what can go wrong on a DC with multiple IP addresses. Took
> me a few minutes to find it, link below. Much of it doesn’t apply in your
> case, of course, but still a worthwhile read.
>
>
>
> http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html
>
>
>
> I can surmise that what is happening here is that you are having to talk to
> a server that doesn’t like asynchronous routing of DNS replies and requests.
> That’s becoming more and more common as DNS spoofing becomes more and more
> common. Couldn’t verify that without a network trace (wireshark / netmon). I
> probably would’ve done that by now and if you really want to track the issue
> down, that’s the next best step IMO.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:43 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> And I did consider that.
>
>
>
> :)
>
>
>
> However, (A.) this server’s configuration hasn’t changed in the years since
> it was deployed, (B.) we’ve done the same thing at our other sites that
> aren’t having problems, and (C.) DNS is working 100% correctly at the site
> in question except for the failure of lookups against this one single domain
> name.
>
>
>
> So while I’m open to all possibilities (honestly—I’m getting desperate), my
> gut instinct is that this isn’t the cause of the problem.
>
>
>
>
>
> John
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 10:36 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> I have a theory. Often when Mr. Smith asks a question he isn’t looking for
> an answer to that question, he is pointing you towards the answer for your
> problem.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:33 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Yup. When we decommissioned the old server this server replaced, some
> devices were still looking for it for DNS (they had static settings). So we
> assigned the old server’s address to the new one as a second address.
>
>
>
>
>
> John
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 10:05 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Your DC has multiple IP addresses?
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 9:08 AM
>
>
> To: NT Syst

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
And we have a winner!!!

So, I was totally unfamiliar with conditional forwarding. I just tried what you 
suggested, and voila-it works.

I realize this is a workaround, and I still want to tackle the root of the 
problem. But this at least buys me some time.



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 11:09 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Another option is to set up conditional forwarding on the 'bad' dns server to 
one of your 'good' dns servers for just studyisland.com

That way you will be out of the business of manually working on that zone as 
studyisland moves or changes things.


From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Michael B. Smith
To David's point - except when used in bonding (for failover) - most big 
environments would avoid this with a 10-foot pole. The behavior can seem quite 
non-deterministic and can be difficult to debug.

From: Webster [mailto:webs...@carlwebster.com]
Sent: Wednesday, August 15, 2012 11:34 AM
To: NT System Admin Issues
Subject: Re: DNS Lookup Failing for One Address

Your commute to work with Ken would be brutal!



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com<http://www.carlwebster.com/>

From: David Lum <david@nwea.org>
Subject: RE: DNS Lookup Failing for One Address

Wow, it would never, ever occur to me to give a DC multiple IP addresses. 
Multiple NIC's, yes, but teamed. Amazing that it's supported, but that just 
may be my ignorance due to my SMB-scale focus.

I need to work with Ken and experience big environments!



RE: DNS Lookup Failing for One Address

2012-08-15 Thread Ziots, Edward
I can look at a network trace for you, if you want to send it over, I
have done it for others on the list to help them out with problems, and
it's good practice.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Alas, network traces are outside of my skillset. I may have to bring in
outside help for that. I'm a technology generalist-lots of breadth, less
depth.

 

If I wanted to host the domain locally... I would just go to Forward
Lookup Zones, right-click, select "New Zone", and go from there? With us
being AD-integrated, this won't screw anything up?

 

I'll read the link you sent, too. Thanks for that.

 

 

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

While officially supported, having multiple IP addresses on a single DC
is not recommended and has caused problems all the way back to NT 3.5.

 

If you just want to make this work - host the domain locally. Create it
in your DNS servers. Probably the quickest way to fix the problem.

 

Meinolf Weber wrote a very lengthy response to someone's question, a few
years ago, about what can go wrong on a DC with multiple IP addresses.
Took me a few minutes to find it, link below. Much of it doesn't apply
in your case, of course, but still a worthwhile read.

 

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

 

I can surmise that what is happening here is that you are having to talk
to a server that doesn't like asynchronous routing of DNS replies and
requests. That's becoming more and more common as DNS spoofing becomes
more and more common. Couldn't verify that without a network trace
(wireshark / netmon). I probably would've done that by now and if you
really want to track the issue down, that's the next best step IMO.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

And I did consider that.

 

:)

 

However, (A.) this server's configuration hasn't changed in the years
since it was deployed, (B.) we've done the same thing at our other sites
that aren't having problems, and (C.) DNS is working 100% correctly at
the site in question except for the failure of lookups against this one
single domain name.

 

So while I'm open to all possibilities (honestly-I'm getting desperate),
my gut instinct is that this isn't the cause of the problem.

 

 

John

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

I have a theory. Often when Mr. Smith asks a question he isn't looking
for an answer to that question, he is pointing you towards the answer
for your problem.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Yup. When we decommissioned the old server this server replaced, some
devices were still looking for it for DNS (they had static settings). So
we assigned the old server's address to the new one as a second address.

 

 

John

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Your DC has multiple IP addresses?

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Oh, and to add... Each of my sites has its own DNS server. All other DNS
servers are resolving this address fine. All servers are behind the same
firewall.

 

Curiouser and curiouser.

 

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Per the suggestions from the list, I put dig on my squirrely DNS server
and ran dig +trace www.studyisland.com. Results are:

 

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
. 

RE: DNS Lookup Failing for One Address

2012-08-15 Thread David Lum
Wow, it would never, ever occur to me to give a DC multiple IP addresses. 
Multiple NIC's, yes, but teamed. Amazing that it's supported, but that just 
may be my ignorance due to my SMB-scale focus.

I need to work with Ken and experience big environments!

Dave

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 8:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN 

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Alas, network traces are outside of my skillset. I may have to bring in outside 
help for that. I'm a technology generalist - lots of breadth, less depth.

If I wanted to host the domain locally... I would just go to Forward Lookup 
Zones, right-click, select "New Zone", and go from there? With us being 
AD-integrated, this won't screw anything up?

I'll read the link you sent, too. Thanks for that.



From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   1

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Another option is to set up conditional forwarding on the 'bad' dns server to 
one of your 'good' dns servers for just studyisland.com

That way you will be out of the business of manually working on that zone as 
studyisland moves or changes things.


From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
I did disable DNS on one of the two addresses and restarted the service. No 
difference.

I haven't tried removing the whole address from the TCP/IP settings.



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:55 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Well, since you are desperate. :)  Remove one of the addresses, bounce the DC 
and retest.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:44 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.17280

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Michael B. Smith
While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.
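
The check that the network trace suggested in the message above would support, that every DNS reply mirrors the addresses and ports of the query it answers, can be sketched as follows. This is an added example, not code from the thread; the `Pkt` record layout, the names and the documentation-range addresses are constructed, and a real capture from Wireshark or netmon would have to be exported into this shape.

```python
import struct
from collections import namedtuple

# One captured UDP datagram; this field layout is an assumption of the example.
Pkt = namedtuple("Pkt", "ts src sport dst dport payload")

def build_dns(txid, qname, response=False):
    """Build a minimal DNS message (header plus one A/IN question)."""
    flags = 0x8180 if response else 0x0100   # QR bit set on replies
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_dns(payload):
    """Return (txid, is_response, qname); raise ValueError if malformed."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii").lower())
        pos += length
    return txid, bool(flags & 0x8000), ".".join(labels) + "."

def audit(trace):
    """Pair replies with queries and report replies a resolver would discard."""
    pending, findings = {}, []
    for pkt in sorted(trace, key=lambda p: p.ts):
        try:
            txid, is_response, qname = parse_dns(pkt.payload)
        except ValueError as exc:
            findings.append(("malformed", None, str(exc)))
            continue
        key = (txid, qname)
        if not is_response:
            pending[key] = pkt
            continue
        query = pending.get(key)
        if query is None:
            findings.append(("unsolicited", qname,
                             f"reply from {pkt.src}:{pkt.sport}"))
            continue
        problems = []
        if (pkt.src, pkt.sport) != (query.dst, query.dport):
            problems.append(f"reply came from {pkt.src}:{pkt.sport}, "
                            f"query was sent to {query.dst}:{query.dport}")
        if (pkt.dst, pkt.dport) != (query.src, query.sport):
            problems.append(f"reply went to {pkt.dst}:{pkt.dport}, "
                            f"query left from {query.src}:{query.sport}")
        if problems:
            # The query stays pending: a mismatched reply does not answer it.
            findings.append(("mismatch", qname, "; ".join(problems)))
        else:
            del pending[key]
    for (txid, qname), query in pending.items():
        findings.append(("unanswered", qname,
                         f"id {txid:#06x} from {query.src}:{query.sport}"))
    return findings

# Constructed trace: one DNS server holding two addresses (RFC 5737 ranges).
DC_A, DC_B = "192.0.2.10", "192.0.2.11"
SAMPLE_TRACE = [
    # Clean exchange: reply mirrors the query exactly.
    Pkt(0.000, DC_A, 50001, "198.51.100.53", 53, build_dns(0x1A2B, "www.example.com")),
    Pkt(0.046, "198.51.100.53", 53, DC_A, 50001, build_dns(0x1A2B, "www.example.com", True)),
    # Query leaves from the second address, reply arrives on the first.
    Pkt(1.000, DC_B, 50002, "203.0.113.53", 53, build_dns(0x2C3D, "www.example.net")),
    Pkt(1.050, "203.0.113.53", 53, DC_A, 50002, build_dns(0x2C3D, "www.example.net", True)),
    # Client asks the second address, server answers from the first.
    Pkt(2.000, "192.0.2.77", 40000, DC_B, 53, build_dns(0x3E4F, "www.example.org")),
    Pkt(2.001, DC_A, 53, "192.0.2.77", 40000, build_dns(0x3E4F, "www.example.org", True)),
]

if __name__ == "__main__":
    for kind, qname, detail in audit(SAMPLE_TRACE):
        print(f"{kind:10} {qname} {detail}")
```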

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Well, since you are desperate. :)  Remove one of the addresses, bounce the DC 
and retest.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:44 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly - I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.   172800  IN  NS  l.gtld-servers.net.
com.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.   172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.   172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Yep, and I prefer it that way.

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, August 15, 2012 10:49 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

AKA fishing lesson :)

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 7:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.   172800  IN  NS  l.gtld-servers.net.
com.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.   172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.   172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

www.studyisland.com.   0   IN  CNAME   vip1.studyisland.com.
vip1.studyisland.com.   28800   IN  A   72.249.13.58
;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.com) in 46 ms
===

Now, I'm not a DNS expert. But to me, this looks right because I know that 
www.studyisland.com = vip1.studyisland.com = 
72.249.13.58.

But when I use nslookup against that same DNS server, my queries still fail. I 
enabled debugging in nslookup
