RE: DNS settings for Trusts

2013-03-06 Thread N Parr
So here's what I think is happening, still awaiting confirmation from other 
site admin.
Everything you asked below is exactly how I'm set up.
What I discovered is they have a dozen or so DNS servers at their main and 
other remote sites which are all connected via their MPLS links.  I'm 
connecting in via a VPN tunnel.  Pretty sure my VPN tunnel only has access to 
the core subnet where their main DNS is at that I'm already successfully 
exchanging zone information with.  When their zone populates with their SRV 
records it loads all their DC's for all their sites, and they are all weighted 
equally.  Therefore when I try to ping their "domain.local" I get random 
responses from the various DC's they have, most of which I can't connect to 
because I'm guessing the VPN tunnel isn't allowing traffic to any subnet other 
than the core.  I've asked their admin to weight their SRV record for the core 
DC's higher than all the others and see if this fixes the problem.


From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 5:06 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Hi,

Can you please 100% confirm your DNS setup. The servers in question (b) and (d) 
are different, so when you say "answered above", I begin to worry that we're 
overlooking something.


-  Are you saying that the DC in DomainA hosts a secondary copy of the 
DomainB zone?

-  And that the DC in DomainB hosts a secondary copy of the DomainA 
zone?

-  And that the DC in DomainA looks at itself for name resolution?

-  And that the DC in DomainB also looks at itself for name resolution?

The above 4 are all separate, independent configuration options, and given that 
this should work, but isn't, we'd need to work through each item until we get 
to the point where we identify what the culprit is.

Cheers
Ken


From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 8:29 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts




From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

a)  DomainA and DomainB are in separate Forests?  - Yes

b)  Where does the PDCe in DomainA look first for name resolution (itself? 
Another DNS server?)  Itself (Secondary Forward Lookup Zones created on both 
sides)

c)   The DNS server in (b) - how does it know where to send requests for 
DomainB? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Hosts secondary Copy.  Tried Forwarders but from what I'm 
reading you use either a zone or a forwarder, not both.  I tried a forwarder 
anyway and it didn't make a difference.  Glue Records?  I don't think these come 
into play internally.

d)  For the DC in domainB where you are attempting to create the trust: 
where does it look for name resolution (itself? Another DNS server?)  Can't get 
to the point of making a trust yet because domainB can't ping domainA.local

e)  The DNS server in (d) - how does it know where to send requests for 
DomainA? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.

____________
From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts
Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...




On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A records are 
properly created.  But we didn't have to do this on Domain A to get it to work. 
 Either way where am I supposed to create these records?  Under my primary Zone? 
 It do
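
Added example (not part of the original thread): a Python simulation of RFC 2782 SRV target selection for the situation N Parr describes at the top of this message, where every DC is registered with the same priority and weight but only the core subnet is reachable over the VPN. The host names, addresses and the 10.0.0.0/24 core subnet are constructed; priority 0 and weight 100 are the Windows defaults for DC locator SRV records.

```python
import ipaddress
import random
from dataclasses import dataclass

# Constructed: the only subnet the VPN tunnel is assumed to reach.
CORE_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Srv:
    target: str
    address: str       # A record of the target (constructed)
    priority: int = 0  # Windows DC default
    weight: int = 100  # Windows DC default


def build_zone(core_priority=0, core_weight=100, remote_priority=0, remote_weight=100):
    """Constructed _ldap._tcp.dc._msdcs records: 2 core DCs plus 10 DCs at remote sites."""
    core = [Srv(f"dc-core{i}.domaina.local", f"10.0.0.{10 + i}", core_priority, core_weight)
            for i in (1, 2)]
    remote = [Srv(f"dc-site{i}.domaina.local", f"10.{i}.0.10", remote_priority, remote_weight)
              for i in range(1, 11)]
    return core + remote


def rfc2782_order(records, rng):
    """Order targets per RFC 2782: lowest priority first, weighted random within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records are placed first so they are only picked when the draw is 0.
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def is_reachable(rec, reachable=CORE_NET):
    """True when the target's address lies inside the subnet the tunnel allows."""
    return ipaddress.ip_address(rec.address) in reachable


def reachable_first_try_rate(records, trials=20000, seed=1):
    """Fraction of lookups whose first-choice DC sits inside the reachable subnet."""
    rng = random.Random(seed)
    hits = sum(is_reachable(rfc2782_order(records, rng)[0]) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    scenarios = {
        "all DCs priority 0 / weight 100": build_zone(),
        "core DCs weight 1000": build_zone(core_weight=1000),
        "remote DCs priority 10": build_zone(remote_priority=10),
    }
    for label, zone in scenarios.items():
        print(f"{label:35s} first try reachable: {reachable_first_try_rate(zone):.1%}")
```

In this model a higher weight only biases the draw towards the core DCs, while giving the remote DCs a higher priority number turns them into fallbacks that are tried only after the core DCs.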

RE: DNS settings for Trusts

2013-03-05 Thread N Parr
One of the first things I checked.  Ports are open, firewalls off.  Even tested 
telnet in to most everything listed in that article.  DomainA already has 
multiple trusts set up with other locations.
To make this even more strange, I can ping the remote domainA.local from a 
workstation on domainB and get a response from domainA PDC.  Same ping fails 
from either of my domainB DC's.
Think I'll bounce my DC's tonight and see what happens.


From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, March 05, 2013 3:48 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

http://support.microsoft.com/kb/179442

I would look here.
How to configure a firewall for domains and trusts

Just because you can't ping the endpoint doesn't mean it isn't available.

You can do the following if you need to determine if an endpoint is open.

Get a copy of Nmap or if you have a Linux Box you can use tcptraceroute or Nmap 
also.

To test you tell Nmap not to ping the host.

nmap -sS -sV -P0 -p- <ip address of endpoint>  (this will do all 65535 ports and 
tell you what you have open from your system)

tcptraceroute IP_address dest_port  (so if I wanted to tcptraceroute to 
123.45.67.89 port 135 I would do the following)
tcptraceroute 123.45.67.89 135

HTH. I think you're up against a FW issue nobody on the other side is telling you 
about.

Z


Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081


This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.


From: N Parr [mailto:npar...@mortonind.com]
Sent: Tuesday, March 05, 2013 4:29 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts




From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

a)  DomainA and DomainB are in separate Forests?  - Yes

b)  Where does the PDCe in DomainA look first for name resolution (itself? 
Another DNS server?)  Itself (Secondary Forward Lookup Zones created on both 
sides)

c)   The DNS server in (b) - how does it know where to send requests for 
DomainB? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Hosts secondary Copy.  Tried Forwarders but from what I'm 
reading you use either a zone or a forwarder, not both.  I tried a forwarder 
anyway and it didn't make a difference.  Glue Records?  I don't think these come 
into play internally.

d)  For the DC in domainB where you are attempting to create the trust: 
where does it look for name resolution (itself? Another DNS server?)  Can't get 
to the point of making a trust yet because domainB can't ping domainA.local

e)  The DNS server in (d) - how does it know where to send requests for 
DomainA? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts
Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...




On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A 

RE: DNS settings for Trusts

2013-03-05 Thread Ziots, Edward
http://support.microsoft.com/kb/179442

I would look here.
How to configure a firewall for domains and trusts

Just because you can't ping the endpoint doesn't mean it isn't available.

You can do the following if you need to determine if an endpoint is open.

Get a copy of Nmap or if you have a Linux Box you can use tcptraceroute or Nmap 
also.

To test you tell Nmap not to ping the host.

nmap -sS -sV -P0 -p- <ip address of endpoint>  (this will do all 65535 ports and 
tell you what you have open from your system)

tcptraceroute IP_address dest_port  (so if I wanted to tcptraceroute to 
123.45.67.89 port 135 I would do the following)
tcptraceroute 123.45.67.89 135

HTH. I think you're up against a FW issue nobody on the other side is telling you 
about.

Z


Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
Work:401-444-9081




From: N Parr [mailto:npar...@mortonind.com]
Sent: Tuesday, March 05, 2013 4:29 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts




From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

a)  DomainA and DomainB are in separate Forests?  - Yes

b)  Where does the PDCe in DomainA look first for name resolution (itself? 
Another DNS server?)  Itself (Secondary Forward Lookup Zones created on both 
sides)

c)   The DNS server in (b) - how does it know where to send requests for 
DomainB? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Hosts secondary Copy.  Tried Forwarders but from what I'm 
reading you use either a zone or a forwarder, not both.  I tried a forwarder 
anyway and it didn't make a difference.  Glue Records?  I don't think these come 
into play internally.

d)  For the DC in domainB where you are attempting to create the trust: 
where does it look for name resolution (itself? Another DNS server?)  Can't get 
to the point of making a trust yet because domainB can't ping domainA.local

e)  The DNS server in (d) - how does it know where to send requests for 
DomainA? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts
Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...




On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A records are 
properly created.  But we didn't have to do this on Domain A to get it to work. 
 Either way where am I supposed to create these records?  Under my primary Zone? 
 It doesn't give any detail and my Google is failing me.
http://technet.microsoft.com/en-us/library/ee307976%28v=ws.10%29.aspx
Thanks



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyri

RE: DNS settings for Trusts

2013-03-05 Thread N Parr



From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, March 05, 2013 2:42 PM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts


a)  DomainA and DomainB are in separate Forests?  - Yes

b)  Where does the PDCe in DomainA look first for name resolution (itself? 
Another DNS server?)  Itself (Secondary Forward Lookup Zones created on both 
sides)

c)   The DNS server in (b) - how does it know where to send requests for 
DomainB? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Hosts secondary Copy.  Tried Forwarders but from what I'm 
reading you use either a zone or a forwarder, not both.  I tried a forwarder 
anyway and it didn't make a difference.  Glue Records?  I don't think these come 
into play internally.

d)  For the DC in domainB where you are attempting to create the trust: 
where does it look for name resolution (itself? Another DNS server?)  Can't get 
to the point of making a trust yet because domainB can't ping domainA.local

e)  The DNS server in (d) - how does it know where to send requests for 
DomainA? Does it host a secondary copy? You have configured forwarders? You 
have glue records?  Answered in C)

Cheers
Ken

From: N Parr [mailto:npar...@mortonind.com]
Sent: Wednesday, 6 March 2013 6:46 AM
To: NT System Admin Issues
Subject: RE: DNS settings for Trusts

Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts
Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...




On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A records are 
properly created.  But we didn't have to do this on Domain A to get it to work. 
 Either way where am I supposed to create these records?  Under my primary Zone? 
 It doesn't give any detail and my Google is failing me.
http://technet.microsoft.com/en-us/library/ee307976%28v=ws.10%29.aspx
Thanks




RE: DNS settings for Trusts

2013-03-05 Thread N Parr
Domain B can't resolve Domain A.  Can't ping domain.local or any host.  And if 
we can't ping domain.local then we can't begin to create the trust.
No errors in the event log.


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, March 05, 2013 12:20 PM
To: NT System Admin Issues
Subject: Re: DNS settings for Trusts

Can you describe the type of lookup failures you are receiving?






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...





On Tue, Mar 5, 2013 at 12:43 PM, N Parr <npar...@mortonind.com> wrote:
I'm having some issues getting DNS to resolve properly on a trust we are trying 
to set up and it doesn't make much sense why I'm having problems.
Domain A can resolve everything on Domain B just fine but Domain B can't 
resolve Domain A.
Both are 08 Domains.
The zones are fully populated and there's no issues replicating records.
All the ports are open across the VPN, I can telnet back and forth, I can ping 
any IP.
According to this article I need to make sure my SRV and Host A records are 
properly created.  But we didn't have to do this on Domain A to get it to work. 
 Either way where am I supposed to create these records?  Under my primary Zone? 
 It doesn't give any detail and my Google is failing me.
http://technet.microsoft.com/en-us/library/ee307976%28v=ws.10%29.aspx
Thanks


Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-28 Thread Steven Peck
Years ago our networking team insisted on having them on so we had a
discussion.  Cisco's response at the time was ... we comply with RFC821 and
RFC822.  My reply was those were deprecated years ago and here's the
current standard (2821/2822 at the time) and that was all it took to get
them disabled.

My guess is Cisco still hasn't updated them.

On Thu, Jan 24, 2013 at 5:15 AM, Kennedy, Jim
wrote:

> The one that amazes me is the smtp fixup on Cisco. That one has been an
> issue for 10 years or so.
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, January 23, 2013 5:44 PM
> To: NT System Admin Issues
> Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
> > To clarify...the dns fixup refers to Cisco firewalls/asa's.
>
>   I've noticed that Cisco's "fixup" features tend to break things.
>
> -- Ben
>

RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-28 Thread Kennedy, Jim
Add to the below...your ISP turned on dns fixup this weekend on their internet 
facing firewall since they don't have that issue and the below scenario fits 
the symptoms anyway.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, January 28, 2013 12:10 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Mon, Jan 28, 2013 at 11:50 AM, Robert Peterson  
wrote:
> ... once we added our ISP's DNS resolvers as "Forwarder" we 
> immediately restored DNS performance.
> Could something have happened over last weekend to limit use of Root Hints?

  Nothing globally, or DNS would stop working.

  My guess is your routers/firewalls don't like EDNS0, *and* your ISP 
nameservers don't support EDNS0, so when talking to your ISP nameservers, EDNS0 
doesn't get used, and your firewalls don't gag.
This is a pure guess on my part, but what you describe is *the* classic problem 
report for EDNS0 incompatibility.

-- Ben




Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-28 Thread Ben Scott
On Mon, Jan 28, 2013 at 11:50 AM, Robert Peterson
 wrote:
> ... once we added our ISP's DNS resolvers as "Forwarder" we
> immediately restored DNS performance.
> Could something have happened over last weekend to limit use of Root Hints?

  Nothing globally, or DNS would stop working.

  My guess is your routers/firewalls don't like EDNS0, *and* your ISP
nameservers don't support EDNS0, so when talking to your ISP
nameservers, EDNS0 doesn't get used, and your firewalls don't gag.
This is a pure guess on my part, but what you describe is *the*
classic problem report for EDNS0 incompatibility.

-- Ben
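
Added example (not from the thread): a Python model of the EDNS0 failure mode Ben Scott guesses at above. It builds DNS wire-format queries with and without the OPT record and passes constructed responses through a hypothetical middlebox that enforces the pre-EDNS0 512-byte UDP limit; that limit, the name `example.com` and the answer counts are assumptions.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
LEGACY_UDP_LIMIT = 512  # classic DNS-over-UDP message size limit


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def opt_rr(udp_size):
    """OPT RR: root owner name, TYPE=41, CLASS carries the UDP payload size, empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)


def build_query(name, edns_size=None, txid=0x1234):
    """A-record query with RD set; appends an OPT RR when edns_size is given."""
    opt = opt_rr(edns_size) if edns_size else b""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if opt else 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """UDP payload size advertised in the message's OPT RR, or None without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def build_response(query, answers):
    """Constructed server reply: full answer if it fits the client's limit, else TC=1."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    client_size = edns_udp_size(query)
    opt = opt_rr(4096) if client_size else b""
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 1 + i % 254]) for i in range(answers))
    full = (struct.pack("!HHHHHH", txid, 0x8180, 1, answers, 0, 1 if opt else 0)
            + question + rrs + opt)
    if len(full) <= (client_size or LEGACY_UDP_LIMIT):
        return full
    # Too big for this client: send an empty, truncated reply so it retries over TCP.
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 1 if opt else 0) + question + opt


def lookup_outcome(name, answers, use_edns, fw_max_udp=LEGACY_UDP_LIMIT):
    """What the resolver behind the middlebox sees for one UDP lookup."""
    query = build_query(name, edns_size=4096 if use_edns else None)
    response = build_response(query, answers)
    if len(response) > fw_max_udp:
        return "dropped"      # resolver sees a timeout, not an error
    if struct.unpack("!H", response[2:4])[0] & 0x0200:
        return "truncated"    # TC bit set: resolver retries over TCP
    return "answered"


if __name__ == "__main__":
    for answers, edns in [(5, True), (40, True), (40, False)]:
        print(f"answers={answers:2d} edns0={edns!s:5} -> {lookup_outcome('example.com', answers, edns)}")
```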



RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-28 Thread Robert Peterson
I found the main "road block" or "bottleneck" that we were experiencing with 
DNS services, just not sure why we didn't see these issues years before.

We were directed years ago to NOT set up "Forwarders" in DNS, and instead rely 
totally on Root Hints if our DNS could not resolve, it's been that way for 
multiple years.  However, once we added our ISP's DNS resolvers as "Forwarder" 
we immediately restored DNS performance.

Could something have happened over last weekend to limit use of Root Hints?



-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Thursday, January 24, 2013 9:26 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

I still wonder why just this past weekend it hit you. Sounded very sudden.

-Original Message-
From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Thursday, January 24, 2013 10:22 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you everyone for your help.
Applied some recommendations last night from this article... so far so good.
http://support.microsoft.com/kb/956188


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Thursday, January 24, 2013 7:16 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-24 Thread Andrew S. Baker
Indeed...





*ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…





On Thu, Jan 24, 2013 at 8:15 AM, Kennedy, Jim
wrote:

> The one that amazes me is the smtp fixup on Cisco. That one has been an
> issue for 10 years or so.
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, January 23, 2013 5:44 PM
> To: NT System Admin Issues
> Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
> > To clarify...the dns fixup refers to Cisco firewalls/asa's.
>
>   I've noticed that Cisco's "fixup" features tend to break things.
>
> -- Ben
>
>


RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-24 Thread Kennedy, Jim
I still wonder why just this past weekend it hit you. Sounded very sudden.

-Original Message-
From: Robert Peterson [mailto:robert.peter...@prin.edu] 
Sent: Thursday, January 24, 2013 10:22 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you everyone for your help.
Applied some recommendations last night from this article... so far so good.
http://support.microsoft.com/kb/956188


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Thursday, January 24, 2013 7:16 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-24 Thread Robert Peterson
Thank you everyone for your help.
Applied some recommendations last night from this article... so far so good.
http://support.microsoft.com/kb/956188


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Thursday, January 24, 2013 7:16 AM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-24 Thread Kennedy, Jim
The one that amazes me is the smtp fixup on Cisco. That one has been an issue 
for 10 years or so.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, January 23, 2013 5:44 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim  
wrote:
> To clarify...the dns fixup refers to Cisco firewalls/asa's.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Ben Scott
On Wed, Jan 23, 2013 at 2:48 PM, Kennedy, Jim
 wrote:
> To clarify…the dns fixup refers to Cisco firewalls/asa’s.

  I've noticed that Cisco's "fixup" features tend to break things.

-- Ben




Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Kurt Buff
To test this for your environment...

Get this:
http://www.techrepublic.com/article/use-dig-to-administer-windows-dns-servers/5032892

Then do this:
https://www.dns-oarc.net/oarc/services/replysizetest

Kurt

On Wed, Jan 23, 2013 at 1:15 PM, Robert Peterson
 wrote:
> We do not have Cisco firewalls, though everything else is Cisco (switches, 
> routers, VOIP)
> Has anyone seen this issue using Fortinet firewalls?
> Thx,
> Robert
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, January 23, 2013 3:05 PM
> To: NT System Admin Issues
> Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Definitely better to fix the firewall than to limit the size of DNS queries on 
> the server.
> Other firewalls have needed similar fixes, too - not just Cisco.
> Kurt
>
> On Wed, Jan 23, 2013 at 11:44 AM, Kennedy, Jim  
> wrote:
>> Yes. At some point your DNS servers are talking to the outside
>> work…directly or via forwarders I would assume.  If dns fixup is
>> enabled you need to allow longer lookups.
>>
>> fixup protocol dns maximum-length 4096
>>
>> Or turn off eDNS on the 2003 servers.
>> dnscmd /Config /EnableEDnsProbes 0
>
>> From: Robert Peterson [mailto:robert.peter...@prin.edu]
>> Sent: Wednesday, January 23, 2013 2:39 PM
>>
>> To: NT System Admin Issues
>> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>> Thank you Jim.
>>
>> We have no Cisco firewalls, but all Cisco switches, routers. A new
>> switch may have went in last week.  We also are in the middle of a
>> Cisco VOIP project, past 6 months. Phones all up, but they are still
>> working out tweaks, etc. Trying to make a “Jabber” client work on desktops 
>> and PDAs.
>>
>> Something on the Cisco side I should dig into?
>>
>> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
>> Sent: Wednesday, January 23, 2013 1:14 PM
>> To: NT System Admin Issues
>> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>>
>>
>>
>> Did someone put in a shiny new Cisco firewall this past weekend?
>
>
>> From: Robert Peterson [mailto:robert.peter...@prin.edu]
>> Sent: Wednesday, January 23, 2013 2:02 PM
>> To: NT System Admin Issues
>> Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>>
>> Hoping this is an old problem and someone has ideas?
>>
>> We have Server 2003 R2 SP2 Domain Controllers, four of them.
>>
>> Since this past weekend, we saw a large increase in Event 5504 warnings.
>> Eventually the DC gives an Event 7502 and DNS services hang.
>>
>> When DNS hangs, memory usage of the DNS service has grown to 800,000K,
>> after reboot the memory usage starts around 50,000K.
>>
>> Found a registry setting to add an EnableDuplicateQuerySuppression DWORD “0”
>> setting.  This has stopped the memory growth/leaks, and replaced the
>> 5504 errors with numerous 404 and 408 errors, till probably due to the
>> registry change to suppress “dups” it has quit logging those.
>>
>> DNS memory usage is stable around 100,000K and DNS services to our
>> users is remaining stable too.
>>
>> However, I feel this is just a stopgap and I need to resolve the real
>> culprit… thoughts? Ideas?
>>
>> As always… great listserv & thanks!
>> Robert
>>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
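Added example, not part of the original thread: both remedies discussed above (raising the firewall's DNS maximum length to 4096, or turning off EDNS probes on the servers) hinge on whether UDP DNS replies larger than 512 bytes make it back through the path. The Python below builds an EDNS0 query advertising a 4096-byte buffer and classifies the reply; the name `test.example`, the function names and the sample replies are constructed for illustration.

```python
import socket
import struct
import sys

CLASSIC_LIMIT = 512   # largest UDP DNS message without EDNS0 (RFC 1035)
TYPE_OPT = 41         # EDNS0 OPT pseudo-record (RFC 6891)
TYPE_TXT = 16

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=TYPE_TXT, udp_size=4096, txid=0x1234):
    """Query with an OPT record; its CLASS field carries our UDP buffer size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def analyze_reply(msg):
    """Extract size, TC bit, RCODE and the sender's advertised EDNS0 buffer size."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass
    return {"size": len(msg), "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "edns_udp_size": edns_size}

MEANING = {
    "NO_REPLY": "nothing came back: the reply may be dropped in transit, or the server is down",
    "TRUNCATED": "TC bit set: the answer did not fit, the resolver must retry over TCP",
    "LARGE_OK": "a reply over 512 bytes arrived intact over UDP",
    "NO_EDNS": "no OPT record in the reply: replies on this path stay within 512 bytes",
    "SMALL_OK": "EDNS0 works but this reply was small; use a name with a bigger answer",
}

def diagnose(reply):
    """Classify raw reply bytes (or None for a timeout) into a MEANING key."""
    if reply is None:
        return "NO_REPLY"
    info = analyze_reply(reply)
    if info["truncated"]:
        return "TRUNCATED"
    if info["size"] > CLASSIC_LIMIT:
        return "LARGE_OK"
    return "NO_EDNS" if info["edns_udp_size"] is None else "SMALL_OK"

def probe(server, name, timeout=3.0):
    """Send the EDNS0 query over UDP; return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

def sample_reply(name, txt_bytes, with_opt=True, truncated=False):
    """Constructed reply for offline use (not captured traffic): TXT padding."""
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, 1)
    answers, count = b"", 0
    while txt_bytes > 0:
        chunk = min(txt_bytes, 255)
        rdata = bytes([chunk]) + b"x" * chunk
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(rdata)) + rdata
        txt_bytes -= chunk
        count += 1
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)) if with_opt else b""
    flags = 0x8180 | (0x0200 if truncated else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, count, 0, 1 if with_opt else 0)
    return header + question + answers + opt

if __name__ == "__main__":
    if len(sys.argv) == 3:             # usage: script.py <server-ip> <name>
        verdict = diagnose(probe(sys.argv[1], sys.argv[2]))
        print(verdict, "-", MEANING[verdict])
    else:                              # offline run over the constructed samples
        for reply in (sample_reply("test.example", 600),
                      sample_reply("test.example", 0, truncated=True),
                      sample_reply("test.example", 100, with_opt=False), None):
            verdict = diagnose(reply)
            print(verdict, "-", MEANING[verdict])
```

A `NO_REPLY` or `TRUNCATED` verdict from behind the firewall, against a name that returns `LARGE_OK` from outside it, points at the path rather than the DNS server.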



RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Robert Peterson
We do not have Cisco firewalls, though everything else is Cisco (switches, 
routers, VOIP)
Has anyone seen this issue using Fortinet firewalls?
Thx,
Robert

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, January 23, 2013 3:05 PM
To: NT System Admin Issues
Subject: Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Definitely better to fix the firewall than to limit the size of DNS queries on 
the server.
Other firewalls have needed similar fixes, too - not just Cisco.
Kurt

On Wed, Jan 23, 2013 at 11:44 AM, Kennedy, Jim  
wrote:
> Yes. At some point your DNS servers are talking to the outside 
> work…directly or via forwarders I would assume.  If dns fixup is 
> enabled you need to allow longer lookups.
>
> fixup protocol dns maximum-length 4096
>
> Or turn off eDNS on the 2003 servers.
> dnscmd /Config /EnableEDnsProbes 0

> From: Robert Peterson [mailto:robert.peter...@prin.edu]
> Sent: Wednesday, January 23, 2013 2:39 PM
>
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
> Thank you Jim.
>
> We have no Cisco firewalls, but all Cisco switches, routers. A new 
> switch may have went in last week.  We also are in the middle of a 
> Cisco VOIP project, past 6 months. Phones all up, but they are still 
> working out tweaks, etc. Trying to make a “Jabber” client work on desktops 
> and PDAs.
>
> Something on the Cisco side I should dig into?
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, January 23, 2013 1:14 PM
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
>
>
> Did someone put in a shiny new Cisco firewall this past weekend?


> From: Robert Peterson [mailto:robert.peter...@prin.edu]
> Sent: Wednesday, January 23, 2013 2:02 PM
> To: NT System Admin Issues
> Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
> Hoping this is an old problem and someone has ideas?
>
> We have Server 2003 R2 SP2 Domain Controllers, four of them.
>
> Since this past weekend, we saw a large increase in Event 5504 warnings.
> Eventually the DC gives an Event 7502 and DNS services hang.
>
> When DNS hangs, memory usage of the DNS service has grown to 800,000K, 
> after reboot the memory usage starts around 50,000K.
>
> Found a registry setting to add an EnableDuplicateQuerySuppression DWORD “0”
> setting.  This has stopped the memory growth/leaks, and replaced the 
> 5504 errors with numerous 404 and 408 errors, till probably due to the 
> registry change to suppress “dups” it has quit logging those.
>
> DNS memory usage is stable around 100,000K and DNS services to our 
> users is remaining stable too.
>
> However, I feel this is just a stopgap and I need to resolve the real 
> culprit… thoughts? Ideas?
>
> As always… great listserv & thanks!
> Robert
>



Re: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Kurt Buff
Definitely better to fix the firewall than to limit the size of DNS
queries on the server.

Other firewalls have needed similar fixes, too - not just Cisco.

Kurt

On Wed, Jan 23, 2013 at 11:44 AM, Kennedy, Jim
 wrote:
> Yes. At some point your DNS servers are talking to the outside work…directly
> or via forwarders I would assume.  If dns fixup is enabled you need to allow
> longer lookups.
>
>
>
> fixup protocol dns maximum-length 4096
>
>
>
> Or turn off eDNS on the 2003 servers.
>
>
>
> dnscmd /Config /EnableEDnsProbes 0
>
>
>
>
>
>
>
>
>
> From: Robert Peterson [mailto:robert.peter...@prin.edu]
> Sent: Wednesday, January 23, 2013 2:39 PM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
>
>
> Thank you Jim.
>
> We have no Cisco firewalls, but all Cisco switches, routers. A new switch
> may have went in last week.  We also are in the middle of a Cisco VOIP
> project, past 6 months. Phones all up, but they are still working out
> tweaks, etc. Trying to make a “Jabber” client work on desktops and PDAs.
>
>
>
> Something on the Cisco side I should dig into?
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, January 23, 2013 1:14 PM
> To: NT System Admin Issues
> Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
>
>
> Did someone put in a shiny new Cisco firewall this past weekend?
>
>
>
> From: Robert Peterson [mailto:robert.peter...@prin.edu]
> Sent: Wednesday, January 23, 2013 2:02 PM
> To: NT System Admin Issues
> Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers
>
>
>
> Hoping this is an old problem and someone has ideas?
>
>
>
> We have Server 2003 R2 SP2 Domain Controllers, four of them.
>
> Since this past weekend, we saw a large increase in Event 5504 warnings.
> Eventually the DC gives an Event 7502 and DNS services hang.
>
>
>
> When DNS hangs, memory usage of the DNS service has grown to 800,000K, after
> reboot the memory usage starts around 50,000K.
>
>
>
> Found a registry setting to add an EnableDuplicateQuerySuppression DWORD “0”
> setting.  This has stopped the memory growth/leaks, and replaced the 5504
> errors with numerous 404 and 408 errors, till probably due to the registry
> change to suppress “dups” it has quit logging those.
>
>
>
> DNS memory usage is stable around 100,000K and DNS services to our users is
> remaining stable too.
>
>
>
> However, I feel this is just a stopgap and I need to resolve the real
> culprit… thoughts? Ideas?
>
>
>
> As always… great listserv & thanks!
>
> Robert
>




RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Kennedy, Jim
To clarify...the dns fixup refers to Cisco firewalls/asa's.

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 23, 2013 2:48 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Yes. At some point your DNS servers are talking to the outside work...directly 
or via forwarders I would assume.  If dns fixup is enabled you need to allow 
longer lookups.

fixup protocol dns maximum-length 4096

Or turn off eDNS on the 2003 servers.

dnscmd /Config /EnableEDnsProbes 0




From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:39 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you Jim.
We have no Cisco firewalls, but all Cisco switches, routers. A new switch may 
have went in last week.  We also are in the middle of a Cisco VOIP project, 
past 6 months. Phones all up, but they are still working out tweaks, etc. 
Trying to make a "Jabber" client work on desktops and PDAs.

Something on the Cisco side I should dig into?

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 23, 2013 1:14 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Did someone put in a shiny new Cisco firewall this past weekend?

From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:02 PM
To: NT System Admin Issues
Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Hoping this is an old problem and someone has ideas?

We have Server 2003 R2 SP2 Domain Controllers, four of them.
Since this past weekend, we saw a large increase in Event 5504 warnings. 
Eventually the DC gives an Event 7502 and DNS services hang.

When DNS hangs, memory usage of the DNS service has grown to 800,000K, after 
reboot the memory usage starts around 50,000K.

Found a registry setting to add an EnableDuplicateQuerySuppression DWORD "0" 
setting.  This has stopped the memory growth/leaks, and replaced the 5504 
errors with numerous 404 and 408 errors, till probably due to the registry 
change to suppress "dups" it has quit logging those.

DNS memory usage is stable around 100,000K and DNS services to our users is 
remaining stable too.

However, I feel this is just a stopgap and I need to resolve the real 
culprit... thoughts? Ideas?

As always... great listserv & thanks!
Robert


RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Kennedy, Jim
Yes. At some point your DNS servers are talking to the outside work...directly 
or via forwarders I would assume.  If dns fixup is enabled you need to allow 
longer lookups.

fixup protocol dns maximum-length 4096

Or turn off eDNS on the 2003 servers.

dnscmd /Config /EnableEDnsProbes 0




From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:39 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Thank you Jim.
We have no Cisco firewalls, but all Cisco switches, routers. A new switch may 
have went in last week.  We also are in the middle of a Cisco VOIP project, 
past 6 months. Phones all up, but they are still working out tweaks, etc. 
Trying to make a "Jabber" client work on desktops and PDAs.

Something on the Cisco side I should dig into?

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 23, 2013 1:14 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Did someone put in a shiny new Cisco firewall this past weekend?

From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:02 PM
To: NT System Admin Issues
Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Hoping this is an old problem and someone has ideas?

We have Server 2003 R2 SP2 Domain Controllers, four of them.
Since this past weekend, we saw a large increase in Event 5504 warnings. 
Eventually the DC gives an Event 7502 and DNS services hang.

When DNS hangs, memory usage of the DNS service has grown to 800,000K, after 
reboot the memory usage starts around 50,000K.

Found a registry setting to add an EnableDuplicateQuerySuppression DWORD "0" 
setting.  This has stopped the memory growth/leaks, and replaced the 5504 
errors with numerous 404 and 408 errors, till probably due to the registry 
change to suppress "dups" it has quit logging those.

DNS memory usage is stable around 100,000K and DNS services to our users is 
remaining stable too.

However, I feel this is just a stopgap and I need to resolve the real 
culprit... thoughts? Ideas?

As always... great listserv & thanks!
Robert


RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

2013-01-23 Thread Robert Peterson
Thank you Jim.
We have no Cisco firewalls, but all Cisco switches, routers. A new switch may 
have went in last week.  We also are in the middle of a Cisco VOIP project, 
past 6 months. Phones all up, but they are still working out tweaks, etc. 
Trying to make a "Jabber" client work on desktops and PDAs.

Something on the Cisco side I should dig into?

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, January 23, 2013 1:14 PM
To: NT System Admin Issues
Subject: RE: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Did someone put in a shiny new Cisco firewall this past weekend?

From: Robert Peterson [mailto:robert.peter...@prin.edu]
Sent: Wednesday, January 23, 2013 2:02 PM
To: NT System Admin Issues
Subject: DNS concerns - Server 2003 R2 SP2 Domain Controllers

Hoping this is an old problem and someone has ideas?

We have Server 2003 R2 SP2 Domain Controllers, four of them.
Since this past weekend, we saw a large increase in Event 5504 warnings. 
Eventually the DC gives an Event 7502 and DNS services hang.

When DNS hangs, memory usage of the DNS service has grown to 800,000K, after 
reboot the memory usage starts around 50,000K.

Found a registry setting to add an EnableDuplicateQuerySuppression DWORD "0" 
setting.  This has stopped the memory growth/leaks, and replaced the 5504 
errors with numerous 404 and 408 errors, till probably due to the registry 
change to suppress "dups" it has quit logging those.

DNS memory usage is stable around 100,000K and DNS services to our users is 
remaining stable too.

However, I feel this is just a stopgap and I need to resolve the real 
culprit... thoughts? Ideas?

As always... great listserv & thanks!
Robert


RE: DNS/Replication broken after MS updates?

2012-12-14 Thread Phil Hershey
Thanks.  It turned out to be a bad interaction between the 12/13 updates
and the Active Administrator agent.

-Philip Hershey

This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return e-mail, delete this communication and destroy all copies.


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Thursday, December 13, 2012 1:05 PM
To: NT System Admin Issues
Subject: RE: DNS/Replication broken after MS updates?

+1

It will fail and warn in weird ways depending upon how you have the
security set up on dynamic registration.

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net]
Sent: Thursday, December 13, 2012 4:02 PM
To: NT System Admin Issues
Subject: Re: DNS/Replication broken after MS updates?

You would see a bunch of errors in the Directory Service log if
replication were actually busted.  IME it's normal for the dcdiag DNS
tests (and dcpromo, often) to complain about DNS delegations, even in a
perfectly healthy environment.

--Steve

On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:
> Our DCs are set to install MS updates automatically, and apparently 
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS 
> test finishes with:
>
> Summary of DNS test results:
>
>                Auth Basc Forw Del  Dyn  RReg Ext
>    _____________________________________________
>    Domain: agia.in
>       dc-ca1   PASS PASS PASS FAIL PASS PASS n/a
>       mail-dc2 PASS PASS PASS FAIL PASS FAIL n/a
>       mail-dc5 PASS PASS PASS FAIL PASS PASS n/a
>       dc-az1   PASS PASS PASS FAIL PASS PASS n/a
>       mail-dc3 PASS PASS PASS FAIL PASS PASS n/a
>       mail-dc4 PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is 
> unavailable.  Of course the RPC Server service is up and running on 
> all the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external 
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA
>
>
>
>




RE: DNS/Replication broken after MS updates?

2012-12-13 Thread Free, Bob
I've actually had an experienced  PFE tell me there is no reason to run that 
arg in production unless you have a "really good reason and know exactly what 
you are doing"

-Original Message-
From: Webster [mailto:webs...@carlwebster.com] 
Sent: Thursday, December 13, 2012 2:11 PM
To: NT System Admin Issues
Subject: RE: DNS/Replication broken after MS updates?

Why are you having to force replication between all domain controllers?  Find 
and fix what is broken.

Thanks


Webster

> -Original Message-
> From: Phil Hershey [mailto:phers...@agia.com]
> Subject: RE: DNS/Replication broken after MS updates?
> 
> Ah, but what tipped me off is definitely not normal.  I have a batch 
> file that runs a series of REPADMIN /SYNCALL commands to force 
> replication between all the DCs.  It hasn't thrown an error in 
> literally years, and normally takes about 5 seconds to complete.  Now 
> every single server coughs up the RPC Server is unavailable error.





PG&E is committed to protecting our customers' privacy. 
To learn more, please visit http://www.pge.com/about/company/privacy/customer/



RE: DNS/Replication broken after MS updates?

2012-12-13 Thread Webster
Why are you having to force replication between all domain controllers?  Find 
and fix what is broken.

Thanks


Webster

> -Original Message-
> From: Phil Hershey [mailto:phers...@agia.com]
> Subject: RE: DNS/Replication broken after MS updates?
> 
> Ah, but what tipped me off is definitely not normal.  I have a batch file that
> runs a series of REPADMIN /SYNCALL commands to force replication
> between all the DCs.  It hasn't thrown an error in literally years, and
> normally takes about 5 seconds to complete.  Now every single server coughs
> up the RPC Server is unavailable error.



RE: DNS/Replication broken after MS updates?

2012-12-13 Thread Phil Hershey
Ah, but what tipped me off is definitely not normal.  I have a batch
file that runs a series of REPADMIN /SYNCALL commands to force
replication between all the DCs.  It hasn't thrown an error in literally
years, and normally takes about 5 seconds to complete.  Now every single
server coughs up the RPC Server is unavailable error.

You're right though, the DS event log is clean.  So is the FRS log.

Perhaps I should just head home on time, not worry about it and have a
beer.

-Philip Hershey


-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net] 
Sent: Thursday, December 13, 2012 12:42 PM
To: NT System Admin Issues
Subject: Re: DNS/Replication broken after MS updates?

You would see a bunch of errors in the Directory Service log if
replication were actually busted.  IME it's normal for the dcdiag DNS
tests (and dcpromo, often) to complain about DNS delegations, even in a
perfectly healthy environment.

--Steve

On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:
> Our DCs are set to install MS updates automatically, and apparently 
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS 
> test finishes with:
>
> Summary of DNS test results:
>
>                Auth Basc Forw Del  Dyn  RReg Ext
>    _____________________________________________
> Domain: agia.in
>
>    dc-ca1      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2    PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5    PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3    PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4    PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is
> unavailable.  Of course the RPC Server service is up and running on
> all the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external 
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA


RE: DNS/Replication broken after MS updates?

2012-12-13 Thread Kennedy, Jim
+1

It will fail and warn in weird ways depending upon how you have the security 
set up on dynamic registration.

-Original Message-
From: Steve Kradel [mailto:skra...@zetetic.net] 
Sent: Thursday, December 13, 2012 4:02 PM
To: NT System Admin Issues
Subject: Re: DNS/Replication broken after MS updates?

You would see a bunch of errors in the Directory Service log if replication 
were actually busted.  IME it's normal for the dcdiag DNS tests (and dcpromo, 
often) to complain about DNS delegations, even in a perfectly healthy 
environment.

--Steve

On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:
> Our DCs are set to install MS updates automatically, and apparently 
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS 
> test finishes with:
>
> Summary of DNS test results:
>
>                Auth Basc Forw Del  Dyn  RReg Ext
>    _____________________________________________
> Domain: agia.in
>
>    dc-ca1      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2    PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5    PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3    PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4    PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is
> unavailable.  Of course the RPC Server service is up and running on
> all the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external 
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty 
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA


Re: DNS/Replication broken after MS updates?

2012-12-13 Thread Richard Stovall
See D. Lum's earlier post titled "Heads up: MS12-081 KB2758857 issue."

They might be related somehow.  Uninstalling 2758857 solved his issues.  It
might be worth a shot starting with that one if you do think it's related
to yesterday's updates.

In every environment I've ever managed, no matter how small, I've always
disabled auto updates on DCs.  Just a thought...


On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:

> Our DCs are set to install MS updates automatically, and apparently
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS test
> finishes with:
>
> Summary of DNS test results:
>
>                Auth Basc Forw Del  Dyn  RReg Ext
>    _____________________________________________
> Domain: agia.in
>
>    dc-ca1      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2    PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5    PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3    PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4    PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is
> unavailable.  Of course the RPC Server service is up and running on all
> the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA

Re: DNS/Replication broken after MS updates?

2012-12-13 Thread Steve Kradel
You would see a bunch of errors in the Directory Service log if
replication were actually busted.  IME it's normal for the dcdiag DNS
tests (and dcpromo, often) to complain about DNS delegations, even in
a perfectly healthy environment.

--Steve

On Thu, Dec 13, 2012 at 2:52 PM, Phil Hershey  wrote:
> Our DCs are set to install MS updates automatically, and apparently
> yesterday morning they did.  Now replication is busted.  DCDIAG DNS test
> finishes with:
>
> Summary of DNS test results:
>
>                Auth Basc Forw Del  Dyn  RReg Ext
>    _____________________________________________
> Domain: agia.in
>
>    dc-ca1      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc2    PASS PASS PASS FAIL PASS FAIL n/a
>    mail-dc5    PASS PASS PASS FAIL PASS PASS n/a
>    dc-az1      PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc3    PASS PASS PASS FAIL PASS PASS n/a
>    mail-dc4    PASS PASS PASS FAIL PASS PASS n/a
>
>  . agia.in failed test DNS
>
> Not good.  REPADMIN SYNCALL passes all error out with RPC Server is
> unavailable.  Of course the RPC Server service is up and running on all
> the DCs.
>
> Checking the DNS event log shows a 4014 error that's empty, of course.
> Plus a few event  4521's showing rejected DNS packets from external
> sources.
>
> Any chance the MS updates from yesterday caused this?  It seems mighty
> coincidental.
>
> Thanks.
>
>
>
> Philip Hershey
> AGIA Insurance Services
> Carpinteria, CA
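The triage rule in the message above (a FAIL in the delegation column alone is common, anything else deserves a look) can be applied mechanically to the dcdiag summary. This is an added PowerShell example, not part of the thread; the sample table is a constructed, evenly spaced copy of the one quoted above, and treating only `Del` as expected noise is an assumption taken from that message.

```powershell
# Added example. $summary is a constructed copy of the quoted dcdiag table.
$summary = @'
                Auth Basc Forw Del  Dyn  RReg Ext
Domain: agia.in
   dc-ca1       PASS PASS PASS FAIL PASS PASS n/a
   mail-dc2     PASS PASS PASS FAIL PASS FAIL n/a
   mail-dc5     PASS PASS PASS FAIL PASS PASS n/a
   dc-az1       PASS PASS PASS FAIL PASS PASS n/a
   mail-dc3     PASS PASS PASS FAIL PASS PASS n/a
   mail-dc4     PASS PASS PASS FAIL PASS PASS n/a
'@

# Column order of the dcdiag DNS summary: authentication, basic, forwarders,
# delegation, dynamic update, record registration, external resolution.
$columns = 'Auth', 'Basc', 'Forw', 'Del', 'Dyn', 'RReg', 'Ext'

# Failures regarded as expected noise (assumption from the thread: Del only).
$expectedNoise = @('Del')

function ConvertFrom-DcdiagDnsSummary {
    param([string]$Text)

    foreach ($line in $Text -split "`r?`n") {
        $fields = @($line.Trim() -split '\s+')

        # A result row is a server name followed by exactly seven result cells;
        # the header row and the "Domain:" line do not match and are skipped.
        if ($fields.Count -ne 8) { continue }
        if ($fields[1] -notmatch '^(PASS|FAIL|WARN|n/a)$') { continue }

        $failed = @()
        for ($i = 0; $i -lt $columns.Count; $i++) {
            if ($fields[$i + 1] -eq 'FAIL') { $failed += $columns[$i] }
        }

        New-Object PSObject -Property @{
            Server      = $fields[0]
            Failed      = $failed
            NeedsReview = @($failed | Where-Object { $expectedNoise -notcontains $_ })
        }
    }
}

# List only the servers whose failures go beyond the expected noise.
ConvertFrom-DcdiagDnsSummary -Text $summary |
    Where-Object { $_.NeedsReview.Count -gt 0 } |
    ForEach-Object { '{0}: review {1}' -f $_.Server, ($_.NeedsReview -join ', ') }
```

Servers listed by the last pipeline are the ones to check next in the Directory Service and DNS event logs.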


Re: DNS settings in GPO or logon script

2012-11-29 Thread Kurt Buff
Why the wait?

Spin up a set of DHCP scopes now, and start the migration. Your only catch
will be to make sure that the DHCP server is configured to send probes to
make sure an address isn't taken before assigning a lease.

Kurt

On Thu, Nov 29, 2012 at 12:40 PM, itli...@imcu.com  wrote:

> We will be moving to a more DHCP type shop in the next couple of years.
> But not quite yet.
>
> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
> Posted At: Thursday, November 29, 2012 3:05 PM
> Posted To: itli...@imcu.com
> Conversation: DNS settings in GPO or logon script
> Subject: Re: DNS settings in GPO or logon script
>
> Well, I assign all my IP addresses via reservations, so I'm essentially
> static.  I thought I'd float it, just in case.
>
> On Thu, Nov 29, 2012 at 2:44 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
>
> He has 24 LANs statically addressed.
>
> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
> Sent: Thursday, November 29, 2012 2:40 PM
> To: NT System Admin Issues
> Subject: Re: DNS settings in GPO or logon script
>
> Isn't it better to set this via the DHCP server (assuming one is being
> used)?
>
> On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
> christopher_bod...@glic.com> wrote:
>
> I would start with something like this in PowerShell.
>
> http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell
>
> I'd modify it to look at the current DNS server config of the adapter and
> only modify it if it's got the old DNS server address. I think that's what
> you are trying to do.
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
> From: "itli...@imcu.com"
> To: "NT System Admin Issues"
> Date: 11/29/2012 01:54 PM
> Subject: DNS settings in GPO or logon script
>
> I have active directory server 2008r2 standard.
> I want to push DNS primary and secondary.  I can netsh it but not everyone
> has the same adapter settings name?
> I have all static addressing on all 24 LAN’s.
> How am I going to get this done? 

Re: DNS settings in GPO or logon script

2012-11-29 Thread Jonathan Link
Sometimes you have to rip the bandaid off. :-)

On Thursday, November 29, 2012, itli...@imcu.com wrote:

> We will be moving to a more DHCP type shop in the next couple of years.
> But not quite yet.
>
> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
> Posted At: Thursday, November 29, 2012 3:05 PM
> Posted To: itli...@imcu.com
> Conversation: DNS settings in GPO or logon script
> Subject: Re: DNS settings in GPO or logon script
>
> Well, I assign all my IP addresses via reservations, so I'm essentially
> static.  I thought I'd float it, just in case.
>
> On Thu, Nov 29, 2012 at 2:44 PM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
>
> He has 24 LANs statically addressed.
>
> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
> Sent: Thursday, November 29, 2012 2:40 PM
> To: NT System Admin Issues
> Subject: Re: DNS settings in GPO or logon script
>
> Isn't it better to set this via the DHCP server (assuming one is being
> used)?
>
> On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
> christopher_bod...@glic.com> wrote:
>
> I would start with something like this in PowerShell.
>
> http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell
>
> I'd modify it to look at the current DNS server config of the adapter and
> only modify it if it's got the old DNS server address. I think that's what
> you are trying to do.
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
> From: "itli...@imcu.com"
> To: "NT System Admin Issues"
> Date: 11/29/2012 01:54 PM

RE: DNS settings in GPO or logon script

2012-11-29 Thread itli...@imcu.com
We will be moving to a more DHCP type shop in the next couple of years.
But not quite yet.

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Posted At: Thursday, November 29, 2012 3:05 PM
Posted To: itli...@imcu.com
Conversation: DNS settings in GPO or logon script
Subject: Re: DNS settings in GPO or logon script

 

Well, I assign all my IP addresses via reservations, so I'm essentially
static.  I thought I'd float it, just in case. 

 

 

 

On Thu, Nov 29, 2012 at 2:44 PM, Kennedy, Jim <
kennedy...@elyriaschools.org> wrote:

He has 24 LANs statically addressed.

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Thursday, November 29, 2012 2:40 PM


To: NT System Admin Issues

Subject: Re: DNS settings in GPO or logon script

 

Isn't it better to set this via the DHCP server (assuming one is being
used)?

 

On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
christopher_bod...@glic.com> wrote:

I would start with something like this in PowerShell. 

http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell


I'd modify it to look at the current DNS server config of the adapter
and only modify it if it's got the old DNS server address. I think
that's what you are trying to do. 

Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise
Architecture and Engineering Services 

Tel 610-807-6459  
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 

 

The Guardian Life Insurance Company of America

www.guardianlife.com

From: "itli...@imcu.com"
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 11/29/2012 01:54 PM
Subject: DNS settings in GPO or logon script

I have active directory server 2008r2 standard. 
I want to push DNS primary and secondary.  I can netsh it but not
everyone has the same adapter settings name? 
I have all static addressing on all 24 LAN's. 
How am I going to get this done? 


Re: DNS settings in GPO or logon script

2012-11-29 Thread Jonathan Link
Well, I assign all my IP addresses via reservations, so I'm essentially
static.  I thought I'd float it, just in case.




On Thu, Nov 29, 2012 at 2:44 PM, Kennedy, Jim
wrote:

>  He has 24 LANs statically addressed.
>
> From: Jonathan Link [mailto:jonathan.l...@gmail.com]
> Sent: Thursday, November 29, 2012 2:40 PM
> To: NT System Admin Issues
> Subject: Re: DNS settings in GPO or logon script
>
> Isn't it better to set this via the DHCP server (assuming one is being
> used)?
>
> On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
> christopher_bod...@glic.com> wrote:
>
> I would start with something like this in PowerShell.
>
> http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell
>
> I'd modify it to look at the current DNS server config of the adapter and
> only modify it if it's got the old DNS server address. I think that's what
> you are trying to do.
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
> From: "itli...@imcu.com"
> To: "NT System Admin Issues"
> Date: 11/29/2012 01:54 PM
> Subject: DNS settings in GPO or logon script
>
> I have active directory server 2008r2 standard.
> I want to push DNS primary and secondary.  I can netsh it but not everyone
> has the same adapter settings name?
> I have all static addressing on all 24 LAN’s.
> How am I going to get this done? 

RE: DNS settings in GPO or logon script

2012-11-29 Thread Kennedy, Jim
He has 24 LANs statically addressed.

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, November 29, 2012 2:40 PM
To: NT System Admin Issues
Subject: Re: DNS settings in GPO or logon script

Isn't it better to set this via the DHCP server (assuming one is being used)?

On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar
<christopher_bod...@glic.com> wrote:
I would start with something like this in PowerShell.

http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell


I'd modify it to look at the current DNS server config of the adapter and only 
modify it if it's got the old DNS server address. I think that's what you are 
trying to do.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com

The Guardian Life Insurance Company of America

www.guardianlife.com

From: "itli...@imcu.com" <itli...@imcu.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Date: 11/29/2012 01:54 PM
Subject: DNS settings in GPO or logon script

I have active directory server 2008r2 standard.
I want to push DNS primary and secondary.  I can netsh it but not everyone has 
the same adapter settings name?
I have all static addressing on all 24 LAN's.
How am I going to get this done?

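The approach Christopher Bodnar describes in the quoted message (look at each adapter's current DNS servers and change them only where the old server is still configured), sketched as an added PowerShell example that is not part of the thread or of the linked article. The server addresses, `computers.txt`, the report file and the function names are hypothetical; the script uses the `Win32_NetworkAdapterConfiguration` WMI class, which selects adapters by state, so differing connection names do not matter.

```powershell
# Added example, not from the thread. Addresses and file names are
# constructed placeholders (assumptions); replace them with your own values.
$OldDns = '192.0.2.10'                     # DNS server being retired
$NewDns = @('192.0.2.53', '192.0.2.54')    # new primary and secondary

function Test-UsesOldDns {
    # True only when the old server appears in the adapter's current list.
    param([string[]]$Current, [string]$Old)
    return (@($Current) -contains $Old)
}

function Update-DnsServer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Select adapters by state, not by connection name: IP-enabled and
    # statically addressed (DHCP clients get DNS from scope options).
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
        -ComputerName $ComputerName -ErrorAction Stop `
        -Filter 'IPEnabled = TRUE AND DHCPEnabled = FALSE'

    foreach ($nic in $nics) {
        $before = @($nic.DNSServerSearchOrder)
        $status = 'Skipped (old server not configured)'

        if (Test-UsesOldDns -Current $before -Old $OldDns) {
            $status = 'Would change'
            $target = "$ComputerName [$($nic.Description)]"
            $action = "Set DNS servers to $($NewDns -join ', ')"

            if ($PSCmdlet.ShouldProcess($target, $action)) {
                # ReturnValue 0 = success, 1 = success but reboot required.
                $rc = $nic.SetDNSServerSearchOrder($NewDns).ReturnValue
                $status = if ($rc -le 1) { 'Changed' } else { "Failed (WMI code $rc)" }
            }
        }

        # One record per adapter so the run can be reviewed afterwards.
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Adapter  = $nic.Description
            Before   = ($before -join ',')
            Status   = $status
        }
    }
}

# Dry run first: -WhatIf reports what would change without touching anything.
Get-Content .\computers.txt | ForEach-Object {
    $name = $_
    try   { Update-DnsServer -ComputerName $name -WhatIf }
    catch { Write-Warning "$name : $($_.Exception.Message)" }
} | Export-Csv .\dns-change-report.csv -NoTypeInformation
```

Remove `-WhatIf` only after reviewing the report; adapters that do not list the old server are left untouched, so deliberately different settings are not overwritten.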

RE: DNS settings in GPO or logon script

2012-11-29 Thread itli...@imcu.com
Will that set them on Windows 7 and Windows 8 machines as well or just
windows xp?

 

From: David Lum [mailto:david@nwea.org] 
Posted At: Thursday, November 29, 2012 1:59 PM
Posted To: itli...@imcu.com
Conversation: DNS settings in GPO or logon script
Subject: RE: DNS settings in GPO or logon script

 

Policies...Administrative Templates...Network/DNS client...DNS suffix
search...

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Thursday, November 29, 2012 10:41 AM
To: NT System Admin Issues
Subject: DNS settings in GPO or logon script

 

 

I have active directory server 2008r2 standard.

I want to push DNS primary and secondary.  I can netsh it but not
everyone has the same adapter settings name?

I have all static addressing on all 24 LAN's.

How am I going to get this done?


Re: DNS settings in GPO or logon script

2012-11-29 Thread Jonathan Link
Isn't it better to set this via the DHCP server (assuming one is being
used)?


On Thu, Nov 29, 2012 at 2:12 PM, Christopher Bodnar <
christopher_bod...@glic.com> wrote:

> I would start with something like this in PowerShell.
>
> http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell
>
>
> I'd modify it to look at the current DNS server config of the adapter and
> only modify it if it's got the old DNS server address. I think that's what
> you are trying to do.
>
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology: Enterprise
> Architecture and Engineering Services  Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> christopher_bod...@glic.com
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
> From: "itli...@imcu.com"
> To: "NT System Admin Issues"
> Date: 11/29/2012 01:54 PM
> Subject: DNS settings in GPO or logon script
>
> I have active directory server 2008r2 standard.
> I want to push DNS primary and secondary.  I can netsh it but not everyone
> has the same adapter settings name?
> I have all static addressing on all 24 LAN’s.
> How am I going to get this done?
>


Re: DNS settings in GPO or logon script

2012-11-29 Thread Christopher Bodnar
I would start with something like this in PowerShell. 

http://digitaldeviation.com/articles/change-dns-servers-remotely-powershell


I'd modify it to look at the current DNS server config of the adapter and 
only modify it if it's got the old DNS server address. I think that's what 
you are trying to do.



Christopher Bodnar 
Enterprise Architect I, Corporate Office of Technology:Enterprise 
Architecture and Engineering Services 
Tel 610-807-6459 
3900 Burgess Place, Bethlehem, PA 18017 
christopher_bod...@glic.com 




The Guardian Life Insurance Company of America
www.guardianlife.com

From: "itli...@imcu.com"
To: "NT System Admin Issues"
Date: 11/29/2012 01:54 PM
Subject: DNS settings in GPO or logon script

I have active directory server 2008r2 standard.
I want to push DNS primary and secondary.  I can netsh it but not everyone 
has the same adapter settings name?
I have all static addressing on all 24 LAN’s.
How am I going to get this done?

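The conditional change Christopher Bodnar describes above (rewrite an adapter's DNS servers only when it still lists the old server), as an added PowerShell example that is not code from the thread or from the linked article. It selects adapters through the WMI class Win32_NetworkAdapterConfiguration rather than by connection name, which sidesteps the differing adapter names; the server addresses and parameter names are constructed placeholders.

```powershell
# Added example. All addresses below are constructed placeholders, not values from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ComputerName  = @($env:COMPUTERNAME),
    [string[]]$OldDnsServers = @('10.0.0.10'),              # placeholder: resolver being retired
    [string[]]$NewDnsServers = @('10.0.0.20', '10.0.0.21')  # placeholder: primary, secondary
)

foreach ($computer in $ComputerName) {
    try {
        # Select by IPEnabled instead of by connection name, so it does not matter
        # whether the adapter is called "Local Area Connection" or something else.
        $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
            -ComputerName $computer -Filter 'IPEnabled = TRUE' -ErrorAction Stop
    }
    catch {
        Write-Warning "${computer}: WMI query failed: $($_.Exception.Message)"
        continue
    }

    foreach ($adapter in $adapters) {
        # Leave DHCP-configured adapters alone; their DNS servers come from the scope options.
        if ($adapter.DHCPEnabled) { continue }

        # DNSServerSearchOrder is $null when no server is configured; normalise to an array.
        $current = @($adapter.DNSServerSearchOrder | Where-Object { $_ })

        # Only touch adapters that still reference a retired server.
        $stale = @($current | Where-Object { $OldDnsServers -contains $_ })
        if ($stale.Count -eq 0) { continue }

        $status = 'NotChanged (WhatIf or declined)'
        $target = "$computer / $($adapter.Description)"
        $action = "Set DNS servers to $($NewDnsServers -join ', ')"

        if ($PSCmdlet.ShouldProcess($target, $action)) {
            $result = $adapter.SetDNSServerSearchOrder($NewDnsServers)
            # ReturnValue 0 = success, 1 = success but a reboot is required.
            if ($result.ReturnValue -eq 0) {
                $status = 'Changed'
            }
            elseif ($result.ReturnValue -eq 1) {
                $status = 'Changed (reboot required)'
            }
            else {
                $status = "Failed (ReturnValue $($result.ReturnValue))"
            }
        }

        # One record per adapter that was considered, for logging or export.
        New-Object PSObject -Property @{
            Computer    = $computer
            Adapter     = $adapter.Description
            PreviousDns = ($current -join ', ')
            RequestedDns = ($NewDnsServers -join ', ')
            Status      = $status
        }
    }
}
```

Run it with `-WhatIf` first to list the adapters that would be changed, and keep the emitted records so each change can be traced back to its previous setting.
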
RE: DNS?

2012-10-29 Thread itli...@imcu.com
Yes and so does www.imcu.com 'a' record.  Only the stupid mail is
screwy???

 

From: Walker, Michael [mailto:mwal...@mail.cvhp.org] 
Posted At: Monday, October 29, 2012 12:49 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Does your other A Record "board.imcu.com" resolve correctly?

 

Michael Walker

Senior Network Engineer

Citrus Valley Health Partners

140 W. College Street, Covina, CA  91723

Phone/Fax/Pager: (888) 299-6882

mwal...@mail.cvhp.org

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:34 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

Just mail.imcu.com no ip address.

Ping not host

I am getting very frustrated because it is staring me in the face

 

 

From: Walker, Michael [mailto:mwal...@mail.cvhp.org] 
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it
resolve to?

 

Michael Walker

Senior Network Engineer

Citrus Valley Health Partners

140 W. College Street, Covina, CA  91723

Phone/Fax/Pager: (888) 299-6882

mwal...@mail.cvhp.org

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

Public ip works.  DNS, ping, https, activesync the whole thing.

I want to access it internally using a name instead of an IP address.

Currently with I can not https://mail.imcu.com/exchange with or without
the 'imcu.com' zone internally.

If I use a hosts file entry the above works.

If I use the ip (10.0.50.14) the https link works.

Not sure I need to go out my firewall just to come back in to get to my
exchange box?

 

 

From: Richard McClary [mailto:richard.mccl...@aspca.org] 
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Let's see...  You have a private LAN, and you are hoping the public can
reach the system at that same (private, internal) IP?

 

Why not register an external IP for that system, then do a mapped IP
address ("MIP") through your firewall?

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM

RE: DNS?

2012-10-29 Thread Walker, Michael
Does your other A Record "board.imcu.com" resolve correctly?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:34 AM
To: NT System Admin Issues
Subject: RE: DNS?

Just mail.imcu.com no ip address.
Ping not host
I am getting very frustrated because it is staring me in the face


From: Walker, Michael [mailto:mwal...@mail.cvhp.org]
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it resolve to?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

Public ip works.  DNS, ping, https, activesync the whole thing.
I want to access it internally using a name instead of an IP address.
Currently with I can not https://mail.imcu.com/exchange with or without the 
'imcu.com' zone internally.
If I use a hosts file entry the above works.
If I use the ip (10.0.50.14) the https link works.
Not sure I need to go out my firewall just to come back in to get to my 
exchange box?


From: Richard McClary [mailto:richard.mccl...@aspca.org]
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

RE: DNS?

2012-10-29 Thread Damien Solodow
It won't; nbtstat is for WINS, not DNS.

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 12:35 PM
To: NT System Admin Issues
Subject: RE: DNS?

Nbtstat -a 10.0.50.4 does not resolve the mail.imcu.com either??

From: Walker, Michael [mailto:mwal...@mail.cvhp.org]
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it resolve to?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

Public ip works.  DNS, ping, https, activesync the whole thing.
I want to access it internally using a name instead of an IP address.
Currently with I can not https://mail.imcu.com/exchange with or without the 
'imcu.com' zone internally.
If I use a hosts file entry the above works.
If I use the ip (10.0.50.14) the https link works.
Not sure I need to go out my firewall just to come back in to get to my 
exchange box?


From: Richard McClary [mailto:richard.mccl...@aspca.org]
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put

RE: DNS?

2012-10-29 Thread Damien Solodow
What is the name/IP of the DNS server you created the zone on?
Does the zone show SOA/NS records?
Is it an AD integrated zone?

DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 12:34 PM
To: NT System Admin Issues
Subject: RE: DNS?

Just mail.imcu.com no ip address.
Ping not host
I am getting very frustrated because it is staring me in the face


From: Walker, Michael [mailto:mwal...@mail.cvhp.org]
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it resolve to?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

Public ip works.  DNS, ping, https, activesync the whole thing.
I want to access it internally using a name instead of an IP address.
Currently with I can not https://mail.imcu.com/exchange with or without the 
'imcu.com' zone internally.
If I use a hosts file entry the above works.
If I use the ip (10.0.50.14) the https link works.
Not sure I need to go out my firewall just to come back in to get to my 
exchange box?


From: Richard McClary [mailto:richard.mccl...@aspca.org]
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain point

RE: DNS?

2012-10-29 Thread itli...@imcu.com
Nbtstat -a 10.0.50.4 does not resolve the mail.imcu.com either??

 

From: Walker, Michael [mailto:mwal...@mail.cvhp.org] 
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it
resolve to?

 

Michael Walker

Senior Network Engineer

Citrus Valley Health Partners

140 W. College Street, Covina, CA  91723

Phone/Fax/Pager: (888) 299-6882

mwal...@mail.cvhp.org

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

Public ip works.  DNS, ping, https, activesync the whole thing.

I want to access it internally using a name instead of an IP address.

Currently with I can not https://mail.imcu.com/exchange with or without
the 'imcu.com' zone internally.

If I use a hosts file entry the above works.

If I use the ip (10.0.50.14) the https link works.

Not sure I need to go out my firewall just to come back in to get to my
exchange box?

 

 

From: Richard McClary [mailto:richard.mccl...@aspca.org] 
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Let's see...  You have a private LAN, and you are hoping the public can
reach the system at that same (private, internal) IP?

 

Why not register an external IP for that system, then do a mapped IP
address ("MIP") through your firewall?

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com
Just mail.imcu.com no ip address.

Ping not host

I am getting very frustrated because it is staring me in the face

 

 

From: Walker, Michael [mailto:mwal...@mail.cvhp.org] 
Posted At: Monday, October 29, 2012 12:30 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Question:  When you do an NSLOOKUP of mail.imcu.com, what does it
resolve to?

 

Michael Walker

Senior Network Engineer

Citrus Valley Health Partners

140 W. College Street, Covina, CA  91723

Phone/Fax/Pager: (888) 299-6882

mwal...@mail.cvhp.org

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

Public ip works.  DNS, ping, https, activesync the whole thing.

I want to access it internally using a name instead of an IP address.

Currently with I can not https://mail.imcu.com/exchange with or without
the 'imcu.com' zone internally.

If I use a hosts file entry the above works.

If I use the ip (10.0.50.14) the https link works.

Not sure I need to go out my firewall just to come back in to get to my
exchange box?

 

 

From: Richard McClary [mailto:richard.mccl...@aspca.org] 
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Let's see...  You have a private LAN, and you are hoping the public can
reach the system at that same (private, internal) IP?

 

Why not register an external IP for that system, then do a mapped IP
address ("MIP") through your firewall?

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: u

RE: DNS?

2012-10-29 Thread Walker, Michael
Question:  When you do an NSLOOKUP of mail.imcu.com, what does it resolve to?

Michael Walker
Senior Network Engineer
Citrus Valley Health Partners
140 W. College Street, Covina, CA  91723
Phone/Fax/Pager: (888) 299-6882
mwal...@mail.cvhp.org

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: DNS?

Public ip works.  DNS, ping, https, activesync the whole thing.
I want to access it internally using a name instead of an IP address.
Currently with I can not https://mail.imcu.com/exchange with or without the 
'imcu.com' zone internally.
If I use a hosts file entry the above works.
If I use the ip (10.0.50.14) the https link works.
Not sure I need to go out my firewall just to come back in to get to my 
exchange box?


From: Richard McClary [mailto:richard.mccl...@aspca.org]
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put 
up an A record for imcu.com. But I wouldn't count on that. Exchange didn't 
until 2007 or so.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

I have added a new Forward lookup zone for IMCU.COM on my local active 
Directory.
I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that zone.
I do not resolve the mail to the ip.
If I add that

Re: DNS?

2012-10-29 Thread Steve Kradel
Mr. or Ms. ITLists, it appears you have a bad or incomplete A record
for mail.imcu.com.  However, nslookup is not a good tool for DNS
troubleshooting; I would suggest you use 'dig' (it's part of the BIND
tools package) with the 'debug' option to tell the DNS server not to
search recursively.

On Mon, Oct 29, 2012 at 11:54 AM, itli...@imcu.com  wrote:
> Public ip works.  DNS, ping, https, activesync the whole thing.
>
> I want to access it internally using a name instead of an IP address.
>
> Currently with I can not https://mail.imcu.com/exchange with or without the
> ‘imcu.com’ zone internally.
>
> If I use a hosts file entry the above works.
>
> If I use the ip (10.0.50.14) the https link works.
>
> Not sure I need to go out my firewall just to come back in to get to my
> exchange box?
>
>
>
>
>
> From: Richard McClary [mailto:richard.mccl...@aspca.org]
> Posted At: Monday, October 29, 2012 11:41 AM
>
>
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> Let’s see…  You have a private LAN, and you are hoping the public can reach
> the system at that same (private, internal) IP?
>
>
>
> Why not register an external IP for that system, then do a mapped IP address
> (“MIP”) through your firewall?
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, October 29, 2012 9:59 AM
> To: NT System Admin Issues
> Subject: RE: DNS?
>
>
>
> You are accessing it from external though.  External is working fine.
>
> I am wanting an internal zone since my domain is imcu.local and my mail is
> imcu.com…
>
> I hope to God you can use the internal ip address from the wild.
>
> That would send me home in a bucket.
>
>
>
>
>
> From: Steve Ens [mailto:stevey...@gmail.com]
> Posted At: Monday, October 29, 2012 10:53 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: Re: DNS?
>
>
>
> For me it's the other way around...
>
> On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com  wrote:
>
> Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
> fails???
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 10:12 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> That looks correct. Be sure to flush dns on the machine doing the lookup.
>
>
>
> To be sure you should first do an nslookup on the domain’s MX and make sure
> you get mail.imcu.com
>
>
>
> nslookup
>
> Set type=MX
>
> Imcu.com
>
>
>
> That should return mail.imcu.com
>
>
>
> Then check the A record for mail.imcu.com and you should be good to go.
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, October 29, 2012 10:09 AM
> To: NT System Admin Issues
> Subject: RE: DNS?
>
>
>
> I’ll recycle the dnscache and post my internal DNS records here to make sure
> I am doing it correctly.
>
> New Primary Zone
>
> IMCU.COM
>
> imcu.com A 12.145.145.177.176
>
> imcu.com MX mail.imcu.com
>
> mail.imcu.com A 10.0.50.4(internal address))
>
> www.imcu.com A 12.145.177.176  (external address for managed
> website))
>
> board.imcu.com A 10.0.10.21 (internal address))
>
>
>
>
>
> Should that be all that I need?
>
> I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
> accessible through the firewall so outside in only.
>
>
>
> After the recycle of dnscache I should be able to do an nslookup for
> mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I
> have commented out until after this experiment works or fails)
>
> Thanks
>
>
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 8:18 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> Did you also add an MX record for that domain pointing at mail.imcu.com?
>
>
>
> Most MTA’s will fall back to the A record for the domain, so you could also
> put up an A record for imcu.com. But I wouldn’t count on that. Exchange
> didn’t until 2007 or so.
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Sunday, October 28, 2012 1:50 PM
> To: NT System Admin Issues
> Subject: DNS?
>
>
>
> I have added a new Forward lookup zone for IMCU.COM on my local active
> Directory.
>
> I have added an ‘a’ record for 10.0.50.4 for mail.imcu.com  in that zone.
>
> I do not resolve the mail to the ip.
>
> If I add that record in my hosts file I can browse it easily.
>
> What is wrong in my DNS set up?
>
> Server 2003 active directory.
>
>
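A sanity check of the internal zone as it was posted in this thread, written as an added example that is not part of any poster's message. The function names and the `PUBLIC_ONLY_NAMES` list are hypothetical, and the model assumes an internal primary zone answers only from its own records and never falls back to the public imcu.com zone.

```python
"""Audit an internal (split-brain) zone like the one posted in this thread."""
import ipaddress

# Records as posted in the thread, with the trailing remarks stripped.
# Copied as posted, not corrected.
POSTED_ZONE = """\
imcu.com        A   12.145.145.177.176
imcu.com        MX  mail.imcu.com
mail.imcu.com   A   10.0.50.4
www.imcu.com    A   12.145.177.176
board.imcu.com  A   10.0.10.21
"""

# Hypothetical list: names the poster says exist publicly but are not
# in the internal zone.
PUBLIC_ONLY_NAMES = ["vpn.imcu.com", "ftp.imcu.com"]


def parse_zone(text):
    """Return a list of (owner, rtype, value) tuples with names lower-cased."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or unrecognised lines
        owner, rtype, value = fields
        records.append(
            (owner.lower().rstrip("."), rtype.upper(), value.lower().rstrip("."))
        )
    return records


def valid_ipv4(value):
    """True only for a well-formed dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        return False


def lookup(records, name, rtype="A"):
    """Answer from this zone only; an empty list means no usable answer.

    Assumption: a malformed A value cannot be served, so it is dropped.
    """
    name = name.lower().rstrip(".")
    answers = [v for o, t, v in records if o == name and t == rtype]
    if rtype == "A":
        answers = [v for v in answers if valid_ipv4(v)]
    return answers


def audit(records, must_resolve=()):
    """Return a list of (severity, message) findings for the zone."""
    findings = []
    for owner, rtype, value in records:
        if rtype == "A" and not valid_ipv4(value):
            findings.append(
                ("error", f"{owner} A {value}: not a valid IPv4 address"))
        elif rtype == "A" and not ipaddress.IPv4Address(value).is_private:
            findings.append(
                ("info", f"{owner} -> {value}: public address, "
                         "internal clients reach it through the firewall"))
        elif rtype == "MX" and not lookup(records, value):
            findings.append(
                ("error", f"{owner} MX {value}: target has no usable A "
                          "record in this zone"))
    # Names absent from the internal zone do not resolve for internal clients.
    for name in must_resolve:
        if not lookup(records, name):
            findings.append(
                ("warn", f"{name}: not in the internal zone, "
                         "internal clients cannot resolve it"))
    return findings


if __name__ == "__main__":
    zone = parse_zone(POSTED_ZONE)
    for severity, message in audit(zone, PUBLIC_ONLY_NAMES):
        print(f"[{severity}] {message}")
    print("mail.imcu.com ->", lookup(zone, "mail.imcu.com"))
```
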




RE: DNS?

2012-10-29 Thread itli...@imcu.com
Public ip works.  DNS, ping, https, activesync the whole thing.

I want to access it internally using a name instead of an IP address.

Currently with I can not https://mail.imcu.com/exchange with or without
the 'imcu.com' zone internally.

If I use a hosts file entry the above works.

If I use the ip (10.0.50.14) the https link works.

Not sure I need to go out my firewall just to come back in to get to my
exchange box?

 

 

From: Richard McClary [mailto:richard.mccl...@aspca.org] 
Posted At: Monday, October 29, 2012 11:41 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Let's see...  You have a private LAN, and you are hoping the public can
reach the system at that same (private, internal) IP?

 

Why not register an external IP for that system, then do a mapped IP
address ("MIP") through your firewall?

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 


RE: DNS?

2012-10-29 Thread Richard McClary
Let's see...  You have a private LAN, and you are hoping the public can reach 
the system at that same (private, internal) IP?

Why not register an external IP for that system, then do a mapped IP address 
("MIP") through your firewall?

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 9:59 AM
To: NT System Admin Issues
Subject: RE: DNS?

You are accessing it from external though.  External is working fine.
I am wanting an internal zone since my domain is imcu.local and my mail is 
imcu.com...
I hope to God you can use the internal ip address from the wild.
That would send me home in a bucket.


From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put 
up an A record for imcu.com. But I wouldn't count on that. Exchange didn't 
until 2007 or so.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

I have added a new Forward lookup zone for IMCU.COM on my local active 
Directory.
I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that zone.
I do not resolve the mail to the ip.
If I add that record in my hosts file I can browse it easily.
What is wrong in my DNS set up?
Server 2003 active directory.



Re: DNS?

2012-10-29 Thread Steve Ens
Haha, I thought it might be an external IP...yep, there is an issue with
your DNS entry.

On Mon, Oct 29, 2012 at 9:58 AM, itli...@imcu.com  wrote:

> You are accessing it from external though.  External is working fine.
>
> I am wanting an internal zone since my domain is imcu.local and my mail is
> imcu.com…
>
> I hope to God you can use the internal ip address from the wild.
>
> That would send me home in a bucket.
>
>
> From: Steve Ens [mailto:stevey...@gmail.com]
> Posted At: Monday, October 29, 2012 10:53 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: Re: DNS?
>
>
> For me it's the other way around...
>
> On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
> wrote:
>
> Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???
> 
>
>  
>
>  
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 10:12 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> That looks correct. Be sure to flush dns on the machine doing the lookup.
>
>  
>
> To be sure you should first do an nslookup on the domain’s MX and make
> sure you get mail.imcu.com
>
>  
>
> nslookup
>
> Set type=MX
>
> Imcu.com
>
>  
>
> That should return mail.imcu.com
>
>  
>
> Then check the A record for mail.imcu.com and you should be good to go.
>
>
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Monday, October 29, 2012 10:09 AM
> To: NT System Admin Issues
> Subject: RE: DNS?
>
>  
>
> I’ll recycle the dnscache and post my internal DNS records here to make
> sure I am doing it correctly.
>
> New Primary Zone
>
> IMCU.COM
>
> imcu.com A 12.145.145.177.176
>
> imcu.com MX mail.imcu.com
>
> mail.imcu.com A 10.0.50.4(internal address))
>
> www.imcu.com A 12.145.177.176  (external address for managed
> website))
>
> board.imcu.com A 10.0.10.21 (internal address))
>
>  
>
>  
>
> Should that be all that I need?
>
> I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
> accessible through the firewall so outside in only.
>
>  
>
> After the recycle of dnscache I should be able to do an nslookup for
> mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I
> have commented out until after this experiment works or fails)
>
> Thanks
>
>  
>
>  
>
>  
>
>  
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Posted At: Monday, October 29, 2012 8:18 AM
> Posted To: itli...@imcu.com
> Conversation: DNS?
> Subject: RE: DNS?
>
>
>
> Did you also add an MX record for that domain pointing at mail.imcu.com?
>
>  
>
> Most MTA’s will fall back to the A record for the domain, so you could
> also put up an A record for imcu.com. But I wouldn’t count on that.
> Exchange didn’t until 2007 or so.
>
>  
>
> From: itli...@imcu.com [mailto:itli...@imcu.com]
> Sent: Sunday, October 28, 2012 1:50 PM
> To: NT System Admin Issues
> Subject: DNS?
>
>
>
> I have added a new Forward lookup zone for IMCU.COM on my local active
> Directory.
>
> I have added an ‘a’ record for 10.0.50.4 for mail.imcu.com  in that zone.
>
> I do not resolve the mail to the ip.
>
> If I add that record in my hosts file I can browse it easily.
>
> What is wrong in my DNS set up?
>
> Server 2003 active directory.
>
>  
>

RE: DNS?

2012-10-29 Thread Kennedy, Jim
Something is wrong with the DNS entry for that host that you just created.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 11:07 AM
To: NT System Admin Issues
Subject: RE: DNS?

Now when using my hosts file of 10.0.50.4 mail.imcu.com, going to 
https://mail.imcu.com/exchange works.
Comment it out and it stops??

From: Steve Ens [mailto:stevey...@gmail.com]
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

For me it's the other way around...
On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com wrote:
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only accessible 
through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

Did you also add an MX record for that domain pointing at mail.imcu.com?

Most MTA's will fall back to the A record for the domain, so you could also put 
up an A record for imcu.com. But I wouldn't count on that. Exchange didn't 
until 2007 or so.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

I have added a new Forward lookup zone for IMCU.COM on my local active 
Directory.
I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that zone.
I do not resolve the mail to the ip.
If I add that record in my hosts file I can browse it easily.
What is wrong in my DNS set up?
Server 2003 active directory.



RE: DNS?

2012-10-29 Thread itli...@imcu.com
Now when using my hosts file of 10.0.50.4 mail.imcu.com, going to
https://mail.imcu.com/exchange works.

Comment it out and it stops??

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

 

I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


RE: DNS?

2012-10-29 Thread itli...@imcu.com
You are accessing it from external though.  External is working fine.

I am wanting an internal zone since my domain is imcu.local and my mail
is imcu.com...

I hope to God you can use the internal ip address from the wild.

That would send me home in a bucket.

 

 

From: Steve Ens [mailto:stevey...@gmail.com] 
Posted At: Monday, October 29, 2012 10:53 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: Re: DNS?

 

For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com 
wrote:

Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 


Re: DNS?

2012-10-29 Thread Steve Ens
For me it's the other way around...

On Mon, Oct 29, 2012 at 9:46 AM, itli...@imcu.com  wrote:

> Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange fails???

RE: DNS?

2012-10-29 Thread itli...@imcu.com
From my PC (win8): (I can https://10.0.50.4/exchange and get in but I
get a failed browser going to https://mail.imcu.com/exchange)

C:\Windows\System32\Drivers\etc>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Windows\System32\Drivers\etc>nslookup mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com


C:\Windows\System32\Drivers\etc>nslookup
Default Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

> set type=mx
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

mail.imcu.com
        primary name server = 0304090304zu55.imcu.local
        responsible mail addr = hostmaster.imcu.local
        serial  = 2
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

imcu.com        MX preference = 10, mail exchanger = mx1.imcu.com
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

imcu.com        MX preference = 10, mail exchanger = mail.imcu.com
> set type=mx
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

imcu.com        MX preference = 10, mail exchanger = mail.imcu.com
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

mail.imcu.com
        primary name server = 0304090304zu55.imcu.local
        responsible mail addr = hostmaster.imcu.local
        serial  = 2
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
> set type=a
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com

> www.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    www.imcu.com
Address:  12.145.177.146

> board.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    board.imcu.com
Address:  10.0.10.21

> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com

>

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com
Ok https://10.0.50.4/exchange works but https://mail.imcu.com/exchange
fails???

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com
So once I do this I will get my internal address not my external
address.

 

C:\Windows\System32\Drivers\etc>nslookup mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com


C:\Windows\System32\Drivers\etc>nslookup
Default Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

> Set type=MX
*** Can't find address for server type=MX: Non-existent domain
> Imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Non-authoritative answer:
Name:    Imcu.com
Address:  12.145.177.146

> set type=mx
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Non-authoritative answer:
imcu.com        MX preference = 5, mail exchanger = mx1.imcu.com

mx1.imcu.com    internet address = 38.109.185.193
> set type=a
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com

>

38.109.185.193 is my external address.

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 10:12 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

That looks correct. Be sure to flush dns on the machine doing the
lookup.

 

To be sure you should first do an nslookup on the domain's MX and make
sure you get mail.imcu.com

 

nslookup

Set type=MX

Imcu.com

 

That should return mail.imcu.com

 

Then check the A record for mail.imcu.com and you should be good to go.

 


RE: DNS?

2012-10-29 Thread itli...@imcu.com

C:\Windows\System32\Drivers\etc>nslookup mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com


C:\Windows\System32\Drivers\etc>

Why no IP address??


-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com] 
Posted At: Sunday, October 28, 2012 3:29 PM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

>I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.
>I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.
>I do not resolve the mail to the ip.
>If I add that record in my hosts file I can browse it easily.
>What is wrong in my DNS set up?
>Server 2003 active directory.

Recycle the dnscache service. If you looked it up before your new fwd
zone was instantiated, your dns server returned a failure response and
it was cached.

The hosts file lookup doesn't use this.

This does assume your client is using that dns server and it and the
zone are setup correctly...



RE: DNS?

2012-10-29 Thread Kennedy, Jim
That looks correct. Be sure to flush dns on the machine doing the lookup.

To be sure you should first do an nslookup on the domain's MX and make sure you 
get mail.imcu.com

nslookup
Set type=MX
Imcu.com

That should return mail.imcu.com

Then check the A record for mail.imcu.com and you should be good to go.

From: itli...@imcu.com [mailto:itli...@imcu.com]
Sent: Monday, October 29, 2012 10:09 AM
To: NT System Admin Issues
Subject: RE: DNS?

I'll recycle the dnscache and post my internal DNS records here to make sure I 
am doing it correctly.
New Primary Zone
IMCU.COM
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4(internal address))
www.imcu.com A 12.145.177.176  (external address for managed website))
board.imcu.com A 10.0.10.21 (internal address))


Should that be all that I need?
I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

After the recycle of dnscache I should be able to do an nslookup for 
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which I have 
commented out until after this experiment works or fails)
Thanks




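The two-step check described in the message above (MX for the domain, then the A record for the mail host), run over an nslookup transcript instead of by eye. This is an added example, not code from anyone on the thread: the transcript is constructed from the output posted in the thread, `parse_session` and `check_mail_path` are hypothetical helper names, and the parser assumes the interactive Windows nslookup layout seen in those posts.

```python
import re
from dataclasses import dataclass, field

# Constructed transcript, condensed from the nslookup sessions posted in this thread.
SAMPLE = """\
> Set type=MX
*** Can't find address for server type=MX: Non-existent domain
> set type=mx
> imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

imcu.com        MX preference = 10, mail exchanger = mail.imcu.com
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

mail.imcu.com
        primary name server = 0304090304zu55.imcu.local
        responsible mail addr = hostmaster.imcu.local
> set type=a
> mail.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    mail.imcu.com

> board.imcu.com
Server:  0304090304zu55.imcu.local
Address:  10.0.50.205

Name:    board.imcu.com
Address:  10.0.10.21
"""

@dataclass
class Answer:
    qtype: str                       # query type in effect when the name was entered
    qname: str                       # name typed at the prompt, lower-cased
    addresses: list = field(default_factory=list)
    mx: list = field(default_factory=list)
    soa_only: bool = False           # server answered with the zone SOA, no records of qtype
    error: str = ""

def parse_session(text):
    """Split an interactive nslookup transcript into one Answer per query."""
    qtype, answers, cur, server_hdr = "a", [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            cmd = line[1:].strip()
            if not cmd:
                continue
            # Only a lower-case "set" is matched as a command. The session in the
            # thread shows "Set type=MX" being taken as host "Set" on server "type=MX".
            m = re.fullmatch(r"set type=(\w+)", cmd)
            if m:
                qtype, cur = m.group(1).lower(), None
                continue
            cur, server_hdr = Answer(qtype, cmd.split()[0].lower()), False
            answers.append(cur)
        elif cur is None:
            continue                 # banner lines before the first query
        elif line.startswith("***"):
            cur.error = line.lstrip("* ").strip()
        elif line.startswith("Server:"):
            server_hdr = True
        elif line.startswith(("Address:", "Addresses:")):
            if server_hdr:
                server_hdr = False   # the resolver's own address, not an answer
            else:
                cur.addresses.append(line.split(":", 1)[1].strip())
        elif "mail exchanger =" in line:
            cur.mx.append(line.rsplit("=", 1)[1].strip().lower())
        elif line.startswith("primary name server"):
            cur.soa_only = True
    return answers

def check_mail_path(answers, domain, expected_ip):
    """MX for the domain first, then the A record of each exchanger it names."""
    findings = [f"query '{a.qname}' failed: {a.error}" for a in answers if a.error]
    mx = [a for a in answers if a.qtype == "mx" and a.qname == domain.lower()]
    if not mx or not mx[-1].mx:
        return findings + [f"no MX answer for {domain}"]
    for host in mx[-1].mx:
        a_q = [a for a in answers if a.qtype == "a" and a.qname == host]
        if not a_q:
            findings.append(f"{host}: A record never queried")
        elif not a_q[-1].addresses:
            # A Name line with no Address line: the lookup did not fail outright,
            # but the server handed back no address for the host.
            findings.append(f"{host}: name answered but no address returned")
        elif expected_ip not in a_q[-1].addresses:
            findings.append(f"{host}: got {a_q[-1].addresses}, expected {expected_ip}")
        else:
            findings.append(f"{host}: ok ({expected_ip})")
    return findings

if __name__ == "__main__":
    for finding in check_mail_path(parse_session(SAMPLE), "imcu.com", "10.0.50.4"):
        print(finding)
```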

RE: DNS?

2012-10-29 Thread itli...@imcu.com
I'll recycle the dnscache and post my internal DNS records here to make
sure I am doing it correctly.

New Primary Zone

IMCU.COM

imcu.com A 12.145.145.177.176

imcu.com MX mail.imcu.com

mail.imcu.com A 10.0.50.4(internal address))

www.imcu.com A 12.145.177.176  (external address for managed
website))

board.imcu.com A 10.0.10.21 (internal address))

 

 

Should that be all that I need?

I have vpn.imcu.com, ftp.imcu.com but they are programmatically only
accessible through the firewall so outside in only.

 

After the recycle of dnscache I should be able to do an nslookup for
mail.imcu.com and get the ip 10.0.50.4 just like in my hosts file(Which
I have commented out until after this experiment works or fails)

Thanks

 

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Posted At: Monday, October 29, 2012 8:18 AM
Posted To: itli...@imcu.com
Conversation: DNS?
Subject: RE: DNS?

 

Did you also add an MX record for that domain pointing at mail.imcu.com?

 

Most MTA's will fall back to the A record for the domain, so you could
also put up an A record for imcu.com. But I wouldn't count on that.
Exchange didn't until 2007 or so.

 

From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Sunday, October 28, 2012 1:50 PM
To: NT System Admin Issues
Subject: DNS?

 

I have added a new Forward lookup zone for IMCU.COM on my local active
Directory.

I have added an 'a' record for 10.0.50.4 for mail.imcu.com  in that
zone.

I do not resolve the mail to the ip.

If I add that record in my hosts file I can browse it easily.

What is wrong in my DNS set up?

Server 2003 active directory.
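
An added example, not part of any list member's post: a Python check of the record list from the 2012-10-29 message, of the kind worth running before an internal server is made authoritative for a name that also exists publicly. The record lines are copied from the post as written; the function names and the PUBLIC_ONLY_NAMES list are assumptions made for this illustration.

```python
import ipaddress

# Records as listed in the post above (owner, type, value), copied as written.
POSTED_ZONE = """\
imcu.com A 12.145.145.177.176
imcu.com MX mail.imcu.com
mail.imcu.com A 10.0.50.4
www.imcu.com A 12.145.177.176
board.imcu.com A 10.0.10.21
"""

# Names the post says exist but are not being added to the internal zone.
PUBLIC_ONLY_NAMES = ["vpn.imcu.com", "ftp.imcu.com"]


def parse_records(text):
    """Return (owner, rtype, value) tuples; names lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        owner, rtype, value = parts
        records.append((owner.lower().rstrip("."), rtype.upper(),
                        value.lower().rstrip(".")))
    return records


def in_zone(name, zone):
    """True if `name` is the zone apex or a name below it."""
    return name == zone or name.endswith("." + zone)


def lint_zone(records, zone, public_names=()):
    """Return (severity, message) findings for an internal copy of `zone`."""
    findings = []
    a_owners = set()
    for owner, rtype, value in records:
        if not in_zone(owner, zone):
            findings.append(("error", f"{owner}: outside zone {zone}"))
        if rtype != "A":
            continue
        try:
            addr = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            findings.append(("error", f"{owner}: '{value}' is not a valid IPv4 address"))
            continue
        a_owners.add(owner)
        scope = "internal (RFC 1918)" if addr.is_private else "public"
        findings.append(("info", f"{owner} -> {addr} [{scope}]"))
    # An MX that points inside the zone is only usable if its target resolves here.
    for owner, rtype, value in records:
        if rtype == "MX" and in_zone(value, zone) and value not in a_owners:
            findings.append(("error", f"MX target {value} has no valid A record in the zone"))
    # The internal server is authoritative for the whole zone, so it answers
    # "no such name" for anything it does not hold instead of asking the internet.
    owners = {owner for owner, _, _ in records}
    for name in public_names:
        if name.lower() not in owners:
            findings.append(("warn", f"{name}: not in internal zone, internal clients get a name error"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_zone(parse_records(POSTED_ZONE), "imcu.com",
                                       PUBLIC_ONLY_NAMES):
        print(f"{severity:5} {message}")
```

The warnings matter only if internal clients ever need those names; the post says vpn and ftp are reached from outside only.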

 


RE: DNS?

2012-10-28 Thread Joseph L. Casale
>I have added a new Forward lookup zone for IMCU.COM on my local active 
>Directory.
>I have added an ‘a’ record for 10.0.50.4 for mail.imcu.com  in that zone.
>I do not resolve the mail to the ip.
>If I add that record in my hosts file I can browse it easily.
>What is wrong in my DNS set up?
>Server 2003 active directory.

Recycle the dnscache service. If you looked it up before your new fwd zone was
instantiated, your dns server returned a failure response and it was cached.

The hosts file lookup doesn't use this.

This does assume your client is using that dns server and it and the zone are
set up correctly...



RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
I'm going to remove the older address after hours--maybe this weekend--and see 
what happens.


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, August 15, 2012 1:10 PM
To: NT System Admin Issues
Subject: Re: DNS Lookup Failing for One Address

If you don't have any old equipment with static listings of the older IP 
address of the DC, remove the older IP address.

If you do have older equipment with static listings, but don't have any newer 
equipment with static listings, and want to preserve the old address, then 
during off-hours remove the newer address and reboot.

If you have different sets of equipment that points to both addresses, you'll 
need to fix one or the other set of equipment.

Kurt

On Wed, Aug 15, 2012 at 9:14 AM, John Hornbuckle wrote:
> And we have a winner!!!
>
>
>
> So, I was totally unfamiliar with conditional forwarding. I just tried
> what you suggested, and voila—it works.
>
>
>
> I realize this is a workaround, and I still want to tackle the root of
> the problem. But this at least buys me some time.
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 11:09 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Another option is to set up conditional forwarding on the ‘bad’ dns
> server to one of your ‘good’ dns servers for just studyisland.com
>
>
>
> That way you will be out of the business of manually working on that
> zone as studyisland moves or changes things.
>
>
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 11:06 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> While officially supported, having multiple IP addresses on a single
> DC is not recommended and has caused problems all the way back to NT 3.5.
>
>
>
> If you just want to make this work – host the domain locally. Create
> it in your DNS servers. Probably the quickest way to fix the problem.
>
>
>
> Meinolf Weber wrote a very lengthy response to someone’s question, a
> few years ago, about what can go wrong on a DC with multiple IP
> addresses. Took me a few minutes to find it, link below. Much of it
> doesn’t apply in your case, of course, but still a worthwhile read.
>
>
>
> http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html
>
>
>
> I can surmise that what is happening here is that you are having to
> talk to a server that doesn’t like asynchronous routing of DNS replies and 
> requests.
> That’s becoming more and more common as DNS spoofing becomes more and
> more common. Couldn’t verify that without a network trace (wireshark /
> netmon). I probably would’ve done that by now and if you really want
> to track the issue down, that’s the next best step IMO.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:43 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> And I did consider that.
>
>
>
> :)
>
>
>
> However, (A.) this server’s configuration hasn’t changed in the years
> since it was deployed, (B.) we’ve done the same thing at our other
> sites that aren’t having problems, and (C.) DNS is working 100%
> correctly at the site in question except for the failure of lookups
> against this one single domain name.
>
>
>
> So while I’m open to all possibilities (honestly—I’m getting
> desperate), my gut instinct is that this isn’t the cause of the problem.
>
>
>
>
>
> John
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 10:36 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> I have a theory. Often when Mr. Smith asks a question he isn’t looking
> for an answer to that question, he is pointing you towards the answer
> for your problem.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:33 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Yup. When we decommissioned the old server this server replaced, some
> devices were still looking for it for DNS (they had static settings).
> So we assigned the old server’s address to the new one as a second address.
>
>
>
>
>
> John
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 

Re: DNS Lookup Failing for One Address

2012-08-15 Thread Kurt Buff
If you don't have any old equipment with static listings of the older
IP address of the DC, remove the older IP address.

If you do have older equipment with static listings, but don't have
any newer equipment with static listings, and want to preserve the old
address, then during off-hours remove the newer address and reboot.

If you have different sets of equipment that points to both addresses,
you'll need to fix one or the other set of equipment.

Kurt

On Wed, Aug 15, 2012 at 9:14 AM, John Hornbuckle wrote:
> And we have a winner!!!
>
>
>
> So, I was totally unfamiliar with conditional forwarding. I just tried what
> you suggested, and voila—it works.
>
>
>
> I realize this is a workaround, and I still want to tackle the root of the
> problem. But this at least buys me some time.
>
>
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 11:09 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Another option is to set up conditional forwarding on the ‘bad’ dns server
> to one of your ‘good’ dns servers for just studyisland.com
>
>
>
> That way you will be out of the business of manually working on that zone as
> studyisland moves or changes things.
>
>
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 11:06 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> While officially supported, having multiple IP addresses on a single DC is
> not recommended and has caused problems all the way back to NT 3.5.
>
>
>
> If you just want to make this work – host the domain locally. Create it in
> your DNS servers. Probably the quickest way to fix the problem.
>
>
>
> Meinolf Weber wrote a very lengthy response to someone’s question, a few
> years ago, about what can go wrong on a DC with multiple IP addresses. Took
> me a few minutes to find it, link below. Much of it doesn’t apply in your
> case, of course, but still a worthwhile read.
>
>
>
> http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html
>
>
>
> I can surmise that what is happening here is that you are having to talk to
> a server that doesn’t like asynchronous routing of DNS replies and requests.
> That’s becoming more and more common as DNS spoofing becomes more and more
> common. Couldn’t verify that without a network trace (wireshark / netmon). I
> probably would’ve done that by now and if you really want to track the issue
> down, that’s the next best step IMO.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:43 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> And I did consider that.
>
>
>
> :)
>
>
>
> However, (A.) this server’s configuration hasn’t changed in the years since
> it was deployed, (B.) we’ve done the same thing at our other sites that
> aren’t having problems, and (C.) DNS is working 100% correctly at the site
> in question except for the failure of lookups against this one single domain
> name.
>
>
>
> So while I’m open to all possibilities (honestly—I’m getting desperate), my
> gut instinct is that this isn’t the cause of the problem.
>
>
>
>
>
> John
>
>
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 15, 2012 10:36 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> I have a theory. Often when Mr. Smith asks a question he isn’t looking for
> an answer to that question, he is pointing you towards the answer for your
> problem.
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 10:33 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Yup. When we decommissioned the old server this server replaced, some
> devices were still looking for it for DNS (they had static settings). So we
> assigned the old server’s address to the new one as a second address.
>
>
>
>
>
> John
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Wednesday, August 15, 2012 10:05 AM
>
>
> To: NT System Admin Issues
> Subject: RE: DNS Lookup Failing for One Address
>
>
>
> Your DC has multiple IP addresses?
>
>
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, August 15, 2012 9:08 AM
>
>
> To: NT Syst

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
And we have a winner!!!

So, I was totally unfamiliar with conditional forwarding. I just tried what you 
suggested, and voila-it works.

I realize this is a workaround, and I still want to tackle the root of the 
problem. But this at least buys me some time.



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 11:09 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Another option is to set up conditional forwarding on the 'bad' dns server to 
one of your 'good' dns servers for just studyisland.com

That way you will be out of the business of manually working on that zone as 
studyisland moves or changes things.


From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Michael B. Smith
To David's point - except when used in bonding (for failover) - most big 
environments would avoid this with a 10-foot pole. The behavior can seem quite 
non-deterministic and can be difficult to debug.

From: Webster [mailto:webs...@carlwebster.com]
Sent: Wednesday, August 15, 2012 11:34 AM
To: NT System Admin Issues
Subject: Re: DNS Lookup Failing for One Address

Your commute to work with Ken would be brutal!



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum <david@nwea.org>
Subject: RE: DNS Lookup Failing for One Address

Wow, it would never, ever occur to me to give a DC multiple IP addresses. 
Multiple NIC's, yes, but teamed. Amazing that it's supported, but that just 
may be my ignorance due to my SMB-scale focus.

I need to work with Ken and experience big environments!



RE: DNS Lookup Failing for One Address

2012-08-15 Thread Ziots, Edward
I can look at a network trace for you, if you want to send it over, I
have done it for others on the list to help them out with problems, and
it's good practice.

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Alas, network traces are outside of my skillset. I may have to bring in
outside help for that. I'm a technology generalist-lots of breadth, less
depth.

 

If I wanted to host the domain locally... I would just go to Forward
Lookup Zones, right-click, select "New Zone", and go from there? With us
being AD-integrated, this won't screw anything up?

 

I'll read the link you sent, too. Thanks for that.

 

 

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

While officially supported, having multiple IP addresses on a single DC
is not recommended and has caused problems all the way back to NT 3.5.

 

If you just want to make this work - host the domain locally. Create it
in your DNS servers. Probably the quickest way to fix the problem.

 

Meinolf Weber wrote a very lengthy response to someone's question, a few
years ago, about what can go wrong on a DC with multiple IP addresses.
Took me a few minutes to find it, link below. Much of it doesn't apply
in your case, of course, but still a worthwhile read.

 

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

 

I can surmise that what is happening here is that you are having to talk
to a server that doesn't like asynchronous routing of DNS replies and
requests. That's becoming more and more common as DNS spoofing becomes
more and more common. Couldn't verify that without a network trace
(wireshark / netmon). I probably would've done that by now and if you
really want to track the issue down, that's the next best step IMO.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

And I did consider that.

 

:)

 

However, (A.) this server's configuration hasn't changed in the years
since it was deployed, (B.) we've done the same thing at our other sites
that aren't having problems, and (C.) DNS is working 100% correctly at
the site in question except for the failure of lookups against this one
single domain name.

 

So while I'm open to all possibilities (honestly-I'm getting desperate),
my gut instinct is that this isn't the cause of the problem.

 

 

John

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

I have a theory. Often when Mr. Smith asks a question he isn't looking
for an answer to that question, he is pointing you towards the answer
for your problem.

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Yup. When we decommissioned the old server this server replaced, some
devices were still looking for it for DNS (they had static settings). So
we assigned the old server's address to the new one as a second address.

 

 

John

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Your DC has multiple IP addresses?

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Oh, and to add... Each of my sites has its own DNS server. All other DNS
servers are resolving this address fine. All servers are behind the same
firewall.

 

Curiouser and curiouser.

 

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

 

Per the suggestions from the list, I put dig on my squirrely DNS server
and ran dig +trace www.studyisland.com. Results are:

 

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
. 
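
An added example, not from the thread: the hypothesis quoted above (DNS replies that do not come back along the path the query took being refused) is what the offered network trace would confirm or rule out. This Python sketch pairs queries with replies the way a resolver does, by transaction ID, question name, and mirrored addresses and ports as RFC 5452 recommends, over a constructed trace; every address, port and name in it is made up for the illustration.

```python
from collections import namedtuple

# One DNS message as seen in a capture taken on the DNS server itself.
Pkt = namedtuple("Pkt", "t src sport dst dport txid is_response qname")

# Constructed trace (not from the thread). 10.0.0.10 and 10.0.0.11 stand in for
# the two addresses on the multi-homed server, 192.0.2.53 for a remote name server.
Q = "www.example.test"
TRACE = [
    Pkt(0.00, "10.0.0.10", 50001, "192.0.2.53", 53, 0x1A2B, False, Q),
    Pkt(0.03, "192.0.2.53", 53, "10.0.0.10", 50001, 0x1A2B, True, Q),
    Pkt(1.00, "10.0.0.11", 50002, "192.0.2.53", 53, 0x2B3C, False, Q),
    Pkt(1.04, "192.0.2.53", 53, "10.0.0.10", 50002, 0x2B3C, True, Q),
    Pkt(2.00, "10.0.0.10", 50003, "192.0.2.53", 53, 0x3C4D, False, Q),
    Pkt(3.00, "10.0.0.10", 50004, "192.0.2.53", 53, 0x4D5E, False, Q),
    Pkt(3.02, "192.0.2.99", 53, "10.0.0.10", 50004, 0x4D5E, True, Q),
]


def tuple_mismatch(query, resp):
    """List the address/port fields on which `resp` fails to mirror `query`."""
    diffs = []
    if resp.src != query.dst:
        diffs.append(f"reply came from {resp.src}, query went to {query.dst}")
    if resp.sport != query.dport:
        diffs.append(f"reply source port {resp.sport}, query went to port {query.dport}")
    if resp.dst != query.src:
        diffs.append(f"reply sent to {resp.dst}, query left from {query.src}")
    if resp.dport != query.sport:
        diffs.append(f"reply sent to port {resp.dport}, query left from port {query.sport}")
    return diffs


def match_trace(trace):
    """Pair queries with replies; return (answered, rejected, unanswered).

    answered:   (query, reply) pairs a resolver would accept
    rejected:   (reply, reason) for replies that match no outstanding query
    unanswered: queries that never received an acceptable reply
    """
    pending = {}  # (txid, qname) -> outstanding queries
    answered, rejected = [], []
    for pkt in sorted(trace, key=lambda p: p.t):
        key = (pkt.txid, pkt.qname.lower())
        if not pkt.is_response:
            pending.setdefault(key, []).append(pkt)
            continue
        candidates = pending.get(key, [])
        exact = next((q for q in candidates if not tuple_mismatch(q, pkt)), None)
        if exact is not None:
            candidates.remove(exact)
            answered.append((exact, pkt))
        elif candidates:
            # Right ID and name, wrong path: dropped, and the query stays open.
            rejected.append((pkt, "; ".join(tuple_mismatch(candidates[0], pkt))))
        else:
            rejected.append((pkt, "no outstanding query with this ID and name"))
    unanswered = sorted((q for qs in pending.values() for q in qs), key=lambda q: q.t)
    return answered, rejected, unanswered


if __name__ == "__main__":
    answered, rejected, unanswered = match_trace(TRACE)
    print(f"accepted replies: {len(answered)}")
    for reply, reason in rejected:
        print(f"t={reply.t:.2f} id=0x{reply.txid:04x} rejected: {reason}")
    for query in unanswered:
        print(f"t={query.t:.2f} id=0x{query.txid:04x} from {query.src}:{query.sport} unanswered")
```

In a real capture the same fields come from the IP, UDP and DNS headers; a query that shows up as unanswered alongside a rejected reply with the same ID is the pattern the hypothesis predicts.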

RE: DNS Lookup Failing for One Address

2012-08-15 Thread David Lum
Wow, it would never, ever occur to me to give a DC multiple IP addresses. 
Multiple NIC's, yes, but teamed. Amazing that it's supported, but that just 
may be my ignorance due to my SMB-scale focus.

I need to work with Ken and experience big environments!

Dave

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 8:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN 

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Alas, network traces are outside of my skillset. I may have to bring in outside 
help for that. I'm a technology generalist-lots of breadth, less depth.

If I wanted to host the domain locally... I would just go to Forward Lookup 
Zones, right-click, select "New Zone", and go from there? With us being 
AD-integrated, this won't screw anything up?

I'll read the link you sent, too. Thanks for that.



From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   1

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Another option is to set up conditional forwarding on the 'bad' dns server to 
one of your 'good' dns servers for just studyisland.com

That way you will be out of the business of manually working on that zone as 
studyisland moves or changes things.


From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 11:06 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
I did disable DNS on one of the two addresses and restarted the service. No 
difference.

I haven't tried removing the whole address from the TCP/IP settings.



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:55 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Well, since you are desperate. :)  Remove one of the addresses, bounce the DC 
and retest.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:44 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.17280

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Michael B. Smith
While officially supported, having multiple IP addresses on a single DC is not 
recommended and has caused problems all the way back to NT 3.5.

If you just want to make this work - host the domain locally. Create it in your 
DNS servers. Probably the quickest way to fix the problem.

Meinolf Weber wrote a very lengthy response to someone's question, a few years 
ago, about what can go wrong on a DC with multiple IP addresses. Took me a few 
minutes to find it, link below. Much of it doesn't apply in your case, of 
course, but still a worthwhile read.

http://www.winvistatips.com/domain-controller-multiple-nic-dns-problem-t705909.html

I can surmise that what is happening here is that you are having to talk to a 
server that doesn't like asynchronous routing of DNS replies and requests. 
That's becoming more and more common as DNS spoofing becomes more and more 
common. Couldn't verify that without a network trace (wireshark / netmon). I 
probably would've done that by now and if you really want to track the issue 
down, that's the next best step IMO.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:43 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.
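
Added example, not part of the original thread: one concrete form of the anti-spoofing address matching that Michael B. Smith alludes to above, written as the reply checks RFC 5452 expects a resolver to apply before it trusts an answer. The addresses and ports are constructed documentation values and the helper names are hypothetical; whether this mechanism is what broke the lookup is not established in the thread.

```python
"""Reply matching a resolver applies before trusting a DNS answer (RFC 5452)."""
import struct
from dataclasses import dataclass

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a host name as DNS wire-format labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_message(msg_id, qname, response=False, rcode=0):
    """Build a minimal DNS message: 12-byte header plus one A/IN question."""
    flags = 0x0100                          # RD: recursion desired
    if response:
        flags |= 0x8000 | 0x0080 | rcode    # QR, RA and the 4-bit rcode
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_message(data):
    """Decode the header fields and the first question of a DNS message."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags = struct.unpack("!HH", data[:4])
    labels, pos = [], 12
    while data[pos]:                        # question names are uncompressed
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", data[pos + 1:pos + 5])
    return {
        "id": msg_id,
        "response": bool(flags & 0x8000),
        "want_recursion": bool(flags & 0x0100),
        "recursion_avail": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "question": (".".join(labels), qtype, qclass),
    }


@dataclass(frozen=True)
class Outstanding:
    """What the resolver remembers about a query it is waiting on."""
    local: tuple      # (ip, port) the query was sent from
    remote: tuple     # (ip, port) the query was sent to
    msg_id: int
    question: tuple   # (qname, qtype, qclass)


def accept_reply(query, data, src, dst):
    """Return (accepted, detail); detail is the rcode or the reject reason."""
    if src != query.remote:
        return False, "source address/port mismatch"
    if dst != query.local:
        return False, "destination address/port mismatch"
    try:
        msg = parse_message(data)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False, "malformed message"
    if not msg["response"]:
        return False, "not a response"
    if msg["id"] != query.msg_id:
        return False, "query ID mismatch"
    if msg["question"] != query.question:
        return False, "question mismatch"
    return True, msg["rcode"]


# Constructed sample values (RFC 5737 documentation addresses).
LOCAL = ("198.51.100.10", 40000)
REMOTE = ("192.0.2.53", 53)
OTHER_ADDRESS = ("192.0.2.54", 53)   # same server, second address
QUERY = Outstanding(LOCAL, REMOTE, 8, ("www.studyisland.com", 1, 1))

if __name__ == "__main__":
    good = build_message(8, "www.studyisland.com", response=True)
    fail = build_message(8, "www.studyisland.com", response=True, rcode=2)
    print(accept_reply(QUERY, good, REMOTE, LOCAL))          # matches
    print(accept_reply(QUERY, good, OTHER_ADDRESS, LOCAL))   # dropped
    print(accept_reply(QUERY, fail, REMOTE, LOCAL))          # matches, SERVFAIL
```

A reply that is correct in every other respect is still dropped when it arrives from, or is addressed to, a different address than the one used for the query, which is why a network trace on both addresses of a multi-homed server is the way to confirm or rule this out.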

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Well, since you are desperate. :)  Remove one of the addresses, bounce the DC 
and retest.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:44 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.   172800  IN  NS  l.gtld-servers.net.
com.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.   172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.   172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
Yep, and I prefer it that way.

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, August 15, 2012 10:49 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

AKA fishing lesson :)

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 7:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.   172800  IN  NS  l.gtld-servers.net.
com.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.   172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.   172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

www.studyisland.com.   0   IN  CNAME   vip1.studyisland.com.
vip1.studyisland.com.   28800   IN  A   72.249.13.58
;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.com) in 46 ms
===

Now, I'm not a DNS expert. But to me, this looks right because I know that 
www.studyisland.com = vip1.studyisland.com = 72.249.13.58.

But when I use nslookup against that same DNS server, my queries still fail. I 
enabled debugging in nslookup

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Free, Bob
AKA fishing lesson :)

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 7:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.   172800  IN  NS  l.gtld-servers.net.
com.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.   172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.   172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

www.studyisland.com.   0   IN  CNAME   vip1.studyisland.com.
vip1.studyisland.com.   28800   IN  A   72.249.13.58
;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.com) in 46 ms
===

Now, I'm not a DNS expert. But to me, this looks right because I know that 
www.studyisland.com = vip1.studyisland.com = 72.249.13.58.

But when I use nslookup against that same DNS server, my queries still fail. I 
enabled debugging in nslookup and got this:

===
> set db2
> www.studyisland.com.
Server:  aoc-pet300.taylor.k12.fl.us
Addresses:  10.11.7.19
  10.11.7.13


Got answer:
HEADER:
opcode = QUERY, id = 8, r

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
And I did consider that.

:)

However, (A.) this server's configuration hasn't changed in the years since it 
was deployed, (B.) we've done the same thing at our other sites that aren't 
having problems, and (C.) DNS is working 100% correctly at the site in question 
except for the failure of lookups against this one single domain name.

So while I'm open to all possibilities (honestly-I'm getting desperate), my gut 
instinct is that this isn't the cause of the problem.


John


From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 15, 2012 10:36 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.   172800  IN  NS  l.gtld-servers.net.
com.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.   172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.   172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

www.studyisland.com.   0   IN  CNAME   vip1.studyisland.com.
vip1.studyisland.com.   28800   IN  A   72.249.13.58
;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.com) in 46 ms
===

Now, I'm not a DNS expert. But to me, this looks right because I know that 
www.studyisland.com =

RE: DNS Lookup Failing for One Address

2012-08-15 Thread Kennedy, Jim
I have a theory. Often when Mr. Smith asks a question he isn't looking for an 
answer to that question, he is pointing you towards the answer for your problem.

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 10:33 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.


From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 8:50 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.172800  IN  NS  aldfwprdinf001.archipelagolearni
ng.com.
studyisland.com.172800  IN  NS  aldfwcrpinf001.archipelagolearni
ng.com.
;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

www.studyisland.com<http://www.studyisland.com>.0   IN  CNAME   
vip1.studyisland.com.
vip1.studyisland.com.   28800   IN  A   72.249.13.58
;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.c
om) in 46 ms
===

Now, I'm not a DNS expert. But to me, this looks right because I know that 
www.studyisland.com<http://www.studyisland.com> = vip1.studyisland.com = 
72.249.13.58.

But when I use nslookup against that same DNS server, my queries still fail. I 
enabled debugging in nslookup and got this:

===
> set db2
> www.studyisland.com<http://www.studyisland.com>.
Server:  aoc-pet300.taylor.k12.fl.us
Addresses:  10.11.7.19
  10.11.7.13


Got answer:
HEADER:
opcode = QUERY, id = 8, rcode = SERVFAIL
header flags:  response, want recursion, recursion avail.
questions = 1,  answers = 0,  authority records = 0,  additional = 1

QUESTIONS:
www.studyisland.com<http://www.studyisland.com>, type = A, class = IN
ADDITIONAL RECORDS:
->  (ro

RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Yup. When we decommissioned the old server this server replaced, some devices 
were still looking for it for DNS (they had static settings). So we assigned 
the old server's address to the new one as a second address.


John

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.



RE: DNS Lookup Failing for One Address

2012-08-15 Thread Ziots, Edward
Are the root hints on that DNS correct, as compared to the other DNS
servers? Can you resolve the DNS roots?  Because it's trying to go to
.com on root first and then to studyisland but it's not even getting to
.com DNS root, in your db2 switch debug.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 15, 2012 10:05 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS
servers are resolving this address fine. All servers are behind the same
firewall.

Curiouser and curiouser.


RE: DNS Lookup Failing for One Address

2012-08-15 Thread Michael B. Smith
Your DC has multiple IP addresses?

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Wednesday, August 15, 2012 9:08 AM
To: NT System Admin Issues
Subject: RE: DNS Lookup Failing for One Address

Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.



RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Oh, and to add... Each of my sites has its own DNS server. All other DNS 
servers are resolving this address fine. All servers are behind the same 
firewall.

Curiouser and curiouser.



RE: DNS Lookup Failing for One Address

2012-08-15 Thread John Hornbuckle
Per the suggestions from the list, I put dig on my squirrely DNS server and ran 
dig +trace www.studyisland.com. Results are:

===
; <<>> DiG 9.3.2 <<>> +trace www.studyisland.com
;; global options:  printcmd
.   19740   IN  NS  b.root-servers.net.
.   19740   IN  NS  c.root-servers.net.
.   19740   IN  NS  d.root-servers.net.
.   19740   IN  NS  e.root-servers.net.
.   19740   IN  NS  f.root-servers.net.
.   19740   IN  NS  g.root-servers.net.
.   19740   IN  NS  h.root-servers.net.
.   19740   IN  NS  i.root-servers.net.
.   19740   IN  NS  j.root-servers.net.
.   19740   IN  NS  k.root-servers.net.
.   19740   IN  NS  l.root-servers.net.
.   19740   IN  NS  m.root-servers.net.
.   19740   IN  NS  a.root-servers.net.
;; Received 449 bytes from 127.0.0.1#53(127.0.0.1) in 15 ms

com.   172800  IN  NS  g.gtld-servers.net.
com.   172800  IN  NS  m.gtld-servers.net.
com.   172800  IN  NS  e.gtld-servers.net.
com.   172800  IN  NS  j.gtld-servers.net.
com.   172800  IN  NS  k.gtld-servers.net.
com.   172800  IN  NS  d.gtld-servers.net.
com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  c.gtld-servers.net.
com.   172800  IN  NS  f.gtld-servers.net.
com.   172800  IN  NS  h.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.
com.   172800  IN  NS  l.gtld-servers.net.
com.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 192.33.4.12#53(c.root-servers.net) in 46 ms

studyisland.com.   172800  IN  NS  aldfwprdinf001.archipelagolearning.com.
studyisland.com.   172800  IN  NS  aldfwcrpinf001.archipelagolearning.com.
;; Received 147 bytes from 192.42.93.30#53(g.gtld-servers.net) in 93 ms

www.studyisland.com.   0   IN  CNAME   vip1.studyisland.com.
vip1.studyisland.com.   28800   IN  A   72.249.13.58
;; Received 72 bytes from 207.210.237.70#53(aldfwprdinf001.archipelagolearning.com) in 46 ms
===

Now, I'm not a DNS expert. But to me, this looks right because I know that 
www.studyisland.com = vip1.studyisland.com = 
72.249.13.58.

But when I use nslookup against that same DNS server, my queries still fail. I 
enabled debugging in nslookup and got this:

===
> set db2
> www.studyisland.com.
Server:  aoc-pet300.taylor.k12.fl.us
Addresses:  10.11.7.19
  10.11.7.13


Got answer:
HEADER:
opcode = QUERY, id = 8, rcode = SERVFAIL
header flags:  response, want recursion, recursion avail.
questions = 1,  answers = 0,  authority records = 0,  additional = 1

QUESTIONS:
www.studyisland.com, type = A, class = IN
ADDITIONAL RECORDS:
->  (root)
??? unknown type 41 ???
ttl = 0 (0 secs)


DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** aoc-pet300.taylor.k12.fl.us can't find www.studyisland.com.: Server failed
===

Found someone reporting a similar issue (but no real solution) here:

http://forums.msexchange.org/m_1800553796/printable.htm

Also, when I run nslookup I *can* resolve studyisland.com--just not 
www.studyisland.com.

Still researching...


From: John Hornbuckle
Sent: Tuesday, August 14, 2012 1:42 PM
To: NT System Admin Issues (ntsysadmin@lyris.sunbelt-software.com)
Subject: DNS Lookup Failing for One Address

Okay, DNS wizards... I need some input.

One of my DNS servers (Server 2008) is failing to resolve 
www.studyisland.com like so:

C:\>nslookup
Default Server:  aoc-pet300.taylor.k12.fl.us
Address:  10.11.7.13

> www.studyisland.com.
Server:  aoc-pet300.taylor.k12.fl.us
Address:  10.11.7.13

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to aoc-pet300.taylor.k12.fl.us timed-out

But I can point nslookup at one of my other servers (also Server 2008), and it 
resolves fine. Which kind of sounds like a server problem--but this server has 
resolved every other name I've thrown at it, though. Only this one is failing.

I can point nslookup at the Norton DNS server that my failing server uses as a 
forwarding server (198.153.192.1), and it resolves fine. All of my other 
servers use that same forwarding address, too.

I'm kind of going crazy here..

Re: DNS Lookup Failing for One Address

2012-08-14 Thread Ben Scott
On Tue, Aug 14, 2012 at 3:26 PM, John Hornbuckle wrote:
> Yeah, I tried that. Cleared the cache, restarted the DNS server service,
> even rebooted the whole machine.

  Hmmm, that's interesting.  A reboot *should* clear most possible
causes discussed so far, at least briefly.

  My next guess would be a firewall interacting badly with EDNS or
something like that, but you say another DNS server you run doesn't
have this trouble.  Are they both on the same IP subnet?  Same
broadcast domain?  Same switch?  Behind the same firewall?

  Compare versions/sizes of DNS.EXE on the working server and the
non-working server.  Maybe an update failed or something like that.

  Using DIG, running on the problem server, run a delegation trace for
the problem domain.  For example:

dig +trace www.studyisland.com.

This will cause DIG to perform an iterative query internally.  That
is, DIG will query the root servers directly, and then chase the
referrals in the replies until it gets an answer.  In other words, DIG
will do what your DNS server should be doing.  If DIG fails, you can
see where and why.  If it succeeds, you know it's possible to do a
good lookup from the problem server.

  Maybe do the same thing on the working server.  See if they follow
different paths.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
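
The `??? unknown type 41 ???` line in the nslookup debug output quoted in this thread is an EDNS0 OPT pseudo-record (RR type 41), which is what the EDNS and firewall suggestions in the replies are about. The following is an added example, not code from anyone on the list: a small Python parser run over a response constructed to match the header fields in that output, plus a query builder for the same question with and without the OPT record. The 4000-byte payload size and all function names are assumptions made for the illustration.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 41: "OPT"}  # 41 is the EDNS0 OPT pseudo-record


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    name = ".".join(labels) + "." if labels else "."
    return name, (off if end is None else end)


def build_query(name, qtype=1, msg_id=8, edns_payload=None):
    """Build a recursive query; if edns_payload is set, append an OPT record."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns_payload else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_payload:
        # OPT layout: root owner, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended rcode / version / flags, RDLENGTH 0.
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return header + question + opt


def parse_message(msg):
    """Parse the header, question and record headers of a DNS message."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, TYPES.get(qtype, "TYPE%d" % qtype)))
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rec = {"owner": owner, "type": TYPES.get(rtype, "TYPE%d" % rtype), "ttl": ttl}
        if rtype == 41:  # for OPT, CLASS and TTL are reused as EDNS fields
            rec["udp_payload"] = rclass
            rec["edns_version"] = (ttl >> 16) & 0xFF
            rec["do_bit"] = bool(ttl & 0x8000)
        records.append(rec)
    return {
        "id": msg_id,
        "response": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": (qd, an, ns, ar),
        "questions": questions,
        "records": records,
    }


def sample_servfail():
    """Constructed response mirroring the quoted debug output: id 8, SERVFAIL,
    RD+RA set, one question, one additional record of type 41 on the root."""
    header = struct.pack("!HHHHHH", 8, 0x8182, 1, 0, 0, 1)
    question = encode_name("www.studyisland.com.") + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4000, 0, 0)  # 4000 is a constructed value
    return header + question + opt


def summarize(parsed):
    """One-line reading of a parsed message with type 41 spelled out as EDNS0."""
    opt = next((r for r in parsed["records"] if r["type"] == "OPT"), None)
    if opt is None:
        edns = "no EDNS0"
    else:
        edns = "EDNS0 v%d, UDP payload %d" % (opt["edns_version"], opt["udp_payload"])
    return "id=%d rcode=%s %s" % (parsed["id"], parsed["rcode"], edns)


if __name__ == "__main__":
    print(summarize(parse_message(sample_servfail())))
    for payload in (None, 4000):
        query = build_query("www.studyisland.com.", edns_payload=payload)
        print(len(query), "bytes:", summarize(parse_message(query)))
```

Sending the two queries from `build_query` to the same upstream server from the affected host and comparing the replies isolates whether the OPT record is what a firewall or forwarder on the path objects to.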


Re: DNS Lookup Failing for One Address

2012-08-14 Thread Ben Scott
On Tue, Aug 14, 2012 at 4:51 PM, Maglinger, Paul  wrote:
> Somebody put something in the hosts file?

  Wouldn't affect data returned by DIG.  Shouldn't affect data
returned by NSLOOKUP, either, but as mentioned, I don't trust that
program.

-- Ben



Re: DNS Lookup Failing for One Address

2012-08-14 Thread Kurt Buff
Here's some more specific advice regarding EDNS:
http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

Kurt

On Tue, Aug 14, 2012 at 12:44 PM, John Hornbuckle wrote:
> Clearing the cache didn't help. I'll grab DIG now...
>
>
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Tuesday, August 14, 2012 2:41 PM
> To: NT System Admin Issues
> Subject: Re: DNS Lookup Failing for One Address
>
> On Tue, Aug 14, 2012 at 1:42 PM, John Hornbuckle 
>  wrote:
>> One of my DNS servers (Server 2008) is failing to resolve
>> www.studyisland.com like so:
>
>   There is some bug in MS-DNS in Windows 2008 R2 that causes it to randomly 
> get a brain crap on individual domains.  I don't know the details, but it's 
> bit a few people on this list.  Symptoms seem to match yours.  Try the command
>
> dnscmd /clearcache
>
> on the server.  If that clears the trouble, you need the hotfix.  I
> *think* this is it:
>
> http://support.microsoft.com/kb/2508835
>
> but I might have it confused with some other bug in MS-DNS.
>
>> C:\>nslookup
>
>   NSLOOKUP is brain damaged.  (The biggest problem is that it can give 
> ambiguous error messages.)  Get DIG from the ISC BIND suite and get in the 
> habit of using it for DNS diagnostics.
>
> -- Ben


RE: DNS Lookup Failing for One Address

2012-08-14 Thread John Hornbuckle
Clearing the cache didn't help. I'll grab DIG now...



-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, August 14, 2012 2:41 PM
To: NT System Admin Issues
Subject: Re: DNS Lookup Failing for One Address

On Tue, Aug 14, 2012 at 1:42 PM, John Hornbuckle wrote:
> One of my DNS servers (Server 2008) is failing to resolve 
> www.studyisland.com like so:

  There is some bug in MS-DNS in Windows 2008 R2 that causes it to randomly get 
a brain crap on individual domains.  I don't know the details, but it's bit a 
few people on this list.  Symptoms seem to match yours.  Try the command

dnscmd /clearcache

on the server.  If that clears the trouble, you need the hotfix.  I
*think* this is it:

http://support.microsoft.com/kb/2508835

but I might have it confused with some other bug in MS-DNS.

> C:\>nslookup

  NSLOOKUP is brain damaged.  (The biggest problem is that it can give 
ambiguous error messages.)  Get DIG from the ISC BIND suite and get in the 
habit of using it for DNS diagnostics.

-- Ben




Re: DNS Lookup Failing for One Address

2012-08-14 Thread Kurt Buff
On Tue, Aug 14, 2012 at 10:42 AM, John Hornbuckle wrote:
> Okay, DNS wizards… I need some input.
>
> One of my DNS servers (Server 2008) is failing to resolve
> www.studyisland.com like so:
>
> C:\>nslookup
> Default Server:  aoc-pet300.taylor.k12.fl.us
> Address:  10.11.7.13
>
>> www.studyisland.com.
> Server:  aoc-pet300.taylor.k12.fl.us
> Address:  10.11.7.13
>
> DNS request timed out.
> timeout was 2 seconds.
> DNS request timed out.
> timeout was 2 seconds.
> *** Request to aoc-pet300.taylor.k12.fl.us timed-out
>
> But I can point nslookup at one of my other servers (also Server 2008), and
> it resolves fine. Which kind of sounds like a server problem--but this
> server has resolved every other name I’ve thrown at it, though. Only this
> one is failing.
>
> I can point nslookup at the Norton DNS server that my failing server uses as
> a forwarding server (198.153.192.1), and it resolves fine. All of my other
> servers use that same forwarding address, too.
>
> I’m kind of going crazy here… My users desperately need to get to this site.
> I can’t figure out what’s wrong, but that’s no surprise because I’m not an
> expert when it comes to DNS.
>
> Can anyone offer any troubleshooting pointers?

Yes - if recycling the DNS Server service fixes the problem, there are
some known issues with DNS on 2003, 2008 and 2008 R2. One is EDNS -
see this link:
http://support.microsoft.com/kb/832223

and/or this link:
http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

Also, it's possible, but unlikely, that your firewall is filtering
these extended DNS records - especially if your firewall doesn't
understand/like TCP returns on queries. These links have some info on
that:
http://www.cisco.com/web/about/security/intelligence/dnssec.html

http://www.icann.org/en/groups/ssac/documents/sac-016-en.htm

Kurt




Re: DNS Lookup Failing for One Address

2012-08-14 Thread Ben Scott
On Tue, Aug 14, 2012 at 1:42 PM, John Hornbuckle wrote:
> One of my DNS servers (Server 2008) is failing to resolve
> www.studyisland.com like so:

  There is some bug in MS-DNS in Windows 2008 R2 that causes it to
randomly get a brain crap on individual domains.  I don't know the
details, but it's bit a few people on this list.  Symptoms seem to
match yours.  Try the command

dnscmd /clearcache

on the server.  If that clears the trouble, you need the hotfix.  I
*think* this is it:

http://support.microsoft.com/kb/2508835

but I might have it confused with some other bug in MS-DNS.

> C:\>nslookup

  NSLOOKUP is brain damaged.  (The biggest problem is that it can give
ambiguous error messages.)  Get DIG from the ISC BIND suite and get in
the habit of using it for DNS diagnostics.

-- Ben



RE: DNS Lookup Failing for One Address

2012-08-14 Thread Ziots, Edward
Non-authoritative answer:
Name:    vip1.studyisland.com
Address:  72.249.13.58
Aliases:  www.studyisland.com

So looks like possible DNS cache corruption on your DNS server.

(What I see from my end) (this could be due to access list on what
traffic it's accepting)

> server 198.153.192.1
Default Server:  [198.153.192.1]
Address:  198.153.192.1

> www.studyisland.com.
Server:  [198.153.192.1]
Address:  198.153.192.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [198.153.192.1] timed-out

Have you turned on debug log for DNS, and looked into that one?

Have you tried to do that DNS lookup from the DNS Server itself to the
upstream DNS forwarder, and see if it resolves and then take a look at
it from the DNS cache? (You will probably need Wireshark on the
workstation and server in question to see what is going on with the
packets.) I will be happy to look at any pcap files you would want to
send over on the situation.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Tuesday, August 14, 2012 1:42 PM
To: NT System Admin Issues
Subject: DNS Lookup Failing for One Address

Okay, DNS wizards... I need some input.

One of my DNS servers (Server 2008) is failing to resolve
www.studyisland.com like so:

C:\>nslookup
Default Server:  aoc-pet300.taylor.k12.fl.us
Address:  10.11.7.13

> www.studyisland.com.
Server:  aoc-pet300.taylor.k12.fl.us
Address:  10.11.7.13

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to aoc-pet300.taylor.k12.fl.us timed-out

But I can point nslookup at one of my other servers (also Server 2008),
and it resolves fine. Which kind of sounds like a server problem--but
this server has resolved every other name I've thrown at it, though.
Only this one is failing.

I can point nslookup at the Norton DNS server that my failing server
uses as a forwarding server (198.153.192.1), and it resolves fine. All
of my other servers use that same forwarding address, too.

I'm kind of going crazy here... My users desperately need to get to this
site. I can't figure out what's wrong, but that's no surprise because
I'm not an expert when it comes to DNS.

Can anyone offer any troubleshooting pointers?

John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us


RE: DNS Lookup Failing for One Address

2012-08-14 Thread Jimmy Tran
Clear the DNS cache on that particular server?

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Tuesday, August 14, 2012 10:42 AM
To: NT System Admin Issues
Subject: DNS Lookup Failing for One Address

Okay, DNS wizards... I need some input.

One of my DNS servers (Server 2008) is failing to resolve
www.studyisland.com like so:

C:\>nslookup
Default Server:  aoc-pet300.taylor.k12.fl.us
Address:  10.11.7.13

> www.studyisland.com.
Server:  aoc-pet300.taylor.k12.fl.us
Address:  10.11.7.13

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to aoc-pet300.taylor.k12.fl.us timed-out

But I can point nslookup at one of my other servers (also Server 2008),
and it resolves fine. Which kind of sounds like a server problem--but
this server has resolved every other name I've thrown at it, though.
Only this one is failing.

I can point nslookup at the Norton DNS server that my failing server
uses as a forwarding server (198.153.192.1), and it resolves fine. All
of my other servers use that same forwarding address, too.

I'm kind of going crazy here... My users desperately need to get to this
site. I can't figure out what's wrong, but that's no surprise because
I'm not an expert when it comes to DNS.

Can anyone offer any troubleshooting pointers?

John Hornbuckle, MSMIS, PMP
MIS Department
Taylor County School District
www.taylor.k12.fl.us


Re: DNS/DHCP

2012-05-21 Thread James Rankin
I used to be an incompetent sysadmin... then I learned how to use Google
and signed up for this list :-)

On 21 May 2012 21:31, Jonathan Link  wrote:

> You know there are a few incompetent ones out there...
>
>
> On Mon, May 21, 2012 at 4:25 PM, Micheal Espinola Jr <
> michealespin...@gmail.com> wrote:
>
>> Your admin should be diagnosing this problem for you.
>>
>> --
>> Espi
>>
>>
>>
>>
>> On Mon, May 21, 2012 at 9:21 AM, joseph palmieri wrote:
>>
>>> don't know as I'm not the admin (who tells me everything is properly
>>> configured)...can only make suggestion
>>>
>>>   *From:* Webster 
>>>
>>> *To:* NT System Admin Issues 
>>> *Sent:* Monday, May 21, 2012 12:00 PM
>>> *Subject:* RE: DNS/DHCP
>>>
>>>   Run Michael’s script!  Is Aging and Scavenging enabled in all 4
>>> places for DNS?
>>>
>>>
>>>  Carl Webster
>>> Consultant and Citrix Technology Professional
>>> http://www.carlwebster.com/
>>>
>>>   *From:* joseph palmieri [mailto:jpalm...@yahoo.com]
>>> *Sent:* Monday, May 21, 2012 10:50 AM
>>>
>>> *To:* NT System Admin Issues
>>> *Subject:* Re: DNS/DHCP
>>>
>>>  flushed cache same results from other workstations...neither address
>>> is correct
>>>
>>>
>>>   *From:* Kurt Buff 
>>> *To:* NT System Admin Issues 
>>> *Sent:* Monday, May 21, 2012 9:57 AM
>>> *Subject:* Re: DNS/DHCP
>>>
>>> On Mon, May 21, 2012 at 4:33 AM, joseph palmieri 
>>> wrote:
>>> 
>>> > C:\>ping 10.237.4.83
>>> > Pinging 10.237.4.83 with 32 bytes of data:
>>> > Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
>>> >
>>> > C:\>ping workstation1
>>> > Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:
>>>
>>> Two different IP addresses? Which one is correct?
>>>
>>> As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
>>> on the pinging workstation?
>>>
>>> Also, on the pinged workstation, have you done "ipconfig /release &&
>>> ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
>>> minutes?
>>>

Re: DNS/DHCP

2012-05-21 Thread Jonathan Link
You know there are a few incompetent ones out there...

On Mon, May 21, 2012 at 4:25 PM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> Your admin should be diagnosing this problem for you.
>
> --
> Espi
>
>
>
>
> On Mon, May 21, 2012 at 9:21 AM, joseph palmieri wrote:
>
>> don't know as I'm not the admin (who tells me everything is properly
>> configured)...can only make suggestion
>>
>>   *From:* Webster 
>>
>> *To:* NT System Admin Issues 
>> *Sent:* Monday, May 21, 2012 12:00 PM
>> *Subject:* RE: DNS/DHCP
>>
>>   Run Michael’s script!  Is Aging and Scavenging enabled in all 4 places
>> for DNS?
>>
>>
>>  Carl Webster
>> Consultant and Citrix Technology Professional
>> http://www.carlwebster.com/
>>
>>   *From:* joseph palmieri [mailto:jpalm...@yahoo.com]
>> *Sent:* Monday, May 21, 2012 10:50 AM
>>
>> *To:* NT System Admin Issues
>> *Subject:* Re: DNS/DHCP
>>
>>  flushed cache same results from other workstations...neither address is
>> correct
>>
>>
>>   *From:* Kurt Buff 
>> *To:* NT System Admin Issues 
>> *Sent:* Monday, May 21, 2012 9:57 AM
>> *Subject:* Re: DNS/DHCP
>>
>> On Mon, May 21, 2012 at 4:33 AM, joseph palmieri 
>> wrote:
>> 
>> > C:\>ping 10.237.4.83
>> > Pinging 10.237.4.83 with 32 bytes of data:
>> > Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
>> >
>> > C:\>ping workstation1
>> > Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:
>>
>> Two different IP addresses? Which one is correct?
>>
>> As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
>> on the pinging workstation?
>>
>> Also, on the pinged workstation, have you done "ipconfig /release &&
>> ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
>> minutes?
>>

Re: DNS/DHCP

2012-05-21 Thread Micheal Espinola Jr
Your admin should be diagnosing this problem for you.

--
Espi




On Mon, May 21, 2012 at 9:21 AM, joseph palmieri  wrote:

> don't know as I'm not the admin (who tells me everything is properly
> configured)...can only make suggestion
>
>   *From:* Webster 
>
> *To:* NT System Admin Issues 
> *Sent:* Monday, May 21, 2012 12:00 PM
> *Subject:* RE: DNS/DHCP
>
>   Run Michael’s script!  Is Aging and Scavenging enabled in all 4 places
> for DNS?
>
>
>  Carl Webster
> Consultant and Citrix Technology Professional
> http://www.carlwebster.com/
>
>   *From:* joseph palmieri [mailto:jpalm...@yahoo.com]
> *Sent:* Monday, May 21, 2012 10:50 AM
> *To:* NT System Admin Issues
> *Subject:* Re: DNS/DHCP
>
>  flushed cache same results from other workstations...neither address is
> correct
>
>
>   *From:* Kurt Buff 
> *To:* NT System Admin Issues 
> *Sent:* Monday, May 21, 2012 9:57 AM
> *Subject:* Re: DNS/DHCP
>
> On Mon, May 21, 2012 at 4:33 AM, joseph palmieri 
> wrote:
> 
> > C:\>ping 10.237.4.83
> > Pinging 10.237.4.83 with 32 bytes of data:
> > Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
> >
> > C:\>ping workstation1
> > Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:
>
> Two different IP addresses? Which one is correct?
>
> As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
> on the pinging workstation?
>
> Also, on the pinged workstation, have you done "ipconfig /release &&
> ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
> minutes?
>

Re: DNS/DHCP

2012-05-21 Thread James Rankin
I've just set the AD guys at my current assignment away with a copy of that
script too... as part of my crackdown on bad AD practices affecting XenApp.
Dunno where I got the idea for that :-)

On 21 May 2012 20:09, Webster  wrote:

> I am just glad I know a PoSH genius before I made a fool out of myself
> in public! LOL
>
> Carl Webster
> Consultant and Citrix Technology Professional
> http://www.CarlWebster.com <http://www.carlwebster.com/>
>
> *From:* Michael B. Smith [mailto:mich...@smithcons.com]
> *Sent:* Monday, May 21, 2012 1:27 PM
> *To:* NT System Admin Issues
> *Subject:* RE: DNS/DHCP
>
> If you have client duplicates and you are using DHCP, then you almost
> certainly don’t have scavenging configured properly.
>
> You wouldn’t BELIEVE what Web was doing before he asked me to post that. :)
>
> *From:* Steven Peck [mailto:sep...@gmail.com]
> *Sent:* Monday, May 21, 2012 2:02 PM
> *To:* NT System Admin Issues
> *Subject:* Re: DNS/DHCP
>
> That is an awesome script.  Most 'duplicates' I found on ours were clients
> but I did find one of our new HyperV clusters that had a nic configuration
> issues.  :)
>


-- 
http://appsensebigot.blogspot.co.uk

IMPORTANT INFORMATION/DISCLAIMER

I certainly don't have time to monitor the content of e-mail sent and
received via this account for the purposes of ensuring compliance with
anyone's policies and procedures. I am pretty sure that somewhere in UK
legislation there is some politically-correct drivel that stipulates I must
never send or store e-mails or attachments that are obscene, indecent,
sexist, racist, defamatory, abusive, in breach of copyright, encrypted,
amusing, overly long, slightly opinionated, anonymous, likely to harm
animals or hurt the feelings of an as-yet-unspecified or as-yet-nonexistent
minority (such as extraterrestrial eggplants). Emails of this nature sent
in or out of this account may be intercepted and stopped by the system, but
it's a long shot. This being the UK, even if I was prosecuted for breach of
said email guidelines, I'd probably walk with a suspended sentence anyway,
but if I'd forgotten to pay my car insurance, I'd most certainly be hung,
drawn and quartered.

I am not responsible for any changes made to the message after it has been
sent, in more or less the same way that cyclozine manufacturers aren't
responsible for drug addicts mixing it with methadone and overdosing, so
I'm glad I cleared the confusion up there nice and early. Where opinions
are expressed, they are not necessarily mine. However, I don't make a habit
of expressing other people's opinions for them, so you shouldn't take that
statement as an indication that I am in the business of providing an
opinion-expressing service. In the event that I did, this discourse would
provide no guarantee that I would do it anyway, but I don't, so I won't.

This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you are not the intended addressee, or the person responsible for
delivering it to them, aside from the fact that you've clearly got some
level of unauthorised access to their account or are at least engaged in
some sort of fraud, I'm obliged to tell you that may not copy, forward
disclose or otherwise use it or any part of it in any way. To do so may be
unlawful, and as you're already breaking the law, I am sure that bombshell
makes you quake in your boots and turn yourself over to law enforcement
immediately. If you receive this e-mail by mistake, please advise the
sender immediately. That would be me, and as I am clearly prone to sending
emails to completely the wrong person, I should instantly be stripped of my
status as a technical consultant and sent to do something more becoming of
my stupidity, such as appearing on Big Brother, the X Factor or "insert
country name here"'s Got Talent.


Re: DNS/DHCP

2012-05-21 Thread Steven Peck
Oh, I am not surprised we have a few with issues, however between clients
and servers there were only 40-50 duplicate entries.  Some were just
oddities we carry from past apps (hardcoded to DNS name) but a few were out
and out mistakes.  Between desktop, windows servers, *nix servers we have a
lot of entries and so very few duplicates overall.  I think most will be
one off or some oddity from a dev client systems.  In any case, I forwarded
to the DNS guys for them to play with and delve deeper.

On Mon, May 21, 2012 at 11:26 AM, Michael B. Smith wrote:

> If you have client duplicates and you are using DHCP, then you almost
> certainly don’t have scavenging configured properly.
>
> You wouldn’t BELIEVE what Web was doing before he asked me to post that. :)
>
> *From:* Steven Peck [mailto:sep...@gmail.com]
> *Sent:* Monday, May 21, 2012 2:02 PM
> *To:* NT System Admin Issues
> *Subject:* Re: DNS/DHCP
>
> That is an awesome script.  Most 'duplicates' I found on ours were clients
> but I did find one of our new HyperV clusters that had a nic configuration
> issues.  :)
>
> On Mon, May 21, 2012 at 10:05 AM, Kurt Buff wrote:
>
> Then it's definitely time to use the link that Webster gave you.
>
>
> On Mon, May 21, 2012 at 8:50 AM, joseph palmieri 
> wrote:
> > flushed cache same results from other workstations...neither address is
> > correct
> >
> > From: Kurt Buff 
> >
> > To: NT System Admin Issues 
> > Sent: Monday, May 21, 2012 9:57 AM
> > Subject: Re: DNS/DHCP
> >
> > On Mon, May 21, 2012 at 4:33 AM, joseph palmieri 
> wrote:
> > 
> >> C:\>ping 10.237.4.83
> >> Pinging 10.237.4.83 with 32 bytes of data:
> >> Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
> >>
> >> C:\>ping workstation1
> >> Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:
> >
> > Two different IP addresses? Which one is correct?
> >
> > As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
> > on the pinging workstation?
> >
> > Also, on the pinged workstation, have you done "ipconfig /release &&
> > ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
> > minutes?
>
> 
>

RE: DNS/DHCP

2012-05-21 Thread Michael B. Smith
If you have client duplicates and you are using DHCP, then you almost certainly 
don't have scavenging configured properly.

You wouldn't BELIEVE what Web was doing before he asked me to post that. :)

From: Steven Peck [mailto:sep...@gmail.com]
Sent: Monday, May 21, 2012 2:02 PM
To: NT System Admin Issues
Subject: Re: DNS/DHCP

That is an awesome script.  Most 'duplicates' I found on ours were clients but 
I did find one of our new HyperV clusters that had a nic configuration issues.  
:)
On Mon, May 21, 2012 at 10:05 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
Then it's definitely time to use the link that Webster gave you.

On Mon, May 21, 2012 at 8:50 AM, joseph palmieri <jpalm...@yahoo.com> wrote:
> flushed cache same results from other workstations...neither address is
> correct
>
> From: Kurt Buff <kurt.b...@gmail.com>
>
> To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> Sent: Monday, May 21, 2012 9:57 AM
> Subject: Re: DNS/DHCP
>
> On Mon, May 21, 2012 at 4:33 AM, joseph palmieri <jpalm...@yahoo.com> wrote:
>
>> C:\>ping 10.237.4.83
>> Pinging 10.237.4.83 with 32 bytes of data:
>> Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
>>
>> C:\>ping workstation1
>> Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:
>
> Two different IP addresses? Which one is correct?
>
> As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
> on the pinging workstation?
>
> Also, on the pinged workstation, have you done "ipconfig /release &&
> ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
> minutes?


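
The link between duplicate client records and scavenging made in the message above, as an added example that is not Michael's script or any other code from the list: it groups A records by address and marks which owners are past the aging window, so a stale leftover can be told apart from a live conflict. The record list is constructed (only the workstation1 name and the two addresses come from the thread), and the 7-day no-refresh and refresh intervals are assumed zone settings matching the Windows defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)  # assumed zone setting (Windows default)
REFRESH = timedelta(days=7)     # assumed zone setting (Windows default)

# Constructed sample zone contents: (name, address, last refresh time).
# A timestamp of None marks a static record, which is never aged.
NOW = datetime(2012, 5, 21, 12, 0)
RECORDS = [
    ("workstation1.xyz.org", "10.237.5.102", datetime(2012, 3, 2, 9, 0)),
    ("workstation7.xyz.org", "10.237.5.102", datetime(2012, 5, 20, 8, 0)),
    ("workstation9.xyz.org", "10.237.4.83", datetime(2012, 4, 1, 10, 0)),
    ("laptop3.xyz.org", "10.237.4.83", datetime(2012, 5, 21, 7, 30)),
    ("printsrv.xyz.org", "10.237.4.10", None),
    ("workstation4.xyz.org", "10.237.4.90", datetime(2012, 5, 19, 16, 0)),
]


def is_stale(timestamp, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """A dynamic record is scavengeable once both intervals have elapsed."""
    return timestamp is not None and now >= timestamp + no_refresh + refresh


def duplicate_addresses(records):
    """Map each address held by more than one name to its (name, timestamp) owners."""
    by_ip = defaultdict(list)
    for name, ip, ts in records:
        by_ip[ip].append((name, ts))
    return {ip: owners for ip, owners in by_ip.items() if len(owners) > 1}


def audit(records, now):
    """Return one finding per duplicated address, split into stale and live owners."""
    findings = []
    for ip, owners in sorted(duplicate_addresses(records).items()):
        stale = sorted(n for n, ts in owners if is_stale(ts, now))
        live = sorted(n for n, ts in owners if not is_stale(ts, now))
        if stale and live:
            verdict = "stale record left behind; scavenging would have removed it"
        elif stale:
            verdict = "every owner is stale; address is probably unused"
        else:
            verdict = "all owners current or static; check for a real conflict or NIC misconfiguration"
        findings.append({"ip": ip, "stale": stale, "live": live, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit(RECORDS, NOW):
        print(finding["ip"], "stale:", finding["stale"], "live:", finding["live"])
        print("   ", finding["verdict"])
```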

Re: DNS/DHCP

2012-05-21 Thread Steven Peck
That is an awesome script.  Most 'duplicates' I found on ours were clients
but I did find one of our new HyperV clusters that had a nic configuration
issues.  :)

On Mon, May 21, 2012 at 10:05 AM, Kurt Buff  wrote:

> Then it's definitely time to use the link that Webster gave you.
>
> On Mon, May 21, 2012 at 8:50 AM, joseph palmieri 
> wrote:
> > flushed cache same results from other workstations...neither address is
> > correct
> >
> > From: Kurt Buff 
> >
> > To: NT System Admin Issues 
> > Sent: Monday, May 21, 2012 9:57 AM
> > Subject: Re: DNS/DHCP
> >
> > On Mon, May 21, 2012 at 4:33 AM, joseph palmieri 
> wrote:
> > 
> >> C:\>ping 10.237.4.83
> >> Pinging 10.237.4.83 with 32 bytes of data:
> >> Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
> >>
> >> C:\>ping workstation1
> >> Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:
> >
> > Two different IP addresses? Which one is correct?
> >
> > As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
> > on the pinging workstation?
> >
> > Also, on the pinged workstation, have you done "ipconfig /release &&
> > ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
> > minutes?
> >
> >

Re: DNS/DHCP

2012-05-21 Thread Kurt Buff
Then it's definitely time to use the link that Webster gave you.

On Mon, May 21, 2012 at 8:50 AM, joseph palmieri  wrote:
> flushed cache same results from other workstations...neither address is
> correct
>
> From: Kurt Buff 
>
> To: NT System Admin Issues 
> Sent: Monday, May 21, 2012 9:57 AM
> Subject: Re: DNS/DHCP
>
> On Mon, May 21, 2012 at 4:33 AM, joseph palmieri  wrote:
> 
>> C:\>ping 10.237.4.83
>> Pinging 10.237.4.83 with 32 bytes of data:
>> Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
>>
>> C:\>ping workstation1
>> Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:
>
> Two different IP addresses? Which one is correct?
>
> As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
> on the pinging workstation?
>
> Also, on the pinged workstation, have you done "ipconfig /release &&
> ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
> minutes?
>
>



Re: DNS/DHCP

2012-05-21 Thread joseph palmieri
don't know as I'm not the admin (who tells me everything is properly 
configured)...can only make suggestion




From: Webster 
To: NT System Admin Issues  
Sent: Monday, May 21, 2012 12:00 PM
Subject: RE: DNS/DHCP


Run Michael’s script!  Is Aging and Scavenging enabled in all 4 places for DNS?
 
 
Carl Webster
Consultant and Citrix Technology Professional
http://www.carlwebster.com/
 
From: joseph palmieri [mailto:jpalm...@yahoo.com]
Sent: Monday, May 21, 2012 10:50 AM
To: NT System Admin Issues
Subject: Re: DNS/DHCP
 
flushed cache same results from other workstations...neither address is correct


 
From: Kurt Buff
To: NT System Admin Issues  
Sent: Monday, May 21, 2012 9:57 AM
Subject: Re: DNS/DHCP

On Mon, May 21, 2012 at 4:33 AM, joseph palmieri  wrote:

> C:\>ping 10.237.4.83
> Pinging 10.237.4.83 with 32 bytes of data:
> Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
>
> C:\>ping workstation1
> Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:

Two different IP addresses? Which one is correct?

As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
on the pinging workstation?

Also, on the pinged workstation, have you done "ipconfig /release &&
ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
minutes?


RE: DNS/DHCP

2012-05-21 Thread Webster
Run Michael's script!  Is Aging and Scavenging enabled in all 4 places for DNS?


Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: joseph palmieri [mailto:jpalm...@yahoo.com]
Sent: Monday, May 21, 2012 10:50 AM
To: NT System Admin Issues
Subject: Re: DNS/DHCP

flushed cache same results from other workstations...neither address is correct


From: Kurt Buff <kurt.b...@gmail.com>
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Sent: Monday, May 21, 2012 9:57 AM
Subject: Re: DNS/DHCP

On Mon, May 21, 2012 at 4:33 AM, joseph palmieri <jpalm...@yahoo.com> wrote:

> C:\>ping 10.237.4.83
> Pinging 10.237.4.83 with 32 bytes of data:
> Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
>
> C:\>ping workstation1
> Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:

Two different IP addresses? Which one is correct?

As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
on the pinging workstation?

Also, on the pinged workstation, have you done "ipconfig /release &&
ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
minutes?


Re: DNS/DHCP

2012-05-21 Thread joseph palmieri
flushed cache same results from other workstations...neither address is correct




From: Kurt Buff 
To: NT System Admin Issues  
Sent: Monday, May 21, 2012 9:57 AM
Subject: Re: DNS/DHCP

On Mon, May 21, 2012 at 4:33 AM, joseph palmieri  wrote:

> C:\>ping 10.237.4.83
> Pinging 10.237.4.83 with 32 bytes of data:
> Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
>
> C:\>ping workstation1
> Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:

Two different IP addresses? Which one is correct?

As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
on the pinging workstation?

Also, on the pinged workstation, have you done "ipconfig /release &&
ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
minutes?


RE: DNS/DHCP

2012-05-21 Thread Webster
Run Michael's script and see what duplicates exist in your DNS.

http://theessentialexchange.com/blogs/michael/archive/2012/04/24/finding-duplicate-ip-addresses-and-duplicate-names-in-a-dns-zone.aspx



Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: joseph palmieri [mailto:jpalm...@yahoo.com]
Sent: Monday, May 21, 2012 9:02 AM
To: NT System Admin Issues
Subject: Re: DNS/DHCP

results are the same from multiple workstations


From: Terry Dickson <te...@treasurer.state.ks.us>
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Sent: Monday, May 21, 2012 8:08 AM
Subject: re: DNS/DHCP

Did you make sure you cleared the DNS Cache on the machine you are pinging from?
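
The kind of check suggested in the message above (duplicate names and duplicate IP addresses in a zone), as an added PowerShell example; it is not Michael's script and not code from the thread. The function name `Find-DnsDuplicate`, the record shape, the sample records and the 14-day staleness threshold are all assumptions.

```powershell
# Constructed A records for illustration (documentation addresses, not real data).
# Timestamp is $null for a static record; dynamic records carry their last refresh time.
$sample = @(
    [pscustomobject]@{ Name = 'workstation1'; IP = '192.0.2.102'; Timestamp = [datetime]'2012-03-02' }
    [pscustomobject]@{ Name = 'workstation7'; IP = '192.0.2.102'; Timestamp = [datetime]'2012-05-20' }
    [pscustomobject]@{ Name = 'workstation1'; IP = '192.0.2.90';  Timestamp = [datetime]'2012-04-11' }
    [pscustomobject]@{ Name = 'server1';      IP = '192.0.2.10';  Timestamp = $null }
)

function Find-DnsDuplicate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [datetime] $Now = (Get-Date),
        [int] $StaleDays = 14   # assumed threshold; match it to your aging intervals
    )
    # Pass 1: one IP held by several names. Pass 2: one name holding several IPs.
    foreach ($key in 'IP', 'Name') {
        $other = if ($key -eq 'IP') { 'Name' } else { 'IP' }
        $groups = $Records | Group-Object -Property $key | Where-Object { $_.Count -gt 1 }
        foreach ($g in $groups) {
            foreach ($r in $g.Group) {
                $age = $null
                if ($null -ne $r.Timestamp) {
                    $age = [math]::Floor(($Now - $r.Timestamp).TotalDays)
                }
                [pscustomobject]@{
                    DuplicateOf = $key
                    Value       = $g.Name
                    Conflict    = $r.$other
                    AgeDays     = $age
                    # Only dynamic (timestamped) records can be judged stale by age.
                    LikelyStale = ($null -ne $age -and $age -gt $StaleDays)
                }
            }
        }
    }
}

Find-DnsDuplicate -Records $sample -Now ([datetime]'2012-05-21') | Format-Table -AutoSize
```

Within each group, the record with the largest AgeDays is the first one to verify against the current DHCP lease before deleting anything.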

Re: DNS/DHCP

2012-05-21 Thread joseph palmieri
results are the same from multiple workstations




From: Terry Dickson 
To: NT System Admin Issues  
Sent: Monday, May 21, 2012 8:08 AM
Subject: re: DNS/DHCP

Did you make sure you cleared the DNS Cache on the machine you are pinging from?

Re: DNS/DHCP

2012-05-21 Thread Kurt Buff
On Mon, May 21, 2012 at 4:33 AM, joseph palmieri  wrote:

> C:\>ping 10.237.4.83
> Pinging 10.237.4.83 with 32 bytes of data:
> Reply from 10.237.4.83: bytes=32 time=1ms TTL=127
>
> C:\>ping workstation1
> Pinging workstation1.xyz.org [10.237.5.102] with 32 bytes of data:

Two different IP addresses? Which one is correct?

As Terry suggested, did you clear the DNS cache (ipconfig /flushdns)
on the pinging workstation?

Also, on the pinged workstation, have you done "ipconfig /release &&
ipconfig /renew && ipconfig /registerdns" and waited a minimum of 15
minutes?



re: DNS/DHCP

2012-05-21 Thread Terry Dickson
Did you make sure you cleared the DNS Cache on the machine you are pinging from?