I have 2 DNS servers with private IPs (NAT Clients) behind an ISA server running in integrated mode. Occasionally the DNS services on both servers will, at the same time, stop resolving external zones. The internal zones are never a problem, so I know the DNS servers are working properly.
I've already applied ISA SP1 and the 2 post-SP1 hotfixes. MS Q312640 says the fix for this issue is to install SP1 - riiiight. I have not run the lockdown wizard, and TCP/IP is the only protocol running on both NICs. The internal NIC on the ISA server uses internal DNS and no gateway, the external NIC has no DNS and the ISP's gateway. The internal DNS servers that stop working have failed when accessing the ISP's DNS and the root hosts.
I'm publishing a website, a POP3 server, and an SMTP server on the same ISA box. I'm using a different IP for the publishing than the NAT clients use for outgoing access.
My old fix was to restart the Web Proxy service, or un- and re-install ISA SP1. Up until a week or two ago this seemed to work. I have this exact installation in 3 different networks, in 3 different places, with 3 different ISPs... this DNS issue happens regularly in only 2 of them.
I've found that when I split my DNS in advertising and resolver servers that things worked much better. Also disabling recursion on the advertisers is very helpful. There are a few more tips, but my Exchange server is down so I don't have access to them.
My only concern is that these DNS servers are internal only -- there are only about 100 nodes on each network, and two servers service these 100 nodes. The servers will resolve about 10 internal zones and will forward on anything else to the root or my ISP - very low traffic on these servers. We don't run any public zones out of the offices, so there's really no need to split the DNS in these situations.
Once the exchange server comes back online, I'd love to hear what else you got! :-)
OK, it seems that you might have a bit different problem, although related to what I was talking about.
Check this out:
Jorgen, Junior Member, Member # 8800, posted November 11, 2002 11:13 AM:
Sorry Stefaan
Your link is close but not quite all the way there...
That article deals with TCP connections and most (not all) DNS traffic is UDP based. The parameter that handles UDP "connections" is in the same location but is called "msFPCMappingQuota".
SecureNAT and Firewall Clients Are Disconnected from the Network

CAUSE
This behavior can occur because ISA Server limits each client to forty SecureNAT mappings, by default. If there are more than forty simultaneous connections from one client, when the forty-first connection is requested from the same client, ISA Server sends a TCP Reset frame to the oldest connection, and then the new connection is successfully established.

RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this behavior, increase the registry value that controls the number of connections that ISA Server allows for each client:
Start Registry Editor (Regedt32.exe).
Locate and click the following registry key:
Click DWORD on the Edit menu, type a new value, and then click OK.
NOTE: The new value depends on your environment. The default is 40 decimal. A new value of 100 decimal is safe in most cases. To determine a specific value, analyze the maximum number of simultaneous sessions that you need. The maximum allowable value is based on available system resources.
Quit Registry Editor.
Change the entry msFPCMappingQuota to 600 decimal and it should work much better. Don't make the change to the TCP quota or it won't work and might make things worse (or not).
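An added health check (not from this thread or from Microsoft) that looks for the exact failure signature described above, internal zones resolving while external names do not, and then reports the per-client mapping quota. The server addresses and host names are constructed samples, and the registry path is a placeholder because the quoted KB text omits the key; substitute the real key before use.

```powershell
# Added example: detect "internal OK, external failing" on each DNS server and
# report the ISA per-client mapping quota. All values below are placeholders.
$DnsServers   = @('192.0.2.10', '192.0.2.11')      # constructed sample DNS server addresses
$InternalName = 'server1.corp.example'             # a record in one of your internal zones
$ExternalName = 'www.example.com'                  # a name that requires external resolution
$QuotaKey     = 'HKLM:\SOFTWARE\Microsoft\Fpc\PLACEHOLDER-ARRAY-PATH'  # PLACEHOLDER path
$QuotaName    = 'msFPCMappingQuota'                # UDP mapping quota named in the thread

function Test-Resolution {
    # Returns $true when the given server answers with at least one A record.
    param([string]$Server, [string]$Name)
    try {
        $r = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
        return (@($r | Where-Object { $_.IPAddress })).Count -gt 0
    } catch {
        return $false
    }
}

foreach ($s in $DnsServers) {
    $internalOk = Test-Resolution -Server $s -Name $InternalName
    $externalOk = Test-Resolution -Server $s -Name $ExternalName
    if ($internalOk -and -not $externalOk) {
        # This is the pattern from the thread: the server itself works, outbound UDP via ISA does not.
        Write-Warning "$s resolves internal zones but not external names"
    } elseif (-not $internalOk) {
        Write-Warning "$s fails internal resolution too; not the ISA mapping-quota pattern"
    } else {
        Write-Output "$s OK"
    }
}

# Run this part on the ISA server (or wrap it in Invoke-Command) to see the current quota.
$quota = (Get-ItemProperty -Path $QuotaKey -Name $QuotaName -ErrorAction SilentlyContinue).$QuotaName
if ($null -eq $quota) {
    Write-Output "$QuotaName not set; ISA default is 40 mappings per client"
} elseif ($quota -le 40) {
    Write-Output "$QuotaName = $quota (at or below the default of 40; the thread suggests 600)"
} else {
    Write-Output "$QuotaName = $quota"
}
```

Run the resolution checks from a client on the internal network so the queries take the same path through ISA that normal clients use.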
Thanks for the additional info - I'll try that out today and hope it helps things.
My only concern is that the problem goes away for a number of weeks after re-installing ISA (my only sure-fire fix at this point). So wouldn't this mean that a "too many connections" problem would resurface almost immediately? And if it was "too many connections" wouldn't restarting the ISA server or the services clear the problem up at least temporarily? It doesn't...
Thanks again, if you have any additional insight, or if I find out anything else, I'll meet you back here. :-)
I think the fact that it goes away for a number of weeks is just a coincidence. I've noticed the same thing, but it will go away for weeks and then return. But since we don't really know for sure what's causing the problem, it could be anything. Try the registry entries and see how it works for you. So far, it seems to be working OK at our sites.
We have found a similar problem. We have a split DNS system as well. When we restart the ISA services on the ISA server, our (separate) internal DNS server stops resolving DNS queries, every time... WEIRD!
Restarting the DNS Server service on the internal DNS server fixes the problem... hope this helps you track down your issue.
I had the same problem with our internal DNS servers. To get around this issue you can set up your ISA Servers as caching-only DNS servers. After we set up our ISA Servers for caching-only DNS, the internal DNS servers worked great even after a restart and/or shutdown. Hope the information helps.
I must be missing something here. We have been having a very similar problem. I checked to see if I could add this registry entry and found that I don't have the key starting at FPC, I have no "Arrays" key. Why would that be?