Welcome to ISAserver.org


RE: DNS configuration problems

RE: DNS configuration problems - 22.Mar.2001 5:00:00 AM   
ProtoCallMike

 

Posts: 28
Joined: 20.Mar.2001
From: Hamitlon, OH 45015
Status: offline
Well, with everyone's input here, I believe my DNS problem has been solved. After removing DNS from the ISA box and putting it back on the DC, I ran the DNS configuration wizard. I restarted and removed the root domain, set up the forwarders and have been able to resolve everything without a problem. The only small problem I am having now, that I have been having, is that some internet domains do not respond to ping requests. Anyone have any idea why this might be? If I am to ping microsoft.com or msn.com, the ping request times out. I can resolve the names OK, they just don't respond to pings. Anyone have any ideas?

Thanks again

------------------
Mike Evans
Network Administrator
ProtoCall


(in reply to ProtoCallMike)
Post #: 21
RE: DNS configuration problems - 22.Mar.2001 6:03:00 AM   
kfish

 

Posts: 15
Joined: 16.Mar.2001
From: Atlanta, Ga., USA
Status: offline
Some domains do not respond to pings; too many people use them as a test ping site. Cisco is always up. Microsoft, to my knowledge, does not pong. Hope that helps.

(in reply to ProtoCallMike)
Post #: 22
RE: DNS configuration problems - 22.Mar.2001 3:26:00 PM   
ProtoCallMike

 

Posts: 28
Joined: 20.Mar.2001
From: Hamitlon, OH 45015
Status: offline
Thank you, that is what my thought was, but I was not sure that you could set up a site to not respond to ping requests.

------------------
Mike Evans
Network Administrator
ProtoCall


(in reply to ProtoCallMike)
Post #: 23
RE: DNS configuration problems - 22.Mar.2001 6:04:00 PM   
SemSrg

 

Posts: 16
Joined: 22.Feb.2001
Status: offline
I have one DNS on the ISA box.
It was working fine for maybe a week, but now it's working periodically: maybe 5 min working, then 2 min it doesn't, and so on.
DNS is listening on the ISA private IP and published on the ISA external IP, so everything is like in the book.

What can it be?


(in reply to ProtoCallMike)
Post #: 24
RE: DNS configuration problems - 22.Mar.2001 6:15:00 PM   
ProtoCallMike

 

Posts: 28
Joined: 20.Mar.2001
From: Hamitlon, OH 45015
Status: offline
This was above,

quote:
Originally posted by tshinder:
Ok Dudes,

This is a pretty intensive conversation!

Here's what I would do, and what I have done.

Get the DNS off the ISA Server; it's not good security policy and you should really remove all services not required on the ISA Server.

Install an internal DNS Server. That DNS Server should be authoritative for your internal domain. It should also be configured to forward requests to an external DNS Server for domains for which it is not authoritative.

Make sure that there is a protocol rule in place that will allow the internal DNS Server to forward requests to an external DNS server, and make sure that the internal DNS server is configured as a SecureNAT client.

The Exchange Server should be set up as a SecureNAT client. Because SecureNAT clients cannot use the ISA Server to perform a proxy DNS for them, you have to configure their DNS setting manually. Set the Exchange Server to use the internal DNS server to resolve host names.

Run the Secure Mail Wizard, and you're set for life!

HTH,
Tom


------------------
Mike Evans
Network Administrator
ProtoCall


(in reply to ProtoCallMike)
Post #: 25
RE: DNS configuration problems - 22.Mar.2001 10:37:00 PM   
Guest
I have a test lab configured with Win2K. I am using two internal DNS servers serving a domain called rwdblab.org (which doesn't exist) and have set up all the forwarders, which go through the ISA server. This part is all good. Now, I have a public domain name mycompany.com pointing at the external NIC of the ISA (the CNAME and MX point there). How exactly would I configure publishing for an internal server called ns1.rwdblab.org in this scenario, when we know that to access OWA you need to type http://server/exchange/..... Help here, I am going nuts.

(in reply to ProtoCallMike)
  Post #: 26
RE: DNS configuration problems - 23.Mar.2001 12:46:00 AM   
nouellette

 

Posts: 27
Joined: 22.Mar.2001
From: Dearborn, MI USA
Status: offline
I'd love to know this scenario as well...my current ISP has my MX record pointed to my external NIC card with the mail.domain.com record. However I am about to upgrade my entire organization to Win2k including Exchange and ISA. So I will have to implement DNS.

I want to have my internal DNS name something like company.local or company.com. My servers are all going to be in-place upgrades, so I want a naming schema such as server1.company.com and server2.company.com. It's all one domain and only a couple of servers, including the ISA. My question is... how does that external DNS record from my ISP (mail.domain.com) affect my internal DNS naming convention? Do I have to have a mail.domain.com DNS name inside my company to retrieve that mail?

The exchange server will be sitting behind the ISA server.


(in reply to ProtoCallMike)
Post #: 27
RE: DNS configuration problems - 23.Mar.2001 5:31:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alket,

You need to include in your Destination Set the paths that are required to access OWA:

/exchange/*
/exchweb/*
/public/*

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to ProtoCallMike)
Post #: 28
RE: DNS configuration problems - 23.Mar.2001 5:35:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi nouellette,

Just make sure the MX record points to the external interface of your ISA Server, and make sure that your Exchange Server is configured to accept mail from that domain for your users.

HTH,
Tom

quote:
Originally posted by nouellette:
I'd love to know this scenario as well...my current ISP has my MX record pointed to my external NIC card with the mail.domain.com record. However I am about to upgrade my entire organization to Win2k including Exchange and ISA. So I will have to implement DNS.

I want to have my internal DNS name something like company.local or company.com. My servers are all going to be in-place upgrades, so I want a naming schema such as server1.company.com and server2.company.com. It's all one domain and only a couple of servers, including the ISA. My question is... how does that external DNS record from my ISP (mail.domain.com) affect my internal DNS naming convention? Do I have to have a mail.domain.com DNS name inside my company to retrieve that mail?

The exchange server will be sitting behind the ISA server.


------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to ProtoCallMike)
Post #: 29
RE: DNS configuration problems - 23.Mar.2001 5:29:00 PM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
If you are making the move to AD, consider using a non-contiguous internal namespace. It is a real plus in managing internal and external DNS domains.

external company.com

internal inside.tld
east.inside.tld
west.inside.tld
far.east.inside.tld

etc.

You don't want internal and external resources in the same zone. It is a security/dynamic update nightmare!

John


(in reply to ProtoCallMike)
Post #: 30
RE: DNS configuration problems - 24.Mar.2001 3:13:00 AM   
sandoka

 

Posts: 47
Joined: 10.Feb.2001
From: mountain View, CA
Status: offline
quote:
Originally posted by jmunyan:
If you are making the move to AD, consider using a non-contiguous internal namespace. It is a real plus in managing internal and external DNS domains.

external company.com

internal inside.tld
east.inside.tld
west.inside.tld
far.east.inside.tld

etc.

You don't want internal and external resources in the same zone. It is a security/dynamic update nightmare!

John


Just a little addition to jmunyan's:
If you want (and if you host ALL your stuff, web, mail, etc., on your internal servers), you can actually use the same zone name.

Let me explain. If your web servers, your mail servers and everything that you host are ALL housed internally on your servers, you can make your internal domain zone name the same as your external zone name.
Say your company is yxza.com. Say someone (your ISP) hosts the external DNS for yxza.com. You can configure your internal network as yxza.com, configure a yxza.com zone in your internal DNS server, and create all the records in your internal zone to use the INTERNAL IPs of your internal servers. Configure your clients to use your internal DNS server for resolution. Configure your DNS server to use your ISP's DNS server(s) as forwarders.

This is a legitimate config. You will avoid the hassles of multiple domain configuration. All requests that originate from within your network yxza.com will NOT go out of your network; they will be sent directly to the internal server responsible for the requested resource. Your ISP's DNS server(s) will take care of requests from outside.

Hope this is not too confusing.


(in reply to ProtoCallMike)
Post #: 31
RE: DNS configuration problems - 24.Mar.2001 3:49:00 AM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
Yes, this can work. If one opts to move the DNS in-house, it is a pain to have external and internal resources in the same DNS domain. Since the internal space runs AD dynamic update and holds some sensitive information, one wouldn't want to allow external lookups on these servers. For maximum flexibility I still recommend splitting up the namespace.

Additionally, as far as resources go, it is a non-issue splitting the name. For instance, my internal domain is blah.tld, but my internet name is attrition.ws. If one wants to publish services like email, one makes an A and MX to something like stoic.attrition.ws, which really doesn't exist. After the lookup this info gets turned into an IP request; the actual request doesn't really care about the actual name after resolution. And as far as Exchange goes, one simply has to define a global policy to add attrition.ws to names it is responsible for.

But as was stated above you could share the namespace. It is up to you. It would seem this turns on what flexibility in configuration one is after.

Regards,

John


(in reply to ProtoCallMike)
Post #: 32
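The shared-namespace setup sandoka describes and the exposure jmunyan warns about, modelled in Python as an added example that is not part of any post in this thread. Only the zone name yxza.com comes from the thread; every record, address and the `PUBLISHED` set are constructed sample data, and the forwarder is modelled as a plain dictionary.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: the internal and ISP-hosted views of the zone.
ZONE = "yxza.com"
INTERNAL_VIEW = {"www.yxza.com": "10.0.0.10", "mail.yxza.com": "10.0.0.20",
                 "dc1.yxza.com": "10.0.0.5"}
EXTERNAL_VIEW = {"www.yxza.com": "203.0.113.10", "mail.yxza.com": "203.0.113.10",
                 "ftp.yxza.com": "203.0.113.30",  # hosted outside, absent inside
                 "dc1.yxza.com": "10.0.0.5"}      # internal record leaked
PUBLISHED = {"www.yxza.com", "mail.yxza.com", "ftp.yxza.com"}  # assumed intent

def in_zone(name, zone=ZONE):
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def resolve_internal(name, internal=INTERNAL_VIEW, forwarder=EXTERNAL_VIEW):
    """Answer as the internal DNS server would: authoritative for ZONE,
    forwarding only the names that fall outside it."""
    name = name.lower().rstrip(".")
    if in_zone(name):
        # Authoritative answer: a missing name is NXDOMAIN, never forwarded.
        return internal.get(name, "NXDOMAIN")
    return forwarder.get(name, "NXDOMAIN")

def audit_external_view(external=EXTERNAL_VIEW, internal=INTERNAL_VIEW,
                        published=PUBLISHED):
    """Return (name, problem) pairs for records that should not be public."""
    findings = []
    internal_addrs = set(internal.values())
    for name, addr in sorted(external.items()):
        ip = ipaddress.ip_address(addr)
        if name not in published:
            findings.append((name, "not in published set"))
        if any(ip in net for net in RFC1918) or addr in internal_addrs:
            findings.append((name, "internal address " + addr))
    return findings

def shadowed_names(external=EXTERNAL_VIEW, internal=INTERNAL_VIEW):
    """Public names that internal clients cannot resolve."""
    return sorted(n for n in external if in_zone(n) and n not in internal)

if __name__ == "__main__":
    print(resolve_internal("www.yxza.com"), resolve_internal("ftp.yxza.com"))
    print(audit_external_view())
    print(shadowed_names())
```

The `ftp.yxza.com` case shows why the shared name only works when everything is hosted internally: the internal server is authoritative for the zone, so a name it lacks is not passed to the forwarders.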
RE: DNS configuration problems - 24.Mar.2001 6:52:00 AM   
Robert Holroyd

 

Posts: 14
Joined: 25.Mar.2001
From: Fort Myers, FL, USA
Status: offline

Good thread. After pulling my hair out with this firewall for days, I am using netmask ordering on my internal DNS server. Of course, delete the (.) root if you have Active Directory active. Try multiple host addresses (A), one for internal and one for external. Check your configuration using nslookup. This setup is working for me, hope this helps.

P.S. When will we be able to form a group of TCP ports (MSN gaming zone) and publish them easily to an internal IP? I see no option for this...

Robert
DrStripe@Hotmail.com


(in reply to ProtoCallMike)
Post #: 33
RE: DNS configuration problems - 24.Mar.2001 3:12:00 PM   
kfish

 

Posts: 15
Joined: 16.Mar.2001
From: Atlanta, Ga., USA
Status: offline
This is the second post I've seen about this recently, re: MSN gaming zone. Since I've done this one (thanks for the hints on the ports), I guess I will go ahead and take some screenshots of the configuration for anyone who is interested. Tom, would you like to email me so I can send you the documents? I don't particularly want to host these documents on my server at this time.
Regards,
Chris

(in reply to ProtoCallMike)
Post #: 34
RE: DNS configuration problems - 25.Mar.2001 3:10:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kris,

Yes! That would be great. If you email me at:

tshinder@hotmail.com

with your information, I'll reformat it and send it off to Stephen to post it. I'll make sure you get attribution for it.

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to ProtoCallMike)
Post #: 35
