DNS problem - Server can see internet, client can't


Rob Gibbens

I'm setting up my home network (again), and I've run into a problem. I have

SERVER
Windows 2k3
DHCP
DNS
2 NICS

Routing and Remote Access is set to use NAT
External NIC is set to DHCP from the ISP
Internal NIC is set to...
IP Address = 192.168.1.2
Subnet = 255.255.255.0
DNS = <none>
Gateway = <none>

DNS Server..
does NOT have a root zone
has forwarders using my ISP's DNS servers
has 2 forward lookup zones (the default zones)
has 0 reverse lookup zones
forwarders are using only the internal interface

CLIENT
Windows XP
1 NIC
NIC is set to..
IP Address = 192.168.1.4
DNS = 192.168.1.2 (Server)
Subnet = 255.255.255.0
Gateway = 192.168.1.2 (Server)

The problem is that the Server can get to the internet just fine, but the
client can not. The client can connect to the server, join the domain,
browse server files, etc, but can not resolve internet addresses. I think
this has to do with a misconfigured DNS Server on the Server machine, but I
don't know what it is. Any help out there?
 

Kevin D. Goodknecht

In
Rob Gibbens said:
I'm setting up my home network (again), and I've run into a problem.
I have

SERVER
Windows 2k3
DHCP
DNS
2 NICS

Routing and Remote Access is set to use NAT
External NIC is set to DHCP from the ISP
Internal NIC is set to...
IP Address = 192.168.1.2
Subnet = 255.255.255.0
DNS = <none>
Gateway = <none>

DNS Server..
does NOT have a root zone
has forwarders using my ISP's DNS servers
has 2 forward lookup zones (the default zones)
has 0 reverse lookup zones
forwarders are using only the internal interface

CLIENT
Windows XP
1 NIC
NIC is set to..
IP Address = 192.168.1.4
DNS = 192.168.1.2 (Server)
Subnet = 255.255.255.0
Gateway = 192.168.1.2 (Server)

The problem is that the Server can get to the internet just fine, but
the client can not. The client can connect to the server, join the
domain, browse server files, etc, but can not resolve internet
addresses. I think this has to do with a misconfigured DNS Server
on the Server machine, but I don't know what it is. Any help out
there?

All NICs on the server should point to the private address for DNS, even the
one to the ISP.

Have you tried nslookup on the client or server to verify it is DNS?

On the Advanced tab of DNS "Disable recursion" checked?

Are the Root Hint servers resolved?

From the client can you ping the internet gateway address?

Post back with an ipconfig /all from the server with the connection open to
the ISP.
 

Patrick Wong

Can the clients ping to some external address? Try to confirm that this is a
DNS issue first.
 

Herb Martin

CLIENT
Windows XP
1 NIC
NIC is set to..
IP Address = 192.168.1.4
DNS = 192.168.1.2 (Server)
Subnet = 255.255.255.0
Gateway = 192.168.1.2 (Server)

The problem is that the Server can get to the internet just fine, but the
client can not. The client can connect to the server, join the domain,
browse server files, etc, but can not resolve internet addresses. I think
this has to do with a misconfigured DNS Server on the Server machine, but I
don't know what it is. Any help out there?

Is the "Server" a router? Specifically is it the router to the Internet?

Let's assume it is (from your description this seems likely) -- what happens
when you use a name and ping vs. a number and ping from the client?

If the name resolves, but the address is still unreachable then what happens
when you tracert that address?

Use a destination that still answers pings (www.yahoo.com still works.)

Do you have any type of firewall implemented on the DNS-server-router?
Routing and Remote Access is set to use NAT
External NIC is set to DHCP from the ISP
Internal NIC is set to...
IP Address = 192.168.1.2
Subnet = 255.255.255.0
DNS = <none>
Gateway = <none>

Generally you should manually OVERRIDE the DNS setting on such
servers (received from the ISP DHCP). Set it to 127.0.0.1 since it is
also your DNS server for internal purposes.

Otherwise the DNS server will not be able to resolve internal names.
 

Ace Fekay [MVP]

In
Herb Martin said:
Generally you should manually OVERRIDE the DNS setting on such
servers (received from the ISP DHCP). Set it to 127.0.0.1 since it is
also your DNS server for internal purposes.

Herb, not to disagree, but the loopback is generally not advisable to set as
DNS. Besides, the GUI won't let you anyway. When the loopback shows up as the
DNS address, DCPROMO set it during the initial promotion process if the IP
wasn't set to itself before running DCPROMO. The loopback can cause some
issues with it besides it not being a valid IP address.

There was a discussion about a year ago concerning this among the group
participants and IIRC, Lee Thomas [MVP] and Jeff Westhead [MSFT] and William
Stacey [MVP] were all involved too, and we've all come to the conclusion that
the actual IP should be set.

There's a few articles concerning not using the loopback.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q254715&

Q172060 - NSLOOKUP Can't Find Server Name for Address 127.0.0.1 -another
good reason not to use the loopback:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q172060&

There was another one too, but I can't seem to find it, but they both do
mention not to use it and if DCPROMO set it, change it to the actual IP.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Rob Gibbens

Ok, I got it setup. You were right, I was able to ping the name of Yahoo
from the client, and the DNS came back valid, but no response from Yahoo.
So, I was getting DNS correctly. I went back into my Routing and Remote
Access and removed it, and then re-enabled it with only NAT configured.
This immediately solved the problem. Thanks to everyone for their help
 

Ace Fekay [MVP]

In
Rob Gibbens said:
I'm setting up my home network (again), and I've run into a problem.
I have

SERVER
Windows 2k3
DHCP
DNS
2 NICS

Routing and Remote Access is set to use NAT
External NIC is set to DHCP from the ISP
Internal NIC is set to...
IP Address = 192.168.1.2
Subnet = 255.255.255.0
DNS = <none>
Gateway = <none>

DNS Server..
does NOT have a root zone
has forwarders using my ISP's DNS servers
has 2 forward lookup zones (the default zones)
has 0 reverse lookup zones
forwarders are using only the internal interface

CLIENT
Windows XP
1 NIC
NIC is set to..
IP Address = 192.168.1.4
DNS = 192.168.1.2 (Server)
Subnet = 255.255.255.0
Gateway = 192.168.1.2 (Server)

The problem is that the Server can get to the internet just fine, but
the client can not. The client can connect to the server, join the
domain, browse server files, etc, but can not resolve internet
addresses. I think this has to do with a misconfigured DNS Server
on the Server machine, but I don't know what it is. Any help out
there?

Once you've set the DNS server on the external NIC to the internal DNS'
actual IP (as Kevin mentioned), and you've moved the internal NIC to the
top of the Binding order (in Net & Dialup Properties/Advanced menu/Adv
settings) and under interface tab (in DNS properties) to only listen to the
internal NIC, then it should work.

If you continue to have problems, I would take a look at the EDNS0 settings,
which is a new feature supported in W2k3. That new feature allows UDP
packets greater than 512 for queries instead of reverting to TCP, as has
been used. Many DNS servers in place don't follow this (if they
haven't been updated) and firewalls generally don't follow it if you created
a rule called "DNS" under their pre-defined settings/templates that most
firewalls may give you. Follow this article on how to disable it and see if
that helps you out:

Using Extension Mechanisms for DNS (EDNS0):
http://www.microsoft.com/technet/tr...proddocs/standard/sag_DNS_imp_EDNSsupport.asp


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
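As an added illustration of the EDNS0 point above (my own example, not code from the thread or from Microsoft): an EDNS0-capable resolver advertises its UDP buffer size in the CLASS field of an OPT pseudo-record appended to the query, which is exactly what an older server or a firewall "DNS" template that assumes every DNS datagram fits in 512 bytes does not expect. The query name, the query ID and the 4096-byte size are constructed sample values.

```python
"""Build a DNS A query with and without an EDNS0 OPT record and read the
advertised UDP payload size back out of the wire bytes (RFC 2671 layout)."""
import struct
from typing import Optional

QUERY_ID = 0x1234   # constructed, fixed so the packets are deterministic
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.yahoo.com' as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, edns_udp_size: Optional[int] = None) -> bytes:
    """Recursive A query; with edns_udp_size set, append an OPT pseudo-record
    in the additional section that advertises that UDP payload size."""
    arcount = 1 if edns_udp_size is not None else 0
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    pkt = struct.pack(">HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS field = UDP payload size,
        # TTL field = extended RCODE/version/flags (all zero), RDLENGTH=0.
        pkt += b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the name that starts at off."""
    while pkt[off] != 0:
        if pkt[off] & 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + pkt[off]
    return off + 1


def advertised_udp_size(pkt: bytes) -> Optional[int]:
    """Return the EDNS0 UDP payload size a query advertises, or None when it
    carries no OPT record (a classic client limited to 512-byte UDP answers)."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4              # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        if rtype == TYPE_OPT:
            return rclass                          # CLASS field holds the size
        off += 10 + rdlen
    return None
```

Running `advertised_udp_size` over a capture of the failing client's queries tells you whether they carry OPT at all; a firewall that only passes "plain" DNS will pass the 512-byte form and drop larger responses to the EDNS0 form.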
 

Carmen

That is exactly the same issue...

The DNS settings are set to the IP of the SERVER not to
the Internet, Disable Recursion is checked. I haven't tried
nslookup. The server has no problem accessing the
internet or the company's IP addresses.
for example:
2000 server
ip: 192.17.5.29
subnet: 255.255.255.224
default gateway:192.168.1.1 (isp)
primary dns server:192.17.5.29

dns
forwarder:192.16.1.28

clients PC's
Win2000
ip:192.17.5.20
subnet:255.255.255.224
default gateway:192.17.52.29 server address
dns:192.16.1.28

98's
ip:192.17.5.21
subnet 255.255.255.224
default gateway:192.17.52.29

When I try to ping the internet gateway I receive request
timed out.
If its possible can you tell me how the DNS should exactly
be setup for this scenario.


Thank you for your help!!!
 

Herb Martin

Herb, not to disagree, but the loopback is generally not advisable to set
as
DNS. Besides, the GUI won't let you anyway. When the loopback shows up as the
DNS address, DCPROMO set it during the initial promotion process if the IP
wasn't set to itself before running DCPROMO. The loopback can cause some
issues with it besides it not being a valid IP address.

If it isn't a good idea, then you SHOULD disagree with me <grin>.

I don't actually do that but rather use the INTERNAL IP address for the
external DNS server NIC settings -- but I didn't feel like writing all that
out and just used 127.0.0.1 since Microsoft's install programs frequently
set this as the value.
There was a discussion about a year ago concerning this among the group
participants and IIRC, Lee Thomas [MVP] and Jeff Westhead [MSFT] and William
Stacey [MVP] were all involved too, and we've all come to the conclusion that
the actual IP should be set.

The key point is to OVERRIDE the setting from an EXTERNAL DHCP server.
 

Enkidu

Once you've set the DNS server on the external NIC to the internal DNS'
actual IP (as Kevin mentioned), and you've moved the internal NIC to the
top of the Binding order (in Net & Dialup Properties/Advanced menu/Adv
settings) and under interface tab (in DNS properties) to only listen to the
internal NIC, then it should work.
Hi Ace et al,

I'm not sure why there is a recommendation to set the *Internal* DNS
IP address on the *external* interface.

What would it be used for? An incoming packet does not need to know
the internal DNS, and the server has no need to look up (reverse
lookup, I presume) the DNS for an incoming packet. In general stuff
that happens in relation to the external NIC has no need of the
internal DNS, surely?

I must be missing something.

Cheers,

Cliff
 

Kevin D. Goodknecht

In
Enkidu said:
Hi Ace et al,

I'm not sure why there is a recommendation to set the *Internal* DNS
IP address on the *external* interface.

What would it be used for? An incoming packet does not need to know
the internal DNS, and the server has no need to look up (reverse
lookup, I presume) the DNS for an incoming packet. In general stuff
that happens in relation to the external NIC has no need of the
internal DNS, surely?

I must be missing something.

Cheers,

Cliff

It will attempt to register its addresses in whatever DNS server it is
pointing to. If it is a DC it will also attempt to register blank records
for its addresses even if you uncheck "Register this connection's addresses
in DNS" on the DNS tab.
To stop this behavior you have to make the registry entry below, but
doing that you have to manually add the blank records for the ones you must
have.
To disable only the registration of the local IP addresses, set the
following registry value:
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Value: LdapIpAddress

After you set this value, you must manually register your privately
available IP addresses for your domain to appear as:
Same as parent folder Host "privateIP"
 

Ace Fekay [MVP]

In
Herb Martin said:
If it isn't a good idea, then you SHOULD disagree with me <grin>.

Just as I thought!
:)

I don't actually do that but rather use the INTERNAL IP address for
the external
DNS server NIC settings -- but I didn't feel like writing all that
out and just used 127.0.0.1
since Microsoft's install programs frequently set this as the value.
There was a discussion about a year ago concerning this among the
group participants and IIRC, Lee Thomas [MVP] and Jeff Westhead
[MSFT] and William Stacey [MVP] were all involved too, and we've all
come to the conclusion that the actual IP should be set.

The key point is to OVERRIDE the setting from an EXTERNAL DHCP server.

You got it. *Never* use an ISP's DNS.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Ace Fekay [MVP]

In
Kevin D. Goodknecht said:
In

It will attempt to register its addresses in whatever DNS server it is
pointing to. If it is a DC it will also attempt to register blank
records for its addresses even if you uncheck "Register this
connection's addresses in DNS" on the DNS tab.
To stop this behavior you have to make the registry entry below,
but doing that you have to manually add the blank records for the
ones you must have.
To disable only the registration of the local IP addresses, set the
following registry value:
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Value: LdapIpAddress

After you set this value, you must manually register your privately
available IP addresses for your domain to appear as:
Same as parent folder Host "privateIP"

Actually it'll be easier if you disable it just on the external interface.
The above just kills the LdapIpAddress, but not the interface's A record. I
find it to be a PITA (pain in the butt) because the GC shows up as two
entries, one internal and one external. If a client happens to get the
external one with a query, then it can't find it if this server is not
performing NAT and can cause errors with logons, etc. If NAT, it will be
able to find it since it's treated as a public IP.

Here's more info on killing just that interface altogether and leaving the
internal one alone. Need to identify the external interface in the reg
first:
246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations:
http://support.microsoft.com/?id=246804

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Marina Roos

Hi Carmen,

The DNS on the clients should point to the server-IP.
Got options 003, 006, 015, 044 and 046 (0x8) set in DHCP-server, Scope
options? Got WINS installed on the server?

Marina
 

Herb Martin

I'm not sure why there is a recommendation to set the *Internal* DNS
IP address on the *external* interface.

What would it be used for? An incoming packet does not need to know
the internal DNS, and the server has no need to look up (reverse
lookup, I presume) the DNS for an incoming packet. In general stuff
that happens in relation to the external NIC has no need of the
internal DNS, surely?

Yes, you are missing the way "client DNS" settings are used. No lookups
are done on an "interface specific" basis.

If you set the external and internal interface DNS server settings to
different values you are just configuring your machine to be unreliable at
lookups -- to give different results based on current performance and
whichever NIC happens to be the FIRST one.

A gateway machine that PARTICIPATES in an internal network, especially
a DC acting as a router must act like any other internal machine and first
check the internal DNS.

Just like any other machine the internal DNS will use forwarding to resolve
external names (or do actual recursion through its own "root hints".)
 

Enkidu

In

Actually it'll be easier if you disable it just on the external interface.
The above just kills the LdapIpAddress, but not the interface's A record. I
find it to be a PITA (pain in the butt) because the GC shows up as two
entries, one internal and one external. If a client happens to get the
external one with a query, then it can't find it if this server is not
performing NAT and can cause errors with logons, etc. If NAT, it will be
able to find it since it's treated as a public IP.

Here's more info on killing just that interface altogether and leaving the
internal one alone. Need to identify the external interface in the reg
first:
246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations:
http://support.microsoft.com/?id=246804
Hi Ace, Kevin et al,

The problem is the dynamic registration of addresses in the DNS? Why
not then just set the DNS entries in the NIC configs to some
fictitious DNS server that doesn't exist? The server will attempt to
register its address and fail and that's it. Or will it periodically
try to register?

Cheers,

Cliff
 

Kevin D. Goodknecht

In
Enkidu said:
Hi Ace, Kevin et al,

The problem is the dynamic registration of addresses in the DNS? Why
not then just set the DNS entries in the NIC configs to some
fictitious DNS server that doesn't exist? The server will attempt to
register its address and fail and that's it. Or will it periodically
try to register?

Cheers,

Cliff

It will try to register every two hours by the Netlogon service. If it
cannot register its addresses it will log 5774s and/or 5775s.
Why not point it to its private address?

Unless you have ISA with DNS on a DC, then you have to disable
registrations.
292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
Controller
with Routing and Remote Access and DNS Installed
http://support.microsoft.com/default.aspx?scid=kb;en-us;292822&FR=1
 

Ace Fekay [MVP]

In
Kevin D. Goodknecht said:
It will try to register every two hours by the Netlogon service.

Just want to point out that in W2k, the netlogon service registers every 60
minutes. W2k3 was changed to every 24 hours.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Enkidu

It will try to register every two hours by the Netlogon service. If it
cannot register its addresses it will log 5774s and/or 5775s.
Why not point it to its private address?

Unless you have ISA with DNS on a DC, then you have to disable
registrations.
292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
Controller
with Routing and Remote Access and DNS Installed
http://support.microsoft.com/default.aspx?scid=kb;en-us;292822&FR=1
Thanks guys!

Cheers,

Cliff
 