W2K DC trying to remote for DNS lookup

J T

I have a W2K AD domain with two DC's, each running DNS (standard
primary on one, standard secondary on the other), set up with the
ISP's DNS as forwarders. Both machines appear to be functioning
nominally, DDNS is working, zone updates are working, forwarded
lookups are working and cached properly.

However (you knew this was coming right?), both DC's occasionally try
to go outside the LAN (via our Proxy Server) to resolve their own FQDN
names. The Winsock Proxy log shows that Dfssvc.exe and lsass.exe are
attempting to GHBN through the Proxy.

Any ideas on this?
(And a sanity check on my DNS setup would be welcome also)

Here's the ipconfig /all for both DC's. bkpdc is the primary DNS,
bkhs is secondary. There is no default gateway as internet access is
through MS Proxy 2.0. I'll be switching to ISA soon and set them up
as secure NAT clients.
==============================================================================
==============================================================================
C:\WINNT\Profiles\Administrator>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : bkpdc
Primary DNS Suffix . . . . . . . : bishopkenny.lan
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bishopkenny.lan

Ethernet adapter Team #0: Adaptive Load Balancing Mode:

Connection-specific DNS Suffix . : bishopkenny.lan
Description . . . . . . . . . . . : Intel(R) Advanced Network
Services Virtual Adapter
Physical Address. . . . . . . . . : 00-07-E9-06-57-B4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.1.1
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.1.1
10.0.1.5
Primary WINS Server . . . . . . . : 10.0.1.11

===============================================================================
===============================================================================

C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : bkhs
Primary DNS Suffix . . . . . . . : bishopkenny.lan
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bishopkenny.lan

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : bishopkenny.lan
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100
PCI TX NIC (3C905B-TX)
Physical Address. . . . . . . . . : 00-10-5A-F4-E6-51
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.1.5
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.1.1
10.0.1.5
Primary WINS Server . . . . . . . : 10.0.1.11
Secondary WINS Server . . . . . . : 10.0.1.11
=================================================================================
=================================================================================
 
Kevin D. Goodknecht [MVP]

In J T <ReplyToGroupPle@se> posted a question
Then Kevin replied below:

Your ipconfig's look OK.
Disable the DNS proxy, let your DNS servers resolve all DNS queries. You
don't need a DNS proxy if you have DNS servers.
It is probably another machine using the proxy to resolve your DC's
addresses.
 
J T


There's no option to not route the DNS lookups to the forwarders/root
servers via the proxy server. It is our only link to the internet.
The DNS lookups themselves are not proxied in the traditional sense
(i.e., the proxy server is not doing the DNS lookups, it is only
passing the lookups to the forwarders I have setup or to the root
servers).

Also, the requests in question are in fact coming from the two DC's.

Examples:
10.0.1.1:lsass.exe is looking for bkpdc.bishopkenny.lan (itself) via
winsock proxy (i.e., somewhere on the internet). It can resolve itself
fine with ping (both FQDN and NetBIOS name) and nslookup returns
correct info when server is set to itself.

Same thing happens with 10.0.1.5, the other DC, and with Dfssvc.exe on
both DC's.

Any more ideas?

Thx,
J T
 
Kevin D. Goodknecht [MVP]

In J T <ReplyToGroupPle@se> posted a question
Then Kevin replied below:
:
: Examples:
: 10.0.1.1:lsass.exe is looking for bkpdc.bishopkenny.lan (itself) via
: winsock proxy (i.e., somewhere on the internet). It can resolve itself
: fine with ping (both FQDN and NetBIOS name) and nslookup returns
: correct info when server is set to itself.

Lsass.exe is Netlogon; it is trying to register its addresses. I feel as if
you have your proxy improperly configured and this is not a DNS problem. It
is a proxy problem. I can't tell you what is wrong, but it is wrong. If you
have to, remove the winsock proxy and give it a gateway.

:
: Same thing happens with 10.0.1.5, the other DC, and with Dfssvc.exe on
: both DC's.

This is the Distributed File system trying to replicate the SYSVOL share
with the other DC.
Can you not disable the Winsock proxy?
It will cause problems. I use Wingate, which gives me the option to disable
their Wingate Client, which is just another type of Winsock proxy. You can't
run a Winsock proxy on a DC; it interferes with too many services.
You will have problems with Winlogon and other programs too if you don't
disable the Winsock proxy. They'll end up maxing out the CPU's too.
 
J T

Comments inline:

In J T <ReplyToGroupPle@se> posted a question
Then Kevin replied below:
:
: Examples:
: 10.0.1.1:lsass.exe is looking for bkpdc.bishopkenny.lan (itself) via
: winsock proxy (i.e., somewhere on the internet). It can resolve itself
: fine with ping (both FQDN and NetBIOS name) and nslookup returns
: correct info when server is set to itself.

Lsass.exe is Netlogon; it is trying to register its addresses. I feel as if
you have your proxy improperly configured and this is not a DNS problem. It
is a proxy problem. I can't tell you what is wrong, but it is wrong. If you
have to, remove the winsock proxy and give it a gateway.

There is no gateway. The only way to the internet is via the proxy.
I could disable the winsock proxy client on the DC but then there'd be
no DNS lookups outside the LAN.
:
: Same thing happens with 10.0.1.5, the other DC, and with Dfssvc.exe on
: both DC's.

This is the Distributed File system trying to replicate the SYSVOL share
with the other DC.

But it's not looking for the other DC, it's looking for itself. And
replication is working fine. There's no spurious traffic from one DC
to the other trying to go out the proxy, only from each DC to itself.

Can you not disable the Winsock proxy?

See above.

It will cause problems. I use Wingate, which gives me the option to disable
their Wingate Client, which is just another type of Winsock proxy. You can't
run a Winsock proxy on a DC; it interferes with too many services.
You will have problems with Winlogon and other programs too if you don't
disable the Winsock proxy. They'll end up maxing out the CPU's too.

I'm not having any other problems. No error messages, just the weird
traffic with the DC's trying to find themselves.

I guess I'll fire up NetMon tomorrow and snoop around.

Thx,
J T
 
Kevin D. Goodknecht [MVP]

In J T <ReplyToGroupPle@se> posted a question
Then Kevin replied below:

:
: I'm not having any other problems. No error messages, just the weird
: traffic with the DC's trying to find themselves.
:
That is because the Winsock proxy is listening for DNS requests on port 53,
as long as the Winsock is listening for DNS requests it is going to respond.
This as I said is not a DNS issue but it is a Winsock proxy issue. I have
tried what you are doing and it won't work.
The Winsock proxy and the DNS server cannot both listen on port 53 on the
same IP address.
 
J T

Not sure why you think the Winsock proxy CLIENT is listening for DNS
requests. It's not a service nor does it intercept incoming requests.

It's working fine now. I had forgotten to update the
"LocalDomains=..." line in the mspclnt.ini file when I migrated to
W2K.

Thanks for trying though.

J T
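
The fix reported above, as an added example that is not part of the original thread: a check of whether a domain controller's own FQDN is covered by the `LocalDomains=` line, since names outside that list are handed to the proxy for resolution. The `[Common]` section name, the comma-separated suffix format, the suffix-matching rule and the `oldnt4domain.example` placeholder are assumptions; the DC names come from the thread.

```python
import configparser

# Constructed sample: a client mspclnt.ini carried over from before the
# migration. Assumption: LocalDomains lives in [Common] and holds a
# comma-separated list of DNS suffixes. The old domain is a placeholder.
SAMPLE_INI = """\
[Common]
LocalDomains=.oldnt4domain.example
"""

# The same file after adding the AD domain's DNS suffix (constructed).
FIXED_INI = SAMPLE_INI.replace(
    ".oldnt4domain.example", ".oldnt4domain.example,.bishopkenny.lan"
)

# FQDNs of the two DCs, taken from the ipconfig output in the thread.
DC_NAMES = ["bkpdc.bishopkenny.lan", "bkhs.bishopkenny.lan"]


def local_domains(ini_text, section="Common"):
    """Return the normalised suffixes listed on the LocalDomains= line."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    raw = cp.get(section, "LocalDomains", fallback="")
    return [d.strip().lower().strip(".") for d in raw.split(",") if d.strip()]


def is_local(fqdn, suffixes):
    """True when fqdn equals a listed suffix or ends with '.<suffix>'."""
    name = fqdn.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def names_sent_to_proxy(ini_text, fqdns):
    """FQDNs not covered by LocalDomains, i.e. treated as remote names."""
    suffixes = local_domains(ini_text)
    return [n for n in fqdns if not is_local(n, suffixes)]


if __name__ == "__main__":
    print("stale ini :", names_sent_to_proxy(SAMPLE_INI, DC_NAMES))
    print("fixed ini :", names_sent_to_proxy(FIXED_INI, DC_NAMES))
```

Any internal name this check reports would leave the LAN as a lookup request, which matches the proxy log entries for lsass.exe and Dfssvc.exe described earlier in the thread.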
 
