Configuring DNS for domain controller and ISA server?


Jan

Hi

I have a small test network, one domain controller (server1) for the network
'study.local' which has 2 clients. All machines run Windows 2000/Windows
2000 Server.

In order to simulate large LANs dealing with internet access I have been
trying to add an additional PC (running Win 2000 Server) which would be a
proxy server (is that still the correct term?) to give the network clients
access to the internet. I was/am intending to add ISA 2003 to the new
machine. I've called this machine ISAServer.

However, I have got totally confused over the DNS settings.

From what I have read the domain controller, server1, should be the DNS
server. So using the DNS manager on server1 I have an entry for 'server1'
with forwarding set to study.local -> A, NS and SOA all point to server1;
the reverse lookup zone also has an entry for server1.study.local.

From what I can see the ISAServer should have 'caching DNS', which is
implemented by installing the DNS components and leaving everything
unchanged. Therefore on isaserver when I look in the DNS manager all I see
is an entry for 'isaserver' with no forwarding or zones set up.

Unfortunately it doesn't work :( when I ping www.google.com I get 'unknown
host'.

I've tried forwarding isaserver DNS to server1, and to my ISP's DNS, but
neither worked. I also tried making isaserver a member of the domain, but
that didn't seem to work either.

Can anyone tell me what I have done wrong and how to put it right?

Many thanks for any help given

J
 

Herb Martin

Jan said:
> Hi
>
> I have a small test network, one domain controller (server1) for the
> network 'study.local' which has 2 clients. All machines run Windows
> 2000/Windows 2000 Server
>
> In order to simulate large LANs dealing with internet access I have been
> trying to add an additional PC (running Win 2000 Server) which would be a
> proxy server (is that still the correct term?)

It is an (appropriate) generic term for such machines -- the
old product name was Proxy Server and the new one is ISA,
but those are just product names.
> to give the network clients access to the internet. I was/am intending to
> add ISA 2003 to the new machine. I've called this machine ISAServer.
>
> However, I have got totally confused over the DNS settings.
>
> From what I have read the domain controller, server1, should be the DNS
> server.

Yes, it must be if you are using AD directory "inside"....

Although you might also have a "caching only DNS" (no internal zones)
on the ISA server too.
> So using the DNS manager on server1 I have an entry for 'server1' with
> forwarding set to study.local -> A, NS and SOA all point to server1;
> the reverse lookup zone also has an entry for server1.study.local.

Forwarding? No, you should have a FORWARD zone.

Forwarding should likely be set to EITHER the ISA or directly
to the ISP DNS server.

A forward ZONE has regular records as you described here.
> From what I can see the ISAServer should have 'caching DNS', which is
> implemented by installing the DNS components and leaving everything
> unchanged.

"everything" here means to create NO zones. Although it might
recurse OR even be changed to forward to the ISP.
> Therefore on isaserver when I look in the DNS manager all I see is an
> entry for 'isaserver' with no forwarding or zones set up.

Sounds right.
> Unfortunately it doesn't work :( when I ping www.google.com I get 'unknown
> host'.

Did you remember to FORWARD from the internal server1 DNS to the
ISA DNS?

Can you explicitly query either server using NSLookup from the
command lines of ANY machine (clients, then server1, then ISA)?

You want to try both UNSPECIFIED servers and each possible
server to see which works and which doesn't:

nslookup www.google.com
nslookup www.google.com Server1_IP
nslookup www.google.com ISA_IP
nslookup www.google.com ISP_DNS_IP
> I've tried forwarding isaserver DNS to server1,

UGH! That would be going the wrong direction.
> and to my ISP's DNS

That's cool IF you allow this out of the ISA.
> but neither worked. I also tried making isaserver a member of the domain,
> but that didn't seem to work either.

Irrelevant but perhaps useful in its own right.
> Can anyone tell me what I have done wrong and how to put it right?

Forgot to FORWARD from internal DNS to ISA. OR neglected to
allow the DNS request in/out of the ISA.

But mainly you didn't test systematically (and show results) using
DNS specific tools like NSlookup.
> Many thanks for any help given

You should also show your actual IPConfig from the problem
machines AND the ISA server....

Ipconfig /all
 

Jan

Hi

I appreciate the help, I seem to be going in circles and they are not seemingly
decreasing!

Last night in an attempt to re-create an earlier working environment I
changed the isaserver from being part of the domain to being part of
'workgroup', now I get errors when trying to be part of the domain again :(

I also worked through the isaserver settings for the connection's TCP/IP
properties, DNS and DHCP settings, setting them all back to the original
values as per instructions.

I set the server1 forwarders to 10.10.1.99 (isaserver) as you suggested.

I do seem to be able to ping google again! :) but in my client if I set the
LAN option and the proxy server settings I still get a page saying about DNS
errors :(

I'm still learning about networks so I didn't know about nslookup :(

I have done the nslookups you suggest, not sure why I get the domain doesn't
exist errors, or how to proceed? Any further help is much appreciated :)

Here is what I get:
from server1:

ipconfig /all shows:
ip config
host name: server1
primary dns suffix: study.local
dns suffix search list study.local
Local adapter
DHCP Enabled: NO (I have disabled it and transferred authority to
isaserver)
ip address 10.10.1.1
subnet 255.0.0.0
default gateway 'blank'
dns server 10.10.1.1

nslookup www.google.com 10.10.1.1
***Cant find server name for address 10.10.1.1: non existant domain
server: unknown
address: 10.10.1.1
Non Autherative answer:
name: www.l.google.com
Address: 216.239.59.104 (and a whole bunch more)
Aliases: www.google.com

nslookup www.google.com 10.10.1.99
***Cant find server name for address 10.10.1.99: non existant domain
server: unknown
address: 10.10.1.99
Non Autherative answer:
name: www.l.google.com
Address: 216.239.59.104 (and a whole bunch more)
Aliases: www.google.com

nslookup www.google.com 195.92.195.94 (apparently my isp's dns server)
***Cant find server name for address 195.92.195.94: no responce from
server
server: unknown
address: 195.92.195.94

***unknown cant find www.google.com : no reponse from server

From my ISA server I get:
ipconfig /all shows:
ip config
host name: isaserver
primary dns suffix: study.local
dns suffix search list study.local
ethernet adapter on local connection
DHCP enabled: no
ip address 10.10.1.1
subnet 255.0.0.0
default gateway 'blank'
dns server 10.10.1.1


nslookup www.google.com 10.10.1.1
***Cant find server name for address 10.10.1.1: non existant domain
server: unknown
address: 10.10.1.1
Non Autherative answer:
name: www.l.google.com
Address: 216.239.59.104 (and a whole bunch more)
Aliases: www.google.com

nslookup www.google.com 10.10.1.99
***Cant find server name for address 10.10.1.99: non existant domain
server: unknown
address: 10.10.1.99
Non Autherative answer:
name: www.l.google.com
Address: 216.239.59.104 (and a whole bunch more)
Aliases: www.google.com

nslookup www.google.com 195.92.195.94 (apparently my isp's dns server)
server: resolver1.svr.pol.co.uk
address: 195.92.195.94
Non Autherative answer:
name: www.l.google.com
Address: 216.239.59.104 (and a whole bunch more)
Aliases: www.google.com



From my client pc I get:

ipconfig /all shows:
ip config
host name: pc2
primary dns suffix: study.local
dns suffix search list study.local
Local adapter
DHCP Enabled: yes
ip address 10.10.1.2
subnet 255.0.0.0
default gateway 'blank'
dhcp server: 10.10.1.99
dns server 10.10.1.1

nslookup www.google.com 10.10.1.1
***Cant find server name for address 10.10.1.1: non existant domain
server: unknown
address: 10.10.1.1
Non Autherative answer:
name: www.l.google.com
Address: 216.239.59.104 (and a whole bunch more)
Aliases: www.google.com

nslookup www.google.com 10.10.1.99
***Cant find server name for address 10.10.1.99: non existant domain
server: unknown
address: 10.10.1.99
Non Autherative answer:
name: www.l.google.com
Address: 216.239.59.104 (and a whole bunch more)
Aliases: www.google.com

nslookup www.google.com 195.92.195.94 (apparently my isp's dns server)
***Cant find server name for address 195.92.195.94: no responce from
server
server: unknown
address: 195.92.195.94
***unknown cant find www.google.com : no reponse from server
 

Herb Martin

Jan said:
> Hi
>
> I appreciate the help, I seem to be going in circles and they are not
> seemingly decreasing!

Stop. Just stop that.
> Last night in an attempt to re-create an earlier working environment I
> changed the isaserver from being part of the domain to being part of
> 'workgroup', now I get errors when trying to be part of the domain again
> :(

Likely flailing -- and you cannot use the ISA to give different privileges
(net access) to Domain users based on ID or group.
> I also worked through the isaserver settings for the connection's TCP/IP
> properties, DNS and DHCP settings, setting them all back to the original
> values as per instructions.
>
> I set the server1 forwarders to 10.10.1.99 (isaserver) as you suggested.

That is one choice. For this to work, you should be able to go to
Server1 command line and Nslookup (something on the Internet)
by using 10.10.1.99 explicitly:

nslookup www.google.com 10.10.1.99

If this works then server1 CAN use ISA to resolve the Internet AND
ISA can in fact resolve the Internet.

If this fails, then one of those is (part of) the problem.
> I do seem to be able to ping google again! :) but in my client if I set
> the LAN option and the proxy server settings I still get a page saying
> about DNS errors :(

"If I set the LAN option" -- What specifically do you mean?

Are you having trouble getting web pages in your browser when
it is set to use the Proxy/ISA server AND yet able to resolve the names
using DNS (nslookup)?

If so that is almost certainly an ISA (as a security server) issue unless
you have messed up the Client (IE) proxy settings.
> I'm still learning about networks so I didn't know about nslookup :(

That should be :) -- you learned something that is GENERALLY useful,
not just useful in this specific case.

> I have done the nslookups you suggest, not sure why I get the domain
> doesn't exist errors, or how to proceed? Any further help is much
> appreciated :)
>
> Here is what I get:
> from server1:
>
> ipconfig /all shows:

You didn't copy and paste in the text but typed it in yourself -- don't
do that -- YOUR idea of what is important or any errors you
introduce just confuse the problem.
> ip config
> host name: server1
> primary dns suffix: study.local
> dns suffix search list study.local
> Local adapter
> DHCP Enabled: NO (I have disabled it and transferred authority to
> isaserver)

What does that ("I have disabled...") mean? 'DHCP Enabled: NO' means
that this CLIENT is not a DHCP client.
> ip address 10.10.1.1
> subnet 255.0.0.0

Odd choice for subnet mask but legal, and possibly correct.
> default gateway 'blank'

Wrong UNLESS you don't want the DC (server1) to EVER
visit the Internet (except for proxy controlled things, so you
might actually use this.) More common would be to use the
ISA address here too.
> dns server 10.10.1.1
Correct.

> nslookup www.google.com 10.10.1.1
> ***Cant find server name for address 10.10.1.1: non existant domain

These reverse "errors" are ENTIRELY BOGUS artifacts of the
way that NSLookup operates --- IGNORE THESE if you get your
'actual question answered' such as down below....
> server: unknown
> address: 10.10.1.1
> Non Autherative answer:
> name: www.l.google.com
> Address: 216.239.59.104 (and a whole bunch more)
> Aliases: www.google.com

Name resolution works. You don't have an apparent DNS issue for
the Internet using ISA.
> nslookup www.google.com 10.10.1.99
> ***Cant find server name for address 10.10.1.99: non existant domain
> server: unknown
> address: 10.10.1.99
> Non Autherative answer:
> name: www.l.google.com
> Address: 216.239.59.104 (and a whole bunch more)
> Aliases: www.google.com

Name resolution works. You don't have an apparent DNS issue for
the Internet using itself (server1) either.
> nslookup www.google.com 195.92.195.94 (apparently my isp's dns server)
> ***Cant find server name for address 195.92.195.94: no responce from
> server
> server: unknown
> address: 195.92.195.94
>
> ***unknown cant find www.google.com : no reponse from server

This makes sense and means your DC (server1) cannot access the ISP
DIRECTLY but must use the ISA -- which is probably the RIGHT thing
to do.
> From my ISA server I get:
> ipconfig /all shows:
> ip config
> host name: isaserver
> primary dns suffix: study.local
> dns suffix search list study.local
> ethernet adapter on local connection
> DHCP enabled: no
> ip address 10.10.1.1
> subnet 255.0.0.0
> default gateway 'blank'

Odd. This should be set on the external interface to point to the ISP
ROUTER.
> dns server 10.10.1.1

Oddly enough, this should be set to Server1 IF you want ISA to be
a member of the domain (and be able to fully use its security.)

VERY few people understand this very tricky point.
> nslookup www.google.com 10.10.1.1
> ***Cant find server name for address 10.10.1.1: non existant domain
> server: unknown
> address: 10.10.1.1
> Non Autherative answer:
> name: www.l.google.com
> Address: 216.239.59.104 (and a whole bunch more)
> Aliases: www.google.com

Things are working for DNS.
> nslookup www.google.com 10.10.1.99
> ***Cant find server name for address 10.10.1.99: non existant domain
> server: unknown
> address: 10.10.1.99
> Non Autherative answer:
> name: www.l.google.com
> Address: 216.239.59.104 (and a whole bunch more)
> Aliases: www.google.com

Means it will work even if you change the DNS setting to
point to the INTERNAL DNS (server1) as I suggested above.
> nslookup www.google.com 195.92.195.94 (apparently my isp's dns server)
> server: resolver1.svr.pol.co.uk
> address: 195.92.195.94
> Non Autherative answer:
> name: www.l.google.com
> Address: 216.239.59.104 (and a whole bunch more)
> Aliases: www.google.com

Fine. Means we can get directly to the ISP from the ISA but that
was pretty much a given since everything else was already shown to
work.
> From my client pc I get:
>
> ipconfig /all shows:
> ip config
> host name: pc2
> primary dns suffix: study.local
> dns suffix search list study.local
> Local adapter
> DHCP Enabled: yes
> ip address 10.10.1.2
> subnet 255.0.0.0
> default gateway 'blank'
> dhcp server: 10.10.1.99
> dns server 10.10.1.1
>
> nslookup www.google.com 10.10.1.1
> ***Cant find server name for address 10.10.1.1: non existant domain
> server: unknown
> address: 10.10.1.1
> Non Autherative answer:
> name: www.l.google.com
> Address: 216.239.59.104 (and a whole bunch more)
> Aliases: www.google.com
>
> nslookup www.google.com 10.10.1.99
> ***Cant find server name for address 10.10.1.99: non existant domain
> server: unknown
> address: 10.10.1.99
> Non Autherative answer:
> name: www.l.google.com
> Address: 216.239.59.104 (and a whole bunch more)
> Aliases: www.google.com
>
> nslookup www.google.com 195.92.195.94 (apparently my isp's dns server)
> ***Cant find server name for address 195.92.195.94: no responce from
> server
> server: unknown
> address: 195.92.195.94
> ***unknown cant find www.google.com : no reponse from server

DNS works. Don't mess with DNS except perhaps to have the ISA
use the Internal DNS (server1) as I suggested above.
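Herb's per-server nslookup checks above, and his point that the 'Can't find server name for address' line is only nslookup's failed reverse lookup of the server you named, as an added example that is not from this thread: a small Python resolver check that sends one A query straight to a chosen server (server1 at 10.10.1.1, the ISA at 10.10.1.99, or the ISP resolver) and reduces the reply to one comparable line. The sample packet embedded in it is constructed to match the answer Jan posted, and the function names are my own.

```python
import socket
import struct
# Constructed sample answer (not captured from the thread's lab): www.google.com -> CNAME www.l.google.com -> A 216.239.59.104
SAMPLE_OK = bytes.fromhex("1234818000010002000000000377777706676f6f676c6503636f6d0000010001c00c000500010000012c000803777777016cc010c02c000100010000012c0004d8ef3b68")

def build_query(name, qtype=1, txid=0x1234):
    """The recursive A query that 'nslookup name server_ip' sends to server_ip."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer into an earlier part of the message
            end = end if jumped else off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
        elif ln == 0:
            return ".".join(labels), (end if jumped else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse_response(msg):
    """Return (rcode, cnames, addresses); rcode 3 is NXDOMAIN, nslookup's 'non-existent domain'."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    cnames, addrs, off = [], [], 12  # answers collected; parsing starts after the 12-byte header
    for _ in range(qd):  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:  # CNAME record: what nslookup prints as 'Aliases'
            cnames.append(_read_name(msg, off)[0])
        elif rtype == 1:  # A record: what nslookup prints as 'Address'
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, cnames, addrs

def verdict(rcode, cnames, addrs):
    """One comparable line per server, the thing to line up across server1, ISA and the ISP."""
    if rcode == 3:
        return "non-existent domain"
    if rcode or not addrs:
        return "no usable answer (rcode=%d)" % rcode
    return "ok %s%s" % (", ".join(addrs), " (alias of %s)" % cnames[0] if cnames else "")

def ask(server_ip, name, timeout=3.0):
    # Like 'nslookup name server_ip', minus nslookup's own PTR lookup of server_ip (its failure is harmless)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no response from server"  # what nslookup reports for a server it cannot reach
    return verdict(*parse_response(data))
```

Run ask(server_ip, "www.google.com") once per candidate server from the same machine; the verdicts, not the reverse-lookup noise, are what to compare.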
 

Jan

Hi
Thanks for the detailed explanations, it has really helped my understanding
of things, especially the purpose of nslookup, and it helped me get the DNS
set up :)

Not sure why I didn't get webpages though, I went into Tools -> Internet
Options -> Connections -> LAN Settings, checked the 'use proxy server' option and then
tried both the IP of the ISA server and the server's name, both on port
8080, but both showed the DNS error web page.

Things are more confused as when I install the ISA server software I can't
access the internet at all on the clients. I think I'm tracking that down to
the fact that the ISA software throws up lots of events on starting saying that
there is an error. That's what I'm working on overcoming at the moment. I
hadn't realised, but when I went on the monitoring part of the ISA console,
nothing was running and nothing would start......

At least I don't think it's a DNS problem anymore :)

Thanks again for the help

J
 

Kevin D. Goodknecht Sr. [MVP]

Jan said:
> Hi
> Thanks for the detailed explanations, it has really helped my
> understanding of things, especially the purpose of nslookup, and it
> helped me get the DNS set up :)
>
> Not sure why I didn't get webpages though, I went into Tools ->
> Internet Options -> Connections -> LAN Settings, checked the 'use proxy server'
> option and then tried both the IP of the ISA server and the server's
> name, both on port 8080, but both showed the DNS error web page.
>
> Things are more confused as when I install the ISA server software I
> can't access the internet at all on the clients. I think I'm tracking
> that down to the fact that the ISA software throws up lots of events on
> starting saying that there is an error. That's what I'm working on
> overcoming at the moment. I hadn't realised, but when I went on the
> monitoring part of the ISA console, nothing was running and nothing
> would start......
>
> At least I don't think it's a DNS problem anymore :)
>
> Thanks again for the help



One thing I notice is that none of your machines has a default gateway. The
ISA server needs a gateway and the server with DNS needs a gateway.
Your clients do not necessarily need a gateway if you use proxies for the
web browser and email client. But other applications that don't use proxies
will need a gateway. The DNS server machine may not need a gateway if it has
a forwarder on its own subnet and you have "Do not use recursion" selected
on the forwarders tab. However, if this is not checked it will need a
gateway assigned so it can find the door out to the internet to get to the
root servers.
The ISA machine would most assuredly need a gateway that points to the
router. Remember, the default gateway is like an exit sign pointing the way
out.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 

Jan

Hi

I didn't think any of the machines needed a gateway as I was connecting
using a USB Modem. From the various documentation concerning ISA this seemed
ok. I thought the gateway address was the address of the network adapter
connected to the router?

Thanks again for any help
J
 

Kevin D. Goodknecht Sr. [MVP]

Jan said:
> Hi
>
> I didn't think any of the machines needed a gateway as I was
> connecting using a USB Modem. From the various documentation
> concerning ISA this seemed ok. I thought the gateway address was the
> address of the network adapter connected to the router?

The gateway address would be the IP of the router. We would be able to tell
more about it if you would show your unedited ipconfig /all from ISA.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
 