DNS operation refused. Clarification?


John Dempsey

Set up my first w2k server network. I have two network cards, one
internal and one external. They have the following setup:

INTERNAL
Ip 100.100.100.x
Sub 255.255.255.x
Default 'IP ISP Connection'

Primary: 'ISP DNS Server IP'
Secondary 'ISP DNS Server IP'

EXTERNAL CARD
IP 'Router IP'
Subnet 'ISP Subnet'
Default: 'IP ISP'

Primary: 'ISP DNS Server IP'
Secondary: 'ISP DNS Server IP'

Now I know this is wrong and we are having time outs on the internet
access. I have a firewall between the router and the server. Where the
terms 'ISP DNS Server IP' reads in the connection details should it be
the Internal DNS server and the 'Forwarder' be the 'ISP DNS
Server'.

Any help gratefully received as I am pulling my hair out with users
and their Internet Access.

Many thanks in advance.

Regards

John
 

Steve Duff [MVP]

Assuming you have set up your server in an AD domain
then you would have real problems with this
configuration. (And as you ARE having real
problems with this configuration, I'd guess that's
the way you're set up.)

You need to point your network adapters
to the internal adapter. For "Internal" this
means that its primary DNS address is
its own IP. (I would do this for "external" also.)

You also need to make sure this is the configuration
on all workstations as well. If you use DHCP change
the DNS server IP to your local server IP (only). If you
are using static IP configurations then you have
to manually change each workstation and network
device that uses DNS.

The DNS service on your server must resolvecomputers cannot resolve AD namespace requests and you
will usually have lots of odd, random delays as a
consequence.

If you want to plug your ISPs DNS servers
in to the "forwarders" list in the DNS server, you
can. But as ISPs seem to be DNS-IP-switch-happy
these days, I'd forget them completely and just let it
use the "root hints".

There is a temptation to name your ISPs DNS
servers as secondary DNSen. Resist that temptation.
It will also cause spurious problems.

Steve Duff, MCSE
Ergodic Systems, Inc.
 

Ace Fekay [MVP]

In
Steve Duff said:
Assuming you have set up your server in an AD domain
then you would have real problems with this
configuration. (And as you ARE having real
problems with this configuration, I'd guess that's
the way you're set up.)

You need to point your network adapters
to the internal adapter. For "Internal" this
means that its primary DNS address is
its own IP. (I would do this for "external" also.)

You also need to make sure this is the configuration
on all workstations as well. If you use DHCP change
the DNS server IP to your local server IP (only). If you
are using static IP configurations then you have
to manually change each workstation and network
device that uses DNS.

The DNS service on your server must resolvecomputers cannot resolve AD namespace requests and you
will usually have lots of odd, random delays as a
consequence.

If you want to plug your ISPs DNS servers
in to the "forwarders" list in the DNS server, you
can. But as ISPs seem to be DNS-IP-switch-happy
these days, I'd forget them completely and just let it
use the "root hints".

There is a temptation to name your ISPs DNS
servers as secondary DNSen. Resist that temptation.
It will also cause spurious problems.

Steve Duff, MCSE
Ergodic Systems, Inc.


Just want to add, make sure the external NIC is in the bottom of the binding
order in Network & Dialup and Connections, Advanced menu, Advanced settings.

Cheers!


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Jonathan de Boyne Pollard

JD> Now I know this is wrong [...]

Good. (-:

JD> Where the terms 'ISP DNS Server IP' reads in the connection
JD> details should it be the Internal DNS server [?]

Yes.

<URL:http://homepages.tesco.net./~J.deBo...nt-all-proxies-must-provide-same-service.html>

JD> and [should] the 'Forwarder' be the 'ISP DNS Server'[?]

It is not specifically _recommended_. You can do it or not, at
your option. There are reasons for doing it, and disadvantages
of doing it.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ForwardingProxy>

Analyse your particular situation and determine what is actually
appropriate.
 

Ace Fekay [MVP]

In
John Dempsey said:
Thanks for all your help this really is good of you. To confirm then:

INTERNAL
Ip 100.100.100.x
Sub 255.255.255.x
Default 'IP ISP Connection' - WHAT ABOUT THE DEFAULT GATEWAY?

Primary: 'Internal DNS Server'
Secondary 'Internal DNS Server'

EXTERNAL CARD
IP 'Router IP'
Subnet 'ISP Subnet'
Default: 'IP ISP' - - WHAT ABOUT THE DEFAULT GATEWAY?

Primary: 'Internal DNS Server'
Secondary: 'Internal DNS Server'

What should the Default Gateway be on these NIC's? And how does my
clients know where to look for the ISP DNS Servers when it needs the
internet? I have ISA server configured as Web Cache only. How does
this resolve the ISP's DNS servers?

DNS is very confusing I want to read up, can anyone tell me any good
reading material also? Sorry for all the questions.

Thank you very much. It is very appreciated.

John




Jonathan de Boyne Pollard said:
Now I know this is wrong [...]

Good. (-:
Where the terms 'ISP DNS Server IP' reads in the connection
details should it be the Internal DNS server [?]
Yes.
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-client-all-proxies-must-provide-same-service.html>
and [should] the 'Forwarder' be the 'ISP DNS Server'[?]

It is not specifically _recommended_. You can do it or not, at
your option. There are reasons for doing it, and disadvantages
of doing it.
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ForwardingProxy>
Analyse your particular situation and determine what is actually
appropriate.

For any multi homed machine, there's only one default gateway. To determine
which NIC gets it, you have to ask yourself, "Which is the doorway out to
the Internet?", since the gateway points the way "out". You would put it in
the external NIC and leave the internal one blank.

If you had multiple internal subnets, then you would create a static route.
But I don't believe this applies to you.

Not knowing details about your configuration, the default gateway on the
outside NIC would either be a NAT device or the one supplied by your ISP.

Hope that helps.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
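
A check for the two settings discussed in the replies above (every adapter's DNS list pointing only at the internal DNS server, and a default gateway on only one NIC), added here as an example and not posted by anyone in the thread. The adapter names and all addresses in the sample `ipconfig /all` excerpt are constructed.

```python
import re

# Constructed `ipconfig /all` excerpt for a dual-homed server (not from the thread).
# Assumed addresses: 192.168.10.2 = internal DNS server, 198.51.100.53 = ISP resolver.
SAMPLE = """\
Ethernet adapter Internal:
        IP Address. . . . . . . . . . . . : 192.168.10.2
        Default Gateway . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.2
                                            198.51.100.53

Ethernet adapter External:
        IP Address. . . . . . . . . . . . : 203.0.113.10
        Default Gateway . . . . . . . . . : 203.0.113.9
        DNS Servers . . . . . . . . . . . : 198.51.100.53
"""

HEADER = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
TRACKED = {"Default Gateway": "gateway", "DNS Servers": "dns"}

def parse_adapters(text):
    """Return {adapter name: {"gateway": [...], "dns": [...]}}."""
    adapters, current, slot = {}, None, None
    for line in text.splitlines():
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {"gateway": [], "dns": []})
            slot = None
        elif field and current is not None:
            slot = TRACKED.get(field.group(1))
            if slot and field.group(2):
                current[slot].append(field.group(2).strip())
        elif line.strip() and current is not None and slot:
            current[slot].append(line.strip())  # continuation line: extra value for same field
    return adapters

def audit(text, internal_dns):
    """Flag the two misconfigurations discussed in the thread."""
    adapters = parse_adapters(text)
    findings = [f"{name}: DNS server {ip} is not the internal DNS server"
                for name, cfg in adapters.items() for ip in cfg["dns"]
                if ip not in internal_dns]
    with_gw = [name for name, cfg in adapters.items() if cfg["gateway"]]
    if len(with_gw) > 1:
        findings.append("default gateway set on: " + ", ".join(with_gw))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {"192.168.10.2"})))
```
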
 

Jonathan de Boyne Pollard

JD> And how does my clients know where to look for the ISP DNS
JD> Servers when it needs the internet?

Your clients do _not_ "look for the ISP DNS servers". They talk to _your_
proxy DNS server. For queries involving domain names not in your DNS server's
own database, your DNS server either performs query resolution itself or
forwards the queries on to some other server (which in turn either performs
query resolution itself or forwards the query elsewhere in its turn).

If your DNS server is configured to forward to a forwardee owned by someone
else, that forwardee is usually a proxy DNS server provided to you, its
customer, by your ISP. The reasons for using such a forwardee, and the
disadvantages of doing so, are briefly outlined on the web page whose URL I
already gave to you.

If your DNS server performs query resolution itself, your ISP's proxy DNS
server is not involved _at all_. Your DNS server pieces together the DNS
database content published by all of the (relevant) individual content DNS
servers on the rest of Internet to form the complete answers.

JD> I have ISA server configured as Web Cache only. How does
JD> this resolve the ISP's DNS servers?

Your question makes no sense. Your ISP's DNS servers are not "resolved".
Queries (against the overall distributed DNS database) are "resolved".
 

Jonathan de Boyne Pollard

JD> [...] "Detect Network Settings" [...]

My educated guess, in the absence of detail, is that this is
a DHCP Client issue, not a DNS issue. Check that DHCP is
operating properly on your LAN.

JD> Thanks for all your help and hopefully one day I will repay
JD> the favour to someone else. I guess that's the idea of these
JD> groups.

That's what some of us believe. (-:

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/now-help-others.html>
 

Ace Fekay [MVP]

In
John Dempsey said:
So the set up is confirmed and most of my PC's are fine. A few are
still not connecting and coming up with a page that has about half way
down it says "Detect Network Settings" after clicking this it works
perfectly until we close the browser and open again. You have to wait
until it times out then click the "Detect Network Settings". What
happens when this is clicked? It seems to work. I have published the
WPAD. Is this causing this problem?

I have configured the DNS Server to only serve DNS requests on the
internal card and have used a forwarder to my ISP. Didn't change the
fact though any ideas?

Should I ask this question in another group?

Thanks for all your help and hopefully one day I will repay the favour
to someone else. I guess that's the idea of these groups.

Cheers again.
John

You may want to ask this in the ISA group. I have used ISA for a long time,
but a bit rusty on it, so you would be better off with the experts over
there.

Good luck John, I'm sure it's a simple resolution.
:)


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

John Dempsey

Thanks for all your help, FYI it was the version of IE that seemed to
be the problem I have windows update all my problem machines and hey
presto fix was done.

Very weird, but some things with PC's are unexplained! :)
 
