DNS, Unix and Checkpoint Firewall

KJ-MCSE

Hi all, why would one subnet not be allowed in to get to an FTP server that is UNIX, passing through the firewall? Only XP/2000 boxes that are sub-DNS members of/domains of UNIX BIND 8.x DNS, where all subdomains use their own DNS (Active Directory integrated) and allow recursive lookups and specify reverse lookup zones for other subnets, cannot get to this FTP that is on the certain subnet. Some boxes even specify the only WINS servers that are in an NT domain that remains so that trust relationships work and the apps that are there within. This is a unique problem. Some XP/2000 boxes not joining the domain that point to the Unix DNS to begin with do not even "always" connect on that subnet. Some boxes that are joined to an AD domain do connect briefly, some don't. This is not an issue on the 98/NT side though, so it seems. Thanks in advance,
Ace Fekay [MVP]

KJ-MCSE said:
> Hi all, why would one subnet not be allowed in to get to an FTP server that is UNIX, passing through the firewall? Only XP/2000 boxes that are sub-DNS members of/domains of UNIX BIND 8.x DNS, where all subdomains use their own DNS (Active Directory integrated) and allow recursive lookups and specify reverse lookup zones for other subnets, cannot get to this FTP that is on the certain subnet. Some boxes even specify the only WINS servers that are in an NT domain that remains so that trust relationships work and the apps that are there within. This is a unique problem. Some XP/2000 boxes not joining the domain that point to the Unix DNS to begin with do not even "always" connect on that subnet. Some boxes that are joined to an AD domain do connect briefly, some don't. This is not an issue on the 98/NT side though, so it seems. Thanks in advance,

Trying to understand your post (it's one big paragraph), this sounds like a
firewall issue if the subnet is on the other side of the firewall. Check
your firewall rules.

I would also try pings to the FTP server from the machines that cannot
connect. If the ping replies, then I would try to connect by IP. If you can
connect by IP, then I would look at the way you have your DNS records
arranged.

Not sure about your infrastructure, but if the FTP is on a public network
(public IP) and your internal is a private range, then my guess is that
you're mixing public and private IP addresses. I would only point all
machines to your AD's DNS server. In that server, I would forward to the
BIND server, then from the BIND server, I would forward to your ISP. In your
AD DNS server, I would put in the actual IP addresses for your FTP server
for its A record.

This suggestion (if it applies) will serve two purposes:
1. AD will function correctly.
2. You'll get efficient Internet resolution.
3. There will be no question of what IP address your clients are connecting
to when they connect to the FTP server.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
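The ping / connect-by-IP / connect-by-name sequence in the reply above, written out as a small diagnostic. This is an added example, not code from the thread or from either poster: the FTP port, host names and addresses are assumptions for illustration, and the RFC 1918 ranges used to spot the "mixing public and private IP addresses" case are the real ones. The classification is kept separate from the live probes so it can be run on probe results recorded from the failing clients.

```python
"""Added diagnostic for 'reachable by IP but not by name' troubleshooting.
Not part of the original thread; host names, addresses and port are assumed."""
import ipaddress
import socket

FTP_PORT = 21  # FTP control port (assumed; the thread does not name a port)
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(host):
    """Live probe: IPv4 answers the client's configured resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip, port=FTP_PORT, timeout=3.0):
    """Live probe: can a TCP connection to ip:port be opened? ('connect by IP')."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_private(ip):
    """True for RFC 1918 addresses."""
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


def mixed_scope(ips):
    """True when one set of DNS answers mixes private and public addresses,
    the 'mixing public and private IP addresses' situation from the reply."""
    return any(is_private(ip) for ip in ips) and any(not is_private(ip) for ip in ips)


def diagnose(resolved, ip_connect_ok, name_connect_ok, expected_ip):
    """Pure decision logic over recorded probe results.
    resolved: DNS answers for the FTP name; expected_ip: the server's real address."""
    if not ip_connect_ok:
        return "firewall"      # even the raw IP is blocked: look at the rule base for this subnet
    if not resolved:
        return "dns-missing"   # reachable by IP, but the name does not resolve at all
    if expected_ip not in resolved:
        return "dns-record"    # name resolves, but to the wrong address (wrong A record)
    if mixed_scope(resolved):
        return "dns-mixed"     # right address present, but public and private answers mixed
    if not name_connect_ok:
        return "dns-other"     # right A record, still fails by name: suffixes, WINS, hosts file
    return "ok"


def diagnose_live(host, expected_ip):
    """Run the live probes against a real host and classify the result."""
    resolved = resolve(host)
    ip_ok = tcp_connect(expected_ip)
    name_ok = tcp_connect(resolved[0]) if resolved else False
    return diagnose(resolved, ip_ok, name_ok, expected_ip)


if __name__ == "__main__":
    # Constructed sample: the failing subnet's resolver hands out a public
    # address while the FTP server actually sits on a private one.
    print(diagnose(["203.0.113.5"], True, False, "10.20.30.40"))  # dns-record
```

Run `diagnose_live("ftp.example.internal", "10.20.30.40")` (assumed names) from a client in the failing subnet and from one in a working subnet; if the working client gets "ok" and the failing one gets "firewall", the rule base is the place to look, whereas any of the "dns-*" results points at the record or forwarder arrangement described in the reply.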