Thanks again for the info and patience. To clarify, I am running the "real"
DHCP and AD integrated DNS services (I am aware that DHCP is not AD
integrated, this was a grammatical misdemeanour on my behalf).
No harm -- I get very literal (picky) when troubleshooting -- it's a
conscious technique that is the biggest trick I know for becoming
a world class troubleshooter.
[Skim this quick on the first read -- I answered sequentially
without reading what you already knew/did again first. But
read the whole thing since I worked so long on it <grin>
---------------------------------------------
Here's the punchline from the bottom:
THAT's the solution right there -- delete "." and add the ISP server
in the forwarder tab forwarder address list.
---------------------------------------------
I have forward and reverse lookup zones.
Irrelevant to finding the Internet -- you might need them for internal
or external users but this is not related to your users reaching Microsoft
and Dell -- or LearnQuick.Com
The NAT, DHCP, DNS and PDC server (all the
one box) will connect to the internet and resolve host names.
This proves TWO things:
1) IP works
2) the CLIENT settings on this server are ok for reaching the
Internet (likely they are actually WRONG since it probably
needs to work on your private network.)
It may say nothing about the DNS server itself.
The clients
have their DNS address as my internal DNS server as does my Win2K server on
the LAN side.
AHA!!!! That's a clue -- pickyness helps --
What do you have on the OTHER side? You can't put different
values on two NICs and think you get BOTH -- you get (semi-randomly)
one of them.
REMOVE all other DNS addresses from the server's client settings.
Now it will fail TOO -- but that is probably a good thing because
when we fix the real problem it will work too.
The public side (ISDN NTU) is configured for server assigned
DNS address as per my ISP. An ipconfig /all indicates that the clients DNS,
DHCP and default gateway are the IP address of my servers internal
adaptor.
[You can skip this section but I am not going to erase it (due to more
info below) as it might help someone else or clarify for you what Bill
already had you do.]
This confirms what I wrote above -- but I am reading and answering
sequentially....
COPY that DNS server address -- we'll need it in a minute and
we are about to delete it. Write it down. (In a notepad and one paper
for next week.)
Go to the external NIC properties: NIC\IP where is says "Obtain an
address automatically" -- LEAVE that AS-IS.
You need the address and mask from the ISP and they will remain
GREYED out.
For DNS server (it's not grey) type in 127.0.0.1 (or the inside address
or this DNS server) -- if you ever change the "auto" setting and change
it back you will probably have to repeat this because when you CHOOSE
automatic it ERASES all the other settings (used to be a source or
support calls when NT 3.51 left them) but it still lets YOU OVERRIDE
all other settings.
NEVER do this unless you have a REASON -- we do -- we need that
server to use itself as DNS server.
Save (Ok, etc.)
If you do IPConfig you will have LOST that DNS server address
for the ISP -- but you wrote it down, right?
The server's DNS address points to itself on the LAN adaptor and to the loop
address (127.0.0.1) on the RAS adaptor. I believe that this is the
configuration that yourself and Bill have explained.
[Darn, I wish I had read this before typing all that above.]
Next we FIX the DNS server but first let me answer the
next section inline explain how to fix it....
I think that these are the issues with my system (apart from my ignorance).
a) Please clarify this. Bill states that "The default settings in NAT work
like ICS".
By default the NAT doesn't know it is ALSO a 'real' DNS server
so the check box for IT (the NAT) to answer DNS for the clients
is checked.
UNCHECK it. NAT (the server itself, not the interfaces), properties,
DNS tab -- resolve DNS for Clients.
Stop that -- you have a REAL DNS server and they are compeating
for the clients attention.
That's most of the problem right there.
I find this confusing and apologise for "not getting the
message". The default settings for ICS are to install its own integrated
DHCP and DNS "proxies", this I know. My understanding is that NAT does
exactly the opposite. It does not install its own integrated DHCP and DNS
"proxies" by default unless you go to the Address Assignment and Name
Actually I think it may only be DNS -- not DHCP but it has the feature
there for you to enable. The default for DNS is however to HELP if
asked.
The reason: DHCP is promiscuous -- clients broadcast and servers
volunteer (offer) addresses. Defaulting the DHCP server to "on" would
interfer with EXISTING DHCP servers.
DNS is passive -- the server only answers clients which specifically
ask it a question so enabling this causes few problems and most people
need it UNLESS they install their own "real" DNS (that's you and ME
TOO.)
Resolution tabs on the NAT Properties window and check the boxes marked
"Automatically assign IP addresses by using DHCP" and "Resolve IP addresses
for: Clients Using Domain Name Systems(DNS)". Obviously I don't want NAT to
run the integrated DNS and DHCP "proxies" as I have the "real" services
already configured and running.
Right, so clear both check boxes -- and NAT gets out of the way.
This is the MAIN advantage of NAT over ICS --configurability.
NAT can only do a few things that ICS can't do and most people
don't need those features.
ALMOST everything NAT can do, so can ICS.
Please advise me if I am mistaken and need
to check the aforementioned boxes in order to "turn off" the NAT integrated
DNS and DHCP services (or any other method of turning of these integrated
services).
Nope you have it right.
Ok so now let's fix the DNS server....
b) I have two sub folders at the root of my DNS forward lookups folder. The
first is . and the second is my domain name and suffix. The . lookup zone
installed by default when I configured my DNS server. Should I simply delete
this zone and its contents as suggested by Bill ?
YES -- that was configured at installation because you didn't have your
connection to the Internet (or is was inactive.)
Once it is deleted we are almost DONE -- go to the FORWARDING
tab of the server and type in that ISP DNS server address you wrote
down above.
If you lost it (before reading this) you might have to go back to the
NIC\IP and remove 127.0.0.1 (or it's address), save, ipconfig /renew,
and then put the 127.0.0.1 back.
Add the ISP address in as your forwarder. It will work.
THAT's the solution right there -- delete "." and add the ISP server
in the forwarder tab forwarder address list.
c) I have no choice other than to make my PDC the NAT server. Can I secure
this in any way?
Yes, but it is a LOT of work to be truly secure.
Prime theory of security is to remove everything you don't need ---
but a DC is repleat with listening connections on numerous ports
and you have to sweat bugs in ANY OF THOSE SERVICES,
new service packs become even more time critical, etc.
Buy a cheap $100 throwaway box and put Linix on it if you have
no other choice -- note, I don't do this, I am willing to run a Win2000
(non-DC) there and to really pay attention to it's settings -- but then I do
Windows for a living (and I sweat a lot <grin>) Or one of those little
appliance firewalls (but make sure you upgrade THEIR FIRMWARE
too.)
You can still run YOUR DNS and YOUR DHCP on the DC but
it will be INSIDE.
Want to get a feel for this? Go to the DC command prompt and type
netstat -a
This will display the ports the DC is listening on -- if that doesn't scare
you, then you might wish to volunteer for convoy truck driver duty in Iraq.
We report; you decide.
