NetBIOS over TCP/IP NBDD Stopping Internet Access?

  • Thread starter: Ben
Ben said:
Yay! I've fixed the problem. You were right. Nothing to do with that DHCP
scope entry. Someone put a group policy entry in (admin template >
networking > dns client) with the internal DNS server IP, which was
overwriting the local DNS server entries!

Not really,...you only covered up the problem by abandoning the "right-way"
that only needed a little "correcting",...in favor of doing it the
"wrong-way" that simply "gets by".

The correct way is for *every* machine on the LAN/WAN (every last one of
them) to only use the AD/DNS Server and *nothing* else.

Then in the config of the AD/DNS Service you add the ISP's DNS as a
Forwarder in the Forwarders List within the DNS server's configuration. You
then have to make sure that the firewall allows the AD/DNS to make DNS
queries to the ISP's DNS.

This way:
1. All DNS Queries go to the AD/DNS first,...as it should be.
2. When the AD/DNS cannot resolve the query on its own it turns to using
the ISP's DNS to resolve the query,...as it should be.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
 
No no! That wasn't the initial problem. Internally, in the office everyone
does query the internal DNS server, which then queries the external DNS. No
one in the office queries the external DNS directly.

The initial problem was people who were external seemed to be querying the
internal DNS. For example, I went home Friday, and could not get net access.
I could ping yahoo.com by IP address, but not hostname. After running
ethereal I found that my laptop was trying to resolve yahoo.com against our
internal office DNS, via its internal office IP address. And not via my
home ISP's DNS servers.

Ben
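
A client-side check for the situation Ben describes, added here as an example and not part of the original thread: it reads the DNS server list forced by the DNS Client policy and tests whether those servers answer from the network the machine is currently on. The registry location of the policy value and the probe name `example.com` are assumptions.

```powershell
# Added example (not from the thread). Run on the affected client.
# Assumption: the Group Policy "DNS servers" setting is stored in the
# NameServer value of this key as a space-delimited list of IP addresses.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$probeName = 'example.com'   # placeholder name used only as a test query

function Test-PrivateIPv4 ([string]$Address) {
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

$policy = Get-ItemProperty -Path $policyKey -Name NameServer -ErrorAction SilentlyContinue
$forced = @()
if ($policy -and $policy.NameServer) {
    $forced = @($policy.NameServer -split '[\s,]+' | Where-Object { $_ })
}

if (-not $forced) {
    Write-Output 'No policy-forced DNS servers; each adapter uses its own DNS settings.'
} else {
    # What each connected adapter was given by DHCP, PPP or static configuration.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias,
            @{ n = 'AdapterDns'; e = { $_.ServerAddresses -join ', ' } },
            @{ n = 'DiffersFromPolicy'; e = { [bool](Compare-Object $_.ServerAddresses $forced) } } |
        Format-Table -AutoSize

    # A policy server that is private and does not answer from the current
    # network matches the failure described in the thread.
    $results = foreach ($server in $forced) {
        try {
            $null = Resolve-DnsName -Name $probeName -Server $server -DnsOnly -QuickTimeout -ErrorAction Stop
            $answers = $true
        } catch { $answers = $false }
        [pscustomobject]@{
            PolicyDns = $server
            Private   = Test-PrivateIPv4 $server
            Answers   = $answers
        }
    }
    $results | Format-Table -AutoSize
}
```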

 
Phillip Windell said:
That is what it is supposed to do. They should never query the ISP's DNS
directly. Only your AD/DNS should query the ISP's DNS, and do so only after
it could not resolve the request from its own database.

Not when they are external though, i.e. when at home, using their home ISP.
 
When you connect at home, the machine should be given the proper DNS for
that environment. DHCP enabled clients will do this, statically assigned
clients will fail. According to your IPConfig output, your machines are not
DHCP enabled and will therefore fail.

If you must use Static Assignment and cannot use DHCP then you need a
product like Netswitcher (www.netswitcher.com) to "adjust" the machine when
it is moved from one networking environment to another. If not, then you
will have to manually change the TCP/IP Configuration each time the machine
is moved from place to place.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Sure, here we go

Windows IP Configuration

Host Name . . . . . . . . . . . . : hhc9t0j
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
domain.com

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0B-DB-9C-5B-1A

PPP adapter BTopenworld:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 86.136.148.234
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 86.136.148.234
NetBIOS over Tcpip. . . . . . . . : Disabled

PPP adapter domain VPN:

Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.29
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.0.29

Why is the default gateway itself?
Surely that should be either a router or proxy of some kind.
 
Sparda said:
Why is the default gateway itself?
Surely that should be either a router or proxy of some kind.

No. The default gateway setting for a VPN client is the "received" IP.
All this really means is that the default gateway is the VPN connection
itself. Since it is a point-to-point connection, this means that all
non-local traffic is sent across the VPN link. You can alter that if you
wish. See KB 254231 for details. You probably need to clear the check box
"Use default router..".
 
Hi Ben
In Internet Explorer go to tools-Internet options and click the connections
tab. Under Lan settings make sure use a proxy server hasn't been activated.
This can kill the browser stone dead if used incorrectly.
Chelsea
 