Joe Wu [MSFT]
Dear Jeff,
Thank you for your update.
I have performed further research and I suspect it is an SMB signing issue.
Please check the event log to see if there are other errors, such as event
1030. If so, we can try a hotfix mentioned in the following Knowledge Base
article:
810907 Error Messages When You Open or Copy Network Files on Windows XP SP1
http://support.microsoft.com/?id=810907
Please contact Microsoft Product Support Services to obtain the hotfix. To
obtain the phone numbers for specific technology request please take a look
at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
NOTE: If you contact Microsoft to obtain this fix, a fee may be initially
applied. However, this fee is refundable if it is determined that you
require only the requested fix. On the other hand, this fee is
non-refundable if you request additional technical support.
However, if the problem still persists, since it is not related to the
original issue (DNS forward issue), I would like to suggest that you post
this question in a dedicated news group for Windows XP:
microsoft.public.windowsxp.general
I hope the problem can be resolved quickly.
Once again, thank you for using our news groups!
Regards,
Joe Wu
Product Support Services
Microsoft Corporation
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|From: "Jeff Smyrski" <[email protected]>
|Subject: Re: Conditional Forwarding Not Available
|Date: Fri, 3 Oct 2003 12:59:46 -0400
|Newsgroups: microsoft.public.win2000.dns
|
|I looked at this article, too 314494, but there is no EnableDFS in the
|registry under Mup.
|
|I added the value and left its setting at 0
|This did not matter
|
|Looking at the error it seems that it is related to
|\\DOMAINNAME.COM\SYSVOL\domainname.com...etc...etc
|
|The folder exists, but if I attempt to browse to it from the machine
|generating the error, I either get file can not be found, or a permissions
|error if I just try to browse to the SYSVOL folder, all the while doing this
|as admin.
|
|On the other hand, if I do the same thing from my workstation, as me, a
|member of admins, I can get to the file no prob. It almost seems that even
|though I am logging into the domain, I am not getting the permissions to do
|anything on it...
|
|Currently I am reinstalling XP from scratch using the restore CD for this
|machine, but not the HP Restore Plus feature, I will just install XP myself
|instead of letting HP's CD do it.
|
|Related to the SYSVOL, if I look at the properties of the folder there is a
|DFS tab, but for both domain controllers the Status for active says NO from
|this machine, and checking the status says unreachable. But again if I do
|it from my XP workstation as me, I get the Backup DC as active and both
|check out okay.
|
|Any ideas...
|
|Jeff Smyrski
|
|
|> Dear Jeff,
|>
|> Thank you for your reply.
|>
|> I am glad to hear that the DNS forwarder issue has been resolved. Regarding
|> the 1058 Event on the Windows XP client, it seems it is not a DNS problem.
|> You may try the solution mentioned in the following Knowledge Base article
|> first to see if it works:
|>
|> 314494 Group Policies Are Not Applied The Way You Expect; "Event ID 1058"
|> and
|> http://support.microsoft.com/?id=314494
|>
|> By the way, I have checked the ISA thread you mentioned. Currently an
|> engineer is performing research on that issue and will get back to you
|> soon.
|>
|> If you have any other concerns, please feel free to let me know. I will do
|> my best to help you.
|>
|> Thanks!
|>
|> Regards,
|> Joe Wu
|> Product Support Services
|> Microsoft Corporation
|>
|> Get Secure! - www.microsoft.com/security
|>
|> ====================================================
|> When responding to posts, please "Reply to Group" via your newsreader so
|> that others may learn and benefit from your issue.
|> ====================================================
|> This posting is provided "AS IS" with no warranties, and confers no rights.
|>
|> --------------------
|> |From: "Jeff Smyrski" <[email protected]>
|> |Subject: Re: Conditional Forwarding Not Available
|> |Date: Thu, 2 Oct 2003 16:26:21 -0400
|> |Newsgroups: microsoft.public.win2000.dns
|> |
|> |Well, before trying these steps, the forwarders began to work. I am not
|> |really sure, why, but I did change the Gateway to be the firewall, although
|> |this did not seem to matter, last night.
|> |
|> |This morning, I was able to perform a NSLOOKUP using the local DNS server,
|> |and it forwarded the request as expected.
|> |
|> |I then removed the ISP's DNS entries in the Proxy's NIC that points to the
|> |firewall. So that the only entry that remains is my internal DNS server
|> |entry.
|> |
|> |Everything seems to be working fine now, and the Netlogon 5774 error at the
|> |Proxy has not shown up in 7 hours...so this is good.
|> |
|> |HOWEVER - On my new XP machines I am still getting the following errors of
|> |which I thought might be solved with this DNS error, as if it can't find
|> |the server, the path does exist, but it seems to be related to the Proxy
|> |Client that is installed on the machine. By the way I posted on the
|> |ISA.Configuration board 3 days ago and nobody has replied...I thought as a
|> |technet subscriber, I am guaranteed a response. Thanks.
|> |
|> |Jeff Smyrski
|> |
|> |Event Type: Error
|> |Event Source: Userenv
|> |Event Category: None
|> |Event ID: 1058
|> |Date: 10/2/2003
|> |Time: 10:20:07 AM
|> |User: NT AUTHORITY\SYSTEM
|> |Computer: STATION_120
|> |Description:
|> |Windows cannot access the file gpt.ini for GPO
|> |CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=BANKOFUTICA,DC=COM.
|> |The file must be present at the location
|> |<\\BANKOFUTICA.COM\sysvol\BANKOFUTICA.COM\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
|> |(The network path was not found. ). Group Policy processing aborted.
|> |
|> |> Dear Jeff,
|> |>
|> |> Thank you for your reply.
|> |>
|> |> By default, the DNS server sends queries to other DNS servers using User
|> |> Datagram Protocol (UDP) port 53. However, this can be customized by
|> |> adjusting registry entries.
|> |>
|> |> To narrow down the problem's scope, please check the following:
|> |>
|> |> 1. Please install DNS and configure a zone for the domain on your proxy
|> |> server. Add the ISP DNS servers to the proxy server's forwarder and then
|> |> change the local TCP/IP settings to only use itself as the Preferred DNS.
|> |> Check if the forwarder works on this server.
|> |>
|> |> If the problem still occurs on this server, I think we need to check the
|> |> firewall settings to check if the DNS query packets are blocked.
|> |>
|> |> 2. Please check if the following registry entries exist on the two servers:
|> |>
|> |> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
|> |> Value Name: SendPort
|> |> Value type: REG_DWORD
|> |>
|> |> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
|> |> Value Name: SendOnNonDnsPort
|> |> Data Type : REG_DWORD
|> |>
|> |> Thank you for your time and efforts!
|> |>
|> |> Regards,
|> |> Joe Wu
|> |> Product Support Services
|> |> Microsoft Corporation
|> |>
|> |> Get Secure! - www.microsoft.com/security
|> |>
|> |> ====================================================
|> |> When responding to posts, please "Reply to Group" via your newsreader so
|> |> that others may learn and benefit from your issue.
|> |> ====================================================
|> |> This posting is provided "AS IS" with no warranties, and confers no rights.
|> |>
|> |> --------------------
|> |> |From: "Jeff Smyrski" <[email protected]>
|> |> |Subject: Re: Conditional Forwarding Not Available
|> |> |Date: Wed, 1 Oct 2003 16:01:02 -0400
|> |> |Newsgroups: microsoft.public.win2000.dns
|> |> |
|> |> |I made the change you suggested, and made the gateway of the DNS server to
|> |> |be the Firewall IP. I left Proxy as is, since this should not matter. Keep
|> |> |in mind that the DNS server does have the Proxy Client installed on it, so
|> |> |that it can go out the Proxy for web related matters such as Windows Update.
|> |> |The Proxy does not have Proxy Client installed on it...for obvious reasons.
|> |> |
|> |> |The DNS server, is only allowed to go out I think it is port 53 UDP not TCP.
|> |> |Only the Proxy Server has the rights in the firewall rules to go out for all
|> |> |other defined ports.
|> |> |
|> |> |After doing all of that, the DNS server still can not resolve a DNS name
|> |> |outside of the domain, using the NSLOOKUP when it defaults to the localhost
|> |> |127.0.0.1 address.
|> |> |
|> |> |If I type server at the nslookup prompt, and enter 216.238.0.10 the IP of
|> |> |the ISP DNS server, I can resolve all I want, it even returns the name of
|> |> |the server, no prob.
|> |> |
|> |> |I MUST be missing something with these forwarders...it should work but does
|> |> |not!
|> |> |
|> |> |Do you know, or are you sure that the NSLOOKUP is using UDP where as the
|> |> |Forwarders are using TCP?
|> |> |
|> |> |Please let me know.
|> |> |
|> |> |Jeff Smyrski
|> |> |
|> |> |> Dear Jeff,
|> |> |>
|> |> |> Thank you for your updates.
|> |> |>
|> |> |> Since the gateway on the DNS server is set to point to the proxy server,
|> |> |> the DNS query packets cannot be routed to the external DNS servers (ISP DNS
|> |> |> servers). However, the DNS query packets can be sent to the external DNS
|> |> |> from the proxy server, as the gateway of the proxy server itself is set to
|> |> |> the Firewall.
|> |> |>
|> |> |> This should be the reason why the DNS forward does not work. Please go to
|> |> |> the DNS server and change the gateway from the proxy server to the Firewall
|> |> |> to see if the problem can be resolved.
|> |> |>
|> |> |> In the meantime, I think your ISA upgrade should work (generally, we leave
|> |> |> the internal NIC's "Default gateway" blank on ISA server). You can get more
|> |> |> information from the following Knowledge Base article:
|> |> |>
|> |> |> 323387 HOW TO: Connect Your Company to the Internet by Using an ISA Firewall
|> |> |> http://support.microsoft.com/?id=323387
|> |> |>
|> |> |> Please let me know if anything is unclear. Thanks!
|> |> |>
|> |> |> Regards,
|> |> |> Joe Wu
|> |> |> Product Support Services
|> |> |> Microsoft Corporation
|> |> |>
|> |> |> Get Secure! - www.microsoft.com/security
|> |> |>
|> |> |> ====================================================
|> |> |> When responding to posts, please "Reply to Group" via your newsreader so
|> |> |> that others may learn and benefit from your issue.
|> |> |> ====================================================
|> |> |> This posting is provided "AS IS" with no warranties, and confers no rights.
|> |> |>
|> |> |> --------------------
|> |> |> |From: "Jeff Smyrski" <[email protected]>
|> |> |> |Subject: Re: Conditional Forwarding Not Available
|> |> |> |Date: Tue, 30 Sep 2003 08:56:31 -0400
|> |> |> |Newsgroups: microsoft.public.win2000.dns
|> |> |> |
|> |> |> |I do have a Proxy Server, it is currently generating Netlogon errors every 4
|> |> |> |hours in the system log event id 5774. I suspect that the issue is a dns
|> |> |> |problem. The Proxy 2.0 server is currently uni-homed, but will soon be
|> |> |> |upgraded to ISA server with 2 NICs. In my model currently it looks like
|> |> |> |this.
|> |> |> |
|> |> |> | Proxy Server - Behind Firewall with an Internal Interface on my
|> |> |> |backbone. The gateway of the Proxy is pointing to the Firewall. (As opposed
|> |> |> |to all other machines including my internal DNS server, they are all
|> |> |> |pointing to the Proxy as the gateway.)
|> |> |> | Proxy's NIC is configured with 3 DNS entries, the first (top of the
|> |> |> |list) is the internal DNS server, the next are the two ISP DNS servers.
|> |> |> |This is where I was attempting to remove the DNS entries for the ISP and
|> |> |> |move them to the Forwarders section of the Internal DNS server, but I can't
|> |> |> |get my DNS server to resolve names when I do this.
|> |> |> |
|> |> |> | The internal DNS server also has one NIC, pointing to the Proxy for a
|> |> |> |gateway, with one DNS entry 127.0.0.1 (itself)
|> |> |> |
|> |> |> | If I try an nslookup at my workstation using my DNS server (by default)
|> |> |> |it looks like this.
|> |> |> |
|> |> |> |Microsoft Windows XP [Version 5.1.2600]
|> |> |> |(C) Copyright 1985-2001 Microsoft Corp.
|> |> |> |
|> |> |> |C:\Documents and Settings\jeff smyrski>nslookup
|> |> |> |Default Server: bofu2000.bankofutica.com
|> |> |> |Address: 192.168.1.13
|> |> |> |
|> |> |> |> www.cnn.com
|> |> |> |Server: bofu2000.bankofutica.com
|> |> |> |Address: 192.168.1.13
|> |> |> |
|> |> |> |DNS request timed out.
|> |> |> | timeout was 2 seconds.
|> |> |> |*** Request to bofu2000.bankofutica.com timed-out
|> |> |> |>
|> |> |> |
|> |> |> | If I go to the DNS server I get the same error, but I can tell the DNS
|> |> |> |server to use another IP, and it seems to be able to resolve the address,
|> |> |> |even after the ipconfig /flushdns command (just to make sure)
|> |> |> |
|> |> |> |In the future, I want to make this model work using an ISA server
|> |> |> |(multi-homed) behind a firewall.
|> |> |> |
|> |> |> | ISA Server NIC#1 - Remains the same, pointing to the Firewall as its
|> |> |> |gateway, but only has the two ISP DNS server entries in it.
|> |> |> |
|> |> |> | ISA Server NIC#2 - (New NIC Card, with new IP, will become gateway IP
|> |> |> |for workstations. The actual Gateway of this NIC would either be blank or
|> |> |> |the IP of the External NIC not sure on that one)
|> |> |> | (Only one DNS entry would be associated
|> |> |> |with this NIC, and it would be the Internal DNS server)
|> |> |> |
|> |> |> | DNS Server NIC - Change Gateway to be the new IP of the new ISA NIC#2
|> |> |> |also remove the Forwarder entries in DNS.
|> |> |> |
|> |> |> |NOTE - The Proxy server soon to be ISA server is also a DC for Active
|> |> |> |Directory, and I will be leaving this the same.
|> |> |> |
|> |> |> |Let me know if this will work, and / or how I can improve it?
|> |> |> |Thanks
|> |> |> |Jeff Smyrski
|> |> |> |
|> |> |> |
|> |> |> |> nltest /dsregdns was added in W2k3. In W2k a quick way to get the same
|> |> |> |> effect is: net stop netlogon & net start netlogon
|> |> |> |>
|> |> |> |> Try launching nslookup, then setting server=<ip address of your DNS server>,
|> |> |> |> and then try to resolve some name.
|> |> |> |> If you can resolve records that are on the DNS server, you could try the
|> |> |> |> same thing from your DNS server, but use the IP address of your ISP to make
|> |> |> |> sure that they are resolving the name.
|> |> |> |>
|> |> |> |> nslookup will default to the "dns server" as defined in your TCP/IP
|> |> |> |> settings.
|> |> |> |>
|> |> |> |> Do you have a proxy server in this setup? If so, where, and how is it
|> |> |> |> configured?
|> |> |> |>
|> |> |> |> --
|> |> |> |> Michael Snyder
|> |> |> |> Active Directory Admin Tool Test
|> |> |> |>
|> |> |> |> This posting is provided "AS IS" with no warranties, and confers no rights.
|> |> |> |>
|> |> |> |> > ipconfig /flushdns was performed this completed...
|> |> |> |> >
|> |> |> |> > I removed the 2 ISP DNS entries from the NIC and left only the Internal DNS
|> |> |> |> > server in the list.
|> |> |> |> > I bounced the DNS client service as well
|> |> |> |> >
|> |> |> |> > I used the ipconfig /flushdns at the DNS server this completed.
|> |> |> |> > The DNS has two entries in the Forwarders tab of the DNS server properties,
|> |> |> |> > both are for the ISP server.
|> |> |> |> >
|> |> |> |> > I then ran nslookup at the command prompt, it returned Default Server
|> |> |> |> > 127.0.0.1
|> |> |> |> > I entered www.cnn.com
|> |> |> |> >
|> |> |> |> > It timed out after 2 seconds, server could not be found.
|> |> |> |> >
|> |> |> |> > I then tried an attempt to connect via the web, but IE just hangs looking
|> |> |> |> > for a way to resolve the URL.
|> |> |> |> >
|> |> |> |> > Please help! Arrg
|> |> |> |> >
|> |> |> |> > BTW the nltest does not have a /DSREGDNS option only a /DSDEREGDNS option.
|> |> |> |> >
|> |> |> |> > Jeff Smyrski
|> |> |> |> >
|> |> |> |> > > Changes like this do not require reboots on the DNS server, however, you may
|> |> |> |> > > need to:
|> |> |> |> > > ipconfig /flushdns on clients to flush the dns client cache
|> |> |> |> > > ipconfig /registerdns on clients to make them re-register their A records
|> |> |> |> > > nltest /dsregdns on DCs to make them re-register their SRV records
|> |> |> |> > >
|> |> |> |> > > --
|> |> |> |> > > Michael Snyder
|> |> |> |> > > Active Directory Admin Tool Test
|> |> |> |> > >
|> |> |> |> > > This posting is provided "AS IS" with no warranties, and confers no rights.
|> |> |> |> > >
|> |> |> |> > > > Additional Info:
|> |> |> |> > > >
|> |> |> |> > > > I added the ISP DNS entries in the 2K3 Snap in, then looked at the 2K
|> |> |> |> > > > snap in, and the checkbox was checked, and the two entries were present.
|> |> |> |> > > > Here is what I just tried.
|> |> |> |> > > >
|> |> |> |> > > > With the two ISP entries present as forwarders, I removed the same entries
|> |> |> |> > > > from the DNS tab on the Proxy Server, and only left the DNS server IP
|> |> |> |> > > > present. I then attempted from my client to resolve CNN.COM it will not go.
|> |> |> |> > > > I did not reboot or anything, I just made the changes, do changes like this
|> |> |> |> > > > require reboots, or DNS start stop to make not only the forwarders to be
|> |> |> |> > > > effective but also the NIC DNS registration?
|> |> |> |> > > >
|> |> |> |> > > > Thanks
|> |> |> |> > > > Jeff Smyrski
|> |> |> |> > > >
|> |> |> |> > > > > Dear Jeff,
|> |> |> |> > > > >
|> |> |> |> > > > > Thank you for your post.
|> |> |> |> > > > >
|> |> |> |> > > > > Actually, it is normal that there is a "." zone in the Cached Lookups
|> |> |> |> > > > > folder and it does not affect the forward/root hint functions. We do not
|> |> |> |> > > > > need to delete it, if there is no "." zone in the Forward Lookups Zones
|> |> |> |> > > > > folder.
|> |> |> |> > > > >
|> |> |> |> > > > > I think that you have already removed the "." zone (in the Forward Lookups
|> |> |> |> > > > > Zones) before and this is why the "DNS_ERROR_ZONE_DOES_NOT_EXIST" error
|> |> |> |> > > > > appears.
|> |> |> |> > > > >
|> |> |> |> > > > > To be honest, the "Conditional Forwarding is Not Available Because this
|> |> |> |> > > > > Server is a Downlevel Server" is a bit strange because "Conditional
|> |> |> |> > > > > Forwarding" is a new feature of Windows Server 2003.
|> |> |> |> > > > >
|> |> |> |> > > > > On my lab, I used Windows Server 2003 DNS Management Snap-In to connect to
|> |> |> |> > > > > another "Windows 2000" DNS server, and in the Forwarders tab, I saw the
|> |> |> |> > > > > message "Conditional Forwarding is Not Available Because this Server is a
|> |> |> |> > > > > Downlevel Server".
|> |> |> |> > > > >
|> |> |> |> > > > > However, please note that I can still enable a regular forwarder, although
|> |> |> |> > > > > the sentence makes it sound like forwarding isn't available at all.
|> |> |> |> > > > >
|> |> |> |> > > > > Did you configure DNS in this way? Please try to add a regular forwarder to
|> |> |> |> > > > > see if it works.
|> |> |> |> > > > >
|> |> |> |> > > > > However, if you cannot add a regular DNS forwarder, please let me know more
|> |> |> |> > > > > about your network topology. For example, are you using a Windows Server
|> |> |> |> > > > > 2003 domain? Is the DNS server a Windows 2000 Server? And how did you
|> |> |> |> > > > > install DNS?
|> |> |> |> > > > >
|> |> |> |> > > > > If you want, please also send the following to me at (e-mail address removed):
|> |> |> |> > > > >
|> |> |> |> > > > > 1. A screenshot of the Forwarders tab as well as screenshots of any error
|> |> |> |> > > > > messages you encounter.
|> |> |> |> > > > > 2. All related Event Logs.
|> |> |> |> > > > >
|> |> |> |> > > > > Thank you and have a nice day!
|> |> |> |> > > > >
|> |> |> |> > > > > Regards,
|> |> |> |> > > > > Joe Wu
|> |> |> |> > > > > Product Support Services
|> |> |> |> > > > > Microsoft Corporation
|> |> |> |> > > > >
|> |> |> |> > > > > Get Secure! - www.microsoft.com/security
|> |> |> |> > > > >
|> |> |> |> > > > > ====================================================
|> |> |> |> > > > > When responding to posts, please "Reply to Group" via your newsreader so
|> |> |> |> > > > > that others may learn and benefit from your issue.
|> |> |> |> > > > > ====================================================
|> |> |> |> > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
|> |> |> |> > > > >
|> |> |> |> > > > > --------------------
|> |> |> |> > > > > |From: "Jeff" <[email protected]>
|> |> |> |> > > > > |Subject: Conditional Forwarding Not Available
|> |> |> |> > > > > |Date: Thu, 25 Sep 2003 15:34:09 -0400
|> |> |> |> > > > > |Newsgroups: microsoft.public.win2000.dns
|> |> |> |> > > > > |
|> |> |> |> > > > > |In harmony with KB 229840 I attempted to delete the . root dns entry using
|> |> |> |> > > > > |the dnscmd /ZoneDelete . /DsDel but received an error
|> |> |> |> > > > > |DNS_ERROR_ZONE_DOES_NOT_EXIST 9601 (00002581)
|> |> |> |> > > > > |
|> |> |> |> > > > > |If I look at the DNS Console I only see a . (root) entry in the cached
|> |> |> |> > > > > |lookups and my regular domain is in the Forward Lookups.
|> |> |> |> > > > > |
|> |> |> |> > > > > |When I choose properties, and click on the Forwarders tab, (which is not
|> |> |> |> > > > > |grayed out) there is a message displayed that says: "Conditional Forwarding
|> |> |> |> > > > > |is Not Available Because this Server is a Downlevel Server" and there is no
|> |> |> |> > > > > |option to enable forwarders.
|> |> |> |> > > > > |
|> |> |> |> > > > > |This machine connects to a Proxy Server which is behind a firewall. The
|> |> |> |> > > > > |proxy server has one NIC and has three entries for DNS, one is the DNS
|> |> |> |> > > > > |server mentioned above and the other two are the ISP Public DNS servers. I
|> |> |> |> > > > > |am interested in removing the 2 ISP entries so that I can eliminate some
|> |> |> |> > > > > |possible event errors such as 5774. But in order to do this, my clients all
|> |> |> |> > > > > |point to the Proxy (client installed) so the Proxy would look to the DNS
|> |> |> |> > > > > |server to resolve a name, but I don't think I have something right so that I
|> |> |> |> > > > > |can enable Forwarding to ISP DNS servers.
|> |> |> |> > > > > |
|> |> |> |> > > > > |How can I make this work.
|> |> |> |> > > > > |
|> |> |> |> > > > > |Thanks
|> |> |> |> > > > > |Jeff Smyrski
|
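An added example, not part of the original thread: one way to check for the SMB signing mismatch suspected in the reply at the top, written in Python. It parses `reg query` output captured from the client's LanmanWorkstation\Parameters key and the domain controller's LanmanServer\Parameters key and applies the SMB1 signing negotiation rules; the two registry dumps are constructed samples, and treating an absent value as 0 is an assumption.

```python
import re

# Real registry locations of the SMB signing switches:
#   client side: HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
#   server side: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
# Both keys use the value names EnableSecuritySignature / RequireSecuritySignature.

_DWORD = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {lowercased value name: int} for each REG_DWORD line of `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = _DWORD.match(line)
        if match:
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def signing_policy(values):
    """Collapse the two switches into 'required', 'enabled', 'disabled' or 'unknown'."""
    require = values.get("requiresecuritysignature")
    enable = values.get("enablesecuritysignature")
    if require is None and enable is None:
        return "unknown"          # neither value captured: do not guess a default
    if require:                   # assumption: a single missing value counts as 0
        return "required"
    return "enabled" if enable else "disabled"


def negotiate(client, server):
    """SMB1 outcome for a client policy / server policy pair."""
    if "unknown" in (client, server):
        return "unknown"
    if (client, server) in (("disabled", "required"), ("required", "disabled")):
        return "fails"            # one side insists on signing, the other refuses it
    if "disabled" in (client, server):
        return "unsigned"
    return "signed"               # both enabled, or one requires and the other allows


def diagnose(client_dump, server_dump):
    """Evaluate a client dump against a server dump and report the outcome."""
    client = signing_policy(parse_reg_query(client_dump))
    server = signing_policy(parse_reg_query(server_dump))
    return {"client": client, "server": server, "outcome": negotiate(client, server)}


# Constructed sample: workstation with signing switched off on the client side.
XP_CLIENT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    enableplaintextpassword	REG_DWORD	0x0
    enablesecuritysignature	REG_DWORD	0x0
    requiresecuritysignature	REG_DWORD	0x0
"""

# Constructed sample: the same workstation with client-side signing allowed.
XP_CLIENT_FIXED = XP_CLIENT.replace(
    "enablesecuritysignature\tREG_DWORD\t0x0", "enablesecuritysignature\tREG_DWORD\t0x1")

# Constructed sample: domain controller that requires signed SMB sessions.
DC_SERVER = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    enablesecuritysignature    REG_DWORD    0x1
    requiresecuritysignature    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for label, dump in (("as found", XP_CLIENT), ("signing enabled", XP_CLIENT_FIXED)):
        print(label, diagnose(dump, DC_SERVER))
```

A "fails" outcome means the client cannot open an SMB session to the share at all, which is consistent with the SYSVOL path errors in event 1058; "unsigned" means the session works but without integrity protection.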
Thank you for your update.
I have performed further research and I suspected it is a SMB sign issue.
Please check the event log to see if there are other errors such as 1030
event. If so, we can try a hotfix mentioned in the following Knowledge Base
article:
810907 Error Messages When You Open or Copy Network Files on Windows XP SP1
http://support.microsoft.com/?id=810907
Please contact Microsoft Product Support Services to obtain the hotfix. To
obtain the phone numbers for specific technology request please take a look
at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
NOTE: If you contact Microsoft to obtain this fix, a fee may be initially
applied. However, this fee is refundable if it is determined that you
require only the requested fix. On the other hand, this fee is
non-refundable if you request additional technical support.
However, if the problem still persists, since it is not related to the
original issue (DNS forward issue), I would like to suggest that you post
this question in a dedicated news group for Windows XP:
microsoft.public.windowsxp.general
I hope the problem can be resolved quickly.
Once again, thank you for using our news groups!
Regards,
Joe Wu
Product Support Services
Microsoft Corporation
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|From: "Jeff Smyrski" <[email protected]>
|References: <[email protected]>
<dhuumP#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
|Subject: Re: Conditional Forwarding Not Available
|Date: Fri, 3 Oct 2003 12:59:46 -0400
|Lines: 820
|X-Priority: 3
|X-MSMail-Priority: Normal
|X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|Message-ID: <[email protected]>
|Newsgroups: microsoft.public.win2000.dns
|NNTP-Posting-Host: bankofutica-gate-line-r.bankofutica.com 216.230.225.242
|Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
|Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.dns:27288
|X-Tomcat-NG: microsoft.public.win2000.dns
|
|I looked at this article, too 314494, but there is no EnableDFS in the
|registry under Mup.
|
|I added the value and left its setting at 0
|This did not matter
|
|Looking at the error it seems that it is related to
|\\DOMAINNAME.COM\SYSVOL\domainname.com...etc...etc
|
|The folder exists, but if I attempt to browse to it from the machine
|generating the error, I either get file can not be found, or a permissions
|error if I just try to browse to the SYSVOL folder, all the while doing
this
|as admin.
|
|On the other hand, if I do the same thing from my workstation, as me, a
|member of admins, I can get to the file no prob. It almost seems that even
|though I am logging into the domain, I am not getting the permissions to do
|anything on it...
|
|Currently I am reinstalling XP from scratch using the restore CD for this
|machine, but not the HP Restore Plus feature, I will just install XP myself
|instead of letting HP's CD do it.
|
|Related to the SYSVOL, if I look at the properties of the folder there is a
|DFS tab, but for both domain controllers the Status for active says NO from
|this machine, and checking the status says unreachable. But again if I do
|it from my XP workstation as me, I get the Backup DC as active and both
|check out okay.
|
|Any ideas...
|
|Jeff Smyrski
|
|
|> Dear Jeff,
|>
|> Thank you for your reply.
|>
|> I am glad to hear that the DNS forwarder issue has been resolved. Regarding
|> the 1058 Event on the Windows XP client, it seems it is not a DNS problem.
|> You may try the solution mentioned in the following Knowledge Base article
|> first to see if it works:
|>
|> 314494 Group Policies Are Not Applied The Way You Expect; "Event ID 1058"
|> and
|> http://support.microsoft.com/?id=314494
|>
|> By the way, I have checked the ISA thread you mentioned. Currently an
|> engineer is performing research on that issue and will get back to you
|> soon.
|>
|> If you have any other concerns, please feel free to let me know. I will do
|> my best to help you.
|>
|> Thanks!
|>
|> Regards,
|> Joe Wu
|> Product Support Services
|> Microsoft Corporation
|>
|> --------------------
|> |From: "Jeff Smyrski" <[email protected]>
|> |Subject: Re: Conditional Forwarding Not Available
|> |Date: Thu, 2 Oct 2003 16:26:21 -0400
|> |Newsgroups: microsoft.public.win2000.dns
|> |
|> |Well, before trying these steps, the forwarders began to work. I am not
|> |really sure, why, but I did change the Gateway to be the firewall, although
|> |this did not seem to matter, last night.
|> |
|> |This morning, I was able to perform a NSLOOKUP using the local DNS server,
|> |and it forwarded the request as expected.
|> |
|> |I then removed the ISP's DNS entries in the Proxy's NIC that points to the
|> |firewall. So that the only entry that remains is my internal DNS server
|> |entry.
|> |
|> |Everything seems to be working fine now, and the Netlogon 5774 error at the
|> |Proxy has not shown up in 7 hours...so this is good.
|> |
|> |HOWEVER - On my new XP machines I am still getting the following errors of
|> |which I thought might be solved with this DNS error, as if it can't find
|> |the server, the path does exist, but it seems to be related to the Proxy
|> |Client that is installed on the machine. By the way I posted on the
|> |ISA.Configuration board 3 days ago and nobody has replied...I thought as a
|> |technet subscriber, I am guaranteed a response. Thanks.
|> |
|> |Jeff Smyrski
|> |
|> |Event Type: Error
|> |Event Source: Userenv
|> |Event Category: None
|> |Event ID: 1058
|> |Date: 10/2/2003
|> |Time: 10:20:07 AM
|> |User: NT AUTHORITY\SYSTEM
|> |Computer: STATION_120
|> |Description:
|> |Windows cannot access the file gpt.ini for GPO
|> |CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=BANKOFUTICA,DC=COM.
|> |The file must be present at the location
|> |<\\BANKOFUTICA.COM\sysvol\BANKOFUTICA.COM\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
|> |(The network path was not found. ). Group Policy processing aborted.
|> |
|> |> Dear Jeff,
|> |>
|> |> Thank you for your reply.
|> |>
|> |> By default, the DNS server sends queries to other DNS servers using User
|> |> Datagram Protocol (UDP) port 53. However, this can be customized by
|> |> adjusting registry entries.
|> |>
|> |> To narrow down the problem's scope, please check the following:
|> |>
|> |> 1. Please install DNS and configure a zone for the domain on your proxy
|> |> server. Add the ISP DNS servers to the proxy server's forwarder and then
|> |> change the local TCP/IP settings to only use itself as the Preferred DNS.
|> |> Check if the forwarder works on this server.
|> |>
|> |> If the problem still occurs on this server, I think we need to check the
|> |> firewall settings to check if the DNS query packets are blocked.
|> |>
|> |> 2. Please check if the following registry entries exist on the two
|> |> servers:
|> |>
|> |> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
|> |> Value Name: SendPort
|> |> Value type: REG_DWORD
|> |>
|> |> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
|> |> Value Name: SendOnNonDnsPort
|> |> Data Type : REG_DWORD
|> |>
|> |> Thank you for your time and efforts!
|> |>
|> |> Regards,
|> |> Joe Wu
|> |> Product Support Services
|> |> Microsoft Corporation
|> |>
|> |> --------------------
|> |> |From: "Jeff Smyrski" <[email protected]>
|> |> |Subject: Re: Conditional Forwarding Not Available
|> |> |Date: Wed, 1 Oct 2003 16:01:02 -0400
|> |> |Newsgroups: microsoft.public.win2000.dns
|> |> |
|> |> |I made the change you suggested, and made the gateway of the DNS server
|> |> |to be the Firewall IP. I left Proxy as is, since this should not matter.
|> |> |Keep in mind that the DNS server does have the Proxy Client installed on
|> |> |it, so that it can go out the Proxy for web related matters such as
|> |> |Windows Update.
|> |> |The Proxy does not have Proxy Client installed on it...for obvious
|> |> |reasons.
|> |> |
|> |> |The DNS server, is only allowed to go out I think it is port 53 UDP not
|> |> |TCP.
|> |> |Only the Proxy Server has the rights in the firewall rules to go out for
|> |> |all other defined ports.
|> |> |
|> |> |After doing all of that, the DNS server still can not resolve a DNS name
|> |> |outside of the domain, using the NSLOOKUP when it defaults to the
|> |> |localhost 127.0.0.1 address.
|> |> |
|> |> |If I type server at the nslookup prompt, and enter 216.238.0.10 the IP of
|> |> |the ISP DNS server, I can resolve all I want, it even returns the name of
|> |> |the server, no prob.
|> |> |
|> |> |I MUST be missing something with these forwarders...it should work but
|> |> |does not!
|> |> |
|> |> |Do you know, or are you sure that the NSLOOKUP is using UDP where as the
|> |> |Forwarders are using TCP?
|> |> |
|> |> |Please let me know.
|> |> |
|> |> |Jeff Smyrski
|> |> |
|> |> |> Dear Jeff,
|> |> |>
|> |> |> Thank you for your updates.
|> |> |>
|> |> |> Since the gateway on the DNS server is set to point to the proxy server,
|> |> |> the DNS query packets cannot be routed to the external DNS servers (ISP
|> |> |> DNS servers). However, the DNS query packets can be sent to the external
|> |> |> DNS from the proxy server, as the gateway of the proxy server itself is
|> |> |> set to the Firewall.
|> |> |>
|> |> |> This should be the reason why the DNS forward does not work. Please go to
|> |> |> the DNS server and change the gateway from the proxy server to the
|> |> |> Firewall to see if the problem can be resolved.
|> |> |>
|> |> |> In the meantime, I think your ISA upgrade should work (generally, we leave
|> |> |> the internal NIC's "Default gateway" blank on ISA server). You can get
|> |> |> more information from the following Knowledge Base article:
|> |> |>
|> |> |> 323387 HOW TO: Connect Your Company to the Internet by Using an ISA
|> |> |> Firewall
|> |> |> http://support.microsoft.com/?id=323387
|> |> |>
|> |> |> Please let me know if anything is unclear. Thanks!
|> |> |>
|> |> |> Regards,
|> |> |> Joe Wu
|> |> |> Product Support Services
|> |> |> Microsoft Corporation
|> |> |>
|> |> |> --------------------
|> |> |> |From: "Jeff Smyrski" <[email protected]>
|> |> |> |Subject: Re: Conditional Forwarding Not Available
|> |> |> |Date: Tue, 30 Sep 2003 08:56:31 -0400
|> |> |> |Newsgroups: microsoft.public.win2000.dns
|> |> |> |
|> |> |> |I do have a Proxy Server, it is currently generating Netlogon errors
|> |> |> |every 4 hours in the system log event id 5774. I suspect that the issue
|> |> |> |is a dns problem. The Proxy 2.0 server is currently uni-homed, but will
|> |> |> |soon be upgraded to ISA server with 2 NICs. In my model currently it
|> |> |> |looks like this.
|> |> |> |
|> |> |> | Proxy Server - Behind Firewall with an Internal Interface on my
|> |> |> |backbone. The gateway of the Proxy is pointing to the Firewall. (As
|> |> |> |opposed to all other machines including my internal DNS server, they are
|> |> |> |all pointing to the Proxy as the gateway.)
|> |> |> | Proxy's NIC is configured with 3 DNS entries, the first (top of the
|> |> |> |list) is the internal DNS server, the next are the two ISP DNS servers.
|> |> |> |This is where I was attempting to remove the DNS entries for the ISP and
|> |> |> |move them to the Forwarders section of the Internal DNS server, but I
|> |> |> |can't get my DNS server to resolve names when I do this.
|> |> |> |
|> |> |> | The internal DNS server also has one NIC, pointing to the Proxy for a
|> |> |> |gateway, with one DNS entry 127.0.0.1 (itself)
|> |> |> |
|> |> |> | If I try an nslookup at my workstation using my DNS server (by default)
|> |> |> |it looks like this.
|> |> |> |
|> |> |> |Microsoft Windows XP [Version 5.1.2600]
|> |> |> |(C) Copyright 1985-2001 Microsoft Corp.
|> |> |> |
|> |> |> |C:\Documents and Settings\jeff smyrski>nslookup
|> |> |> |Default Server: bofu2000.bankofutica.com
|> |> |> |Address: 192.168.1.13
|> |> |> |
|> |> |> |> www.cnn.com
|> |> |> |Server: bofu2000.bankofutica.com
|> |> |> |Address: 192.168.1.13
|> |> |> |
|> |> |> |DNS request timed out.
|> |> |> | timeout was 2 seconds.
|> |> |> |*** Request to bofu2000.bankofutica.com timed-out
|> |> |> |>
|> |> |> |
|> |> |> | If I go to the DNS server I get the same error, but I can tell the DNS
|> |> |> |server to use another IP, and it seems to be able to resolve the address,
|> |> |> |even after the ipconfig /flushdns command (just to make sure)
|> |> |> |
|> |> |> |In the future, I want to make this model work using an ISA server
|> |> |> |(multi-homed) behind a firewall.
|> |> |> |
|> |> |> | ISA Server NIC#1 - Remains the same, pointing to the Firewall as its
|> |> |> |gateway, but only has the two ISP DNS server entries in it.
|> |> |> |
|> |> |> | ISA Server NIC#2 - (New NIC Card, with new IP, will become gateway IP
|> |> |> |for workstations. The actual Gateway of this NIC would either be blank or
|> |> |> |the IP of the External NIC not sure on that one)
|> |> |> | (Only one DNS entry would be associated
|> |> |> |with this NIC, and it would be the Internal DNS server)
|> |> |> |
|> |> |> | DNS Server NIC - Change Gateway to be the new IP of the new ISA NIC#2
|> |> |> |also remove the Forwarder entries in DNS.
|> |> |> |
|> |> |> |NOTE - The Proxy server soon to be ISA server is also a DC for Active
|> |> |> |Directory, and I will be leaving this the same.
|> |> |> |
|> |> |> |Let me know if this will work, and / or how I can improve it?
|> |> |> |Thanks
|> |> |> |Jeff Smyrski
|> |> |> |
|> |> |> |
|> |> |> |> nltest /dsregdns was added in W2k3. In W2k a quick way to get the same
|> |> |> |> effect is: net stop netlogon & net start netlogon
|> |> |> |>
|> |> |> |> Try launching nslookup, then setting server=<ip address of your DNS
|> |> |> |> server>, and then try to resolve some name.
|> |> |> |> If you can resolve records that are on the DNS server, you could try the
|> |> |> |> same thing from your DNS server, but use the IP address of your ISP to
|> |> |> |> make sure that they are resolving the name.
|> |> |> |>
|> |> |> |> nslookup will default to the "dns server" as defined in your TCP/IP
|> |> |> |> settings.
|> |> |> |>
|> |> |> |> Do you have a proxy server in this setup? If so, where, and how is it
|> |> |> |> configured?
|> |> |> |>
|> |> |> |> --
|> |> |> |> Michael Snyder
|> |> |> |> Active Directory Admin Tool Test
|> |> |> |>
|> |> |> |> This posting is provided "AS IS" with no warranties, and confers no
|> |> |> |> rights.
|> |> |> |>
|> |> |> |> > ipconfig /flushdns was performed this completed...
|> |> |> |> >
|> |> |> |> > I removed the 2 ISP DNS entries from the NIC and left only the Internal
|> |> |> |> > DNS server in the list.
|> |> |> |> > I bounced the DNS client service as well
|> |> |> |> >
|> |> |> |> > I used the ipconfig /flushdns at the DNS server this completed.
|> |> |> |> > The DNS has two entries in the Forwarders tab of the DNS server
|> |> |> |> > properties, both are for the ISP server.
|> |> |> |> >
|> |> |> |> > I then ran nslookup at the command prompt, it returned Default Server
|> |> |> |> > 127.0.0.1
|> |> |> |> > I entered www.cnn.com
|> |> |> |> >
|> |> |> |> > It timed out after 2 seconds, server could not be found.
|> |> |> |> >
|> |> |> |> > I then tried an attempt to connect via the web, but IE just hangs
|> |> |> |> > looking for a way to resolve the URL.
|> |> |> |> >
|> |> |> |> > Please help! Arrg
|> |> |> |> >
|> |> |> |> > BTW the nltest does not have a /DSREGDNS option only a /DSDEREGDNS
|> |> |> |> > option.
|> |> |> |> >
|> |> |> |> > Jeff Smyrski
|> |> |> |> >
|> |> |> |> > > Changes like this do not require reboots on the DNS server, however,
|> |> |> |> > > you may need to:
|> |> |> |> > > ipconfig /flushdns on clients to flush the dns client cache
|> |> |> |> > > ipconfig /registerdns on clients to make them re-register their A
|> |> |> |> > > records
|> |> |> |> > > nltest /dsregdns on DCs to make them re-register their SRV records
|> |> |> |> > >
|> |> |> |> > > --
|> |> |> |> > > Michael Snyder
|> |> |> |> > > Active Directory Admin Tool Test
|> |> |> |> > >
|> |> |> |> > > This posting is provided "AS IS" with no warranties, and confers no
|> |> |> |> > > rights.
|> |> |> |> > >
|> |> |> |> > > > Additional Info:
|> |> |> |> > > >
|> |> |> |> > > > I added the ISP DNS entries in the 2K3 Snap in, then looked at the
|> |> |> |> > > > 2K snap in, and the checkbox was checked, and the two entries were
|> |> |> |> > > > present.
|> |> |> |> > > > Here is what I just tried.
|> |> |> |> > > >
|> |> |> |> > > > With the two ISP entries present as forwarders, I removed the same
|> |> |> |> > > > entries from the DNS tab on the Proxy Server, and only left the DNS
|> |> |> |> > > > server IP present. I then attempted from my client to resolve CNN.COM
|> |> |> |> > > > it will not go.
|> |> |> |> > > > I did not reboot or anything, I just made the changes, do changes like
|> |> |> |> > > > this require reboots, or DNS start stop to make not only the
|> |> |> |> > > > forwarders to be effective but also the NIC DNS registration?
|> |> |> |> > > >
|> |> |> |> > > > Thanks
|> |> |> |> > > > Jeff Smyrski
|> |> |> |> > > >
|> |> |> |> > > > > Dear Jeff,
|> |> |> |> > > > >
|> |> |> |> > > > > Thank you for your post.
|> |> |> |> > > > >
|> |> |> |> > > > > Actually, it is normal that there is a "." zone in the Cached Lookups
|> |> |> |> > > > > folder and it does not affect the forward/root hint functions. We do
|> |> |> |> > > > > not need to delete it, if there is no "." zone in the Forward Lookups
|> |> |> |> > > > > Zones folder.
|> |> |> |> > > > >
|> |> |> |> > > > > I think that you have already removed the "." zone (in the Forward
|> |> |> |> > > > > Lookups Zones) before and this is why the
|> |> |> |> > > > > "DNS_ERROR_ZONE_DOES_NOT_EXIST" error appears.
|> |> |> |> > > > >
|> |> |> |> > > > > To be honest, the "Conditional Forwarding is Not Available Because
|> |> |> |> > > > > this Server is a Downlevel Server" is a bit strange because
|> |> |> |> > > > > "Conditional Forwarding" is a new feature of Windows Server 2003.
|> |> |> |> > > > >
|> |> |> |> > > > > On my lab, I used Windows Server 2003 DNS Management Snap-In to
|> |> |> |> > > > > connect to another "Windows 2000" DNS server, and in the Forwarders
|> |> |> |> > > > > tab, I saw the message "Conditional Forwarding is Not Available
|> |> |> |> > > > > Because this Server is a Downlevel Server".
|> |> |> |> > > > >
|> |> |> |> > > > > However, please note that I can still enable a regular forwarder,
|> |> |> |> > > > > although the sentence makes it sound like forwarding isn't available
|> |> |> |> > > > > at all.
|> |> |> |> > > > >
|> |> |> |> > > > > Did you configure DNS in this way? Please try to add a regular
|> |> |> |> > > > > forwarder to see if it works.
|> |> |> |> > > > >
|> |> |> |> > > > > However, if you cannot add a regular DNS forwarder, please let me
|> |> |> |> > > > > know more about your network topology. For example, are you using a
|> |> |> |> > > > > Windows Server 2003 domain? Is the DNS server a Windows 2000 Server?
|> |> |> |> > > > > And how did you install DNS?
|> |> |> |> > > > >
|> |> |> |> > > > > If you want, please also send the following to me at
|> |> |> |> > > > > (e-mail address removed):
|> |> |> |> > > > >
|> |> |> |> > > > > 1. A screenshot of the Forwarders tab as well as screenshots of any
|> |> |> |> > > > > error messages you encounter.
|> |> |> |> > > > > 2. All related Event Logs.
|> |> |> |> > > > >
|> |> |> |> > > > > Thank you and have a nice day!
|> |> |> |> > > > >
|> |> |> |> > > > > Regards,
|> |> |> |> > > > > Joe Wu
|> |> |> |> > > > > Product Support Services
|> |> |> |> > > > > Microsoft Corporation
|> |> |> |> > > > >
|> |> |> |> > > > > --------------------
|> |> |> |> > > > > |From: "Jeff" <[email protected]>
|> |> |> |> > > > > |Subject: Conditional Forwarding Not Available
|> |> |> |> > > > > |Date: Thu, 25 Sep 2003 15:34:09 -0400
|> |> |> |> > > > > |Newsgroups: microsoft.public.win2000.dns
|> |> |> |> > > > > |
|> |> |> |> > > > > |In harmony with KB 229840 I attempted to delete the . root dns entry
|> |> |> |> > > > > |using the dnscmd /ZoneDelete . /DsDel but received an error
|> |> |> |> > > > > |DNS_ERROR_ZONE_DOES_NOT_EXIST 9601 (00002581)
|> |> |> |> > > > > |
|> |> |> |> > > > > |If I look at the DNS Console I only see a . (root) entry in the
|> |> |> |> > > > > |cached lookups and my regular domain is in the Forward Lookups.
|> |> |> |> > > > > |
|> |> |> |> > > > > |When I choose properties, and click on the Forwarders tab, (which is
|> |> |> |> > > > > |not grayed out) there is a message displayed that says: "Conditional
|> |> |> |> > > > > |Forwarding is Not Available Because this Server is a Downlevel
|> |> |> |> > > > > |Server" and there is no option to enable forwarders.
|> |> |> |> > > > > |
|> |> |> |> > > > > |This machine connects to a Proxy Server which is behind a firewall.
|> |> |> |> > > > > |The proxy server has one NIC and has three entries for DNS, one is
|> |> |> |> > > > > |the DNS server mentioned above and the other two are the ISP Public
|> |> |> |> > > > > |DNS servers. I am interested in removing the 2 ISP entries so that I
|> |> |> |> > > > > |can eliminate some possible event errors such as 5774. But in order
|> |> |> |> > > > > |to do this, my clients all point to the Proxy (client installed) so
|> |> |> |> > > > > |the Proxy would look to the DNS server to resolve a name, but I
|> |> |> |> > > > > |don't think I have something right so that I can enable Forwarding
|> |> |> |> > > > > |to ISP DNS servers.
|> |> |> |> > > > > |
|> |> |> |> > > > > |How can I make this work.
|> |> |> |> > > > > |
|> |> |> |> > > > > |Thanks
|> |> |> |> > > > > |Jeff Smyrski
|
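The nslookup comparison used earlier in this thread (the internal DNS server times out after 2 seconds while the ISP server answers when queried directly) can be repeated as a script that sends the same UDP query to each server. This is an added example, not part of any post in the thread; the function names are made up here, and the two addresses in the demo loop are the ones quoted in the thread.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid, qtype=1):
    """Build a recursion-desired DNS query (qtype 1 = A record, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(reply, qid):
    """Decode the 12-byte DNS header and check that it answers our query."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return {
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "answers": ancount,
        "recursion_available": bool(flags & 0x0080),
        "truncated": bool(flags & 0x0200),
    }


def probe(server, name, timeout=2.0, port=53):
    """Send one UDP query to `server`; return its header summary or the failure."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # 2 seconds matches the nslookup timeout in the thread
        try:
            sock.sendto(build_query(name, qid), (server, port))
            reply, _addr = sock.recvfrom(4096)
        except socket.timeout:
            return {"server": server, "status": "timeout"}
        except OSError as exc:
            return {"server": server, "status": "error", "detail": str(exc)}
    try:
        summary = parse_header(reply, qid)
    except ValueError as exc:
        return {"server": server, "status": "bad-reply", "detail": str(exc)}
    summary.update(server=server, status="answered")
    return summary


if __name__ == "__main__":
    # Addresses quoted in the thread: the internal DNS server, then the ISP server.
    for target in ("192.168.1.13", "216.238.0.10"):
        print(probe(target, "www.cnn.com"))
```

Run from the DNS server itself, a "timeout" or SERVFAIL from the internal address next to an "answered" NOERROR from the ISP address reproduces the symptom reported in the thread: the upstream server is reachable, but the internal server is not completing the forwarded lookup.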