"Did you do this on your DC?" - Yes. Changed the DNS address as the DC's local address and added our ISP's DNS as forwarders on the DC
Your DC must point to its own IP address for DNS. - Done
Check on the DNS server properties on the Advanced tab to see if Disable recursion is checked. - Disable recursion is NOT checked.
Make sure you have 53 TCP & UDP open out from the DC's address. - There is no IP Filtering within the DC TCP/IP property settings. TCP and UDP is set to "Permit all"
After a lot of reading on the subject of our firewall, I suspect it may be a "DNS alias" issue that needs to be added to the settings of my Cisco Pix firewall. Thanks to the information you have given me, I feel the DNS settings on the server are correct and my problem needs to be addressed with Cisco.
Thank you for all your help.
Here is what I did:
I read through the "How To" article and everything was configured properly in our DNS Manager.
I removed our ISP's DNS from 1 machine's TCP/IP properties and changed to our local AD DNS server's private address for DNS on our DC (192.168.1.4 is that correct?). I also added our ISP's DNS as forwarders. However, there was no "." in the forward lookup zone to delete.
Did you do this on your DC?
Your DC must point to its own IP address for DNS.
Check on the DNS server properties on the Advanced tab to see if Disable recursion is checked.
Make sure you have 53 TCP & UDP open out from the DC's address.
After I did this, I still could not connect to the internet from the 1 machine I was testing. I went on to open the UDP and TCP port 53 on the firewall, as well as the RPC port 135 as per the instructions in the How to Article. Still no internet. I also released/renewed ipconfig on the test PC. Still nothing.
You don't need port 135 open through your firewall!
Forgive me if I didn't understand your directions below entirely. I am very, very new at this and have a hard time deciphering a lot of the tech lingo. If I did something incorrectly, please let me know.
BTW - Everything with DNS was fine until we installed the firewall. No changes were made whatsoever to our DNS Manager or TCP/IP Settings. After the installation of the firewall we could not access the internet until I hardcoded the ISP's DNS address on all machines. I contacted the manufacturer of the firewall (Cisco PIX) and they told me that this was a Microsoft issue and that they couldn't help.
Try running nslookup set d2 against your local DNS for an external address.
If DNS is working properly the only machine that needs to see 53 TCP & UDP out would be the DC with DNS. It sure sounds to me like it is a configuration problem with the firewall. I am not familiar with the PIX firewall but it should not be that difficult to figure out.
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
http://www.lonestaramerica.com/
============================
--
When responding to posts, please "Reply to Group" or
"Reply All" via your newsreader so that others may learn
and benefit from your issue
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
The problem here is the use of your ISP DNS in your TCP/IP properties, Active Directory domains store their service and resource (SRV) records in DNS, if you use your ISP's DNS in TCP/IP then your DC will try to register these records in your ISP's DNS which, your ISP will not allow. Then if you use your ISP's DNS in the clients they will contact them to find your Domain's SRV record which will not be there, the result, errors slow logons, and in general poor network performance.
To fix this remove your ISP's DNS from all machine's TCP/IP properties and use *ONLY* your local AD DNS server's private address for DNS this includes your DC. For internet access configure your local DNS server as per the below KB article paying special attention to step 3 and deleting the "." forward lookup zone. You can use your ISP's DNS as forwarders in your local DNS.
300202 - HOW TO Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202&FR=1
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
http://www.lonestaramerica.com/
============================
--
When responding to posts, please "Reply to Group" or
"Reply All" via your newsreader so that others may learn
and benefit from your issue
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
Below is the information you requested on ipconfig /all. I am not sure what you mean by, "Also verify you are using only your local DNS server in all NICs on all machines". Can you let me know how I could do this verification?
Server:
Windows 2000 IP Configuration:
Hostname: Server
Primary DNS Suffix: oz.local
Node type: Hybrid
IP Routing Enabled: Yes
WINS Proxy Enabled: No
DNS Suffix Serarch List: oz.local
Ethernet adapter Local Area Connection
Connection-specific DNS Suffix:
Decription: Intel 8255x-based PCI Adapter <10/100>
Physical Address: 00-06-5B-1A-15-E5
DHCP Enabled: No
IP Address: 192.168.1.4
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DNS Servers: 129.250.35.250, 129.250.35.251
Primary WINS Servers: 192.168.1.4
Client:
Windows 2000 IP Configuration:
Hostname: Client
Primary DNS Suffix: oz.local
Node type: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: No
DNS Suffix Search List: oz.local
Ethernet adapter Local Area Connection
Connection-specific DNS Suffix: oz
Description: 3Com etherlink xl 10/100 PCI for complete PC management NIC <3C905C-TX>
Physical Address: 01-01-03-25-81-83
DHCP Enabled: Yes
Auto configuration enabled: Yes
IP Address: 192.168.1.11
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DHCP Server: 192.168.1.4
DNS Servers: 129.250.35.250, 129.250.35.251
Primary WINS Servers: 192.168.1.4
Can you please post an ipconfig /all from the server and one of the clients?
Also verify you are using only your local DNS server in all NICs on all machines.
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
http://www.lonestaramerica.com/
============================
--
When responding to posts, please "Reply to Group" or
"Reply All" via your newsreader so that others may learn
and benefit from your issue
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
We recently installed a new hardware firewall -- Cisco PIX. Since that time I had to hard code our dns server address on all our workstations in order to connect to the internet.
I have also noticed a "warning" in the event viewer on the domain controller every 2 hrs since the firewall installation:
"Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available." Event ID:5781.
Our Domain Controller is our primary DHCP server and is also running a DNS server.
Somehow the DNS server became unavailable but I cannot find any way to restart it. Under "Services" both DHCP Server and DNS Server are started and startup is automatic.
I check the Microsoft Knowledgebase and they suggested changing a setting in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon Value: DependOnService and adding DNS to the next available blank line. However, I don't have the value DependOnService listed.
Another suggestion I found was to change the setting in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon Value: DnsUpdateOnAllAdapters and changing the value to 1. Again, this value is not listed in the registry.
We are using Windows 2000 Server, Service Pack 4 w/Active directory as our domain controller and currently have apprx. 20 workstations on the domain.
I am very unfamiliar with Windows 2000 and DNS so if I left out any pertinent information that you may need in order to help, please let me know and I'll supply all the information you ask for.
Thank you in advance for your help.
