dns problems

[Auddog]

I have two windows 2003 sp1 dns servers in my office on the ip network of
192.168.115.x / 255.255.255.0. Server A (192.168.115.2) is my primary dns
server and a global catalog. From here I can resolve both internal ip
address and external ip address. I can also get tracert and nslookup to
work. Server B (192.168.115.3) is my secondary dns server and also a global
catalog. From here I can resolve only internal ip addresses. I can get
tracert and nslookup to work only on internal ip addresses. If I try and
ping an outside ip address, the request will time out. Lastly, I can ping
from both servers the default gateway (192.168.115.254) without problems.
I'm stuck on what I should try next. Any help you may be able to provide is
greatly appreciated. Thanks.

A

 

[Frankster]

Why not provide the ipconfig /all output from each of the machines? That
would help.

Just guessing here, but the following are steps to resolve one of the most
common problems that exhibit symptoms like yours. If you'd rather not try
this now, just produce the ipconfig results here for further eval.

Check that both server's TCP/IP properties point ONLY to themselves for dns
(both Domain Controllers should be listed in each system's properties). Do
not put the ISP provided dns server in here.

Check that both servers do not have a "." (root) zone - if they do, delete
it. (highlight the "." and hit the delete key)

After deleting the "." entry (if it existed), add forwarders to your dns -
these forwarders will be your router (i.e. probably: 192.168.115.254) or,
could also be your ISP provided dns servers (only).

Try again.

-Frank

 

[Herb Martin]

I have two windows 2003 sp1 dns servers in my office on the ip network of
192.168.115.x / 255.255.255.0. Server A (192.168.115.2) is my primary dns
server and a global catalog. From here I can resolve both internal ip
address and external ip address. I can also get tracert and nslookup to
work. Server B (192.168.115.3) is my secondary dns server and also a
global catalog. From here I can resolve only internal ip addresses. I can
get tracert and nslookup to work only on internal ip addresses. If I try
and ping an outside ip address, the request will time out. Lastly, I can
ping from both servers the default gateway (192.168.115.254) without
problems. I'm stuck on what I should try next. Any help you may be able to
provide is greatly appreciated. Thanks.

Did you forget to set the forwarder on B? (To the ISP or Gateway)

Or is there some reason this server is cannot recurce? (Forwarding
is usually a better choice though.)

Or did you perhaps use the Advanced Properties of the DNS server
to "disable recursion"? (Don't do that -- it disables BOTH recursion
AND forwarding.)

Firewall issues for B only?

Test the latter by using NSLookup from B to EXPLICITLY resolve
against the Gateway or ISP DNS:

nslookup www.google.com IP.ISP.DNS.SERVER

 

[Auddog]

IP Config for Server A
192.168.115.2
255.255.255.0
192.168.115.254 (gateway)

192.168.115.2 preferred dns
192.168.115.3 secondary dns

IP Config for Server B
192.168.115.3
255.255.255.0
192.168.115.254 (gateway)

192.168.115.3 preferred dns
192.168.115.2 secondary dns

When I look for the "." the only place that I can find one is under the
Cached Lookups. Should I delete this one?

I have already put in my isp dns servers in the forwarders tab.

A

 

[Frankster]

Are both servers Domain Controllers?

Are you running AD Integrated dns?

What are your internal/external domain names? (if you can provide them)

Are you using single label domain names?

Are your internal/external names the same or different?

-Frank

 

[Auddog]

Yes the both at AD Integrated

My domain internal name is company.local, only have an MX record point to
our servers on the outside

don't know what a single label domain name is

different internal / external names

 

[Kevin D. Goodknecht Sr. [MVP]]

I have two windows 2003 sp1 dns servers in my office on the ip
network of 192.168.115.x / 255.255.255.0. Server A (192.168.115.2)
is my primary dns server and a global catalog. From here I can
resolve both internal ip address and external ip address. I can also
get tracert and nslookup to work. Server B (192.168.115.3) is my
secondary dns server and also a global catalog. From here I can
resolve only internal ip addresses. I can get tracert and nslookup
to work only on internal ip addresses. If I try and ping an outside
ip address, the request will time out. Lastly, I can ping from both
servers the default gateway (192.168.115.254) without problems. I'm
stuck on what I should try next. Any help you may be able to provide
is greatly appreciated. Thanks.

The fact that you can ping the gateway IP and not external IPs tells me this
is a routing or firewall issue, not a DNS issue.
What does this mean?

From here I can
resolve both internal ip address and external ip address. I can also
get tracert and nslookup to work.

And this?

If I try and ping an outside
ip address, the request will time out.

You may only have ICMP blocked at the firewall but for right now that's all
there is to work on, since your using ping to diagnose your issue.

Are you having a DNS issue or a ping issue?
If it's a DNS issue ping and tracert not the tools to use. If DNS can
resolve external names, DNS is not the issue.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

[Auddog]

Well, after reading your post, I think that I would come to believe that
something might be a miss with my router. But I'm not sure how I could
block only one machine from being able to communicate. I don't have a
firewall (software based) installed. I'm using a pix router if that helps.

A

 

[Kevin D. Goodknecht Sr. [MVP]]

Well, after reading your post, I think that I would come to believe
that something might be a miss with my router. But I'm not sure how
I could block only one machine from being able to communicate. I
don't have a firewall (software based) installed. I'm using a pix
router if that helps.

PIX Router?
Is that a Cisco or a really old firewall made by Network Translation, before
Cisco bought them out? (It would have to almost ten years old at least)
At any rate whoever made the thing has no bearing, if it is a firewall truly
built on PIX technology, it would certainly have the capability to block
ICMP or any other protocol or port on just one machine behind it. To think
of it, a regular old Netgear router has a limited ability to black hole one
IP of any machine's address.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================