NAT

[Hamish]

Can someone please help with some advice or point me in the direction of
some resources for NAT! I am running a Win 2K server network with Win 2K
clients. I have installed RAS on the Win 2K server and tried to configure
NAT for internet sharing via an ISDN connection. I can connect to the
internet on the server via the NAT interface (not using demand dial) but am
unable to gain access from the clients. I have been troubleshooting for
weeks without success. My clients are configured with the NAT servers
internal adapter (192.168.0.1) as the default gateway and IP and DNS
addresses are server assisgned as per my ISP's config. All other
configuration is as per Microsoft technet advice.
TIA

 

[Herb Martin]

Can someone please help with some advice or point me in the direction of

some resources for NAT! I am running a Win 2K server network with Win 2K
clients.

The help is pretty good for NAT. Try that first.

I have installed RAS on the Win 2K server and tried to configure
NAT for internet sharing via an ISDN connection. I can connect to the
internet on the server via the NAT interface (not using demand dial) but am
unable to gain access from the clients. I have been troubleshooting for
weeks without success. My clients are configured with the NAT servers
internal adapter (192.168.0.1) as the default gateway and IP and DNS
addresses are server assisgned as per my ISP's config. All other
configuration is as per Microsoft technet advice.

Then it will work <grin>

Some thoughts:

1) Did you configure the NAT interaces in RRAS
a) adding the ISDN interface to the IP, then to NAT as PUBLIC
interface?
(leave the translate box checked)
b) adding the LAN NIC (Ethernet) interface as PRIVATE interface?
2) Does PING of a KNOWN IP address work? Like the upstream router
from the NAT -- ping from the clients, if it fails try tracert
3) Does tracert show the trace to AT LEAST the NAT? How about the
upstream router? How far?

Ignore NAMES for now, DNS isn't important if you cannot use IP itself.
Get the IP to work first, then work on the Name Resolution. Generally
though, if you have no internal DNS servers, the NAT should be listed as
the DNS for your clients, and it will relay to the ISP DNS.

weeks without success. My clients are configured with the NAT servers
internal adapter (192.168.0.1) as the default gateway and IP and DNS

Are the clients ON this subnet? E.g., 192.168.0.2 etc.

If this isn't working, give us your "Ipconfig /all >nat.txt" and the same
thing
from one of the clients, "ipconfig >client.txt"

We need to see the IPConfig to help.

Also consider including "Route Print >nat.txt" (and the clients too.)

 

[Ray Grasso]

Here is the Microsoft article on running a NAT server.

 

[Hamish]

Thanks for the reply Herb,

The problem is certainly name resolution. I can ping IP but not host names.
Perhaps you could clear up two questions for me that may solve my problem.

1.My NAT server is also the DNS and DHCP server for my LAN (single subnet).
According to the help files I am unable to run the DNS and DHCP services in
conjunction with NAT as NAT runs these services when installed. I understood
this to be the case with ICS but not NAT. If this is the case, then what are
the Address Assignment and Name Resolution settings for on the NAT
properties dialogue box. I understood that by leaving "automatically assign
IP addresses by using DHCP" and "clients using domain name system" unchecked
would allow your hosts to rely on the existing DHCP and DNS services and
that NAT simply leased IP addresses from the DHCP server.

2. Several of the papers I have read on NAT have indicated that the client
machines should be configured with the address/es of the ISP's DNS server/s
and not the LAN's DNS server. Is this correct? If so how are local DNS
quieries resolved without broadcast and if a connection to the internet is
not present (assuming that the cache is empty) ?

Hamish.

 

[Hamish]

Herb,

In answer to your questions I am running the AD intergrated DNS and DHCP
services. I have not checked the boxes on the NAT Name Resolution and
Address assignment tabs. I have pointed my clients DNS to the IP of my
internal DNS server. The internal server is not forwarding DNS requests from
clients as I am unable to resolve DNS queries from clients. I can however
use the NAT machine to access the internet and do name resolutions but only
when browsing from the NAT server.

Just a thought, if my problem is that the NAT server is not forwarding DNS
requests from clients that are intended for outside of my LAN, would it
matter what my LAN domain suffix is. For reasons to lengthy to explain here
my domain suffix is .local.

Do you have any other ideas?

Thanks again,
Hamish.

 

[Hamish]

Herb,

Thanks again for the info and patience. To clarify, I am running the "real"
DHCP and AD integrated DNS services (I am aware that DHCP is not AD
integrated, this was a grammatical misdemeanour on my behalf). I have
forward and reverse lookup zones. The NAT, DHCP, DNS and PDC server (all the
one box) will connect to the internet and resolve host names. The clients
have their DNS address as my internal DNS server as does my Win2K server on
the LAN side. The public side (ISDN NTU) is configured for server assigned
DNS address as per my ISP. An ipconfig /all indicates that the clients DNS,
DHCP and default gateway are the IP address of my servers internal adaptor.
The server's DNS address points to itself on the LAN adaptor and to the loop
address (127.0.0.1) on the RAS adaptor. I believe that this is the
configuration that yourself and Bill have explained.

I think that these are the issues with my system (apart from my ignorance).
a) Please clarify this. Bill states that "The default settings in NAT work
like ICS". I find this confusing and apologise for "not getting the
message". The default settings for ICS are to install its own integrated
DHCP and DNS "proxies", this I know. My understanding is that NAT does
exactly the opposite. It does not install its own integrated DHCP and DNS
"proxies" by default unless you go to the Address Assignment and Name
Resolution tabs on the NAT Properties window and check the boxes marked
"Automatically assign IP addresses by using DHCP" and "Resolve IP addresses
for: Clients Using Domain Name Systems(DNS)". Obviously I don't want NAT to
run the integrated DNS and DHCP "proxies" as I have the "real" services
already configured and running. Please advise me if I am mistaken and need
to check the aforementioned boxes in order to "turn off" the NAT integrated
DNS and DHCP services (or any other method of turning of these integrated
services).

b) I have two sub folders at the root of my DNS forward lookups folder. The
first is . and the second is my domain name and suffix. The . lookup zone
installed by default when I configured my DNS server. Should I simply delete
this zone and its contents as suggested by Bill ?

c) I have no choice other than to make my PDC the NAT server. Can I secure
this in any way?



However Bill states that "The default settings in NAT work like ICS".

In answer to your questions I am running the AD intergrated DNS and DHCP
services. I have not checked the boxes on the NAT Name Resolution and
Address assignment tabs. I have pointed my clients DNS to the IP of my
internal DNS server. The internal server is not forwarding DNS requests from
clients as I am unable to resolve DNS queries from clients. I can however
use the NAT machine to access the internet and do name resolutions but only
when browsing from the NAT server.

Just a thought, if my problem is that the NAT server is not forwarding DNS
requests from clients that are intended for outside of my LAN, would it
matter what my LAN domain suffix is. For reasons to lengthy to explain here
my domain suffix is .local.

Do you have any other ideas?

Bill helped with my answer so read that first, and let
me emphasize or clarify a couple more possibilities.

You say, "I am running the AD integrated DNS and DHCP
services" There is no AD-integrated DHCP and NAT servers
have that "DNS and DHCP support" integrated in the NAT
so perhaps you mean this (or not but we need to be clear.)

If you are running the REAL DNS server then it must have
it's "forwarding" tab set to find the ISP (or other) DNS server
OR it must have access to the root servers and proper root
hints.

IF you use the "DNS relay" inside the NAT server (not the
'real' server) then you must ensure the NAT server's own
CLIENT IP is set to the ISP but this is going to cause a
big problem for a DC.

What's the problem? A DC needs to be pointed at the
INTERNAL and DYNAMIC DNS (in this case itself).

[Aside: You really shouldn't be using a DC as your NAT --
it exposes the DC on the Internet to attack by every cracker
and his little brother -- and sister.]

Another possibility is that you have BOTH turned on -- this
will cause the ICS-like integrated DNS to take precedence
on the internal NIC (I believe) but in any case is unreliable
and confusing.

Ok, so let's assume you TURN off the NAT integrated DNS
(DHCP is almost completely separate) and then you configure
you REAL DNS server correctly -- check the forwarder.

Make sure the server itself in the NIC\IP properties points to
ITSELF.

Make sure the clients get the right DHCP settings for DNS
server. (Ipconfig /all)

 

[Herb Martin]

Thanks again for the info and patience. To clarify, I am running the
"real"

DHCP and AD integrated DNS services (I am aware that DHCP is not AD
integrated, this was a grammatical misdemeanour on my behalf).

No harm -- I get very literal (picky) when troubleshooting -- it's a
conscious technique that is the biggest trick I know for becoming
a world class troubleshooter.


[Skim this quick on the first read -- I answered sequentially
without reading what you already knew/did again first. But
read the whole thing since I worked so long on it <grin>
---------------------------------------------
Here's the punchline from the bottom:
THAT's the solution right there -- delete "." and add the ISP server
in the forwarder tab forwarder address list.
---------------------------------------------

I have forward and reverse lookup zones.

Irrelevant to finding the Internet -- you might need them for internal
or external users but this is not related to your users reaching Microsoft
and Dell -- or LearnQuick.Com

The NAT, DHCP, DNS and PDC server (all the
one box) will connect to the internet and resolve host names.

This proves TWO things:
1) IP works
2) the CLIENT settings on this server are ok for reaching the
Internet (likely they are actually WRONG since it probably
needs to work on your private network.)

It may say nothing about the DNS server itself.

The clients
have their DNS address as my internal DNS server as does my Win2K server on
the LAN side.

AHA!!!! That's a clue -- pickyness helps --

What do you have on the OTHER side? You can't put different
values on two NICs and think you get BOTH -- you get (semi-randomly)
one of them.

REMOVE all other DNS addresses from the server's client settings.

Now it will fail TOO -- but that is probably a good thing because
when we fix the real problem it will work too.

The public side (ISDN NTU) is configured for server assigned
DNS address as per my ISP. An ipconfig /all indicates that the clients DNS,
DHCP and default gateway are the IP address of my servers internal

adaptor.

[You can skip this section but I am not going to erase it (due to more
info below) as it might help someone else or clarify for you what Bill
already had you do.]

This confirms what I wrote above -- but I am reading and answering
sequentially....

COPY that DNS server address -- we'll need it in a minute and
we are about to delete it. Write it down. (In a notepad and one paper
for next week.)

Go to the external NIC properties: NIC\IP where is says "Obtain an
address automatically" -- LEAVE that AS-IS.

You need the address and mask from the ISP and they will remain
GREYED out.

For DNS server (it's not grey) type in 127.0.0.1 (or the inside address
or this DNS server) -- if you ever change the "auto" setting and change
it back you will probably have to repeat this because when you CHOOSE
automatic it ERASES all the other settings (used to be a source or
support calls when NT 3.51 left them) but it still lets YOU OVERRIDE
all other settings.

NEVER do this unless you have a REASON -- we do -- we need that
server to use itself as DNS server.

Save (Ok, etc.)

If you do IPConfig you will have LOST that DNS server address
for the ISP -- but you wrote it down, right?

The server's DNS address points to itself on the LAN adaptor and to the loop
address (127.0.0.1) on the RAS adaptor. I believe that this is the
configuration that yourself and Bill have explained.

[Darn, I wish I had read this before typing all that above.]

Next we FIX the DNS server but first let me answer the
next section inline explain how to fix it....

I think that these are the issues with my system (apart from my ignorance).
a) Please clarify this. Bill states that "The default settings in NAT work
like ICS".

By default the NAT doesn't know it is ALSO a 'real' DNS server
so the check box for IT (the NAT) to answer DNS for the clients
is checked.

UNCHECK it. NAT (the server itself, not the interfaces), properties,
DNS tab -- resolve DNS for Clients.

Stop that -- you have a REAL DNS server and they are compeating
for the clients attention.

That's most of the problem right there.

I find this confusing and apologise for "not getting the
message". The default settings for ICS are to install its own integrated
DHCP and DNS "proxies", this I know. My understanding is that NAT does
exactly the opposite. It does not install its own integrated DHCP and DNS
"proxies" by default unless you go to the Address Assignment and Name

Actually I think it may only be DNS -- not DHCP but it has the feature
there for you to enable. The default for DNS is however to HELP if
asked.

The reason: DHCP is promiscuous -- clients broadcast and servers
volunteer (offer) addresses. Defaulting the DHCP server to "on" would
interfer with EXISTING DHCP servers.

DNS is passive -- the server only answers clients which specifically
ask it a question so enabling this causes few problems and most people
need it UNLESS they install their own "real" DNS (that's you and ME
TOO.)

Resolution tabs on the NAT Properties window and check the boxes marked
"Automatically assign IP addresses by using DHCP" and "Resolve IP addresses
for: Clients Using Domain Name Systems(DNS)". Obviously I don't want NAT to
run the integrated DNS and DHCP "proxies" as I have the "real" services
already configured and running.

Right, so clear both check boxes -- and NAT gets out of the way.
This is the MAIN advantage of NAT over ICS --configurability.
NAT can only do a few things that ICS can't do and most people
don't need those features.

ALMOST everything NAT can do, so can ICS.

Please advise me if I am mistaken and need
to check the aforementioned boxes in order to "turn off" the NAT integrated
DNS and DHCP services (or any other method of turning of these integrated
services).

Nope you have it right.

Ok so now let's fix the DNS server....

b) I have two sub folders at the root of my DNS forward lookups folder. The
first is . and the second is my domain name and suffix. The . lookup zone
installed by default when I configured my DNS server. Should I simply delete
this zone and its contents as suggested by Bill ?

YES -- that was configured at installation because you didn't have your
connection to the Internet (or is was inactive.)

Once it is deleted we are almost DONE -- go to the FORWARDING
tab of the server and type in that ISP DNS server address you wrote
down above.

If you lost it (before reading this) you might have to go back to the
NIC\IP and remove 127.0.0.1 (or it's address), save, ipconfig /renew,
and then put the 127.0.0.1 back.

Add the ISP address in as your forwarder. It will work.

THAT's the solution right there -- delete "." and add the ISP server
in the forwarder tab forwarder address list.

c) I have no choice other than to make my PDC the NAT server. Can I secure
this in any way?

Yes, but it is a LOT of work to be truly secure.

Prime theory of security is to remove everything you don't need ---
but a DC is repleat with listening connections on numerous ports
and you have to sweat bugs in ANY OF THOSE SERVICES,
new service packs become even more time critical, etc.

Buy a cheap $100 throwaway box and put Linix on it if you have
no other choice -- note, I don't do this, I am willing to run a Win2000
(non-DC) there and to really pay attention to it's settings -- but then I do
Windows for a living (and I sweat a lot <grin>) Or one of those little
appliance firewalls (but make sure you upgrade THEIR FIRMWARE
too.)

You can still run YOUR DNS and YOUR DHCP on the DC but
it will be INSIDE.

Want to get a feel for this? Go to the DC command prompt and type

netstat -a

This will display the ports the DC is listening on -- if that doesn't scare
you, then you might wish to volunteer for convoy truck driver duty in Iraq.

We report; you decide.

 

[Hamish]

Herb,

You have been very gracious with your assistance which I can't thank you
enough for. I wonder if I might press you for a little further assistance. I
believe that I now have everything configured as you have suggested. We are
ALMOST there I think. I have removed the "." zone and added my ISP's DNS
addresses to the forwarders. I can now get my clients to initiate the
demand dial interface (except from Outlook, and yes I have added it to the
network applications). The main issue now however is that my clients appear
to have DNS requests resolved intermittantly. After several connection
sessions today I have observed the following behaviour :
a) the first web page and several subsequent links will load and then an
unable to connect error "DNS or server error" occurs. The connection has to
be terminated and restarted . At the point of failure pinging of external
addresses may result in a time out or VERY slow response time.

b) Most common: the first page will load in acceptable time and then
nothing more. Pinging external addresses again results in a time out or very
slow response time (average 400-450ms which is comparable to 56K not ISDN).

c) The IP of the requested web site will take up to 30 seconds to resolve
and then load normally. Behaviour will then follow the same pattern as a)
and b).

d) I have several Email addresses all delivered to the one pst file. Once
the demand dial connection has been made I may receive errors (unable to
connect to server, or mail delivery failure) for one, two or all of the
accounts. Speradic success on all accounts has been observed a few times.
This behaviour is random and not related to a particular account (all
accounts are held with the same provider). Again this appears to be an
intermittent failure to resolve the mail servers IP address.

In all of the above mentioned cases after the initial success attempting a
DNS resolution (ie pinging or browsing to another site) will fail until the
connection is terminated and reconnected. Once and only once I have been
able to resolve half a dozen or so requests in a row.

For the record, I have 56K dial up modems connected to all clients.
Connection to ISPs, email etc on these connections are fine. I have also
configured a DUN connection to my ISP on the server using the same ISDN
service which also performs perfectly. I believe this again points to the
DNS configuration of my DNS server for the shared NAT connection.

Hope this info helps.
Once again thanks for the assistance,
Hamish

Thanks again for the info and patience. To clarify, I am running the "real"
DHCP and AD integrated DNS services (I am aware that DHCP is not AD
integrated, this was a grammatical misdemeanour on my behalf).

No harm -- I get very literal (picky) when troubleshooting -- it's a
conscious technique that is the biggest trick I know for becoming
a world class troubleshooter.


[Skim this quick on the first read -- I answered sequentially
without reading what you already knew/did again first. But
read the whole thing since I worked so long on it <grin>
---------------------------------------------
Here's the punchline from the bottom:
THAT's the solution right there -- delete "." and add the ISP server
in the forwarder tab forwarder address list.
---------------------------------------------

I have forward and reverse lookup zones.

Irrelevant to finding the Internet -- you might need them for internal
or external users but this is not related to your users reaching Microsoft
and Dell -- or LearnQuick.Com

The NAT, DHCP, DNS and PDC server (all the
one box) will connect to the internet and resolve host names.

This proves TWO things:
1) IP works
2) the CLIENT settings on this server are ok for reaching the
Internet (likely they are actually WRONG since it probably
needs to work on your private network.)

It may say nothing about the DNS server itself.

The clients
have their DNS address as my internal DNS server as does my Win2K server on
the LAN side.

AHA!!!! That's a clue -- pickyness helps --

What do you have on the OTHER side? You can't put different
values on two NICs and think you get BOTH -- you get (semi-randomly)
one of them.

REMOVE all other DNS addresses from the server's client settings.

Now it will fail TOO -- but that is probably a good thing because
when we fix the real problem it will work too.

The public side (ISDN NTU) is configured for server assigned
DNS address as per my ISP. An ipconfig /all indicates that the clients DNS,
DHCP and default gateway are the IP address of my servers internal

adaptor.

[You can skip this section but I am not going to erase it (due to more
info below) as it might help someone else or clarify for you what Bill
already had you do.]

This confirms what I wrote above -- but I am reading and answering
sequentially....

COPY that DNS server address -- we'll need it in a minute and
we are about to delete it. Write it down. (In a notepad and one paper
for next week.)

Go to the external NIC properties: NIC\IP where is says "Obtain an
address automatically" -- LEAVE that AS-IS.

You need the address and mask from the ISP and they will remain
GREYED out.

For DNS server (it's not grey) type in 127.0.0.1 (or the inside address
or this DNS server) -- if you ever change the "auto" setting and change
it back you will probably have to repeat this because when you CHOOSE
automatic it ERASES all the other settings (used to be a source or
support calls when NT 3.51 left them) but it still lets YOU OVERRIDE
all other settings.

NEVER do this unless you have a REASON -- we do -- we need that
server to use itself as DNS server.

Save (Ok, etc.)

If you do IPConfig you will have LOST that DNS server address
for the ISP -- but you wrote it down, right?

The server's DNS address points to itself on the LAN adaptor and to the loop
address (127.0.0.1) on the RAS adaptor. I believe that this is the
configuration that yourself and Bill have explained.

[Darn, I wish I had read this before typing all that above.]

Next we FIX the DNS server but first let me answer the
next section inline explain how to fix it....

I think that these are the issues with my system (apart from my ignorance).
a) Please clarify this. Bill states that "The default settings in NAT work
like ICS".

By default the NAT doesn't know it is ALSO a 'real' DNS server
so the check box for IT (the NAT) to answer DNS for the clients
is checked.

UNCHECK it. NAT (the server itself, not the interfaces), properties,
DNS tab -- resolve DNS for Clients.

Stop that -- you have a REAL DNS server and they are compeating
for the clients attention.

That's most of the problem right there.

I find this confusing and apologise for "not getting the
message". The default settings for ICS are to install its own integrated
DHCP and DNS "proxies", this I know. My understanding is that NAT does
exactly the opposite. It does not install its own integrated DHCP and DNS
"proxies" by default unless you go to the Address Assignment and Name

Actually I think it may only be DNS -- not DHCP but it has the feature
there for you to enable. The default for DNS is however to HELP if
asked.

The reason: DHCP is promiscuous -- clients broadcast and servers
volunteer (offer) addresses. Defaulting the DHCP server to "on" would
interfer with EXISTING DHCP servers.

DNS is passive -- the server only answers clients which specifically
ask it a question so enabling this causes few problems and most people
need it UNLESS they install their own "real" DNS (that's you and ME
TOO.)

Resolution tabs on the NAT Properties window and check the boxes marked
"Automatically assign IP addresses by using DHCP" and "Resolve IP addresses
for: Clients Using Domain Name Systems(DNS)". Obviously I don't want NAT to
run the integrated DNS and DHCP "proxies" as I have the "real" services
already configured and running.

Right, so clear both check boxes -- and NAT gets out of the way.
This is the MAIN advantage of NAT over ICS --configurability.
NAT can only do a few things that ICS can't do and most people
don't need those features.

ALMOST everything NAT can do, so can ICS.

Please advise me if I am mistaken and need
to check the aforementioned boxes in order to "turn off" the NAT integrated
DNS and DHCP services (or any other method of turning of these integrated
services).

Nope you have it right.

Ok so now let's fix the DNS server....

b) I have two sub folders at the root of my DNS forward lookups folder. The
first is . and the second is my domain name and suffix. The . lookup zone
installed by default when I configured my DNS server. Should I simply delete
this zone and its contents as suggested by Bill ?

YES -- that was configured at installation because you didn't have your
connection to the Internet (or is was inactive.)

Once it is deleted we are almost DONE -- go to the FORWARDING
tab of the server and type in that ISP DNS server address you wrote
down above.

If you lost it (before reading this) you might have to go back to the
NIC\IP and remove 127.0.0.1 (or it's address), save, ipconfig /renew,
and then put the 127.0.0.1 back.

Add the ISP address in as your forwarder. It will work.

THAT's the solution right there -- delete "." and add the ISP server
in the forwarder tab forwarder address list.

c) I have no choice other than to make my PDC the NAT server. Can I secure
this in any way?

Yes, but it is a LOT of work to be truly secure.

Prime theory of security is to remove everything you don't need ---
but a DC is repleat with listening connections on numerous ports
and you have to sweat bugs in ANY OF THOSE SERVICES,
new service packs become even more time critical, etc.

Buy a cheap $100 throwaway box and put Linix on it if you have
no other choice -- note, I don't do this, I am willing to run a Win2000
(non-DC) there and to really pay attention to it's settings -- but then I do
Windows for a living (and I sweat a lot <grin>) Or one of those little
appliance firewalls (but make sure you upgrade THEIR FIRMWARE
too.)

You can still run YOUR DNS and YOUR DHCP on the DC but
it will be INSIDE.

Want to get a feel for this? Go to the DC command prompt and type

netstat -a

This will display the ports the DC is listening on -- if that doesn't scare
you, then you might wish to volunteer for convoy truck driver duty in Iraq.

We report; you decide.

 

[Hamish]

Thanks again Herb.

The demand dial interface is fine. There are no timeout problems there.
The mail and web browsing problems I described are basically one in the
same. I receive intermittant failures to connect to server and/or load
further links once I have loaded the home page. The server has none of these
problems when browsing so I feel that I can rule out any connection related
hardware. ie ISP Connection quality and line/modem quality is fine as
before, during ar after my clients fail I can go to the server and run IE
and browse without problems.
I assume that my ISDN modem and connection is OK as the modem has an
analogue port to which I have connected a 56K dial up modem. This works
without any problems.
I will need a few days to research and implement the other suggestions that
you have given me. I hope I can come back to you with the results of these.

Regards,
Hamish

You're welcome.

ALMOST there I think. I have removed the "." zone and added my ISP's DNS
addresses to the forwarders. I can now get my clients to initiate the
demand dial interface (except from Outlook, and yes I have added it to the
network applications). The main issue now however is that my clients appear
to have DNS requests resolved intermittantly. After several connection
sessions today I have observed the following behaviour :
a) the first web page and several subsequent links will load and then an
unable to connect error "DNS or server error" occurs. The connection has to
be terminated and restarted . At the point of failure pinging of external
addresses may result in a time out or VERY slow response time.

[I am having trouble with context here (clients, dial, web page when we
were mainly doing DNS) but I will try and you can clarify if I miss the
target.]

On demand dial, it may time out before a connection can be made and
then DNS (or any other server) can return an answer. So although a
client can use demand-dial, it is very common for the FIRST request,
the one that cause the demand dial to fire up, fails.

This is mostly a problem with Phone (as opposed to ISDN or VPN) 'dial.'

I know it might seem to defeat the idea of demand-dial, but a shortcut
or batch file that just fires up the connect can be useful.

b) Most common: the first page will load in acceptable time and then
nothing more. Pinging external addresses again results in a time out or very
slow response time (average 400-450ms which is comparable to 56K not

ISDN).

Whenever you have trouble with Ping, it is usually a good idea to
try TraceRt (or PathPing, even SamSpade which is downloadable).
This will indicate or at least hint where the problem arises.

c) The IP of the requested web site will take up to 30 seconds to resolve
and then load normally. Behaviour will then follow the same pattern as a)
and b).

Yes, and by that time the client application is probably tired of waiting or

d) I have several Email addresses all delivered to the one pst file. Once
the demand dial connection has been made I may receive errors (unable to
connect to server, or mail delivery failure) for one, two or all of the
accounts. Speradic success on all accounts has been observed a few

times.

Monitoring the line (start with Connection Monitor to see speed,
compression,
and speed report)

This behaviour is random and not related to a particular account (all
accounts are held with the same provider). Again this appears to be an
intermittent failure to resolve the mail servers IP address.

Maybe it's phone lines or modems -- you can use a 56k modem but
56k error free is near impossible and in hotels I commonly see as little
at 28K -- or only a few years ago less..

In all of the above mentioned cases after the initial success attempting a
DNS resolution (ie pinging or browsing to another site) will fail until the
connection is terminated and reconnected. Once and only once I have been
able to resolve half a dozen or so requests in a row.

Client side caching of DNS "negative responses" may be involved --
defaults to 300 seconds or 5 minutes. If you wait or clear the
cache (ipconfig /flushdns) does it still require re-connection.

I would not turn off "client side caching" on a Dial-Up client -- that's
mostly who it is for -- but I might consider turning off or shortening
NEGATIVE cachine.

For the record, I have 56K dial up modems connected to all clients.
Connection to ISPs, email etc on these connections are fine. I have also
configured a DUN connection to my ISP on the server using the same ISDN
service which also performs perfectly. I believe this again points to the
DNS configuration of my DNS server for the shared NAT connection.

What results does NSLookup DIRECT to the DNS give?

You might also try netmon on these connections (NetMon, Ethereal, WinDump)

 

[Herb Martin]

Ok, you can eliminate DNS by using IP addresses in URLs
and email (temporarily).

Note: that some "virtual servers" (multiple sites hosted on a
single server) won't work right if you use an IP but other than
that should at least be able to test -- usually MAJOR servers,
e.g., Google, Microsoft, Dell, are not virtual.

Personal or small business sites frequently are virtual.

Another approach-- use Telnet or netcat (nc) to talk to the
web or email server directly. This eliminates funky and
high overhead programs like Outlook etc. (I love Outlook
but it's difficult to solve problem connections using it.)

Also use NSLookup to control your testing of nameserver
lookups.

How many Forwarder (and/or client NIC/IP) DNS server entries
do you have on the server? (Did you disable enable "recursion"
on the DNS server FORWARD tab?)

Do the clients point JUST to the server for DNS?

Thanks again Herb.

The demand dial interface is fine. There are no timeout problems there.
The mail and web browsing problems I described are basically one in the
same. I receive intermittant failures to connect to server and/or load
further links once I have loaded the home page. The server has none of these
problems when browsing so I feel that I can rule out any connection related
hardware. ie ISP Connection quality and line/modem quality is fine as
before, during ar after my clients fail I can go to the server and run IE
and browse without problems.
I assume that my ISDN modem and connection is OK as the modem has an
analogue port to which I have connected a 56K dial up modem. This works
without any problems.
I will need a few days to research and implement the other suggestions that
you have given me. I hope I can come back to you with the results of these.

Regards,
Hamish

You're welcome.

ALMOST there I think. I have removed the "." zone and added my ISP's DNS
addresses to the forwarders. I can now get my clients to initiate the
demand dial interface (except from Outlook, and yes I have added it

to
the

network applications). The main issue now however is that my clients appear
to have DNS requests resolved intermittantly. After several connection
sessions today I have observed the following behaviour :
a) the first web page and several subsequent links will load and then an
unable to connect error "DNS or server error" occurs. The connection

has
to

be terminated and restarted . At the point of failure pinging of external
addresses may result in a time out or VERY slow response time.

[I am having trouble with context here (clients, dial, web page when we
were mainly doing DNS) but I will try and you can clarify if I miss the
target.]

On demand dial, it may time out before a connection can be made and
then DNS (or any other server) can return an answer. So although a
client can use demand-dial, it is very common for the FIRST request,
the one that cause the demand dial to fire up, fails.

This is mostly a problem with Phone (as opposed to ISDN or VPN) 'dial.'

I know it might seem to defeat the idea of demand-dial, but a shortcut
or batch file that just fires up the connect can be useful.

b) Most common: the first page will load in acceptable time and then
nothing more. Pinging external addresses again results in a time out

or
very

slow response time (average 400-450ms which is comparable to 56K not

ISDN).

Whenever you have trouble with Ping, it is usually a good idea to
try TraceRt (or PathPing, even SamSpade which is downloadable).
This will indicate or at least hint where the problem arises.

c) The IP of the requested web site will take up to 30 seconds to resolve
and then load normally. Behaviour will then follow the same pattern as a)
and b).

Yes, and by that time the client application is probably tired of

waiting

or
times.

Monitoring the line (start with Connection Monitor to see speed,
compression,
and speed report)


Maybe it's phone lines or modems -- you can use a 56k modem but
56k error free is near impossible and in hotels I commonly see as little
at 28K -- or only a few years ago less..

attempting

a until
the

Client side caching of DNS "negative responses" may be involved --
defaults to 300 seconds or 5 minutes. If you wait or clear the
cache (ipconfig /flushdns) does it still require re-connection.

I would not turn off "client side caching" on a Dial-Up client -- that's
mostly who it is for -- but I might consider turning off or shortening
NEGATIVE cachine.
to
the

What results does NSLookup DIRECT to the DNS give?

You might also try netmon on these connections (NetMon, Ethereal, WinDump)

 

[Hamish]

Herb,

I have two forwarder DNS server entries, my ISP's primary and secondary name
servers. I am not sure in what context you are referring to with "(and/or
client NIC/IP)".
On the Forwarders tab "do not use recursion" is unchecked. On the Advanced
tab "disable recursion" is unchecked.
The clients have only my local DNS server listed under DNS.

Thanks,
Hamish

Ok, you can eliminate DNS by using IP addresses in URLs
and email (temporarily).

Note: that some "virtual servers" (multiple sites hosted on a
single server) won't work right if you use an IP but other than
that should at least be able to test -- usually MAJOR servers,
e.g., Google, Microsoft, Dell, are not virtual.

Personal or small business sites frequently are virtual.

Another approach-- use Telnet or netcat (nc) to talk to the
web or email server directly. This eliminates funky and
high overhead programs like Outlook etc. (I love Outlook
but it's difficult to solve problem connections using it.)

Also use NSLookup to control your testing of nameserver
lookups.

How many Forwarder (and/or client NIC/IP) DNS server entries
do you have on the server? (Did you disable enable "recursion"
on the DNS server FORWARD tab?)

Do the clients point JUST to the server for DNS?

Thanks again Herb.

The demand dial interface is fine. There are no timeout problems there.
The mail and web browsing problems I described are basically one in the
same. I receive intermittant failures to connect to server and/or load
further links once I have loaded the home page. The server has none of these
problems when browsing so I feel that I can rule out any connection related
hardware. ie ISP Connection quality and line/modem quality is fine as
before, during ar after my clients fail I can go to the server and run IE
and browse without problems.
I assume that my ISDN modem and connection is OK as the modem has an
analogue port to which I have connected a 56K dial up modem. This works
without any problems.
I will need a few days to research and implement the other suggestions that
you have given me. I hope I can come back to you with the results of these.

Regards,
Hamish

then

an

unable to connect error "DNS or server error" occurs. The connection has
to
be terminated and restarted . At the point of failure pinging of external
addresses may result in a time out or VERY slow response time.

[I am having trouble with context here (clients, dial, web page when we
were mainly doing DNS) but I will try and you can clarify if I miss the
target.]

On demand dial, it may time out before a connection can be made and
then DNS (or any other server) can return an answer. So although a
client can use demand-dial, it is very common for the FIRST request,
the one that cause the demand dial to fire up, fails.

This is mostly a problem with Phone (as opposed to ISDN or VPN) 'dial.'

I know it might seem to defeat the idea of demand-dial, but a shortcut
or batch file that just fires up the connect can be useful.

b) Most common: the first page will load in acceptable time and then
nothing more. Pinging external addresses again results in a time out or
very
slow response time (average 400-450ms which is comparable to 56K not
ISDN).

Whenever you have trouble with Ping, it is usually a good idea to
try TraceRt (or PathPing, even SamSpade which is downloadable).
This will indicate or at least hint where the problem arises.

c) The IP of the requested web site will take up to 30 seconds to resolve
and then load normally. Behaviour will then follow the same pattern

as
a)

and b).

Yes, and by that time the client application is probably tired of

waiting

or
in an unstable state even (<bugs>). Timeouts and failures result.

d) I have several Email addresses all delivered to the one pst file. Once
the demand dial connection has been made I may receive errors

(unable

to attempting

 

[Herb Martin]

I have two forwarder DNS server entries, my ISP's primary and secondary
name

servers.

That's fine in forwarding.

I am not sure in what context you are referring to with "(and/or
client NIC/IP)".

Context: The server's own CLIENT settings.

NIC\IP properties must point DNS to the SAME machine -- either
by IP or 127.0.0.1. No NIC may point elsewhere (some people
make the mistake of pointing one NIC to internal DNS and the other
to external DNS, which just causes semi-random problems.)

On the Forwarders tab "do not use recursion" is unchecked.

Then you servers may still do ACTUAL recursing of the root
hints namespace -- if that is what you desire.

On the Advanced tab "disable recursion" is unchecked.

Good because if you disable this, it won't even forward must
less do actual recursion -- it really should say (something to the
effect of)
"disable ALL support for recursive queries (including forwarding)"

The clients have only my local DNS server listed under DNS.

Good -- but the DC/DNS/Other servers are "clients" also, so
set them that way too.

Herb,

I have two forwarder DNS server entries, my ISP's primary and secondary name
servers. I am not sure in what context you are referring to with "(and/or
client NIC/IP)".
On the Forwarders tab "do not use recursion" is unchecked. On the Advanced
tab "disable recursion" is unchecked.
The clients have only my local DNS server listed under DNS.

Thanks,
Hamish

Ok, you can eliminate DNS by using IP addresses in URLs
and email (temporarily).

Note: that some "virtual servers" (multiple sites hosted on a
single server) won't work right if you use an IP but other than
that should at least be able to test -- usually MAJOR servers,
e.g., Google, Microsoft, Dell, are not virtual.

Personal or small business sites frequently are virtual.

Another approach-- use Telnet or netcat (nc) to talk to the
web or email server directly. This eliminates funky and
high overhead programs like Outlook etc. (I love Outlook
but it's difficult to solve problem connections using it.)

Also use NSLookup to control your testing of nameserver
lookups.

How many Forwarder (and/or client NIC/IP) DNS server entries
do you have on the server? (Did you disable enable "recursion"
on the DNS server FORWARD tab?)

Do the clients point JUST to the server for DNS?

Thanks again Herb.

The demand dial interface is fine. There are no timeout problems there.
The mail and web browsing problems I described are basically one in the
same. I receive intermittant failures to connect to server and/or load
further links once I have loaded the home page. The server has none of these
problems when browsing so I feel that I can rule out any connection related
hardware. ie ISP Connection quality and line/modem quality is fine as
before, during ar after my clients fail I can go to the server and run IE
and browse without problems.
I assume that my ISDN modem and connection is OK as the modem has an
analogue port to which I have connected a 56K dial up modem. This works
without any problems.
I will need a few days to research and implement the other suggestions that
you have given me. I hope I can come back to you with the results of these.

Regards,
Hamish


You're welcome.
ALMOST there I think. I have removed the "." zone and added my

ISP's
DNS

addresses to the forwarders. I can now get my clients to initiate the
demand dial interface (except from Outlook, and yes I have added

it
to

the
network applications). The main issue now however is that my clients
appear
to have DNS requests resolved intermittantly. After several connection
sessions today I have observed the following behaviour :
a) the first web page and several subsequent links will load and

then

an
unable to connect error "DNS or server error" occurs. The

connection
has

to
be terminated and restarted . At the point of failure pinging of
external
addresses may result in a time out or VERY slow response time.

[I am having trouble with context here (clients, dial, web page when we
were mainly doing DNS) but I will try and you can clarify if I miss the
target.]

On demand dial, it may time out before a connection can be made and
then DNS (or any other server) can return an answer. So although a
client can use demand-dial, it is very common for the FIRST request,
the one that cause the demand dial to fire up, fails.

This is mostly a problem with Phone (as opposed to ISDN or VPN) 'dial.'

I know it might seem to defeat the idea of demand-dial, but a shortcut
or batch file that just fires up the connect can be useful.

b) Most common: the first page will load in acceptable time and then
nothing more. Pinging external addresses again results in a time

out
or

very
slow response time (average 400-450ms which is comparable to 56K not
ISDN).

Whenever you have trouble with Ping, it is usually a good idea to
try TraceRt (or PathPing, even SamSpade which is downloadable).
This will indicate or at least hint where the problem arises.

c) The IP of the requested web site will take up to 30 seconds to
resolve
and then load normally. Behaviour will then follow the same

pattern

as (unable of
the

be

an have
been have
also same
ISDN points
to

 

[Herb Martin]

Haven't got two NIC's here. One NIC for internal network (DNS set to

internal DNS server 192.168.0.1), and a dial up adaptor (for ISDN
connection, DNS set to server assigned as per ISP recommendation).

That counts -- technically I should have said "two network interfaces"
because a dial-up connection is an interface.

And once created it acts just like a NIC.

Should I
have both of these pointing to internal server (192.168.0.1) ???

Yes. If you use dynamic addresses on the "dial up" you will likely
get a DNS server address from the ISP -- sometimes you need to
override this.

On ICS (Pro etc) you can ignore it usually but if your router is
also an INTERNAL client you must override it.

A DC is both a server and a "client of internal DNS" so it must
point internally even if it is the router (which isn't the most secure
choice.)

 

[Hamish]

Herb,

After much pulling of hair RAS/NAT is now working. The intermittant
success/failure was due to the response port configuration that I had
assigned for each application under the Network Applications Settings Tab of
the NAT Properties. In the fields where I had to specify the response ports
for each enabled application I had assigned ports 1024-65535 to each and
every app. that I wanted to supply access to. Once I changed this
configuration to 20 ports specific to each application...Voila. Why is this
so I ask, and can you advise on what would influence which ports and how
many I should open for responses from each application. I have not been able
to find this info anywhere.

Again your assistance has been greatly appreciated.

Hamish

 

[Herb Martin]

I don't think I know that -- you are now hacking at the edge
of MY experience. <grin>