Possible DNS problem

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

We have a Windows 2003 domain. There is also have a stand alone (not a part
of the domain) windows 2003 server. I have that server pointing to my
primary DNS in my domain. When you look at the host record it has the fully
qualified domain but that is not correct because that server is not a part of
the domain. Should I put DNS on the stand alone box then point the primary
to itself and the secondary DNS to the domain.

We am experiencing inconsistent problems with page not found errors in the
web based application that is sitting on this stand alone box. I have tested
all hardware.

Thanks for any help!
 
In
Joan said:
We have a Windows 2003 domain. There is also have a stand alone (not
a part of the domain) windows 2003 server. I have that server
pointing to my primary DNS in my domain. When you look at the host
record it has the fully qualified domain but that is not correct
because that server is not a part of the domain. Should I put DNS on
the stand alone box then point the primary to itself and the
secondary DNS to the domain.

We am experiencing inconsistent problems with page not found errors
in the web based application that is sitting on this stand alone box.
I have tested all hardware.

Thanks for any help!
Click to expand...

It is somewhat difficult to follow your post, it jumps around a bit, and is
doesn't provide any specific information with what you are tyring to do and
what is exactly happening, to help you, which is probably why no one else
has responded yet.

What exactly are you trying to accomplish or connect to? Is it an external
website or an internal website? Is the website you are trying to connect to
on this 2003 standalone machine (assuming IIS is installed and operational)
or another machine? What is the name of the website? Does that FQDN exist in
your DNS? Is it hostheader based?

We'll need more specific info to better help.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Sorry for the jumping around. The application/website is internal and
external. The box that the app is running on is fully contained. Win2003
Server, SQL, IIS, SSL. It is not a part of our corp. domain, it is a stand
alone workgroup. The name is https://cash.thefloridacenter.org.

In DNS, which is sitting on our domain, it is under the corp domain zone and
the FQDN is thefloridacenter.org. That is where I am confused because that
is not right, that machine is not a part of the domain. Internally though,
everything is working with DNS. I ran a FreePing all weekend and never had a
problem getting to the box by name or by IP.

On a side note, this server used to be a part of the domain with the same
server name. Is it possible that DNS still thinks it is a part of the domain?

I hope this clears it up a little...very sorry for the confusion.

Thank you very much for your help and time.
Joan
 
In
Joan said:
Sorry for the jumping around. The application/website is
internal and external. The box that the app is running
on is fully contained. Win2003 Server, SQL, IIS, SSL.
It is not a part of our corp. domain, it is a stand alone
workgroup. The name is
https://cash.thefloridacenter.org.

In DNS, which is sitting on our domain, it is under the
corp domain zone and the FQDN is thefloridacenter.org.
That is where I am confused because that is not right,
that machine is not a part of the domain. Internally
though, everything is working with DNS. I ran a FreePing
all weekend and never had a problem getting to the box by
name or by IP.

On a side note, this server used to be a part of the
domain with the same server name. Is it possible that
DNS still thinks it is a part of the domain?

I hope this clears it up a little...very sorry for the
confusion.

Thank you very much for your help and time.
Joan
Click to expand...

Whether the web server is part of the domain or not, if it is behind NAT and
has a private address, you must access it by the machine's private address
if you are also behind the same NAT device.
All local machines need to use the local DNS in order to access any other
machine behind NAT by a FQDN. On the local DNS server in
'thefloridacenter.org' forward lookup zone you will need a host record named
'cash' with the web server private IP address.
 
Thanks Kevin,

I do have an entry in my firewall to NAT the external IP to the internal IP.
I was just confused when adding the record in the "thefloridacenter.org" DNS
that is automatically created the FQDN as thefloridacenter.org...that is not
correct. It is just a workgroup server.

Thanks,
Joan
 
In
Joan said:
Thanks Kevin,

I do have an entry in my firewall to NAT the external IP
to the internal IP. I was just confused when adding the
record in the "thefloridacenter.org" DNS that is
automatically created the FQDN as
thefloridacenter.org...that is not correct. It is just a
workgroup server.
Click to expand...

One more time, whether it is a domain member or a workgroup server is not
relevant, if you want to access the server or any site on the server from
behind your firewall by the name 'cash.thefloridacenter.org', you will need
that record in your local DNS zone. One of the limitations of NAT is, you
cannot make an incoming connection on one of its public IPs if you are
behind the private side of the NAT device.
In other words, U-Turns are *not* permitted in NAT. Most firewalls use NAT,
some use a proxy. If the Firewall is a proxy server, U-Turns are permitted
in a Proxy server.
Unless I am misunderstanding your question, it is kind of hard to follow.
 
In
Joan said:
Sorry for the jumping around. The application/website is internal and
external. The box that the app is running on is fully contained.
Win2003 Server, SQL, IIS, SSL. It is not a part of our corp.
domain, it is a stand alone workgroup. The name is
https://cash.thefloridacenter.org.

In DNS, which is sitting on our domain, it is under the corp domain
zone and the FQDN is thefloridacenter.org. That is where I am
confused because that is not right, that machine is not a part of the
domain. Internally though, everything is working with DNS. I ran a
FreePing all weekend and never had a problem getting to the box by
name or by IP.

On a side note, this server used to be a part of the domain with the
same server name. Is it possible that DNS still thinks it is a part
of the domain?

I hope this clears it up a little...very sorry for the confusion.

Thank you very much for your help and time.
Joan
Click to expand...

Hi Joan,

No problem. I'm glad you gave us a little more to work with.

As Kevin stated, since the webserver is an internal server, and you are
tyring to access it from an internal machine, on your internal DNS, you MUST
use the private IP. The reason is because a NAT device (no matter what brand
name), cannot translate an internal request to it's outer WAN IP and back in
again. It's just a limitation.

Now if you are hosting the external domain with the external IP on your
internal server, then you will need a separate DNS to host the external
stuff, and a separate DNS server to host the internal names, since you
CANNOT mix internal private IPs and external public IPs under the same zone
name.

Ace
 
In
One more time, whether it is a domain member or a workgroup server is
not relevant, if you want to access the server or any site on the
server from behind your firewall by the name
'cash.thefloridacenter.org', you will need that record in your local
DNS zone. One of the limitations of NAT is, you cannot make an
incoming connection on one of its public IPs if you are behind the
private side of the NAT device.
In other words, U-Turns are *not* permitted in NAT. Most firewalls
use NAT, some use a proxy. If the Firewall is a proxy server, U-Turns
are permitted in a Proxy server.
Unless I am misunderstanding your question, it is kind of hard to
follow.
Click to expand...

U-turns? Interesting way to put it, but accurate! I think you got that from
your old trucking days!

:-)

Ace
 
In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]>
commented
Then Kevin replied below:
In

U-turns? Interesting way to put it, but accurate! I think
you got that from your old trucking days!
Click to expand...

You got that right!

Besides, If the firewall is worth its stuff, it would reject the packets as
spoofed packets, anyway.
 
In
Kevin D. Goodknecht Sr. said:
You got that right!

Besides, If the firewall is worth its stuff, it would reject the
packets as spoofed packets, anyway.
Click to expand...


I figured it was from your driving days!

Many a firewall we have to state to ignore that range in the rules, such as
a Cisco IOS IP access rules (the way I used to do it). Not sure about the
newer ones, but I would assume it would have to be stated. But that is for
inbound, not inside requests hitting the inside interface for the outside
WAN interface. As for NAT, all NATs don't allow U-Turns, just as a traffic
cop!

Ace
 
Whenever you set up DNS services on a server you always point the NIC to it's own dns server first.
Why are you not adding the stand-alone ot the domain?
Anyway, you can point the dns for stand-alone to itself, if it is running dns server services and then forward reqiests to the domain dns in the dns management



Patrick J Burwell
Support Analyst
 
We are keeping it stand alone because it is an application that we want to
easily add to ones environment with the least amount of intrusion to their
network or to our box.

I will try adding DNS to the stand alone box and then forward the requests
to the domain DNS.

Sorry I was not clear enough for some of you!! It just bothers me that the
problem is not consistant. I understand NAT fairly well, I was just driving
myself nuts that I had an entry under the domain dns zone that had the fqdn
which is incorecct.

Thank you all for your words and time!
Joan
 
In
Joan said:
We are keeping it stand alone because it is an application that we
want to easily add to ones environment with the least amount of
intrusion to their network or to our box.

I will try adding DNS to the stand alone box and then forward the
requests to the domain DNS.

Sorry I was not clear enough for some of you!! It just bothers me
that the problem is not consistant. I understand NAT fairly well, I
was just driving myself nuts that I had an entry under the domain dns
zone that had the fqdn which is incorecct.

Thank you all for your words and time!
Joan
Click to expand...

You are quite welcome.

Ace
 
Back
Top