Win2003 DNS. Works fine from DNS Server, but not from clients.

Windows 2003 DNS in Active Directory Domain. XP Pro clients in workgroup.
Set up DNS using Minasi's suggestions. NSlookup from server works fine for
local FQDNames as well as ones from the Inet. DNS lookups fail from clients.
Running Wireshark on DNS server, the clients are making DNS requests, and
they're reaching the network interface on the DNS server, but the DNS server
is ignoring them.

What did I miss?

The NSlookup on the clients is being directed to the right ip address. Also
the ip address of the DNS Server is pingable from the clients. If I NSlookup
the FQDN of the clients or of the client IP address, the DNS does the correct
translation.

Thanks
Rog

"Roger Smith III" <> wrote in message news:B93DCDDC-7398-47BB-B941-...
> Windows 2003 DNS in Active Directory Domain. XP Pro clients in workgroup.
> Set up DNS using Minasi's suggestions. NSlookup from server works fine for
> local FQDNames as well as ones from the Inet. DNS lookups fail from clients.
> Running Wireshark on DNS server, the clients are making DNS requests, and
> they're reaching the network interface on the DNS server, but the DNS server
> is ignoring them.
>
> What did I miss?
>
> The NSlookup on the clients is being directed to the right ip address. Also
> the ip address of the DNS Server is pingable from the clients. If I NSlookup
> the FQDN of the clients or of the client IP address, the DNS does the correct
> translation.
>
> Thanks
> Rog

Interesting issue, and I'm not sure what suggestions from Minasi you followed. Usually you simply setup a DNS server, and set this server's IP address in a client, and it will work.

It also depends on how you are trying to resolve queires, eg. using single name or the FQDN, and what search suffixes are set on the client side trying to resolve authorative records, or if you are trying to resolve internet records (you didn't specify which).

It also depends on how many interfaces are on the DNS server and zones its authorative for.

Therefore to better assist and diagnose this issue, please post the following:

1. Unedited ipconfig /all from the server
2. Unedited ipconfig /all from the XP client
3. What zones have been created on the DNS server
4. Examples of how you are using nslookup querying the following:
> hostname
> hostname.domainname.com
> set q=ns
> domain.com
5. Ping example by pinging the following:
hostname
hostname.domainname.com

If you can't provide the info, it will make it a bit difficult to assist.

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer

http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Not sure if the last reply made it. The problem was the MS firewall running
on the DNS server. Turned off the firewall, and DNS worked fine from the
client. NSLookups on the server originated on the server, and thus weren't
blocked by the firewall. Not sure why DNS didn't open necessary ports when I
installed the DNS.

Need to find out if there are similar problems with Active Directory comms
or Domain comms getting through the firewall, and need to find out if there
is a way to log what is getting blocked by the firewall. Also need to figure
out what ports to allow in order to get this to work.

Rog



"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Roger Smith III" <> wrote in message news:B93DCDDC-7398-47BB-B941-...
> > Windows 2003 DNS in Active Directory Domain. XP Pro clients in workgroup.
> > Set up DNS using Minasi's suggestions. NSlookup from server works fine for
> > local FQDNames as well as ones from the Inet. DNS lookups fail from clients.
> > Running Wireshark on DNS server, the clients are making DNS requests, and
> > they're reaching the network interface on the DNS server, but the DNS server
> > is ignoring them.
> >
> > What did I miss?
> >
> > The NSlookup on the clients is being directed to the right ip address. Also
> > the ip address of the DNS Server is pingable from the clients. If I NSlookup
> > the FQDN of the clients or of the client IP address, the DNS does the correct
> > translation.
> >
> > Thanks
> > Rog
>
> Interesting issue, and I'm not sure what suggestions from Minasi you followed. Usually you simply setup a DNS server, and set this server's IP address in a client, and it will work.
>
> It also depends on how you are trying to resolve queires, eg. using single name or the FQDN, and what search suffixes are set on the client side trying to resolve authorative records, or if you are trying to resolve internet records (you didn't specify which).
>
> It also depends on how many interfaces are on the DNS server and zones its authorative for.
>
> Therefore to better assist and diagnose this issue, please post the following:
>
> 1. Unedited ipconfig /all from the server
> 2. Unedited ipconfig /all from the XP client
> 3. What zones have been created on the DNS server
> 4. Examples of how you are using nslookup querying the following:
> > hostname
> > hostname.domainname.com
> > set q=ns
> > domain.com
> 5. Ping example by pinging the following:
> hostname
> hostname.domainname.com
>
> If you can't provide the info, it will make it a bit difficult to assist.
>
> Thank you,
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
>
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
>
>

I figured out what was causing the problem (after a good night's sleep), but
am not sure why it was causing the problem.

Enabled DNS logging on the DNS server (DNS Snap in, properties of the DNS
server in question, and then to the logging tab). Noticed that the server
nslookups were logging fine, but nothing was showing up from the client.

Wireshark was showing the DNS requests at the network card of the server, so
obviously something was preventing the DNS requests from getting to the DNS
server service.

The answer turned out to be the MS Firewall, which was enabled. Turned off
the firewall, and DNS worked fine.

The question is, doesn't DNS open the necessary ports through the MS
firewall when you enable the service, or do I have to manually allow DNS
traffic through the firewall? Does this also apply to Domain / Active
Directory communications too - do I have to manually allow these? Need to
find out if there is a way to log the firewall activity so that I can see
what is getting blocked.

Rog






"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Roger Smith III" <> wrote in message news:B93DCDDC-7398-47BB-B941-...
> > Windows 2003 DNS in Active Directory Domain. XP Pro clients in workgroup.
> > Set up DNS using Minasi's suggestions. NSlookup from server works fine for
> > local FQDNames as well as ones from the Inet. DNS lookups fail from clients.
> > Running Wireshark on DNS server, the clients are making DNS requests, and
> > they're reaching the network interface on the DNS server, but the DNS server
> > is ignoring them.
> >
> > What did I miss?
> >
> > The NSlookup on the clients is being directed to the right ip address. Also
> > the ip address of the DNS Server is pingable from the clients. If I NSlookup
> > the FQDN of the clients or of the client IP address, the DNS does the correct
> > translation.
> >
> > Thanks
> > Rog
>
> Interesting issue, and I'm not sure what suggestions from Minasi you followed. Usually you simply setup a DNS server, and set this server's IP address in a client, and it will work.
>
> It also depends on how you are trying to resolve queires, eg. using single name or the FQDN, and what search suffixes are set on the client side trying to resolve authorative records, or if you are trying to resolve internet records (you didn't specify which).
>
> It also depends on how many interfaces are on the DNS server and zones its authorative for.
>
> Therefore to better assist and diagnose this issue, please post the following:
>
> 1. Unedited ipconfig /all from the server
> 2. Unedited ipconfig /all from the XP client
> 3. What zones have been created on the DNS server
> 4. Examples of how you are using nslookup querying the following:
> > hostname
> > hostname.domainname.com
> > set q=ns
> > domain.com
> 5. Ping example by pinging the following:
> hostname
> hostname.domainname.com
>
> If you can't provide the info, it will make it a bit difficult to assist.
>
> Thank you,
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
>
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
>
>

In news:46DAAD51-1B45-481C-B441-,
Roger Smith III <>, posted the following, which I replied to down below...: Hello Roger Smith III
> I figured out what was causing the problem (after a good night's
> sleep), but am not sure why it was causing the problem.
>
> Enabled DNS logging on the DNS server (DNS Snap in, properties of the
> DNS server in question, and then to the logging tab). Noticed that
> the server nslookups were logging fine, but nothing was showing up
> from the client.
>
> Wireshark was showing the DNS requests at the network card of the
> server, so obviously something was preventing the DNS requests from
> getting to the DNS server service.
>
> The answer turned out to be the MS Firewall, which was enabled.
> Turned off the firewall, and DNS worked fine.
>
> The question is, doesn't DNS open the necessary ports through the MS
> firewall when you enable the service, or do I have to manually allow
> DNS traffic through the firewall? Does this also apply to Domain /
> Active Directory communications too - do I have to manually allow
> these? Need to find out if there is a way to log the firewall
> activity so that I can see what is getting blocked.
>
> Rog

That's one of the last questions, if at all, that I would ask, because it is not recommended to turn on the local Windows firewall for numerous reasons, on a server. The common thought is to rely on your edge server.

But I am glad you figured it out, and no, the DNS server will not punch a hole in the wall.

Ace

"Roger Smith III" <> wrote in message news:0F9A8B8B-05DA-48D7-8A5B-...
> Thanks!
>
> Rog
>
>

My Pleasure!

Ace