Windows 2003 server, DNS forwarding to internet not working

Discussion in 'Server Networking' started by kiln, Feb 25, 2006.

  1. kiln

    kiln Guest

    I have a windows 2003 std server that currently is a member of a
    workgroup AT, as are the xp workstations. I'm trying to get ready to
    install AD but first DHCP and DNS. DHCP works fine. LAN pc names are
    resolved by the DNS service but the workstations cannot browse to the
    internet (server can).

    Setup:
    Firewall (smoothwall) ip 192.168.0.1 (dhcp service turned off)

    Win2003 server std, one nic.
    IP 192.168.0.10 /24
    default gateway 192.168.0.1 (ie firewall)
    pref dns server (my isp's dns server address
    this win2003 server can browse the internet fine.
    dhcp service scope range 192.168.0.100 192.168.0.200

    All xp workstation are set to auto obtain ip and pref dns server.

    Switch joins firewall, server, workstations.

    Server and workstations can ping each other and the firewall fine.

    I've been using whatever.local at the machine name suffix, I think I
    need to do that (at the ws and server dialogs for network identity) but
    it's a point of confusion.

    I've run the DNS wizard many times, it seems straightforward. Does
    resolve local pc names so that part is ok. Steps:

    Choose to create a forward lookup zone
    This server maintains the zone
    Zone name set to whatever.local
    Accept default for zone file name
    Have variously opted to allow or disallow dynamic updates
    Forward requests that this server cannot handle to: (my isp's dns server
    ip)

    I am sure it's something simple that I'm missing, hopefully someone can
    spot it?
     
    kiln, Feb 25, 2006
    #1

  2. kiln

    Bill Grant Guest

    Install DNS on the server. Create a zone on it for your local network.
    Set all the workstations and the server itself to use this server as their
    preferred (preferably only) DNS server. Set the DNS server to forward to a
    public DNS (such as your ISP).
     
    Bill Grant, Feb 25, 2006
    #2

  3. kiln

    network_out Guest

    Thanks Bill. As far as I can tell I've done all of that. The ws report
    the server ip as the DNS server. Forwarding for dns that the server
    cannot handle is pointed to the isp dns server. I'm not sure if you read
    all that I wrote, I know it's kind of long, but something in the details
    of what I laid out must be wrong.
     
    network_out, Feb 26, 2006
    #3
  4. kiln

    network_out Guest

    Is there any chance that I'm missing a network element, something like a
    router? I have a switch connecting the various boxes. I'm reading some
    notes that seem to indicate that things might turn out as I see them if
    I don't have a NAT/PAT router, I don't. Well I do, a wireless linksys
    cable modem router but that's only being used for WAP.
     
    network_out, Feb 26, 2006
    #4
  5. In
    Actually I read it and you stated:
    The thing that I see wrong, which you may have missed, which seems apparent
    to your response to Bill, is you stated:
    "> pref dns server (my isp's dns server address". That tells me that you are
    mixing the DNS addresses in IP properties. What Bill stated is to ONLY use
    the internal DNS, that's it. As long as the client is set to use this too,
    as you stated, that's cool.

    For this:
    "> default gateway 192.168.0.1 (ie firewall)"
    Is that your Linksys NAT router, or whatever name brand? I am assuming the
    NAT/router is connected to your ISP (cable or DSL) and that performs NAT and
    the internal interface is plugged into the switch all other machines are
    plugged into.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer
    Assimilation Imminent. Resistance is Futile
    Infinite Diversities in Infinite Combinations

    "Very funny Scotty. Now, beam down my clothes."

    The only thing in life is change. Anything more is a blackhole consuming
    unnecessary energy.
     
    Ace Fekay [MVP], Feb 26, 2006
    #5
  6. kiln

    network_out Guest

    Hi Ace and thanks for responding.

    So, for the server nic, do not use the isp dns server address for
    preferred dns server? I'll change that (thought Bill meant the ws to be
    like that).

    The firewall is a smoothwall (as I mentioned but maybe you didn't know
    what that was). Smoothwall is an open source project that uses a stripped
    down version of FreeBSD running on an old pc with three nics (lan,
    internet, and dmz). It has a static ip of 192.168.0.1.

    Separately I have a linksys router cable modem but it's actually not
    connected...of course it used to be how I connected to the internet.
    Maybe I need to use it as a router?
     
    network_out, Feb 26, 2006
    #6
  7. kiln

    network_out Guest

    Sorry, the server nic was already set to use its own ip as the pref dns
    server. So are the workstations. Still can't browse to the internet from
    the workstations.
     
    network_out, Feb 26, 2006
    #7
  8. In
    I've heard of Smoothwall. I've used a FreeBSD firewall as an arp only
    (bridge) firewall. No ip addresses on it. It can scan packets for rules
    without the threat of an attacker hurting it because it has NO IP addresses
    on it.

    Can you access the internet from the BSD machine? If not, I may be thinking
    traffic's being blocked. Double check your rules.

    I am assuming the smoothwall is also your NAT device connected to the
    router, DSL modem or cable modem (whatever you have)?

    Let's try to simplify it with a basic graphic on what you have. Can you
    describe the connections in more detail please, such as:

    cable modem -> smoothwall -> internal network.

    Internal network has:
    - Win2003 Domain Controller
    - XP Clients


    And yes, ALL machines in an AD environment MUST only use the internal DNS.
    This also abides by best practices for a non-AD network for your internal DNS to
    control resolution. Configure a forwarder for efficient internet resolution.
    DNS traffic must be allowed by the firewall inbound/outbound from the DNS
    server.

    Ace
     
    Ace Fekay [MVP], Feb 26, 2006
    #8
  9. kiln

    Bill Grant Guest

    Have you checked to see whether it is DNS or routing? Can you ping a public
    IP from a workstation? What about nslookup from a workstation?
     
    Bill Grant, Feb 26, 2006
    #9
  10. kiln

    network_out Guest

    Hi - no I'm not able to ping a public ip addr from a workstation.
    nslookup does work. I've only used nslookup a couple of times so I'm not
    sure what it implies about my issues.

    Thanks
     
    network_out, Feb 26, 2006
    #10
  11. kiln

    network_out Guest

    Thanks Ace

    I can get to the internet from both the firewall and the server. Only
    the workstations are unable. Yes the smoothwall is connected the cable
    modem.

    internet
    |
    smoothwall
    |
    switch
    | \
    server all workstations

    So server and xp ws are all right off of the switch.

    Prior to my current attempts I had smoothwall as the dhcp server and all
    boxes were able to get to the internet. DHCP is now via server.

    I mentioned in another post, am I missing an element? Router or
    something? Will the config I have work?
     
    network_out, Feb 26, 2006
    #11
  12. In
    Lack of pinging indicates blocked ICMP. Nonetheless, attempting to ping a
    name should resolve it. When you ping from the workstation, ping using a
    public name, such as www.macromedia.com. Tell us if it at least resolves the
    name to an IP.


    Example using nslookup in batch mode querying www.microsoft.com:
    ===================================
    C:\>nslookup
    Default Server: london.nwtraders.msft
    Address: 192.168.5.200

    (at the next prompt line signified by the ">" symbol, type in
    www.microsoft.com and the results will follow below)
    Server: london.nwtraders.msft
    Address: 192.168.5.200

    Non-authoritative answer:
    Name: lb1.www.ms.akadns.net
    Addresses: 207.46.19.30, 207.46.20.60, 207.46.20.30, 207.46.18.30
    207.46.198.60, 207.46.19.60, 207.46.199.60, 207.46.198.30
    Aliases: www.microsoft.com, toggle.www.ms.akadns.net
    g.www.ms.akadns.net
    ===================================


    If it cannot resolve www.microsoft.com, then it's indicating DNS traffic is
    being blocked. Now if you are only using the server's IP for DNS in the
    workstations, I would suggest to double check if DNS traffic (TCP and UDP
    53) is allowed in/out from the server. But since you said the server works,
    then do you allow HTTP and HTTPS traffic to the internal network? I assume
    the gateway on the workstations is the Smoothwall.

    Ace
     
    Ace Fekay [MVP], Feb 26, 2006
    #12
  13. In
    It should work. This is a simple network design. I assume when you switched
    over DHCP, that the scope or server options are set to give the workstations
    the correct config, such as internal server for DNS (Option 006) and the
    gateway (Option 003) being the Smoothwall?

    Ace
     
    Ace Fekay [MVP], Feb 26, 2006
    #13
  14. kiln

    network_out Guest

    OK, from the workstation, ping of www.google.com does return the ip
    address but also 'destination host unreachable'. Ping of the ip address
    results in 'destination host unreachable'.

    Today, when I run nslookup, I get

    ***Can't find server name for address 192.168.0.10: non-existent domain
    ***Default servers are not available
    Default server: unknown
    Address: 192.168.0.10

    I can ping 192.168.0.10 from the ws. Didn't see this error yesterday
    with nslookup. using nslookup on www.microsoft.com:
    server: unknown
    address: 192.168.0.10

    Name: www.microsoft.com
    address: 63.219.151.20

    Re the second part of your message (and thanks for helping) yes the ws
    has the def dns server listed as the server ip (192.168.0.10). However
    no def gateway address is listed. I have the auto assign ip address
    option selected and that disables the def gateway field.

    I am able to browse the internet from the server. I'm not sure how to
    check to see if http etc traffic is allowed with the internal network?
     
    network_out, Feb 27, 2006
    #14
  15. kiln

    network_out Guest

    In the dhcp area there are only two entries

    06 dns servers 192.168.0.10
    15 dns domain name whatever.local

    you mentioned 03 as gateway, on my system 03 is router. Wasn't listed, I
    added it with the ip addr of smoothwall, and suddenly I can get to the
    internet from the ws!

    Now, I actually changed two things before rebooting the ws and it
    worked. #1 added the 03 router listing above. #2 on the ws I added the
    prefix whatever.local to the computer name. I'm not sure which impacted,
    maybe both?

    (I still get the nslookup err mentioned in my other post to you)

    Thank you
     
    network_out, Feb 27, 2006
    #15
  16. In
    006 did the trick. The workstation never had a gateway (the router's)
    address. That is REQUIRED in any ipconfig to get off the network otherwise,
    how would it know how?

    :)

    Ace
     
    Ace Fekay [MVP], Feb 28, 2006
    #16
  17. In network_out <none.none.none> stated, which I commented on below:

    I'm sorry, I meant: 003, the gateway address. 006 is DNS.

    Ace
     
    Ace Fekay [MVP], Feb 28, 2006
    #17
  18. In

    This part:
    Means you have no reverse zone created for 192.168.0.x with a PTR for the
    FQDN of the server. Create a reverse zone to eliminate this message (it's
    not an error).

    To check if HTTP traffic is working, just open a browser, unless I'm missing
    what you're asking.

    Ace
     
    Ace Fekay [MVP], Feb 28, 2006
    #18
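    The two fixes the thread converges on (DHCP option 003 in posts #13/#15, and a reverse zone with a PTR for the server in post #18), as an added worked example typed on the Windows 2003 server; this is not code from the thread. It assumes the scope is 192.168.0.0/24, the server is 192.168.0.10 with the hypothetical name server1.whatever.local, the Smoothwall gateway is 192.168.0.1, the ISP forwarder is the placeholder 203.0.113.53, and dnscmd.exe from the Windows Support Tools is installed.

```batch
@echo off
rem Added example, not from the thread. Assumed values: scope 192.168.0.0/24,
rem server 192.168.0.10 = server1.whatever.local (hypothetical name),
rem gateway 192.168.0.1 (Smoothwall), ISP forwarder 203.0.113.53 (placeholder).

rem 1. Show what the scope currently hands out. In the thread only
rem    006 (DNS Servers) and 015 (DNS Domain Name) were present.
netsh dhcp server scope 192.168.0.0 show optionvalue

rem 2. Add option 003 (Router) so clients receive a default gateway, and make
rem    sure 006 (DNS Servers) lists only the internal DNS server.
netsh dhcp server scope 192.168.0.0 set optionvalue 003 IPADDRESS 192.168.0.1
netsh dhcp server scope 192.168.0.0 set optionvalue 006 IPADDRESS 192.168.0.10

rem 3. Forward queries the server is not authoritative for to the ISP resolver.
dnscmd /ResetForwarders 203.0.113.53

rem 4. Create the reverse zone and a PTR for the server so nslookup no longer
rem    prints "Can't find server name for address 192.168.0.10".
dnscmd /ZoneAdd 0.168.192.in-addr.arpa /Primary /file 0.168.192.in-addr.arpa.dns
dnscmd /RecordAdd 0.168.192.in-addr.arpa 10 PTR server1.whatever.local.

rem 5. Verification on a workstation (run these there, not on the server):
rem    ipconfig /release & ipconfig /renew & ipconfig /all
rem       -> Default Gateway 192.168.0.1 and DNS Servers 192.168.0.10 expected
rem    nslookup www.microsoft.com      -> answer with no "unknown" server = DNS ok
rem    ping -n 1 192.168.0.1           -> gateway reachable on the LAN
rem    tracert -d www.microsoft.com    -> first hop 192.168.0.1 = routing ok
rem    If names resolve but the tracert dies at hop 1, the Smoothwall rules
rem    for the LAN interface, not DNS, are what to check next.
```

    The step 5 checks separate a DNS failure from a routing failure, which is the distinction Bill raised in post #9.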