Windows 2003 server, DNS forwarding to internet not working

I have a windows 2003 std server that currently is a member of a
workgroup AT, as are the xp workstations. I'm trying to get ready to
install AD but first DHCP and DNS. DHCP works fine. LAN pc names are
resolved by the DNS service but the workstations cannot browse to the
internet (server can).

Setup:
Firewall (smoothwall) ip 192.168.0.1 (dhcp service turned off)

Win2003 server std, one nic.
IP 192.168.0.10 /24
default gateway 192.168.0.1 (ie firewall)
pref dns server (my isp's dns server address
this win2003 server can browse the internet fine.
dhcp service scope range 192.168.0.100 192.168.0.200

All xp workstation are set to auto obtain ip and pref dns server.

Switch joins firewall, server, workstations.

Server and workstations can ping each other and the firewall fine.

I've been using whatever.local at the machine name suffix, I think I
need to do that (at the ws and server dialogs for network identity) but
it's a point of confusion.

I've run the DNS wizard many times, it seems straightforward. Does
resolve local pc names so that part is ok. Steps:

Choose to create a forward lookup zone
This server maintains the zone
Zone name set to whatever.local
Accept default for zone file name
Have variously opted to allow or disallow dynamic updates
Forward requests that this server cannot handle to: (my isp's dns server
ip)

I am sure it's something simple that I'm missing, hopefully someone can
spot it?

 

Install DNS on the server. Create a zone on it for your local network.
Set all the workstations and the server itself to use this server as their
preferred (preferably only) DNS server. Set the DNS server to forward to a
public DNS (such as your ISP).

 

Thanks Bill. As far as I can tell I've done all of that. The ws report
the server ip as the DNS server. Forwarding for dns that the server
cannot handle is pointed to the isp dns server. I'm not sure if you read
all that I wrote, I know it's kind of long, but something in the details
of what I laid out must be wrong.

 

Is there any chance that I'm missing a network element, something like a
router? I have a switch connecting the various boxes. I'm reading some
notes that seem to indicate that things might turn out as I see them if
I don't ahve a NAT/PAT router, I don't. Well I do, a wireless linksys
cable modem router but that's only being used for WAP.

 

In

Actually I read it and you stated:

The thing that I see wrong, which you may have missed, which seems apparent
to your response to Bill, is you sated:
"> pref dns server (my isp's dns server address". That tells me that you are
mixing the DNS addresses in IP properties. What Bill stated is to ONLY use
the internal DNS, that's it. As long as the client is set to use this too,
as you stated, that's cool.

For this:
"> default gateway 192.168.0.1 (ie firewall)"
Is that your Linksys NAT router, or whatever name brand? I am assuming the
NAT/router is connected to your ISP (cable or DSL) and that performs NAT and
the internal interface is plugged into the switch all other machines are
plugged into.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile
Infinite Diversities in Infinite Combinations

"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy.

 

Hi Ace and thanks for responding.

So, for the server nic, do not use the isp dns server address for
preferred dns server? I'll change that (thought Bill meant the ws to be
like that).

The firewall is a smoothwall (as I mentioned but maybe you didn't know
what that was) Smoothwal is an open source project that uses a stripped
down version of FreeBSD running on an old pc with three nics (lan,
internet, and dmz). It has a static ip of 192.168.0.1.

Separately I have a linksys router cable modem but it's actually not
connected...of course it used to be how I connected to the internet.
Maybe I need to use it as a router?

 

Sorry, the server nic was already set to use it's own ip as the pref dns
server. So are the workstations. Still can't browse to the internet from
the workstations.

 

In

I've heard of Smoothwall. I've used a FreeBSD firewall as an arp only
(bridge) firewall. No ip addresses on it. It can scan packets for rules
without the threat of an attacker hurtin git because it has NO IP addresses
on it.

Can you access the internet from the BSD machine? If not, I may be thinking
traffic's being blocked. Double check your rules.

I am assuming the smoothwall is also your NAT device connected to the
router, DSL modem or cable modem (whatever you have)?

Let's try to simplify it with a basic graphic on what you have. Can you
describe the connections in more detail please, such as:

cable modem -> smoothwall -> internal network.

Internal network has:
- Win2003 DOmain Controller
- XP Clients


And yes, ALL machines in an AD environment MUST only use the internal DNS.
This also bades best practices for a non-AD network for your internal DNS to
control resolution. Configure a forwarder for efficient internet resolution.
DNS traffic must be allowed by the firewall inbound/outbound from the DNS
server.

Ace

 

Have you checked to see whether it is DNS or routing? Can you ping a public
IP from a workstation? What about nslookup from a workstation?

 

Hi - no I'm not able to ping a public ip addr from a workstation.
nslookup does work. I've only used nslookup a couple of times so I'm not
sure what it implies about my issues.

Thanks

 

Thanks Ace

I can get to the internet from both the firewall and the server. Only
the workstations are unable. Yes the smoothwall is connected the cable
modem.

internet
|
smoothwall
|
switch
| \
server all workstations

So server and xp ws are all right off of the switch.

Prior to my current attempts I had smoothwall as the dhcp server and all
boxes were able to get to the internet. DHCP is now via server.

I mentioned in another post, am I missing an element? Router or
something? Will the config I have work?

 

In

Lack of pinging indicates blocked ICMP. Nonetheless, attempting to ping a
name should resolve it. When you ping from the workstation, ping using a
public name, such as www.macromedia.com. Tell us if it at least resolves the
name to an IP.


Example using nslookup in batch mode querying www.microsoft.com:
===================================
C:\>nslookup
Default Server: london.nwtraders.msft
Address: 192.168.5.200

(at the next prompt line signified by the ">" symbol, type in
www.microsoft.com and the results will follow below)

Server: london.nwtraders.msft
Address: 192.168.5.200

Non-authoritative answer:
Name: lb1.www.ms.akadns.net
Addresses: 207.46.19.30, 207.46.20.60, 207.46.20.30, 207.46.18.30
207.46.198.60, 207.46.19.60, 207.46.199.60, 207.46.198.30
Aliases: www.microsoft.com, toggle.www.ms.akadns.net
g.www.ms.akadns.net

===================================


If it cannot resolve www.microsoft.com, then it's indicating DNS traffic is
being blocked. Now if you are only using the server's IP for DNS in the
workstations, I would suggest to double check if DNS traffic (TCP and UDP
53) is allowed in/out from the server. But since you said the server works,
then do you allow HTTP and HTTPS traffic to the internal network? I assume
the gateway on the workstations is the Smoothwall.

Ace

 

In

It should work. This is a simple network design. I assume when you switched
over DHCP, that the scope or server options are set to give the workstations
the correct config, such as internal server for DNS (Option 006) and the
gateway (Option 003) being the Smoothwall?

Ace

 

OK, from the workstation, ping of www.googlecom does return the ip
address but also 'destination host unreachable'. Ping of the ip address
results in 'destination host unreachable'.

Today, when I run nslookup, I get

***Can't find server name for address 192.168.0.10: non-existent domain
***Default servers are not available
Default server: unknown
Address: 192.168.0.10

I can ping 192.168.0.10 from the ws. Didn't see this error yesterday
with nslookup. using nslookup on www.microsoft.com:

server: unknown
address: 192.168.0.10

Name: www.microsoft.com
address: 63.219.151.20

Re the second part of your message (and thanks for helping) yes the ws
has the def dns server listed as the server ip (192.168.0.10). However
no def gateway address is listed. I have the auto assign ip address
option selected and that diables the def gateway field.

I am able to browse the internet from the server. I'm not sure how to
check to see if http etc traffic is allowed with the internal network?

 

In the dhcp area there are only two entries

06 dns servers 192.168.0.10
15 dns domain name whatever.local

you mentioned 03 as gateway, on my system 03 is router. Wasn't listed, I
added it with the ip addr of smoothwall, and suddenly I can get to the
internet from the ws!

Now, I actually changed two things before rebooting the ws and it
worked. #1 added the 03 router listing above. #2 on the ws I added the
prefix whatever.local to the computer name. I'm not sure which impacted,
maybe both?

(I still get the nslookup err mentioned in my other post to you)

Thank you

 

In

006 did the trick. The workstation never had a gateway (the router's)
address. That is REQUIRED in any ipconfig to get off the network otherwise,
how would it know how?



Ace

 

In network_out <none.none.none> stated, which I commented on below:

I'm sorry, I meant: 003, the gateway address. 006 is DNS.

Ace

 

In

This part:

Means you have no reverse zone created for 192.168.0.x with a PTR for the
FQDN of the server. Create a reverse zone to eliminate this message (it's
not an error).

To check if HTTP traffic is working, just open a browser, unless I'm missing
what you're asking.

Ace