
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Odd DNS issue in new network


Odd DNS issue in new network
P J Bryant 6/7/2007 4:49:00 PM
I know there's lots of info missing, but I'm looking for a prod in the right
direction at the moment, rather than a specific fix!

New network, just three boxes for now: DC, domain-joined ISA box (dual NIC,
external connection to ADSL router), member server (for VM). Servers are
bog-standard HP DL, fully up to date with firmware, and Windows 2003 SP2 server
installed via HP tools (so correct drivers loaded)
* DHCP and DNS setup and running (more later though)
* ISA Server configured for discovery and working
* NSLOOKUP working fine.
* Internet browsing through ISA all OK (using ISA client on machines)
* DHCP allocation to client all OK and the ISA WPAD entry is clearly working.

Not working:
* login times (except on DC) taking ages
* remote authentication requests (for share permissions, say) timing out
(errors in log [sorry, away from site so no event ID right now] which report
unable to authenticate, Kerberos)
* DNS updates to the forward lookup zone (unless I allow non-secure updates
when the HOST records are then entered).

It feels (and I stress feels!) like a firewall is in the way on the DC. But
there's nothing there to do that. Done plenty of googling, and nothing obvious
comes to light.

My one concern is that the HP teamed NIC might be doing something, so will
break the team next time I'm there, disable a NIC, and use a single NIC with
the same IP settings.

It's the sort of setup that works every time <g> and you can do in your
sleep <bg>, but this time it is not, and there's nothing I've done that varies
from the normal.

So if you have any suggestions please shout out!

Thanks, Peter
Re: Odd DNS issue in new network
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 6/7/2007 6:42:02 PM
Read inline please.

In news:1756BB58-06E5-42B5-BCB9-123FD00E568D[ at ]microsoft.com,
P J Bryant <PJBryant[ at ]discussions.microsoft.com> typed:

Long logon times typically indicate that you have incorrectly used a DNS
server in TCP/IP properties that does not support the AD domain. All DNS
servers listed in TCP/IP properties, on any NIC on an AD domain member must
support and resolve the AD domain.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


Re: Odd DNS issue in new network
P J Bryant 6/8/2007 8:51:00 AM
Thanks Kevin, we have got that one covered. The only location the ISP's DNS
servers are referenced is as a forwarder on the DNS server. And that's how
it was set up from scratch.

NSLOOKUP from client machines works fine for internal and external names.
The one symptom I've not yet understood (and hope may be a good clue) is the
fact that clients can only register with DNS when security is weakened from
secure only to non-secure and secure.

The one thing I've not checked so far (and will on Tuesday when I go back on
site) is that there is not a typo somewhere in the system. The internal
range is 192.168.74.x and the ISP range starts 194. It's possible somewhere
there's a 194 instead of 192, but on the first pass yesterday it all looked
good. I'm considering a change to 172.16 just to make things clearer <g>

I mistakenly thought I'd lost this post last night, so there's a second
thread. I'll post this to it as well, and transfer to that one.

Thanks, Peter

Re: Odd DNS issue in new network
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 6/8/2007 12:37:53 PM
Read inline please.

In news:3A9526BC-FD69-497E-8C0A-E4D22DB162C3[ at ]microsoft.com,
P J Bryant <PJBryant[ at ]discussions.microsoft.com> typed:

Check that your DC's primary DNS suffix matches the AD domain name and the
name of your forward lookup zone in DNS.
If this is Win2k3 and you let dcpromo set up the zone in DNS, you should
have two zones in DNS, one <ADDNSDomainName> and one
_msdcs.<ADDNSForestName>. You should also have a delegation in the
<ADDNSDomainName> named _msdcs, with NS records for all Domain Controllers
in the Forest.

Install the Support Tools from the CD and run the CMD Line netdiag /fix and
dcdiag /fix



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps



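Kevin's two replies boil down to checks that can be scripted: every DNS server listed on any NIC of a domain member must answer for the AD domain (first reply), and the DC's primary DNS suffix must match the AD domain name and the forward lookup zone, with an _msdcs.<forest> zone or an _msdcs delegation whose NS records name every DC (second reply). The script below is an added example, not code from the thread, from Microsoft, or from any tool Kevin names. It assumes a single-domain forest (so the forest DNS name equals the domain DNS name) and a Windows version with the DnsClient and DnsServer PowerShell modules (Windows 8 / Server 2012 or later); on the Windows 2003 servers in the thread you would use nslookup, netdiag /fix and dcdiag /fix instead, as Kevin suggests. Interface aliases, server addresses and DC names are whatever the machine it runs on reports.

```powershell
# Added example; not part of the thread and not Microsoft's code.
# Assumptions: single-domain forest (forest name == domain name);
# DnsClient / DnsServer cmdlets available (Windows 8 / Server 2012 or later).
# On the thread's Windows 2003 boxes, netdiag /fix and dcdiag /fix cover the same ground.

$ErrorActionPreference = 'Stop'

# --- Kevin's second check: primary DNS suffix must equal the AD DNS domain name ---
$adDomain  = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$tcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dnsSuffix = (Get-ItemProperty -Path $tcpipKey).Domain        # primary DNS suffix
if ($dnsSuffix -eq $adDomain) {
    Write-Host "OK: primary DNS suffix matches AD domain ($adDomain)"
} else {
    Write-Warning "Primary DNS suffix '$dnsSuffix' does not match AD domain '$adDomain'"
}

$forest    = $adDomain                         # assumption: single-domain forest
$dcLocator = "_ldap._tcp.dc._msdcs.$forest"    # SRV record clients use to find a DC

# --- Kevin's first check: every DNS server on every NIC must resolve the AD domain ---
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($nic in $nics) {
    foreach ($ip in $nic.ServerAddresses) {
        try {
            # Ask the server directly, bypassing the local cache and hosts file.
            $null = Resolve-DnsName -Name $adDomain  -Type SOA -Server $ip -DnsOnly
            $srv  = Resolve-DnsName -Name $dcLocator -Type SRV -Server $ip -DnsOnly |
                    Where-Object { $_.Type -eq 'SRV' }
            $dcs  = ($srv | ForEach-Object { $_.NameTarget }) -join ', '
            Write-Host ("OK: {0} on '{1}' serves {2}; DCs: {3}" -f $ip, $nic.InterfaceAlias, $adDomain, $dcs)
        } catch {
            # A resolver that cannot answer for the AD domain (an ISP server, a mistyped
            # address) is the misconfiguration behind the slow logons Kevin describes:
            # the client waits on it before it ever finds a DC.
            Write-Warning ("{0} on '{1}' does not serve {2}: {3}" -f $ip, $nic.InterfaceAlias, $adDomain, $_.Exception.Message)
        }
    }
}

# --- Kevin's zone layout check, only meaningful when run on the DNS server itself ---
# Expect a zone for the domain plus either a separate _msdcs.<forest> zone or an
# _msdcs delegation inside the domain zone whose NS records name every DC.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    $zones = (Get-DnsServerZone).ZoneName
    foreach ($z in @($adDomain, "_msdcs.$forest")) {
        if ($zones -contains $z) { Write-Host "OK: zone $z present" }
        else                     { Write-Warning "Zone $z is missing (dcpromo on Win2k3 normally creates it)" }
    }
    # Whether _msdcs is a separate zone or a delegation, the local server must
    # return NS records for it naming the DCs.
    $ns = Resolve-DnsName -Name "_msdcs.$forest" -Type NS -Server 127.0.0.1 -DnsOnly |
          Where-Object { $_.Type -eq 'NS' }
    Write-Host ("NS for _msdcs.{0}: {1}" -f $forest, (($ns | ForEach-Object { $_.NameHost }) -join ', '))
}
```

Run it elevated on the DC first, then on a client that shows the slow logon. Any resolver that fails the SOA or SRV lookup is the kind of entry Kevin's first reply warns about, whatever the TCP/IP properties look like at a glance. The secure dynamic update symptom fits the same picture: Windows secure updates are authenticated with GSS-TSIG, which needs a Kerberos ticket for the DNS server obtained from a DC the client locates through those SRV records, so a client that cannot reach a DC through its configured resolver fails the secure registration along with the Kerberos authentication Peter sees timing out, and only succeeds once non-secure updates are allowed.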