Possible DNS problem

joan

Distinguished
Apr 2, 2004
41
0
18,530
Archived from groups: microsoft.public.win2000.dns (More info?)

We have a Windows 2003 domain. There is also a stand alone (not a part
of the domain) Windows 2003 server. I have that server pointing to my
primary DNS in my domain. When you look at the host record it has the fully
qualified domain but that is not correct because that server is not a part of
the domain. Should I put DNS on the stand alone box then point the primary
to itself and the secondary DNS to the domain?

We are experiencing inconsistent problems with page not found errors in the
web based application that is sitting on this stand alone box. I have tested
all hardware.

Thanks for any help!
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:3546D527-BE81-433A-A229-D2F249A299AD@microsoft.com,
Joan <Joan@discussions.microsoft.com> made a post then I commented below
> We have a Windows 2003 domain. There is also a stand alone (not
> a part of the domain) Windows 2003 server. I have that server
> pointing to my primary DNS in my domain. When you look at the host
> record it has the fully qualified domain but that is not correct
> because that server is not a part of the domain. Should I put DNS on
> the stand alone box then point the primary to itself and the
> secondary DNS to the domain.
>
> We are experiencing inconsistent problems with page not found errors
> in the web based application that is sitting on this stand alone box.
> I have tested all hardware.
>
> Thanks for any help!

It is somewhat difficult to follow your post, it jumps around a bit, and
doesn't provide any specific information with what you are trying to do and
what is exactly happening, to help you, which is probably why no one else
has responded yet.

What exactly are you trying to accomplish or connect to? Is it an external
website or an internal website? Is the website you are trying to connect to
on this 2003 standalone machine (assuming IIS is installed and operational)
or another machine? What is the name of the website? Does that FQDN exist in
your DNS? Is it hostheader based?

We'll need more specific info to better help.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
 

joan

Archived from groups: microsoft.public.win2000.dns (More info?)

Sorry for the jumping around. The application/website is internal and
external. The box that the app is running on is fully contained. Win2003
Server, SQL, IIS, SSL. It is not a part of our corp. domain, it is a stand
alone workgroup. The name is https://cash.thefloridacenter.org.

In DNS, which is sitting on our domain, it is under the corp domain zone and
the FQDN is thefloridacenter.org. That is where I am confused because that
is not right, that machine is not a part of the domain. Internally though,
everything is working with DNS. I ran a FreePing all weekend and never had a
problem getting to the box by name or by IP.

On a side note, this server used to be a part of the domain with the same
server name. Is it possible that DNS still thinks it is a part of the domain?

I hope this clears it up a little...very sorry for the confusion.

Thank you very much for your help and time.
Joan

 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:9650EA6B-7CF0-4AD0-A5E4-5E18F84F9D1E@microsoft.com,
Joan <Joan@discussions.microsoft.com> commented
Then Kevin replied below:
> Sorry for the jumping around. The application/website is
> internal and external. The box that the app is running
> on is fully contained. Win2003 Server, SQL, IIS, SSL.
> It is not a part of our corp. domain, it is a stand alone
> workgroup. The name is
> https://cash.thefloridacenter.org.
>
> In DNS, which is sitting on our domain, it is under the
> corp domain zone and the FQDN is thefloridacenter.org.
> That is where I am confused because that is not right,
> that machine is not a part of the domain. Internally
> though, everything is working with DNS. I ran a FreePing
> all weekend and never had a problem getting to the box by
> name or by IP.
>
> On a side note, this server used to be a part of the
> domain with the same server name. Is it possible that
> DNS still thinks it is a part of the domain?
>
> I hope this clears it up a little...very sorry for the
> confusion.
>
> Thank you very much for your help and time.
> Joan

Whether the web server is part of the domain or not, if it is behind NAT and
has a private address, you must access it by the machine's private address
if you are also behind the same NAT device.
All local machines need to use the local DNS in order to access any other
machine behind NAT by a FQDN. On the local DNS server in
'thefloridacenter.org' forward lookup zone you will need a host record named
'cash' with the web server private IP address.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 

joan

Archived from groups: microsoft.public.win2000.dns (More info?)

Thanks Kevin,

I do have an entry in my firewall to NAT the external IP to the internal IP.
I was just confused when adding the record in the "thefloridacenter.org" DNS
that it automatically created the FQDN as thefloridacenter.org...that is not
correct. It is just a workgroup server.

Thanks,
Joan

 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:EEE4E1CA-0785-4DAD-8EB8-B9C08E6AA880@microsoft.com,
Joan <Joan@discussions.microsoft.com> commented
Then Kevin replied below:
> Thanks Kevin,
>
> I do have an entry in my firewall to NAT the external IP
> to the internal IP. I was just confused when adding the
> record in the "thefloridacenter.org" DNS that it
> automatically created the FQDN as
> thefloridacenter.org...that is not correct. It is just a
> workgroup server.

One more time, whether it is a domain member or a workgroup server is not
relevant, if you want to access the server or any site on the server from
behind your firewall by the name 'cash.thefloridacenter.org', you will need
that record in your local DNS zone. One of the limitations of NAT is, you
cannot make an incoming connection on one of its public IPs if you are
behind the private side of the NAT device.
In other words, U-Turns are *not* permitted in NAT. Most firewalls use NAT,
some use a proxy. If the Firewall is a proxy server, U-Turns are permitted
in a Proxy server.
Unless I am misunderstanding your question, it is kind of hard to follow.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:9650EA6B-7CF0-4AD0-A5E4-5E18F84F9D1E@microsoft.com,
Joan <Joan@discussions.microsoft.com> made a post then I commented below
> Sorry for the jumping around. The application/website is internal and
> external. The box that the app is running on is fully contained.
> Win2003 Server, SQL, IIS, SSL. It is not a part of our corp.
> domain, it is a stand alone workgroup. The name is
> https://cash.thefloridacenter.org.
>
> In DNS, which is sitting on our domain, it is under the corp domain
> zone and the FQDN is thefloridacenter.org. That is where I am
> confused because that is not right, that machine is not a part of the
> domain. Internally though, everything is working with DNS. I ran a
> FreePing all weekend and never had a problem getting to the box by
> name or by IP.
>
> On a side note, this server used to be a part of the domain with the
> same server name. Is it possible that DNS still thinks it is a part
> of the domain?
>
> I hope this clears it up a little...very sorry for the confusion.
>
> Thank you very much for your help and time.
> Joan

Hi Joan,

No problem. I'm glad you gave us a little more to work with.

As Kevin stated, since the webserver is an internal server, and you are
trying to access it from an internal machine, on your internal DNS, you MUST
use the private IP. The reason is because a NAT device (no matter what brand
name), cannot translate an internal request to its outer WAN IP and back in
again. It's just a limitation.

Now if you are hosting the external domain with the external IP on your
internal server, then you will need a separate DNS to host the external
stuff, and a separate DNS server to host the internal names, since you
CANNOT mix internal private IPs and external public IPs under the same zone
name.

Ace
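The check Kevin and Ace describe, as an added example that is not part of the original thread: it audits an internal forward lookup zone for names that resolve (directly or through a CNAME) to the public side of a static NAT mapping, which internal clients cannot reach, and reports the private address to use instead. The addresses, the extra record names and the NAT table are constructed sample data; only the zone `thefloridacenter.org` and the host `cash` come from the thread.

```python
import ipaddress

# Constructed sample data: static NAT on the firewall, public -> private.
NAT_STATIC = {"203.0.113.10": "192.168.1.20"}

ZONE = "thefloridacenter.org"
# Constructed internal zone contents as (name, type, data) rows.
INTERNAL_RECORDS = [
    ("cash", "A", "203.0.113.10"),   # wrong for internal clients: public IP
    ("www", "A", "192.168.1.30"),
    ("mail", "CNAME", "cash"),       # inherits the problem through the alias
    ("loop", "CNAME", "loop"),       # broken alias, must not hang the audit
]

def resolve(name, records, max_hops=8):
    """Follow CNAMEs inside the zone and return the A addresses for name."""
    by_name = {}
    for rname, rtype, data in records:
        by_name.setdefault(rname.lower(), []).append((rtype.upper(), data))
    current = name.lower()
    for _ in range(max_hops):
        rrs = by_name.get(current, [])
        addrs = [d for t, d in rrs if t == "A"]
        if addrs:
            return addrs
        aliases = [d for t, d in rrs if t == "CNAME"]
        if not aliases:
            return []
        current = aliases[0].lower()
    return []  # CNAME loop or chain longer than max_hops

def audit_internal_zone(zone, records, nat_static):
    """Return one finding per internal name that lands on a NAT public IP."""
    nat = {ipaddress.ip_address(pub): ipaddress.ip_address(priv)
           for pub, priv in nat_static.items()}
    findings = []
    for name in sorted({r[0].lower() for r in records}):
        for addr in resolve(name, records):
            ip = ipaddress.ip_address(addr)
            if ip in nat:
                findings.append({
                    "fqdn": f"{name}.{zone}",
                    "resolves_to": str(ip),
                    "use_instead": str(nat[ip]),
                })
    return findings

if __name__ == "__main__":
    for f in audit_internal_zone(ZONE, INTERNAL_RECORDS, NAT_STATIC):
        print(f"{f['fqdn']}: {f['resolves_to']} is the NAT public address; "
              f"internal zone should hold {f['use_instead']}")
```
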
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:uRWg$psEFHA.3732@TK2MSFTNGP14.phx.gbl,
Kevin D. Goodknecht Sr. [MVP] <admin@nospam.WFTX.US> made a post then I
commented below

> One more time, whether it is a domain member or a workgroup server is
> not relevant, if you want to access the server or any site on the
> server from behind your firewall by the name
> 'cash.thefloridacenter.org', you will need that record in your local
> DNS zone. One of the limitations of NAT is, you cannot make an
> incoming connection on one of its public IPs if you are behind the
> private side of the NAT device.
> In other words, U-Turns are *not* permitted in NAT. Most firewalls
> use NAT, some use a proxy. If the Firewall is a proxy server, U-Turns
> are permitted in a Proxy server.
> Unless I am misunderstanding your question, it is kind of hard to
> follow.

U-turns? Interesting way to put it, but accurate! I think you got that from
your old trucking days!

:)

Ace
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:%23qYzzPuEFHA.3596@TK2MSFTNGP12.phx.gbl,
Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com>
commented
Then Kevin replied below:
> In news:uRWg$psEFHA.3732@TK2MSFTNGP14.phx.gbl,
> Kevin D. Goodknecht Sr. [MVP] <admin@nospam.WFTX.US> made
> a post then I commented below
>
>> One more time, whether it is a domain member or a
>> workgroup server is not relevant, if you want to access
>> the server or any site on the server from behind your
>> firewall by the name 'cash.thefloridacenter.org', you
>> will need that record in your local DNS zone. One of the
>> limitations of NAT is, you cannot make an incoming
>> connection on one of its public IPs if you are behind
>> the private side of the NAT device.
>> In other words, U-Turns are *not* permitted in NAT. Most
>> firewalls use NAT, some use a proxy. If the Firewall is
>> a proxy server, U-Turns are permitted in a Proxy server.
>> Unless I am misunderstanding your question, it is kind
>> of hard to follow.
>
> U-turns? Interesting way to put it, but accurate! I think
> you got that from your old trucking days!

You got that right!

Besides, if the firewall is worth its stuff, it would reject the packets as
spoofed packets, anyway.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:eBKch%23wEFHA.2180@TK2MSFTNGP12.phx.gbl,
Kevin D. Goodknecht Sr. [MVP] <admin@nospam.WFTX.US> made a post then I
commented below
>> U-turns? Interesting way to put it, but accurate! I think
>> you got that from your old trucking days!
>
> You got that right!
>
> Besides, if the firewall is worth its stuff, it would reject the
> packets as spoofed packets, anyway.


I figured it was from your driving days!

Many a firewall we have to state to ignore that range in the rules, such as
a Cisco IOS IP access rules (the way I used to do it). Not sure about the
newer ones, but I would assume it would have to be stated. But that is for
inbound, not inside requests hitting the inside interface for the outside
WAN interface. As for NAT, all NATs don't allow U-Turns, just as a traffic
cop!

Ace
 

joan

Archived from groups: microsoft.public.win2000.dns (More info?)

We are keeping it stand alone because it is an application that we want to
easily add to one's environment with the least amount of intrusion to their
network or to our box.

I will try adding DNS to the stand alone box and then forward the requests
to the domain DNS.

Sorry I was not clear enough for some of you!! It just bothers me that the
problem is not consistent. I understand NAT fairly well, I was just driving
myself nuts that I had an entry under the domain dns zone that had the fqdn
which is incorrect.

Thank you all for your words and time!
Joan

"Patrick Burwell" wrote:

> Whenever you set up DNS services on a server you always point the NIC to its own dns server first.
> Why are you not adding the stand-alone to the domain?
> Anyway, you can point the dns for stand-alone to itself, if it is running dns server services and then forward requests to the domain dns in the dns management
>
>
>
> Patrick J Burwell
> Support Analyst
>
 
Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

In news:949D33EB-5732-4F88-9367-C2AD2C78991E@microsoft.com,
Joan <Joan@discussions.microsoft.com> made a post then I commented below
> We are keeping it stand alone because it is an application that we
> want to easily add to one's environment with the least amount of
> intrusion to their network or to our box.
>
> I will try adding DNS to the stand alone box and then forward the
> requests to the domain DNS.
>
> Sorry I was not clear enough for some of you!! It just bothers me
> that the problem is not consistent. I understand NAT fairly well, I
> was just driving myself nuts that I had an entry under the domain dns
> zone that had the fqdn which is incorrect.
>
> Thank you all for your words and time!
> Joan
>

You are quite welcome.

Ace