DNS in Server 2008

  • DNS in Server 2008

    Hi All.
    Please assist. I am having problems getting access to the internet from my newly created domain. I have installed Win Server 2008, new forest, new domain, new DC. I have configured an ISA 2006 firewall with an ADSL connected to the firewall. I get nslookup responses and get FQDNs back when querying a machine on the domain. I can pop to my mail account and get internet access on the firewall. The IPCONFIG/ALL is:
    IP: 172.10.32.1 (DC)
    Subnet: 255.255.255.0
    Gateway: 172.10.32.5 (ISA 2006)
    DNS: 172.10.32.1 (DC)

    I have configured a forwarder on the DNS server to point to my ISP's DNS.

    Any help will be appreciated.

    Thanks
    So

  • #2
    Re: DNS in Server 2008

    Try to eliminate the issues. Temporarily allow all through ISA, and see if you can do a FQDN query. If yes, suspect ISA configuration. If not, come back with additional information.
    Cheers,

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services
    MCSA/E, MCTS, MCITP, MCT

    • #3
      Re: DNS in Server 2008

      Currently I am allowing all through ISA. I have an All Outbound rule that states allow all traffic from internal to external, local host. This rule is working because when a workstation on the domain makes the request the rule is being 'hit' in ISA. If I disable this rule then the requests hit the unrestricted Internet Access rule that comes standard when installing ISA. I don't get a denied connection on the firewall. Could there be something wrong with the reverse lookup in DNS? Does Win Server 2008 require a reverse lookup zone?

      • #4
        Re: DNS in Server 2008

        How have you configured the ISA nics?
        And what is precisely your issue?
        Last edited by Dumber; 14th April 2009, 17:27.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

        • #5
          Re: DNS in Server 2008

          Hi somoolla,

          I have understood your problem as: you cannot access the internet from behind the firewall on your newly created domain. If I am off road, please let me know.

          Have you done the basic troubleshooting tasks?

          1) Run nslookup xxx.xxx.xxx.xxx (your ISP DNS address) on the domain controller.
          2) Run nslookup xxx.xxx.xxx.xxx (your ISP DNS address) on the ISA server.
          3) Temporarily unplug ISA and try to access the internet on the domain controller.
          4) Please verify whether TCP port 53 and UDP port 53 are open.

          Regards
          Last edited by Chinthaka; 15th April 2009, 02:35.

          • #6
            Re: DNS in Server 2008

            Well, actually that isn't needed.

            The thing is that every box, e.g. clients, ISA server (internal NIC), DC etc., should point to the internal DNS server.
            There shouldn't be any DNS servers configured on the external interface of the ISA server.

            Also, unplugging the ISA server and exposing the DC to the internet is far from a good security practice.
            Allowing all outbound traffic will open every known port which can be found in the ISA swoosh bar, and that should be more than enough.
            DNS should be configured with forwarders to the ISP DNS servers or use the root hints.

            So basically, an nslookup from any client should be sufficient.
            Marcel
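
The DNS layout described in the reply above (internal NICs point only at the internal DNS server, no DNS servers on the ISA external interface) can be checked against saved `ipconfig /all` output. This is an added example, not part of the original thread: the sample output, the external addresses and the single-gateway check are assumptions made for illustration.

```python
import re
INTERNAL_DNS = "172.10.32.1"    # the DC / internal DNS server in the thread
INTERNAL_NET = "172.10.32."     # internal /24 used in the thread
# Constructed `ipconfig /all` excerpt for a two-NIC firewall (not from the thread).
SAMPLE = """\
Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 172.10.32.5
   Default Gateway . . . . . . . . . : 172.10.32.5
   DNS Servers . . . . . . . . . . . : 172.10.32.1

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.10
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54
"""

def parse_adapters(text):
    """Return {adapter: {field: [values]}}, folding continuation lines."""
    adapters, cur, field = {}, None, None
    for line in text.splitlines():
        head = re.match(r"^\S.*\badapter (.+):\s*$", line)
        kv = re.match(r"^\s+([A-Za-z0-9 ]+?)[ .]*: ?(.*)$", line)
        if head:
            cur, field = adapters.setdefault(head.group(1), {}), None
        elif cur is not None and kv:
            field = kv.group(1)
            cur[field] = [kv.group(2).strip()] if kv.group(2).strip() else []
        elif cur is not None and field and line.strip():
            cur[field].append(line.strip())  # e.g. a second DNS server
    return adapters

def audit(text):
    """Check each NIC against the DNS layout described in the reply above."""
    nics, findings = parse_adapters(text), []
    for name, f in nics.items():
        ips = f.get("IP Address", []) + f.get("IPv4 Address", [])
        internal = any(ip.startswith(INTERNAL_NET) for ip in ips)
        dns, gw = f.get("DNS Servers", []), f.get("Default Gateway", [])
        if internal and dns != [INTERNAL_DNS]:
            findings.append((name, "DNS must be the internal server only"))
        if not internal and dns:
            findings.append((name, "external NIC should have no DNS servers"))
        # Not from the thread: common multihomed practice, one default gateway.
        if internal and len(nics) > 1 and gw:
            findings.append((name, "internal NIC of a multihomed host has a gateway"))
    return findings
```

Calling `audit(SAMPLE)` flags the gateway on the internal NIC and the ISP DNS servers on the external NIC; the same function can be run over output collected from the DC and clients.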


            • #7
              Re: DNS in Server 2008

              Architecture as we stand.

              My DSL is connected to my Firewall on the second interface. My internal address is on the first interface (172.10.32.5).
              ISA Firewall: 172.10.32.5, 255.255.255.0, 172.10.32.5 (GW) 172.10.32.1 (DNS)
              DC: 172.10.32.1, 255.255.255.0, 172.10.32.5 (GW) 172.10.32.1 (DNS)
              Forwarder on this DNS server is ISP DNS.
              Exch: 172.10.32.2, 255.255.255.0, 172.10.32.5 (GW) 172.10.32.1 (DNS)

              I get nslookup replies on the workstations and DC and Exchange but no web pages will display. I even plug my laptop in and can collect my mail over POP on another public POP server. I will attach the tracerts later.

              • #8
                Re: DNS in Server 2008

                Sorry. Stand corrected. My firewall's internal IP address config does not have a gateway.

                • #9
                  Re: DNS in Server 2008

                  So there is Internet connectivity.
                  Check out the ISA logging for more information.
                  Marcel


                  • #10
                    Re: DNS in Server 2008

                    ISA does not have any logs relating to denying a connection. What else am I missing? I don't have the web proxy set up on the ISA Server so there is no proxy.
