Chat Transcript for May 13 2003

May 13, 2003

We would like to thank John Tolamachoff from eServices For You for hosting this ISA Server Expert Chat. Please visit John’s site for more information about the network and Internet Services John can offer you.


David_V_Dellanno has left the conversation.

     John : Good morning.

jbaud3 has returned.

     jbaud3 : good morning

     John : As it appears that we have a large crowd this morning, I won't get myself into too many deep holes.

David_V_Dellanno has joined the conversation.

spsl has joined the conversation.

spsl is away.

     jbaud3 : I have a question for you John.

     jbaud3 : Something that’s been baffling me for a while.

     jbaud3 : When I restart my ISA Server, my DNS Server (on another box) stops responding to queries.

     jbaud3 : until the service is restarted.

     jbaud3 : Any ideas?

     John : Resources I use: <> (Thanks to <> (Thanks to <> (DNS experts) DNS Expert program (<>) Windows 2000 DNS

     John : Until the DNS service on the other computer is restarted?

     jbaud3 : John, I didn’t get to see that because I had URLs turned off, can you re-post that.

     jbaud3 : Yes!

     jbaud3 : weird huh?

     John : Resources I use: <> (Thanks to <> (Thanks to <> (DNS experts) DNS Expert program (<>) Windows 2000 DNS

     John : How do you have the DNS service properties setup, using forwarders?

croush has joined the conversation.

     jbaud3 : It’s the internal DNS Server that fails.

DrTom has joined the conversation.

     jbaud3 : it’s a stand alone primary

     jbaud3 : that forwards out.

     John : Are you saying the DNS service on the other computer fails? What is the error code?

     jbaud3 : it doesn’t actually fail, just stops responding to clients until the service is restarted.

     jbaud3 : no error codes.

     jbaud3 : It only happens when the ISA Server is restarted.

     jbaud3 : or the ISA Services are restarted.

     jbaud3 : specifically, the Firewall service.

     John : So let me get this straight, you restart the ISA server, and the DNS service on the other computer stops responding.

     jbaud3 : YES…

     DrTom : Hey guys!

     jbaud3 : Hi Tim!

     jbaud3 : Tom

     John : On the internal server, what is it pointed to for forwarders?

     John : Morning Dr.

     jbaud3 : It points to our ISP’s two DNS servers.

     John : And how do you have ISA setup to allow the queries?

     DrTom : Quick request: can someone save a transcripts of this and send it to me when its over?

     jbaud3 : we also get errors about all port scan attacks from our ISP’s DNS servers every now and then.

     DrTom : I’ll post it tonight. I don’t know how large the buffer is, but if you just save the buffer before you leave, that will be enough.

     jbaud3 : We’ve set it up according to articles.

     John : If I remember to, Doctor.

     DrTom : Hi John, thanks a million!

     jbaud3 : It is working 99% of the time.

     John : BTW, after this is over, in case I do a good job of thoroughly confusing anyone, the Doctor is holding a group therapy session.

     jbaud3 : unless we restart the ISA Server.

     jbaud3 : lol

     John : Oh wait, he is not that kind of Doctor.

     John : What is the ISA server using for DNS queries?

     DrTom : Ha! Used to do a bit of therapy in my day

     John : Hey Doc, I have this nagging problem…

     DrTom : RE: this DNS issue, I would be curious to see if the “non-Connected UDP mappings” counter pegs

     jbaud3 : ISA Server has external NIC DNS blank, and internal NIC points to ISP DNS first, then internal DNS second.

     John : Ah, you have DNS set up on each NIC. The external NIC should not have any DNS settings configured.

     jbaud3 : this was per Microsoft suggestion.

     jbaud3 : No… External is blank.

     DrTom : John, what do you think of that? Having the ISP DNS server address on the top of the list?

     jbaud3 : Internal has two DNS server entries.

     John : Sorry, read that wrong.

     jbaud3 : ok

     John : Internal should only point to Internal DNS. Is ISA server part of the domain?

     jbaud3 : We tried having our ISA server only point internal, but it fails to resolve external queries at that point.  ISA Server is part of the domain.

     John : If someone really wants the ISP DNS server configured in the NIC properties, it should always be last.

     jbaud3 : okay, we can try switching the order around.

     John : OK, now we are getting closer. You say that if it is only set to Internal DNS, it can not resolve external queries. Do other internal clients have any problems?

     John : What are they using for DNS?

     jbaud3 : internal clients point to internal DNS for queries.

     jbaud3 : They have no problems, unless the internal DNS server stops responding (when ISA services restart)

     jbaud3 : When ISA internal NIC is set to internal DNS only, clients cannot resolve outside networks.

     John : For any computer part of an AD domain, it is important that they point first to the DNS servers responsible for the AD zone.

     David_V_Dellanno : jbaud3 – do you have FWclient installed on your DNS servers?  if so…don’t

     John : OK, sounds like an issue with either the configuration of the Internal DNS server, or the rules on the ISA server.

     jbaud3 : Unfortunately, our two AD controllers are also our two external DNS servers.

     jbaud3 : No firewall client installed on any server… learned that the hard way. 

     John : You mean you have them published?

     jbaud3 : Yes.

     John : Is the internal domain name the same as your external domain name by chance?

     jbaud3 : yes.

     John : Uh Oh

     jbaud3 : ?

     David_V_Dellanno : jbaud3 – you have created a protocol rule for internal dns servers – DNS Query  and a site/content rule for your DNS servers?

     jbaud3 : David – protocol rules are in place.

     David_V_Dellanno : and a site/content rule too?

     jbaud3 : yes

     John : If you are using the same domain name internally as well as externally, you have to use split DNS.

     jbaud3 : We do.

     John : But you said you are using the same DNS servers for Internal and External.

     jbaud3 : We publish the external DNS servers through ISA server to the rest of the world, they are also our AD controllers.

     jbaud3 : We publish the internal DNS server only to internal clients.

     jbaud3 : and the ISA Server.

     DrTom : Good point, John! You need two DNS servers to host the same zone name with different entries

     jbaud3 : nothing else looks to our external DNS servers.

     jbaud3 : We have three DNS servers setup… two external, one internal.

     John : If your internal domain is, and your external domain is, you have to have those serviced by 2 different zones, otherwise problems will crop up.

     DrTom : What do you mean by “publish” a DNS server to internal clients? They should be accessing them directly, not looping through (and only firewall clients can loop back)

     John : Please explain your network setup as now I am confused as to what you have.

     DrTom : Same here.

     jbaud3 : Sorry Tom, internal clients are configured by DHCP to see internal DNS server only.

     DrTom : OK, but how are external DNS servers configured and why are they DCs?

     John : Where exactly are the 3 DNS servers? Which ones are DCs?

     jbaud3 : External DNS servers are DCs and are published in ISA Server.

     John : Where are they?

     John : Internal?

     jbaud3 : They are all behind ISA Server.

     jbaud3 : internal.

     jbaud3 : yes.

     John : That is the problem.

     DrTom : But why are they DCs if they are public DNS servers?

     jbaud3 : The problem is that external DNS is behind ISA?

     John : Your internal clients, even though they are using the internal DNS server, still rely upon the zones on the DC, as that is where the SRV records are.

     jbaud3 : ah… and internal clients don’t connect to DNS on the AD machines…

     jbaud3 : STUPID!

     John : AD relies upon DNS. Therefore, your “External” DNS servers are the ones your internal clients are trying to use for domain resources.

     jbaud3 : okay.

     jbaud3 : I get where you’re going.

     jbaud3 : I definitely need to do some more thinking about this one and re-organize things a bit.

     John : If the DCs are configured for DNS, they should then only hold internal records. While it is possible to use one DNS server for both public and internal records, it gets messy.

Hugh has joined the conversation.

Averomar has joined the conversation.

     John : Try doing research on Windows 2000 AD domain infrastructure for more information.

     jbaud3 : Thanks for the help.  We’ve been banging our heads against the wall on this one for months… and it was a very simple problem.

     jbaud3 : isn’t that always the way?

     DrTom : LOL! Yes.

     John : No problem. At least you don’t have the “.” zone problem.

     DrTom : I put the public DNS servers in VMs in a GSX server. That’s all they do, they belong to workgroup

     jbaud3 : what’s that problem entail?

     DrTom : We also use the same name for public and private resources, and the DNS infrastructures are completely split

Averomar has left the conversation.

     DrTom : LOL! Not the dreaded AD Wizard Root Zone problem!

     John : When you have a zone called “.”, which means the DNS server was installed and configured as a root server.

     jbaud3 : oh boy.

     Hugh : Hi all, is “bi-directional affinity” working with w2k3 and ISA?

     John : I hope Microsoft fixed that in Windows 2003 server.

     Hugh : I tried but no luck …

     John : Full bi-directional affinity will not be truly supported until ISA 2003 from my understanding.

     Hugh : So the NLB support is the same as with w2k.

     John : The problem that jbaud3 has with AD DNS is an example of how extremely important it is to map out your AD domain structure before setting up the first DC.

     John : NLB support has been greatly improved in Windows 2003, but it is a limitation in ISA 2000 that also affects it.

     jbaud3 : I’m gonna need some counseling sessions with the doc after this is all done. 

     Hugh : Pity I was waiting for w2k3 to really use NLB … So I’ll have to change my design a bit.

     John : Here is a good starting point on DNS and AD:

     John :;en-us;810733

     David_V_Dellanno : ok

     David_V_Dellanno : I have a question

     John : Windows 2003 server does have NLB functions available, it is just that it will be fully integrated so to speak with ISA 2003.

     John : Go ahead.

     David_V_Dellanno : does it have to be DNS question?

     John : Not really.

     David_V_Dellanno : ok

     David_V_Dellanno : lets say I published OWA –

     John : DNS is the focus. I will do my best to answer other questions.

     John : OK

     Hugh : Any ideas on dates for ISA 2003 betas or rtm

     David_V_Dellanno : that hits a server lets call it     atl-na-exch-01/exchange

     David_V_Dellanno : now I would like to point Sharepoint Portal server

     David_V_Dellanno : lets say for external users –

     David_V_Dellanno : that point to an internal server – atl-na-sps-01/corpportal

     John : About 4 months ago, plan was for ISA 2003 to be out 3rd quarter. Talk is it will not be ready.

     John : OK

     David_V_Dellanno : I forgot about the SSL –

     Hugh : thanks

     David_V_Dellanno : so it would be https://…

     John : Yes. Https:// as long as you have set up ISA for the ssl traffic.

     David_V_Dellanno : I can remember Proxy 2.0 do this..but is ISA capable of keeping the same external name space so the users would not get an annoying pop-up window stating it is leaving a different secure site

     John : The pop-up I believe is via a client side IE configuration.

     John : In IE, you can configure to warn when leaving a secure site.

     David_V_Dellanno : so I can change that in a GPO

     David_V_Dellanno : but I would be able to do this for external users

     John : Yes, IE is configurable via a GPO

     jbaud3 : you wouldn’t be able to do this for external users though.

     David_V_Dellanno : I meant to say I wouldn’t

     David_V_Dellanno : sorry

     John : I am not sure, but I think it would depend on how you have the site setup. Remember, ISA is not proxying the site like a front end IIS would

     David_V_Dellanno : exactly

     John : Now if you have a site set up with frames, the content can change while the page the user is on remains the same.

     David_V_Dellanno : I have two sites on two servers behind ISA….but can ISA publish in a way to keep the naming space seamless

     David_V_Dellanno : true

Warren has joined the conversation.

     John : If you mean and points to two different servers, that is done I think by using host headers, which I believe ISA allows you to use.

DrTom is away.

     John : I am not sure how to set that up though, sorry.

     David_V_Dellanno : no worries…

     Hugh : Using John’s example and web publishing it is possible

jasonb54 has joined the conversation.

     David_V_Dellanno : do I just create two destination sets – with two web publishing rules?

     David_V_Dellanno : or will that get confusing

     Hugh : Thats it

     David_V_Dellanno : one destination set to listen  – that lets say point to the internal atl-na-exch-01

     David_V_Dellanno : and the second destination set to listen – that will publish to internal atl-na-sps-01

     jasonb54 : what is the focus of this chat?

     Hugh : David you’ve got it

     jbaud3 : jason, the focus is DNS and ISA Server.

DrTom has left the conversation.

     David_V_Dellanno : thanks Hugh

     David_V_Dellanno : that’s what I needed…

     John : The focus is on DNS and mail servers and ISA server, but we will do our best to answer all questions.

     David_V_Dellanno : doing a Sharepoint Portal (extranet) integrating with Exchange 2000…..using ISA 2000 publishing RPC and embedding the web pages to the public folders so the user doesn’t have to leave his outlook fat client

spsl has left the conversation.

     John : Good Idea. A lot of work though it seems.

     John : Then again, what the users want…

     David_V_Dellanno : plus sharepoint team services

     David_V_Dellanno : on another server

     David_V_Dellanno : yup

     David_V_Dellanno : it is

     John : I know there are more DNS issues out there.

     Hugh : anybody noticed that if you join a bew server to an array it changes the HTTP redirector back to “redirect to local web proxy” … really annoying

     Hugh : sorry “new server”

     John : This just in. There are no DNS problems. There are no problems anywhere. Everything is working as expected. Everyone is happy.

     John : Signed, the Iraqi Defence Minister.

     Hugh : OK … DNS problem … I found if publishing DNS servers, the publishing fails after a while. Restart the Firewall service and all works again.

     John : With this kind of crowd, I can do this often.

     John : Is this with or without ISA SP1?

     Hugh : So I change to using the ISA server as a secondary DNS and using packet filters for UDP 53 and TCP 53

     John : This is for external or internal queries?

     Hugh : All the latest toys … SP1 + FP1 … I know there is a Q article that is pre SP1 but I still experienced it.

     Hugh : With packet filters I’ve had no problems for DNS publishing

     John : I have heard of issues with using DNS Server publishing as opposed to using packet filters.

     Hugh : Another ( don’t know if Windows 2000 or ISA ) but my DNS forwarding randomly fails through ISA

     John : DNS server publishing really requires DNS to be set up exactly correct.

     Hugh : So just wrote a batch on schedule to restart forwarding DNS service every 24 hours and problem resolved.

     John : What do you mean by randomly fails?

     Hugh : after about 24 to 36 hours

     John : No separate service as DNS Forwarding. It is part of the DNS server properties configuration. Do you mean you restart the DNS service?

     Hugh : yup

     John : On the Internal DNS server?

     John : Is it forwarding queries to the ISP DNS servers, or ISA?

     Hugh : yup , queries from ISP DNS

     John : So, you have one internal DNS server that internal clients use and that also answers public queries, correct? On the internal, are you using an AD domain?

     Hugh : 100 %

     Hugh : Yes it is a domain controller with an integrated zone

     John : So, you have one DNS server, with one integrated zone responding to both internal and external queries.

     John : What kind of records is the public querying for?

     Hugh : David you might also be able to make use of the “link translator” with FP1 …

     Hugh : No … two different scenarios.

     John : ?

     John : Does the public query the same zone as the internal zone?

     Hugh : 1 – Domain controller with DNS forwards internal clients DNS to ISP dns to resolve public DNS queries. This fails anything from 24 to 36 hours … till DNS service on that DC restarted. For this fix I don’t have to touch ISA

     John : Have you tried running a query test from within the DNS server properties?

     Hugh : Hmmm … that almost always fails

     John : And are roor hints configured?

     John : If that is failing then that DNS server is where we need to look.

     John : Woops, root hints.

     Hugh : root hints point to internet root servers .. ( from cache.dns)

     John : OK

     John : Do you have recursive queries enabled?

     Hugh : No … “enable forwarding” and “do not use recursion” selected

     John : Ah, enable recursion. There has been discussion on recursion as an attack point, but if you have Secure against Pollution and are behind a firewall, little chance of that exploit.

     John : Of course, if I could spell correctly…

     John : Darn keyboard virus.

     Hugh : ok I’ll give that a bash …

Warren has left the conversation.

     John : When you have an AD integrated zone, disabling recursion causes a problem from my experiences. As of a few months ago, there was no official documentation on this, but I will have to check to see if anything has been written up.

     Hugh : cool will try … I always clicked “do not use recursion”  as it is always recommended in all docs

     Hugh : another question on DNS

     John : This sheds some light:;en-us;303811

     John : Queries to forwards are recursive.

     John : Go ahead.

     Hugh : should your MX records point at A records, or are CNAMEs acceptable …

     John : No, CNAMEs should never be used in conjunction with MX records or an A or PTR record that correlates to a mail server.

     John : In fact, the use of CNAMEs in a MX record is prohibited by an RFC.

     Hugh : hmmm  that answers that one

     Hugh : I’ll have to chat to that lazy DNS admin

     John : Yes, it works for people, but it is a technical violation and will eventually cause problems that can be difficult to track down.

     John : :0

     Hugh : yup and stop delivering while other smtp servers don’t mind

     John : Well, then you haven’t tried sending to one of us staunch Imail admins that use a software called Declude JunkMail.

jasonb54 has left the conversation.

     Hugh : tx … ok back to NLB as DNS is working …

     John : OK

     Hugh : besides the new GUI tool for NLB on w2k3 … where is the benefit for 2 isa servers in array.

     Hugh : NLB on internal nics or external

     John : For Internal, the benefit is load balancing and fail over.

     Hugh : if on internal and publishing SMTP servers, can the SMTP servers default GW point at the NLB address … also making use of the reg key to make full-nat

     John : NLB (Clustering) and ISA server array are different “items” in ISA 2000.

     John : An array is a cluster, but configured specifically.

     John : I am not that familiar with NLB or ISA arrays to be able to answer that. Tom is an expert in that area, as he has done a lot of work on that, including the use of RainInfinity.

Tiago has joined the conversation.

     Tiago : Yo!!

     John : Howdy.

     Tiago : what’s cookin’?

     John : I hate to say this, but it is time for me to get to work on stuff that I can bill someone for. After all, that is how the bills get paid.

     Hugh : ok thanks

     John : I would like to thank everyone who participated today. It has been fun. I will probably do this once a month.

     John : I will be saving this chat and forwarding to Tom for posting later today.

     John : Resources I use: <> (Thanks to <> (Thanks to <> (DNS experts) DNS Expert program (<>) Windows 2000 DNS

     John : DNS Expert program (<>) Windows 2000 DNS (Book by New Riders) Configuring ISA Server 2000 (By Dr. Tom Shinder) ISA Server and Beyond (By Dr. Tom Shinder) <>
