
DNS and ISA Server

Status
Not open for further replies.

PatNicholls (Programmer, GB), Jul 23, 2003
I have a win2k sp4 DC running DHCP/DNS/WINS (192.168.1.1) and a win2k sp4 server running ISA Server with 2 NICs (int 192.168.1.5 and ext 192.168.2.249). The ISA server is connected directly to my firewall (192.168.2.19).

My problem is that I can only ping domain names from the ISA server and not from any other computer.

I hope that is enough information to start with. I think the problem is DNS but I cannot trace where!

Any help would be greatly appreciated.

 
If I run nslookup on the isa server with the two NICs and set the dns server to use the ISP's DNS server the response is a successful non-authoritative ip address (if that makes sense). If I just use the default internal DNS server I just get a DNS request timed out error. I guess the main reason for this is that my internal DNS server cannot forward a request to an external DNS server.

Could the overall problem be a RRAS problem?
 
I have a second server which also has two NICs, one internal and one external (my Exchange server). This is the server I want to place behind ISA Server but can't because DNS will not resolve properly.

I configured RRAS for NAT and then changed my own client gateway address to the internal IP of my exchange server (effectively bypassing ISA server). DNS resolved immediately so thankfully, no problem there.

I went back to my ISA Server and stopped the ISA server service (which also stopped other services), restarted the RRAS service (again which started ISA server - but not all the other services). When I tried to resolve an external domain name it was immediate! So ISA server and RRAS are correctly configured!

It seems that Microsoft Firewall could be the culprit! I will keep this thread updated.
 
I would start with the LAT. If the external IP range is in the LAT, ISA will filter traffic on your external NIC.
 
The answer is actually the MS Firewall client, wspcfg.ini and credtool.exe.

My original issue was that my DNS server could not forward requests to my ISP's DNS server because it was behind the ISA server, yet I could ping from the ISA server itself.

I installed the firewall client on my DNS server (my NIC configured for both internal and external DNS servers) and immediately could resolve domain names.

The important bit then was to enable dns forwarding from my internal dns server. Here is the fun part.

Having already installed the MS Firewall Client on my DNS server (did not need a reboot) you then

1. Run CREDTOOL.EXE (from the firewall client folder) to create a credentials entry for DNS

2. Create a wspcfg.ini file in the system32 folder structured like this

[dns]
KillOldSession=1
ForceCredentials=1
Persistent=1
ProxyBindUDPPorts=53

3. restart the DNS server service.

Once those three are completed, go back into DNS and enter the forwarder IP address. Then test in nslookup.

Note: You only need to install the firewall client on the DNS server(s). Any other machine on the LAN will get name resolution from your internal DNS server (using the forwarder).

I hope this information is useful to someone else as it took me quite some time to find. My main issue was that I was not sure what was stopping DNS in the first place.

Thanks to those who have shown an interest in my problem!

For further information check out MS Knowledgebase Q323457
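The three steps above (credentials entry, wspcfg.ini, service restart) plus the forwarder and the nslookup test, collected into one batch file as an added example. This is not from the original post; it assumes the Firewall Client is installed under "C:\Program Files\Microsoft Firewall Client", that dnscmd.exe from the Windows 2000 Support Tools is on the path, that the credtool syntax is "-w -n <app> -c <user> <domain> <password>" as documented for ISA Server 2000, and it uses a made-up account (DNSPROXY in domain EXAMPLE) and forwarder address (203.0.113.53). Replace those with your own values.

```batch
@echo off
rem Added example, not part of the thread: automate the wspcfg.ini fix for
rem the DNS Server service (dns.exe) on a DNS server with the Firewall Client
rem already installed. The section name [dns] must match the executable name
rem (dns.exe) without the extension; that is how the Firewall Client ties the
rem settings and the credentials entry to the DNS Server service.
rem Assumed values (not in the thread): install folder, account, forwarder IP.
setlocal
set FWC_DIR=C:\Program Files\Microsoft Firewall Client
set FORWARDER=203.0.113.53
set PROXY_USER=DNSPROXY
set PROXY_DOMAIN=EXAMPLE
set PROXY_PASS=ChangeMe

rem 1. Create the credentials entry for the application "dns".
rem    Syntax assumed from the ISA Server 2000 credtool documentation.
"%FWC_DIR%\credtool.exe" -w -n dns -c %PROXY_USER% %PROXY_DOMAIN% %PROXY_PASS%
if errorlevel 1 goto fail

rem 2. Write wspcfg.ini next to dns.exe in system32 (same keys as the post).
(
  echo [dns]
  echo KillOldSession=1
  echo ForceCredentials=1
  echo Persistent=1
  echo ProxyBindUDPPorts=53
) > "%SystemRoot%\system32\wspcfg.ini"

rem 3. Restart the DNS Server service so it reads the new file.
net stop dns
net start dns

rem Set the forwarder on the local server ("." = this machine).
dnscmd . /ResetForwarders %FORWARDER%

rem Test: an external name should now come back as a non-authoritative answer
rem instead of "DNS request timed out".
nslookup www.example.com 127.0.0.1
goto :eof

:fail
echo credtool failed; check the account name, domain and password.
exit /b 1
```

Two things to keep in mind when using this. The password is passed on the command line and sits in the batch file, so use a dedicated low-privilege account for the credentials entry and delete or blank the file once it has run. ProxyBindUDPPorts=53 makes the Firewall Client bind UDP 53 on the ISA server on behalf of dns.exe, which is what lets the forwarded queries' replies come back, but it also means the ISA server's external interface now answers on UDP 53 for your internal DNS server; make sure the ISA policy only allows what you intend there and that the server does not end up acting as an open recursive resolver for the outside.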
 