OK, I am really stumped here now!
I put four Win2K servers (AD/DNS/DHCP, Exchange, Mail Marshal, OracleDB) behind a Raptor firewall to host a remote AD domain. I have the raptor set as the default gateway, and using its DNSd service, it is now the forwarder for the AD/DNS server, which has recursion disabled (and the root hints deleted!)
All the other servers (and workstations, but they are all DHCP) point to the AD/DNS server for their DNS. Name resolution works fine. They all enable "Register this connection address in DNS", even those supplied from the DHCP.
I see about every hour a flood of outgoing traffic from all four servers (but NONE of the workstations) to the root name servers with destination port 53 (which of course the raptor blocks, because the servers are supposed to ask it for external DNS name resolution).
So where in Win2K (on all four servers!!) could this be coming from? (And WHY would the member servers try to update the Root Name Servers? Wouldn't they only go to the AD server that is authoritative for their DNS suffix?)
I cannot believe I am the only person to ever operate a domain from behind a firewall...
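One way to confirm the pattern described above from the firewall's deny log is to flag every internal host sending port-53 traffic to anything other than the approved DNS server or the firewall's DNSd forwarder, then bucket the hits by hour. This is an added example, not code from the post; the log line format, the 10.0.0.x server addresses, the 10.0.0.1 firewall inside address and the 203.0.113.x "root server" destinations are all constructed assumptions.

```python
"""Flag internal hosts sending DNS (port 53) to non-approved destinations and
count the hits per hour to confirm an 'about every hour' recurrence."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed addresses (constructed, not from the post): the AD/DNS server and
# the firewall's inside interface that runs the DNSd forwarder.
APPROVED_DNS = {"10.0.0.10", "10.0.0.1"}

# Minimal syslog-like firewall line format, constructed for this example.
LINE_RE = re.compile(
    r"^(\S+ \S+) (?P<action>\w+) (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: four servers hit outside "root" addresses at 08:02
# and again at 09:01; a workstation and the AD/DNS server use approved paths.
SAMPLE_LOG = """\
2003-04-01 08:02:11 deny udp 10.0.0.10:1029 -> 203.0.113.4:53
2003-04-01 08:02:11 deny udp 10.0.0.11:1033 -> 203.0.113.4:53
2003-04-01 08:02:12 deny udp 10.0.0.12:1040 -> 203.0.113.8:53
2003-04-01 08:02:12 deny udp 10.0.0.13:1041 -> 203.0.113.8:53
2003-04-01 08:15:40 permit udp 10.0.0.50:1100 -> 10.0.0.10:53
2003-04-01 08:15:40 permit udp 10.0.0.10:1101 -> 10.0.0.1:53
2003-04-01 09:01:05 deny udp 10.0.0.10:1050 -> 203.0.113.4:53
2003-04-01 09:01:06 deny udp 10.0.0.11:1051 -> 203.0.113.4:53
""".splitlines()


def find_rogue_dns(lines):
    """Return {src: {hour_bucket: count}} for port-53 traffic whose
    destination is not one of the approved DNS servers."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53" or m["dst"] in APPROVED_DNS:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        hits[m["src"]][ts.strftime("%Y-%m-%d %H")] += 1
    return {src: dict(h) for src, h in hits.items()}


def recurring_sources(hits, min_hours=2):
    """Sources that appear in at least min_hours distinct hour buckets."""
    return sorted(s for s, h in hits.items() if len(h) >= min_hours)


if __name__ == "__main__":
    rogue = find_rogue_dns(SAMPLE_LOG)
    for src in sorted(rogue):
        print(src, rogue[src])
    print("recurring:", recurring_sources(rogue))
```

Sources that show up hour after hour are the ones to capture on the wire (with the AD/DNS server's own queries to the forwarder excluded) to see which process is originating the lookups.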