
Group Policy and DNS Problem


tgrattidge

IS-IT--Management
Dec 14, 2002
6
GB
Have had some help on setting up group policies for desktop restrictions, all of which work OK.
Until I try to access the Internet.
The workstations have two DNS servers, 10.1.1.253 and 10.1.1.252, and a gateway, 10.25.200.1.
To get the group policy to work I have to add another DNS, 10.25.200.2, the IP address of the server running the GPO. It's when this DNS is added that I lose Internet access. If I remove the DNS for the server I get no Group Policy!
At a complete loss! Any help would be gratefully received,
Thanks in advance
Tim
 
On your domain controller (IP 10.25.200.2) go to Start --> Programs --> Administrator Tools --> DNS. Click on the plus next to your server name, then click on the plus next to Forward Lookup Zones. See if there is a "." zone. If there is, delete it.

Then close everything out and open the IP properties of your local area connection (right click My Network Places --> select Properties --> right click Local Area Connection --> select Properties --> select TCP/IP protocol and click on Properties). Verify that 10.25.200.2 is listed as the primary DNS server. Close everything down.

Electricity is actually made up of extremely tiny particles called electrons, that you cannot see with the naked eye unless you have been drinking.
Quote taken from Dave Barry

Bill.
 
Wbg34 - haven't you forgotten that you need to right click the DNS server and go to Properties --> Forwarders and enter both the DNS servers 10.1.1.253 and 10.1.1.252?
This way the workstations will contact the GPO DNS server, and then if it's really an Internet DNS request it will be forwarded on to the "official" DNS servers.

MCSE NT&2K,CCNA/CCDA,CNA,ASE,NSP

 
First of all, I see that there is an error in the design of your DNS servers.
Why 3 DNS servers? What is the link between them? Are they servers on the same DNS zone?
On my site there is an article about internal DNS and external DNS. Have a look there. Also, some basic things about DNS.


Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
 
Gareth,
No, I didn't forget; I specifically chose not to do that to simplify troubleshooting. Win2k doesn't need forwarders (it will forward requests to the root servers by default as long as the "." zone is gone). Once the basic DNS setup has been verified we can worry about fine tuning.


Bill.
 
Yes, but what I have said resolves the issue.

There is obviously some underlying issue going on with how that network is set up, but you and I are both not there and maybe the user isn't sufficiently knowledgeable to explain why there are 3 DNS servers. To me it sounds like the other DNS servers aren't even part of his domain, judging by what is implied.


MCSE NT&2K,CCNA/CCDA,CNA,ASE,NSP

 
Gareth,
By setting up the forwarders you are allowing the possibility for existing problems in the current config to be carried through to this DNS server. By not using forwarders and relying on the root servers you are isolating the one DNS server. You are absolutely right that we are not there and we don't know if any of the DNS servers are correct. That's why I don't want to involve them until the DC is working correctly.


Bill.
 
By the time you get a sufficient explanation to diagnose the problem we could all be old men.

This poses an eternal question for forums:

Quick fix or resolve the cause of the problem?

Do you resolve the user's problem as he states it to you, or do you look past the problem and explanation he has given for the real reason?

The 2nd for a forum is not always practical, as the user often isn't sufficiently educated or experienced to give you the information you require.
You quite often have to make do with resolving the problem as he states it to you.

But anyway, enough about this -- let's see what the user posts and what eventually resolves his problem.

MCSE NT&2K,CCNA/CCDA,CNA,ASE,NSP

 
Gareth,
The answer to both of your questions is that you answer the question as it is stated or you ask for more info. You shouldn't assume anything. Should there be zone forwarding between the DNS servers? Is it even necessary to include the 10.1.1.# DNS servers in the config, or would the ISP DNS servers be better DNS forwarders? The only thing that you know about the 10.1.1.# DNS servers is that they resolve external queries, but not queries for 10.25.200.0 addresses. Until you know what role they play in the network it would be inappropriate to suggest a role. Therefore, ignoring the forwarder option until more is known would be the better option.


Bill.
 
What is your subnet mask? Correct me if I am wrong, but if your subnet is something other than 255.0.0.0 then your gateway is incorrect and it isn't a problem with DNS.
 
Hopefully it's not that much of a problem.

MCSE NT&2K,CCNA/CCDA,CNA,ASE,NSP

 
Hi, and thank you to you all for the very interesting comments and suggested solutions. Sorry for no quicker a response, was taken ill!

To explain in slightly more detail:
There is no DHCP running on the server; all, including the server, are on static IP addresses, 10.25.200.xxx
Subnet 255.255.255.0
We have a broadband router that, according to the IT technicians that installed it, requires a primary and secondary DNS, 10.1.1.253 and 10.1.1.252, and a gateway, 10.25.200.1, to be set up on the clients.

We have one server which, when I set it up, I set the DNS using the two internal NICs' IP addresses. The broadband router is split, with designated ports for the Admin network and the others for curriculum, hence the need for two network cards on the server and two DNSs.

To stop students from playing with settings I introduced Group Policies, by creating an OU, adding users to that OU, then creating a GPO.

For the GPO to be recognised by the clients I had to include the server's IP address, hence three DNSs on the workstations. That is when my problem of not getting Internet access started.

Remove the server IP DNS: result, no policies but access to the Internet.
Remove the router DNS: result, get policy but no Internet access.

After reading your suggestions I looked at the DNS on the server and found an additional DNS zone called .com? No addresses set, not able to configure it in any way!
Right clicked and deleted, and you guessed it, now both Internet access and group policies are implemented.

So yes, it was a DNS problem, but where this extra .com DNS came from is anyone's guess. I do appreciate your comments, suggestions and help, all of which have been noted for further reference.

Oh, and any idea how I can control users using Win 98 on the same network, or am I asking too much!
Thanks again
Tim
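
Added illustration, not part of the original thread: a toy Python model of why a "." or "com" zone hosted on the domain controller's DNS stops Internet lookups while Group Policy still works, and why the router's DNS servers alone never find the domain controller. The domain `school.local`, the record values and the server order on the client are assumptions; only the three server roles come from the posts.

```python
# Toy model of the lookups in this thread; zone data and names are constructed.
NXDOMAIN, TIMEOUT = "NXDOMAIN", "TIMEOUT"
INTERNET = {"www.example.com": "192.0.2.10"}         # what real recursion would find
AD_ZONE = {"_ldap._tcp.school.local": "dc1.school.local"}  # hypothetical AD SRV record

class DnsServer:
    def __init__(self, zones, recurses=True):
        self.zones = zones        # {zone name: {fqdn: answer}} hosted authoritatively
        self.recurses = recurses

    def hosting_zone(self, name):
        """Most specific hosted zone covering name; "." covers every name."""
        hits = [z for z in self.zones
                if z == "." or name == z or name.endswith("." + z)]
        return max(hits, key=len) if hits else None

    def query(self, name):
        zone = self.hosting_zone(name)
        if zone is not None:
            # Authoritative for this name: answer from local data, never recurse.
            return self.zones[zone].get(name, NXDOMAIN)
        return INTERNET.get(name, NXDOMAIN) if self.recurses else TIMEOUT

def client_resolve(name, dns_list):
    """Client resolver: the first server that replies wins, NXDOMAIN included."""
    for server in dns_list:
        reply = server.query(name)
        if reply != TIMEOUT:
            return reply
    return TIMEOUT

def outcome(dns_list):
    """(domain controller found for Group Policy, Internet name resolved)"""
    failed = (NXDOMAIN, TIMEOUT)
    dc = client_resolve("_ldap._tcp.school.local", dns_list) not in failed
    web = client_resolve("www.example.com", dns_list) not in failed
    return dc, web

router_dns = DnsServer({})                                      # 10.1.1.253 / 10.1.1.252
dc_stray_com = DnsServer({"school.local": AD_ZONE, "com": {}})  # 10.25.200.2 as found
dc_cleaned = DnsServer({"school.local": AD_ZONE})               # after deleting the zone

if __name__ == "__main__":
    for label, servers in [("router DNS only", [router_dns]),
                           ("DC first, stray com zone", [dc_stray_com, router_dns]),
                           ("router first, stray com zone", [router_dns, dc_stray_com]),
                           ("DC first, zone deleted", [dc_cleaned, router_dns])]:
        print(label, outcome(servers))
```

The second DNS entry on a client is a fallback for a server that does not answer, not a second opinion: a negative answer from the first server ends the lookup.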
 