
Win2k DNS and Netscreen Problem

Status
Not open for further replies.

mooncat

Technical User
Sep 13, 2002
25
JP
First of all, I am working for a NPO and we don't have huge resources. So I am stuck with the problem of running our domain name off one server. We host website and email and antivirus etc. on this one box. I custom built a dual AMD with UW SCSI RAID and 2 teamed 3Com cards.

It functions ok and I was having no real problems until we got a Netscreen 5XT. The screen is configured properly as I got it from my friend at Netscreen and he helped me config it. We have 2 remote sites which tunnel through the screen and we have more than 25 users and it's running in mixed mode. I would like to upgrade some machines but unfortunately it's not possible financially.

So the dilemma is this: I set up AD so I can have all users on intranet or remote site use the server and authenticate. It obviously has to be the PDC and I got the DHCP done by the Netscreen. So I am using an internal range 192.168.0.x. We have 8 real IPs from our ISP and I registered 2 of them and host name to our domain name.

I want to use an IP from internal range for the server and have the 5XT with the real IP and we set MIP from real to int on the untrust side. Obviously I did something stupid as it only displays int IP to domain name when I use nslookup.

If I have the DNS in just a file outside AD I can keep it stable but as soon as I put it in AD or have dynamic updates from 5XT things go wrong and int address is displayed again.

I tried several different configs but can't keep it and 5XT in sync displaying real IP. I changed host and nameservers IPs and played with CNAME records and so on.

As I said we are an NPO so we have limited resources, so taking the server down means that email and office is disrupted. It's driving me mad ;) I did a lot of reading and research but can't seem to figure it out.

I only had about 9 months experience and I learned a lot but if someone can help out I would appreciate it.

I know the info is a bit sporadic so I can give more specific info when required.

Thanks guys.
Mooncat
 
Are you using DHCP to get the IP address for the server? I hope not as that will screw you up big time.

Secondly, if you are using a static IP for the server then the mapping from the Netscreen to the server should be a bit of a no-brainer. Ensure you are using the correct external IP. If you get a block of 8 from your ISP then the first and last won't be usable, i.e. 240-247, 240 = Network and 247 = Broadcast. You will lose one other for your router address and another for the Netscreen address.

Do you have an external DNS to map the correct IP to hostname? As you have noticed your internal hostname to IP maps fine but it seems to be externally you get the error. Try connecting to an external DNS server to run your query from there, e.g. nslookup and then enter server <external server name or IP> and do your query off of that.

If all comes to all, can you ignore the name resolution and just use the IP address? Or install the name into all the clients hosts file until you get a full solution? Drastic I know but sometimes the simplest fix can get you out of trouble quickly.
 
Thanks for the response.

I should have been more specific. I am running it off an ADSL router modem. It has the first 2 IPs from the static pool. The next 2 were registered to our domain.

And yes, I am using a static IP for the server of course.
And also I have used external lookups and the same applies.

What I want to achieve is for the server to host the domain and do DNS lookups for the LAN as well as for external queries. The 5XT does the DHCP and the range starts from 33-126. All other static IPs fall between 2 and 10. I want clients to be able to resolve WINS and DNS through the 5XT to the server. And I don't want the NICs bound to real IP.

I want to use a local address for the server and give the 5XT the real IP.

Is there any way to do this? I thought there was but ...
 
From the netscreen perspective it's pretty clear cut.

Untrust IP x.x.x.241
Trust IP 192.168.1.1
Mapped IP x.x.x.242 to 192.168.1.2 (server IP)

What I can't get my head around is why the clients would want to access WINS & DNS through the netscreen? Surely they are internal? Externally if they use x.x.x.242 as the DNS/WINS server they will always get internal addresses back which won't resolve via the internet.

The netscreen isn't an issue here as far as I can make out. It could be something to do with Zones in DNS.
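To make the split-horizon point above concrete, here is an added example (not from the thread or from any vendor): a small model of the server's zone that derives the view untrust-side clients should see from the Netscreen MIP table and flags any record that would leak an RFC 1918 address externally. The zone names (example.org) and the trust network are constructed placeholders; the addresses are the ones the posters give.

```python
"""Split-horizon DNS model for a host published through a Netscreen MIP."""
import ipaddress

# Constructed from the thread: MIP real -> internal, and its reverse.
MIP = {"219.163.104.98": "192.168.0.2"}
MIP_REVERSE = {v: k for k, v in MIP.items()}

# Constructed: what the AD-integrated (internal) zone holds. Hypothetical names.
INTERNAL_ZONE = {
    "www.example.org.": "192.168.0.2",
    "mail.example.org.": "192.168.0.2",
    "ns1.example.org.": "192.168.0.2",
    "printer.example.org.": "192.168.0.7",   # no MIP: must never be published
}

def is_private(ip):
    """True for RFC 1918 and other non-routable addresses."""
    return ipaddress.ip_address(ip).is_private

def external_view(internal_zone, mip_reverse):
    """Build the zone to serve on the untrust side: A records pointing at an
    internal host with a MIP are rewritten to the real IP; internal hosts
    without a MIP are dropped instead of leaked."""
    ext = {}
    for name, ip in internal_zone.items():
        if not is_private(ip):
            ext[name] = ip
        elif ip in mip_reverse:
            ext[name] = mip_reverse[ip]
    return ext

def leaked_private(zone):
    """Names in an externally served zone that still carry private addresses
    (the symptom mooncat sees when the AD zone answers outside queries)."""
    return sorted(n for n, ip in zone.items() if is_private(ip))

def resolve(name, source_ip, internal_zone, external_zone,
            trust_net="192.168.0.0/24"):
    """Answer like a split-horizon server: trust-side sources get the internal
    zone, everything else gets the MIP-rewritten external zone."""
    inside = ipaddress.ip_address(source_ip) in ipaddress.ip_network(trust_net)
    return (internal_zone if inside else external_zone).get(name)

if __name__ == "__main__":
    ext = external_view(INTERNAL_ZONE, MIP_REVERSE)
    print("external view:", ext)
    print("leaks in internal zone if served externally:", leaked_private(INTERNAL_ZONE))
    print(resolve("www.example.org.", "203.0.113.7", INTERNAL_ZONE, ext))
```

Running `leaked_private` over the zone you actually serve to untrust queries is the quick check for this thread's symptom; a clean external view returns an empty list.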
 
Yeah, that's basically how it's set up. The untrust has the external IP.
And the internal clients are plugged onto a different port on the Netscreen. So the screen passes the packets on to the server for DNS or WINS resolution.

I am sure also there's an issue with the zones, as external DNS also shows the internal IP regardless of DNS server used or connection.

I am not sure what records in the DNS are at fault or if I need to add extra ones.

They all seem to be there: SOA and nameserver etc. and aliases and MX.

So untrust has 219.163.104.98 as our range runs from 96-103.
There's a MIP from that IP to internal 192.168.0.2 which is bound to the server's NICs. And gateway is the screen's trust IP.
I want the resolution to return the real IP when resolved externally for mail or whatever purposes.
But all I get is internal address returned.

 
So Microsoft seem to say that the internal IP should be the DNS IP. So if all the records in the DNS are the internal IP then when someone tries to resolve the domain name from outside they will get the internal IP returned.

So how can I get it to return the external IP, which the domain is registered to?

 