#1
Hi,

I have a problem when I ping in my new AD 2003. I have 2 DCs, also DNS servers. The 2 DC servers' DNS IP settings point to themselves. 1 file server's DNS setting points to the 2 DNS servers internally.

My AD name is 'ael.ms.sg', DNS are AD-integrated.

Problem here: when I ping any invalid hostname, it returns:

```
C:\Documents and Settings\Administrator>ping test

Pinging test.ms.sg [203.117.178.39] with 32 bytes of data:

Request timed out.
Request timed out
```

This [203.117.178.39] is not our IP. I did a ping of ms.sg in my office and it also returned [203.117.178.39]. I guess this is an external IP with a valid domain called 'ms.sg'. Anyway, when I ping any invalid host, it should return 'time-out', instead of forwarding to external to resolve.

I did another test: in my DNS server, I created a forward zone 'microsoft.com' with an empty host record. I did a ping of 'www.microsoft.com', and it returned:

```
Pinging www.microsoft.com.ms.sg [203.117.178.39] with 32 bytes of data:

Request timed out.
```

Without the forward zone 'microsoft.com' in my DNS, I ping 'www.microsoft.com' and it returns:

```
>ping www.microsoft.com

Pinging lb1.www.ms.akadns.net [207.46.19.60] with 32 bytes of data:

Request timed out.
```

This is obviously wrong!

Below is the ipconfig /all on my DC1:

```
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig/all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : AELDC1
   Primary Dns Suffix  . . . . . . . : ael.ms.sg
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ael.ms.sg
                                       ms.sg

Ethernet adapter LAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-13-72-5B-86-B9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 198.1.1.60
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 198.1.1.3
   DNS Servers . . . . . . . . . . . : 198.1.1.60
   Primary WINS Server . . . . . . . : 198.1.1.60
   Secondary WINS Server . . . . . . : 198.1.1.61

C:\Documents and Settings\Administrator>
```

Workaround: I removed the 'Append parent suffixes of the primary DNS' tick in DC1 and did the same ping. Now it replies normally, as in 'ping request could not find host test.', which is a normal reply for an invalid hostname.

This is not a good solution and it should not forward to external to resolve anyway, plus the return of ping 'www.microsoft.com.ms.sg' is stupid..

Any clues what's going on with my DNS?

regards,
Chua
#2
steve wrote:
> Hi,
>
> i have a problem when i did a ping in my new AD 2003. i have 2 DC also a dns server. the 2 DC server dns IP settings is pointing to itself. 1 file server dns setting is pointing to the 2 Dns server internally.
> My AD name is 'ael.ms.sg', DNS are AD-integrated.
> Problem here: when i do a pinging of any invalid hostname, it returns:

```
C:\Documents and Settings\Administrator>ping test
Pinging test.ms.sg [203.117.178.39] with 32 bytes of data:
```

<snip>

> The below is the IPconfig/all on my DC1
>
> ```
> Microsoft Windows [Version 5.2.3790]
> (C) Copyright 1985-2003 Microsoft Corp.
>
> C:\Documents and Settings\Administrator>ipconfig/all
>
> Windows IP Configuration
>
>    Host Name . . . . . . . . . . . . : AELDC1
>    Primary Dns Suffix  . . . . . . . : ael.ms.sg
>    Node Type . . . . . . . . . . . . : Hybrid
>    IP Routing Enabled. . . . . . . . : No
>    WINS Proxy Enabled. . . . . . . . : No
>    DNS Suffix Search List. . . . . . : ael.ms.sg
>                                        ms.sg
>
> Ethernet adapter LAN:
>
>    Connection-specific DNS Suffix  . :
>    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
>    Physical Address. . . . . . . . . : 00-13-72-5B-86-B9
>    DHCP Enabled. . . . . . . . . . . : No
>    IP Address. . . . . . . . . . . . : 198.1.1.60
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Default Gateway . . . . . . . . . : 198.1.1.3
>    DNS Servers . . . . . . . . . . . : 198.1.1.60
>    Primary WINS Server . . . . . . . : 198.1.1.60
>    Secondary WINS Server . . . . . . : 198.1.1.61
>
> C:\Documents and Settings\Administrator>
> ```
>
> workaround:
> i remove the 'Append parent suffixes of the primary DNS' tick, in DC1. i did the same ping. Now, it replys normal as in 'ping request could not find host test.' Which this is a normal reply for invaild hostname.
>
> This is not a good solutions and it should not forward to external to resolve anway, plus the return of ping 'www.microsoft.com.ms.sg' is stupid..
>
> any clus what's going on with my DNS?
Nothing is wrong with your DNS. This is a problem for Active Directory domains that are in the same DNS tree at the third or lower level as your public domain, and there is a wildcard record in the public domain tree at a higher level.

There is only one solution, since getting rid of the wildcard record in a domain you have no control of is out of the question. That solution is to remove ms.sg from the DNS suffix search list by configuring each machine with a custom DNS suffix search list. Win2k3 and XP clients are fairly easy and can be done in the Default Domain and Default Domain Controller policy.

```
Computer Configuration
-Administrative templates
-Network
-DNS Client <DNS Suffix search list>
```

Make ael.ms.sg the only name in the search list.

This policy is ignored by Win2k clients; they will have to be done manually at the client in TCP/IP properties, on the DNS tab. Select the radio button "Append these suffixes (in order)", then enter ael.ms.sg as the only suffix appended.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================
#3
Hi,

Sorry, I don't really get you. I have set up so many ADs before. Others were using names like 'abc.net.sg'. If I create another forward zone 'microsoft.com' and I do a ping of 'www.microsoft.com', it will not resolve things like 'microsoft.com.net.sg'.
I don't understand why it got forwarded out to resolve. I did an nslookup, see if you have any comments:

```
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookup
Default Server:  aeldc1.ael.ms.sg
Address:  198.1.1.60

> ael.ms.sg
Server:  aeldc1.ael.ms.sg
Address:  198.1.1.60

Non-authoritative answer:
Name:    ael.ms.sg.ms.sg
Address:  203.117.178.39

> test.ms.sg
Server:  aeldc1.ael.ms.sg
Address:  198.1.1.60

Non-authoritative answer:
Name:    test.ms.sg.ms.sg
Address:  203.117.178.39

> test.ms.sg
Server:  aeldc1.ael.ms.sg
Address:  198.1.1.60

Non-authoritative answer:
Name:    test.ms.sg.ms.sg
Address:  203.117.178.39

>
```

Thanks!!
#4
steve wrote:
> hi,
>
> sorry i dun really get u. i have setup so many AD before. others were using like 'abc.net.sg'. If i create another forward zone 'microsoft.com'. if i do a ping 'www.microsoft.com', it will not resolve things like 'microsoft.com.net.sg'.
> i dun understand y it got forward out to resolve? i did a nslookup, see if u have any comments
>
> ```
> Microsoft Windows [Version 5.2.3790]
> (C) Copyright 1985-2003 Microsoft Corp.
>
> C:\Documents and Settings\Administrator>nslookup
> Default Server:  aeldc1.ael.ms.sg
> Address:  198.1.1.60
>
> > ael.ms.sg
> Server:  aeldc1.ael.ms.sg
> Address:  198.1.1.60
>
> Non-authoritative answer:
> Name:    ael.ms.sg.ms.sg
> Address:  203.117.178.39
>
> > test.ms.sg
> Server:  aeldc1.ael.ms.sg
> Address:  198.1.1.60
>
> Non-authoritative answer:
> Name:    test.ms.sg.ms.sg
> Address:  203.117.178.39
>
> > test.ms.sg
> Server:  aeldc1.ael.ms.sg
> Address:  198.1.1.60
>
> Non-authoritative answer:
> Name:    test.ms.sg.ms.sg
> Address:  203.117.178.39
> ```

This is the behavior of nslookup and the DNS client service; you will not get this behavior if you add a trailing "." (dot) to your queries. This is not a problem with your DNS server, it is the client: it first appends the Primary DNS suffix, then it appends the parent of the Primary DNS suffix (ms.sg in this case), and will continue to devolve until it has appended the last two-level domain. If you append the dot to all queries, the client will not append suffixes. Try nslookup with the -d2 option to see what names are sent to DNS.

If you follow my instructions it will stop.

The domain "ms.sg" has a wildcard record in it that will redirect you to some kind of website administration page if you resolve a name that does not exist.

Look at some of the names I queried for:

```
QUESTION SECTION:
anynameyouwanttotype.ms.sg. IN A

ANSWER SECTION:
anynameyouwanttotype.ms.sg. 3599 IN A 203.117.178.39

Query time: 625 ms
Server : 192.168.201.13:53 udp (192.168.201.13)

QUESTION SECTION:
http://www.WildCardRecordsAreSoStupi...lPurpose.ms.sg. IN A

ANSWER SECTION:
http://www.WildCardRecordsAreSoStupi...lPurpose.ms.sg. 3599 IN A 203.117.178.39

Query time: 328 ms
Server : 192.168.201.13:53 udp (192.168.201.13)
```

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
#5
Thanks for the explanation.

But in my thinking, I always thought I'm querying internally in the primary DNS suffix or parent DNS suffix. WHY should it resolve to external? Sorry if I sound annoying...
#6
steve wrote:
> Thanks for the explanation.
>
> But for my thinking i always thought, im query internally in primary dns suffix or parent dns suffix. WHY it should resolve to external.?
> sorry if i sound annoying...

Non-fully qualified names are appended with the DNS suffix search list, first one (the Primary DNS suffix); if the name cannot be found in the internal zone, the DNS client appends the parent of the Primary DNS suffix (ms.sg), which is forwarded to the internet; it hits the wildcard in ms.sg and resolves. A DNS name is not fully qualified unless it ends with a dot. So, www.microsoft.com is not fully qualified but www.microsoft.com. is.

It really is that simple. This is a common issue for third-level domain names, but not all parent domains have wildcards in them, and the client stops appending suffixes and just sends the queried name to DNS.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
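The suffix-appending order explained in the replies above, as a Python model (an added example, not part of the original thread and not Windows code). The zone tables are constructed from the names and addresses quoted in the posts; the function names, the `suffix_first` switch for nslookup-style lookups, and the rule that a single-label name is only sent with suffixes are assumptions of this model.

```python
# Added illustration of the suffix-appending order described in this thread.
# Zone tables are constructed; names and addresses are the ones quoted in the posts.

WILDCARD_ZONES = {"ms.sg": "203.117.178.39"}            # public parent zone with a "*" record
EXTERNAL_HOSTS = {"www.microsoft.com": "207.46.19.60"}  # answer seen in post #1
AD_ZONES = {"ael.ms.sg": {"aeldc1.ael.ms.sg": "198.1.1.60"}}  # zones the DCs serve


def devolved_suffixes(primary_suffix, min_labels=2):
    """Primary DNS suffix followed by each parent, stopping at a two-label domain."""
    labels = primary_suffix.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]


def candidates(name, search_list, suffix_first=False):
    """Names sent to DNS, in order. suffix_first=True models nslookup (assumption)."""
    name = name.lower()
    if name.endswith("."):
        return [name[:-1]]                    # fully qualified: nothing is appended
    appended = [f"{name}.{suffix}" for suffix in search_list]
    if "." not in name:
        return appended                       # single label: only suffixed forms (assumption)
    return appended + [name] if suffix_first else [name] + appended


def lookup(fqdn, local_zones):
    """Constructed server: authoritative for local_zones, forwards everything else."""
    for zone, hosts in local_zones.items():
        if fqdn == zone or fqdn.endswith("." + zone):
            return hosts.get(fqdn)            # a missing record here is a name error
    for zone, addr in WILDCARD_ZONES.items():
        if fqdn.endswith("." + zone):
            return addr                       # the wildcard answers any name under the zone
    return EXTERNAL_HOSTS.get(fqdn)


def resolve(name, search_list, local_zones=AD_ZONES, suffix_first=False):
    """Return (name that answered, address), or (None, None) if every candidate fails."""
    for fqdn in candidates(name, search_list, suffix_first):
        addr = lookup(fqdn, local_zones)
        if addr:
            return fqdn, addr
    return None, None


def external_suffixes(search_list, local_zones=AD_ZONES):
    """Search-list entries no internal zone serves: lookups under them leave the network."""
    return [s for s in search_list
            if not any(s == z or s.endswith("." + z) for z in local_zones)]


if __name__ == "__main__":
    default_list = devolved_suffixes("ael.ms.sg")        # primary suffix, then its parent
    print(resolve("test", default_list))                 # answered by the ms.sg wildcard
    print(resolve("test", ["ael.ms.sg"]))                # custom search list: name error
    print(resolve("test.", default_list))                # trailing dot: nothing appended
    with_empty_zone = dict(AD_ZONES, **{"microsoft.com": {}})
    print(resolve("www.microsoft.com", default_list, with_empty_zone))
    print(resolve("ael.ms.sg", default_list, suffix_first=True))   # nslookup case from post #3
    print(external_suffixes(default_list))               # suffixes whose queries go outside
```

`external_suffixes` is the check to run against any proposed search list: every entry it returns is a suffix under which mistyped or missing internal names will be answered by whoever controls that public zone.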
#7
I do understand clearly now. Thanks for your explanation.