#1
I'm trying to do something which *should* be simple, but I'm getting nowhere fast. I have a service application which, among other things, needs to update A records in a given DNS server. I am using the DnsModifyRecordsInSet API. This all works just ducky when I point it at a (properly configured) DNS server out on the Internet which is running BIND.

I also have to be able to run it against Windows DNS Server (both Windows 2000 and Windows 2003). I am trying to set up a DNS server on my private network; I want a special zone (called "local") to contain the records I will be updating.

I have tried numerous ways of configuring this, both on Win2000 and Win2003, to no avail. Using Ethereal, I can see a request for the SOA record go to my DNS server, and the response comes back; but the DnsModifyRecordsInSet call returns error 9002 (DNS_ERROR_RCODE_SERVER_FAILURE, "DNS server failure"). I've also tried using the ModifyRecords sample in the Platform SDK (which uses the same API), and it behaves the same way.

Since this same API works with BIND and not with Windows DNS, my conclusion is that I have not configured Windows DNS correctly. Can anyone give me a step-by-step to do this? It seems like it should be straight-forward, but I'm just a simple programmer.

Thanks in advance,

--mkj

Michael Jones
Stone Hill Consulting
http://stonehill.com
#2
"Michael Jones" <mkjones@newsgroup.nospam> wrote in message news:ejObwjQMHHA.1248@TK2MSFTNGP03.phx.gbl...

> I'm trying to do something which *should* be simple, but I'm getting nowhere fast. I have a service application which, among other things, needs to update A records in a given DNS server. I am using the DnsModifyRecordsInSet API. This all works just ducky when I point it at a (properly configured) DNS server out on the Internet which is running BIND.
>
> I also have to be able to run it against Windows DNS Server (both Windows 2000 and Windows 2003). I am trying to set up a DNS server on my private network; I want a special zone (called "local") to contain the records I will be updating.
>
> I have tried numerous ways of configuring this, both on Win2000 and Win2003, to no avail. Using Ethereal, I can see a request for the SOA record go to my DNS server, and the response comes back; but the DnsModifyRecordsInSet call returns error 9002 (DNS_ERROR_RCODE_SERVER_FAILURE, "DNS server failure"). I've also tried using the ModifyRecords sample in the Platform SDK (which uses the same API), and it behaves the same way.
>
> Since this same API works with BIND and not with Windows DNS, my conclusion is that I have not configured Windows DNS correctly. Can anyone give me a step-by-step to do this? It seems like it should be straight-forward, but I'm just a simple programmer.

You may have to ask this question in one of the programming/API groups (no reason not to copy here, but most people here are admin types, and even those of us who are programmers aren't typically doing programming as our main job today.)

One thought most of us would have is the differences between "Dynamic updates" being allowed, "Secure Only Dynamic Updates" and how these relate to AUTHENTICATION.

Also, are you running this "over the network" or locally on the same computer as the DNS server, and are you an Admin (on the domain or authenticated on that DNS server)?

Also note that usually it is the "Computer Account" that must be authenticated for "Secure Updates" to work, and that for service level access you usually authenticate as a USER (running a program.)

These questions won't give you the answer, but they might point you towards some tests and ideas for checking.

Also, consider that in Win2003 you can easily enable "Debug Logging" in the DNS MMC to determine quite a bit about what requests are received and how they are answered. Both Win2000 and Win2003 DNS have some simple logging too, but that debug logging may be quite useful in your situation.

> Thanks in advance,
>
> --mkj
>
> Michael Jones
> Stone Hill Consulting
> http://stonehill.com
#3
Comments inline below.

--mkj

Herb Martin wrote:
>
> You may have to ask this question in one of the programming/API groups (no reason not to copy here but most people here are admin types and even those of us who are programmers aren't typically doing programming as our main job today.)

I don't think it's an API problem per se; the same code works when I point it at BIND, and fails when I point it at a Windows DNS server. I suspect that I've just not configured the Windows DNS server correctly for what I want to do.

> One thought most of us would have is the differences between "Dynamic updates" being allowed, "Secure Only Dynamic Updates" and how these relate to AUTHENTICATION.

I've configured it to allow both secure and non-secure updates. At least, that's what it says on the "General" tab of the properties dialog for the zone. Is there more to it than that (for non-secure updates)?

> Also, if you are running this "over the network" or locally on the same computer as the DNS server, and are you an Admin (on the domain or authenticated on that DNS server)?

It fails in the same way whether I run it on the DNS server machine, or from a different machine on the same network.

> Also note that usually it is the "Computer Account" that must be authenticated for the "Secure Updates" work and that for service level access you usually authenticate as a USER (running a program.)

I can run the app as a service or as a console-mode app; I get the same error either way. I also get the same error using the "ModifyRecords" sample (also a console app) in the Platform SDK (which uses the same API).

> These questions won't give you the answer but they might point you towards some tests and ideas for checking.
>
> Also, consider that in Win2003 you can easily enable "Debug Logging" in the DNS MMC to determine quite a bit about what requests are received and how they are answered.
>
> Both Win2000 and Win2003 DNS have some simple logging too, but that debug logging may be quite useful in your situation.

I will turn that on and see what I get.

One thing I did not communicate well: although I understand how DNS is set up and how it works to a first level, I do not have the "zen" of it; I get the basics, but I also suspect there are subtleties and intricacies which I am missing. That's further reason why I suspect I have not configured DNS properly.

I have been googling for days now, trying to find a simple "how-to" for setting up Windows DNS to serve a private zone on a private network, but still be able to forward other requests out to my normal (ISP-supplied) DNS server.

I have attempted to put together bits and pieces of things I have found, without completely understanding them all. It seems to work to some degree; I can get out to the Internet, I can ping local machines, and if I manually add an A record to my private zone, I can ping that.

However, I cannot add or update records in that zone. I can (using the same program) add and update records in a zone managed by BIND (running on Linux out on the Internet somewhere). So I'm guessing there's something screwy with how I set up my DNS server here, and/or how my client machines are configured.

Any pointers on configuring DNS in general for this situation--private network, DNS serving a private domain (but forwarding to ISP's DNS for all others), Workgroup environment (as opposed to Domain Controller or Active Directory)--I would be eternally grateful.

Cheers,

--mkj

Michael Jones
http://stonehill.com
#4
"Michael Jones" <mkjones@newsgroup.nospam> wrote in message news:OHD4UUbMHHA.3312@TK2MSFTNGP03.phx.gbl...

> Comments inline below.
>
> --mkj
>
> Herb Martin wrote:
> >
> > You may have to ask this question in one of the programming/API groups (no reason not to copy here but most people here are admin types and even those of us who are programmers aren't typically doing programming as our main job today.)
>
> I don't think it's an API problem per se; the same code works when I point it at BIND, and fails when I point it at a Windows DNS server. I suspect that I've just not configured the Windows DNS server correctly for what I want to do.
>
> > One thought most of us would have is the differences between "Dynamic updates" being allowed, "Secure Only Dynamic Updates" and how these relate to AUTHENTICATION.
>
> I've configured it to allow both secure and non-secure updates. At least, that's what it says on the "General" tab of the properties dialog for the zone. Is there more to it than that (for non-secure updates)?

No, that's it. And you can test it by having a machine set its primary domain name (System Control Panel->Computer Name) to that zone name, set its NIC->IP->DNS server to this server, boot or run "Ipconfig /registerDNS", and see if it registers itself. (It will if you have the non-secure and secure update settings.)

> > Also, if you are running this "over the network" or locally on the same computer as the DNS server, and are you an Admin (on the domain or authenticated on that DNS server)?
>
> It fails in the same way whether I run it on the DNS server machine, or from a different machine on the same network.
>
> > Also note that usually it is the "Computer Account" that must be authenticated for the "Secure Updates" work and that for service level access you usually authenticate as a USER (running a program.)
>
> I can run the app as a service or as a console-mode app; I get the same error either way. I also get the same error using the "ModifyRecords" sample (also a console app) in the Platform SDK (which uses the same API).

The (poor) distinction I was trying to make here was the distinction between authenticating as the Computer and authenticating as a User, then Admin or ordinary User.

> > These questions won't give you the answer but they might point you towards some tests and ideas for checking.
> >
> > Also, consider that in Win2003 you can easily enable "Debug Logging" in the DNS MMC to determine quite a bit about what requests are received and how they are answered.
> >
> > Both Win2000 and Win2003 DNS have some simple logging too, but that debug logging may be quite useful in your situation.
>
> I will turn that on and see what I get. One thing I did not communicate well: although I understand how DNS is set up and how it works to a first level, I do not have the "zen" of it; I get the basics, but I also suspect there are subtleties and intricacies which I am missing. That's further reason why I suspect I have not configured DNS properly.

We can help you get the 'zen' or fully 'grok' DNS here, but other than unusual setup tricks (to implement odd scenarios) there is very little that is surprising in DNS -- like most of IP, DNS is incredibly logical, and I have reasonable confidence that you have set up DNS correctly.

One unlikely but possibly enlightening trick you might try is to CHANGE the DNS dynamic update setting to "No", then "Secure Only updates" (only possible for AD integrated DNS if you use a Domain Controller), running your program each time to see if you get different error messages which might lead to some insight. Not likely, but easy to test.

> I have been googling for days now, trying to find a simple "how-to" for setting up Windows DNS to serve a private zone on a private network, but still be able to forward other requests out to my normal (ISP-supplied) DNS server.

That's easy: Just set your "DNS clients" to use it (NIC->IP properties) and in your DNS server FORWARDING tab (MMC->Properties->Forwarder) set the ISP (or other external resolving DNS, e.g., your gateway/firewall) as the Forwarder. (Generally you would also check "Do not use recursion", but that is ONLY an option.) You want to set the 'general' forwarding, which is labeled "all other domains/zones".

[IF the forwarding tab is disabled when you attempt the above, then delete the "." (or DOT) zone. It is unnecessary (if it appears) for practically everyone, especially those people who didn't explicitly create it themselves.]

> I have attempted to put together bits and pieces of things I have found, without completely understanding them all. It seems to work to some degree; I can get out to the Internet, I can ping local machines, and if I manually add an A record to my private zone, I can ping that.

Make sure your DNS clients (whether the same DNS server or other machines) are set to use STRICTLY a single DNS server (set) -- do not mix your internal server and the ISP on their NIC->IP properties. (Doing this wrong is a common beginner mistake, and even though it may APPEAR to work sometimes, it is never reliable.)

> However, I cannot add or update records in that zone. I can (using the same program) add and update records in a zone managed by BIND (running on Linux out on the Internet somewhere). So I'm guessing there's something screwy with how I set up my DNS server here, and/or how my client machines are configured.

Maybe.

Try the test to see if one of them can register its own computer name -- we all get that to work every day, so if it doesn't work we can talk you through the non-programmatic setup and troubleshooting of dynamic DNS, which does seem to be correctly set from your description.

> Any pointers on configuring DNS in general for this situation--private network, DNS serving a private domain (but forwarding to ISP's DNS for all others), Workgroup environment (as opposed to Domain Controller or Active Directory)--I would be eternally grateful.

1) Set to allow Secure and Non-Secure updates
2) Set forwarding tab to forward to the ISP DNS Server
3) Set all clients (including the DNS server itself) to use STRICTLY the internal DNS server on their NIC->IP Properties.
#5
There were some useful suggestions in your last posting; most of which I had done at one time or another (but perhaps not all together at one time in the right order). However, just before I saw your reply, I actually got it to work. Let me explain what I tried first (which didn't work), and then what I did to get it to work; maybe you can explain where I went wrong the first time.

Initially, I created a zone called "local." (with dynamic updates enabled). I also set the server name to "mydns.local". The server has a static IP address, and has its own address as the DNS server in TCP/IP Properties. On the client machine I set the DNS suffix to "local" and the DNS server address to the IP address of mydns.

That did not work. From the client, I was able to ping the Internet, and ping the mydns machine. If I manually added an A record to the "local" zone, I could ping it as well. But updates did not work.

On a lark, I changed the DNS suffix to "local.stonehill.com", and added that zone to mydns. Suddenly it started working. Note that the authoritative DNS server for "stonehill.com" is not my DNS server (it's TierraNet as it happens).

The only difference I can see is that with "local." there is no "standard" top-level domain (com, net, org, etc). Could that be the issue? It didn't seem to bother "ping", but maybe the DNS updater "knows" too much? It doesn't seem likely, but I can't come up with any other theory.

Cheers,

--mkj

Michael Jones
http://stonehill.com
#6
"Michael Jones" <mkjones@newsgroup.nospam> wrote in message news:OA$2dYcMHHA.5000@TK2MSFTNGP03.phx.gbl...

> There were some useful suggestions in your last posting; most of which I had done at one time or another (but perhaps not all together at one time in the right order). However, just before I saw your reply, I actually got it to work. Let me explain what I tried first (which didn't work), and then what I did to get it to work; maybe you can explain where I went wrong the first time.
>
> Initially, I created a zone called "local." (with dynamic updates enabled). I also set the server name to "mydns.local". The server has a static IP address, and has its own address as the DNS server in TCP/IP Properties. On the client machine I set the DNS suffix to "local" and the DNS server address to the IP address of mydns.

I suppose that I should have asked you about SINGLE LABEL domain names. It just doesn't occur to me (at first) that anyone will use those, and therefore I don't typically remember to suggest it until later -- or until someone says that they have used a single label domain name.

There are significant issues with Dynamic Registration using such single label names (e.g., domain, local, rather than domain.com or domain.local, or even longer such as corp.domain.com).

> That did not work. From the client, I was able to ping the Internet, and ping the mydns machine. If I manually added an A record to the "local" zone, I could ping it as well. But updates did not work.
>
> On a lark, I changed the DNS suffix to "local.stonehill.com", and added that zone to mydns. Suddenly it started working. Note that the authoritative DNS server for "stonehill.com" is not my DNS server (it's TierraNet as it happens).
>
> The only difference I can see is that with "local." there is no "standard" top-level domain (com, net, org, etc).

Nothing to do with "standard" but rather with the SINGLE label domain name.

> Could that be the issue?

Yes, it is a known issue for single label names, but non-standard names are just fine, e.g., junk.stupid.local will work, but just "com" or just "anything" will give trouble.

> It didn't seem to bother "ping", but maybe the DNS updater "knows" too much? It doesn't seem likely, but I can't come up with any other theory.

It is ONLY a "dynamic registration" problem.

I apologize for the delay in realizing the source of your problem.

--
Herb Martin, MCSE MVP
www.LearnQuick.Com
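What DnsModifyRecordsInSet sends after the SOA lookup Michael saw in Ethereal is an RFC 2136 dynamic UPDATE, and the 9002 he got back is how windns.h surfaces the server's RCODE: DNS_ERROR_RCODE_BASE (9000) plus RCODE 2 (SERVFAIL) gives DNS_ERROR_RCODE_SERVER_FAILURE. The following is an added example, not code from this thread or from Michael's service: it builds the UPDATE message for an A record, rejects the single-label zone name ("local") that Herb identified as the cause before anything goes on the wire, and decodes a response header into the RCODE name and the matching Win32 error. The zone "local.stonehill.com" is from the thread; the host name "host1", the address 192.0.2.10 and the constructed SERVFAIL reply are sample values made up for the example.

```python
"""Added example: the RFC 2136 UPDATE behind DnsModifyRecordsInSet, with a
pre-flight check for single-label zone names and a decoder that maps the
response RCODE to the windns.h error code the API reports."""
import random
import socket
import struct

# windns.h: DNS_ERROR_RCODE_BASE is 9000 and a non-zero RCODE surfaces as
# 9000 + RCODE, so SERVFAIL (2) becomes 9002, DNS_ERROR_RCODE_SERVER_FAILURE.
DNS_ERROR_RCODE_BASE = 9000
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
               8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def check_zone_name(zone):
    """Return (ok, reason). Rejects single-label zones such as "local",
    the configuration that broke dynamic registration in this thread."""
    labels = [lbl for lbl in zone.rstrip(".").split(".") if lbl]
    if not labels:
        return False, "empty zone name"
    if len(labels) == 1:
        return False, (f"single-label zone {labels[0]!r}: dynamic update is "
                       f"known to fail; use at least two labels")
    return True, "ok"


def encode_name(name):
    """Wire-format domain name: length-prefixed labels plus root terminator."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_update(zone, host, ipv4, ttl=3600, msg_id=None):
    """UPDATE message adding host.zone IN A ipv4 (RFC 2136 section 2):
    header, one Zone entry (zone/SOA/IN), no prerequisites, one Update RR."""
    ok, reason = check_zone_name(zone)
    if not ok:
        raise ValueError(reason)
    if msg_id is None:
        msg_id = random.randrange(0, 1 << 16)
    flags = OPCODE_UPDATE << 11                  # QR=0, OPCODE=5, RCODE=0
    # ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    if len(rdata) != 4:
        raise ValueError(f"bad IPv4 address {ipv4!r}")
    update_rr = (encode_name(f"{host}.{zone}")
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata))
                 + rdata)
    return header + zone_section + update_rr


def decode_response(resp):
    """Return (rcode, rcode_name, win32_error) from a response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", resp[:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    win_err = 0 if rcode == 0 else DNS_ERROR_RCODE_BASE + rcode
    return rcode, RCODE_NAMES.get(rcode, "RESERVED"), win_err


def servfail_reply_for(request):
    """Constructed sample reply: a server echoing the request ID with QR=1,
    OPCODE=UPDATE and RCODE=2 (SERVFAIL), as the original poster observed."""
    msg_id = struct.unpack("!H", request[:2])[0]
    flags = 0x8000 | (OPCODE_UPDATE << 11) | 2
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


def send_update(server_ip, packet, timeout=3.0):
    """Send the UPDATE over UDP to the zone's primary and return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        return sock.recv(512)


if __name__ == "__main__":
    print(check_zone_name("local"))                  # rejected before sending
    pkt = build_update("local.stonehill.com", "host1", "192.0.2.10", msg_id=0x1234)
    print(len(pkt), pkt.hex())
    print(decode_response(servfail_reply_for(pkt)))  # (2, 'SERVFAIL', 9002)
```

The pre-flight check is the cheap defensive step the thread suggests: an installer or service that refuses a single-label zone name with a clear message saves the end users Michael mentions from an opaque 9002. The decoder is equally useful against a real reply captured with Ethereal, since the RCODE in the header is exactly what the API folds into its return value.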
#7
Herb Martin wrote:
> I apologize for the delay in realizing the source of your problem.

Oh, no problem; I'm grateful someone finally explained the weirdness! I just know the ultimate end-users of this thing will do the same thing, and I know that I'll get asked why it doesn't work; so being able to give an intelligent answer is a huge relief.

Thanks again for all your !

Cheers,

--mkj

Michael Jones
http://stonehill.com
#8
Herb Martin wrote:
> I apologize for the delay in realizing the source of your problem.

Oh, no problem; I'm grateful someone finally explained the weirdness! I just know the ultimate end-users of this software will do the same thing, and I know that I'll get asked why it doesn't work; so being able to give an intelligent answer is a huge relief.

Thanks again for all your !

Cheers,

--mkj

Michael Jones
http://stonehill.com