#1

Yesterday, we lost our ISA server and while it was down, internal DNS went in the toilet.

Our internal DNS is AD integrated. Our domain is internal.mycompany.com (clients are set to append this suffix). We have 2 subdomains, printers.internal.mycompany.com and net.internal.mycompany.com. When the internet was lost, and therefore external DNS was lost, clients became unable to contact resources in either of the 2 subdomains by name unless they specified the fully qualified name. We've since restored the internet connection, so things are operating properly again, but there is obviously a misconfiguration somewhere that I want to get resolved in case the internet is lost again.

#2

These two systems should be totally disconnected from one another when it comes to name resolution.

Your internal AD dns servers should not have any reference to external dns servers. What you want to do is forward any external requests to your ISP and all your clients should be requesting all dns queries to your AD dns server.

Take a look at
http://support.microsoft.com/kb/323418/

With particular interest in the paragraph -> To Integrate Windows Server 2003 DNS into Your existing DNS Domain

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

#3

Sorry Paul, I neglected to mention that all clients point only to internal DNS servers and each of the DNS servers points to one another. None of them points to an external DNS server.

#4

Should I be doing this?

To Add the Organization's Main DNS Servers to the List of Forwarders on the Windows Server 2003 Computer

1. Click Start, point to Programs, click Administrative Tools, and then click DNS to open the DNS Management Console.
2. Right-click the DNS Server object for your server, and then click Properties.
3. Click the Forwarders tab, type the IP address of the DNS server to which you want to forward non-local queries, and then click Add.
4. Continue adding the IP addresses of any additional DNS servers to be used as forwarders until you have added all forwarders.
5. Click OK to save the settings and return to the DNS Management Console.

Rather than my current forwarders config which is "DNS domain: All other DNS domains" and forwarder IP address list empty

thanks,
Trevor

#5

Read inline please.

In news:2Deci.18421$vT6.12639@edtnps90,
Trevor Christie <bbtrev@gmail.com> typed:
> Yesterday, we lost our ISA server and while it was down, internal DNS went in the toilet.
>
> Our internal DNS is AD integrated. Our domain is internal.mycompany.com (clients are set to append this suffix). We have 2 subdomains, printers.internal.mycompany.com and net.internal.mycompany.com. When the internet was lost, and therefore external DNS was lost, clients became unable to contact resources in either of the 2 subdomains by name unless they specified the fully qualified name. We've since restored the internet connection, so things are operating properly again, but there is obviously a misconfiguration somewhere that I want to get resolved in case the internet is lost again.

The only sure way for clients to resolve hostnames only in any domain, is to have all domains in which you want hostname only resolution listed in the DNS suffix search list.

If internal.mycompany.com is the only suffix in your list, I would find it strange that hosts in other domains would resolve in this one, unless you have WINS lookup enabled or those hosts are registered in that zone.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s

===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================

#6

So Kevin, are you saying that in our domain suffix search list we should have:

internal.mycompany.com
printer.internal.mycompany.com
net.internal.mycompany.com

In my mind, this would make sense if we were referencing these devices by hostname only. However when we reference printers, they are referenced by printername.printers. Then when the suffix (internal.mycompany.com) is appended, all is well.

So let me just reiterate that under normal operation this works perfectly well. It was just when we lost internet (and thereby lost external DNS) that we lost the ability to reach these devices unless explicitly specifying the FQDN. To ping printer1.printers would fail, but pinging printer1.printers.internal.mycompany.com worked fine.

Also, oddly, an nslookup of printer1.printers successfully resolves.

I have checked a couple of the print servers and NetBIOS over TCP/IP is enabled.

Thoughts?

#7

Read inline please.

In news:hoTdi.32488$kY6.27290@edtnps82,
Trevor Christie <bbtrev@gmail.com> typed:
> So Kevin, are you saying that in our domain suffix search list we should have:
>
> internal.mycompany.com
> printer.internal.mycompany.com
> net.internal.mycompany.com
>
> In my mind, this would make sense if we were referencing these devices by hostname only. However when we reference printers, they are referenced by printername.printers. Then when the suffix (internal.mycompany.com) is appended, all is well.

You did not state this in your original post, but I don't think this is a good idea because these names can only be resolved by DNS, and will not fail over to NetBIOS resolution. It is also affected by the search order, and can be construed by the DNS client to be a DNS name and could send the name to DNS without appending a suffix.

> So let me just reiterate that under normal operation this works perfectly well. It was just when we lost internet (and thereby lost external DNS) that we lost the ability to reach these devices unless explicitly specifying the FQDN. To ping printer1.printers would fail, but pinging printer1.printers.internal.mycompany.com worked fine.

Are you using your internal AD DNS servers only in TCP/IP properties?

> Also, oddly, an nslookup of printer1.printers successfully resolves.

Nslookup gets its DNS server list and DNS suffix search list from the DNS client, but bypasses the DNS Client cache.

> I have checked a couple of the print servers and NetBIOS over TCP/IP is enabled.

This would be basically useless since you do not access the Printers by a NetBIOS name.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]

#8

Read inline please

"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message news:Oa8csOrsHHA.2124@TK2MSFTNGP02.phx.gbl...
> Read inline please.
>
> In news:hoTdi.32488$kY6.27290@edtnps82,
> Trevor Christie <bbtrev@gmail.com> typed:
>> So Kevin, are you saying that in our domain suffix search list we should have:
>>
>> internal.mycompany.com
>> printer.internal.mycompany.com
>> net.internal.mycompany.com
>>
>> In my mind, this would make sense if we were referencing these devices by hostname only. However when we reference printers, they are referenced by printername.printers. Then when the suffix (internal.mycompany.com) is appended, all is well.
>
> You did not state this in your original post, but I don't think this is a good idea because these names can only be resolved by DNS, and will not fail over to NetBIOS resolution. It is also affected by the search order, and can be construed by the DNS client to be a DNS name and could send the name to DNS without appending a suffix.

NetBIOS is junk and we will never count on it. We have removed all but one WINS server and this is due only to Exchange. The reason behind the separation into subdomains is mostly for organization. We have 1800+ records under internal.mycompany.com and it is of value to us to segregate printers and network devices into separate areas.

When you say "can be construed by the DNS client to be a DNS name and could send the name to DNS without appending a suffix." I would think that if this were an issue, that we would see the symptoms whether the internet was present or not.

>> So let me just reiterate that under normal operation this works perfectly well. It was just when we lost internet (and thereby lost external DNS) that we lost the ability to reach these devices unless explicitly specifying the FQDN. To ping printer1.printers would fail, but pinging printer1.printers.internal.mycompany.com worked fine.
>
> Are you using your internal AD DNS servers only in TCP/IP properties?

Yes, the only DNS servers that are listed in any client (DNS client, ie all servers) are internal DNS servers. External DNS is found through the servers listed on the "Root Hints" tab on the properties of the DNS server.

>> Also, oddly, an nslookup of printer1.printers successfully resolves.
>
> Nslookup gets its DNS server list and DNS suffix search list from the DNS client, but bypasses the DNS Client cache.

I'm certain that client cache had nothing to do with this as this affected all printers, therefore anything in the client cache would have been correct.

>> I have checked a couple of the print servers and NetBIOS over TCP/IP is enabled.
>
> This would be basically useless since you do not access the Printers by a NetBIOS name.
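
Added example, not part of the thread and not any poster's code: a small Python model of the lookup order described in post #7, combined with the root-hints setup mentioned in post #8, that lists which typed names go to DNS in a form no internal zone owns. The function names, the zone list and the rule that a name containing a dot is tried as-is first are assumptions made for illustration.

```python
# Added illustration, not code from the thread. Assumed rule (from post #7):
# a typed name that already contains a dot may be sent to DNS as-is before
# any suffix from the search list is appended.

EXTERNAL = "ROOT HINTS"  # label for "no internal zone owns this name"

# Constructed sample data based on the names used in the thread.
SEARCH = ["internal.mycompany.com"]
ZONES = ["internal.mycompany.com",
         "printers.internal.mycompany.com",
         "net.internal.mycompany.com"]


def candidate_queries(name, search_list):
    """FQDNs tried, in order, for a name as the user typed it."""
    name = name.lower()
    if name.endswith("."):              # trailing dot: already fully qualified
        return [name]
    suffixed = [f"{name}.{s.lower().rstrip('.')}." for s in search_list]
    if "." in name:                     # multi-label: as-is goes first
        return [name + "."] + suffixed
    return suffixed                     # single label: suffixes only


def owning_zone(fqdn, internal_zones):
    """Longest internal zone containing fqdn, or None if there is none."""
    zones = {z.lower().rstrip(".") for z in internal_zones}
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):        # longest candidate zone first
        zone = ".".join(labels[i:])
        if zone in zones:
            return zone
    return None


def audit(name, search_list, internal_zones):
    """(query, owning zone or EXTERNAL) for each candidate, in order."""
    return [(q, owning_zone(q, internal_zones) or EXTERNAL)
            for q in candidate_queries(name, search_list)]


def needs_external_first(name, search_list, internal_zones):
    """True if the first query is for a name no internal zone owns, so the
    server must recurse (root hints) before a suffixed retry happens."""
    rows = audit(name, search_list, internal_zones)
    return bool(rows) and rows[0][1] == EXTERNAL


if __name__ == "__main__":
    for typed in ("printer1", "printer1.printers",
                  "printer1.printers.internal.mycompany.com"):
        print(typed, needs_external_first(typed, SEARCH, ZONES))
        for query, zone in audit(typed, SEARCH, ZONES):
            print("   ", query, "->", zone)
```

Under this model only the short dotted form `printer1.printers` is first queried as a name that leaves the internal zones, which is also the form that would be handed to external servers whenever they are reachable.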