DNS issues on Win2Kserver 1

Status
Not open for further replies.

rwoody

Technical User
Jan 5, 2005
6
US
I'm not a network pro, but have built several NT networks in the past. This is a friend's small company and I'm trying to help out. They have Win2Server as their DC with about 10 clients of a mixed bag of OS (ME, 98, 2kpro and XP). They connect to the internet using a satellite connection with Direcway, which is configured directly on the DC (which is of concern, but will address that later). First priority is they have two major issues:

1. The clients cannot send or receive email via the internet. (They use an ISP's POP3 server where they host their domain for email.) I did check to see if I could send email and view SSL sites directly from the server and the answer is yes. No issues whatsoever.

2. When they try to browse any SSL sites, they get an immediate site not found.

All wrkst. have 128bit IE Exp. so that's not the issue. I believe it is a DNS issue. Each of the clients has a static IP as that is the only way the satellite setup will work for them. I've not ever configured for satellite so it's a bit different. Each of the clients has its DNS pointed to the two DNS servers (primary/alternate) of the Satellite com. The default gateway points to the DC (192.168.0.1), which is also functioning as a Proxy answering on port 85.

Each wrkst. can browse the network and the internet without any other issues, however you cannot ping outside with DNS or IP address from any of the workstations (my first clue that it's a DNS issue). I'm a bit stumped here and support with the satellite provider doesn't have a clue in regards to networking; he could only provide me with the DNS info, so no help there. Let me know if I've not provided enough info.

I've d/l netdiag and when I go back there later today, I'm going to run that. Many things are different as you well know, from NT 4.5 to Server 2000 so I'm a bit lost. Reading docs as fast as I can, but not sure I'm absorbing all.

Thanks in advance for any help you can offer.
 
You may have more than one issue. Firstly, if you are using a proxy, is it configured for SSL traffic (Port 443)? If you can browse non-SSL pages then the proxy is working for http traffic but not for https traffic.

Secondly, your workstations should have the DNS address of your domain controller NOT the satellite provider. Subsequently you should configure the W2K DNS server to FORWARD any requests by your clients to the Satellite provider DNS.

Open the DNS Snap-In
Start/Programs/Administrative Tools/DNS

Open the DNS "Tree" (I am assuming your AD Server is also your DNS server since it is a small company)

Right-mouse click on the servername and click the "Forwarding" tab.

Put a checkmark in the "Enable Forwarding"
Add the IP Addresses of the Satellite provider DNS

Close the MMC Console.

You should now be able to ping the Satellite provider DNS from a workstation without having the DNS entry for the ISP in their configuration. Unfortunately, I am not at work now so I do not have a server to double-check the steps. If the "Forwarding" tab is unavailable to you that is because the "." or root designation has not been removed from the DNS server. This means the DNS server sees itself as the root of all DNS name resolution. Once you remove that you can then "Forward" requests that the DNS server cannot resolve.

Hope this helps.
 
I will try this when I go back tomorrow. I had found some other docs that indicated the DNS was in fact incorrect, but you've clarified for me where and how to change it, which is great. Can we revisit the port 443 issue? Yes you are correct, the server is also acting as a proxy. The clients cannot view https sites. How can I correct that issue?

Thanks in advance for all your help

 
I don't know much about Proxy Server but it seems to me it is not configured to forward HTTPS (SSL) traffic. This traffic would go over the same Port 85 you have configured for HTTP (standard web).

If it asks for the "Source Port", the port the traffic usually uses you would enter 443.

In fact, examine the current rule for HTTP. You should see something whose meaning is as follows.

Source (Local LAN) Destination (WWW)
HTTP:85 ==> HTTP:80

Then you would add

Source (Local LAN) Destination (WWW)
HTTPS:85 ==> HTTPS:443





 
Can you be more specific regarding where I will find the rules in W2K? If not I'm sure I'll find it when I get over there tomorrow, but a bit of direction is a time saver. Thanks again for your quick and kind attention.
 
What proxy software are you using (including version)? I need to know that first before I can give you any more specific information
 
I'm using the facilities built into W2kServer IIS
 
This looks like really helpful info. I'll drop a response of how I made out tomorrow. You may have just made my day tomorrow!!! Thanks a ton. I have been away from all of this for so long now, it's really made me stretch my brain...lol, but that's a good thing. Thanks for giving me the tools I needed to help my friends.

 
I am now at the client site, and I've configured the forwarding by removing the "." and configured to their ISP's DNS IPs. I still cannot ping from the workstations. Any other ideas??
 
Are you running a firewall as well?

When you try and ping an external host does it resolve the IP and then give timeouts or does it just return something like 'unknown host'. In our environment we block ICMP (pings) at our firewall so although I can resolve external addresses I can't ping them.
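
The check asked for in the last reply, as an added example that is not part of the original thread: it classifies captured Windows `ping` output to separate a name-resolution failure from a name that resolves but gets no ICMP replies. The sample outputs are constructed (documentation-range addresses), and the function names and result labels are hypothetical.

```python
import re

# Constructed samples of Windows ping output; 192.0.2.10 is a documentation address.
UNKNOWN_HOST = "Unknown host www.example.com.\n"
RESOLVED_TIMEOUT = (
    "Pinging www.example.com [192.0.2.10] with 32 bytes of data:\n"
    "Request timed out.\nRequest timed out.\n"
)
RESOLVED_REPLY = (
    "Pinging www.example.com [192.0.2.10] with 32 bytes of data:\n"
    "Reply from 192.0.2.10: bytes=32 time=640ms TTL=52\n"
)
IP_TIMEOUT = "Pinging 192.0.2.10 with 32 bytes of data:\nRequest timed out.\n"

# "Pinging name [a.b.c.d]" appears only when a hostname was looked up successfully.
RESOLVED = re.compile(r"^Pinging \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)
NO_NAME = re.compile(r"unknown host|could not find host", re.I)
# Require "bytes=" so "Reply from x: Destination host unreachable." is not a success.
REPLY = re.compile(r"^Reply from \d{1,3}(?:\.\d{1,3}){3}: bytes=", re.M)


def classify_ping(output):
    """Return (name_resolved, got_reply) for one ping run.

    name_resolved is None when the target was a literal IP (no lookup happened).
    """
    if NO_NAME.search(output):
        return (False, False)
    resolved = True if RESOLVED.search(output) else None
    return (resolved, bool(REPLY.search(output)))


def triage(by_name, by_ip):
    """Combine a ping by hostname and a ping by literal IP into one finding."""
    name_ok, name_reply = classify_ping(by_name)
    _, ip_reply = classify_ping(by_ip)
    if name_ok is False:
        # A ping to a literal IP involves no DNS, so it isolates the ICMP path.
        return "dns-failure" if ip_reply else "dns-failure-and-no-icmp-path"
    if name_reply or ip_reply:
        return "ok"
    return "dns-ok-icmp-blocked-or-unrouted"


if __name__ == "__main__":
    print(triage(RESOLVED_TIMEOUT, IP_TIMEOUT))
```
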
 