ISA Server problems communicating with Domain Controller DNS Server

Status
Not open for further replies.

rsurovick

MIS
Nov 25, 2003
As of 2 days ago network was working fine.

We have Windows 2000 Small Business Server running Exchange
Windows 2000 Server running ISA Server
I have a 2003 Server file server (no problems)
Another 2000 server running (app for scanner)

All clients cannot connect to the web using the firewall client. I have to manually enter the settings into the browser for it to work properly.

I have been getting an event ID 1000 with error 1722 on the ISA server.

I believe this may be a DNS problem because it is taking a long time for the firewall client to resolve the DNS name or address of the ISA Server.

From the ISA Management console on the client configuration tab I cannot browse to the firewall client.

Another problem is one user is taking a long time to POP their account from the Exchange server. They get their mail but it is very slow.

Any Suggestions will help.

 
This does sound like a DNS problem. Try flushing the DNS Cache and then re-register with DNS.

IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Thanks, Mark. I have changed a configuration on the ISA server to take out the external DNS configuration on the internal LAN adapter. Everything was working fine for 2 days and then again today the ISA client does not work. The Exchange server sends email very slowly. POP clients have trouble receiving email. Not sure where to go next.
 
Verify that the DNS server does not have an entry in its LAN adapter for an external DNS server. It should only have the listings for the external DNS in the Forwarders list in the DNS server properties.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
I know there are external DNS numbers in its LAN settings for the ISP. I will remove these tonight and let you know what corresponds. Thanks very much for your assistance.


Thanks,

RAS
 
Mark,

I have made the changes to the DNS server internal NIC, but with no luck. I have more information to add. This is happening sporadically. The following happens:

Outbound mail slows down.
I cannot use Remote Desktop Connection; it cannot connect to an external address.
The ISA firewall client does not work. (I have manually set all browsers.)
Outside users trying to connect to a POP account find it very slow.
When I browse under ISA Management it cannot find the ISA server to select.

I hope this information is helpful.
 
Event 7063 I got this message.

The DNS server is configured to forward to a non-recursive DNS server at 202.12.27.33.

DNS servers in forwarders list MUST be configured to process recursive queries.
Either
1) fix the forwarder (202.12.27.33) to allow recursion
- connect to it with DNS Manager
- bring up server properties
- open "Advanced" tab
- uncheck "Disable Recursion"
- click OK
OR
2) remove this forwarder from this servers forwarders list
- DNS Manager
- bring up server properties
- open "Forwarders" tab
- remove (202.12.27.33) from list of forwarders
- click OK
 
Have you verified with your ISP that the DNS servers you are using are OK?

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
I changed my DNS numbers to my DSL provider's. We switched DSL providers and I never changed the DNS on the primary DNS server. Now I have a delay in local delivery as well, like 15 min.
 
Flush your DNS cache.

IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS
NET STOP NETLOGON
NET START NETLOGON


Wait up to 15 minutes and check the event logs for errors.

I think that should help.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Mark,

It appears that the DNS problem has been corrected. My network seems to work for a period of time and then it goes down again. What about a bad switch? Could it possibly be causing these problems? Any help would be appreciated.
 
Mark,

You may want to ignore my previous message.

Here is what I did. I turned off Exclaimer and GFI, both email monitoring software. Now local delivery is fine.

The problems that still occur are:

Outbound messages take a long time to send.
Firewall client does not work.
Remote desktop connection does not allow me to connect to external sites.

I think my issue is with the ISA server which is located on a different box running 2000.

 
In my personal experience, switch ports usually are good or bad. Cables tend to be intermittent. I'd start there.

I'd still suggest you do the steps above to flush the DNS cache.

Do you have any kind of a firewall installed? I've discovered in the past that some older devices like Cisco Pix can't handle extended DNS queries and there is a registry hack that fixes that.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Mark,

Switch does not seem to be the problem.

My problem, I think, lies in DNS forward lookup zones and reverse lookup zones. Does my external IP address of ISA Server need to be in those zones?

 
No, you need to have the Forwarder addresses configured in DNS.

Remote Desktop uses port 3390. You may need to open that port up in ISA for your incoming and outgoing traffic.

For your Outbound traffic problem, take a look at the message queues and see if you have anything stuck or really big being sent and awaiting delivery.

Not sure why the firewall client isn't working; you will need to post more info such as any error messages you are getting.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Mark, I am getting the following warning. Event 5504.

The DNS number below is one for my ISP. Any ideas?


The DNS server encountered an invalid domain name in a packet from 4.2.2.1. The packet is rejected.


Thanks for all of your suggestions. My cache pollution is checked, as suggested in the Microsoft article.
 
I might be wrong but I think the message you are referring to is for incoming packets and would indicate some form of a spoof attack.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 