W2K AD-Integrated DNS - "bogus" DC DNS entries auto-delete

[wallst32]

I have two W2K servers separated by a firewall. One machine is a domain controller running AD DNS. The other machine is a member server of the same domain. The DC's IP is 10.0.0.1 and is NAT'd to 10.10.0.1. The member server is 10.10.0.2. The member server is cofigured to use 10.10.0.1 as it's DNS server. For this to work, I need to add an A record entry for the DC at 10.10.0.1 (a "virtual" IP).

Every 30 minutes, the A record for DC at 10.10.0.1 is automatically removed. I assume AD is verifying the entry since it is for a domain controller, and removing it if not valid.

Does anyone know if there is a way to force the A record for DC at 10.10.0.1 to stick?

TIA

 

[mattjurado]

Have you looked the properties of your resource record. If you open your DNS manager, and review the record, there is a checkmark that says "Delete this record when it becomes stale." Uncheck it.

Matt

 

[kweh4]

You are trying to configure two dns server on the same computer. In setup NAT in 2000, if the computer you are using already have dns install and configured on it, you can't configre nat dns. The same hold true for dhcp. I am not sure what you are trying to accomplish with this scheme anyway. I really thought NAT was for us to get multiple pcs on the internet. I am not following your design.

MCP 2000

 

[wallst32]

Matt - Thanks, that seems to have done the trick. I just had to change to Advanced view and there it was.

Kweh4 - It's just one DNS server:

member server ---------Firewall--------DC/DNS
10.10.0.2 10.0.0.1

DC has a NAT'ed IP of 10.10.0.1 to talk to the member server.

 

[wallst32]

Matt - The DNS record is still being removed automatically even when that option is selected. I think it is an AD issue, since this is a domain controller. I have always been able to add standard/non-dc records and they are never removed.

Any other ideas?

TIA

 

[GiaBetiu]

Maybe I don't underatnd what you did there. Why do you need to add the entry manually? If you have dynamic updates in that DNS then of course that the AD will add/update the record. If you have secure update too, then it will also flag that record with an ownership information.

Then, what is with that NAT? Have you this?:
[server]---NAT---[DC] ????


Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new:

http://www.almondeyes.net

(just started)

 

[wallst32]

DC only has one interface, 10.0.0.1.

The 10.10.0.1 address is the NAT'ed address (it doesn't really exist, but to the firewall), so this DNS entry has to be manually created.

I basically want a DNS lookup on DC to resolve to both 10.0.0.1 and 10.10.0.1.

The firewall between the two systems is a cisco pix.

 

[GiaBetiu]

Well,... then something is wrong in your configuration.
As long as I don't see the subnet mask, I suppose thatis the default one. In thatcase, your both servers are part of the same network, separated by a firewall, that more, is making NAT too.
Everything that is behind the NAT is unaccessible if you are not configuring "reserved public addresses".
That's the way your computers from behind the NAT can be accessed. Or, can be via services individually (and that's sure not a solution for you).
Another way to solve this is to build a VPN between the two.

Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new:

http://www.almondeyes.net

(just started)

 

[wallst32]

Gia - Communication between the two systems works fine on all of the ports I have opened.

It's a 24-bit netmask, so the systems are on different subnets.

The problem has nothing to with NAT. I was just explaning my entire scenario. The real problem is W2K AD-Integrated DNS will not allow me to make static A record entries for domain controllers if they point to unknown IP addresses. I can create the record, but it will be removed automatically every 30 minutes. Throw NAT out the window, and I still have this problem. You can make bogus A record entries for non-domain controllers, but something in AD must be checking the validity of records for DCs because of their importance to an AD infrastructure.

 

[GiaBetiu]

i know what you mean. but it has a lot to do with NAT. because of NAT you are trying to have this "bogus A record".

What you did was to allow service by service on your firewall tobe routed to that internal machine. And this is not the way to do it.

Have that IP address bounded to the interface of you DC and will be OK.


Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new:

http://www.almondeyes.net

(just started)

 

[kweh4]

It is rejecting those records because W2K unlike NT 4.0 have a way of authorizing DHCP servers before they can issue IP addresses on a network. The Intergrated DNS server is checking with all AD authorized Dhcp servers on your network to see if they issued such an address to such a host or if this address is a part of a valid scope, and I think you know what the answer is. So, due to the security and intergrated nature of 2000 all host records that apear in the zone database must come from an authorize server. Believe me, there is no way around it. You can go into dns and tell it to accept any method of update rather than secure update only. However, that defeat your purpose of having a firewall or secure network. That means I can walk of the street and plug my laptop into one of your hubs and register my entry in dns. With that amount of access, you don't want to know what I will be able to do next.

MCP 2000

 

[wallst32]

Kweh4 - The thing is, I can make as many bogus A record entires as I please, and they all stick. The only time they don't stick is the case when the hostname resolves to a domain controller.

For example, I have another system behind the firewall, with a NAT'ed address. It is a member server only. If I add an A record for this system to it's virutal NAT'd IP, it remains in the zone file.