Networking Forums

Re: Is this a DNS issue or something else?

 
 
Jonathan de Boyne Pollard
Guest
Posts: n/a

 
      02-18-2010, 04:22 AM
>
>
> Our DNS server appears to be working OK, [...]
>
> All workstations work fine. [...]
>

So it's not a DNS issue.

> If I tracert it gets to the router (192.168.1.1) then we get time
> outs. If I simply change the IP on the machine to one that has never
> been used before, [...]
>

This is a NAT issue, and possibly also an ARP issue on your router.

 
 
 
 
 
bob
Guest
Posts: n/a

 
      02-18-2010, 10:36 AM
Thanks for the replies...
Scavenging is set in DNS, records are updated.

So I'll focus my angst against the router!

Many thanks MW and JdB!

"Jonathan de Boyne Pollard" <J.deBoynePollard-(E-Mail Removed)> wrote
in message
news:(E-Mail Removed) lard.localhost...
> >
>>
>> Our DNS server appears to be working OK, [...]
>>
>> All workstations work fine. [...]
>>

> So it's not a DNS issue.
>
>> If I tracert it gets to the router (192.168.1.1) then we get time outs.
>> If I simply change the IP on the machine to one that has never been used
>> before, [...]
>>

> This is a NAT issue, and possibly also an ARP issue on your router.
>



 
 
Ace Fekay [MVP-DS, MCT]
Guest
Posts: n/a

 
      02-18-2010, 07:50 PM
"bob" <(E-Mail Removed)> wrote in message
news:uOAr%(E-Mail Removed)...
> Thanks for the replies...
> Scavenging is set in DNS, records are updated.
>
> So I'll focus my angst against the router!
>
> Many thanks MW and JdB!
>



Bob,

What type of router/firewall is it?

Are you using ISA?

Can you post an ipconfig /all of a machine that is working and not working
after you change the IP?

When you say you are re-using an IP, are your machines configured statically
or DHCP?

If using DHCP, even if Scavenging is enabled, when a new IP is provided to a
machine, it cannot update the old IP and may cause multiple entries in DNS
so the records will remain. The machine would have to update itself, since
it owns the record. Kerberos authentication is used when a machine performs
this task with a zone set to Secure Only updates. So if you give another
machine an IP as such, it cannot update its own record because the SID is
different, hence why Meinolf said you have to manually delete it. If using
DHCP, you have to configure DHCP with credentials and configure DHCP to
*force* all updates whether a machine can do it or not (DHCP properties, DNS
tab) in order to own the records and update any changes.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.




 
 
Jonathan de Boyne Pollard
Guest
Posts: n/a

 
      02-18-2010, 08:36 PM
>
>
> If using DHCP, even if Scavenging is enabled, when a new IP is
> provided to a machine, it cannot update the old IP and may cause
> multiple entries in DNS so the records will remain.
>

Symptoms of that would be various problems in local operation, though.
Xe did say that local operations over the LAN, including machines being
able to "see" one another (presumably meaning all with the correct IP
addresses), were all working just fine.

Of greater interest, perhaps, is what xe said about the router knowing
the IP addresses, MAC addresses, and domain names of machines that are
supposedly statically configured and not using DHCP.

 
 
Ace Fekay [MVP-DS, MCT]
Guest
Posts: n/a

 
      02-19-2010, 05:57 AM
"Jonathan de Boyne Pollard" <J.deBoynePollard-(E-Mail Removed)> wrote
in message
news:(E-Mail Removed) lard.localhost...
> >
>>
>> If using DHCP, even if Scavenging is enabled, when a new IP is provided
>> to a machine, it cannot update the old IP and may cause multiple entries
>> in DNS so the records will remain.
>>

> Symptoms of that would be various problems in local operation, though. Xe
> did say that local operations over the LAN, including machines being able
> to "see" one another (presumably meaning all with the correct IP
> addresses), were all working just fine.
>
> Of greater interest, perhaps, is what xe said about the router knowing the
> IP addresses, MAC addresses, and domain names of machines that are
> supposedly statically configured and not using DHCP.
>



The latter paragraph worries me, for it may indicate that the router is
being used as a DNS IP address in internal machines' IP properties, however
Bob did state that the DNS address is 192.168.1.220, and the gateway
(assuming firewall), is 192.168.1.1, so I'm not too worried now.

As for tracerts timing out at the router, it indicates to me it's more than
just a router, and possibly a true firewall such as a Cisco ASA, Pix,
Sonicwall, etc. If this is the case, to allow the use of the tracert command
would require additional access rules to be allowed, such as (going on
memory) ICMP echo, source quench, and time-exceeded and possibly
'unreachable' (however, if I remember correctly, I've found "unreachable" is
not really needed), to be added to the firewall rules.

Ace



Ace
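
Added example, not part of the thread: a small Python model of how Windows tracert depends on ICMP forwarding at the gateway. tracert sends ICMP echo requests (type 8) with increasing TTL and relies on time-exceeded (type 11) from intermediate hops and echo reply (type 0) from the destination. The addresses beyond 192.168.1.1 are constructed documentation addresses, and the stateless rule model and the function name `tracert` are assumptions made for illustration.

```python
# ICMP type numbers (RFC 792)
ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11

# Constructed path: the gateway from the thread, then documentation addresses.
PATH = ["192.168.1.1", "198.51.100.1", "203.0.113.9"]


def tracert(path, fw_index, allow_out, allow_in):
    """Model a Windows tracert run through one filtering device.

    path      -- hop addresses in order; the last entry is the destination
    fw_index  -- position in `path` of the filtering router/firewall
    allow_out -- ICMP types the device forwards from LAN to WAN
    allow_in  -- ICMP types the device forwards from WAN to LAN
    Returns one entry per TTL: the address that answered, or "*" (timeout).
    Simplification: stateless filtering; the device answers for itself.
    """
    result = []
    last = len(path) - 1
    for hop in range(len(path)):          # probe with TTL hop+1 expires here
        if hop <= fw_index:
            # The probe is never forwarded by the device, so no rule applies.
            result.append(path[hop])
            continue
        # Beyond the device: the probe must get out and the reply must get in.
        reply = ECHO_REPLY if hop == last else TIME_EXCEEDED
        ok = ECHO_REQUEST in allow_out and reply in allow_in
        result.append(path[hop] if ok else "*")
    return result


if __name__ == "__main__":
    cases = {
        "echo out, reply + time-exceeded in": ({ECHO_REQUEST}, {ECHO_REPLY, TIME_EXCEEDED}),
        "echo out, echo reply in only": ({ECHO_REQUEST}, {ECHO_REPLY}),
        "no ICMP forwarded outbound": (set(), {ECHO_REPLY, TIME_EXCEEDED}),
    }
    for name, (out_rules, in_rules) in cases.items():
        print(f"{name:38} {tracert(PATH, 0, out_rules, in_rules)}")
```

The last case reproduces the symptom reported in the thread: the gateway answers at hop 1 and every later hop times out.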


 
 
Ace Fekay [MVP-DS, MCT]
Guest
Posts: n/a

 
      02-21-2010, 06:21 PM
"Jonathan de Boyne Pollard" <J.deBoynePollard-(E-Mail Removed)> wrote
in message
news:(E-Mail Removed) lard.localhost...
> Of greater interest, perhaps, is what xe said about the router knowing
> the IP addresses, MAC addresses, and domain names of machines that are
> supposedly statically configured and not using DHCP.
>
>
> The latter paragraph worries me, for it may indicate that the router is
> being used as a DNS IP address in internal machines' IP properties,
> however Bob did state that the DNS address is 192.168.1.220, and the
> gateway (assuming firewall), is 192.168.1.1, so I'm not too worried now.
>
>
> It's not the DNS server that's the most interesting. I have several
> hypotheses, one of which is that there's a DHCP server on that router,
> whose tables are fully populated with all of that information but that is
> nonetheless unused because all of the machines are statically, not
> dynamically, configured.
>
> If this is the case, to allow the use of the tracert command would
> require additional access rules to be allowed, [...]
>
> Yes, not routing the outbound ICMP/IP traffic is one possibility. So, too,
> however, is mis-routing the inbound reply traffic, as a consequence of
> several possible things. Depending from what the device is, it could be
> doing one of a number of things.
>
>
>



Good points. I'm starting to have a feeling it is a Verizon router, the type
that comes with FIOS and some SDSL solutions. They are Linux-based. The
reason I have a feeling it's one of them is based on the statement that
"the router knowing the IP addresses ..." because those units compile a
list of internal IPs based on inbound/outbound traffic. When I first had
FIOS installed, Verizon provided one of those router/firewalls. I changed it
to a PIX shortly afterwards. Looking at the router's control panel, it
showed me all my internal machines listed by IP and MAC.

Ace


 
 
 
 