Windows 2003 server, DNS forwarding to internet not working

 
 
kiln
02-25-2006, 09:55 PM
I have a windows 2003 std server that currently is a member of a
workgroup AT, as are the xp workstations. I'm trying to get ready to
install AD but first DHCP and DNS. DHCP works fine. LAN pc names are
resolved by the DNS service but the workstations cannot browse to the
internet (server can).

Setup:
Firewall (smoothwall) ip 192.168.0.1 (dhcp service turned off)

Win2003 server std, one nic.
IP 192.168.0.10 /24
default gateway 192.168.0.1 (ie firewall)
pref dns server (my isp's dns server address
this win2003 server can browse the internet fine.
dhcp service scope range 192.168.0.100 192.168.0.200

All xp workstation are set to auto obtain ip and pref dns server.

Switch joins firewall, server, workstations.

Server and workstations can ping each other and the firewall fine.

I've been using whatever.local at the machine name suffix, I think I
need to do that (at the ws and server dialogs for network identity) but
it's a point of confusion.

I've run the DNS wizard many times, it seems straightforward. Does
resolve local pc names so that part is ok. Steps:

Choose to create a forward lookup zone
This server maintains the zone
Zone name set to whatever.local
Accept default for zone file name
Have variously opted to allow or disallow dynamic updates
Forward requests that this server cannot handle to: (my isp's dns server
ip)

I am sure it's something simple that I'm missing, hopefully someone can
spot it?



 
Bill Grant
02-25-2006, 10:14 PM
Install DNS on the server. Create a zone on it for your local network.
Set all the workstations and the server itself to use this server as their
preferred (preferably only) DNS server. Set the DNS server to forward to a
public DNS (such as your ISP).





 
network_out
02-25-2006, 11:04 PM
Thanks Bill. As far as I can tell I've done all of that. The ws report
the server ip as the DNS server. Forwarding for dns that the server
cannot handle is pointed to the isp dns server. I'm not sure if you read
all that I wrote, I know it's kind of long, but something in the details
of what I laid out must be wrong.


 
network_out
02-25-2006, 11:17 PM
Is there any chance that I'm missing a network element, something like a
router? I have a switch connecting the various boxes. I'm reading some
notes that seem to indicate that things might turn out as I see them if
I don't have a NAT/PAT router, I don't. Well I do, a wireless linksys
cable modem router but that's only being used for WAP.


 
Ace Fekay [MVP]
02-26-2006, 12:05 AM
network_out stated, which I commented on below:
> Thanks Bill. As far as I can tell I've done all of that. The ws report
> the server ip as the DNS server. Forwarding for dns that the server
> cannot handle is pointed to the isp dns server. I'm not sure if you
> read all that I wrote, I know it's kind of long, but something in the
> details of what I laid out must be wrong.


Actually I read it and you stated:
> Win2003 server std, one nic.
> IP 192.168.0.10 /24
> default gateway 192.168.0.1 (ie firewall)
> pref dns server (my isp's dns server address
> this win2003 server can browse the internet fine.
> dhcp service scope range 192.168.0.100 192.168.0.200


The thing that I see wrong, which you may have missed, which seems apparent
from your response to Bill, is you stated:
"> pref dns server (my isp's dns server address". That tells me that you are
mixing the DNS addresses in IP properties. What Bill stated is to ONLY use
the internal DNS, that's it. As long as the client is set to use this too,
as you stated, that's cool.

For this:
"> default gateway 192.168.0.1 (ie firewall)"
Is that your Linksys NAT router, or whatever name brand? I am assuming the
NAT/router is connected to your ISP (cable or DSL) and that performs NAT and
the internal interface is plugged into the switch all other machines are
plugged into.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.


Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer


 
network_out
02-26-2006, 12:24 AM
Hi Ace and thanks for responding.

So, for the server nic, do not use the isp dns server address for
preferred dns server? I'll change that (thought Bill meant the ws to be
like that).

The firewall is a smoothwall (as I mentioned but maybe you didn't know
what that was). Smoothwall is an open source project that uses a stripped
down version of FreeBSD running on an old pc with three nics (lan,
internet, and dmz). It has a static ip of 192.168.0.1.

Separately I have a linksys router cable modem but it's actually not
connected...of course it used to be how I connected to the internet.
Maybe I need to use it as a router?


 
network_out
02-26-2006, 12:48 AM
Sorry, the server nic was already set to use its own ip as the pref dns
server. So are the workstations. Still can't browse to the internet from
the workstations.


 
Ace Fekay [MVP]
02-26-2006, 01:46 AM
network_out stated, which I commented on below:
> Sorry, the server nic was already set to use its own ip as the pref
> dns server. So are the workstations. Still can't browse to the
> internet from the workstations.


I've heard of Smoothwall. I've used a FreeBSD firewall as an arp only
(bridge) firewall. No ip addresses on it. It can scan packets for rules
without the threat of an attacker hurting it because it has NO IP addresses
on it.

Can you access the internet from the BSD machine? If not, I may be thinking
traffic's being blocked. Double check your rules.

I am assuming the smoothwall is also your NAT device connected to the
router, DSL modem or cable modem (whatever you have)?

Let's try to simplify it with a basic graphic on what you have. Can you
describe the connections in more detail please, such as:

cable modem -> smoothwall -> internal network.

Internal network has:
- Win2003 Domain Controller
- XP Clients


And yes, ALL machines in an AD environment MUST only use the internal DNS.
This also bades best practices for a non-AD network for your internal DNS to
control resolution. Configure a forwarder for efficient internet resolution.
DNS traffic must be allowed by the firewall inbound/outbound from the DNS
server.

Ace


 
Bill Grant
02-26-2006, 03:32 AM
Have you checked to see whether it is DNS or routing? Can you ping a public
IP from a workstation? What about nslookup from a workstation?




 
network_out
02-26-2006, 05:22 AM
Hi - no I'm not able to ping a public ip addr from a workstation.
nslookup does work. I've only used nslookup a couple of times so I'm not
sure what it implies about my issues.

Thanks


 