Win 2000 Server, DNS and Wingate PLEASE HELP


Postby darizonah » Aug 07 04 11:53 am

Trying for some help again.

I set up a new Windows 2000 server with Active Directory and DNS.

WinGate is on the same machine as Windows 2000 Server.

First, I don't think I have set up DNS correctly. Our internal domain is the same as our public one. Not sure if this is a problem or not?

There are two NIC cards in the machine. One goes to the DSL modem (ActionTek) and the other goes to the internal LAN.

Windows 2000 Server has been set up to provide DHCP and DNS, and I have disabled these in WinGate. I also disabled DHCP on the ActionTek DSL modem.

All machines on the internal network have their own static IPs.

I can't get out on the internet on either the server or the other client machines on the internal network.

I believe it is a DNS issue, as even the server can't resolve the IP addresses of the DNS servers listed when I look at the ActionTek information.

By the way, this is only a 10-person network and all worked fine when I had NT 4 Server and WinGate on that machine.

I have read the articles on Active Directory here and can't seem to get this to work.

PLEASE, if you have any ideas on how I should configure this, let me know!
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Re: Win 2000 Server, DNS and Wingate PLEASE HELP

Postby kgoodknecht » Aug 07 04 1:31 pm

darizonah wrote:Trying for some help again.

I set up a new Windows 2000 server with Active Directory and DNS.

WinGate is on the same machine as Windows 2000 Server.

First, I don't think I have set up DNS correctly. Our internal domain is the same as our public one. Not sure if this is a problem or not?

There are two NIC cards in the machine. One goes to the DSL modem (ActionTek) and the other goes to the internal LAN.

Windows 2000 Server has been set up to provide DHCP and DNS, and I have disabled these in WinGate. I also disabled DHCP on the ActionTek DSL modem.

All machines on the internal network have their own static IPs.

I can't get out on the internet on either the server or the other client machines on the internal network.

I believe it is a DNS issue, as even the server can't resolve the IP addresses of the DNS servers listed when I look at the ActionTek information.

By the way, this is only a 10-person network and all worked fine when I had NT 4 Server and WinGate on that machine.

I have read the articles on Active Directory here and can't seem to get this to work.

PLEASE, if you have any ideas on how I should configure this, let me know!


Have you deleted the root "." forward lookup zone in DNS?

If not, use the DNS management console, expand the server object, expand Forward Lookup Zones, delete the "." zone, then refresh the console (or close and re-open it). Then right-click on the server object, choose Properties, and on the Forwarders tab enable forwarders and put your ISP's DNS addresses in.
Multi-homed domain controllers require additional configuration so that the correct addresses on the DC are registered in DNS. This is not the forum for that subject, but I will post the instructions below JFYI.

1. In the DNS management console, on the properties of the DNS server, Interfaces tab, set DNS to only listen on the private IP you want registered in DNS for the server.

2. Add this registry entry with regedt32 to stop the (same as parent folder) records.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress

(If the DC is also a Global Catalog, see the note below.)

3. Create a new host in DNS, leave the name field blank, and give it the IP of the internal interface. Win2k barks at you saying (same as parent folder) is not a valid host name; click OK to create the record anyway.

4. Right-click on Network Places, choose Properties, and in the Advanced menu select Advanced Settings. Make sure the internal interface is at the top of the connections pane and File Sharing is enabled on the internal interface.


Note:

If the DC is also a Global Catalog, use this registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress
GcIpAddress

And in addition to the (same as parent folder) record in the domain zone for the domain name, expand _msdcs, open gc, create a new host with the name field blank, and give it the IP of the internal interface. This resolves as gc._msdcs.forestroot.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX
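The registry step in the post above, as an added example (not from the post or from Qbik): a small Python generator for the equivalent .reg fragment, so the REG_MULTI_SZ value can be reviewed in plain text before it is imported with regedit rather than typed into regedt32. It assumes Python 3; the key path and the LdapIpAddress/GcIpAddress mnemonics are the ones Kevin gives.

```python
# Added example (not from the post): writes the regedt32 step above as a .reg
# file that can be reviewed and then imported with regedit. In .reg syntax a
# REG_MULTI_SZ value is "hex(7)": each string as UTF-16LE bytes followed by a
# NUL, then one more NUL to end the list. Key path and mnemonics are Kevin's.

NETLOGON_PARAMS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
                   r"\Services\Netlogon\Parameters")


def encode_multi_sz(values):
    """Encode a list of strings as the hex(7) byte list used in .reg files."""
    raw = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values)
    raw += b"\x00\x00"                      # terminator for the whole list
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def dns_avoid_register_records(global_catalog=False):
    """Build the .reg text; a Global Catalog DC also suppresses GcIpAddress."""
    mnemonics = ["LdapIpAddress"] + (["GcIpAddress"] if global_catalog else [])
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % NETLOGON_PARAMS,
        '"DnsAvoidRegisterRecords"=%s' % encode_multi_sz(mnemonics),
        "",
    ])


def write_reg_file(path, global_catalog=False):
    """Write the fragment; Python's 'utf-16' codec adds the BOM regedit expects."""
    with open(path, "w", encoding="utf-16") as fh:
        fh.write(dns_avoid_register_records(global_catalog))
    return path
```

Netlogon only re-reads this value when it restarts, so the registration change shows up after `net stop netlogon` and `net start netlogon` (or a reboot), as with the manual regedt32 step.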

Postby darizonah » Aug 07 04 1:54 pm

Kevin:

Just to let you know there is "." zone, so no need to delete it.

Just wanted to clarify... Since I am using WinGate... I should still enter the ISP's DNS servers in the forwarding area?

Also, do I need to have the reverse-lookup in DNS items configured?
Thanks
Dave
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Postby kgoodknecht » Aug 07 04 3:17 pm

darizonah wrote:Kevin:

Just to let you know there is "." zone, so no need to delete it.

Just wanted to clarify... Since I am using WinGate... I should still enter the ISP's DNS servers in the forwarding area?

Also, do I need to have the reverse-lookup in DNS items configured?
Thanks
Dave


There is or isn't a "." zone?

Yes, use your ISP's DNS as a forwarder. They are not required, but they offload some of the external DNS resolution load from your DNS server, which must otherwise use recursion to resolve internet names.

Reverse lookup zones are not required for Active Directory functionality. Having one won't hurt, and it will stop nslookup from giving you a "can't find server name for address" message when nslookup starts.
You can use nslookup to test for DNS resolution.

Also, since this is Active Directory, do _not_ use any DNS server, in any position, except the local AD DNS server in TCP/IP properties on any domain member.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Postby darizonah » Aug 07 04 4:32 pm

Sorry, to clarify, there is NOT a "." zone.

And can you tell me the proper way to put in the reverse lookup zone?
Thanks
Dave
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Postby kgoodknecht » Aug 07 04 4:57 pm

darizonah wrote:Sorry, to clarify, there is NOT a "." zone.

And can you tell me the proper way to put in the reverse lookup zone?
Thanks
Dave

Sure, if you tell me your IP range, like 192.168.x.x or 192.168.1.x or whatever.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Postby kgoodknecht » Aug 07 04 8:46 pm

darizonah wrote:Sorry, to clarify, there is NOT a "." zone.

Dave


Sorry I did not mean to ignore this.

First, make sure all adapters on all machines use only the AD DNS server; no ISP's DNS allowed, in any position.

If you run nslookup against the local DNS and it does not resolve external domains, make sure there is at least one adapter with a default gateway to an internet router.

Check the Advanced tab; make sure "Disable recursion" is NOT checked.

Make sure it is able to connect to an external DNS server on TCP AND UDP port 53 (DNS will attempt UDP first, then fail over to TCP).

You can use the command "nslookup domain dnsipaddress" to resolve against an external DNS server, e.g. nslookup example.com 4.2.2.2

Make sure root hints are in place and resolved, or that the external DNS servers are capable of performing recursive lookups. Some ISPs, especially the large ISPs, will disable recursion on the DNS servers they use to host authoritative domain zones. If you are unsure, try 4.2.2.1 and 4.2.2.2.

Post back and let us know how it goes.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX
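The checks in the post above (UDP and TCP port 53 reachability, recursion available on the forwarder, resolution against a named server) as an added example, not code from the post or from Qbik: it sends a raw A query to one chosen DNS server, falls back to TCP when UDP times out or the answer is truncated, and decodes the RA flag and RCODE, which is how you tell a server that refuses recursion from one that is simply unreachable. It assumes Python 3 and no external libraries; the live call `probe("4.2.2.2", "example.com")` uses the server and name the post uses.

```python
import socket
import struct

# Added example (not from the post): the check Kevin describes, done without
# nslookup. It queries one DNS server directly, UDP first with TCP fallback,
# and reports the RA (recursion available) flag and RCODE, which is how you
# tell a forwarder that has recursion disabled from one that simply failed.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a standard A/IN query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(data, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_response(data, qid):
    """Decode the header flags and any A records from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id_ok": rid == qid, "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "ancount": an, "addresses": [],
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}
    pos = 12
    for _ in range(qd):                 # skip the echoed question section
        pos = skip_name(data, pos) + 4
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            info["addresses"].append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return info

def probe(server, name, timeout=3.0):
    """Query `server` for `name`: UDP first, TCP if UDP times out or is truncated."""
    qid = 0x1234
    query = build_query(name, qid)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
        info = parse_response(data, qid)
        if not info["tc"]:
            return dict(info, transport="udp")
    except socket.timeout:
        pass                            # UDP/53 blocked or dropped: try TCP/53
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
        length = struct.unpack("!H", s.recv(2, socket.MSG_WAITALL))[0]
        data = s.recv(length, socket.MSG_WAITALL)
    return dict(parse_response(data, qid), transport="tcp")
```

A result with `"ra": False` or `"rcode": "REFUSED"` from a would-be forwarder is the "recursion disabled" case the post warns about; a result that only arrives with `"transport": "tcp"` means UDP/53 is being dropped somewhere between the DC and that server.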

Postby darizonah » Aug 08 04 12:46 am

Kevin:

The internal IP of the server is 10.194.99.1; the other client machines use anywhere from 10.194.99.2 to 10.194.99.150. We use a subnet mask of 255.255.255.0.

Also, as I had mentioned, the domain I set up is the same as the one which is hosted on the public IP; hope that is not an issue.

Then I assume I follow the WinGate article on WinGate in an Active Directory domain and all should work?

Let me know and thanks so much for your time!
Dave
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Postby darizonah » Aug 08 04 1:15 am

One thing I forgot to mention. I changed the IP address of the box from when I first set it up, from 10.194.99.150 to 10.194.99.1. Is there something that I could have screwed up by doing this?

Thanks
Dave
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Postby kgoodknecht » Aug 08 04 3:46 am

darizonah wrote:One thing I forgot to mention. I changed the IP address of the box from when I first set it up, from 10.194.99.150 to 10.194.99.1. Is there something that I could have screwed up by doing this?

Thanks
Dave


This thread is way off topic for this forum; it really should be in the Microsoft Public Groups, and I apologize.

It is never a good idea to just change the IP address of a Domain Controller. Always add the new IP address and make sure everything is communicating with the new IP address with Netdiag before removing the old IP address.
One of the best tools for testing connectivity is Netdiag. It is available on the server CD in Server Support Tools, or an updated version is downloadable from http://download.microsoft.com. It will run on both server and workstation OSes, though WinXP comes with its own version of Netdiag in Help and Support Tools. I highly recommend using this tool for diagnosing any connectivity problem.

The reverse lookup zone should be named 99.194.10.in-addr.arpa when DNS is in Advanced view, or 10.194.99.x Subnet with Advanced view OFF. When running the new zone wizard you have the choice of creating the reverse lookup zone by Subnet ID or name; the Subnet ID is 10.194.99 and the name is 99.194.10.in-addr.arpa. By default reverse lookup zones have Dynamic updates set to "No". You can change that; I suggest "Only secure updates", which requires the zone to be Active Directory integrated.

As for the domain name, it is an issue because DNS will not forward queries in that domain to the external DNS servers. You must add records to the internal DNS zone for names such as www, mail, ftp, etc. But you will not be able to connect to the external sites by only your domain name without the www, mail, ftp, etc. The record for this is required for DFS shares; the SYSVOL share is a DFS share. That is why internally the domain name MUST resolve to the IP address that has File Sharing enabled on a Domain Controller. You would have been much better served if you had named your AD domain "domain.local" or "lan.domain.com". You cannot rename a Win2k domain; you must demote all domain controllers and repromote to change the name, and you'll lose all domain accounts.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Postby darizonah » Aug 08 04 4:24 am

Kevin - I apologize for this being off topic. I do appreciate you trying to help me. Let me ask a couple more things, please. I really don't want to start over on this by changing the domain name here.

But if it is best maybe I should; can I demote this server, rename it and promote it (I only have this one server)? And will I lose whatever programs I have installed?

I don't understand your comments on the problems I will have if I did not rename?

Secondly, I did add the ISP's DNS addresses in the forward area.

I used nslookup and got the following:

DNS request timed out
Can't find server name for 216.9.200.11 (this is the ISP DNS)

Default Server: localhost
Address 127.0.0.1 (this is in WinGate bindings)

Then I typed our domain name and the address that came back said

Address 192.168.0.2, 10.194.99.1 (which are the IPs of both the external and internal NIC cards)

Any thoughts, or should I get some dynamite and start over?

Thanks
Dave
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Postby kgoodknecht » Aug 08 04 8:53 am

> Kevin - I apologize for this being off topic. I do appreciate you trying to help me.

I don't really have a problem with it; this is the WinGate support group, and I usually watch the Microsoft DNS groups to help people with your exact questions. It is probably more of a bother to the Qbik support personnel. The MS NG web interface is, to say the least, a weak way of posting to the NG, and you may only have web browser access to the NG.

> Let me ask a couple more things, please. I really don't want to start over on this by changing the domain name here.

I understand; you may not have to start over if you are still in mixed mode in your domain. You would need to bring an NT4 BDC into the domain, disconnect it from the rest of the network, but still connected to a hub. Then promote it to a PDC and upgrade it to Win2k, and DCPROMO it to an Active Directory DC using a different domain name. Then demote the current Win2k DC with DCPROMO and repromote it as a replica DC to the DC you just upgraded from NT4 with the changed domain name.

> But if it is best maybe I should; can I demote this server, rename it and promote it (I only have this one server)? And will I lose whatever programs I have installed?

You won't lose programs; you lose domain accounts because they will not be converted back to local accounts. When you use DCPROMO it converts all the local accounts to domain accounts, but not vice versa.

> I don't understand your comments on the problems I will have if I did not rename?

When using your web browser to connect to your public website with http://www.example.com it is not a problem, once you add the www host to your internal AD domain zone. The problem is if you try to use http://example.com: the record that resolves the name this way in Active Directory MUST resolve to the private IP of the interface that has file sharing enabled. This is because when all users and computers log on to the domain they get their group policy settings from the domain DFS share \\example.com\SYSVOL\example.com\policies.
In my earlier response I posted the directions for configuring multi-homed Domain Controllers so that the SYSVOL share is accessible by the domain name. It will always be available by the machine name, BUT when users and computers authenticate, they are "told" to get their GPOs from the SYSVOL share using the domain name, i.e. \\example.com\SYSVOL and not \\machine\SYSVOL.

> Secondly, I did add the ISP's DNS addresses in the forward area.

Good, that is the ONLY place in an AD domain that should reference the ISP's DNS. Never use your ISP's DNS in TCP/IP properties, not even in ANY position.

> I used nslookup and got the following:

> DNS request timed out
> Can't find server name for 216.9.200.11 (this is the ISP DNS)

If you are getting this when you start nslookup, it would appear to me you have your ISP's DNS in TCP/IP properties; refer back to my previous paragraph.
The message from nslookup means nothing except that nslookup can't find a PTR record for your ISP's DNS address.

> Default Server: localhost
> Address 127.0.0.1 (this is in WinGate bindings)

> Then I typed our domain name and the address that came back said

> Address 192.168.0.2, 10.194.99.1 (which are the IPs of both the external and internal NIC cards)

This is as expected and should be the answer your internal DNS server gives for your domain name, although the answer should be only the IP of the internal NIC for the SYSVOL share. Until you make the registry entries and fix the record that has the internal NIC, this configuration is going to give WinGate fits. When a DC starts it creates so much TCP/IP activity that it can actually cause the WinGate NAT service to fail; this I learned the hard way. Go back to the previous post I made, print it, and follow the directions exactly for correcting this behavior.

Now as for the IP addresses you assigned your NICs, they are OK, but WinGate may have a problem deciding which NIC is the external NIC, since they are both private addresses. It should pick the NIC that has a default gateway as the external NIC; just don't give both NICs a gateway. You may have to tell WinGate which is the internal and which is the external NIC.

> Any thoughts, or should I get some dynamite and start over?

Dynamite is kinda extreme; it can be made to work, but anytime you multi-home a DC you are adding extra administration work.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Postby darizonah » Aug 08 04 9:45 am

Kevin - UPDATE Beer is on me!

I went ahead and demoted the server and then re-promoted it to Active Directory. Presto chango, everything works perfectly.

I can't thank you enough! If you are ever in Phoenix, beer is on me.

Thanks again so much for tolerating this and helping me solve the problems.

Dave
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Postby darizonah » Aug 08 04 10:01 am

Kevin - One more question... I forgot this. I am getting a lot of errors in the event viewer system log like this:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5775
Date: 8/7/2004
Time: 2:03:54 PM
User: N/A
Computer: GCSWIN2K
Description:
Deregistration of the DNS record 'GCSCPA.COM. 600 IN A 10.194.99.1' failed with the following error:
DNS operation refused.
Data:
0000: 2d 23 00 00 -#..

Any thoughts what might be causing this?
Thanks
Dave
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Postby kgoodknecht » Aug 08 04 11:39 am

darizonah wrote:Kevin - One more question... I forgot this. I am getting a lot of errors in the event viewer system log like this:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5775
Date: 8/7/2004
Time: 2:03:54 PM
User: N/A
Computer: GCSWIN2K
Description:
Deregistration of the DNS record 'GCSCPA.COM. 600 IN A 10.194.99.1' failed with the following error:
DNS operation refused.
Data:
0000: 2d 23 00 00 -#..

Any thoughts what might be causing this?
Thanks
Dave


I would have to see the ipconfig /all to answer this correctly on the first shot. But I can tell you how this DC must be configured.

I don't know which IP address is the internal NIC. Disable the DNS service in WinGate; this is very important. Then the MS DNS server must be configured on the Interfaces tab to listen only on the IP of the internal NIC. Then use ONLY the address of the internal NIC for DNS on both interfaces; in fact, use this address only for all domain members. Do not use 127.0.0.1 as a DNS server address on the DC; it will cause registration errors. Make sure the Primary DNS suffix and Connection-specific suffix are the same as your AD domain name in AD Users & Computers. Note: the Connection-specific suffix can be published by option 15 in DHCP. The Primary DNS suffix comes from the Computer Name tab in the System control panel (Properties of My Computer).

If you want to email me directly with your ipconfig /all (identify which is internal and which is external), you can send email to admin at WFTX dot US.
I will generally respond within an hour, and give you exact instructions to make your multi-homed domain controller do what it is supposed to do, and even tell you how to publish your proxy settings through Group Policies.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Postby darizonah » Aug 08 04 1:30 pm

Kevin:
How do I make the ipconfig /all command go to a file so I can send it to you? And thanks for the offer to assist!
Thanks
Dave
darizonah
 
Posts: 17
Joined: Aug 06 04 3:14 pm

Postby kgoodknecht » Aug 08 04 2:30 pm

darizonah wrote:Kevin:
How do I make the ipconfig /all command go to a file so I can send it to you? And thanks for the offer to assist!
Thanks
Dave


In the upper left, click on the small black icon, then Edit, then Mark. Use the mouse to highlight all the text, then copy (hit Enter), then paste it into the body of the e-mail.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Postby kgoodknecht » Aug 09 04 12:31 am

darizonah wrote:Kevin:
How do I make the ipconfig /all command go to a file so I can send it to you? And thanks for the offer to assist!
Thanks
Dave


Just to add, you can also run this command:

ipconfig /all >c:\ipconfig.txt
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Multihomed server runs two webservers on different port-how?

Postby saubrey » Jul 30 06 5:53 am

How can WG be configured to allow two web servers, listening on two different IP:ports, to be accessed transparently from the Internet (i.e. without specifying the port)?

For instance, I have a multihomed computer with two IP addresses, 66.66.66.1 and 66.66.66.2. I have two web servers running on the WG computer: one is listening on IP 66.66.66.1:80 and the other is listening on 66.66.66.2:8081.

I want all external browsers not to have to specify the port when accessing 66.66.66.2.

So I think I want to configure WG's ENS to perform port redirection based on the incoming request's destination IP. If the destination IP is 66.66.66.2:80, redirect to port 8081. If the incoming destination IP is 66.66.66.1:80, then no redirection. But I don't see how to do this.

How can I configure WG to allow two web servers?

I have WG 6.04 running on w2k sp4

Thanks,

Steve
saubrey
WinGate Master
 
Posts: 207
Joined: Sep 15 03 12:55 pm

Postby saubrey » Jul 30 06 5:54 am

Sorry. I clicked "post" instead of "new" and posted in the wrong place.
saubrey
WinGate Master
 
Posts: 207
Joined: Sep 15 03 12:55 pm

