Client workstations point to ISP's dns servers

Similar Messages

• Airport not distributing DNS servers over network

  Hi everyone,
  I connect to the Internet over ADSL (ISP: Arnet Highway, Buenos Aires, Argentina) using PPPoE from my MacBook Pro.
  I have my ADSL modem connected to the Airport Extreme (802.11n) and distributing IP over DHCP just fine. Every device that joins the network obtains a valid IP.
  However, DNS servers aren't distributed by the router over the network. Every connected device has to be manually configured to set the DNS servers of my ISP to be able to resolve hosts, instead of 'asking' these addresses to the router, as it should be.
  Initially I thought there might be a problem obtainig the DNS servers from the ISP. So in the Airport Utility, in Internet / PPPoE settings, I've manually set my ISP's DNS servers, which should be distributed over the network to all connected devices.
  This doesn't happen, and every somebody new joins my wireless network I have to manually change the DNS servers for that connection which, as I'm sure you'll agree with me, can be quite annoying. Not to mention what would happen if my ISP decides to use dynamic DNS addresses.
  Thanks for any help you might provide.
  Cheers.

  Hello belbo,
  I connect to the Internet over ADSL using PPPoE from my MacBook Pro.
  Is your Macbook Pro Network configured to use PPPoE or DHCP?
  I have my ADSL modem connected to the Airport Extreme (802.11n) and distributing IP over DHCP just fine. Every device that joins the network obtains a valid IP.
  Is NAT enabled on the AE? Are the valid IP Address obtained from your ISP or from the AE?
  However, DNS servers aren't distributed by the router over the network. Every connected device has to be manually configured to set the DNS servers of my ISP to be able to resolve hosts, instead of 'asking' these addresses to the router, as it should be.
  When you setup the AE to use PPPoE did you enter a Domain Name or a DHCP Client ID?
  Initially I thought there might be a problem obtainig the DNS servers from the ISP. So in the Airport Utility, in Internet / PPPoE settings, I've manually set my ISP's DNS servers, which should be distributed over the network to all connected devices.
  The DNS servers listed in the AE aren't distributed to each Network Device but are only used to translate names into IP addresses when need by a Network Device.
  This doesn't happen, and every somebody new joins my wireless network I have to manually change the DNS servers for that connection which, as I'm sure you'll agree with me, can be quite annoying. Not to mention what would happen if my ISP decides to use dynamic DNS addresses.
  If your AE is distributing IP Address using DHCP and NAT then this should not be a problem but I'm not sure without more information about the questions I asked.
  Later.
  Buzz

• How can I override the DNS Servers and Domain Name used by my Airport Time Capsule?

  The defaults picked up from my ISP's DHCP are to use the ISP's DNS servers and ISP's domain. I do not want this.
  With my prior router I set the DNS servers to Google's Public DNS (8.8.8.8 and 8.8.4.4) and my domain to either "bannister.us" (which I own) or "bannister.home". I do not want simple names resolving to some ISP default. (Yes, I know exactly what this does.)
  In the Apple AIrport Utility (version 6.3.2) the fields for DNS and Domain do not allow editing. (Why??)
  Is there some way to override this?

  Unfortunately not one that will work with the latest version TC.
  The way around it is to use a different router.. It can be a very simple router.. I usually recommend units like the TP-Link WDR3600 as they take good third party firmware like gargoyle, openwrt, dd-wrt.. ie they have real controls and beyond that a proper Linux firmware with command line interface.
  You can then change the TC over to static IP. It will not be the router.. but it will effectively become the local dhcp server.
  I have adsl so I cannot reproduce your system.. I have a bridged modem.. a router.. AC66U.. and a TC.. but the TC is not in bridge.. it is in static IP mode.
  Let me demonstrate.
  By setting a range on the main router from 1-199 (leave a space.. ) so set the TC to 192.168.2.201 and then you can set DNS and domain as you like. Set the dhcp range (leave a space) you could use 203-253.. then I use the main router as 254.
  It is brilliant.. all computers behind the TC receive the IP from the TC with whatever IP and dns (and domain although I haven't changed it).. Effectively the TC works as its own dhcp device.. but is merely a secondary dhcp server to the main unit.
  (This gives me netflix which is why I do it.. from well outside the US).
  It may be of use.
  Why leave a space.. well it helps it to work.. I have not tested it but another person reported issues and found leaving a space .. ie last ip in the router.. 199, static ip 201.. first dhcp 203 (i used 205 to help me keep count!!). worked.. I have not tried to reproduce the problem.. so I reproduce the solution.. it might be like sheep jumping over the fence.. even if the fence was removed the sheep keep jumping over at the same place. Just say bahhh and do likewise.

• Domain Controllers that are DNS servers DNS Client settings

  [Copying verbatim from a mail by Joe ]
  So I have been pinged by a few folks recently on configuration of client DNS settings on Domain Controllers that are also functioning as DNS Servers. Lots of debate. I understand there has been long time debate within MSFT as well.
  From http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx there
  is the quote
  "3.When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address."
  From http://www.microsoft.com/en-us/download/confirmation.aspx?id=9166 (Windows
  Server 2008 R2 Core Network Guide)
  "9.        In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the
  local computer.
  10.       In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of
  the local computer."
  From http://technet.microsoft.com/en-us/library/dd378900(v=ws.10).aspx (DNS:
  DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers)
  "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to
  itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should
  be configured only as a secondary or tertiary DNS server on a domain controller...
  Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
  ESPECIALLY "For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary
  DNS server on a domain controller." and "Add the loopback IP address to the list of DNS servers on all active interfaces. The loopback IP address should not be the first server in the list."
  Why shouldn't loopback not be first, the justification is why you shouldn't only use loopback, not why it shouldn't be first.
  From http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx (DNS:
  DNS servers on <adapter name> should include the loopback address, but not as the first entry)
  "If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners. 
  The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself,
  or points to itself first for name resolution, this can cause a delay during startup. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only
  as a secondary or tertiary DNS server on a domain controller."
  This also seems like justification against only using loopback versus using it first.
  Are there any actual real documented issues for using loopback first and a remote DNS server second and perhaps third? If the local DNS server service isn't working yet (or at all), I would expect the DNS Client process
  to try to connect to it, fail, and then failover to the secondary just like I would expect it to failover if the remote DNS server was secondary and it was unavailable and it failed back to the loopback. Am I making a bad assumption?
  And by documented I don't mean random responses to questions on the internet or other such items. I mean a KB article or technet article or properly researched and tested other web article from a reliable resource.
  thanks, 
  joe

  As I understand it, the scenario whereby a DC could become an 'island' if it points only to itself, or to itself first, was repaired in the Windows Server 2003 product cycle. See
  http://support.microsoft.com/kb/275278 for information about this scenario.
  However, there is still a known problem of slow boot times that can occur. See
  http://support.microsoft.com/kb/2001093 for information about this. The scenario that is discussed assumes there is a power failure and servers shut down due to overheating while on backup power. When
  multiple servers come online simultaneously after power is restored, there can be a significant delay.
  The recommended configuration is one that avoids a single point of failure, but also tries to optimize the speed of resource record registration, so that Active Directory can properly synchronize.
  -Greg

• Lync 2013 android client fails to login bug when ISP overrides DNS

  Hello all,
  I've noticed an issue occurring in the latest Android client (as of 3/9/2015) with internet networks where the provider resolves all DNS queries to an IP address (e.g. T-Mobile, Cox Cable, and lots of others).
  Essentially, sometimes I have noticed my android client stuck on "Signing in".  The diagnostic logs show that the client is attempting to resolve http://lyncdiscover.contoso.com (which is not resolvable
  externally), but T-Mobile is sending it into a search engine.  The app continues to try to connect despite not realizing that it really did not resolve properly.  See below logs.
  <html><head><meta http-equiv="refresh" content="0;url=http://lookup.t-mobile.com/index.php?origURL=http://lyncdiscoverinternal.contoso.com/"/></head><body><script type="text/javascript">window.location="http://lookup.t-mobile.com/index.php?origURL="+escape(window.location)+"&r="+escape(document.referrer);</script></body></html>
  </ReceivedResponse>
  Mar 9, 2015 8:26:50 AM ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/common/private/TransportUtilityFunctions.cpp/1874:Accept-types (application/vnd.microsoft.rtc.autodiscover+xml;v=1) not found in Content-Type response from server (text/html). Not decoding.
  Mar 9, 2015 8:26:50 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/266:Sending event to main thread for request(0x9a306048)
  Mar 9, 2015 8:26:50 AM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/private/CTransportRequestRetrialQueue.cpp/822:Req. completed, Stopping timer.
  Mar 9, 2015 8:26:50 AM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/private/CUrlRedirectAndTrustResolver.cpp/610:UrlRedirectAndTrustResolver complete with url = http://lyncdiscoverinternal.contoso.com/, Hops = 1, status = E_ResponseUnknown (E2-1-5)
  Mar 9, 2015 8:26:50 AM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/private/CTransportRequestRetrialQueue.cpp/725:Response received for req. UrlTrustResolver(0x9a306048): E_ResponseUnknown (E2-1-5) (RemoteNetworkPermanentError); Done with req.; Stopping resend timer
  Mar 9, 2015 8:26:50 AM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/private/CUcwaAutoDiscoveryGetUserUrlOperation.cpp/393:CUcwaAutoDiscoverGetUserUrlOperation::onEvent received. Status = E_ResponseUnknown (E2-1-5), url = http://lyncdiscoverinternal.contoso.com/
  Mar 9, 2015 8:26:50 AM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/private/CUcwaAutoDiscoveryGetUserUrlOperation.cpp/224:UcwaAutoDiscoveryGetUserUrlOperation completed with url = http://lyncdiscoverinternal.contoso.com/?sipuri=sip:[email protected], userUrl = , status = E_ResponseUnknown (E2-1-5)
  Mar 9, 2015 8:26:50 AM DEBUG SigningInActivity: onStop()
  Mar 9, 2015 8:26:50 AM DEBUG SigninActivity: onStop()
  Mar 9, 2015 8:27:20 AM DEBUG HubActivity: onPause()
  Mar 9, 2015 8:27:20 AM DEBUG MyStatusFragment: onPause()
  Mar 9, 2015 8:27:20 AM DEBUG ContactsFragment: onPause()
  Mar 9, 2015 8:27:20 AM DEBUG HubActivity: onStop()
  Mar 9, 2015 8:27:20 AM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/objectmodel/private/CApplication.cpp/944:CApplication::serialize() called
  Mar 9, 2015 8:27:20 AM VERBOSE LYNC: VERBOSE APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/privateandroid/CCredentialStore.cpp/90:storing credentials for service:0
  Mar 9, 2015 8:27:20 AM VERBOSE LYNC: VERBOSE APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/privateandroid/CCredentialStore.cpp/90:storing credentials for service:1
  Mar 9, 2015 8:27:20 AM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/objectmodel/private/CBasePersistableEntity.cpp/179:Storing 1 out-of-sync Object Models took 32ms
  Mar 9, 2015 8:27:20 AM INFO LYNC: INFO UTILITIES /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/platform/persistentstorage/private/CBasePersistableComponent.cpp/245:Storing 3 out-of-sync components took 1ms
  Mar 9, 2015 8:27:20 AM INFO PreferencesManager: commit is called on
  Mar 9, 2015 8:27:20 AM DEBUG MyStatusFragment: onStop()
  Mar 9, 2015 8:27:20 AM DEBUG ContactsFragment: onStop()
  Mar 9, 2015 8:27:27 AM ERROR HttpConnection: org.apache.http.conn.HttpHostConnectException: Connection to https://lyncdiscoverinternal.contoso.com refused
  at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:183)
  at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
  at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
  at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
  at com.microsoft.office.lync.platform.http.HttpEngine.execute(HttpEngine.java:502)
  at com.microsoft.office.lync.platform.http.HttpConnection$1.run(HttpConnection.java:219)
  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:422)
  at java.util.concurrent.FutureTask.run(FutureTask.java:237)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
  at java.lang.Thread.run(Thread.java:818)
  Caused by: java.net.ConnectException: failed to connect to /198.105.244.104 (port 443) after 180000ms: isConnected failed: ECONNREFUSED (Connection refused)
  at libcore.io.IoBridge.isConnected(IoBridge.java:238)
  at libcore.io.IoBridge.connectErrno(IoBridge.java:171)
  at libcore.io.IoBridge.connect(IoBridge.java:122)
  at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:183)
  at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:456)
  at java.net.Socket.connect(Socket.java:882)
  at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:119)
  at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:144)
  ... 12 more
  Caused by: android.system.ErrnoException: isConnected failed: ECONNREFUSED (Connection refused)
  at libcore.io.IoBridge.isConnected(IoBridge.java:223)
  ... 19 more
  Since DNS overrides by ISPs are a common occurance, I believe the app should properly handle this situation.  I installed an app to override my DNS and use Google's DNS servers, and the client connects fine.

  Hi,
  Did you login Lync 2013 mobile client internal or external the company?
  Did the issue also happen for IOS/Windows Phones or just happen for Android Phones?
  Please try to check if the issue only happen for your mobile Lync client or also happen for other Android mobile clients.
  If the issue only happen for your Android mobile, please try to uninstall Lync client and install the latest version from Android Market and test the issue again.
  If the issue happen for multiple mobile clients, please double check the Reverse Proxy settings, if you use IIS ARR for Reverse Proxy, you can troubleshooting with the help of the link below:
  http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
  Best Regards,
  Eason Huang
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].
  Eason Huang
  TechNet Community Support
  Ok, I figured out that I had a partial misconfiguration, but the existing client behavior still leads to long delays on a variety of networks.  I had the reverse proxy forwarding into port 80 instead of 8080, which seemingly caused problems
  during the second autodiscovery phase after the first timed out.   I have since confirmed that it's not just T-Mobile, but any such provider (e.g. Cox Cable, see below) that resolves all DNS entries.
  Essentially, the following is happening:
  1) Client attempts to resolve lyncdiscoverinternal first.
  2) DNS record resolves to ISP's website, because they resolve everything and will return their own page if the entry really doesn't exist.
  3) Lync client continues to try to connect to the ISP's address, and sits for at least a minute until it eventually falls to the lyncdiscover record.
  From the below log entries, you can see that the login process is delayed a full minute due to the client being stuck on the lyncdiscoverinternal record!  Again, this does not occur on ISPs that do not catch all DNS resolution
  attempts, regardless of validity.
  Mar 9, 2015 8:10:04 PM INFO HttpConnection: originalurl is
  https://lyncdiscoverinternal.contoso.com/?sipuri=sip:[email protected] method Get
  Mar 9, 2015 8:10:04 PM INFO HttpConnection: decodedurl is
  https://lyncdiscoverinternal.contoso.com/?sipuri=sip:[email protected]
  Mar 9, 2015 8:10:04 PM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/common/private/TransportUtilityFunctions.cpp/689:<SentRequest>
  GET
  https://lyncdiscoverinternal.contoso.com/?sipuri=sip:[email protected] 9, 2015 8:10:05 PM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/private/CUcwaAutoDiscoveryGetUserUrlOperation.cpp/224:UcwaAutoDiscoveryGetUserUrlOperation
  completed with url =
  http://lyncdiscoverinternal.contoso.com/?sipuri=sip:[email protected], userUrl = , status = E_ResponseUnknown (E2-1-5)
  GET http://lyncdiscoverinternal.contoso.com/
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "<html><head><meta">http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><meta
  http-equiv="refresh" content="0;url=http://finder.cox.net/main?InterceptSource=0&ClientLocation=us&ParticipantID=96e687opkbv4scrood8k84drs6gw5duf&FailureMode=1&SearchQuery=&FailedURI=http%3A%2F%2Flyncdiscoverinternal.contoso.com%2F&AddInType=4&Version=2.1.8-1.90base&Referer=&Implementation=0&method=GET"/><script
  type="text/javascript">url="http://finder.cox.net/main?InterceptSource=0&ClientLocation=us&ParticipantID=96e687opkbv4scrood8k84drs6gw5duf&FailureMode=1&SearchQuery=&FailedURI=http%3A%2F%2Flyncdiscoverinternal.contoso.com%2F&AddInType=4&Version=2.1.8-1.90base&Referer=&Implementation=0&method=GET";if(top.location!=location){var
  w=window,d=document,e=d.documentElement,b=d.body,x=w.innerWidth||e.clientWidth||b.clientWidth,y=w.innerHeight||e.clientHeight||b.clientHeight;url+="&w="+x+"&h="+y;}window.location.replace(url);</script></head><body></body></html>
  </ReceivedResponse>
  Mar 9, 2015 8:10:21 PM INFO LYNC: INFO APPLICATION /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/applicationlayer/infrastructure/private/CUcwaDataSynchronizer.cpp/799:Mode 0
  timed out
  Mar 9, 2015 8:11:08 PM ERROR HttpConnection: org.apache.http.conn.HttpHostConnectException:
  Connection to https://lyncdiscoverinternal.contoso.com refused
   at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:183)
  Mar 9, 2015 8:11:08 PM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/common/private/TransportUtilityFunctions.cpp/1032:<ReceivedResponse>
  GET http://lyncdiscover.contoso.com/

• Assigning 2 DNS servers to VPN clients

  It seems like I can only assign 2 DNS servers to VPN clients using the "dns-server" command in config-group-policy? How do I go about assigning more than 2?
  what exactly does dns server-group do? Can I use that command to assign dns servers to vpn clients since I can add more than 2 dns servers?

  ciscoasa# sh run
  : Saved
  ASA Version 8.0(4)
  hostname ciscoasa
  enable password c.LHJMlCqC0Qvrsf encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  speed 100
  duplex full
  nameif outside
  security-level 0
  ip address extip 255.255.255.240
  interface Ethernet0/1
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 172.17.193.100 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  boot config disk0:/exit
  ftp mode passive
  clock timezone mst -7
  clock summer-time mdt recurring
  dns domain-lookup inside
  dns server-group TA-UAT
  name-server 44.44.44.102
  domain-name ta.corp.adds
  access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
  access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list inbound_on_outside extended permit icmp any any
  access-list inbound_on_outside extended permit tcp any host extip eq 5555
  access-list inbound_on_outside extended permit tcp any host extip eq www
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpnuserspool 192.168.20.101-192.168.20.254 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-613.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 44.44.44.0 255.255.255.0
  nat (inside) 1 172.17.193.0 255.255.255.0
  static (inside,outside) tcp extip 5555 172.17.193.96 5555 netmask 255.255.255.255
  static (inside,outside) tcp extip www 172.17.193.1 www netmask 255.255.255.255
  access-group inbound_on_outside in interface outside
  route outside 0.0.0.0 0.0.0.0 extip 1
  route inside 44.44.44.0 255.255.255.0 172.17.193.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.20.0 255.255.255.0 inside
  http 172.17.193.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set firstset esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dyn1 1 set transform-set firstset
  crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
  crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
  crypto dynamic-map dyn1 1 set reverse-route
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 43200
  crypto isakmp nat-traversal 3600

• Update Policy for multiple networks with specific DNS servers

  I have a mid size network with 5 locations all with different IP addresses. All sites host their own DNS servers and connect directly through an ISP dedicated VLAN.
  Main Site
  10.1.1.1
  255.0.0.0
  Remote Site 1
  192.168.100.1
  255.255.255.0
  Remote Site 2
  192.168.101.1
  255.255.255.0
  Remote Site 3
  192.168.102.1
  255.255.255.0
  Remote Site 4
  192.168.103.1
  255.255.255.0
  All sites can be managed through the main site, but have their own DNS servers on location.
  My purpose is to point all computers and devices to a new DNS server from their previous static assignment. (XP and later versions)
  My question is can I use GP or DHCP* to push DNS server information to each device making them site specific without having to travel to those locations?
  Requirements:
  All devices on 10.1.1.1 will be changing from 10.1.1.2 to 10.1.1.4 (decom of old 2k3 server)
  DNS servers at each 192 location will need to point secondary server to 10.1.1.4
  Devices at main will need to use 10.1.1.4 as primary and 10.1.1.3 as secondary.
  Devices at each site will need to keep their respective DNS server.
  *If I use DHCP to change the information on a per scope level, can I use GP to force computers with locally set static assignments to update to DHCP static assignments
  Bonus: If anyone can give me an estimate on how much network traffic/bandwidth this would create that would be great because I would consider staggering the assignments as I am a 24 hour business.

  Hi,
  You may configure a Scheduled Task Item in Group Policy.
  To create a new Scheduled Task preference item, please follow the steps below,
  Open the Group Policy Management Console . Right-click the Group Policy object (GPO) that should contain the new preference item, and then click
  Edit .
  In the console tree under Computer Configuration or
  User Configuration , expand the Preferences folder, and then expand the
  Control Panel Settings folder.
  Right-click the Scheduled Tasks node, point to
  New , and select Scheduled Task .
  In the New Scheduled Task Properties dialog box, select an
  Action for Group Policy to perform. (For more information, see "Actions" in this topic.)
  On the Task tab, enter task settings for Group Policy to configure or remove. (For more information, see "Task settings" in this topic.)
  If creating, updating, or replacing a task:
  Click the Schedule tab, and configure one or more schedules for the task. (For more information, see "Schedule settings" in this topic.)
  Click the Settings tab, and enter any additional task settings for Group Policy to configure. (For more information, see "Other scheduled task settings" in this topic.)
  Click the Common tab, configure any options, and then type your comments in the
  Description box. (For more information, see
  Configure Common Options.)
  Click OK . The new preference item appears in the details pane.
  In the task, you may use netsh to set the DNS address.
  netsh interface ip set dns name="Local Area Connection" static yourdnssetting
  Here is an article about netsh command,
  http://technet.microsoft.com/en-us/library/cc738592(v=WS.10).aspx#BKMK_5
  Hope this helps.
  Steven Lee
  TechNet Community Support

• DirectAccess 2012 has wrong DNS servers listed

  Hello,
  I'm setting up DirectAccess on Server 2012 and having issues with the wrong DNS servers continually added to the configuration. My setup is as follows, 2 Server 2008 R2 DCs running DNS, both have a static IPv4 and IPv6 addresses.  The DirectAccess
  server has a single NIC behind a NAT device and also has static IPv4 and IPv6 addresses.  My problem is that I keep getting a DNS: Not working properly error on the dashboard.  It says:
  Error:
  Enterprise DNS servers (fd7e:ed10:5cb6:7777::ac10:a22, fd7e:ed10:5cb6:7777::ac10:a21) used by DirectAccess clients for name resolution are not responding.  This might affect DirectAccess client connectivity to corporate resources.
  The thing is these are not nor ever have been the IP addresses of my DC/DNS servers.  I've removed them by using the configuration editor but with each restart of the server they reappear.  I examined the DirectAccess Server
  Settings GPO and they are listed in the Extra Registry Settings section buy I am unable to edit that portion.  I've read other threads on this forum that state I need to add the IPv6 address of the DA server as the DNS server but I still get DNS errors
  when I do that and after a restart the same two DNS servers show up again.
  Anyone have any ideas?  Your assistance is greatly appreciated.

  Hi,
  Thanks for you reply and sorry for relying so late.
  Did you point the DNS server address to the IP address of the internal NIC? Maybe you can refer to the similar thread below:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/df08fa06-d3fc-4ca9-b4a2-85824a10819a/direct-access-server-dns-error?forum=winserver8setup
  Best regards,
  Susie

• Testing an ISA Server Rule, the recursive query to other DNS Servers test fails

  Hello,
  I am trying to configure the following infrastructure with ISA Server 2006 and two W2003 servers (called "Server1" and "Server2") . "Server1" is a domain controller, and in
  "Server2" is the ISA Server installed, which also has
  attached two network Ethernet cards, one called "Internal Ethernet Card", and the other one called
  "External Ethernet Card".
  The infrastructure would be:  "Internal Ethernet Card"---- ISA Server ----"External Ethernet Card"---"Router"----"Internet"
  "Internal Ethernet Card" manages the internal package traffic of the infrastructure, the network segment which belongs is isolated from what we could called the Outbound traffic, which is linked to a router. "Internal Ethernet Card" it`s
  a virtual network.
  "Internal Ethernet Card" feature configuration is the following:
  - IP address: 192.168.3.3
  - Subnet Mask: 255.255.255.0
  - DHCP Enabled: No
  - DNS Server: 192.168.3.1 (Must point to the DC "Server1" which has the DNS Service installed)
  - Default Gateway:  None  (because doesnt point to outside)
  - Primary WINS Server: 192.168.3.1  
  The "External Ethernet Card" provides, the outbound connection, and this card is connected to the physical router.
  It`s feature configuration is the following:
  - IP address: 192.168.1.50
  - Subnet Mask: 255.255.255.0
  - DHCP Enabled: No
  - Default Gateway: 192.168.1.1
  - DNS Servers: 192.168.3.1 (Must point to the DC "Server1" which has the DNS Service installed)
  After configuring the network cards, I create the following rule in the ISA Server to allow the traffic towards outside from the server and the clients which have joined to the domain:
  Action: Allow.  Protocol: DNS.  From:"Server2".  To : External.  Condition: All Users
  After applying the changes to update the configuration, I enter in the Dns Server of "Server1" and in the "Monitoring" tab, I run a "recursive query to other DNS Servers" but fails.
  Only works the "simple query against this DNS Server".
  I don`t know why fails, but I`m stucked on this issue, because in the "Server1" DNS Server, in the "domain forward IP address list", I have added two DNS addresses which work OK.
  I would appreciate some help to solve this issue.
  Thanks
  Regards 

  Hello Ms. Long, 
  Yes, you are right. In the Server1 is configured the DNS server, to use forwarders whose are set in the field "Selected domain`s forwarder IP address list", two DNS address numbers obtained from "Open DNS", which work well.
  There is no DNS Server linked to the External NIC.
  The Server1 belongs to a private network configured as "VMnet3", which it is set as follows:
  IP address: 192.168.3.1
  Subnet Mask: 255.255.255.0
  Default Gateway: 192.168.3.3
  DNS Server: 192.168.3.1
  I have tried to test your suggested idea:
  > set d2
  > google.com
  Server:  srv-dcfs-01.dominio.local
  Address:  192.168.3.1
  SendRequest(), len 42
      HEADER:
          opcode = QUERY, id = 2, rcode = NOERROR
          header flags:  query, want recursion
          questions = 1,  answers = 0,  authority records = 0,  additional = 0
      QUESTIONS:
          google.com.dominio.local, type = A, class = IN
  Got answer (113 bytes):
      HEADER:
          opcode = QUERY, id = 2, rcode = NXDOMAIN
          header flags:  response, auth. answer, want recursion, recursion avail.
          questions = 1,  answers = 0,  authority records = 1,  additional = 0
      QUESTIONS:
          google.com.dominio.local, type = A, class = IN
      AUTHORITY RECORDS:
      ->  dominio.local
          type = SOA, class = IN, dlen = 46
          ttl = 3600 (1 hour)
          primary name server = srv-dcfs-01.dominio.local
          responsible mail addr = hostmaster
          serial  = 41
          refresh = 900 (15 mins)
          retry   = 600 (10 mins)
          expire  = 86400 (1 day)
          default TTL = 3600 (1 hour)
  SendRequest(), len 28
      HEADER:
          opcode = QUERY, id = 3, rcode = NOERROR
          header flags:  query, want recursion
          questions = 1,  answers = 0,  authority records = 0,  additional = 0
      QUESTIONS:
          google.com, type = A, class = IN
  DNS request timed out.
      timeout was 2 seconds.
  timeout (2 secs)
  SendRequest failed
  *** Request to srv-dcfs-01.dominio.local timed-out
  As you can see highlighted in bold, the problem remains in the "recursive query to other DNS Servers" check.
  Maybe is better to put the issue on the "Windows Server General Forum" , because the issue has not nothing in common with the ISA Server, dont you?
  Thanks
  Best regards

• SAP 8.8 Crystal Report Layout problem in client workstation

  Hi Experts,
  We have import crystal report to SAP Business One as Form Layout or AP Invoice. We have already created the token DocKey@ so it would automatically be printed and will not ask for the document number. The layout works fine using the server workstation but in the client workstation we cannot proceed with the printing because when we click on the preview button, a login window appears with this details:
  Database Login
  Server Name : gray out or not active
  Database: gray out or not active
  Login ID: active
  Password: active
  We tried to enter the SQL login but fails.
  Is there any components that we need to install in the workstation before it could function the same way as PLD?
  Thanks,
  Janice

  You can try creating the ODBC connection, which is the same as on the server.
  Assuming this is the scenario:
  1. You write the invoice using crystal report on the server
  2. On the server, Control Panel--> ODBC, you have created an ODBC link eg; SAPB1.
  3. The report is connecting to ODBC link and pointing to database OECUS
  On the client workstation, you need to create:
  1. Control Panel--> ODBC, you need to create an ODBC link as on the server.

• Time Capsule - No DNS servers and Double NAT

  I'm connecting an MBP running 10.5.6 to a Time Capsule which accesses Virgin Media broadband using a cable modem.
  It has been working fine for 6 months, but I made some changes this morning to get my wireless camera onto the network, which broke the connection, and don't seem to be able to undo them.
  The TC now flashes amber, and going into Airport Utility I get the following errors:
  - No DNS Servers
  - Double NAT
  I've typed the DNS servers' IP addresses for my ISP into Airport Utility but it doesn't seem to recognise them. It also complains about a double NAT problem but I don't have another router assigning IP addresses.
  I've also tried a hard reset on the TC, switched it and the modem off, waited 30 mins and then switched back on again - no luck.
  Screenshots of all the settings on my TC from Airport Utility are here:
  http://web.me.com/julianlove/Site/TimeCapsule.html
  I'm not very knowledgeable about networking so any assistance appreciated.

  Double NAT is an indication that you have two devices on the network both trying to perform routing duties. You only want one device doing this on a network. Solve the NAT issue and the DNS issue will go away as well.
  What is the make and model number of the device that you call your "modem"?

• Time Capsule Problems - No DNS Servers Where did they go?

  I have an iMac and macbookpro using a TC connected to high speed cable modem. Everything has worked fine for a year+. All of the sudden I can't connect to Internet. Under airport utility it says I have no dns servers and has two empty boxes. Then it says something about choosing or not choosing the bridge option. Never had to deal with any of this before and don't know what to enter.
  I checked and modem and everything leading to TC is working ok. I tried turning off/on, unplugging, some other guesses but no luck.
  I work from home and could really use some help asap. It is extremely appreciated...thanks!

  I am experiencing the same problem with my time capsule. I have owned the timecapsule for a couple of years and have had no connectivity issues with it.
  Regarding the Double NAT:
  I have tried switching to bridge mode, but I just loose internet connectivity completely. I would appreciate it if someone would post any common problems with using bridge that I should look for.
  I would think that if Double NAT were an issue that the Airport would report it consistently rather then intermittently.
  Regarding the lack of DNS:
  I also switched to several combinations of DNS servers (comcast, google, and openDNS). No combinations solves the problem.
  When I loose connectivity in NAT mode I go get a drink of water and comeback and the problem has resolved itself. I then reestablish my VPN link and continue work.
  I have not noticed this when I am not using VPN; but I have a hard time believing that a VPN running on my MBP would affect the TC. I use VPN a lot, so the odds are that it will happen when I am using VPN.
  I have had this ISP (comcast) since February. The problem (the TC reporting double NAT and no DNS) started to happen in June.
  I have always had problems with my VPN dropping while I am using comcast. Under my previous ISP VPN rarely dropped.

• Mac client not showing up in Windows DNS

  Hi,
  I've got a Windows Server 2003 Active Directory network with DNS, DHCP, etc. all running. I have a Mac OS X Panther client I want to be added to my DNS servers automatically. I can successfully bind the mac to AD, and login to AD just fine. The client gets an address from DHCP, but it never shows up in DNS. I have added the DNS servers and domain in the TCP/IP settings, and double-checked all of the network settings. The mac client and windows servers all have the latest patches and updates.
  Any ideas?
  Thanks,
  Mike

  Have you tried removing that client from the computer list and re-adding it? If it won't show up, even via the IP, and of course presuming that you've checked any firewalls or routers to make sure nothing's change that could block ARD from reaching that system, you may need to remove the client and reinstall. Instructions for removing the client can be found here.
  Hope this helps.
  Message was edited by: Dave Sawyer

• Is Verizon not allowing connections to alternate DNS servers anymore?

  Last night I ran a DNS benchmark test, and a notice popped up saying my ISP was intercepting and redirecting all outgoing DNS requests. I've been using OpenDNS for a year now without any problems, then I found out last night I am not connecting to their servers, so I tried Googles servers, no luck there either.
  I called tech support (several times) and no one could give me a straight answer to my question: Is Verizon not allowing connections to alternate DNS servers anymore? I was forced to switch back to Verizon servers, not happy about that.
  Can someone please answer my question? Thanks.

  I'm on FiOS and I've got no issues using OpenDNS.  I have the Quantum router set to use it.  Works fine.
  I've manually changed DNS on my computer to google's servers.  No problems with this, either.
  If a forum member gives an answer you like, give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer as Accepted Solution so others can see the solution to the problem.

• BUG in IMS 5.2 P 1 on Windows 2000 : not using the correct DNS servers

  Hi everyone,
  I encountered a queer bug in Ims 5.2 on Windows 2000.
  Let me explain it to all of you to avoid spending time and money debugging this problem.
  The problem may occur on Windows 2000 Server if the server used was formerly configured to obtain its IP address from a DHCP server (before using it for mail purposes).
  Windows 2000 doesn't delete its DHCP client configuration even if the machine is re-configured with a static IP.
  It stores the information in an interface registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  If you install IMS52 after this, the server will use the DNS servers configured in the DHCP configuration rather than the ones specified in the static IP config to lookup the MXs.
  So if the nameservers configured in the DHCP config are not reachable, the smtp server will systematically fail sending outbond mails.
  To avoid this, locate the DHCP interface key in the Registry and remove it.
  Remarks :
  I know that this situation is not common but it may occur in certain occasions for people like me who are making demonstrations on clients sites.
  I'm not sure it is specifically related to DHCP rather than static config. I would say that IMS uses the first interface found in the registry (in alphabetical order) even if this interface is not active...
  A good idea is to remove completely from the registry all the interfaces keys not currently used by the system.
  Hope this will help some of you.
  Best regards,
  Vincent MAZARD
  DML FRANCE

  Interesting. Thank you for the observation. Not something I have seen, either.