Some https sites not resolved

Guest
Archived from groups: microsoft.public.win2000.dns

Recently users have been unable to connect to some https sites from my
W2k AD network. I have a Windows 2000 DNS server and am using a non
authentic domain name internally. All machines have static private IPs
and my DNS server as the preferred DNS server, and our ISP's DNS as
secondary. I can access the sites using the site's IP address
- https://206.204.191.104/dcx/login.jsp will connect, but
https://chf.ilumin.com/dcx does not.

If I move the ISP's DNS up to preferred DNS, I can access the sites.



--
suegun
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message437785.html
 
Guest
Archived from groups: microsoft.public.win2000.dns

When you send a query to DNS for an external domain name, the DNS server
needs to either resolve it via root hints, or forward it via configuring
forwarder to your ISP.
If the server attempts the root hints route and times out itself, then it
will send a negative query result back to the client. (I think this is how
it works)
The client trusts the DNS server's response and does not try its secondary
DNS server. The secondary is only used if the first query times out.

I suggest you configure a forwarder on your DNS server to point to your ISP.


--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security


"suegun" <suegun.1ecgaf@mail.webservertalk.com> wrote in message
news:suegun.1ecgaf@mail.webservertalk.com...
>
> Recently users have been unable to connect to some https sites from my
> W2k AD network. I have a Windows 2000 DNS server and am using a non
> authentic domain name internally. All machines have static private ip's
> and my DNS server as the preferred DNS server, and our ISP's DNS as
> secondary. I can access the sites using the sites ip address
> -https://206.204.191.104/dcx/login.jsp will connect, but
> https://chf.ilumin.com/dcx does not.
>
> If I move the ISP's dns up to preferred dns, I can access the sites.
>
>
>
> --
> suegun
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message437785.html
>
 
Guest
Archived from groups: microsoft.public.win2000.dns

> All machines have [...] my DNS server as the preferred DNS server, and our
> ISP's DNS as secondary.

Don't do that.
http://homepages.tesco.net./%7EJ.deBoynePollard/FGA/dns-client-all-proxies-must-provide-same-service.html
 
Guest
Archived from groups: microsoft.public.win2000.dns

Thanks for the suggestion, I added my ISP's DNS as a forwarder on my DNS
server, but still experience the same problem. Also, since I've added
the forwarder, I can no longer connect to those sites by moving my
ISP's DNS into the primary slot on the workstation settings. Any more
thoughts?



--
suegun
 
Guest
Archived from groups: microsoft.public.win2000.dns

In news:suegun.1ecgaf@mail.webservertalk.com,
suegun <suegun.1ecgaf@mail.webservertalk.com> commented
Then Kevin replied below:
> Recently users have been unable to connect to some https
> sites from my W2k AD network. I have a Windows 2000 DNS
> server and am using a non authentic domain name
> internally. All machines have static private ip's and my
> DNS server as the preferred DNS server, and our ISP's DNS
> as secondary. I can access the sites using the sites ip
> address -https://206.204.191.104/dcx/login.jsp will
> connect, but https://chf.ilumin.com/dcx does not.
>
> If I move the ISP's dns up to preferred dns, I can
> access the sites.

First thing, if you have an Active Directory domain, do not use your ISP's
DNS in any position. Second, use the DNS management console to expand Forward
Lookup Zones, if there is a "." zone, delete it, that will enable root
hints, then allow you to set a forwarder on the forwarders tab to your ISP's
DNS (optional)

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
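
A simplified model of the behaviour described in the replies above, added here as an example and not part of any post: the client moves to its secondary DNS server only on timeout, and a server holding a "." zone answers external names negatively without forwarding. The `Server` class and `client_resolve` function are hypothetical (not a Windows API), the internal name `dc1.corp.internal` and address `10.0.0.10` are constructed, and root hints are assumed unreachable so a server with no forwarder answers negatively.

```python
TIMEOUT, NEGATIVE = "timeout", "negative"

class Server:
    def __init__(self, zones, root_zone=False, forwarder=None, up=True):
        self.zones = zones          # {name: ip} the server can answer itself
        self.root_zone = root_zone  # True = a "." zone exists on the server
        self.forwarder = forwarder  # upstream Server, or None
        self.up = up

    def query(self, name):
        if not self.up:
            return TIMEOUT
        if name in self.zones:
            return self.zones[name]
        # With a "." zone the server believes it is the root of DNS, so it
        # answers negatively itself; forwarders and root hints are not used.
        # Assumption: without a forwarder, root hints fail and the result
        # sent to the client is also negative.
        if self.root_zone or self.forwarder is None:
            return NEGATIVE
        upstream = self.forwarder.query(name)
        return NEGATIVE if upstream == TIMEOUT else upstream

def client_resolve(name, servers):
    """Try servers in order; move to the next one only on timeout."""
    for server in servers:
        answer = server.query(name)
        if answer != TIMEOUT:
            return answer  # a negative answer is trusted and final
    return TIMEOUT

def scenarios():
    ext, ad = "chf.ilumin.com", "dc1.corp.internal"  # ad name is constructed
    internal = {ad: "10.0.0.10"}                     # constructed address
    isp = Server({ext: "206.204.191.104"})
    with_root = Server(internal, root_zone=True)     # "." zone still present
    fixed = Server(internal, forwarder=isp)          # "." deleted, forwarder set
    down = Server(internal, up=False)
    lookup = lambda order: (client_resolve(ext, order), client_resolve(ad, order))
    return {
        "internal preferred, ISP secondary": lookup([with_root, isp]),
        "ISP preferred, internal secondary": lookup([isp, with_root]),
        "internal only, forwarder to ISP": lookup([fixed]),
        "internal down, ISP secondary": lookup([down, isp]),
    }

if __name__ == "__main__":
    for label, (external, internal_name) in scenarios().items():
        print(f"{label}: external={external} internal={internal_name}")
```

Only the forwarder configuration resolves both names; with the ISP server anywhere in the client's list, one of the two lookups ends in a negative answer that the client accepts.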
 
Guest
Archived from groups: microsoft.public.win2000.dns

In news:suegun.1eeayc@mail.webservertalk.com,
suegun <suegun.1eeayc@mail.webservertalk.com> made a post then I commented
below
> Ignore that last statement. I can still connect by moving my ISP to
> the preferred slot.

As everyone is saying, don't use your ISP DNS on any machines. It will cause
numerous issues. Please configure a forwarder.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================