Archived from groups: microsoft.public.win2000.dns
"Ted" <Ted@discussions.microsoft.com> wrote in message
news:26F21E40-9AC4-47CD-B2ED-320A056FBA2C@microsoft.com...
> > "Ted" <Ted@discussions.microsoft.com> wrote in message
> > news:85084BCC-81E0-4C24-B4A7-18786065DC6C@microsoft.com...
> > > I have ISA 2004 working perfectly except that occasionally the client will
> > > get a message back that the Gateway could not find an authoritative DNS
> > > server for the domain....
> > >
> > > The client is querying an internal DNS and then it forwards to the caching
> > > server on ISA. Everything is local to the client so the speed should be
> > > there....I was thinking of increasing the DNS server forwarder timeout but it
> > > is currently set to 5 seconds which should be enough??
> >
> > You can certainly increase the timeout, but eventually the
> > client (or any querying DNS server) will itself timeout.
> >
> > Confirm:
> >
> > Clients point STRICTLY to internal DNS servers ONLY.
>
> correct
>
> > Internal DNS servers point to ISA as Forwarder
>
> correct
>
> > (Optionally: internal servers choose "Do not use recursion"*)
>
> recursion is disabled for 'this domain'

Recursion must NOT be disabled within the Advanced
tab of the Server (there it says "Disable Recursion")
since that disables forwarding also -- it does not sound
like that is your problem but being explicit never hurts.

"Do not use recursion" on the Server Forwarder tab IS
APPROPRIATE in most cases.

Neither is related to any domain or zone but are both
SERVER settings.

> > ISA does its own physical recursion from the Internet root down
> > OR it forwards to a (reliable, large) ISP? **
>
> ISA forwards to the ISP (Bell Canada T1)
>
> >
> > * Although, I cannot precisely explain why "Do not use recursion"
> > might help, doing the recursion AND forwarding is seldom
> > helpful itself IF the forwarder is reliable, and may not even be
> > possible due to firewalls. Disabling the internal server recursion
> > (ONLY) on the Forwarders tab has been (unconfirmed) reported
> > to help this specific issue.
>
> Recursion is disabled here but 'This domain' is only the user and computer
> domain. There are multiple DNS suffixes and resources in each domain.

Disabling recursion is a SERVER wide setting.
Unrelated to any zone/domain individually.

May we assume you handle those other zones and
domains by holding cross secondaries to them or
at least to their parent?

Client suffixes are not part of the DNS server setup
and are merely multiple choices the client may ATTEMPT
before giving up and saying "host not found".

Such might cause APPLICATION timeouts but will not
affect the timeout of an individual request made explicitly
(e.g., through NSLookup or by using a FQDN -- note, an
FQDN is technically only one that TERMINATES in a DOT.)

> >
> > If the ISP is large (big caches, near the backbone) and RELIABLE,
> > then most of the time a second forward from the first forwarder
> > at the gateway/firewall ISP will actually help.
>
> This is exactly what is in place now....
> >
> >
> > > When I don't use ISA, the response is pretty fast so I'm not sure if this is
> > > the right move.

You might try nslookup individually to everyone in the
chain.
See if this also agrees that ISA/DNS is the culprit.
Are you actually running a caching only DNS on the ISA
box or using some setting of ISA (I believe it has one like
the NAT/ICS do.)
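
The hop-by-hop check suggested in the reply above, as an added example that is not part of the original thread: it sends the same A-record query directly to each DNS server in the chain and names the failing hop farthest from the client. The function names, chain labels, and addresses are assumptions for illustration; the 5-second default mirrors the forwarder timeout mentioned in the question.

```python
import socket
import struct
import time

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(fqdn, qid=0x1A2B):
    """Encode a minimal A-record query with RD set, as nslookup sends by default."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    # A trailing dot marks the name as fully qualified; it adds no label on the wire.
    labels = [p for p in fqdn.rstrip(".").split(".") if p]
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe(server, fqdn, port=53, timeout=5.0):
    """Query one hop directly; return (status, elapsed_seconds)."""
    query = build_query(fqdn)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", time.monotonic() - start
        except OSError:
            return "UNREACHABLE", time.monotonic() - start
    elapsed = time.monotonic() - start
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "BADREPLY", elapsed
    rcode = reply[3] & 0x0F  # low four bits of the second flags byte
    return RCODES.get(rcode, "RCODE%d" % rcode), elapsed

def walk_chain(chain, fqdn, timeout=5.0):
    """chain: [(label, ip, port), ...] ordered from the client outward."""
    return [(label,) + probe(ip, fqdn, port, timeout) for label, ip, port in chain]

def farthest_failing(results):
    """Hops nearer the client fail when a hop behind them does, so blame the last."""
    for label, status, _ in reversed(results):
        if status not in ("NOERROR", "NXDOMAIN"):
            return label
    return None

# Assumed layout for this thread (placeholder addresses, replace with your own):
# chain = [("internal", "192.0.2.10", 53), ("ISA", "192.0.2.1", 53), ("ISP", "198.51.100.53", 53)]
# print(farthest_failing(walk_chain(chain, "www.example.com.")))
```

Use a name that is unlikely to be cached at any hop; a cached answer at an inner server hides a failure farther out.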