Nat
CyberDude

2002-04-08, 10:12 am

I have set up NAT with its defaults. I am using the DHCP and DNS server services, NOT the NAT ones. Why is my computer now always connecting to the net? I thought NAT was similar to ICS, where the interface only connects when it gets told to (by a user). It continuously connects and disconnects itself when I am not using the net. I do not think it should be behaving like this. It is installed on a member server which is part of the workgroup, and at the moment it is the only computer switched on. What service is always connecting to the net and why?
jeff_j_black

2002-04-08, 10:19 am

I seem to remember a Knowledge Base Article for this one. It is pretty much by design. Any service that might possibly want to query DNS for example, could initiate your connection. Every time I have seen a DC on ICS or NAT, the connection opens and closes frequently on its own.
CyberDude

2002-04-08, 10:23 am

I think I have sussed it. Once I had re-enabled RRAS, there was an inbound connection that I had configured during my RAS study day. I deleted this, restarted RRAS, and lo-and-behold it does not connect automatically now. But the question that is bothering me is why was the inbound connection going on and off considering the policy had it disabled?
CyberDude

2002-04-08, 10:33 am

No it is back again doing what it wants to. When I look at the NAT portion in RRAS it says that it is down, so it is not NAT. I have not configured it to use remote dns so why is it connecting. The book does not state that this will happen. This is becoming a pain in the ***.
jeff_j_black

2002-04-08, 12:57 pm

Maybe it's lonely? Looking for some replication partners. Do you have WINS active? This might broadcast to find partners, as well. Basically any service that might broadcast or look for addresses outside of your local network range, is going to generate a request for connectivity. You could try to filter the Demand Dial Interface and lock it down to particular users or something?
CyberDude

2002-04-08, 1:23 pm

It is something to do with RAS. When I said I had sussed it I was there on the ball. In start/settings/network connections there is an inbound connection. I believe this is placed there by RRAS when it has been configured, and I also believe this is connected to the RAS default policy. When I deleted this from settings, there were no more auto-connects. Unfortunately when it started happening again (as when you delete this it disables RRAS) the inbound connection returns and starts talking. I had a quick look at its properties and it was enabled for my null-modem connection as well as my dial-up. Unfortunately, out of pure frustration, I deleted the policy and deleted the connection. When I try to configure RRAS again, it of course says no as there is no default policy to be found. I have tried booting from CD and letting the program do a complete repair, but it has not installed the default policy so still refuses to load RRAS service. I am now going to attempt to find the default policy on the CD and install it, or failing that create a policy and save it as the default one.
mcdoud

2002-04-08, 11:20 pm

I have the same thing happening. I too configured NAT on a member server. I also have a DC, a DNS server, & a WINS server on my network. I haven't taken time to troubleshoot though. Only so many hours in a day. It is irritating, especially when trying to use the system.
mcdoud

2002-04-09, 6:34 am

I just noticed that there is an error in the system log of my DC that says: "Because of repeated network problems, the time service has not been able to find a domain controller to synchronize with for a long time..." It appears to be trying to synchronize the TOD, which may be causing the autodials.
wbafrank

2002-04-09, 7:37 am

Link ....

http://support.microsoft.com/defaul...b;EN-US;q299801

or this:

http://support.microsoft.com/defaul...b;EN-US;q258059
jeff_j_black

2002-04-09, 7:45 am

http://www.eecis.udel.edu/~mills/ntp/clock2.htm

Here's a list of time servers.
CyberDude

2002-04-10, 3:51 am

As I only have one server for study, and I want to be able to learn the full DNS and DHCP services, if I configure NAT to use itself as these services I will not be able to do so. If I have these services running, do I still need to configure NAT to allow clients to query external dns servers (ie internet), or do I have to do this via the actual dns service?
Zaraspook

2002-04-10, 9:33 pm

Ever hear of a catch-22?

The DNS Proxy and the DNS Server, unfortunately, can't coexist on the same host if they are using the same interface and same IP address with the default settings.

The following may shed light on your dilemma:

http://support.microsoft.com/defaul...b;EN-US;q279678

Also, look at jguy's post regarding DNS.
CyberDude

2002-04-11, 1:35 pm

I know that they cannot coexist, which is why I want to only use the full services so that I can study them, and hopefully have NAT work via them.
jeff_j_black

2002-04-11, 3:40 pm

I'm sure it will work. How is your DNS zone set up? If you have not set one up yet, good! You want to make sure that your DNS zone is not a root zone, so you can use your ISP's DNS servers as forwarders. Then, your zone will be authoritative for local host addresses, but when queried to resolve external addresses, the query will forward to the Internet. Good luck, let us know how it goes, it's a good discussion thread.
CyberDude

2002-04-12, 6:55 am

My DNS zone must already be a root zone as I installed and set it up prior to promoting my member server to a DC. It is configured for my LAN. I am using a dial-up connection to the internet so I do not have a permanent link, which means NAT has to run via a dynamic address to the ISP. Will this work or am I stuck with ICS?
jeff_j_black

2002-04-12, 12:24 pm

The DNS servers for your ISP will have the same addresses. Outbound NAT connections should not be affected by the dynamic address, just if you wanted to connect to your network from somewhere else. I don't know how to resolve your situation in terms of having a root zone, unless you've registered your domain name. You still would not be able to resolve addresses outside of your network, without being able to use forwarders. Best case scenario is to build a member server, get DNS running and tested, then promote to DC. This way you get a functional DNS infrastructure, that Win2k is so fond of.
CyberDude

2002-04-12, 1:34 pm

That is what I have done. I followed NR to the letter. Install member server. Install DNS as Primary, and configure forward and reverse lookup zones. Use dcpromo to promote member server to DC. Configure both zones for auto updates and AD-integrated. I installed and authorised my dhcp server as well. I have not yet tried NAT out on the DC yet, so hopefully it will work. When I did try it, I was still using a member server, and it would not let my client connect to the outside world. I have no web domain name as I cannot afford one, and have no time to run one. I am hoping that I can get NAT to use my dial-up connection without having to remove my dns and dhcp servers and configure NAT for dns and dhcp. I will let you know when I have tried NAT on the DC, but I am still practising some of the other things that only come with AD at the moment.
jeff_j_black

2002-04-12, 2:07 pm

I don't know if it affects NAT, but I could not get routing to work until I looked up an MS KB article that states blah blah 'IPEnable' set to '1'. You can search the registry for IPEnable to find this. After that, my routers worked. I'll look up the article if you need. Good luck, keep it going!
Zaraspook

2002-04-12, 10:38 pm

I believe the only way to get NAT to work with your current network configuration is to not use the DHCP allocator and DNS proxy services in NAT, but instead use the DHCP server service, which if I understand your post correctly is what you’re wanting to accomplish. This would cause name resolution queries to be sent to your local DNS server for name resolution, which would resolve local names and then forward unresolved names to the Internet.

Jeff’s right about making sure your DNS zone is not set up as a root zone. To check for a root zone, go to the DNS Manager, double click your DNS server to expand it, and then double click the Forward Lookup folder to expand it. Next, look for a zone denoted by a “.”. If it exists, delete it by right clicking on it and choosing delete. This will enable your DNS server to use the Internet root servers. There is no need to configure forwarders to send DNS queries to your ISP’s DNS server, unless you want or need to increase DNS performance.

If I remember correctly, it’s not necessary to have a registered domain name for outbound traffic. It’s only necessary if you want to allow inbound traffic. And the NAT service will work with either a persistent connection to the Internet or a dial-up connection if properly configured. Good luck!
jeff_j_black

2002-04-13, 10:03 am

The point of registering a domain name becomes obvious if you connect your network to the internet with a DNS zone that is authoritative for an unregistered domain. If someone else has registered that name, then your DNS server can take over or interfere with name resolution. You can avoid this by not making a root zone. To resolve names that are not on the LAN you should direct your queries to a DNS server that can resolve them, hence the forwarders.

I did both of these on my lab using a DSL connection to the Internet. Going online with an unregistered domain name and a root zone, I could not even ping my own server from itself and get the correct address in response. I use the other configuration currently, with no problems.
CyberDude

2002-04-13, 1:40 pm

Cheers guys for the good info. I will give it a whirl once I have time, as I am a bit pushed with family matters right now. Will post as soon as I can.
Zaraspook

2002-04-14, 12:13 am

Hey Jeff, if I remember my DNS 101 correctly, by default, Windows 2000 DNS uses the root hints file or the a.k.a. cache.dns file in a process called recursion. Root hints is a file or list, if you will, of the root servers authoritative for the top-level root DNS servers on the Internet. Remember that series of iterative queries to the .com DNS server and so forth, or for example, take www.examnotes.net, an iterative query is sent to the .net DNS server to obtain a referral to the examnotes.net server. Then to the examnotes.net server for a referral to the www.examnotes.net server, and then the www.examnotes.net server is finally contacted and the authoritative answer is then received by the DNS server, which finally sends it back to the querying client. All DNS servers use this recursion process by default, unless this feature is disabled or a forwarder has been configured.

Now that’s not to say that forwarders can’t be configured. For instance, forwarders can be configured to send DNS queries directly to the ISP's DNS server or other DNS servers. In most cases, the main reason for configuring forwarders is to reduce DNS traffic and increase performance and efficiency. However, this may also introduce another point of failure if, for example, the configured forwarder is experiencing some sort of a problem.

Regarding domain name registration, it’s not an absolute prerequisite if all you are going to do is access the Internet and do some simple surfing from your home or test network. However, if you want machines on your domain to be accessed from the Internet, then that’s a different story. You must register your domain with an authority like the Internic so that your name can be added to the top-level name servers. If you don’t, then your name will not be added to the top-level name servers, and Internet hosts will be unable to find and connect to machines on your network.

I’m not so sure that, if you don’t register your domain name, it could possibly take over or interfere with name resolution. If it’s not registered with the top-level name servers, then I don’t see how it could be possible for it to interfere with name resolution.
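The three resolution paths discussed above (recursion from root hints, the stray root zone that blocks it, and a forwarder), as an added Python model that is not from the thread; every server name and address in it is constructed, and the referral chain for www.examnotes.net follows Zaraspook's walk-through.

```python
# Added example, not from the thread: a small model of how a DNS server picks
# its resolution path. Each constructed server lists the zones it is
# authoritative for, its A records, and the child zones it refers elsewhere.
SERVERS = {
    # Stand-ins for the Internet root, the .net TLD and the examnotes.net server
    "root.example.": {"zones": {"."}, "records": {},
                      "refer": {"net.": "gtld.example."}},
    "gtld.example.": {"zones": {"net."}, "records": {},
                      "refer": {"examnotes.net.": "ns1.examnotes.net."}},
    "ns1.examnotes.net.": {"zones": {"examnotes.net."},
                           "records": {"www.examnotes.net.": "203.0.113.10"},
                           "refer": {}},
    # The ISP's recursive server (a possible forwarder): no zones of its own
    "isp.example.": {"zones": set(), "records": {}, "refer": {}},
    # The lab DC with only its own zone, and the same DC with a root zone "."
    "dc-ok.": {"zones": {"lab.local."},
               "records": {"dc.lab.local.": "192.168.0.1"}, "refer": {}},
    "dc-root.": {"zones": {"lab.local.", "."},
                 "records": {"dc.lab.local.": "192.168.0.1"}, "refer": {}},
}
ROOT_HINTS = "root.example."  # the first server named in the cache.dns file

def ask(server, qname):
    """One non-recursive query: an answer, a referral, an authoritative
    NXDOMAIN, or 'elsewhere' when the name is outside every zone it holds."""
    s = SERVERS[server]
    if qname in s["records"]:
        return "answer", s["records"][qname]
    for child in sorted(s["refer"], key=len, reverse=True):  # longest suffix
        if qname.endswith(child):
            return "refer", s["refer"][child]
    if any(qname.endswith(z) for z in s["zones"]):
        return "nxdomain", None  # authoritative "no": nobody else is asked
    return "elsewhere", None

def resolve(qname, local, forwarder=None):
    """Resolve as the local server would: own data first, then a forwarder
    if one is set, else iterate from root hints. Returns (ip, servers asked)."""
    trace = []
    kind, val = ask(local, qname)
    if kind != "elsewhere":        # a root zone makes every name "ours"
        return val, trace
    if forwarder:
        trace.append(forwarder)
        ip, _ = resolve(qname, forwarder)  # the forwarder recurses for us
        return ip, trace
    server = ROOT_HINTS
    while server:
        trace.append(server)
        kind, val = ask(server, qname)
        if kind == "answer":
            return val, trace
        if kind != "refer":
            return None, trace
        server = val
    return None, trace
```

With the root zone present, resolve() never leaves the local server for an external name, which is why deleting "." (or configuring forwarders on a server without it) is what makes Internet names resolvable.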
CyberDude

2002-04-18, 9:02 am

I have now implemented NAT on my DC. I had to delete the root zone that it creates, so thanks guys for that tip.

Unfortunately my server is now continuously connecting to the net, which is very annoying. I only want it to connect when I connect it or if my NAT client connects it.

I keep getting this time error which is previously mentioned on this thread. I have had it ever since I promoted the server to a DC. I have set up my zones so they do not transfer, as I only have one server. If this clock is part of replication, why is it still trying to when I have not configured replication?

Ever since I deleted the root zone, I have been getting lots of dns errors in event viewer.

Is there any way of finding out what service is connecting to the net via NAT, as task manager does not help. The only things I can see using cpu time when it is connected is explorer.exe, system and sometimes crrs.

Any ideas will be greatly received.
Zaraspook

2002-04-18, 10:10 pm

Try the link below for the "time errors". It may help?

http://www.microsoft.com/windows200...wintimeserv.doc

In the meantime, could you provide a little more specific info on the time and DNS errors? Specific Event IDs and so on?
CyberDude

2002-04-19, 2:25 am

I have no time today to play with my test server, but the dns errors were mainly stating that there was no host record for the server in the scope. This appeared after I deleted the root scope. I have checked my local scope, and there is a host record there.

I have only skimmed through that time doc, but what I did read was very interesting. Thank you. It is a pain though, as I only have one server which is now a dc. Is it possible to configure this server not to connect to the net whenever it wants? If it is due to the time server component and that it is trying to find another server to synchronise with, I believe I have to turn it into its own time server so it believes it is always correct (or have I just gone way off orbit?)
Zaraspook

2002-04-19, 11:01 pm

Create a new zone with your internal name space used for the name of the zone.

Check out the following for info.

http://support.microsoft.com/defaul...b;en-us;Q300202

support.microsoft.com/default.aspx?...b;en-us;Q316341
CyberDude

2002-04-22, 3:18 am

That is what I did when I set DNS up. I created a primary zone as I only have one server to play with, and gave it the name of my local domain. I then integrated it with AD. It seems as though it always creates a default zone when you set it up.

Thank you for the links. Once I had deleted the root zone, my NAT client could connect to the internet. I have not configured forwarders, as I do not know any dns server addresses at my isp, and as my client connects to the net now I don't think I need to, the same for root hints (in fact the root hint cache is probably the reason why it can connect?).

The only thing that I have a problem with is that the server is always connecting to the net when it wants and not when I want (probably to do with the time synching?). I am going to configure it to connect to an external time server, but even then it will want to connect three times on the trot, and then once every so many periods.

If I had two servers they would probably just talk to each other without connecting to the net, but that is not in my budget.

My local dns scope has all its A host records, but the dns server is still reporting errors to event viewer saying that there is no A record for the server. Strange.

I will have another little tinker and then get back to you.
dday

2002-04-26, 5:05 am

I have an identical problem as does a colleague of mine. I have been on the same journey as you and am now close to giving up. I'm watching this thread daily as it is about my last chance!!

Come on guys they must be some bright spark reading this who has done this before!!

With empathy

David
CyberDude

2002-04-26, 1:27 pm

I have solved the time server error that kept appearing in event viewer. I decided to carry out what the message said, which was to enter a config string via the DOS prompt. I used my server's name for the server name part, which must have configured my server into its own time server, thus preventing it from looking for other time servers.

Deleting the root dns scope does allow clients to access the internet via NAT, as long as you have configured their default gateway with the NAT server's ip address.

Something is still causing the server to connect to the net whenever it wants though. It is either something on the server or something on a client. Unfortunately, event viewer or NAT does not give out this sort of info, they only say that the NAT DUN has connected or disconnected.

I may have stumbled onto something though, as also in event viewer I have errors for direct play. Maybe this is what is trying to connect. It says that NAT has detected it and has disabled it. I believe this is because NAT cannot run direct play, netmeeting and something else which I have forgotten.
Copyright 2003 - 2008 examnotes.net