2nd August 2012, 07:00 PM #1
CC3 to Vanilla now can't connect to internet through proxy
I don't know if anyone can help me with this but I would be very grateful if somebody could as it's driving me batty!!
We are a school who have recently moved from RM CC3 to a vanilla network, the servers (DNS, DHCP) were set up by a company, but since the move I can't connect to the internet through staffproxy.swgfl.org.uk (which is an external proxy, which allows for lighter filtering for staff). We have gone from Server 2003 to Server 2008r2. We have a smartcache that goes through an alternative proxy for students which is more heavily filtered and once I added this to DNS it's working fine, but the staffproxy....... proxy won't. When I run the connection troubleshooter it says about DNS not resolving the name.
I contacted SWGFL and they gave me an external DNS to use, I put this into my PC's DNS settings and it works, but I can't see why I have to use an external DNS because I went from 2003 to 2008r2. This is happening on all PCs and servers.
Is there a setting that I need to change on Server2008r2?
Any advice would be gratefully received, as when the staff come back if this is not working, I am going to get my a** chewed.
Many thanks
Sean
-
2nd August 2012, 07:16 PM #2
On your new Server2008r2 setup you need to add the settings from the SWGFL as DNS forward addresses. Your old RM cc3 network would have been set up like this. So if your local (on site) DNS server can't resolve the address it forwards it to the SWGFL DNS servers. Once done your hosts should then be able to resolve external names like the staff proxy one.
I expect if you currently try and ping something like google.co.uk from the command line it can't resolve the address.
Once the local DNS server is set up to forward unresolved addresses to the SWGFL it will start working.
-
Thanks to MicrodigitUK from:
sadams1980 (3rd August 2012)
-
2nd August 2012, 07:20 PM #3
RM or no RM, DNS Forwarders are normal and required to resolve external requests (as mentioned above).
-
Thanks to Michael from:
sadams1980 (3rd August 2012)
-
2nd August 2012, 07:29 PM #4
To configure a DNS server to use forwarders using the Windows interface:
Open DNS Manager.
In the console tree, click the applicable DNS server.
Where?
DNS/Applicable DNS server
On the Action menu, click Properties.
On the Forwarders tab, under DNS domain, click a domain name.
Under Selected domain's forwarder IP address list, type the IP address of a forwarder, and then click Add.
Add the two SWGFL DNS server IP addresses to this list of forwarders.
Then test and it should now work.
-
Thanks to MicrodigitUK from:
sadams1980 (3rd August 2012)
-
2nd August 2012, 08:02 PM #5 
Originally Posted by
Michael
RM or no RM, DNS Forwarders are normal and required to resolve external requests (as mentioned above).
Slight and partial correction, they are required to resolve non-global requests such as stuff internal to your LEA network like the proxy. The DNS system actually has a bunch of root-hint servers that make up the core and can be used to dig down and resolve the addresses. This is much slower and less efficient than using a forwarded server from the likes of your ISP. It all boils down to the same thing, passing the requests up the chain to find the addresses, but one is a top down approach and the other is a bottom up. As stated above, adding the LEA DNS in as the main forwarder to your DNS server is the right answer as using external DNS on internal client machines will also break internal DNS resolution for your client, breaking stuff like AD in very interesting and annoying ways.
-
Thanks to SYNACK from:
Michael (3rd August 2012)
-
2nd August 2012, 08:34 PM #6
As well as the Forwarders in DNS Server, Birmingham LA also recommend internal then external DNS servers to be set in DHCP Server. I've never noticed any problems in doing this.
-
Thanks to Michael from:
sadams1980 (3rd August 2012)
-
3rd August 2012, 12:36 PM #7 
Originally Posted by
Michael
As well as the Forwarders in DNS Server, Birmingham LA also recommend internal then external DNS servers to be set in DHCP Server. I've never noticed any problems in doing this.
If you've always had it set that way, you just might not have noticed that it isn't working as well as it could be.
More prescriptively: if your DHCP is configured like this and serving an Active Directory Domain environment then you will notice a performance and reliability improvement by removing the external DNS Server reference in DHCP, and also from any client where it is statically configured, assuming that your DC/DNS servers can communicate with the LA Forwarders.
-
2 Thanks to psydii:
Michael (3rd August 2012), sadams1980 (3rd August 2012)
-
3rd August 2012, 01:39 PM #8 
Originally Posted by
Michael
As well as the Forwarders in DNS Server, Birmingham LA also recommend internal then external DNS servers to be set in DHCP Server. I've never noticed any problems in doing this.
You should not have external DNS servers configured on the client. This is a bad idea and against MS advice.
Last edited by sparkeh; 3rd August 2012 at 01:42 PM.
-
Thanks to sparkeh from:
sadams1980 (3rd August 2012)
-
3rd August 2012, 02:55 PM #9
There is a reason though and I cannot remember why off the top of my head... I could still remove it if you guys think it'll improve performance.
-
Thanks to Michael from:
sadams1980 (3rd August 2012)
-
3rd August 2012, 03:01 PM #10
MS advice on this:
Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider's (ISP's) DNS servers. If you configure the DNS client settings to point to your ISP's DNS servers, the Netlogon service on the domain controllers does not register the correct records for the Active Directory, directory service. With these records, other domain controllers and computers can find Active Directory-related information. The domain controller must register its records with its own DNS server.
-
2 Thanks to sparkeh:
Michael (3rd August 2012), sadams1980 (3rd August 2012)
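An added example, not part of the original thread or any poster's code: a PowerShell 2.0-compatible audit of the advice in posts #7 to #10 that lists each IP-enabled adapter's DNS servers and flags any that are not on-site DNS servers. The addresses in `$InternalDns` and the names in `$Computers` are placeholders to replace with your own.

```powershell
# Added example: flag adapters whose DNS server list contains anything other
# than the site's internal DNS servers. All values below are placeholders.
$InternalDns = @('10.0.0.10', '10.0.0.11')   # assumed: on-site DC/DNS servers
$Computers   = @('localhost')                # assumed: machines to check

function Get-ExternalDnsEntry {
    param(
        [string[]]$Configured,   # DNS servers set on one adapter, in order
        [string[]]$Internal      # addresses that are allowed to appear there
    )
    # Return every configured server that is not an internal DNS server.
    @($Configured | Where-Object { $_ -and ($Internal -notcontains $_) })
}

foreach ($computer in $Computers) {
    # Win32_NetworkAdapterConfiguration exposes the per-adapter DNS list
    # (static or DHCP-assigned) as DNSServerSearchOrder.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
        -ComputerName $computer -Filter 'IPEnabled = TRUE' `
        -ErrorAction SilentlyContinue
    if (-not $adapters) {
        Write-Warning "No adapter data returned from $computer"
        continue
    }

    foreach ($a in $adapters) {
        $bad = Get-ExternalDnsEntry -Configured $a.DNSServerSearchOrder `
            -Internal $InternalDns
        New-Object PSObject -Property @{
            Computer    = $computer
            Adapter     = $a.Description
            DhcpEnabled = $a.DHCPEnabled
            DnsServers  = ($a.DNSServerSearchOrder -join ', ')
            NotInternal = ($bad -join ', ')
            Compliant   = ($bad.Count -eq 0)
        }
    }
}
```

When auditing the domain controllers themselves, add `127.0.0.1` to `$InternalDns` if they list loopback as a resolver, otherwise it is reported as not internal.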
-
3rd August 2012, 04:09 PM #11
I've removed the external DNS settings from all DHCP Servers and updated static configs too. Internet connectivity tested OK, as of course I left Forwarders in place. If I find out why they're needed in future I'll post back!
Thanks for the tips
-
Thanks to Michael from:
sadams1980 (3rd August 2012)
-
3rd August 2012, 05:58 PM #12
Thanks to everyone for the advice. I set up the forwarders and it is working fine. Thanks for all the help.
-