Interesting DNS issues

[mortstar]

This one is going to take some explaining, so I apologise in advance for its length and digressions.

Okay, over the Summer we had our admin and curriculum networks joined by a two way trust. Up until recently we have only been using this trust in one direction (namely curriculum to admin). We have the teacher laptops (curriculum) on a specific IP range that are allowed through the PIX box to access data such as the S: drive for SIMS on the admin network server.

However, the SMT want admin staff to be able to move files over from the admin network to curriculum, so that teachers can find the information they need in one area of the network. Simple I thought, a call to Serco to have a similar rule added to the PIX, to allow an IP range on the admin network through to the curriculum.

This is were it gets slightly strange. The admin network machines have static IPs and their DNS is explicitily set to the admin network server. The curriculum network are assigned IPs by DHCP from the curriculum network server, apart from the teacher laptops which have reservations so that they fall within the IP range that is allowed through the PIX box, and so make use of the domain trust. This was all working fine until Serco added a rule to the PIX so that admin machines on a specific range of IPs could access the curriculum network.

When this rule was in place, the curriculum network was not affected in any way. However, the admin machines would happily log on and allow access to the admin network shares. But some minutes (30-60) later, at seemingly random intervals, they would drop their connection to the DNS server (set statically). An NSLookup would say that no DNS server was present. Then a ping to the DNS server would time out. Strangely, once you ping the curriculum server the machines would pick up their original DNS settings once again and all would work fine. Until the next random drop.

Because of the need to go round individual admin machines to get them back on the network by pinging the curriculum server (?!?) I asked Serco to remove the new rule from the PIX and since then everything has gone back to working the way it was before, no random drops and no access to curriculum network for admin staff.

Now this has absolutely no rhyme or reason to me, the LEA support or Serco. I was wondering if anybody can suggest what may be a reasonable explanation for this and what I can do to try and rectify it. I may ask Serco to re-apply the PIX setting and then monitor network traffic to see if the curriculum server is tripping up the admin machines, but I see no reason why as the admin machines have their DNS explicitly set.

Thanks for reading this and any help!

Sam

P.S. Both networks are vanilla Win 2k3 and all clients XP

[Geoff]

Presumably your stub zones are configured on your DNS servers for correct cross domain lookups?

What are the machines default gateway?

[mortstar]

Cheers for the reply Geoff

Both servers within their own domain are acting as Primary Zones and then the opposite server is acting as a Secondary Zone

i.e.
Curriculum Network ->
Name: curriculum ----- Zone: AD integrated Primary
Name: admin ----- Zone: Secondary

Admin Network ->
Name: admin ----- Zone: AD integrated Primary
Name: curriculum ----- Zone: Secondary

Would it be far more logical to set up Stub zones on each server and remove the Secondary Zones?

[Geoff]

In this situation 'correct' way to do it is to use stub zones. You only really use Secondary zones when you want to be able to cache data (for example for performance reasons or redundancy).