******Begin User Part 1******
…[Server is] a Dell PowerEdge 600sc server with RAID 1. There is 1
NIC. SBS 2003 Standard came pre-installed by Dell. I plugged the server
onto a network that is sharing a public IP in a NAT configuration on a
Sonicwall Firewall, which is also the DHCP server for all PCs on the
network. I configured the NIC on the SBS server with a static IP
address. I configured the DNS server with forwarders to the public IP
addresses of the DNS servers of the Internet provider. And I made the IP
address of the new SBS server the primary DNS server assigned by the
DHCP server. PCs on the LAN, using the IP address of the SBS server as
their primary DNS server, were not able to get DNS resolution. But the
server was for itself.

Here is the response I received from Microsoft:
******End User Part 1******

******Begin Microsoft******
The configurations in SBS 2003 are similar to configurations in SBS
2000.
There is no need for you to run ICW.exe on the computers.

This issue can occur because Extension Mechanisms for DNS is enabled on
Windows 2003 by default (it is disabled in the Windows/SBS 2000). (The
SBS 2003 is based on the Windows 2003)

828731 – An External DNS Query May Cause an Error Message in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731&Product=w

Please try the following command to turn off EDNS0 support:
1. Start a command prompt.
2. Type “dnscmd /Config /EnableEDnsProbes 0” (without the quotation
marks), and then press ENTER.

Then please check the issue again. You can take a look at the following
URL for more information: 828263 DNS query responses do not travel
through a firewall in Windows Server
http://support.microsoft.com/?id=828263
******End Microsoft******

******Begin User Part 2******
The setting change that is recommended by Microsoft disables Extension
Mechanisms for DNS, which is supposedly blocking the computers using this
DNS server from getting their name resolution. So disabling this thing then
allows proper resolution.

Apparently, Extension Mechanisms for DNS was disabled by default in SBS
2000, but Microsoft changed that in 2003 to make it more secure.
******End User Part 2******
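
To check whether the path to a forwarder really mishandles EDNS0 before changing the setting, the following added example (not part of the original post or Microsoft's reply) sends the same query with and without an EDNS0 OPT record and compares the results. The function names and the 1280-byte advertised size are assumptions chosen for illustration; run it from the server against the forwarder address.

```python
import socket
import struct
import sys

def build_query(name, qid=0x1234, edns_size=None):
    """Build an A query; with edns_size set, append an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns_size:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP size, TTL=0, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return packet

def describe_response(data):
    """Pull out the header fields that matter for this diagnosis."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200),
            "answers": ancount, "size": len(data)}

def probe(server, name, edns_size=None, timeout=3.0):
    """Send one UDP query; return the parsed reply, or None if nothing usable came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, edns_size=edns_size), (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:  # includes socket.timeout
            return None
    return describe_response(data) if len(data) >= 12 else None

def verdict(plain, edns):
    """Compare the plain and EDNS0 results for the same name and server."""
    if plain is None:
        return "no-dns-at-all"      # problem is not specific to EDNS0
    if edns is None:
        return "edns-dropped"       # query or reply lost somewhere on the path
    if edns["rcode"] in (1, 4):     # FORMERR / NOTIMP from the remote server
        return "edns-rejected"
    return "edns-ok"

if __name__ == "__main__" and len(sys.argv) == 3:
    server, name = sys.argv[1], sys.argv[2]
    # 1280 is a sample advertised UDP size (assumption), not read from the server
    print(verdict(probe(server, name), probe(server, name, edns_size=1280)))
```

An "edns-ok" result on a reply smaller than 512 bytes does not exercise a firewall's size limit, so also try a name with a large answer and look at the reported `size`.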

 

20 Responses to Having DNS issues with your SBS 2003?

  1. watson says:

    I think you have to let the SBS machine be the DHCP server… I had clients as static IPs and you can’t run the HOSTNAME\Connect wizard. So turn off DHCP on the sonicwall, and make sure that it’s on by running EICW on the SBS machine (and check services too…) Make sure the clients are DHCP clients as well…

  2. Tw says:

    That command seemed to solve my dns problem in 99% of the cases… now, I had the feeling, that after a reboot these settings are lost. Is there a way to make this command/setting permanent?

  3. MikeD says:

    This helped tremendously!! We had a client that couldn’t use blackberry.net within their network. nslookup timed out. Once we executed the dns fix on the MSKB all worked perfectly! I am also wondering if this is a static registry-type setting or if it has to be done on each reboot? For now, I am running a script on reboot, just to make sure.

    Thanks

  5. RickS says:

    This did not help browsing to mail.yahoo.com. Has anyone else seen this problem? It only happens with larger domains.

  6. Tonio says:

    Cool this solved my DNS issue too on a SBS2003…about RickS’ mail.yahoo.com issue, I had a similar problem and using the ISP DNS forwarders instead of root hints DNS fixed it – I was getting nslookup timeout on most of CNAME records, like mail.yahoo.com, http://www.altavista.com..

    Regards,

    Tonio

  7. Mike says:

    Here’s how to SET the UDP packet size in the registry permanently

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_pro_ModifyUDP.asp

    Second: If you have Multi-Homed servers, uncheck "Round-Robin" on the DNS Server that is multi-homed (two nics: one to the Internal network, one to the Internet).

    Third: On the Multi-homed server that has the DNS server also installed on it, MAKE Sure "ONLY" the LAN interface is specified to "listen".

    You should have an external DNS server on the Internet side be the reference for your Internet NIC. I use ENON.com for my External DNS. Low price and changes to my Internet IP address DNS records are replicated across the Internet root servers in under 15 minutes.

    Hope this helps.

    Mike

  8. Trey says:

    I found this solution to be the best for 2003 and SBS 2003. Make this addition to the registry on the server:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

    and add this name/value pair:

    EnableEDNSProbes DWORD 0x0

    and stop and restart your DNS service.

  9. StianA says:

    I think the problem here is DNS suffix, you have to either manually set the dns-suffix on the clients or, if you can, add it on the Sonicwall.

  10. SloppyGoat says:

    I was having this problem with our SBS. Since we’re connected to our ISP through a Cisco modem/router, I just assigned a static IP to both NIC’s. The error hasn’t shown up again yet. Are you trying to tell me a DHCP router could try to fight with the server to assign addresses? I’m sort of new to SBS, so don’t laugh at me if I don’t understand everything yet. Hehe

  11. jcs says:

    I am getting similar but not exact errors mentioned here and none of the fixes corrects the problem. Client wkstns still get intermittent "Page cannot be displayed" errors when browsing. Pressing refresh several times will eventually display the website–happens with several websites, not just one or two.

    Also, when I ping yahoo.com from the SBS2003 server I get Ping request could not find host yahoo.com. Yet if I try again in a minute or so, it works.

    Any ideas? Thanks in advance.

  12. jcs says:

    I am getting similar but not exact errors mentioned here and none of the fixes corrects the problem. Client wkstns still get intermittent "Page cannot be displayed" errors when browsing. Clicking refresh several times will eventually display the website–happens with several websites, not just one or two.

    Also, when I ping yahoo.com from the SBS2003 server I get Ping request could not find host yahoo.com. Yet if I try again in a minute or so, it works.

    Any ideas? Thanks in advance.

  13. eric says:

    I tried this one, it works. Thanks

    I found this solution to be the best for 2003 and SBS 2003. Make this addition to the registry on the server:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

    and add this name/value pair:

    EnableEDNSProbes DWORD 0x0

    and stop and restart your DNS service

  14. steveb says:

    Cool! Was having a problem on our new SBS2003 Std server. We use an IPCop firewall, and with the DNS forwarder on the SBS machine set as the firewall’s internal IP, it would timeout when trying to resolve windowsupdate.microsoft.com and download.microsoft.com…this caused us enough headache with the SUS server failing to update because of timeouts…this fix fixed it 🙂 looking at the registry after using the dnscmd command, the change looks permanent…?

    thanks!

    steveb

  15. LesaH says:

    I was also having browsing issues with a recent customer install. Some web pages wouldn’t display graphics, others wouldn’t display at all. In addition to all that, the Trend OfficeScan software wouldn’t update. It would contact the update server then error out. The strangest thing of all was that the ScanMail part of Trend was working like a champ.

    I ended up calling Microsoft for a fix and they used KB832223 to fix the issue.

    Now if I can just get Quickbooks to work a little faster the customer will be happy campers!

    L

  16. Travis says:

    For Tonio and MikeD having CNAME issues you might want to check out

    http://support.microsoft.com/?kbid=873430

    KB article 873430. I had several timeout issues using forwarders and had much better results using root hints instead, but then had the cname issues. The hotfix described in this article fixed the problem with the cname issues.

    just fyi

  17. JWA says:

    We’re having the identical problem as the poster named "JCS" in the comments above. Is there any more info on that?

    Thanks…

  18. Martin says:

    I am having problems with the JCS type error – once IE is refreshed a few times the page displays – more info would indeed be appreciated on this error!

  19. Jerry says:

    I’m having similar intermittent timeout issues. We have two forwarders configured on SBS 2003 SP1, and I’ve tried the enableednsprobes fix with no luck. When I turned on debug logging, I noticed that the second forwarder in my list is never tried before reporting a DNS error.

    Any ideas?

  20. VSolutions says:

    I was having DNS issues with my client, I put in a forward to only one (1) of the ISP’s dns servers and everything is acting accordingly. I have them set up on a PIX 501, SBS 2003, and DHCP via SBS 2003. In the DHCP scope I am also issuing out the ISP’s DNS IP as a secondary DNS server for their TCP/IP settings so that if it doesn’t hop to the internet on the server then it should access the internet directly. The DNS server is only 2 hops away so having security problems at this level shouldn’t be too risky, I dunno though it just seems to be like everyone says there really is no right answer here just to find whatever works and seems to prove secure (no attacks). If the DNS was having problems due to attacks I would pull the forward and try this registry change in a heartbeat anyway hope this good VAR info….