locked
DNS not working after SP1 upgrade RRS feed

  • Question

  • Hey All,

      I've been running DA on a limited use basis for several months.  When SP1 came out, I installed it, and regenerated the GPOs.  Everything seemed fine.

    This week, I was looking at enabling DCA.  I began to look at the GPOs and found they were all duplicated!  I determined one set of the three was from the original install, and the other set from SP1.  So, I determined which was which, byt using the modified date.  I removed the old GPOs.  Now, once the new ones were applied (without the old) DNS does not work.

    Teredo and IP HTTPS both connect without a problem.  I can ping all hosts by IP, but DNS refuses to work. 

    When I look at netsh namespace show effectivepolicy,  it's all correct!

    Confusing! Thanks for the input.


    Friday, March 18, 2011 3:00 AM

Answers

  • Hi Jason,

    there should be only one set of policies, so I suggest you remove all policies, and run the policy generation again, and observe the results. Assuming both client and server get the appropriate policies applied to them (and not being denied), then I see no reason for DA to not work. If it still doesn't, you may have no choice but to open a support case with Microsoft, so we can examine additional parameters that can't be explored via the forum.


    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Tuesday, May 10, 2011 10:15 PM
    Tuesday, May 10, 2011 10:15 PM

All replies

  • Is the DNS64 service running?

    http://blog.msedge.org.uk/2010/12/microsoft-forefront-uag-dns64-service.html

    Did the old GPO do anything apart from DCA 1.0 settings?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, March 18, 2011 2:28 PM
  • Let me clarify that =)

     

    I didn't mess with the GPOs *at all* (as in change).  I only started to look at them when I realized they were duplicated.

    Seeing them duplicated prompted me to remove the oldest modified copy.

     

    I checked the DNS64 service.  Unfortunately, mind is set to Automatic and running! 

    Thanks for your reply!

     

     

    Friday, March 18, 2011 8:36 PM
  • Hi Jason,

    there should be only one set of policies, so I suggest you remove all policies, and run the policy generation again, and observe the results. Assuming both client and server get the appropriate policies applied to them (and not being denied), then I see no reason for DA to not work. If it still doesn't, you may have no choice but to open a support case with Microsoft, so we can examine additional parameters that can't be explored via the forum.


    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Tuesday, May 10, 2011 10:15 PM
    Tuesday, May 10, 2011 10:15 PM