Windows Server Forum / Windows Server 2003 / DNS / July 2005


Help with DNS after sp1

AMDIRT - 28 Jul 2005 14:41 GMT
I have two networks, an AD native network and an NT 4.0 network.  I use ICS
on my W2k3 DC to route all traffic outside of the building.

This past weekend, I applied SP1 to my DC.  Once that was complete, none of
the AD workstations were able to route out by name.  The NT 4.0 machines were
working fine.

In an effort to resolve my AD issues:

I uninstalled SP1, disabled ICS, and disabled the Windows Firewall
I reinstalled SP1, configured RRAS for LAN routing using NAT.

Again, the only machines that were able to route, by name, through to the
Internet were the NT 4.0 boxes.  So then I started exploring other options
within RRAS.  

It seemed to me that DNS was just not working properly for the AD managed
machines.  I was able to ping public IP Addresses, but I was unable to
resolve a single name.  I have DNS logging turned on and I am logging errors
and warnings.  Nothing is showing up in the event logs.

While monitoring RRAS, I can see where the NT 4.0 machines attempt to access
outside the environment.  I do not see any requests from any of the
workstations, or the DC server on any of the mappings.

Out of frustration, I have:

Disabled RRAS
Uninstalled SP1
Configured ICS

I am still unable to route, by name.  I changed the DNS pointers (to my ISP
DNS servers) on all the NICs and am able to route from the NT 4.0 boxes and
W2k3 servers.  I am not able to route, by name, from the WinXP boxes (even
after specifying IP, DNS, and gateway manually).

I will be moving to a router in the future, why I haven’t done so already is
beyond me.  I do not believe that the router will solve my issues anyway.  I
can route outside, by number, from all workstations.  DNS is required by AD
to function properly, so I will have to go back to local DNS at some point to
avoid flooding my event log at minimum.  

What am I missing?  Anyone have a pointer to share?

Configuration

Two domains (AD Native, and NT 4.0) with a trust configured.

AD Domain

Domain ABC
Win 2k3 Server – DNS, ICS, DC
    DNS Forwarders are still my ISP DNS servers.
Win 2k3 Server – DHCP server
    DHCP specifies leases to use the DC for the gateway, the DC for DNS
Win 2k3 Server – Web server

3 WinXP workstations using DHCP

Domain ZXY
Win NT 4.0 server – PDC, Exchange 5.5
    Email is flowing freely both ways.
Win NT 4.0 server – BDC

Thank you,
Ace Fekay [MVP] - 28 Jul 2005 16:36 GMT
> I have two networks, an AD native network and an NT 4.0 network.  I
> use ICS on my W2k3 DC to route all traffic outside of the building.
[quoted text clipped - 63 lines]
>
> Thank you,

First, if you are using ICS on a DC, there's a HUGE conflict right there because
ICS reverts to using proxied DNS to the outside NIC's DNS, and creates a
mini DHCP scope that will conflict with your real DHCP server. You just
can't use ICS with AD.

RRAS with NAT is the way to go, but, and a big BUT here, you should not really
(actually some of us will say the word "never" when associated with this,
unless it's SBS) ever multihome a DC. This is due to the domain
service location registration records in DNS. The dual IPs cause major issues
and require additional administrative overhead to circumvent or alter a DC's
default behavior to force it to work with two NICs.

Honestly, to really reduce the headaches and not cut into your drinking time,
I would just go out and purchase an inexpensive Linksys, Netgear, or DLink
router that can handle the NAT services for you and let the DC be a DC. You
can even go one step farther and get a PIX. These are dedicated devices that
do a great job.

Here's a little background about AD and DNS:
AD uses DNS. DNS stores AD's resource and service locations in the form of
SRV records, hence how everything that is part of the domain will find
resources in the domain. If the ISP's DNS is configured in any of the
internal AD member machines' IP properties, (including all client machines
and DCs), the machines will be asking the ISP's DNS "where is the domain
controller for my domain?", whenever it needs to perform a function, (such
as a logon request, replication request, querying and applying GPOs, etc).
Unfortunately, the ISP's DNS does not have that info and they reply with an
"I dunno", and things just fail.
So you cannot use your ISP's DNS addresses anymore in your client or any
other machines. You cannot use your router as a DNS or DHCP server either.
If you are using your NT4 as a DNS server, that all needs to be changed over
to Win2003 DNS. Same with DHCP. NT4 DNS cannot support AD's SRV requirements
and dynamic updates.
If your current scenario is using your NT4 DNS, your ISP's DNS or your
router's DNS, it is strongly suggested and recommended to only use the
internal DNS servers on the network that is hosting the AD zone name. This
applies to all machines, (DCs and clients). Believe me, Internet resolution
will still work with the use of the Root hints (as long as the root zone
doesn't exist).
However, for more efficient Internet resolution, it's HIGHLY recommended to
configure a forwarder. If the forwarding option is grayed out, delete the
Root zone (looks like a period). If not sure how to perform these two tasks,
please follow one of the two articles listed below, depending on your
operating system. They show a step by step on how to perform these tasks:

Here's a snippet from a previous post I made about multihomed DCs and how to
*make* it work. Believe me, it's much easier to just get a separate NAT
device or multihome a non-DC than having to alter the DC. - Good luck!

++++++++++++++++++++
This DC is multi-homed; multi-homing a DC requires
additional configuration to prevent the public interface addresses from
being registered in DNS. This creates a problem for locating the Global
Catalog, file sharing and the SYSVOL DFS share and can cause userenv 1000
events to be logged, authenticating to shares and printers, logging on takes
forever, among numerous other issues.

Here are the manual steps to follow:

1. In the DNS management console, on the properties of the DNS server,
interfaces tab, set DNS to only listen on the private IP you want in DNS for
the server.

2. Add this registry entry with regedt32 to stop the (same as parent folder)
records.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Then create this registry value choosing REG_MULTI_SZ as the data type:

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

(and in the box, you would type in):

LdapIpAddress
GcIpAddress

3. Create a new host in DNS, leave the name field blank, give it the IP of
the internal interface. Windows 2k barks at you saying (same as parent
folder) is not a valid host name, click OK to create the record anyway.
Windows 2003 won't bark.

4. Right click on Network places, choose properties, in the Advanced menu
item select Advanced settings. Make sure the internal interface is at the top
of the connections pane and File sharing is enabled on the internal interface.

5. And in addition to the (same as parent folder) record in the domain zone
for the domain name, expand _msdcs, open gc, create new host with name field
blank and give it the IP of the internal interface. This resolves as
gc._msdcs.forestroot.

6. On the outer NIC, disable File and Print Services, Microsoft Client
Service, then go into IP properties, click on Advanced, choose the WINS tab
and disable NetBIOS.

7. On the outer NIC, only put in the internal IP address of the DNS server
(this machine).

8. If you haven't done so, configure a forwarder.

You can configure these DNS addresses as a Forwarder for your local DNS
server as per this KB article for Win2000:
300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202&FR=1

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
(How to configure a forwarder):
http://support.microsoft.com/d/id?=323380

Some additional reading:
825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003 (including how-to configure a forwarder):
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

291382 - Frequently asked questions about Windows 2000 DNS and Windows
Server 2003 DNS
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
_________________________

Signature

Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
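As an added example (not part of Ace's post, and not Microsoft's own script), the command-line form of the manual steps above: steps 1, 2, 3, 5, 7 and 8 scripted with the dnscmd, netsh, reg and nltest tools that ship with Windows Server 2003, followed by a check that only the internal address is published for the domain. Steps 4 and 6 are GUI-only binding and NetBIOS settings and are left out. The addresses, the domain name abc.local, the connection name "External" and the assumption that _msdcs is a subdomain of the domain zone are placeholders chosen for the example, not values from the thread.

```powershell
# Added example, not from the thread: scripts the multihomed-DC steps
# (1, 2, 3, 5, 7, 8) and then verifies the DC locator records.
# Placeholder values (assumptions, not from the thread):
$InternalIp    = '192.168.1.10'     # private NIC address that must be in DNS
$PublicIp      = '198.51.100.7'     # outer NIC address that must NOT be in DNS
$OuterNic      = 'External'         # connection name of the outer NIC
$DomainFqdn    = 'abc.local'        # AD DNS zone hosted on this DC
$IspForwarders = @('203.0.113.53', '203.0.113.54')

# Step 1: make the DNS service listen only on the private address.
dnscmd /ResetListenAddresses $InternalIp

# Step 2: Netlogon must not register the zone-root "(same as parent folder)"
# A records for LDAP and GC, otherwise the public IP ends up in the zone.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $netlogon -Name 'DnsAvoidRegisterRecords' `
    -PropertyType MultiString -Value @('LdapIpAddress', 'GcIpAddress') -Force | Out-Null

# Steps 3 and 5: create those two records by hand, pinned to the internal IP.
# '@' is dnscmd's name for the zone root (the blank name in the DNS console).
# Assumes _msdcs is a subdomain of the domain zone; if it is a separate zone
# on your server, use the zone "_msdcs.$DomainFqdn" with node name 'gc' instead.
dnscmd /RecordAdd $DomainFqdn '@' A $InternalIp
dnscmd /RecordAdd $DomainFqdn 'gc._msdcs' A $InternalIp

# Step 7: the outer NIC resolves through this DC's internal address only.
netsh interface ip set dns name="$OuterNic" source=static addr=$InternalIp

# Step 8: forward Internet lookups to the ISP resolvers. /ResetForwarders
# replaces the whole list, so every forwarder is passed in one call.
dnscmd /ResetForwarders $IspForwarders

# Ask Netlogon to re-register, then verify what clients will actually see:
# the DC locator SRV record must resolve to the internal address only.
nltest /dsregdns
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainFqdn" $InternalIp 2>&1
if ($srv -match [regex]::Escape($PublicIp)) {
    Write-Warning "Public address $PublicIp is still published for $DomainFqdn"
} elseif ($srv -match [regex]::Escape($InternalIp)) {
    Write-Host "OK: DC locator records point at $InternalIp only"
} else {
    Write-Warning "No DC locator record returned; check the zone and Netlogon"
}
```

Run it from an elevated prompt on the DC itself. The final check is the one worth keeping around: if the public address ever reappears in the SRV answer, the registry value or the listen-address setting has been lost, and the logon and GPO symptoms described above will come back.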

Sharad Naik - 28 Jul 2005 16:45 GMT
Hello,

When I applied SP1 about a week ago I faced some strange problems, which got
solved by restarting the win2003 server "3" times.  (some problems solved
after 1st restart, some after 2nd and finally all after 3rd.).
Just telling my experience, but in your case it seems the DNS isn't working
even after uninstalling SP1.

Irrespective of whether ICS or NAT is enabled or not, the client should be
able to resolve external queries; whether they can access external sites or
not is a different matter.

First point the clients (and AD server itself) to the AD server internal
IP for DNS.
Then run nslookup on one of the XP (AD managed) machines. First check
whether the nslookup lands on your AD server as default domain or not.
If it does, with setting option D2, run an external query and post unedited
log.
If it doesn't, inform to which DNS default server the nslookup lands on.

Sharad

>I have two networks, an AD native network and an NT 4.0 network.  I use ICS
> on my W2k3 DC to route all traffic outside of the building.
[quoted text clipped - 71 lines]
>
> Thank you,
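As an added example (not part of Sharad's post), the three checks he describes, run from one of the AD-joined XP clients: which resolver the client is configured with, whether nslookup lands on the AD server as its default server, and an external query with the d2 option written to a file as the unedited log to post. The DC address, the domain name abc.local and the external test name are placeholders for the example, not values from the thread.

```powershell
# Added example, not from the thread: client-side nslookup diagnostic.
# Placeholder values (assumptions, not from the thread):
$ExpectedDns  = '192.168.1.10'       # internal IP of the AD DNS server (the DC)
$DomainFqdn   = 'abc.local'
$ExternalName = 'www.example.com'    # any name outside the AD zone
$LogPath      = Join-Path $env:TEMP 'nslookup-d2.txt'

# Check 1: the client's configured resolver. On an XP-era client the first
# "DNS Servers" line of ipconfig /all is the primary (IPv4 only, so splitting
# on the colon is safe; IPv6 addresses would need a different parse).
$dnsLine = ipconfig /all | Where-Object { $_ -match 'DNS Servers' } | Select-Object -First 1
if ($dnsLine) {
    $primary = ($dnsLine -split ':')[-1].Trim()
    if ($primary -ne $ExpectedDns) {
        Write-Warning "Primary DNS is $primary, not the AD server $ExpectedDns; fix that first"
    }
} else {
    Write-Warning 'No DNS server configured on this client'
}

# Check 2: does nslookup land on the AD server as its default server?
# The first two lines of any nslookup run are "Server:" and "Address:".
$probe = nslookup $DomainFqdn 2>&1
if (-not ($probe -match "Address:\s+$([regex]::Escape($ExpectedDns))")) {
    Write-Warning "nslookup's default server is not $ExpectedDns; it reported:"
    $probe | Select-Object -First 2
}

# Check 3: the external query with d2 (full debug output), logged unedited
# so it can be posted. The DC is named explicitly so the log shows the DC's
# behaviour even when the client's resolver setting is wrong.
nslookup -d2 $ExternalName $ExpectedDns 2>&1 | Out-File -FilePath $LogPath
$log = Get-Content $LogPath
if ($log -match '^\*\*\*') {
    # nslookup prefixes failures with ***, e.g. "*** ... can't find ...: Server failed"
    Write-Warning "External lookup failed; the DC is not resolving Internet names. Log: $LogPath"
} elseif ($log -match '^Name:\s') {
    Write-Host "External lookup via $ExpectedDns succeeded. Log: $LogPath"
}
```

The d2 log is the useful artifact: it records the question sent, the flags and the answer or error returned by the DC, which is exactly what separates "the client cannot reach the DC" from "the DC cannot forward to the Internet".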
 
©2010 Advenet LLC   Privacy Policy - Terms of Use