The only reason they were "unexpected" is because I didn't recognize the IPs. Once I compared them to the Root Hint IPs, it made sense. I hadn't configured our ISP's DNS server as the forwarding server on that one, since it wasn't "supposed" to be acting as a forwarder. So, that makes sense why it contacted the Root Hint servers instead. Thanks, the more I explain the symptoms, the more it makes sense to me. I'm thinking it is more of a replication problem now, where settings from the PDC DNS server are not making it to that one server, thus screwing up the ISA server's name resolution, and slowing everything down. -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Monday, February 28, 2005 09:22 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Interesting problem... http://www.ISAserver.org Hi Dan, Actually, it does. ISA doesn't care how you've built your LAN. What it does care about is that if a host wants to cross its boundaries, the ISA policies allow it. Using the root servers isn't unexpected if your LAN DNS servers aren't "root" themselves. If the PDC is also your primary LAN DNS server and it needs to perform root lookups, then it also needs to be part of the DNS access policy. Another way to get around this is to install a caching DNS server on the ISA itself and let the LAN DNS servers forward to it.