Solved

DNS on SBS issue?

Posted on 2006-04-21
33
Medium Priority
747 Views
Last Modified: 2012-05-05
I have a MS Small Business Server setup with standard best practices for a 2 NIC system.  Nothing fancy, and almost everything is working fine.

The network uses a Linksys SRW2016 switch and a RV016 router.

PCs connecting to the network access internal and external HTTP/HTTPS traffic just fine but something is blocking all FTP and all external http://mail.domainname.com requests from going out.

I turned off my router’s firewall, but that wasn’t the problem, it’s got to be something in SBS.  I’m not running ISA server on it.

It’s nothing on the PC configuration either.  A mobile PC can access these services just fine, but as soon as it connects to the MS VPN and gets an IP from the SBS server, it loses these connections.

Is it DNS or some sort of SBS firewall?  
I know NOTHING about MS DNS, so if that’s the problem, please be specific.

This probably isn’t a really tough question but walking me through it may be so I posted it with high points!

Thanks.
0
Question by:Webtologist
31 Comments
 
LVL 4

Expert Comment

by:mattridings
ID: 16511658
Could you clarify one thing for me first, you've got me confused about which direction of traffic we are talking about here.

You said something is blocking all ftp and mail.xxxxx.xxx traffic from going *out*, but then describe a machine losing these connections as soon as it gets an IP from SBS over vpn.  Which would seem like a vpn *inbound* connection to me? (unless you are forcing clients to connect via vpn on lan due to wireless security or something?).  I understand that they could be connecting via vpn from the outside then sending traffic back out to the internet, I just need to know where the traffic connections are sourcing from to narrow down the possible problem.

Matt Ridings
MSR Consulting
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16511874
Can you please post an IPCONFIG /ALL from both the server and a sample workstation?

Thanks.

Jeff
TechSoEasy
0
 
LVL 5

Expert Comment

by:mickinoz2005
ID: 16512260
By default you will not be able to access mail.yourdomain.com from internally; you would have to add an entry to your DNS called mail. So you would create a new record in your DNS and call it mail; that way, when you type mail.yourdomain.com, DNS will resolve it.

When you are internal your server just sees yourdomain.com as your internal Active Directory domain. Another way to get to that mail.domain.com is just to type

https://mainservername/exchange (for example), that is if you are looking to get to web Outlook or something like that.

Michael
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16513398
Clarification

The mail.domain.com addresses that cannot be accessed are working public servers that have nothing to do with my network.  Same with the FTP addresses.

The VPN or local scenario is not the issue.  I simply did a bad job explaining it.

Basically, what I was trying to say is that any system pointing to the SBS server for DNS and DHCP cannot access any public mail.something addresses or any FTP addresses. This goes for systems remotely connecting through RWW’s VPN utility or systems directly connected on the network.  

I hope this clarifies it, please let me know if you need more information.

0
 
LVL 1

Author Comment

by:Webtologist
ID: 16513435

SERVER (company name changed)

Windows IP Configuration

   Host Name . . . . . . . . . . . . : lacerta
   Primary Dns Suffix  . . . . . . . : COMPANYNAME.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : COMPANYNAME.local

Ethernet adapter Internal NIC:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-18-22-57-0A-C2
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   Primary WINS Server . . . . . . . : 192.168.16.2

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-17-55-66
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.19
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter External NIC:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-14-86-18-0A-C3
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.100.156
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.100.155
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.7
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   NetBIOS over Tcpip. . . . . . . . : Disabled
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16513440
Here's a VPN Connected machine (the one I'm using now).  This is the best I can do at the moment.  

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Polaris
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : COMPANYNAME.local

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-C0-9F-F7-FA-31

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : attbi.com
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network Connection
        Physical Address. . . . . . . . . : 00-0E-35-C3-82-5E
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.110
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.100.7
                                            192.168.100.8
                                            68.87.72.130
        Lease Obtained. . . . . . . . . . : Friday, April 21, 2006 10:22:06 PM
        Lease Expires . . . . . . . . . . : Saturday, April 22, 2006 10:22:06 PM


PPP adapter Connect to Small Business Server:

        Connection-specific DNS Suffix  . : COMPANYNAME.local
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.16
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.16.16
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16513447

Michael - Again, sorry for the bad explanation.
The mail.domain.com addresses that cannot be accessed are working public servers that have nothing to do with my network.  Same with the FTP addresses.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16513526
Actually, I was looking for an IPCONFIG from an internal workstation, but this is a good start...

Why do you have TWO private IP addresses on your External NIC?  192.168.100.155 and 192.168.100.156?  This will certainly be a problem.

Also, it looks like you've manually entered a couple of DNS servers on your VPN connected laptop --- 192.168.100.7 and 192.168.100.8?  This will also cause a problem because it's not allowing the connection to go through to the internal side of the server.

One way that you can see what is going on is to enable logging on the Small Business Server Connection client.  Click the Properties... button on it and you'll find logging on the OPTION tab.

Also, I just realized you said you have a SRW2016 switch.  Is this on the Internal NIC of the SBS?  If it's not isolated to the internal side, and you've got both NICs plugged into it, then I'd suspect a configuration problem with the switch.  Any reason you went with a managed switch?  I tend to stay away from them for SBS networks... just for simplicity's sake.

Jeff
TechSoEasy

0
 
LVL 4

Expert Comment

by:mattridings
ID: 16514873
Are you using the "Connect To Small Business Server" automatically configured VPN connection on your client or one that you made yourself using the "New Connection Wizard"?  

If the former I would recommend making your own vpn connection using the wizard.  Then go into your new VPN connection, and uncheck the "Use default gateway on remote network" under the properties/advanced tab.  I don't believe this option is available on the automatically configured vpn connection (which is why we usually don't use it).

You should then be able to use the external ftp and mail clients.  My guess is that there is something blocking those outbound connections from within your LAN.  If this works you can leave it that way and use that connection, but you may still want to find what is blocking those connections from inside your lan....

Matt Ridings
MSR Consulting
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16516433
I believe that to be true as well... and think that the Switch is what's causing the block.  SBS's VPN client doesn't have that option to not use the remote network gateway... but not using it will cause other problems like not being able to resolve network resources.

So the best thing to do would be to find out what's blocking the ftp and mail traffic and fix it.

Jeff
TechSoEasy
0
 
LVL 4

Expert Comment

by:mattridings
ID: 16516760
It won't stop his access to his LAN resources at all (unless something has changed in the world of networking and someone forgot to let me in on the secret)... it just won't route packets through his remote network back out to the internet... which is why we disable it on all our VPN connections anyway (waste of traffic).

Matt Ridings
MSR Consulting
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16527592
Here’s the IPCONFIG from a directly connected workstation:

C:\Documents and Settings\Ludwig>ipconfig -all

        Host Name . . . . . . . . . . . . : FORNAX
        Primary Dns Suffix  . . . . . . . : COMPANYNAME.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : COMPANYNAME.local
                                            COMPANYNAME.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : COMPANYNAME.local
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-0F-EA-33-21-BA
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.16.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.16.2
        DHCP Server . . . . . . . . . . . : 192.168.16.2
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.100.155
        Lease Obtained. . . . . . . . . . : Thursday, April 20, 2006 2:14:17 PM
        Lease Expires . . . . . . . . . . : Friday, April 28, 2006 2:14:17 PM
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16527848
JEFF’s QUESTIONS
----------------------------------------------------
2 addresses on the NIC: I can get rid of one, but we’re trying to do something here that I’ll save for another question.  I don’t think it’s the problem but I’ll remove it if you really think I need to.

The 100.7 and 100.8 DNS shouldn’t be the problem either for 2 reasons: 1. the local connected systems have the same problem, and 2. this is the local LAN config that the VPN connected machine uses.  I can say with some certainty that the SBS VPN overrides this. When connected I am clearly using the SBS DNS.

I have logging on for the SBS VPN; nothing shows when these errors occur.

The external NIC is connected to the RV016 (VPN Router/Firewall), the internal one is plugged into the switch which is also what the PCs plug into.  The switch is “managed” by necessity. I really haven’t set much of anything up on it.  I simply purchased it because the SOHO switches don’t install in racks, no front mounted ports, and they tend to overheat and fail under heavy use when stacked.


MATTS QUESTIONS
----------------------------------------------------
I’m using the default.  After setting up a working network, the users download the connection tool and run it.  That’s it.  I do not setup “computers” for the users, just user IDs.


MORE INFO
----------------------------------------------------
I’m not sure what you guys are saying about: "find out what's blocking the ftp and mail traffic and fix it."

That’s exactly what my question is; I have no idea.

FTP for instance makes a connection, then times out after prompting for user name and password.  Mail.something.com addresses simply don’t connect: “page not found”.  

All other HTTP, HTTPS, connections work.  Exchange works, SharePoint, and all external web sites work fine. All RWW features work fine.
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16528059
More clarification:
Everything on this network runs well. ZERO errors in the server logs.  
I need to make some DNS changes to Exchange, because some remote mail systems fail to send to me because of some reverse lookup issues, but for the most part everything is fine.

The two types of failures give errors that blame the remote system, for example:
“page not found” and the mail.something addresses, or “operation timed out” on FTP.  

The solution here is probably going to be something minor. Not a major configuration issue.  Unfortunately, because this is a production system, I’m extremely hesitant to change things that may disable working systems.  I’m a web developer not a systems admin so I’m not too confident in messing around.  

Does SBS have any security built in?  Other than the router/firewall and SBS DNS, I can’t think of anything else that would cause this.  The more I think about it the more this seems to be a security issue.  It seems to me like the kind of user restrictions you see on corporate networks, no errors, just blocking.  I think I missed something during setup of the router or SBS network and enabled some “feature” that I want off.

My statements about the VPN connected machines seem to have caused some confusion. Simply put, these FTP/mail services work fine, then become disabled when users connect to SBS. So something about routing the traffic through the network is the problem, not the machine itself.  This is important to troubleshooting (at least from my point of view) because it proves that the problems have nothing to do with the client machines.
0
 
LVL 4

Expert Comment

by:mattridings
ID: 16528454
Jeff and I both understand pretty well what the issue is.  So don't worry too much about trying to clarify at this point.

You're right in that the problem is not with the client machines, or your server as far as I can tell.  It's most likely just a couple of network ports being blocked by a piece of hardware/software at your network edge.  Typically the router would be the culprit.  The only slightly mysterious piece to this story is the http://mail.xxxxxx.com stuff being blocked.  I'd imagine it's much more likely that it just so happens that the mail.xxx.com address that's been attempted to get to happens to be blocked... not *all* mail.xxxx.com type addresses.  That just wouldn't make any sense.

I'm assuming you can log in to the router?  If so let me know and we can manually make sure all the necessary ports, etc. are setup and routed properly.  It's possible that they were manually configured originally and some were left out or entered incorrectly, or that UPnP is enabled on it to be configured automatically by SBS but it's not working 100% right.  If you've got full access to it I'll just draw a visual representation of all the elements on the network and post it up to the web for you.

In regards to my earlier statement with the VPN client, I'm a big believer in getting the users working *now* if possible while I continue to figure out what the issue is/was.  If you have them create a new VPN network connection (very simple actually in XP, sounds more difficult than it is) and uncheck the 'Use Default Gateway on remote network' they will be working immediately while we continue to figure out the port issue.

Matt Ridings
MSR Consulting
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16530384
Well, in looking at the IPCONFIG from the workstation, I'm wondering how it's getting a WINS server IP of 192.168.100.155.  I would suspect it has something to do with this secondary IP address on your external router that you say has nothing to do with the issue... but I believe that it has everything to do with the issue.

If you want to see the recommended configuration for an SBS with two nics, please see http://sbsurl.com/twonics.

With Small Business Server, it's VERY important to configure the server to the best practices model at first, to make sure everything works correctly.  Then, if you have some unique situation that you want to alter the base configuration, do it AFTER you've got the core services running so you will know what is causing problems.

Jeff
TechSoEasy
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16530392
To recap... please remove the extra IP from the external NIC.  Then, make sure the binding order is correct by opening Network Connections > Advanced > Advanced Settings... and make sure that your Local Area Connection (Internal NIC) is FIRST.

Then, rerun the Configure Email and Internet Connection Wizard (CEICW), followed by rerunning the Configure Remote Access Wizard.  You must then download a new VPN client to the machines.

You can repost the IPCONFIGs after you've done that if things still don't work.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16530762
MATT
------------------------------------------------

I only setup a few things on the router.

1. I have 5 public IP addresses.  One IP is linked to an internal server not on the SBS network via port forwarding with 3 specific services. That server has the same 192.168.100.xxx scheme as the external NICs on the SBS server.
2. Two other public IPs are linked to the SBS server through “one-to-one NAT”: the (private range of) 155 and 156 to the public range of xxx.

That’s about it.  At least for major stuff. DHCP is off, the firewall is on with all defaults.

I’ll try to verify the mail.xxx.com issue tomorrow; I’ll try a larger variety and see if the issue is consistent.

JEFF
------------------------------------------------

The server was set up properly to your specifications (you actually helped me through it, thanks again!)

The WINS is wrong, I’ll look into this, I’m not sure why it’s happening.  

The reason I added a second IP was to separate services between a publicly hosted name server.  For instance having Outlook web mail as one DNS name, and Sharepoint under another domain.  

I understand you want to make sure best practices are followed, but the 156 address was added later, after the network had been set up and was working fine (per your instructions).  At least I thought it was working fine.  These errors took a while to come up since during the network transition there were a lot of non-SBS systems for work-arounds.

Nothing is bound to 156 and it was not part of SBS setup.

Anyways, I removed the second IP, it does absolutely nothing.
I did not re-run CEICW, yet because it’s a lot of work to re-do every PC.  
I can do this, but I’m about 99% sure this isn’t the problem.  It was added afterwards.


0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16530808
You don't need to have a separate IP address to have separate DNS names for Outlook and Sharepoint.  You just need to add host headers to the IIS manager's web site properties.  Adding additional IPs like this is problematic and is what's causing a VPN "misconfiguration" when you connect.

Removing the second IP and NOT rerunning the CEICW won't accomplish much.  What are you talking about regarding re-doing every PC though????  You shouldn't have to touch any of the PC's.

Jeff
TechSoEasy
0
 
LVL 4

Expert Comment

by:mattridings
ID: 16531673
Webtologist,

Couple of things I also noticed.  For some reason the network connection on the remote workstation that you posted the ipconfig from (not the vpn connection, the actual wireless network settings) is showing its first two main DNS servers as 192.168.100.7 and 192.168.100.8?  Neither of which should work at all for that workstation when not connected via vpn, and should be causing you issues when you *are* connected via vpn as at least one of those addresses exists as your *external* dmz network on the sbs server.

Are you not noticing rather slow internet browsing from that machine when not connected via vpn?  Right now it should be having to timeout twice on every dns lookup before reaching a valid dns server (by default this would add about 4-6 seconds per lookup.)

Secondly, in some instances you are using port redirection while in others you are using 1-to-1 NAT.  Both of which are fine but you need to ensure that you aren't overlapping one set of rules with another in the router configuration.  Typically port redirection will override 1:1 NAT but it can vary by manufacturer.  In these types of situations I would recommend completely opening up the SBS server via either a DMZ host setting or a 1:1 NAT mapping between the server and an external IP address to ensure everything works that way, then begin locking down the router/server step by step at that point.

Regardless of any of the above though, can you just *confirm* for us whether or not a machine sitting on the local LAN has these same issues that you are describing, or is this just peculiar to a VPN connected machine?  If the latter, have you confirmed that it is occurring on all VPN connections and not just the one listed above with the ipconfig?

The reason I ask is that we are working off of the assumption at the moment that this is a router configuration issue.  If that's true though, in most cases you would see the same issues with a LAN machine... not just a VPN connection.  After seeing the misconfiguration in the remote machine's settings though I need to ensure that we aren't just exploring a single machine's problems vs. all machines.

Matt Ridings
MSR Consulting


0
 
LVL 1

Author Comment

by:Webtologist
ID: 16535796
I’ll take a look at the VPN connection machine, I’m not sure why that’s coming up the way it is.  I have not noticed any problems, but something is screwy. The PC is a laptop used at work and at home; the 1.1xx addresses are coming from a home router with wireless AP, but the DNS servers are the office switch and router and should not be there.

The port redirect / NAT situation is something I don’t really understand. I can say that they are both working because the IPs for each are different.  I had trouble using SBS on the port forwarding, that’s why it ended up the way it did.

I was going to use the DMZ port for a public web server, I’d prefer not putting SBS on it.  Wouldn’t that cut it off from the PCs on the Switch?

*confirm* all:
This one is LAN connected, most PCs are using VPN, but I’ll check a couple more local ones.

        Host Name . . . . . . . . . . . . : FORNAX
        Primary Dns Suffix  . . . . . . . : COMPANYNAME.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : COMPANYNAME.local
                                            COMPANYNAME.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : COMPANYNAME.local
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-0F-EA-33-21-BA
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.16.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.16.2
        DHCP Server . . . . . . . . . . . : 192.168.16.2
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.100.155
        Lease Obtained. . . . . . . . . . : Thursday, April 20, 2006 2:14:17 PM
        Lease Expires . . . . . . . . . . : Friday, April 28, 2006 2:14:17 PM
0
 
LVL 4

Expert Comment

by:mattridings
ID: 16535861
The WINS server is wrong, but I think you already know that?  I assume they are getting that from your DHCP scope settings.

In regards to your DMZ settings.  If your router has a separate port for a DMZ then yeah, it probably is restricted from lan routing.  Some lower routers use the 'DMZ' moniker to mean that *all* traffic bound for the routers internet address are forwarded along to the specified 'dmz host' without any restrictions.  In that case the lan isn't restricted from that machine.  The bottom line is that I'd like to see all firewall based restrictions removed from the SBS server so that you can be sure that is your issue.  In other words open up all traffic to the sbs server (usually nat 1:1 is how you'd do it, or some routers call it a 'Virtual Server').  This would just be short term to test.  Easiest way while you are making changes is to make sure you are backing up the router configuration to files on your computer so that you can just upload that configuration back to the router when done testing.

Still waiting to hear if your lan computers are experiencing the same issues getting to ftp sites or not?  Also, please provide the type of ftp client you are using as I want to make sure it's not something simple like a ftp client settings (PASV) instead of the router before you start tearing the router settings apart.

Matt Ridings
MSR Consulting
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16535892
Per Matt, would it help to forget about the VPN machines and focus on the locally connected one to simplify troubleshooting?  To simplify things, perhaps just the FTP on a local machine should be resolved.  The only thing wrong with this config is the WINS, which I will change.  I can confirm that the same problems occur locally.

Troubleshooting idea:
Would it help if I setup a machine that bypasses the SBS server but goes through the router and check status there?  

As far as the mail.xxx.com issues, I think this might be something else.  We have some publicly hosted web mail servers, and all are inaccessible, but I’ve asked around and some who have personal web mail with a mail.xxx address have told me that they can access it. It seemed like all, but it might just be all accounts on one host. This isn’t exactly confirmed yet though.

JEFF
--------------------------------------
  I confused the CEICW with the VPN tool’s configuration file at first (ie: running on all machines).  Still, I’m a bit worried about screwing something else up on the network.  Is this procedure safe?  I just worry about running “wizards” when I don’t know what they are doing.  If the second IP is added AFTER configuration, it shouldn’t be affecting anything, don’t you think?  I don’t mean to question your advice; I just like to know what I’m doing a bit and this doesn’t make sense to me.
0
 
LVL 4

Expert Comment

by:mattridings
ID: 16536018
So yes, do the following first before moving the workstation outside onto the dmz network:

1. Correct WINS address in the DHCP scope to point to SBS internal NIC
2. Run ipconfig /release  ,  then ipconfig /renew from the local workstation we are going to test with.
3. Select a publicly accessible ftp site that we know is working, let's use ftp.microsoft.com
4. at command prompt ping that server and note that ip address returned by typing: "ping ftp.microsoft.com" (the ping will likely timeout as microsoft has icmp denied on that address, just get the ip address....should be something like 207.46.236.xxx)
5. still from command prompt type: "ftp ftp.microsoft.com"
6. if you connect type in the requested username: anonymous  password: (any email address)
7. If that worked type in "quit" to leave the ftp client and let me know.  If that didn't work then login to the SBS Server, and do the same series of steps from the command prompt and let me know if results are same or if it works.

Matt Ridings
MSR Consulting

0
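Matt's steps above exercise FTP from the Windows command line, and that client only ever uses active mode, so a successful `ftp ftp.microsoft.com` says nothing about passive transfers (and vice versa). The symptom reported earlier in the thread, a login that succeeds and then times out, is the signature of the data connection failing rather than of DNS: USER/PASS travel on the control connection (TCP/21), while the directory listing needs a second connection whose endpoint is announced inside the protocol. The script below is an added example and is not code from this thread or from any of its participants. It decodes the two messages that carry that endpoint (the 227 reply in passive mode, the PORT command in active mode) and probes a server in both modes, reporting which phase failed. The host name comes from the command line; `ftp.example.com` is a placeholder, and the 227/PORT strings in the test are constructed.

```python
"""Separate FTP's control channel from its data channel when diagnosing a hang."""
import ftplib
import re
import sys
from typing import Dict, Tuple

# h1,h2,h3,h4,p1,p2 as carried by a 227 reply (passive) or a PORT command (active)
ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_endpoint(text: str) -> Tuple[str, int]:
    m = ENDPOINT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 endpoint in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {text!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Passive mode: the server says where the *client* must connect for data.

    If the NAT in front of the server does not rewrite this reply the client is
    handed a private address, and a firewall that only allows port 21 blocks
    the high port; either way USER/PASS succeed and the listing times out.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    return _decode_endpoint(reply)


def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Active mode: the client says where the *server* must connect back to.

    Behind NAT (the client's router, or RRAS NAT on a two-NIC SBS) the advertised
    address is private, so the server's connection never arrives unless the NAT
    device rewrites PORT.  Windows' command-line ftp client only uses this mode.
    """
    if not cmd.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _decode_endpoint(cmd)


def probe_ftp(host: str, passive: bool, timeout: float = 10.0) -> Dict[str, object]:
    """Log in anonymously and request a listing; record which phase failed."""
    result: Dict[str, object] = {"host": host, "passive": passive, "control": False,
                                 "login": False, "data": False, "error": None}
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, 21)        # control channel, TCP/21
        result["control"] = True
        ftp.login()                  # anonymous login, still on the control channel
        result["login"] = True
        ftp.set_pasv(passive)
        ftp.nlst()                   # first command that needs a data connection
        result["data"] = True
        ftp.quit()
    except (OSError, ftplib.Error) as exc:   # socket.timeout is an OSError subclass
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def failed_phase(result: Dict[str, object]) -> str:
    """Name the first phase that did not complete, or 'ok'."""
    for phase in ("control", "login", "data"):
        if not result[phase]:
            return phase
    return "ok"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.com"   # placeholder host
    for mode in (True, False):
        r = probe_ftp(target, passive=mode)
        print(f"{target} passive={mode}: {failed_phase(r)} {r['error'] or ''}".rstrip())
```

Run it against a site that fails and one that works (the thread later finds that some FTP sites work and others do not); if both modes fail at "data" behind the SBS but succeed from outside, the data channel is being dropped between the client and the edge, which is a NAT or filtering question for the router and RRAS rather than a DNS one.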
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16539788
The CEICW can be run as many times as you like.  The wizards are nothing more than GUI scripts.  When you first open the CEICW it tells you what it's going to do... on the last page, it tells you specifically what it's going to do.  If you want to see even more, then go to C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW and open the latest HTML file that's there, which will give you an overview of the settings that were done the last time it was run.

I have no idea whether "the second IP added after configuration" would make a difference... without knowing how you did it, etc... but I would be highly doubtful that it wouldn't make a difference.

You can't be leery of the wizards in SBS... it's the ONLY way you can configure some things... most things actually.

Jeff
TechSoEasy
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16539799
Also, the WINS server needs to be corrected on the NIC configuration, not the DHCP scope... the scope would be handled by the CEICW.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16566175
Matt and Jeff, thank you guys so much for the help.  Sorry for the delay responding.
I've been pulled off on other issues, but I will probably have time to test this stuff this weekend. I'll post my results soon.
0
 
LVL 1

Author Comment

by:Webtologist
ID: 16601010
Ok, this is driving me crazy now.

The problem is with a variety of FTP sites, but not all, Microsoft for instance works.
If you’ve got any ideas, let me know.  I don’t even know where to start.

One small idea: It might be an issue with password redirects.  For instance when a FTP server has just an IP address, then a user name and password is used to route to the correct directory. One server I have never been able to access from work but can access from any public computer is using Bullet Proof FTP.

Here’s another IP config, this one was taken after running CEICW:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Aries
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : NAME.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : NAME.local
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-0F-BA-22-88-BA
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.16.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.16.2
        DHCP Server . . . . . . . . . . . : 192.168.16.2
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2
        Lease Obtained. . . . . . . . . . : Friday, April 28, 2006 3:09:33 AM
        Lease Expires . . . . . . . . . . : Saturday, May 06, 2006 3:09:33 AM
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 1000 total points
ID: 16601213
Okay, here's what stands out as irregular to me.  If you had followed the default installation of SBS, your DHCP scope would have begun at 192.168.16.20.  Because the first 10 slots are removed from the scope and the next 10 are usually taken by the VPN.  If you didn't run the Configure Remote Access Wizard prior to adding workstations, then you could end up with 192.168.16.10 being assigned out by DHCP.

Also, above you said, "This one is LAN connected, most PCs are using VPN, but I'll check a couple more local ones".  Why are MOST PCs using VPN?  Are they not at the same location?  And how many PCs do you have in total on this network?

Also, you don't mention whether you've installed Service Pack 1 yet, have you?  If so, did you install all 5 components?

I'd like to explore your AD and  DNS config a bit to see if that's where you're off...

For AD, can you please confirm that you have NOT moved any object manually or created any object manually, and that all users are in MyBusiness\Users\SBSUsers and all computers are in MyBusiness\Computers\SBSComputers with the exception of the SBS which is in the DomainControllers OU?

Then, I'd like you to run a netdiag /l from the C:\ directory.  The /l flag will create a log file called netdiag.log in the C:\ root directory.  Please post the entire contents of that file.  NetDiag.exe is part of the Windows Server 2003 Support Tools which must be installed automatically from the original DISK 2.  If you did install Service Pack 1, then you will need to download the updated version: http://support.microsoft.com/kb/892777.

Jeff
TechSoEasy
0
 
LVL 4

Assisted Solution

by:mattridings
mattridings earned 1000 total points
ID: 16602497
Webtologist,

I still say it seems like the ftp client or server.  I just want to confirm again what ftp client are you using?  Are you *sure* you have PASV set on whatever ftp client you are using, even if it's just Internet Explorer?  And finally, is there a proxy server *anywhere* in this mix?

In general there are quite a few ftp servers out there that frankly will refuse to work with things like Internet Explorer or the DOS ftp client.  Even with PASV supposedly enabled on the client end there is no guarantee that the admin of the ftp server in question has set up his firewall to *allow* PASV mode.  For compatibility reasons that's pretty rare these days but certainly possible.  I'd really like to see you download a trial version of a quality ftp client like FTP Voyager at http://www.ftpvoyager.com for testing so that we could eliminate all the little issues and misconfiguration items as a possibility.

Then, if you still think it might have something to do with DNS (I'm not convinced), set the workstation you are testing on to only use one of your ISP's valid DNS server addresses and eliminate your internal DNS altogether (note that you'll possibly lose some of your internal SBS functionality during that period).  Run ipconfig /flushdns after you make that change and all lookups will now be done outside of your company on that machine.

Finally, now that you've got a workstation ready, the above will help you to clarify the basics of the issue....but as far as I'm concerned it's either PASV issues with whatever ftp client you're using or the sites that you are attempting to visit have your internet IP's blocked or don't support PASV at all.  While I realize that's much more mundane than you having infrastructure configuration issues let's look at the facts.

1) Your DNS is resolving external addresses.  Typically it's all or nothing, so since you are resolving some I'll assume that it works.
2) You can successfully ftp to external sites....just not some of them.  Therefore all of the requisite settings are in place at the routing/firewall level to allow this to happen or it wouldn't work with anyone.

Not much wiggle room with those facts for it to be in your infrastructure configuration.
------------------
Note:  Before beginning the next series of steps please do this first:
From your testing workstation can you successfully run the following command from the command line and receive back raw information from the ftp server? ;  "ftp ftp.server.com 21"   (ignore quotes, replace with the ftp server name you are trying to connect to)

If so, then continue with the series of steps laid out below....if not then nothing below is going to help you because your network packets are not reaching the server in question at all.
-----------------

That leaves the following, listed in the order I recommend checking.  However, if you have the luxury of being able to connect directly to your broadband connection with a workstation, bypassing the router and everything else altogether, then by all means do so with the ftp client listed above, as it'll save you a lot of headache:

Possibility 1: The ftp client - Install the trial client listed above, ensure that you go into the connection options and set it to PASV mode for that connection, and attempt to connect.  Didn't work?  Log directly into your server (SBS I suppose, if that's the one that you are redirecting traffic from the internet to).  Try connecting to the ftp server from there (using the command line on the server is fine... I'd prefer not to see you install an ftp client there).  Still didn't work?  Go to the next item.

Possibility 2: The ftp server (PASV) - See if you can find out whether or not the server supports PASV mode.  The easiest way would be to ftp to that site from somewhere that works, using a command line.  Once connected and logged in, type "debug" just so we'll see all responses from the server, then type "quote pasv" or "quote passive" if the former doesn't work.  Ignore quotation marks.  It will tell you whether or not it goes into passive mode; if so, then the server accepts it and move on to the next item.  If not, that's the issue, and unless the server admin owes you something that's pretty much the end of the road without buying a high end router.

Possibility 3: The ftp server (blocked) - If the server does accept PASV from the test above, except when you go back to the office you still can no longer connect to it, then contact the server administrator and determine whether or not your internet IP addresses are blocked.  They're not?  Go to the next step.

Possibility 4: Your Router - I really hate to bring up your router/firewall here as I'd hate for you to get sidetracked, so keep in mind that you've already proven that you *can* connect to an ftp server on the internet successfully.  As I said, in my mind that means it's highly unlikely that you've screwed something up in your configuration.  That said... many router/firewalls running NAT simply will not deal with properly redirecting the ftp command port request.  They need to be smart enough to inspect the ftp packets bound for one port, find the corresponding IP address information they need there, and redirect to another port appropriately for 'Active' FTP to work at all behind a NAT router.  This is why 'Passive' FTP was devised in the first place.  Higher end routers obviously do this pretty well, and some lower end ones do, but I certainly don't have or know of a list that you could review.  If checking the ftp server above showed that it *did* accept PASV though... and you are 300% sure that your router/firewall allows *both* ports 21 and 20 outbound to everyone, and that you've turned off any local Windows firewall on the workstation, then ensure that you have the latest firmware installed on your router.  If even that turns out to be ok, we're getting into the really complicated land where, were it my network, I'd either be pulling out a packet sniffer, contacting the admin at that location directly, or re-evaluating just how important this ftp site is.



Matt Ridings
MSR Consulting
0
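
Matt's PASV check above (log in, send the passive-mode command, read the server's reply) and his note that a NAT router has to inspect and rewrite the PORT command can be scripted.  The following is an added example, not code from the thread or from either expert.  It implements a small FTP control-channel probe in Python: it parses the 227 reply, builds the active-mode PORT command a client would send, and reports what the server advertises.  Host, port and the anonymous credentials are assumptions; the fake server is a constructed stand-in so the block runs offline.  It goes one step beyond the thread's check by flagging a 227 reply that advertises an RFC 1918 address, which is what a client sees when the FTP server itself sits behind a NAT device that does not rewrite FTP replies.

```python
import ipaddress
import re
import socket
import threading

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_cmd(ip, port):
    """Build the active-mode PORT command; this is the line a NAT router must rewrite."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in _RFC1918)


def _recv_reply(rf):
    """Read one (possibly multi-line) FTP reply; the final line is 'NNN <text>'."""
    lines = []
    while True:
        line = rf.readline()
        if not line:
            break
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            break
    return "\n".join(lines)


def probe_pasv(host, port=21, user="anonymous", password="guest@", timeout=5.0):
    """Log in over the control channel, send PASV and report what the server advertises.

    'advertises_private' is True when the 227 reply carries an RFC 1918 address that an
    Internet client can never reach: the FTP server is behind NAT without FTP-aware
    translation.  The data connection is deliberately not opened here.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("r", encoding="ascii", errors="replace")
        banner = _recv_reply(rf)
        s.sendall(f"USER {user}\r\n".encode("ascii"))
        _recv_reply(rf)  # 331
        s.sendall(f"PASS {password}\r\n".encode("ascii"))
        login = _recv_reply(rf)  # 230 on success
        s.sendall(b"PASV\r\n")
        reply = _recv_reply(rf)
        s.sendall(b"QUIT\r\n")
        _recv_reply(rf)  # 221
    endpoint = parse_pasv(reply)
    return {
        "banner": banner,
        "logged_in": login.startswith("230"),
        "pasv_reply": reply,
        "pasv_supported": reply.startswith("227"),
        "data_endpoint": endpoint,
        "advertises_private": bool(endpoint) and is_rfc1918(endpoint[0]),
    }


def start_fake_ftp_server(pasv_reply):
    """Constructed stand-in for a real FTP server (offline demo only).

    Listens on 127.0.0.1, serves one client with canned replies, and returns its port.
    pasv_reply is the exact line sent in answer to PASV (a 227, or a refusal such as 425).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    chosen_port = srv.getsockname()[1]
    canned = {"USER": "331 Password required", "PASS": "230 Logged in",
              "PASV": pasv_reply, "QUIT": "221 Goodbye"}

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.sendall(b"220 fake-ftp ready\r\n")
            rf = conn.makefile("r", encoding="ascii", errors="replace")
            for line in rf:
                cmd = line.split()[0].upper() if line.strip() else ""
                conn.sendall((canned.get(cmd, "502 Command not implemented") + "\r\n").encode("ascii"))
                if cmd == "QUIT":
                    break

    threading.Thread(target=serve, daemon=True).start()
    return chosen_port


if __name__ == "__main__":
    # Demo against the fake server: a 227 reply that leaks an internal address.
    p = start_fake_ftp_server("227 Entering Passive Mode (10,0,0,5,195,80)")
    print(probe_pasv("127.0.0.1", p))
    print(build_port_cmd("192.168.16.10", 50000))
```

Run the probe against a real host with probe_pasv("ftp.example.com") (a hypothetical name).  A 227 with a public address means the server does passive mode and the problem lies between you and it; a 227 with a 10.x/172.16.x/192.168.x address means the server's NAT is not rewriting replies, and no client-side setting will fix that; a 5xx reply means the server refuses PASV and only active mode remains, which then depends on the router rewriting the PORT command as described above.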
 
LVL 1

Author Comment

by:Webtologist
ID: 16655196
Again I apologize for the delay.  I’m the only “tech guy” here and it’s not even my real job.

I love this quote: “or re-evaluating just how important this ftp site is”
That’s exactly what I was thinking!  Unfortunately it’s very important, and more than one FTP.  It’s one of our own, and several public web servers that we host client sites on.

Ok, I haven't completed the troubleshooting suggestions yet.  It's going to be a bit of work and take some creative scheduling on a production system!  I'll do this ASAP.

Yes, I'm certain that PASV is set.  I've tried it both ways.  There is no proxy server.

I’m about 99% certain that it’s not an issue with the FTP client.  This is why:
My home system connected on my own network can connect to FTP.xxx with no problem, after initializing the “Connect to Small Business Server” tool, the connection is lost and will not reconnect.

Jeff,
Most PCs here are on VPN.  It's a work-at-home environment for a small company of programmers.  We've got just a few local PCs in the office, and 7 remote users.

I have SP1 installed, and all updates.

As far as the other troubleshooting goes, I’ll get to this ASAP.
0
