Solved

Users can't get to web on new win2003 sbs install

Posted on 2006-11-25
Last Modified: 2008-02-01
Hi,

I have just installed win 2003 sbs sp1 with dual nics.  The server connects to the internet fine.  The users connect to the server, but I can't get the users connected to the internet.  Is there some DNS or routing configurations that I missed?  From a user's workstation, I can only ping the internal NIC and nothing further.  

I have followed your advice and used only the wizards so far.  

What do I need to do so that my users can get to the internet?

Internal First nic is 192.168.1.1
mask 255.255.255.0
dhcp no
Primary wins is 192.168.1.2

External Second nic is 192.168.1.2
Mask 255.255.255.0
Gateway 192.168.1.254
dhcp: no
primary wins is 192.168.1.2
netbios over tcp/ip disabled

My connection is static ip assigned by isp, modem uses pppoe

TIA



0
Comment
Question by:Zygopetalum
34 Comments
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 18012868
Assuming your router/modem has an IP of 192.168.1.254 then (using the wizards of course):

External NIC should be in the same subnet as the router, so:
IP 192.168.1.2 (OK)
Mask 255.255.255.0 (OK)
Gateway 192.168.1.254 (OK)
DNS 192.168.16.1 (see below)
WINS 192.168.16.1 (See below)

Internal NIC -should be different subnet
IP 192.168.16.1
Mask 255.255.255.0
Gateway <empty>
DNS 192.168.16.1
WINS 192.168.16.1

Workstations -best to use DHCP, with the server being the DHCP server
IP 192.168.16.x
Mask 255.255.255.0
Gateway 192.168.16.1
DNS 192.168.16.1
WINS 192.168.16.1

Also on the server, under forwarders (not forward look up zone) of your DNS management console add the ISP's DNS servers.
In the DHCP management console add Router/Gateway, DNS server, Domain Name, and WINS server as scope options 003, 006, 015, 044

Very important to use the wizard !
0
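The addressing plan in the accepted answer can be checked mechanically. The following is an added example, not part of the original thread: it parses `ipconfig /all` style text and flags deviations from the two-NIC layout described above. The adapter names `Internal` and `External` and the DNS values in the "question" sample are assumptions.

```python
import ipaddress
import re

# Constructed sample in `ipconfig /all` layout. Adapter names and the DNS
# values of the "question" plan are assumptions, not taken from the thread.
TEMPLATE = """\
Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : {int_ip}
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : {int_ip}

Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : {int_ip}
"""
QUESTION_PLAN = TEMPLATE.format(int_ip="192.168.1.1")   # both NICs in 192.168.1.0/24
ANSWER_PLAN = TEMPLATE.format(int_ip="192.168.16.1")    # internal NIC on its own subnet

FIELD = re.compile(r"^\s+([A-Za-z ]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` style text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line.startswith("Ethernet adapter"):
            name = line[len("Ethernet adapter"):].strip(" :")
            current = adapters.setdefault(name, {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return adapters


def check_dual_homed(adapters, internal="Internal", external="External"):
    """List deviations from the two-NIC plan; an empty list means it is consistent."""
    nic = {n: ipaddress.ip_interface(f"{adapters[n]['IP Address']}/{adapters[n]['Subnet Mask']}")
           for n in (internal, external)}
    findings = []
    if nic[internal].network.overlaps(nic[external].network):
        findings.append("NICs share a subnet, so the server cannot route between them")
    if adapters[internal].get("Default Gateway"):
        findings.append("internal NIC should have no default gateway")
    gateway = adapters[external].get("Default Gateway")
    if not gateway:
        findings.append("external NIC has no default gateway")
    elif ipaddress.ip_address(gateway) not in nic[external].network:
        findings.append("gateway is outside the external NIC's subnet")
    for n in (internal, external):
        if adapters[n].get("DNS Servers") != str(nic[internal].ip):
            findings.append(f"{n}: DNS should be the server's internal IP")
    return findings


if __name__ == "__main__":
    for label, text in (("question", QUESTION_PLAN), ("answer", ANSWER_PLAN)):
        print(label, check_dual_homed(parse_ipconfig(text)) or "consistent")
```

To run it against a real server, pass the contents of a saved `ipconfig /all` export and the two adapter names as they appear in that output.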
 

Author Comment

by:Zygopetalum
ID: 18013040
Thanks, I will try that tomorrow.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18013195
Good luck, let us know how you make out.
The wizard should "ask" you the appropriate questions and make the correct entries for you, but the above should give you a better idea of where you are headed and what to verify after complete. The reason the wizard is so important with SBS is it also creates all the interrelated links with the different components of SBS, such as remote access, Sharepoint, and other networked services.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 18014183
Umm..

Your Internal and External IP addresses are on the same network - it won't work.

Your NICs must be on different subnets for routing to take place.

This was mentioned above, but he wasn't overly clear on that unless you read carefully.
0
 

Author Comment

by:Zygopetalum
ID: 18014587
OK, some progress.  I am now able to ping the external nic using your answer, but I am still not able to get users to the internet or receive email into exchange.  

I noticed that you changed the wins server to the external nic, is this correct?  I also entered the ISP's DNS servers in the forwarders section of the DNS management console.  Do these need a separate title other than "All Other DNS Domains"?

This is a lot different than NT 4.......

My ipconfig now looks as you prescribed, but still no prize.....
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18014622
>>"not able to get users to the internet or receive email into exchange."
Exchange will need to have port 25 of the router forwarded to the Exchange server/SBS to receive e-mail

>>"I noticed that you changed the wins server to the external nic, is this correct?"
I changed it to the internal NIC, on the external NIC. This is correct, though not really necessary at all on the External NIC.

>>"Do these need a separate title other than "All Other DNS Domains"?"
No that is fine/typical. You want all unknown traffic (non-LAN) to use those DNS servers

>>"This is a lot different than NT 4......."
A lot of changes with the addition of Active directory, but it does work well.

Can the users ping or connect to an Internet IP such as Google:
http://64.233.187.99/
If so that means routing is resolved, we only need to worry about DNS
By the way, having made changes to DNS you flush the old cache, both on server and workstations. (restarting accomplishes this by default)
 ipconfig  /flushdns
 ipconfig  /registerdns

0
 

Author Comment

by:Zygopetalum
ID: 18014746
>>Exchange will need to have port 25 of the router forwarded to the Exchange server/SBS to receive e-mail
I am assuming that the "Connect to the Internet Wizard" completed this task.  Is this incorrect?  I am not able to access the router config since the "Connect to the Internet Wizard" was run.

I do recall checking that box for the firewall settings.

After flushing the dns cache and re-registering dns, I still am not able to get the users to connect.  The farthest is the external nic, I can't even ping the gateway.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18014801
>>"I am assuming that the "Connect to the Internet Wizard" completed this task.  "
If UPnP is enabled on the router, it is supposed to configure the router. However, there are security concerns with UPnP and it doesn't work very well. Therefore, if present, it is usually disabled and you have to configure the router manually. I would get Internet access working first and then worry about incoming connections such as Exchange.

Perhaps it would be best if you post the results from ipconfig  /all   from the server, and one workstation here.
In case you are not familiar with the process you can export the results to a text file and then just copy and paste here, using at a command line:
 ipconfig  /all  > c:\output.txt
0
 

Author Comment

by:Zygopetalum
ID: 18014881
Server ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : mail
   Primary Dns Suffix  . . . . . . . : XXXX.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : GJGPA.local

Ethernet adapter Server Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VIA Rhine II Fast Ethernet Adapter
   Physical Address. . . . . . . . . : 00-17-31-9B-60-CB
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.10.1
   Primary WINS Server . . . . . . . : 192.168.10.1

Ethernet adapter Network Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VIA VT86C100A Rhine Fast Ethernet Adapter
   Physical Address. . . . . . . . . : 00-80-C8-4B-CD-06
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.10.1
   Primary WINS Server . . . . . . . : 192.168.10.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Workstation ipconfig /all
Windows IP Configuration
        Host Name . . . . . . . . . . . . : adelalago
        Primary Dns Suffix  . . . . . . . : XXXX.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : XXXX.local
                                            XXXX.local

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : XXXX.local
        Description . . . . . . . . . . . : VIA Rhine II Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-17-31-12-1E-2D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DHCP Server . . . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.1
        Primary WINS Server . . . . . . . : 192.168.10.1
        Lease Obtained. . . . . . . . . . : Sunday, November 26, 2006 12:24:39 PM
        Lease Expires . . . . . . . . . . : Monday, December 04, 2006 12:24:39 PM

I will connect to the router by alternate means, but I thought that since we had the router configured to pinhole through to the mail server before (same ip address) that I would not have a problem, but I will check it out.
0
 

Author Comment

by:Zygopetalum
ID: 18014898
Geezzzz   How do I edit that last comment?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18014911
>>"Geezzzz   How do I edit that last comment?"
I don't think you can  

>>"thought that since we had the router configured to pinhole through to the mail server before (same ip address) that I would not have a problem"
If the IP's haven't changed that is correct, you should be fine.

The above IP configuration looks great. You mention the users can ping as far as the server's external NIC, but not beyond. I suspect then that the problem is between the external NIC and the router/modem.

I had suggested earlier the gateway should be 192.168.1.254. That was based on above notes, but is that correct? Is that the IP of the router? Can the server ping that IP. Also does the router use a 255.255.255.0 subnet mask ? That would be normal, but it could be 255.255.0.0  If so that could be a problem as it will incorporate your LAN as well. Let us know if so.
0
 

Author Comment

by:Zygopetalum
ID: 18015300
Yes, the server can ping the gateway, and the ip is correct.  Only users can't ping the gateway.

I was able to gain access to the router, but still no prize...
0
 

Author Comment

by:Zygopetalum
ID: 18015665
GOOD NEWS!  External email is flowing.  Still no luck on the users internet access...  Is anyone out there?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18015916
If Exchange is working then the server must have Internet access ???

You do need routing configured between the 2 NIC's but if you use the Wizard, that should configure RRAS for you. I assume you did use the router.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18015918
Sorry, last line should read; I assume you did use the wizard.
0
 

Author Comment

by:Zygopetalum
ID: 18015966
What I did was connect to the router through My Computer and manually set pinholes through it.  I think this is the culprit.  I am going to check to be sure I have all the right ports open tomorrow.

I didn't use the wizard to configure rras.....  It's not configured.... is this a bad thing?
0
 

Author Comment

by:Zygopetalum
ID: 18015978
BTW, the server always had internet access...  It's the users that are the problem
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18016981
>>"I didn't use the wizard to configure rras.....  It's not configured.... is this a bad thing?"
You need to use the CEICW (Configure E-mail and Internet Connection Wizard), located in the Server Management Console, under "Internet and E-Mail", "Connect to the Internet". This should configure RRAS and the  other necessary interrelated components for you.

>>" the server always had internet access...  "
I assumed since you mentioned "I am not able to access the router" that Internet access was not available either.

0
 

Author Comment

by:Zygopetalum
ID: 18019909
If I open ports on the router, will this make the ISA firewall moot?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18020008
>>"will this make the ISA firewall moot?"
ISA ?  There was no mention of ISA earlier. ISA requires its own sets of rules/policies to allow users to connect to the Internet. There are wizards that will assist you in doing this, but I am afraid I have not worked with ISA enough to walk you through it. Many others here have, but it is a holiday weekend for many, and rather quiet.

Opening ports on the firewall is used to allow incoming services such as Exchange, not outgoing services such as web browsing. Though personally I don't recommend it, it is quite common to eliminate the router when you have ISA. It is used as the firewall.
0
 

Author Comment

by:Zygopetalum
ID: 18021179
Rob,

I was under the impression that SBS 2003 automatically configures ISA when you install SBS.  I will have to investigate further.  

Thanks again for your help.  You have definitely earned the 500 pts on this one.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 18021207
ISA? hehe...

This would have been solved days ago had we known about this.

By default, ISA installs fully locked down.

Since you have changed your NIC settings, you need to reconfigure ISA's LAT (network tables) then create a rule to allow HTTP and HTTPS from Internal to External as applied to all users.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18021303
>>"I was under the impression that SBS 2003 automatically configures ISA when you install SBS."
No I am afraid not. It is an option available only with SBS Premium. I should have suspected there was something else causing problems, as configuration should be quite simple with the wizard.

I'm sure Netman66 can help you out with this part. ISA should be easy as well, but I haven't worked with it since 2000 version (a bit of a pain), and not much with that version either.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 18021321
Rob, there's little difference.  The concept is the same - prettier eye candy!

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18021398
Netman66, I understood it was a little more user friendly with wizards and such. I suppose the underlying functionality is still the same. I actually have had a copy of ISA 2006 on my desk for a month meaning to install and get familiar with it. Full time job keeping up :-)
0
 
LVL 51

Expert Comment

by:Netman66
ID: 18021430
I hear you!

2004 to 2006 is virtually identical (to me anyway).  A little different interface from 2000 to 2004/2006.  Either way, the whole thing takes no learning curve at all between versions.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18021468
I have looked at 2004 and 2006, and I agree I see very little difference. 2000 seemed to have the same features, but a little less friendly, if you didn't know what you were looking for. In any case, other than installing 2000 and playing with it for a few days, I haven't used it. I have always felt it was a fantastic product, one of their better, but haven't had occasion to work with it. I'll move it up on my todo list  :-)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18021494
Having said all of the above, SBS is so intuitive with all of its wizards, I am surprised ISA is not automatically configured with the CEICW. The wizard automatically configures internet, e-mail, firewalls, routers (if UPnP actually works), and internal routing, so I am surprised it doesn't give you access permission options with the Wizard for ISA. I don't have a SBS w/ISA here to check.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18021539
Zygopetalum, when you joined the workstations to the domain did you use the wizard for that ? Yes, another wizard :-)
Proper way to join them is with a web browser and going to   http://YourServerName/connectcomputer
This configures a lot of the networking, services, and permissions automatically. Perhaps related to the problem. If you did it in the traditional, manual way, you might try re-joining one as a test.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18021578
Back again :-)
Have a look at the following. You should be able to configure ISA within the CEICW wizard:
http://download.microsoft.com/download/4/0/8/40860507-c351-4308-a876-e1b83ee4e77a/isainstallsteps.htm
0
 

Author Comment

by:Zygopetalum
ID: 18022032
Ok, everyone relax.  There is no ISA.  It's just the firewall.  And I still can't get my users to connect to the internet.  The good news is that the print servers are up and running!

I received this message from the server this morning in my email:
  NETLOGON 5774 11/26/2006 10:20 AM 30 *
The dynamic registration of the DNS record 'GJGPA.local. 600 IN A 192.168.10.1' failed on the following DNS server: DNS server IP address: <UNAVAILABLE> Returned Response Code (RCODE): 0 Returned Status Code: 0 For computers and users to locate this domain controller, this record must be registered in DNS. USER ACTION Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD. Or, you can manually add this record to DNS, but it is not recommended. ADDITIONAL DATA Error Value: The requested address is not valid in its context.  
 
Any thoughts.  I am going to find the DCDiag.exe file .....
0
 

Author Comment

by:Zygopetalum
ID: 18022049
PS.  yes, I used the browser to join the workstations,  except that x@#*&^%!! WinME workstation....
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18023368
>>"except that x@#*&^%!! WinME workstation...."
Mmmmmm.... been there, done that !!!

Though the error may be the result of the problem, I would think it is more of a routing issue than DNS, since the workstations can ping the server but not beyond. If it was simply DNS they should be able to ping an Internet IP.

DCdiag would help to diagnose this problem. Also, are there any Event Id #'s in the event log relating to this? While at it, in the same location as DCdiag there should be another utility, netdiag, which may help with this connection issue. Try running it on the server. It has been removed from some CD's; if it is not available, try the version from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/   it may work. There are different versions, and not all work on all Windows versions. I find that one the most compatible.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18115087
Thanks Zygopetalum,
--Rob
0
