philodendrin asked:
Possible DNS Resolution Issues on SBS 2003 Server and no luck browsing shares over VPN

We've got an SBS 2003 box that will not resolve http://localhost/exchange & http://servername/exchange or http://localhost/remote & http://servername/remote. Same results for https://

Client PCs connected to the server can resolve to http://servername/exchange and any other of the Web pages hosted on the SBS. We have split DNS configured so that clients can also resolve to the FQDN on the internal LAN. So, http://mail.domain.com/exchange resolves internally for the client PCs... but will not resolve on the server.    

The problem is isolated to the server itself. When we're at the console we cannot resolve http://localhost/exchange. Putting in the complete domain name http://servername.domain.com doesn't make any difference. The internal domain is set up with a .com and not a .local. When we try http://servername/exchange ...we get "Internet Explorer cannot display the Webpage".

Additionally, we can VPN to this server remotely and remote desktop over VPN and also ping IP addresses while on VPN but absolutely cannot browse shares while on VPN by using the UNC. This seems related to the above issues, but we're not having any luck figuring out the common denominator between the two problems.

The error we get over VPN when we try to browse shares via UNC is "\\servername is not available. You might not have permission to view this network resource. Access is denied." We're authenticating over VPN as administrators with full access rights. The VPN connection is working fine... GRE is enabled on the firewall... it's not a connection issue. We're using the VPN client built into the server to serve VPN... not a third party firewall product. The firewall we're using is a Zyxel and it just passes the traffic over port 1723 to the server.

Could the problem be in the DNS Lookup Zones? We've looked at the LMHosts file... which is clean. WINS is running without issue. By the way... we get exactly the same behavior when we try by IP address instead of server name or UNC.

We've run out of ideas... any help to put us back on track would be appreciated.



kristinaw

does http://localhost work?
how about http://127.0.0.1?
 
"lmhosts file is clean", meaning, it has nothing in it?

since this server is sbs, i'm assuming it is the DC for the domain, and is thus also the domain DNS server? is it pointing to itself for DNS? Does it have more than one network card?

if you're at the server console, can you ping localhost? what name/ip gets returned?
can you ping netbios name? what gets returned?

kris.
also, what version of ie is on the server, 6 or 7?
Hypercat (Deb)
In the IP properties of the server NIC, what do you have set for the primary and secondary DNS servers?
philodendrin (asker)

Kris...

Yes, http://localhost does work as expected, as does http://127.0.0.1 

Yes, this server is the DC and also the domain DNS server.  It is pointing to itself for DNS. There is only one NIC.

If I ping localhost, I do get returns from 127.0.0.1

If I ping the server name I get returns from its internal IP address, as expected.

We're using IE7.

Hypercat... We have the IP address for the server under the NIC's primary DNS server and nothing for Secondary.  
Sounds like someone went in and messed with the default web site security settings.  You should be able to correct this by just running the Configure Email and Internet Connection Wizard (CEICW -- linked as "Connect to the Internet" on the To-Do list in the Server Management Console).

But if you want to check to see if what I'm suggesting is wrong is really the problem, open up IIS manager and expand the default web site.  Right click on "Remote" and select properties.

On the Directory Security Tab > IP address and domain name restrictions > click the Edit... button.
There should be nothing in the box and the "Granted Access" should be selected.  If this is not the case, then someone must have changed things.

You can compare this to the same settings on the Default Web Site root which should have "Denied Access" and then list two lines for Granted.  The first being your IP Subnet and the second being 127.0.0.1.

Jeff
TechSoEasy


i've seen this behavior with IE7, it's usually resolved by adding the owa site to the trusted sites on the server. your issue with accessing network shares can also be caused by the new 'internet explorer enhanced security'. i usually remove this from my servers via add/remove programs. this and/or adding the owa site to trusted sites usually resolves the issue. since only the server itself is having issues, i wouldn't mess with any permissions, etc, until you've checked these items
Jeff...

I took a look at the security settings for "Remote" and they are correct. Granted Access is selected and there's nothing listed in the box.

However, the settings are different than you've described for the same setting under "default Web site". There, we have Granted Access selected and again, nothing listed in the box.

So... that might be the culprit. Would this have possibly been changed by the previous administrator who set up Split DNS so that the internal clients could resolve OWA via the FQDN internally? Or, are these two things like comparing apples and oranges?

I don't truly understand Split DNS... so, I'm always suspicious that whatever this guy did to make that work caused these problems.

Jeff...

I think you might be wrong about the security setting for the root of Default Web Site. I compared the settings on this box with three other Small Biz servers before making any changes or re-running the Internet Connection Wizard and they all have "Granted Access" and nothing listed in the box. You may be thinking of the Exchange-OMA site which has the settings you've described.
Kristin...

I removed the Enhanced Security from IE7 and added the servername to the list of trusted sites. I have seen similar issues with what you've described on other servers... but, unfortunately that's not the problem here.
 
Thanks for the suggestion, though...
i wouldn't think split dns would be the culprit. split dns is a good idea in my opinion. is the sbs box running isa or anything? maybe it's some type of isa issue. but i do find it extra confusing that you can get to the default web site, but not the owa site. what do you see in the iis logs after making an access attempt against http://servername, and http://servername/exchange?

kris.
As far as I can tell, there's nothing being logged when I try to go to http://servername/exchange (it never gets anywhere) ...or do go to http://servername (works, but nothing of consequence logged).

I am looking in the C:\windows\system32\logfiles\w3svc1 folder...
Actually... my comment about the security settings on the default web site assumed that you did not enable port 80 in the CEICW (by checking the box for "Business Web Site (wwwroot)" on the Web Services Configuration screen).  There is rarely a need to check this box.  If you did, then you are right, it would be as you are seeing.

And take a look at C:\windows\system32\logfiles\HTTPERR for the latest error log file.

Jeff
TechSoEasy
Jeff... "Timer Connection Idle" ...is all that's logged.
What happens if you try http://servername.domain.local/remote?

Jeff
TechSoEasy
Oh, wait... sorry... you said the local domain is the same as the Internet domain.
On the server, what is the result of

C:\>NSLookup servername

Jeff
TechSoEasy
You can also run the following to see if there are any problems:

C:\>DCDiag /dnsall

DCDiag is included in the Windows Server 2003 SP1 Support Tools.

Jeff
TechSoEasy
NSlookup returns:

Server: servername.domain.com
Address: Internal/local IP of the server

..pretty much what you'd expect.
Yes, but I was wondering SPECIFICALLY about

NSlookup <servername>

What is returned when you query the server's hostname?

Here's the NSLookup... pretty much what I said in the earlier post... am I missing something?

C:\>nslookup joker
Server:  joker.denver.DOMAIN.com
Address:  10.0.0.3

Name:    joker.denver.DOMAIN.com
Address:  10.0.0.3

(note... inserting "DOMAIN" for security purposes)

Here's the DNS test

C:\>dcdiag /dnsall

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\JOKER
      Starting test: Connectivity
         ......................... JOKER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\JOKER
      Starting test: Replications
         ......................... JOKER passed test Replications
      Starting test: NCSecDesc
         ......................... JOKER passed test NCSecDesc
      Starting test: NetLogons
         ......................... JOKER passed test NetLogons
      Starting test: Advertising
         ......................... JOKER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... JOKER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... JOKER passed test RidManager
      Starting test: MachineAccount
         ......................... JOKER passed test MachineAccount
      Starting test: Services
            IsmServ Service is stopped on [JOKER]
         ......................... JOKER failed test Services
      Starting test: ObjectsReplicated
         ......................... JOKER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... JOKER passed test frssysvol
      Starting test: frsevent
         ......................... JOKER passed test frsevent
      Starting test: kccevent
         ......................... JOKER passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   11:57:28
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   11:57:28
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   12:11:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   12:11:24
            (Event String could not be retrieved)
         ......................... JOKER failed test systemlog
      Starting test: VerifyReferences
         ......................... JOKER passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : denver
      Starting test: CrossRefValidation
         ......................... denver passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... denver passed test CheckSDRefDom

   Running enterprise tests on : denver.DOMAIN.com
      Starting test: Intersite
         ......................... denver.DOMAIN.com passed test Intersite
      Starting test: FsmoCheck
         ......................... denver.DOMAIN.com passed test FsmoCheck

C:\>
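As an added example (not part of the thread), here is a small Python parser for the dcdiag report format posted above: it pulls out which tests failed, the detail lines printed under each test (such as the stopped IsmServ service), and converts the hex EventIDs from the systemlog test to the decimal values Event Viewer shows. The embedded report is a constructed, abbreviated copy of the one above.

```python
import re
from collections import Counter

# Constructed sample: an abbreviated dcdiag /dnsall report in the thread's layout.
SAMPLE_REPORT = """\
      Starting test: Services
            IsmServ Service is stopped on [JOKER]
         ......................... JOKER failed test Services
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   11:57:28
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   12:11:23
            (Event String could not be retrieved)
         ......................... JOKER failed test systemlog
   Running enterprise tests on : denver.DOMAIN.com
      Starting test: FsmoCheck
         ......................... denver.DOMAIN.com passed test FsmoCheck
"""

RESULT_RE = re.compile(r"^\s*\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
EVENT_RE = re.compile(r"EventID:\s*0x([0-9A-Fa-f]+)")
TIME_RE = re.compile(r"Time Generated:\s*(\S+\s+\S+)")

def parse_dcdiag(text):
    """Return (results, events). results maps test name -> (target, status,
    detail lines); events lists (decimal EventID, timestamp) pairs."""
    results, events, detail, pending_id = {}, [], [], None
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:                                   # verdict line closes a test
            target, status, name = m.groups()
            results[name] = (target, status, detail)
            detail = []
        elif "Starting test:" in line:          # header line opens a test
            detail = []
        elif line.strip():                      # anything else is detail
            detail.append(line.strip())
            m = EVENT_RE.search(line)
            if m:                               # dcdiag prints hex: 0x457 -> 1111
                pending_id = int(m.group(1), 16)
            m = TIME_RE.search(line)
            if m and pending_id is not None:
                events.append((pending_id, " ".join(m.group(1).split())))
                pending_id = None
    return results, events

def failed_tests(text):
    """Names of tests that did not pass, in report order."""
    return [n for n, (_, s, _) in parse_dcdiag(text)[0].items() if s == "failed"]

def event_counts(text):
    """How often each decimal EventID appears in the systemlog test."""
    return Counter(eid for eid, _ in parse_dcdiag(text)[1])
```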
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy

This solution is only available to members.
Nope...

I didn't configure this box... and typically don't use .com vs. .local ...or subdomains...  but did not know that they were unsupported on SBS.

So... what next?
Is ISA Server installed?

Jeff
TechSoEasy
Nope... we're using a hardware firewall.

Looks like subdomains are supported... but, not recommended... much like .com's vs. .local.

The disadvantages of using the sub-domain of a publicly registered domain name or a publicly registered domain name include, but may not be limited to, the following issues:

- Internal clients may be able to resolve resources on the internal domain, however, queries to external resources of the domain are not resolved by the DNS server. For example, if the internal network namespace is configured by using the publicly registered domain name of Contoso.com, only resources that have "A" (Host) records in the forward lookup zone for Contoso.com are available to local clients. This behavior can pose a problem if Contoso.com hosts resources, such as, a web server by means of an external provider or Internet service provider (ISP). Any queries from internal clients to www.contoso.com are resolved as a negative query by the local DNS server because the "A" record for "www" does not exist in the forward lookup zone for Contoso.com. For clients to access external resources, "A" records must be added to the forward lookup zone of the DNS server for those resources.
- The use of a publicly registered sub-domain name can pose the same problems as described for a publicly registered domain name. If at any time, the start of authority for the registered domain (Contoso.com, in this example) adds records for sub-domains, the currently configured private sub-domain may become public.

Name resolution problems that are created by using a publicly registered domain name can be avoided by planning the private namespace around a .local first-level domain so that, in this example, Contoso.com and Contoso.local are both available to internal clients, but Contoso.com is only available to external internet clients.

The use of a separate and private DNS namespace for Small Business Server is consistent with the recommendations in the following Microsoft Knowledge Base article:


254680 (http://support.microsoft.com/kb/254680/) DNS Namespace Planning
My mistake... you are correct... according to this TechNet article... the subdomain shouldn't have been created.

"You can't create child domains. With Windows SBS, you cannot create subdomains in your existing root domain (such as subdomain.contoso.local)."

http://technet2.microsoft.com/WindowsServerSolutions/SBS/en/library/26e36f3b-4259-448a-964b-012be24f226c1033.mspx?mfr=true

I don't know how the original admin ever got through the install... but, now it seems as though I'm stuck with this problem.

Any suggestions?  
Well, sub-domains are supported to an extent... for instance if you have a .co.uk domain name you will find that domain.co.uk will be supported.  

But when I see something like DENVER.domain.com it makes me think that the DNS may have been manually configured as a sub-domain of a larger enterprise domain space as a child domain.  I should have specified "child" instead of "sub"

Jeff
TechSoEasy
But let's at least look at the SBS's Forward Lookup Zone to make sure there's a HOST (A) record for SERVERNAME pointing to its local IP address.

Jeff
TechSoEasy
The thinking by the previous admin was that there would be multiple locations for this company... which is correct. He was trying to plan ahead by naming the domains by location.  The satellite locations are just going to use VPN to get to this server.... and there won't be several servers on different domains. But, this is still in the planning phase... and contingent upon me solving the VPN issues I'm up against.

Here's the Forward Lookup Zones I'm seeing... please let me know if there's a better way to post these...

I've got four zones listed...

_msdcs.Denver.Domain.com
Domain.com
Domain2.com (this is a second domain the server processes mail for)
Denver.Domain.com

Under Domain.com there's a subfolder called "denver" with a Host A record for "Joker" that points to its IP address.

Under "Denver.Domain.com" I've got the following:

Name                     Type                      Data
_msdcs
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
(same as parent folder)  Start of Authority (SOA)  [1219], joker.denver.DOMAIN.com., hostmaster.
(same as parent folder)  Name Server (NS)          joker.denver.DOMAIN.com.
(same as parent folder)  Host (A)                  10.0.0.3
companyweb               Alias (CNAME)             joker.denver.DOMAIN.com.
joker                    Host (A)                  10.0.0.3

...there's also a bunch of workstations listed here.
   

What's in the _msdcs.Denver.Domain.com folder?  Anything?

Also, you do not need a zone for domain2.com just because the server's processing its email.  Unless for some reason you have opened this server up to be a public DNS server, which is a very bad idea.

The how-to for multiple email domains is here:
http://sbs.seandaniel.com/2004/10/hosting-multiple-domains-on-sbs-2003.html

Jeff
TechSoEasy
Also, please look in the Reverse Lookup Zones and tell me what you see after you change the view to Advanced.

Jeff
TechSoEasy