[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1018
  • Last Modified:

Possible DNS Resolution Issues on SBS 2003 Server and no luck browsing shares over VPN

We've got a SBS 2003 box that will not resolve http://localhost/exchange & http://servername/exchange or http://localhost/remote & http://servername/remote. Same results for https://

Client PCs connected to the server can resolve to http://servername/exchange and any other of the Web pages hosted on the SBS. We have split DNS configured so that clients can also resolve to the FQDN on the internal LAN. So, http://mail.domain.com/exchange resolves internally for the client PCs... but will not resolve on the server.    

The problem is isolated to the server itself. When we're at the console we cannot resolve http://localhost/exchange. Putting in the complete domain name http://servername.domain.com doesn't make any difference. The internal domain is setup with a .com and not a .local. When we try http://servername/exchange ...we get "Internet Explorer cannot display the Webpage".

Additionally, we can VPN to this server remotely and remote desktop over VPN and also ping IP addresses while on VPN but absolutely  cannot browse shares while on VPN by using the UNC. This seems related to the above issues, but we're not having any luck figuring out the common denominator between the two problems.

The error we get over VPN when we try to browse shares via UNC is "\\servername is not available. You might not have permission to view this network resource. Access is denied." We're authenticating over VPN as administrators with full access rights. The VPN connection is working fine... GRE is enabled on the firewall... it's not a connection issue. We're using the VPN client built into the server to serve VPN... not a thrid party firewall product. The firewall we're using is a Zyxel and it just passes the traffic over port 1723 to the server.

Could the problem be in the DNS Lookup Zones? We've looked at the LMHosts file... which is clean. WINS is running without issue. By the way... we get exactly the same behavior when we try by IP address instead of server name or UNC.

We've run out of ideas... any help to put us back on track would be appreciated.



0
philodendrin
Asked:
philodendrin
  • 13
  • 12
  • 4
  • +1
1 Solution
 
kristinawCommented:
does http://localhost work?
how about http://127.0.0.1?
 
"lmhosts file is clean", meaning, it has nothing in it?

since this server is sbs, i'm assuming it is the DC for the domain, and is thus also the domain DNS server? is it pointing to itself for DNS? Does it have more than one network card?

if you're at the server console, can you ping localhost? what name/ip gets returned?
can you ping netbios name? what gets returned?

kris.
0
 
kristinawCommented:
also, what version of ie is on the server, 6 or 7?
0
 
Hypercat (Deb)Commented:
In the IP properties of the server NIC, what do you have set for the primary and secondary DNS servers?
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
philodendrinAuthor Commented:
Kris...

Yes, http://localhost does work as expected, as does http://127.0.0.1 

Yes, this server is the DC and also the domain DNS server.  It is pointing to itself for DNS. There is only one NIC.

If I ping localhost, I do get returns from 127.0.0.1

If I ping the server name I get returns from its internal IP address, as expected.

We're using IE7.

Hypercat... We have the IP address for the server under the NIC's primary DNS server and nothing for Secondary.  
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Sounds like someone went in and messed with the default web site security settings.  You should be able to correct this by just running the Configure Email and Internet Connection Wizard (CEICW -- linked as "Connect to the Internet on the To-Do list in the Server Management Console).

But if you want to check to see if what I'm suggesting is wrong is really the problem, open up IIS manager and expand the default web site.  Right click on "Remote" and select properties.

On the Directory Security Tab > IP address and domain name restrictions > click the Edit... button.
There should be nothing in the box and the "Granted Access" should be selected.  If this is not the case, then someone must have changed things.

You can compare this to the same settings on the Default Web Site root which should have "Denied Access" and then list two lines for Granted.  The first being your IP Subnet and the second being 127.0.0.1.

Jeff
TechSoEasy


0
 
kristinawCommented:
i've seen this behavior with IE7, it's usually resolved by adding the owa site to the trusted sites on the server. your issue with accessing network shares can also be caused the new 'internet explorer enhanced security'. i usually remove this from my servers via add/remove programs. this and/or adding the owa site to trusted sites usually resolves the issue. since only the server itself is having issues, i wouldn't mess with any permissions, etc, until you've checked these items
0
 
philodendrinAuthor Commented:
Jeff...

I took a look at the security settings for "Remote" and they are correct. Granted Access is selected and there's nothing listed in the box.

However, the settings are different than you've described for the same setting under "default Web site". There, we have Granted Access selected and again, nothing listed in the box.

So... that might be the cuprit. Would this have possibly been changed by the previous administrator who setup Split DNS so that the internal clients could resolve OWA via the FQDN internally? Or, are these two things like comparing apples and oranges?

I don't truly understand Split DNS... so, I'm always suspicious that whatever this guy did to make that work caused these problems.

0
 
philodendrinAuthor Commented:
Jeff...

I think  you might be wrong about the security setting for the root of Default Web Site. I compared the settings on this box with three other Small Biz servers before making any changes or re-running the Internet Connection Wizard and they all have "Granted Access" and nothing listed in the box. You may be thinking of the Exchange-OMA site which has the settings you've described.  
0
 
philodendrinAuthor Commented:
Kristin...

I removed the Enhanced Security from IE7 and added the servername to the list of trusted sites. I have seen similar issues with what you've described on other servers... but, unfortunately that's not the problem here.
 
Thanks for the suggestion, though...
0
 
kristinawCommented:
i wouldn't think split dns would be the culprit. split dns is a good idea in my opinion. is the sbs box running isa or anything? maybe it's some type of isa issue. but i do find it extra confusing that you can get to the default web site, but not the owa site. what do you see in the iis logs after making an access attempt against http://servername, and http//servername/exchange?

kris.
0
 
philodendrinAuthor Commented:
As far as I can tell, there's nothing being logged when I try to go to http://servername/exchange (it never gets anywhere) ...or do go to http://servername (works, but nothing of consequence logged).

I am looking in the C:\windows\system32\logfiles\w3svc1 folder...
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Actually... my comment about the security settings on the default web site assumed that you did not enable port 80 in the CEICW (by checking the box for "Business Web Site (wwwroot)" on the Web Services Configuration screen.  There is rarely a need to check this box.  If you did, then you are right, it would be as you are seeing.

And take a look at C:\windows\system32\logfiles\HTTPERR for the lates error log file.

Jeff
TechSoEasy
0
 
philodendrinAuthor Commented:
Jeff... "Timer Connection Idle" ...is all that's logged.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
What happens if you try http://servername.domain.local/remote?

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Oh, wait... sorry... you said the local domain is the same as the Internet domain.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
On the server, what is the result of

C:\>NSLookup servername

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
You can also run the following to see if there are any problems:

C:\>DCDiag /dnsall

DCDiag is included in the Windows Server 2003 SP1 Support Tools.

Jeff
TechSoEasy
0
 
philodendrinAuthor Commented:
NSlookup returns:

Server: servername.domain.com
Address: Internal/local IP of the server

..pretty much what you'd expect.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Yes, but I was wondering SPECIFICALLY about

NSlookup <servername>

What is returned when you query the server's hostname?

0
 
philodendrinAuthor Commented:
Here's the NSLookup... pretty much what I said in the earlier post... am I missing something?

C:\>nslookup joker
Server:  joker.denver.DOMAIN.com
Address:  10.0.0.3

Name:    joker.denver.DOMAIN.com
Address:  10.0.0.3

(note... inserting "DOMAIN" for security purposes)

Here's the DNS test

C:\>dcdiag /dnsall

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\JOKER
      Starting test: Connectivity
         ......................... JOKER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\JOKER
      Starting test: Replications
         ......................... JOKER passed test Replications
      Starting test: NCSecDesc
         ......................... JOKER passed test NCSecDesc
      Starting test: NetLogons
         ......................... JOKER passed test NetLogons
      Starting test: Advertising
         ......................... JOKER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... JOKER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... JOKER passed test RidManager
      Starting test: MachineAccount
         ......................... JOKER passed test MachineAccount
      Starting test: Services
            IsmServ Service is stopped on [JOKER]
         ......................... JOKER failed test Services
      Starting test: ObjectsReplicated
         ......................... JOKER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... JOKER passed test frssysvol
      Starting test: frsevent
         ......................... JOKER passed test frsevent
      Starting test: kccevent
         ......................... JOKER passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   11:57:28
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   11:57:28
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   12:11:23
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/24/2007   12:11:24
            (Event String could not be retrieved)
         ......................... JOKER failed test systemlog
      Starting test: VerifyReferences
         ......................... JOKER passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : denver
      Starting test: CrossRefValidation
         ......................... denver passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... denver passed test CheckSDRefDom

   Running enterprise tests on : denver.DOMAIN.com
      Starting test: Intersite
         ......................... denver.DOMAIN.com passed test Intersite
      Starting test: FsmoCheck
         ......................... denver.DOMAIN.com passed test FsmoCheck

C:\>
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Do you realize that SBS does not support the use of sub-domains?

Jeff
TechSoEasy
0
 
philodendrinAuthor Commented:
Nope...

I didn't configure this box... and typically don't use .com vs. .local ...or subdomains...  but did not know that they were unsupported on SBS.

So... what next?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Is ISA Server installed?

Jeff
TechSoEasy
0
 
philodendrinAuthor Commented:
Nope... we're using a hardware firewall.

Looks like subdomain's are supported... but, not recommeded... much like .com's vs. .local.

The disadvantages of using the sub-domain of a publicly registered domain name or a publicly registered domain name include, but may not be limited to, the following issues: " Internal clients may be able to resolve resources on the internal domain, however, queries to external resources of the domain are not resolved by the DNS server. For example, if the internal network namespace is configured by using the publicly registered domain name of Contoso.com, only resources that have "A" (Host) records in the forward lookup zone for Contoso.com are available to local clients. This behavior can pose a problem if Contoso.com hosts resources, such as, a web server by means of an external provider or Internet service provider (ISP). Any queries from internal clients to www.contoso.com are resolved as a negative query by the local DNS server because the "A" record for "www" does not exist in the forward lookup zone for Contoso.com. For clients to access external resources, "A" records must be added to the forward lookup zone of the DNS server for those resources.
" The use of a publicly registered sub-domain name can pose the same problems as described for a publicly registered domain name. If at any time, the start of authority for the registered domain (Contoso.com, in this example) adds records for sub-domains, the currently configured private sub-domain may become public.
Name resolution problems that are created by using a publicly registered domain name can be avoided by planning the private namespace around a .local first-level domain so that, in this example, Contoso.com and Contoso.local are both available to internal clients, but Contoso.com is only available to external internet clients.

The use of a separate and private DNS namespace for Small Business Server is consistent with the recommendations in the following Microsoft Knowledge Base article:


254680 (http://support.microsoft.com/kb/254680/) DNS Namespace Planning
0
 
philodendrinAuthor Commented:
My mistake... you are correct... according to this TechNet article... the subdomain shouldn't have been created.

"You can't create child domains. With Windows SBS, you cannot create subdomains in your existing root domain (such as subdomain.contoso.local)."

http://technet2.microsoft.com/WindowsServerSolutions/SBS/en/library/26e36f3b-4259-448a-964b-012be24f226c1033.mspx?mfr=true

I don't know how the original admin ever got through the install... but, now it seems as though I'm stuck with this problem.

Any suggestions?  
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Well, sub-domains are supported to an extent... for instance if you have a .co.uk domain name you will find that domain.co.uk will be supported.  

But when I see something like DENVER.domain.com it makes me think that the DNS may have been manually configured as a sub-domain of a larger enterprise domain space as a child domain.  I should have specified "child" instead of "sub"

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
But let's at least look at the SBS's Forward Lookup Zone to make sure there's a HOST (A) record for SERVERNAME pointing to it's local IP address.

Jeff
TechSoEasy
0
 
philodendrinAuthor Commented:
The thinking by the previous admin was that there would be multiple locations for this company... which is correct. He was trying to plan ahead by naming the domains by location.  The satellite locations are just going to use VPN to get to this server.... and there won't be several servers on different domains. But, this is still in the planning phase... and contingent upon me solving the VPN issues I'm up against.

Here's the Foward Lookup Zones I'm seeing... please let me know if there's a better way to post these...

I've got four zones listed...

_msdcs.Denver.Domain.com
Domain.com
Domain2.com (this is a second domain the server processes mail for)
Denver.Domain.com

Under Domain.com there's a subfolder called "denver" with a Host A record for "Joker" that points to it's IP address.

Under "Denver.Domain.com" I've got the following:

_msdcs            
_sites            
_tcp            
_udp            
DomainDnsZones            
ForestDnsZones            
(same as parent folder)      Start of Authority (SOA)      [1219], joker.denver.DOMAIN.com., hostmaster.
(same as parent folder)      Name Server (NS)      joker.denver.DOMAIN.com.
(same as parent folder)      Host (A)      10.0.0.3
companyweb      Alias (CNAME)      joker.denver.DOMAIN.com.
joker      Host (A)      10.0.0.3

...there's also a bunch of workstations listed here.
   

0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
I What's in the _msdcs.Denver.Domain.com folder?  Anything?

Also, you do not need a zone for domain2.com just because the server's processing it's email.  Unless for some reason you have opened this server up to be a public DNS server which is a very bad idea.  

The how-to for multiple email domains is here:
http://sbs.seandaniel.com/2004/10/hosting-multiple-domains-on-sbs-2003.html

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Also, please look in the Reverse Lookup Zones and tell me what you see after you change the view to Advanced.

Jeff
TechSoEasy
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 13
  • 12
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now