Solved

Server blocking trusted sites?

Posted on 2008-06-26
15
607 Views
Last Modified: 2012-06-27
My server was set back up recently. Everything went pretty smoothly, but after about a week, a site I go to on a daily basis started not coming up. It is a site I know I had added to my trusted sites, but I went back and checked and it wasn't in the list, so I put it back. The site worked for a few days and then stopped working. It is still on the trusted list but being blocked by my server. I cannot access it from the server or client machines. I decided to check into the GP but the snap-in fails to load every time I try. Has anyone had a problem like this? I am not at my server now but I will be in about an hour if any more info is needed.

Thanks!
0
Comment
Question by:Mentiroso
  • 8
  • 6
15 Comments
 
LVL 4

Expert Comment

by:Wiired
ID: 21876178
Try disabling Data Execution Prevention on the MMC. This may help you get in to check your GPs. I had this issue with the snap-ins failing to load and that resolved that part.
0
 

Author Comment

by:Mentiroso
ID: 21876852
Thanks, still stuck out and about but once I get back into the office (hopefully in another hour or so) I will check that out.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21896126
Many MMC problems can be resolved by updating the MMC to the latest version.

As for your website blockage, do you have another on-site administrator who may be going in and removing the trusted sites? If not, then it is pretty curious that the trusted sites ended up missing.
0
 

Author Comment

by:Mentiroso
ID: 21898433
No, I am the only admin and I can guarantee that everyone else in the office is not doing it. I will update the MMC when I get in town (I have been stuck out of town longer than expected). I'm sorry for being so slow to try out these solutions but I should be done ASAP.

Thanks!
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 250 total points
ID: 21900996
Let me tell you what I know about GPOs and plausible fixes for you.

GPOs are saved locally in SYSVOL. Then, they are replicated out to the other domain replication partners through the FRS (File Replication Service). After that they are distributed out to other computers and member servers via the DFS (Distributive File Service). If your sites are seen one day and gone the next, it may be a problem with FRS. These policies may not be getting from one server to another. So, you may have intermittent GPOs.

MMC snap-ins had problems and the latest update may cure that. Once you fix MMC, then look on your cluster of servers, in SYSVOL, for the Group Policy object that holds the information on your trusted sites. So, you may want to look for FRS errors, like this one:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23516713.html

If you have the GPOs in the SYSVOL records of your replicating machine, then it is probably a DFS error and your SYSVOL shares are not getting shared out. These shares are shared out using NetBIOS over TCP/IP.

Trusted sites for GPOs may be needed to bypass Internet Explorer Enhanced Security. Here is a little explanation on IEES errors and workarounds for this service.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23351830.html
0
 

Author Comment

by:Mentiroso
ID: 21908999
Ok, I fixed the MMC, added the site to the trusted site under a new GPO, tried the site again and it is still being blocked on every client machine and the server itself. If I reboot the server it will work fine for a short period and then just stop, no errors. The site will still be listed under the trusted sites though. Any more info?
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21909384
Yah, I think this is an easy fix:

Let's get a network topology from you:

Example: (this is what it sounds like to me)
WWW>>router>>PDCe +1DC, member servers and clients (site1)
VPN connection>>DC, member servers and clients (site2)
0
 

Author Comment

by:Mentiroso
ID: 21909821
Well, it is just the internet coming in through a basic Linksys router (WRT54G), then a line into the server, which is the Exchange server and PDC, and then the clients go from there. A total of 5 client machines hooked up. There is no second site. It is small time. Also I noticed today that the site that is being blocked is actually only blocked intermittently; it will work mainly in the mornings and stop in the afternoon. It is not the site itself because I checked it from other locations using the same ISP and no problems, and it worked fine before the server crashed and everything had to be reloaded.

So just to put it like you asked:

WWW>>Router>>PDC>>clients and nothing else.  
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21910850
In the server's NIC configuration, it should only have itself as the preferred DNS server. Use the IP, and not the loopback address of 127.

Then, do you use forwarders or root hints? Forwarders do recursive lookups; if you have recursive lookups disabled, then you are using root hints.

Intermittency is usually a sign of the preferred DNS server being an outside server. However, if you have a forwarder that is supposed to be a public name server in your DNS forwarders section, then recursive lookups will be denied and you can also get intermittent DNS.
0
 

Author Comment

by:Mentiroso
ID: 21911014
If I am not mistaken the DNS is set up using the IP and not the loopback. I do not use any forwarders or root hints because of the small nature of the company and the fact that the handful of employees have no restrictions on what they do, I just set it up quick and easy up until this road bump.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21912734
OK, I think we have your problem:
Under the DNS snap-in:
Disable recursive lookups and that will automatically use root hints. To do this, go into the DNS snap-in and right-click it. Select Properties. Select the Forwarders tab. Disable recursive lookup.

ON ALL NIC CONFIGURATIONS:
Also make sure that NOWHERE on this domain is the preferred DNS server an outside server. The preferred DNS server should be your server.
To make sure, go to the command prompt and type ipconfig /all. If the preferred DNS server is an outside server, you will have DNS problems and AD problems. So, it is important to get this right.

To change it (for fixed IPs), go into the NIC configuration, select TCP/IP and choose Properties, then configure only your server as the preferred DNS server. (Fixed IP will include the router, some fixed clients and the server.)

To change it (for dynamic IPs), go to the DHCP snap-in. Select your DHCP server. Expand the DHCP server properties until you get an "options" folder. Double-click the folder and edit the preferred DNS server's list. That again will be your server.




0
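The check described in the comment above (reading ipconfig /all on each machine and confirming that only the internal server is listed for DNS), written out as an added example that is not part of the original thread. It goes slightly further than the comment by flagging every listed DNS server, not only the preferred one; the sample output, IP addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : CLIENT01

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.101
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       203.0.113.53

Ethernet adapter Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.102
   DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

def _as_ip(token):
    """Parse an address, ignoring any IPv6 zone suffix; None if not an IP."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None

def dns_servers_by_adapter(text):
    """Return {adapter header: [DNS server addresses in listed order]}."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        # Adapter headers are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S*)", line)
        token = m.group(1) if m else line.strip()
        # Extra DNS servers appear alone on the lines after the label.
        ip = _as_ip(token) if (m or in_dns) else None
        in_dns = bool(m) or (in_dns and ip is not None)
        if ip is not None and adapter:
            result.setdefault(adapter, []).append(ip)
    return result

def external_dns(text, internal_servers):
    """List (adapter, ip) pairs whose DNS server is not an approved one."""
    allowed = {ipaddress.ip_address(s) for s in internal_servers}
    return [(name, str(ip))
            for name, ips in dns_servers_by_adapter(text).items()
            for ip in ips if ip not in allowed]

if __name__ == "__main__":
    for name, ip in external_dns(SAMPLE, ["192.168.1.10"]):
        print(f"{name}: outside DNS server {ip}")
```
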
 

Author Comment

by:Mentiroso
ID: 21917943
Ok, I won't be able to try it today. My son is home sick with a stomach bug so I will try it first thing in the morning and report back. Thanks for the info!
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22013075
How goes the battle?
0
 

Author Comment

by:Mentiroso
ID: 22062003
Sorry for the extremely slow response. Been in the hospital with a bad sinus/ear infection. I checked all NIC configurations on all machines, all set to using the server as the DNS, so no outside servers or dynamic servers. I am lost. Every day it works fine in the morning and around 12pm-1pm it just stops on all computers????
0
 

Author Comment

by:Mentiroso
ID: 22062012
I did check the DHCP snap-in and both scopes are set to use the same DNS as the network. Forgot to say that.
0
