Solved

Server 2003 RDP works from WAN but not LAN

Posted on 2008-10-23
296 Views
Last Modified: 2010-04-21
I have 8 Domain Controllers set up on 8 sites. I can log in to any one of them from any site on the network except the site it is on. If I try to RDC onto a server on the same site (and therefore the same subnet) as the PC I am connecting from, it won't work. This seems counter-intuitive and has me confused; can anyone suggest what could be causing this?
Question by:silent_waters
10 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 22789058
Are you using DNS or IP ?

What message do you get ?


I hope this helps !
 
LVL 9

Expert Comment

by:Sci-Fi-Si
ID: 22789980
Wise words there by SysExpert. If the address of the computer you are trying to access resolves to an external IP address you will get a 'loop-back'; your router won't allow this, as it's a form of attack.

If you 'ping' the DNS or NetBIOS name of the computer you are trying to access and you get a reply that isn't 10.x.x.x or 192.168.x.x, and you get a public IP instead, that's the root of your problem.

Your answer lies with DNS and I can talk you through that if you need.

To get immediate results just use the local IP address of the computer you are trying to access.

All the best
Sci-Fi Si

:)
 

Author Comment

by:silent_waters
ID: 22791712
Actually I can't ping the servers by IP or by name. The name resolves to a local address, but still doesn't respond either way.
 
LVL 9

Expert Comment

by:Sci-Fi-Si
ID: 22791865
This sounds like a firewall issue, do you know the topology of your network? Or what security is in place?
 

Author Comment

by:silent_waters
ID: 22791996
I've disabled the firewalls completely to see if that was the problem, and I still can't ping the servers. Anyway, if it was a firewall issue why would it not affect pings from other sites? I certainly haven't created any rules that would cause this behaviour.

The topology is simple. Each site has a single subnet, with an address of 10.x.x.0/24. On .1 is the domain controller, on .252 is an internet router, and on .253 is a WAN router. The WAN is an MPLS network, so I have any-to-any connectivity. The weird thing is that the connections all work between sites; it is only when I am pinging the server from its own site that it doesn't work.
 
LVL 9

Expert Comment

by:Sci-Fi-Si
ID: 22792256
Okey Dokey

Looks like we're getting somewhere. To cross the subnets locally, the 10.x.x.0/24 will mask out any machine that's not in the same 1-254 range. The address you're pinging would need to go out through the router and then back in on itself to get resolved, which would be considered a loop-back and so regarded as an attack on your network by your router.

A subnet of 255.0.0.0 would allow you to access all your machines in the 10.x.x.x range without needing to be routed.

If one server had an IP of (for example) 10.0.1.1 and a subnet of 255.255.0.0 you would be able to contact any other machine in the range of 10.0.x.x without any problem.

You could try manually assigning IPs with a subnet of 255.255.0.0 on a couple of machines to test this out; you should be able to contact them without any problem.

Let me know how it goes.

All the best
Sci-Fi Si
 

Author Comment

by:silent_waters
ID: 22794768
This is not a problem for any of the other machines though. For example: if I connect my laptop to the network I get a DHCP assigned address of 10.144.154.64. The local server is on 10.144.154.1, the local router is on 10.144.154.253 and there are a bunch of other PCs on the local network, one of which is on 10.144.154.63. All of these have subnet masks of 255.255.255.0.
Exactly the same set of addresses are present on another site, except with the middle octets 169.91. Same mask, same addresses, everything identical. From my laptop I can ping 10.169.91.1 but not 10.144.154.1. I can also ping 10.144.154.253 and 10.144.154.63, just not .1. This makes me think it must be server related.
Essentially we are using Class C networks, but with addresses that are officially in the class A range. It works because it is private. It is only the new server that doesn't want to play.
 
LVL 9

Accepted Solution

by:
Sci-Fi-Si earned 500 total points
ID: 22795201
Morning silent waters

I'm with you.

Laptop IP > 10.144.154.64 and pings to 10.169.91.x are also fine, packets are crossing subnets and routing seems to be fine.

Laptop IP > 10.144.154.64 and pings to 10.144.x.x are fine, those packets don't cross subnets and do not need to be routed. However from what I understand you just can't ping 10.144.154.1

So it's just a problem with one server on one subnet that won't respond to a ping either locally or across your WAN/MAN.

> This makes me think it must be server related.

I agree with you. Your routing is fine and everything looks to be set up properly.

So it's basically just one server in the group 10.144.154.x with the IP of 10.144.154.1 that won't talk.

It's time to give that server a jolly good talking to and let it know who's boss - Don't stand for it.

I take it it's not contactable or of any use at the moment, so it wouldn't matter taking it off the main network for some diagnostics? The brute force approach (which I'm particularly fond of) would be to take a crossover cable from your laptop, manually assign your IP of 10.144.154.64 and connect it directly to your server; this would remove all other possible issues and get straight to the point. If the server still won't respond you probably have a faulty network card, either on the mobo' or a card that's plugged in. Faulty network cards are quite rare but it does happen. However, at this stage we just want to eliminate anything that could be causing a problem. It's a new server and therefore anything goes.

It's possible the server firewall is blocking ping packets, but I honestly doubt it.

There's an extremely handy USB to Ethernet adaptor I have which is great for situations like this and a handy bit of kit to have in one's arsenal.

I suspect your software setup is completely fine and the problem is most likely hardware related, and your server just needs a kick in the pants.

All the best
Sci-Fi Si

:)
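To make the subnet reasoning in the two posts above concrete (which of the author's pings stay on-link and which must go via the WAN router, and what the suggested 255.255.0.0 mask would change), here is an added example that is not part of the thread. The addresses are the ones quoted in the question; the helper names are my own.

```python
# Added example (not from the thread): decide whether a ping from the laptop
# stays on the local subnet or must be handed to the WAN router, using the
# addresses and masks discussed above. Subnet membership is plain bit
# arithmetic: two hosts are on-link when (addr AND mask) is equal for both.

def ip_to_int(addr: str) -> int:
    """Convert dotted-quad IPv4 text to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def same_subnet(src: str, dst: str, mask: str) -> bool:
    """True when src and dst share the network part under mask."""
    m = ip_to_int(mask)
    return (ip_to_int(src) & m) == (ip_to_int(dst) & m)

def next_hop(src: str, dst: str, mask: str, gateway: str) -> str:
    """Where the first packet goes: directly on-link, or to the router."""
    return "on-link" if same_subnet(src, dst, mask) else gateway

# Values taken from the question: laptop and DC on site A, DC on site B,
# WAN router on .253 of site A. Host names are constructed labels.
LAPTOP = "10.144.154.64"
LOCAL_DC = "10.144.154.1"
LOCAL_PC = "10.144.154.63"
WAN_ROUTER = "10.144.154.253"
REMOTE_DC = "10.169.91.1"

def triage(mask: str = "255.255.255.0") -> dict:
    """Classify every destination the author pinged from the laptop."""
    return {dst: next_hop(LAPTOP, dst, mask, WAN_ROUTER)
            for dst in (LOCAL_DC, LOCAL_PC, WAN_ROUTER, REMOTE_DC)}

if __name__ == "__main__":
    for dst, hop in triage().items():
        print(f"{LAPTOP} -> {dst}: {hop}")
    # The local DC is already on-link under /24; widening the mask to
    # 255.255.0.0 does not change that, so a mask change cannot explain
    # why .1 alone fails while .63 and .253 answer.
    print(same_subnet(LAPTOP, LOCAL_DC, "255.255.0.0"))
```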
 
LVL 9

Expert Comment

by:Sci-Fi-Si
ID: 22795256
N.B.

> The weird thing is that the connections all work between sites, it is only when I am pinging the server from its own site that it doesn't work.

This really doesn't make a lot of sense; it's as though local ICMP packets have been disabled or TCP port 445 has been disabled.

Did you install this server? Only the person who configured this server would know.

Does looking at the shares of \\10.144.154.1 work from the same subnet?

Just a thought.
 

Author Closing Comment

by:silent_waters
ID: 31509278
It was a DNS problem apparently. I removed and reinstalled the DNS role and it started working. Why it should affect anything when I was pinging by IP address I don't know.