Solved

Cannot Access Internet

Posted on 2008-11-14
200
Medium Priority
1,486 Views
Last Modified: 2012-06-21
We have a server running Windows Server 2003. The Internet connection is cable through Comcast. There is a wireless router attached to the network and then several switches with cables running to all of the desktop clients. All clients can access the server and the Internet. The server cannot access the Internet. From the server I can successfully ping the router, clients and some web addresses. I have pinged www.google.com and www.comcast.net and a few others successfully, but I have not been able to ping www.microsoft.com. When I open Internet Explorer I get the infamous "page cannot be found" error.

Please advise.

Thank you!

Robert
Question by:Robert Ehinger
198 Comments
 
LVL 42

Expert Comment

by:Paul Solovyovsky
ID: 22965315
Can you do a traceroute? This will let us know where the connection is stopped.

Type in the command prompt:

tracert 4.2.2.2

and provide the results.
0
 
LVL 3

Expert Comment

by:ddanonimity
ID: 22965328
It may be a firewall or proxy problem. Check these settings.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22966552
Try this at the command prompt:

netsh winsock reset

This seems to be more and more common.

If that doesn't work, sounds like you are having a problem with DNS forwarders. Is this a DNS server?
0
 
LVL 19

Expert Comment

by:MrLonandB
ID: 22970590
Had a very similar problem a couple days ago...happened right after a Windows Update on my DNS Servers. Rebooted DNS Servers and all was well again.
0
 

Author Comment

by:Robert Ehinger
ID: 22970661
This problem has been going on for over a year and we have just been living with it. Now, though, we would like to fix it. The system has been rebooted several times but there has been no change.
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 22980917
Robert,

The Comcast modem/router is probably acting as the network Gateway and is doing DNS (and possibly DHCP) for your workstations, so they have Internet connectivity.

In your server, check the TCP/IP properties of the NIC. It should be set to a static IP address, with the Comcast modem/router address as the Gateway. Below that, it should have its own IP address in the "Use the following DNS server addresses."

Then, as ChiefIT mentioned, you should use Forwarder entries in the server's DNS setup to point to the Comcast DNS servers. (We can point you to these settings, if you need.)

This is just one possible way to configure server DNS, but I've used this exact setup more than once. Let us know if this sounds helpful.
0
 

Author Comment

by:Robert Ehinger
ID: 22983288
Yesterday I ran "Netsh winsock reset." I thought that might work after the required reboot. I accessed one internet site (Google) but when I tried to navigate to another I got the Page cannot be displayed message.

I then ran tracert 4.2.2.2 and it found the site in 13 hops. There was nothing to show the connection stopping before it got to its destination.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22990748
Do you have zone alarm on this server?

0
 

Author Comment

by:Robert Ehinger
ID: 23012327
No zone alarm on the server
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23012395
I also heard Symantec can do this.

Any Symantec-related material, like AV or Endpoint Protection?
0
 

Author Comment

by:Robert Ehinger
ID: 23012618
We use Norton Anti-virus on this system.
0
 

Author Comment

by:Robert Ehinger
ID: 23012630
If we can get on the Internet Comcast provides McAfee online protection but then the issue would be getting it installed on all the clients. A bit of work but doable.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23012998
No, it is just a configuration of Symantec. Let me find the information to make the configuration changes. I am not suggesting you change your AV protection, just configure it to work.

0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23013197
The reference material I was going to provide actually pointed to:

Zone Alarm as the major culprit
Ad-Aware as a second culprit
AVG antivirus as another culprit
Winsock fix as a plausible solution:

http://en.kioskea.net/forum/affich-5044-can-t-browse-but-can-ping?page=4

Try this: temporarily disable your AV package and see if you are able to browse to known good sites, like Google and Experts Exchange. If this works, update your virus definitions and scan engine by doing a manually forced AV update. I still remember somewhere that Symantec 10 can cause this issue prior to an update performed on this AV package.

Another thing to be aware of is I think there is a possible GPO to disable browsing on a server. Some people disable browsing on servers through this GPO because they don't want people browsing the Internet with a server. So, maybe look at your Resultant Set of Policy (RSoP).

0
 

Author Comment

by:Robert Ehinger
ID: 23146948
I tried to disable the Norton but it is password protected and no one seems to know the password. The previous computer support person did not do a lot of documentation. Is there a way around this?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23155334
Try:

symantec

All lowercase. That is the default password.
0
 

Author Comment

by:Robert Ehinger
ID: 23406913
Still working on this issue. I will provide feed back soon.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23483709
I am back from DC and would like to help with a fresh mind. I think we should be able to get this issue resolved pretty quick.

Let me know when you wish to proceed.
0
 

Author Comment

by:Robert Ehinger
ID: 23485064
Whenever you are ready
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23486946
The easiest way to combat this is to look at the network settings and tracing over the routes.

Let's pick a site that you are having problems with, (like MSN.com), and see if we can't figure out what's going on. Let's also look into the IP configuration and network bindings of this PC.

Can you supply an ipconfig /all?
There we can check for IPv6 and see if your gateway and subnet mask are good for that computer.

Now, let's go to the command prompt and do: nslookup www.msn.com
This should show you how many hops you have prior to getting to that site. If the connection times out it will also show you it timing out.

One other thing I would do is an MTU ping. MTU stands for Maximum Transfer units. If your MTU settings are set too high, then your packets start to fragment and your connection will most likely time out.
http://help.expedient.com/broadband/mtu_ping_test.shtml

Then, let's go into your browser and make sure we don't have the security settings SOOO high that we can't get out on it. I assume you are using Internet Explorer as your web browser; if not, please advise.
0
 

Author Comment

by:Robert Ehinger
ID: 23507526
I will be working on this issue again today and will provide feedback as I go.
0
 

Author Comment

by:Robert Ehinger
ID: 23510765
Here is a screen shot from the status page of the Linksys router we are using.
router.bmp
0
 

Author Comment

by:Robert Ehinger
ID: 23510928
And here are some other screen shots from the server -
ipconfig-all.bmp
LAN-Settings.bmp
Tracert.bmp
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23511472
Robert,

It looks like your server has two active ethernet connections... Adapter 1 seems to be grabbing a public IP address, which should not be the case. Try disabling Adapter 1 in the server's Network Connections settings, or just try temporarily unplugging the ethernet cable from the adapter. (where is that cable coming from?). There should just be one cable from the ISP's modem/router to your Linksys, then one from the Linksys to your server.
0
 

Author Comment

by:Robert Ehinger
ID: 23511514
I disabled the unused connection. There is only one cable from the modem to the router and then from the router to the server. Still no Internet connection. I currently have the AV disabled, too.
0
 

Author Comment

by:Robert Ehinger
ID: 23511570
Also, I can successfully ping the router and the modem, and the IP address 4.2.2.4; www.google.com. is not recognized as an internal or external command; and I can ping the Comcast Default Gateway: 69.245.138.1.
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23511571
Your server has different DNS numbers than your router (this would explain why your clients - who get their numbers from the router - can access the Internet).

Try what I suggested in my earlier post:
"In your server, check the TCP/IP properties of the NIC. It should be set to a static IP address, with the Comcast modem/router address as the Gateway. Below that, it should just have its own IP address in the "Use the following DNS server addresses."

Then, as ChiefIT mentioned, you should use Forwarder entries in the server's DNS setup to point to the Comcast DNS servers. (We can point you to these settings, if you need.)"


0
 

Author Comment

by:Robert Ehinger
ID: 23511587
You probably should point me to the forwarder settings
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23511633
Did you check the NIC's setup? Can you do an ipconfig /all again to see if it changed?
(I'll double check the path to the forwarder settings in the meantime...)
0
 

Author Comment

by:Robert Ehinger
ID: 23511644
Also, when I change to default gateway I lose my wireless connection
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23511718
What did you change the gateway to?
What device is at 192.168.0.250?
0
 

Author Comment

by:Robert Ehinger
ID: 23511723
When I change to the Comcast default gateway and do ipconfig /all there is no default gateway shown.
0
 

Author Comment

by:Robert Ehinger
ID: 23511741
I changed it to the comcast Default Gateway: 69.245.138.1. The router IP address is 192.168.0.250
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23511849
The default gateway should be a private address (192.168.0.x). This will be the device that's doing DHCP (handing out your internal IP addresses).

Before you do anything else - write down/remember what your configuration was before we started - just so you can undo these changes if they don't work.

If the router is doing DHCP, then it should be the gateway. (In my setups, I sometimes let the Comcast router do the DHCP - sorry for the confusion...)
0
 

Author Comment

by:Robert Ehinger
ID: 23511889
OK, I have the settings recorded and the default gateway is the router.
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23511901
What are the DNS numbers that show up when you do an ipconfig/ all?

0
 

Author Comment

by:Robert Ehinger
ID: 23511926
OK, school is out and they are wanting to lock up for the weekend. I will be back at this on Monday so please send any ideas and suggestions and I will provide feedback as I try them. Thanks!!
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23511945
Ok - have a good weekend.

Here's the info about the forwarders, in case I'm tied up in the AM:

Under Administrative Tools, go to the DNS management console. Right click on your server and go to Properties. On the Forwarders tab, you should have an entry under DNS Domains called "All other DNS domains". Then you should add the 2 or 3 Comcast DNS servers.
0
 

Author Comment

by:Robert Ehinger
ID: 23511986
DNS are 193.168.0.3
68.42.244.5
68.244.42.6
192.168.0.250

You have a great weekend too!!
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23512183
According to your router, they should be 68.87.72.130, 68.87.77.130 and 68.87.66.196

Make sure you took the other numbers (68.42.244.5 and 68.244.42.6) out of both of the NIC TCP/IP Properties (remember we're using Adapter 2).

Check/create the Forwarders as above

Your ipconfig should then have the 3 Comcast DNS numbers and the server address 192.168.0.3 under DNS and the router/gateway as 192.168.0.250.
 
0
 

Author Comment

by:Robert Ehinger
ID: 23528018
I made the changes you suggested and I can ping all of the DNS addresses, the server, the router, and I even pinged 4.2.2.4. I still cannot get out on the Internet. What am I overlooking?
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23528896
Are the changed DNS servers showing up when you do an ipconfig /all?
 
0
 

Author Comment

by:Robert Ehinger
ID: 23531468
I will check tomorrow when I am back at the school
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23531906
You're overthinking this:

DNS are 193.168.0.3
68.42.244.5
68.244.42.6
192.168.0.250

Use your router to route with, not the server.

Your server has four DNS addresses. Two are within the LAN and two are outside the LAN.

I assume 192.168.0.xxx is your private IP space.

SO, the internal IP of the router should be within the IP space of 192.168.0.x. That will be your default gateway that is manually set on all fixed IP address nodes and Also in DHCP scope options.

This is what you are currently doing and failing at it.

WWW>>NAT router (comcast)69.xxx.xxx.xxx>>69.xxx.xxx.xxxNAT routing (over server)192.168.0.xxx>>Nodes on the LAN.

This is what you want to do for best operational status:
WWW>>NAT Router (comcast) 192.168.0.xxx= gateway>>Servers and other nodes

The second NIC of your server can be disabled and the router's inside IP will be the gateway for the entire LAN. I don't see a reason for you to have two subnets on the nodes of your LAN.

0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23532002
Hi ChiefIT,

His DNS settings - that appear to be in the NIC's properties - don't match the DNS settings in the router. I'm assuming that the router numbers are correct and that he needs to remove the settings from the NIC. We put the correct numbers in the server as DNS Forwarders...
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23532194
As a general LAW for a domain, the ONLY place outside DNS servers should be configured is in DNS forwarders. All fixed-IP NIC cards and the DHCP scope options should have outside IPs removed from the list of preferred DNS servers. DHCP scope options pass down the DNS servers to the DHCP clients. This is why it is important to get this right.

Also DO NOT allow your router to be the DHCP server. If the router supplies DHCP, it will also attempt to supply DNS. Routers with DHCP and DNS capabilities, (like your DSL router), are used for home use without servers. So, it can't be supplying DHCP. The router will NOT hold the SRV records for DNS; only a Microsoft server will. Without those SRV records, you will not be able to authenticate with your DCs. So, it is important that your DSL router NOT supply DHCP. You must have DHCP supplied by your Windows servers.

For reference, this is how DNS works. This article was as basic as I could make it and explains the path of a DNS query.
http://beta.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-TROUBLESHOOTING-MADE-EASY.html
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23532485
ChiefIT,

Your first paragraph is exactly right and is what we were working on... His client PCs are working okay - getting DNS (and DHCP) from the router. I figure his server is having problems because of the incorrect settings hard-coded in the NIC properties.

I don't know if you want to walk him through changing both DNS and DHCP to the server?


0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23537718
@Rick
I would be glad to help. But, I think you are doing a fine job. So, I will monitor in the background.

These are the things I would do to resolve these issues>

A) I think I would make sure DHCP is straightened out first, by:
1) make sure the router isn't supplying DHCP.
2) make sure Windows servers are supplying DHCP
3) go into DHCP scope options and make sure the DNS servers, time servers and router are all configured.

B) Then, I would make sure the inside IP to the Router is within the LAN's subnet of 192.168.0.x

C) Then, I would attack these DNS issues by:
1) go to each fixed IP station, (like the servers), and make sure the NIC bindings don't have outside DNS servers listed as a preferred server.
2) on each fixed IP station, also make sure your router's IP on the LAN side is listed as your default gateway.
3) make sure DNS forwarders are listed as being your ISP's DNS servers.
4) Flush your DNS cache and make sure there are NO entries in DNS SRV records for that old router IP.
5) finally, renew your DHCP lease on the clients.

I can help at any stage of this, if you wish.

@Robert:
So that it is explained to you, this is what your issue is. You have 68.xxx.xxx.xxx listed in your preferred DNS server. There is no telling whether these servers were strictly from manually configured NICs or if DHCP is passing down this bogus information too. What happens is this: clients are going there to find outside DNS resolution. It appears that IP address doesn't have the ability to provide outside resolution. This is why you don't have Internet access. Also, since that IP will not provide inside resolution to your LAN, you will probably experience lag times or the inability to log on and/or authenticate to your LAN domain servers from time to time. You will probably experience intermittent communications on your LAN.


0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23538754
ChiefIT,

As per his original post, his clients aren't having any problems - it's just his server which appears to be hard-coded with the wrong DNS settings and can't access websites by URL. I think once this is resolved he'll probably be happy. If he wants to go further, I think I'll defer to your expertise.
0
 

Author Comment

by:Robert Ehinger
ID: 23540857
A) I think I would make sure DHCP is straightened out first, by:
1) make sure the router isn't supplying DHCP.

It is not

2) make sure Windows servers are supplying DHCP

It is

3) go into DHCP scope options and make sure the DNS servers, time servers and router are all configured.

006 DNS Servers - No Server Name
IP Addresses are -
192.168.0.3
68.42.244.5
68.42.244.6

003 Router - No Server Name
IP Address 192.168.0.250

There is no time server set.


B) Then, I would make sure the inside IP to the Router is within the LAN's subnet of 192.168.0.x
It is

C) Then, I would attack these DNS issues by:
1) go to each fixed IP station, (like the servers), and make sure the NIC bindings don't have outside DNS servers listed as a preferred server.
2) on each fixed IP station, also make sure your router's IP on the LAN side is listed as your default gateway.

Dynamic IP addresses

3) make sure DNS forwarders are listed as being your ISP's DNS servers.

How??

4) Flush your DNS cache and make sure there are NO entries in DNS SRV records for that old router IP.

How??

5) finally, renew your DHCP lease on the clients.

Done

I successfully pinged several sites including google, comcast, at&t and my own web site. I cannot ping msn, ebay or paypal.

Further instructions would be greatly appreciated.
0
 

Author Comment

by:Robert Ehinger
ID: 23540945
Sorry, my bad. I did not renew DHCP. When I tried to perform an ipconfig /release or /renew on the server or the clients I got the same message -

"This operation fialed as no adapter is in the state permissable for this operation."
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23541581
Robert,

I'm going to defer back to ChiefIT at this point - he seems to understand what's going on better than me... I can't understand why you're seeing three separate sets of DNS numbers... one set from your router's screenshot, one set from your ipconfig screenshot, and yet a third from the info you just posted.

I'll keep tuned in to see how this works out...
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23549359
Let's see if I can write this up so you understand what we are doing:
________________________________________________________________________
THE UNDERSTANDING OF WHAT IS GOING ON:
When you go to the NIC card settings on a computer and set it to dynamically get an IP address or dynamically (automatically) get a list of DNS servers, that particular computer will look in your DHCP scope options to find your DNS servers, default gateway, and a number of other important nodes on the network. So, any settings on your NIC card that are set to get that information automatically get it from the LAN DHCP server.

Also, when setting up servers, some come with multiple NICs. Dell has sent out, for years, servers with multiple NICs. These NICs can be used for a variety of applications. None of them I see as important to a good network for you.
1) One application is to ROUTE over the server. This makes your server the NAT router for the network and dramatically adds to the network traffic over the server. Though your network appears to be set up to route over the server, it doesn't look like RRAS, (Routing and Remote Access Services), was configured to actually route over the server. Routing over the server is often done by administrators to further secure the network. However, you are already providing NAT (Network Address Translation) by using a hardware router from Comcast.
This is how your network was attempted to be set up: (This is called double NATting and can be difficult to do)
WWW>> Dynamic IP from comcast that NATs to 68.xxx.xxx.xxx subnet>>68.xxx.xxx.xxy subnet that NATs over the server to the 192.xxx.xxx.xxx subnet>>clients and other nodes

This is how to best set it up: (This will work best and prevent extra communications over your server)
WWW>>Dynamic IP from comcast that NATs to 192.xxx.xxx.xxx subnet>>Your LAN

2) The second use of dual NICs is to load balance. Load balancing is done on large LANs with, let's say, 250 nodes or more. Load balancing takes two NICs and uses both as a resource to allow more communications between computers and your servers.
3) The third application of dual NICs is to provide a LAN connection and a separate VPN connection that might bypass your firewall for outside access to your LAN. This is like a VPN connection.

On your LAN, I don't see either case as being necessary except maybe a VPN connection. However, I see a few issues that you are running into that lead me to believe it was set up to route over the server.
_______________________________________________________________________________
THE ISSUES:

Let's start with this:
From what I saw above: your servers are told to automatically go out and find their DNS servers. So, they will seek out what is listed IN DHCP SCOPE OPTIONS. Let's see what is listed there:

006 DNS Servers - No Server Name
IP Addresses are -
192.168.0.3<<<<<<<<GOOD
68.42.244.5<<<<<<<<< NOT GOOD
68.42.244.6<<<<<<<< NOT GOOD

When this was configured, you had two NICs on both domain servers. One of them was on the 192 subnet while the other was on the 68 subnet. As Rick was pointing out to you, you don't need two NICs. You already had NAT routing and you should leave routing to your hardware router. So, disabling that 68.xxx.xxx.xxx NIC was good advice. The administrator before you, or you, have configured the DHCP scope options to pass down both NICs as preferred DNS servers to ANY computer that requests to be provided a DNS server automatically within the NIC card configuration. Unfortunately, I think this includes your servers. So, your servers are trying to find a 68.xxx.xxx.xxx DNS server THAT DOESN'T EXIST. That NIC was disabled, wasn't it?

(SIDE NOTE) Let me tell you what your saving grace was on your clients in comparison to your server. When your client goes out to find a DNS query, it looks for the very first preferred DNS server according to the way your DHCP scope options is listed, that will be:
192.168.0.3
Since that is a valid and active DNS server, your query works.
When you do a DNS query on the server, 192.168.0.3 NIC is busy, so it goes to secondary preferred DNS server. That would be:
68.42.244.5
Since that is not a valid DNS server, you will not be able to get DNS resolution. This is why I think you have a small LAN. Your primary preferred DNS server doesn't seem to be busy often and that's why the clients don't seem to have an issue.
________________________________________________________________________________
THE FIXES:
To fix your issues concentrate your efforts on: 1) disabling the 68.xxx.xxx.xxx NIC on both servers, 2) preventing DHCP configuration from passing down bogus info, 3) then removing BAD DNS records from the forward and reverse lookup zones as well as your cached records, 4) then manually configuring your server's NIC configurations properly instead of having the NIC automatically going out to find your DNS servers, 5) finally checking DNS forwarders (to make sure they are your ISP's DNS servers); this part I will bet is in good shape, 6) any clients having issues afterwards will need to renew their DHCP lease and get the latest DHCP information from the server.

_________________________________________________________________________
HOW TO DO THESE THINGS:
1) disabling the 68.xxx.xxx.xxx NIC on both servers:
I assume you already know how to disable the NIC. However, you might have to tell DHCP that OLD NIC doesn't provide DHCP. To do this:
>>DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding
You can disable any binding from providing DHCP
2) preventing DHCP configuration  from passing down bogus info,
This is all done in your DHCP scope options that you already showed me you can navigate to. A) SET your router's IP to be the LAN side IP of the router (192 address). B) Set your DNS servers to be both DNS servers on the 192 subnet. C) Set your default gateway as your router's LAN IP address. D) If you have a LAN time server then set that IP; if not, leave it blank. Save your settings.

3) then manually configure your Server's NIC configurations properly instead of having the NIC automatically going out to find your DNS servers,
To do this: go to each server's NIC configuration settings and perform the following.
1) do not allow this to get a dynamic IP Manually configure both servers as fixed IPs.
2) do not allow these servers to go out and find your DNS servers. Manually configure your DNS servers as follows:
A) On server A make sure the primary preferred DNS server is itself and the secondary is the other server. Example:
192.168.0.A
192.168.0.B
B) On server B make sure the primary preferred DNS server is itself and the secondary is the other server. Example:
192.168.0.B
192.168.0.A
Make sure you check the advanced settings on DNS tab and WINS tab. For the WINS tab, disable LMhost lookup and enable NETBIOS over TCP/IP, (NOT netbios over DHCP). On the DNS tab, Make sure it registers the DNS suffix and appends the DNS suffix checkboxes are checked. Also make sure there are NO alternate DNS servers listed in there.

4) then remove BAD DNS records from the forward and reverse lookup zones as well as your cached records:

Step 1) To resolve these issues, Follow this link: (NOTE: By default, 2003 server registers both NICs SRV records in DNS) (for you this means you have both the 68.xxx... and the 192.xxx.... IP registered in DNS as proper DNS servers that provide Domain services)
 -- http://support.microsoft.com/?id=832478
Step 2) Once you prevent both SRV records from registering in DNS when the Netlogon service restarts, then you need to prevent it from registering its DNS records in DNS. To do this go to the NIC configuration>> TCP/IP properties>>Advanced Button>>DNS tab and disable the ability of the NIC to register its DNS settings in DNS, or disable that second NIC.
Step 3) Once you have disabled the ability to register that outside NIC's DNS address, then you must remove all HOST A, SRV, and cached records of that outside NIC. I assume you already know how to remove HOST A records from the forward lookup zone. To remove the DNS cache, go to the command prompt and type ipconfig /flushdns. To remove the SRV records, please follow the advice on this link:
http://support.microsoft.com/kb/241515

Or to remove SRV records you can follow this link and delete ALL SRV records on both servers and go to the command prompt and type:
Net Stop Netlogon
Net Start Netlogon
Restarting the Netlogon service re-registers the SRV records in DNS. With the second NIC, not being able to re-register the DNS SRV records, you will have  a fresh set of SRV records for the proper NICs of the server.


5)finally check DNS forwarders (to make sure they are your ISP's DNS servers) this part I will bet are good shape,
To check the SRV records, right click the DNS snapin and go to PROPERTIES. Select the Forwarders tab and manually configure your Forwarders to be your ISP's DNS servers.

6) any clients having issues afterwards will need to renew their DHCP lease and get the latest DHCP information from the server.
To do this, go to the command prompt of your problem child computer and type:
IPconfig /release
and
IPconfig /renew

Eventually, these DHCP leases and bogus information will weed themselves out when the DHCP lease expires and your network will appear to grow in performance. The reason is your DHCP clients will be getting good information.

 
Let us know if you have any questions. Rick was spot on by disabling the NICs. We just needed to address DHCP for a moment and cover ALL bases.

0
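The forwarders-only rule from ID 23532194 and the NIC/DHCP write-up above, turned into a checker. This is an added Python example, not code from the thread or any poster; it assumes a 192.168.0.0/24 LAN with 192.168.0.3 as the only domain DNS server, and the ipconfig text and scope options inside it are constructed samples modelled on the lists posted above.

```python
"""Audit a Windows Server 2003 box's DNS client settings against the rule the thread
settles on: in an AD domain, outside (ISP) DNS servers belong only in the DNS server's
Forwarders list, never in a NIC's preferred DNS list or in DHCP scope option 006."""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.0.0/24")          # assumed LAN subnet
DOMAIN_DNS = {ipaddress.ip_address("192.168.0.3")}    # assumed: the only DC / DNS server

# Constructed `ipconfig /all` excerpt, modelled on the DNS list posted in the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 69.245.138.44
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 69.245.138.1

Ethernet adapter Local Area Connection 2:

   IP Address. . . . . . . . . . . . : 192.168.0.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.250
   DNS Servers . . . . . . . . . . . : 193.168.0.3
                                       68.42.244.5
                                       68.244.42.6
                                       192.168.0.250
"""

# Constructed DHCP scope options, modelled on options 006 and 003 as posted.
SAMPLE_SCOPE = {
    "006 DNS Servers": ["192.168.0.3", "68.42.244.5", "68.42.244.6"],
    "003 Router": ["192.168.0.250"],
}

_ADAPTER = re.compile(r"^\S.*adapter (.+):$")
_SETTING = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {setting: [values]}}; an indented line with no colon
    continues the previous setting (that is how extra DNS servers are listed)."""
    adapters, name, key = {}, None, None
    for line in text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            name, key = m.group(1), None
            adapters[name] = {}
            continue
        if name is None:                      # header lines before the first adapter
            continue
        m = _SETTING.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            adapters[name][key] = [value] if value else []
        elif key and line.strip():
            adapters[name][key].append(line.strip())
    return adapters


def on_lan(value):
    """True when value parses as an address inside the assumed LAN subnet."""
    try:
        return ipaddress.ip_address(value) in LAN
    except ValueError:
        return False


def check_dns_list(where, servers):
    """Apply the forwarders-only rule to one preferred-DNS list."""
    findings = []
    for s in servers:
        if not on_lan(s):
            findings.append(("OUTSIDE_DNS", where, s))   # move to Forwarders, remove here
        elif ipaddress.ip_address(s) not in DOMAIN_DNS:
            findings.append(("NON_DC_DNS", where, s))    # e.g. the router: holds no AD SRV records
    return findings


def audit(ipconfig_text, scope_options):
    """Return (code, where, value) findings for every NIC with an address and the scope."""
    findings = []
    active = {n: a for n, a in parse_ipconfig(ipconfig_text).items() if a.get("IP Address")}
    for n, a in active.items():
        if not on_lan(a["IP Address"][0]):
            findings.append(("PUBLIC_NIC", n, a["IP Address"][0]))   # leave NAT to the router
        for gw in a.get("Default Gateway", []):
            if not on_lan(gw):
                findings.append(("BAD_GATEWAY", n, gw))              # must be the router's LAN IP
        findings += check_dns_list(n, a.get("DNS Servers", []))
    if len(active) > 1:
        findings.append(("MULTI_NIC", "server", ", ".join(active)))  # second NIC should be disabled
    findings += check_dns_list("DHCP option 006", scope_options.get("006 DNS Servers", []))
    for gw in scope_options.get("003 Router", []):
        if not on_lan(gw):
            findings.append(("BAD_GATEWAY", "DHCP option 003", gw))
    return findings


if __name__ == "__main__":
    for code, where, value in audit(SAMPLE_IPCONFIG, SAMPLE_SCOPE):
        print(f"{code:12} {where}: {value}")
```

Run against the constructed sample it reports the public first adapter, the three outside DNS entries on the LAN NIC, the router listed as a DNS server, and the two outside servers in scope option 006; a configuration matching Rick's final description produces no findings.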
 

Author Comment

by:Robert Ehinger
ID: 23554211
Thank you for all of the information but I have another question. Why do you think I have two servers? I have one server with two NICs. How does that affect the settings you suggested?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23554602
Same settings:

The reason I thought you have two servers is because of this information right here, that you provided on an IPconfig /all:

DNS are 193.168.0.3<<<good
68.42.244.5<<DNS NIC 2 of the server, Or it could be the router
68.244.42.6<<<Assumed DNS provided by NIC 2 of server 2
192.168.0.250<<<<DNS provided by something

It made sense: four IPs with two servers. Now I am thinking four IPs (2 for a server) and (2 for another node, like the router or a mass storage device like a NAS server).
0
 

Author Comment

by:Robert Ehinger
ID: 23554950
The set up we have is a server, modem and a router.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23555084
These are the settings for your single server LAN:

HOW TO DO THESE THINGS:
1) disabling the 68.xxx.xxx.xxx NIC :
I assume you already know how to disable the NIC. However, you might have to tell DHCP that OLD NIC doesn't provide DHCP. To do this:
>>DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding
You can disable any binding from providing DHCP
2) preventing DHCP configuration  from passing down bogus info,
This is all done in your DHCP scope options that you already showed me you can navigate to. A) SET your router's IP to be the LAN side IP of the router (192 address). B) Set your DNS as your DNS server. C) Set your default gateway as your router's LAN IP address. D) If you have a LAN time server then set that IP. if not, leave it blank. Save your settings.

3) then manually configure your Server's NIC configurations properly instead of having the NIC automatically going out to find your DNS servers,
To do this: go to each server's NIC configuration settings and perform the following.
1) do not allow this to get a dynamic IP Manually configure both servers as fixed IPs.
2) do not allow these servers to go out and find your DNS servers. Manually configure your DNS servers as follows:
A) On server A make sure the primary preferred DNS server is itself
Example:
192.168.0.A
Make sure you check the advanced settings on DNS tab and WINS tab. For the WINS tab, disable LMhost lookup and enable NETBIOS over TCP/IP, (NOT netbios over DHCP). On the DNS tab, Make sure it registers the DNS suffix and appends the DNS suffix checkboxes are checked. Also make sure there are NO alternate DNS servers listed in there.

4) then remove BAD DNS records from the forward and reverse lookup zones as well as your cached records:
Step 1) To resolve these issues, Follow this link: (NOTE: By default, 2003 server registers both NICs SRV records in DNS) (for you this means you have both the 68.xxx... and the 192.xxx.... IP registered in DNS as proper DNS servers that provide Domain services)
 -- http://support.microsoft.com/?id=832478
Step 2) Once you prevent both SRV records from registering in DNS when the Netlogon service restarts, then you need to prevent it from registering its DNS records in DNS. To do this go to the NIC configuration>> TCP/IP properties>>Advanced Button>>DNS tab and disable the ability of the NIC to register its DNS settings in DNS, or disable that second NIC.
Step 3) Once you have disabled the ability to register that outside NIC's DNS address, then you must remove all HOST A, SRV, and cached records of that outside NIC. I assume you already know how to remove HOST A records from the forward lookup zone. To remove the DNS cache, go to the command prompt and type IPconfig /flushDNS. To remove the SRV records, please follow the advice on this link:
http://support.microsoft.com/kb/241515

Or to remove SRV records you can follow the link and delete ALL SRV records and go to the command prompt and type:
Net Stop Netlogon
Net Start Netlogon
Restarting the Netlogon service re-registers the SRV records in DNS. With the second NIC, not being able to re-register the DNS SRV records, you will have  a fresh set of SRV records for the proper NICs of the server.

5) finally check DNS forwarders (to make sure they are your ISP's DNS servers); this part I will bet is in good shape.
To check the SRV records, right click the DNS snapin and go to PROPERTIES. Select the Forwarders tab and manually configure your Forwarders to be your ISP's DNS servers.

6) any clients having issues afterwards will need to renew their DHCP lease and get the latest DHCP information from the server.
To do this, go to the command prompt of your problem child computer and type:
IPconfig /release
and
IPconfig /renew

Eventually, these DHCP leases and bogus information will weed themselves out when the DHCP lease expires and your network will appear to grow in performance. The reason is your DHCP clients will be getting good information.

 
Let us know if you have any questions. Rick was spot on by disabling the NICS.
0
 

Author Comment

by:Robert Ehinger
ID: 23555629
Thank you. I will make these changes first thing in the morning and give you feedback.
0
 

Author Comment

by:Robert Ehinger
ID: 23569165
I started at the beginning and here is what happened -

#1 - went OK. The second NIC is disabled and only the NIC we are using shows up in the DHCP configuration.
#2 - Router IP is 192.169.0.250
#3 - When I take out all alternate DNS servers I get the message that at least one DNS suffix is required.
#4 - When I got to this step the link "http://support.microsoft.com/?id=832478" directed me to update to the latest service pack. We are at service pack 1 so I need to go to SP2 at least. Since we don't have a connection to the Internet I have to go home, download SP2 to a flash drive and then go back and install it.

I will continue later today and let you know.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23570614
On the NICs DNS tab, Under Alternative DNS servers, list your DNS server as the DNS server.

#3 - When I take out all alternate DNS servers I get the message that at least one DNS suffix is required.

FIX A) On the TCP/IP main menu tab, type in your DNS server as the primary preferred DNS server, and leave the secondary blank.

FIX B) On the TCP/IP Advanced button:


Also make sure the radio button and check boxes of:
""Append primary and connection specific DNS suffixes""
     ""Append parent suffixes of the primary DNS suffix""

and

""Register this connection's address in DNS""

are all enabled.
_______________________________________________________________________________
#4 - When I got to this step the link "http://support.microsoft.com/?id=832478" directed me to update to the latest service pack. We are at service pack 1 so I need to go to SP2 at least. Since we don't have a connection to the Internet I have to go home, download SP2 to a flash drive and then go back and install it.

Fix:
Once you have DNS straight, you could go right to the Forwarders section and make sure that is set correctly. With forwarders and your NIC settings correct, you should be able to communicate with the WWW and download SP2.

SP1 can cause intermittent problems with your communications. So, it is a very good idea to download and install SP2.
0
 

Author Comment

by:Robert Ehinger
ID: 23571313
On the forwarders tab - Under DNS domain there is an entry that says "All other DNS Domains,

There were 4 IP addresses in the forwarder list that began with either 68. or 67.

When I tried to enter the DNS server 192.168.0.3 I got the message "The server forwarders cannot be updated. The IP address is invalid." I double checked my entry and the typing is good.
0
 

Author Comment

by:Robert Ehinger
ID: 23571344
Here are the addresses that were in the forwarders list -

68.87.72.130

68.87.77.130


68.53.176.6

68.87.66.196
0
 

Author Comment

by:Robert Ehinger
ID: 23572665
When I make all of the changes I completely lose my connection to the Internet both wireless and cabled.
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23573147
Hi Robert,

Just one brief comment... You should probably give a quick call to Comcast to see what the DNS server number should be. You probably have some old numbers in some of these settings.

Rick
0
 

Author Comment

by:Robert Ehinger
ID: 23573280
Interestingly, Comcast is coming Monday because they have determined we have a modem problem. So are you saying my DNS server #s should be from Comcast? From the modem?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23573741
Robert:

On the forwarders tab of DNS, you can disable recursive lookups. That will default you to Root Hints servers. Root Hints servers for DNS are used as public DNS servers. If Comcast DNS servers are not working for you, Root Hints will for the time being.

The forwarders tab of DNS is used for ONLY outside DNS servers. Either you use forwarders to your ISP's DNS servers or you use Root Hint servers.


For more information on how DNS works, you can review this article I wrote for EE. It tells the steps of a DNS query from the client to the outside world.

http://beta.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-TROUBLESHOOTING-MADE-EASY.html
 
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23573835
Not necessarily "from the modem" - I think ChiefIT would say that your server will provide those numbers to your network - but, yes, these are servers that are provided by Comcast. (Comcast will tell you what those numbers should be.) They're the machines that actually translate/resolve URLs to IP addresses. I tell my clients that they're the White Pages of the Internet.

When you enter a URL inside your network, your server will try to resolve it first, in case you have an Intranet or a web-based application in-house. If it can't resolve it, then it passes the request out to Comcast's DNS servers.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23574205
That's true Rick, to a certain extent.

Sometimes you can set your router's internal IP as a DNS forwarder. What that does is the router will look at itself, determine it can't provide DNS resolution and then go to Comcast's external DNS servers from there. Those external DNS servers are provided by Comcast when your router gets a dynamic external IP in the 67.... or 68... subnet. With internal DHCP and therefore DNS disabled on the router, the router will default to the outside Comcast DNS servers for DNS queries.

If I am not mistaken, this is a router/modem combination from comcast, (not two separate units). If this is true, the settings apply. There are no real settings for a modem. It just modulates or demodulates the signal. The settings you do on the modem actually control the routing capability of the unit.

So, either you can set your forwarders to the router's internal IP or manually to Comcast's servers. Some administrators set it to the router's internal IP, but that makes more work for the router. Some administrators set these settings to the ISP's DNS servers, but if they change out the servers, you don't have contact with them.


Client>>>Server>>>Router>>>ISP DNS servers

or

Client>>>Server>>>>>ISP DNS servers through a NAT router
0
 

Author Comment

by:Robert Ehinger
ID: 23574461
Actually, this is a modem provided by Comcast and a Linksys WRT54G Router.
0
 

Author Comment

by:Robert Ehinger
ID: 23595544
Comcast tech was in today and he told me that the type of modem we have does not support static IP addresses. He said we need the SMS modem that they use for businesses and not the residential modem we are currently using.
0
 

Author Comment

by:Robert Ehinger
ID: 23607480
Comcast is telling me that we need to upgrade to a business modem with four available ports to support the static IP on the server. That means that we would have to upgrade our service as well. Up to now Comcast has been providing our little Catholic school with complimentary service which would no longer be the case with the upgrade. We would much prefer to keep our Comcast service as it is.

Anyway, let's start at the beginning and see if we can get through this because I can't believe there is no way to set this up to where we get Internet service on the server and the clients. So let's start with the physical structure.

We have a Motorola modem provided by Comcast and it connects to a Linksys WRT54G Router which in turn connects via Ethernet cable to NIC #2 on the server. We also have NIC #1 that is disabled. All of our lab and classroom clients and printers are connected via Ethernet cables to our switches. The teachers and principal all have laptops that use wireless to access the Internet.

I have upgraded the server to Windows Server 2003 SP2. We are running Norton Anti-Virus (would like to switch to Comcast supplied McAfee).

Currently, after all the stuff we tried above, the only way I could restore Internet access to the clients was to give each of them static preferred DNS servers of 208.67.222.222 and 208.67.220.220. At some point, while I was doing this the server had Internet access, at least briefly, because it started downloading Windows Updates. It stopped at 20% when it apparently lost its connection.

Through all of this we have maintained access between the clients and the network drives on the server.

I guess I am trying to determine what to do now. maybe start over??

Thank you!

Robert
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23607909
Hi Robert...

I work exclusively with small to mid-sized nonprofits, so I can empathize with your situation.

There might be some sort of work-around, but I can assure you that it would go against everything that ChiefIT has been (correctly) telling you.

I may be wrong, but I believe that your current (residential) modem/router is actually set up to do DHCP and to supply DNS info for your network. (This is what most people do at home - they don't usually bother with an internal router like your Linksys.)

When we started this, your clients were probably grabbing dynamic IP addresses and DNS numbers from the modem/router - no problem. But, your server insisted on having a static IP address, and probably outdated DNS numbers.

Once we started pointing your clients to the server for IP's and DNS, then they also got messed up.

Here are some thoughts:

1) Can you call Comcast and ask them if your modem/router is doing DHCP? If so, ask them if it's possible for them to turn it off. If they can, then it's possible to proceed along the lines ChiefIT was heading.

2) If they can't or won't turn it off, you might then want to change your server's static IP address to a high number, like 192.168.0.251 - an address that isn't likely to be handed out by their modem/router via DHCP. You could also try hard-coding those new DNS numbers into your server's NIC. If this works then... well, let's see if this works...

Rick

(If you check back to my original comment on 11/17, I figured your modem was doing the DHCP, but I assumed that you had a business class device that would allow you to modify the scope so that your server and Linksys would be okay as static devices.)

0
 

Author Comment

by:Robert Ehinger
ID: 23608090
Thanks for the response. Keep in mind we already have set the server IP address at 192.168.0.3. The static IP of the Linksys router is 192.168.0.250. And just to clear up any confusion (which may be mine alone) the modem and router are separate devices in our setup.
0
 
LVL 1

Expert Comment

by:Rick Nicholson
ID: 23608119
Hi Robert,

I understand - I'm referring to the Comcast device as the modem/router, since it seems to be filling both roles. I'll refer to your router as the Linksys - which I'm not sure is doing much at this point.

If we proceed like this, we'll need to move the server to a high IP address, since 192.168.0.3 is probably being assigned to one of your clients by the Comcast modem/router. Unless you have 200+ devices on your network, I'm assuming that 192.168.0.251 is "safe."

Rick
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23608974
Can you give me a make/model of your "modem". Once we have that I think we can get you up and going.

I was a High Speed Data Tech for Qwest communications and know how to set up such things for you. I don't believe for a second that Comcast has a modem that will not allow you to connect more than one computer and will also not allow you to accept a fixed IP. I think the information they gave you was incorrect.

0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23609025
@ Rick:

The router shouldn't be supplying DHCP, nor do I think the Comcast tech is correct in saying everything needs to be DHCP on the network.

The reason is, if the router supplies DHCP, it will also try to provide DNS. For a Microsoft server, you have Host A and SRV records in a DNS server's forward lookup zone. The router only stores Host A records. DNS on a router doesn't store any SRV records for DNS. This means there will be no domain services that rely upon those SRV records. This includes domain authentication and logons.

Some routers (not the Linksys router) allow you to provide DHCP and disable it from providing DNS.

So, if the Comcast modem is just a modem, then the network connections will look like this:

Comcast sends DHCP>>Modem>>WAN side of the Linksys router to accept the DHCP address NAT to a fixed IP of the LAN side of the router>>fixed or DHCP clients and servers.

If the comcast modem is actually a modem/router combo we can remove the linksys modem:

Comcast provides DHCP to WAN side of modem/router and then NATs to a fixed IP on the LAN side>>network switches allow for one port of the router to be distributed out to fixed or DHCP clients and servers.
0
 

Author Comment

by:Robert Ehinger
ID: 23612567
The modem is a Motorola Surfboard SB5101.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23614024
OK:

Try this:

Plug your coax cable into the modem, then plug the LAN connection into the WAN port of your linksys router. Then use any of the network jacks of the linksys router to plug either computers or switches to complete the internal LAN connections.

Log onto the Linksys router. Let's separate the WAN side with the LAN side.

~~On the WAN side tell it to accept a DHCP address from Comcast, (or get an IP automatically).
~~On the LAN side disable DHCP and therefore DNS of the router and give it a fixed IP for your LAN to communicate with. That internal side of your router will be your default gateway.

So, the router will get a dynamic IP from Comcast and allow you to support a small domain on the other side. I have done this a hundred times. When our NOAA ships pull into port I have them set up EXACTLY like this except we use Roadrunner service. I also did this with Qwest as a High-Speed Data Tech. Your Linksys router will appear to the modem like a single computer that accepts dynamic IPs. So, it will work just fine.

If you have problem getting DHCP from comcast to your router, then unplug and plug in your router. Sometimes these settings are lost and you just need to reset things a little.

If you still have problems with the entire lan getting out to the WWW. Let me know and we will troubleshoot DNS. We made a lot of changes and may have overlooked something.

0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23614926
So, let's paraphrase and review:

_______________________________________________________________________
Connecting the hardware together:

Coax cable to the modem>>modem>>LAN connection of the modem>>WAN port of the Linksys router>>LAN side of the router with your computers, server and smart switches.
_________________________________________________________________________________
Configuring the different NODES:

Modem>>There are NO configuration changes you need to perform on your modem.

+++++++++++++++++++++++++++++++++
LINKSYS ROUTER>> (on the Setup tab)
  ~~WAN side-
1) get an IP from Comcast automatically (it also could say something like "get a DHCP address"). So, the WAN side is where you want to permit DHCP; this means get an IP dynamically from Comcast.
  ~~LAN side-
1) Give it a fixed IP, (that IP will be your default gateway for your entire LAN so it is very important)
2) its preferred DNS server is your Domain server NO outside servers. You want everything in your LAN to seek your DNS server prior to going to outside servers.
3) make sure the subnet mask is correct (default 255.255.255.0)
4) Disable it from providing DHCP
++++++++++++++++++++++++++
SERVER>>
NIC CONFIGURATION- (this is the same for all FIXED IP CLIENTS and SERVERS)
1) give it a fixed IP so all computers can contact it at will
2) its preferred DNS server should be manually set to be the server's OWN IP, ***NO OUTSIDE SERVERS.*** Leave the second preferred DNS server BLANK until you get another Microsoft DNS server.
3) click on the Advanced button and go to the Wins Tab. Enable LMHOST lookup and enable NETBIOS over TCP/IP, (not the default of netbios over DHCP)
4) Also on the advance settings>>DNS tab
   a) enable the radio button of "Append primary and connection specific DNS suffixes"
   b) check the box that says "Append parent suffixes of the primary DNS suffixes"
   c) check the box that says "Register this connection's addresses in DNS"
5) Also on the Advanced settings>>TCP/IP tab
   a) configure your default gateway to be the internal fixed IP of the Linksys router

DHCP CONFIGURATION OF THE SERVER:
1) Go to the DHCP snapin and configure the scope options like this:
   a) configure your default gateway to be the LAN side fixed IP you gave the linksys router
   b) configure your list of DNS servers to be the IP of your server, NO OTHERS
   c) configure your router to be the router's IP

(NOTE) once DHCP scope options are corrected, you will have to go to your DHCP clients and renew their IP addresses to accept the configuration settings.
 

NOTE: now everything points to your internal LAN for DNS queries, it's now time to show your LAN how to get to the outside world for DNS resolution:

DNS CONFIGURATION OF YOUR SERVER:
Navigate to the forwarders settings by:
Open the DNS snapin>>right click your server and go to properties>>go to the forwarders tab of your server.
1) Make your forwarders Comcast's DNS servers 69... or 68... servers. THIS IS THE >>ONLY<< PLACE ON THE NETWORK YOU CONFIGURE OUTSIDE DNS SERVERS FOR DNS RESOLUTION.

NOTE) An alternative to configuring forwarders is to disable recursive lookups. That will default the server to Root Hints servers. Root Hints servers are a list of public DNS servers that come pre-configured on Win 2003 server. So, you don't have to configure them at all. Just disabling Recursive lookups on the forwarders tab in DNS will cause your domain server to default to Root Hints servers. So, if you continue to have problems with outside DNS on the entire network, then it sounds like a problem with your forwarders having bad addresses. So, try Root Hints servers.

Once all settings are done:
Go to the server's command prompt and type:

IPconfig /flushDNS
Net Stop Netlogon
Net Start Netlogon
____________________________________________________________________________
If you are in the Seattle area, I would be willing to drop by and guide you through this voluntarily. Just the name of the school and I would coordinate a time with you and show up.
0
 

Author Comment

by:Robert Ehinger
ID: 23616395
I would love it if you could drop by and our current weather would make you feel right at home but I am in Huntington, IN. a long ways from Seattle. I will be working on this issue tomorrow and will provide feedback.

There is one other question that I have regarding problems we have with this setup. The cable that comes from the outside to the modem goes from a connection on the side of the school, up about 25 or 30 feet, across the roof of the gym (about 100 feet), another 30 or so feet to the area above the server room and then probably 20 feet down to the server. Could the length of this cable be partly the cause of our poor performance as far as intermittent connection issues? If so, what can we do about it? Is there a hardware solution? The cable and modem are new and there are no splices in the cable.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23617823
No, Comcast adjusts the levels of your signal to accommodate such runs. We run our cable modems 500' sometimes, without issue. What they do is check the levels at the modem and adjust accordingly.

DNS has been your issues all along.
0
 

Author Comment

by:Robert Ehinger
ID: 23622638
Maybe I have been looking at this too long but I cannot find where to set the router's preferred DNS server. Also, with the configuration noted above I can only access the Internet with the clients and then only if their preferred DNS server is statically set to 192.168.0.250 (the router's IP address). The server still does not get on the Internet.
0
 

Author Comment

by:Robert Ehinger
ID: 23622689
Also, what did you mean in #2 under server when you wrote - it's preferred DNS server should be manually set to be the server's OWN IP, ***NO OUTSIDE SERVERS.** Leave the second  preferred DNS server BLANK until you get another microsoft DNS server.
0
 

Author Comment

by:Robert Ehinger
ID: 23623288
OK I was online for a while and had Google up. Windows updates downloaded but then I lost my connection. I can successfully ping several sites such as google, ndnation and experts exchange but I could not ping yankees.com, ivytech.edu or microsoft.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23627489
Little Q/A, huh?:

Q: ""Maybe I have been looking at this too long but I cannot find where to set the router's preferred DNS server. ""

A: The router has two sides to its configuration. One is the WAN side and the other is the LAN side. On the LAN side is where you set up your server as the preferred DNS server, if that setting is available. I am pretty sure it is there on a Linksys router, but it might not be.
++++++++++++
Q: "Also, with the configuration noted above I can only access the Internet with the clients and then only if their preferred DNS server is statically set to 192.168.0.250"

A: Have you made the DHCP scope option changes and renewed your DHCP client's IPs? If so, you may have a ROGUE DHCP server. What is a rogue DHCP server, you might ask? A rogue DHCP server is a DHCP server that you don't want supplying DHCP and it is supplying DHCP. Rogue DHCP servers interfere and will shut down your Windows server's DHCP. To find a rogue DHCP server, run a little program called DHCPloc.exe. Usually rogue DHCP servers are your ROUTERS and MASS STORAGE DEVICES. So, triple check your router's LAN side and make sure your router is NOT supplying DHCP to your LAN but IS getting DHCP from comcast on the WAN side.
++++++++++++++++++++++++++++++++++
Q:""Also, what did you mean in #2 under server when you wrote - it's preferred DNS server should be manually set to be the server's OWN IP, ***NO OUTSIDE SERVERS.** Leave the second  preferred DNS server BLANK until you get another microsoft DNS server.""

A: This means you are going to manually set your server's NIC preferred DNS server to its own IP.
Example of the NIC settings on the server:

IP: 192.168.0.250
Subnet Mask: 255.255.255.0
Default gateway: (your router's IP)
Preferred DNS server 1: 192.168.0.250
Preferred DNS server 2: (Blank)
+++++++++++++++++++++++++++++++++++
Q: ""OK I was online for awhile and had google up. Windows updates downloaded but then I lost my connection. I can successfully ping several sites such as google, ndnation and experts exchange but I could not ping yankees.com, ivytech.edu or microsoft.""

A: It looks like your packets are getting fragmented by possibly MTU channels. Because of this discrepancy you are having intermittent communications. This is my favorite thing to track down and fix on EE. We are going to have to troubleshoot and fix this for you. It appears your server is intermittently communicating. So, let's start there.

Please provide an IPconfig /all of the server, provide DC diagnostics by going to the command prompt and typing DCdiag /verbose, and let me know what service pack you are currently on.

NOTE: We are going to use NSlookup for most of our troubleshooting rather than ping. NSlookup will tell you where the packet stops. Also Ping is a multi-communications protocol troubleshooting tool unless specifically tasked to do otherwise. This means Ping is used to troubleshoot DNS, Netbios, and ARP while NSlookup is strictly for DNS troubleshooting.

 
0
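The "rogue DHCP server" check above (and the DHCP scope options earlier in the thread) can be verified against what a server on the LAN actually replies with. The following is an added example in Python, not code from the thread and not DHCPloc: it decodes the options of a DHCP OFFER/ACK (byte layout per RFC 2131/2132) and compares the server identifier, router and DNS options with the values prescribed for this network. The expected values (DHCP and DNS only from 192.168.0.3, gateway 192.168.0.250) are an assumption taken from the thread, and the packets are constructed in memory purely to exercise the parser; nothing is sent on the wire.

```python
import struct
import ipaddress

# Expected scope values for this LAN, taken from the thread (assumption):
# the server is the only DHCP and DNS server, the Linksys LAN IP is the gateway.
EXPECTED = {
    "server": "192.168.0.3",
    "router": "192.168.0.250",
    "dns": ["192.168.0.3"],
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _ip_list(raw: bytes) -> list:
    """Split an option value into dotted-quad strings, 4 bytes per address."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(0, len(raw) - len(raw) % 4, 4)]


def parse_dhcp(packet: bytes) -> dict:
    """Decode the BOOTP header and the DHCP options relevant to a scope audit."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    options = {}
    i = 240
    while i < len(packet):
        tag = packet[i]
        if tag == OPT_END:
            break
        if tag == 0:                          # pad byte, has no length field
            i += 1
            continue
        length = packet[i + 1]
        options[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),   # address offered
        "msg_type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
        "server_id": (_ip_list(options.get(OPT_SERVER_ID, b"")) or [None])[0],
        "router": _ip_list(options.get(OPT_ROUTER, b"")),
        "dns": _ip_list(options.get(OPT_DNS, b"")),
    }


def audit_offer(packet: bytes, expected: dict = EXPECTED) -> list:
    """Return findings (empty list = clean) for a server reply seen on the LAN."""
    info = parse_dhcp(packet)
    findings = []
    if info["msg_type"] not in ("OFFER", "ACK"):
        return findings                       # only server replies carry scope options
    if info["server_id"] != expected["server"]:
        findings.append(f"rogue DHCP server: reply from {info['server_id']}, "
                        f"expected {expected['server']}")
    if info["router"] != [expected["router"]]:
        findings.append(f"bogus default gateway {info['router']}, "
                        f"expected {expected['router']}")
    for dns in info["dns"]:
        if dns not in expected["dns"]:
            findings.append(f"outside DNS server {dns} handed to clients; "
                            f"only {expected['dns']} should be")
    return findings


def build_offer(yiaddr, server_id, router, dns_servers, xid=0x3903F326) -> bytes:
    """Build a minimal DHCPOFFER in memory (constructed sample data, never sent)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)      # BOOTREPLY, Ethernet
    hdr += _ip("0.0.0.0") + _ip(yiaddr) + _ip(server_id) + _ip("0.0.0.0")
    hdr += bytes.fromhex("001122334455") + bytes(10)           # chaddr (16 bytes)
    hdr += bytes(64) + bytes(128)                               # sname, file
    dns_raw = b"".join(_ip(d) for d in dns_servers)
    opts = (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, 2])
            + bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
            + bytes([OPT_SUBNET, 4]) + _ip("255.255.255.0")
            + bytes([OPT_ROUTER, 4]) + _ip(router)
            + bytes([OPT_DNS, len(dns_raw)]) + dns_raw
            + bytes([OPT_END]))
    return hdr + opts


if __name__ == "__main__":
    good = build_offer("192.168.0.51", "192.168.0.3", "192.168.0.250", ["192.168.0.3"])
    # A router that still has its own DHCP enabled hands out the ISP's resolvers:
    rogue = build_offer("192.168.0.100", "192.168.0.250", "192.168.0.250",
                        ["68.87.72.130", "68.87.77.130"])
    for name, pkt in (("expected server", good), ("router", rogue)):
        print(name, audit_offer(pkt) or ["clean"])
```

Run it and the constructed router reply produces three findings (wrong server identifier, two outside DNS servers), while the reply from the expected server is clean. The same `audit_offer` can be fed a real OFFER captured with a packet sniffer on a client that has just run `ipconfig /renew`.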
 

Author Comment

by:Robert Ehinger
ID: 23628322
OK, here is the latest and I did all of this before I saw your latest response. I got to thinking about the second NIC and why it was active when I first took this job. There is/was no one here to answer that question, no files or notes to refer to. So I wondered if maybe they used the second NIC to connect the server to the Internet and then disconnected the cable as a security measure when the connection was not required. So, I enabled the second NIC, gave it its own static IP settings and I was able to get online. I downloaded and installed all of the current updates for Windows and for our anti-virus. I then disconnected the Ethernet cable from the second NIC and still had access with all of the clients.

I don't know that this is a proper setup but it seems to be working and it actually does provide an additional layer of security in case some unauthorized individual gets access to the server.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23630208
That is the reason I was looking for an IPconfig /all of the server.

Even with the cable disconnected, your server is still multihomed. Multihomed servers are problematic at best for even some of the best IT administrators. It messes with things like DNS, DHCP and netbios. This means you will experience intermittent problems with internet and communications with your clients.

Let's talk about IT security for a moment. IT security is best handled through a set of best met practices. 99.99 percent of all malicious code out there must have the operator initiate the install of the virus, worm or other types of malware. Let me explain why. You are behind a NAT firewall that changes your outside IP address that Comcast gives you to an internal IP (called a private IP space). 192.168.0.250 means nothing to me. I can not contact your server unless I know the outside IP of your server. Even then, firewalls and your ISP's firewall will block most all communications to your server from a remote location unless you provide a door to the outside world that bypasses the firewall. This means if you download a virus or a trojan of some sort they may have access to your server.

What best met practices means is this:
--Have strong passwords that are not easily guessed so if they get past firewalls you have something hard to crack
--don't download things from other sites unless you absolutely trust the site
--don't open up email attachments while on your server
--don't directly hook up your server to your modem or to an outside IP.

Your DNS and therefore Internet problems come from disconnecting your second NIC and not DISABLING IT.

Let's say NIC 1 is busy and your server automatically defaults DNS queries to NIC 2. NIC 2 is not disabled, but it is disconnected. This means you will not be able to get out to the internet and you will probably have problems with your clients. When a NIC is busy, it defaults to the other NIC. By telling the computer you have ONE NIC to operate with, you are pointing all traffic to that NIC and not to a dead end. Now let's say that one NIC is busy; now it has to share its resources to accommodate the LAN.

Go to that NIC you disconnected and right click it. Now, disable it. Don't use it on the server. Use only one nic and let's get your DNS straight so you can use the internet off that one NIC. To keep your server secure, don't do crazy things on the server and use some best met practices to keep it from downloading a virus or some form of malicious code.

Now you may need to make sure you don't have SRV records in DNS for that NIC you disabled. If you do, the clients may try to contact that nic that no longer exists. Or the server may try to rely upon that nic that no longer exists. Disconnecting that NIC is not enough, it must be disabled.

Once done, provide an IPconfig /all. If that is straight, we will correct DNS.

0
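The ipconfig /all that ChiefIT keeps asking for is what reveals both problems at once: a second adapter that still holds an address, and a NIC whose DNS servers are outside addresses rather than the server itself. Added example (mine, not the poster's output, which was attached as a screenshot, and not anything from the thread): a small Python parser for ipconfig /all text in the Windows Server 2003 format, with an audit that flags those conditions. The sample output is constructed; adapter 2 uses the thread's addresses and adapter 1 and its values are invented to show the findings.

```python
import re
import ipaddress

# Constructed sample of `ipconfig /all` output in the Windows Server 2003 format
# (not the poster's real output): adapter 2 is configured the way the thread
# prescribes, adapter 1 is the leftover NIC that still points at ISP resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER
   Primary Dns Suffix  . . . . . . . : school.example
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Constructed NIC 2
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.250
   DNS Servers . . . . . . . . . . . : 192.168.0.3

Ethernet adapter Local Area Connection 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Constructed NIC 1
   Physical Address. . . . . . . . . : 00-11-22-33-44-66
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.250
   DNS Servers . . . . . . . . . . . : 68.87.72.130
                                       68.87.77.130
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
# "Key . . . . : value"; the dotted leader is absorbed by [ .]*
FIELD_RE = re.compile(r"^\s+(\S.*?)[ .]*:\s?(.*)$")


def parse_ipconfig(text: str) -> dict:
    """Map adapter name -> {field: [values]}; indented lines without a colon
    (a second DNS server) extend the previous field. IPv4-era format only."""
    adapters, fields, last_key = {}, None, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            fields = adapters.setdefault(header.group(1), {})
            last_key = None
            continue
        if fields is None or not line.strip():
            continue                                   # global section or blank line
        field = FIELD_RE.match(line)
        if field:
            last_key = field.group(1)
            values = fields.setdefault(last_key, [])
            if field.group(2).strip():
                values.append(field.group(2).strip())
        elif last_key:
            fields[last_key].append(line.strip())     # continuation value
    return adapters


def _is_outside(addr: str) -> bool:
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def audit_ipconfig(text: str) -> list:
    """Findings (empty = clean) for a domain/DNS server's NIC configuration."""
    adapters = parse_ipconfig(text)
    active = {n: a for n, a in adapters.items() if a.get("IP Address")}
    own_ips = {ip for a in active.values() for ip in a["IP Address"]}
    findings = []
    if len(active) > 1:
        findings.append(f"multihomed: {len(active)} adapters have addresses "
                        f"({', '.join(active)}); disable all but one")
    for name, a in active.items():
        if a.get("DHCP Enabled") == ["Yes"]:
            findings.append(f"{name}: address comes from DHCP; a DNS server needs a fixed IP")
        dns = a.get("DNS Servers", [])
        if not dns or dns[0] not in own_ips:
            findings.append(f"{name}: preferred DNS server {dns[0] if dns else '(none)'} "
                            f"is not this server")
        outside = [d for d in dns if _is_outside(d)]
        if outside:
            findings.append(f"{name}: outside DNS servers on the NIC ({', '.join(outside)}); "
                            f"those belong only in the DNS forwarders list")
    return findings


if __name__ == "__main__":
    for finding in audit_ipconfig(SAMPLE_IPCONFIG) or ["clean"]:
        print(finding)
```

On a real box, redirect the command output to a file (ipconfig /all > ipconfig.txt) and pass the file's contents to audit_ipconfig; with the stray adapter disabled it should print "clean".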
 

Author Comment

by:Robert Ehinger
ID: 23633158
I am attaching the screen shot of ipconfig /all after disabling the second NIC. Physically, the NIC we are using is listed as Local Area Connection 2 and the one that is disabled is Local Area Connection 1. I have also included a screen shot of the IP settings I used for NIC #1 (now disabled) that got us out on the Internet. The DNS server info came from the status page of the router and is a Comcast DNS server.
ipconfig-all.bmp
NIC1.bmp
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23633403
Your IPconfig is PERFECT when Nic 2 is disabled.

The preferred DNS server of NIC two is one of comcast's DNS servers.

>>Just for instructional purposes:
Let's say you disabled NIC one and enabled NIC 2. Then you try to contact the internet. It would have looked at that comcast server and found an outside internet address. Now, you try to contact one of your clients. Your client would not have been found unless the client's record is in DNS cache. So, your client would have been skipped. This is what happens if you use an outside server as your preferred DNS server for ANY NIC on the LAN.

Now, let's go to the command prompt and type: IPconfig /flushdns and try to contact the internet.

If not, let's go to a client and see if it has communications to the internet.

Let me know the results of your findings. If your server doesn't have internet access, but your clients do, then let's fix the server.
0
 

Author Comment

by:Robert Ehinger
ID: 23637330
OK before I check this, which may be Monday until I get back to it, am I supposed to have Local Area Connection 1 (NIC 1) enabled with the ipconfig /all settings and Local Area Connection 2 (NIC 2) disabled? Currently Local Area Connection 1 is disabled and has the Comcast DNS server. Local Area Connection 2 is the active NIC with the ipconfig /all settings. Or does it really matter which one we use?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23637766
~~The one with the IPconfig /all settings is the one you want enabled.

~~The other one with comcast as the preferred DNS server should be disabled.

If that works for server and clients, let's watch it to see if we succeeded in DNS and removing multihomedness on your server. If not, tell me of the issues you see, and let's fix them.
0
 

Author Comment

by:Robert Ehinger
ID: 23642964
With the setup as you described the clients access the server and the Internet but the server does not get on the Internet.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23643943
OK:

Sounds like a port blockage on that NIC.

Let's see what a portqry says:

Portqry is a tool that you can use to figure out if your ports are accessible. Since you are having problems with the internet, it sounds like your issue is with port 80, the HTTP port. Go to your server's command prompt and type:

portqry -n 192.168.0.3 -p both -e 80,53

This checks both the HTTP port 80 and DNS port 53
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23643945
Let's also get an idea of what service pack you are on. If service pack 1, we may need to update to SP2.
0
 

Author Comment

by:Robert Ehinger
ID: 23644851
I will do the port query tomorrow. We are on SP2.
0
 

Author Comment

by:Robert Ehinger
ID: 23660492
I had to download and install Port Query so I got the version with the User Interface. Anyway, I am sending a screen shot of the results. It appears that port 53 is OK but port 80 is not listening. We have Norton Antivirus running but I don't see a firewall with it and the Windows firewall is disabled.
Port-Query.bmp
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23665962
It is accessible, but your server may be looking for the wrong NIC for its default gateway.

Let's try to clear the arp cache>>

http://www.tech-faq.com/clear-arp-cache.shtml
+++++
and make sure the non-disabled NIC has control of the gateway>>

http://technet.microsoft.com/en-us/library/cc779696.aspx
+++
then, let's make sure the security settings are not denying you access to these sites because third party cookies are disabled.

Go to the browser, security settings and set them all back to default settings. For Explorer, click on the blue world icon in the bottom right corner and make sure the zone and cookie settings are all set to default levels. Then, clear the cookies and history of the server.
0
 

Author Comment

by:Robert Ehinger
ID: 23698024
OK, I did all of the above and we have the same situation. Nothing has changed. I cleared the arp cache, checked the NICs for gateway control and reset the browser security settings. What next?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23718016
OK, port 80 is shut down (not listening according to portqry)


Zone Alarm by default should stop incoming traffic to port 80 unless you specify otherwise. Also TCP filtering may be the issue:

To check TCP filtering, go to the NIC configuration>>TCP/IP properties>>Advanced button>>Options tab and see if you are filtering and if port 80 was made an exception, (if you filter your TCP/IP connections).

0
 

Author Comment

by:Robert Ehinger
ID: 23745670
OK, I checked the TCP filtering and here is what I found -

"Enable TCP/IP Filtering (All Adapters)" was NOT checked.
All 3 "Permit Only" radio buttons were checked.

Just for funsies I checked the "Enable TCP/IP Filtering (All Adapters)" check box and clicked all of the "Permit All" radio buttons. I then tried to access the Internet and, at first I thought it was going to but then the connection timed out. I tried again with Firefox and IE with no success.

I then did a port query of port 80 and it is still not listening.

So then I put it back like it was originally except I added TCP port 80 under the TCP ports list.
I ran port query again and got the same message.

The last thing I did was to check the "Enable TCP/IP Filtering (All Adapters)" check box and clicked all of the "Permit All" radio buttons except for the one for TCP ports. I clicked "Permit Only" and added port 80.

No access to the Internet and port query still shows port 80 not listening.

Any other suggestions?

Thanks!

Robert
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23925577
Sorry for not replying earlier Robert.

I have to rely upon some research, because I am stumped.

Found this:

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Q_22736533.html
0
 

Author Comment

by:Robert Ehinger
ID: 23925880
Thanks for the link I will see if that helps. While working on this issue all of the sudden all of our connections are really slow. At first I thought it was when an entire class went to the lab and logged in but it doesn't matter if it is a whole class or just one user, the connection to the server is brutally slow.
0
 

Author Comment

by:Robert Ehinger
ID: 23929637
I am sending several screen shots because I don't know how much of this is related, probably all of it. It is even to the point that I can't add computers to the domain. Actually, they are the same computers, we just replaced hard drives and loaded a fresh copy of Windows XP Pro. I give them the same computer name as before and they show up in the A records but not in Active Directory Users and Computers. When I try to add them in Active Directory Users and Computers I get a message that the computer name is already in use. Anyway, some of the screen shots deal with this issue.

Also, there are several errors noted in the event log. Event 6702 seems to be the most common. The description is as follows and leads to the question, should I delete the 192.168.0.1 record or change it to 192.168.0.250?

DNS server has updated its own host (A) records.  In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
 
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
 
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
 
To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact.  (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner.  It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

Thanks for your help.

Robert
Error1.bmp
Error2.bmp
TCPIP.bmp
tcpip-details2.bmp
0
 

Author Comment

by:Robert Ehinger
ID: 23990774
I hope someone is still there - OK, I reinstalled DNS and we seem to be maintaining connection to the network but cannot add any nodes. The only way to stay connected, though, is with static DNS servers on all the clients. If a printer or drive is already mapped then it seems to be OK but if we try to map a drive or printer we can't get there. These are drives and printers that may be mapped to other clients and are working OK there. Essentially, our DHCP server is not able to act as our DNS server as well. Any ideas?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23998003
Hi robert:

It's been a while. I am lost at where we are at. So, I am going to provide an all inclusive fix for you in lay terms. Some of these fixes are going to be already in place and will be a repeat from above:

OK: So I have a list of things I think we need to do in order.

Multihomed fixes::
1) To make sure we are on ONE Single NIC. Ensure the second NIC is DISABLED, not just disconnected. A disabled NIC can be bound to via DHCP, DNS, and netbios.

2) To straighten out DHCP:
    2a) Download and run DHCPloc.exe to determine if you have any rogue DHCP servers. Rogue DHCP servers would include your router if it is supplying DHCP.

NOTE:  DHCPloc.exe is found on the 2003 server support tools. To get these tools, go to your install disk of 2003 server and manually navigate to the folder D:/support/tools. There is an install file for all these tools and you probably already have installed them. A part of these tools will be dcdiag and netdiag. Very useful tools.

Explanation of DHCP locate:
http://technet.microsoft.com/en-us/library/cc759117.aspx

    2b) you need to make sure it is not trying to provide DHCP to the NIC you disabled. In other words
    2c) Go into DHCP scope options, and make sure the DNS server list is set to only your windows DNS server

3) To straighten out DNS
    3a) Register the SRV records. To do so, let's verify these SRV records, first: I believe you have SRV records for both the disabled NIC and the enabled NIC.
How to verify your SRV records:
http://support.microsoft.com/kb/241515

If NO SRV records exist, go to the command prompt and type:
Net stop netlogon
Net start netlogon

Restarting the netlogon service should register your SRV records for you.
 
If the SRV records for both NICs are present, then you will have to delete your SRV records, download this patch and re-register your SRV records:
http://support.microsoft.com/?id=832478

    3b) Make sure all fixed IP clients and servers don't have any outside DNS servers listed as a preferred DNS server. You can do this by going to the command prompt and typing IPconfig /all.

    3c) Straighten out DNS scavenging. DNS scavenging deletes old records from DNS. If the scavenging is set prior to the DHCP lease expiration or the SRV records' time to live, the Host A records of your DHCP clients and your SRV records can be deleted. You will want to set your DNS scavenging to after your DHCP lease duration expires. So, if you have an 8 day DHCP lease, you can set DNS scavenging to a 7 day refresh and 2 day no-refresh for a total of a 9 day DNS scavenging date. To do this, follow this link:
http://windowsitpro.com/article/articleid/95228/configuring-dns-scavenging.html
    3c) Make sure no HOST records are configured on servers and clients. The hosts file is a file that a client or server will look at prior to going out to the DNS server for DNS resolution. If the hosts file is configured, the client or server with that hosts file may think it can provide DNS for itself. During a DNS query, the client will always try to resolve a DNS query by itself by first looking at its own hosts file, then within its own DNS cache. So, if you are having DNS problems you will want to check this hosts file, and flush the DNS cache. The hosts file is found on all machines at C:\Windows\system32\drivers\etc\hosts. To flush the DNS cache, go to the command prompt and type IPconfig /flushdns.

    3d) Flush the Server's DNS cache
   
    3e) Now we need to set up forwarders. I recommend setting your forwarders to your router's LAN IP. Why do I do this, you might ask. Your router is between you and your ISP. It gets a Dynamic IP from your ISP. Along with that Dynamic IP, it also receives a list of DNS servers from your ISP. But, it does this dynamically. So, if your ISP takes a DNS server off line, (without your knowledge), you will not get a bad IP to forward DNS queries to. The router automatically updates your forwarding servers for you.  Those 64.... addresses on your WAN server for DNS are the servers you will be forwarding to for DNS.

To set forwarders, open up the DNS snap-in>right click on the forward lookup zone of your domain> and select properties. Select the forwarders tab. You only have to enter in your router's LAN IP (the 192... address) for a forwarder. Then, enable the recursion checkbox.

4) to straighten out netbios
   4a) You already disabled the second NIC. So all you have to do is flush the WINS/NetBIOS cache. To do this, go to the command prompt of the server and type: NBTSTAT -rr. Now we need to make sure it binds to the right NIC for NetBIOS. To do so, reboot the server.

+++++++++++++++++++++++++++++++++++++++
Let me explain these errors to you and why you are having some difficulty:

Missing SRV records:
SeRVice (SRV) records are DNS records found on the DNS server. (not the router or an outside server). These records provide crucial points of contact to your domain controller. For one, they provide the IP to your authentication server. (This is the very reason you are having problems finding the domain server for joining or logging onto the domain).
Three things are the usual causes of these records missing:
 1) DNS scavenging deletes the records.
 2) Your server or clients are going to outside servers (as their preferred DNS server in the NIC configuration) to locate these SRV records.
 3) You have a dual NIC set up and one NIC may be an outside address. So, the client may see these SRV records, but the DNS server responds to the outside NIC and the client doesn't receive a confirmation back.

>>>The inability to contact your SRV records is the bane of your existence right now.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The ability to ping some websites, while not being able to reach them by using the URL, could be a DNS problem, but is most likely a firewall problem. Do you have zone alarm or symantec on this server? We may have to troubleshoot this a little more:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The ability of your clients to contact the internet, but not local machines or your server is because you have outside DNS servers on that machine's NIC configuration. You want your clients to look at your DNS server as the preferred DNS server. Your DNS server will forward the outside requests to outside servers if you need an outside lookup, like (google.com).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The inability to see some machines in "my network places" comes from having two NICs. NetBIOS may have bound to the second NIC and you may have had problems with network shares and browsing the LAN.


______________________________________________________________________________
Reference material for you: (I highly recommend this read)

http://beta.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-TROUBLESHOOTING-MADE-EASY.html
NOTE: If this link takes you to the main Articles page. Then, click "go to articles" and select the "networking" zone. There you will find an article called "DNS TROUBLESHOOTING MADE EASY" that I wrote for you.

let me know how things look after this!!! I will wait.
0
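The checklist above (one enabled NIC, no outside DNS server listed on any LAN NIC, scavenging that cannot outrun the DHCP lease) can be checked mechanically against a saved `ipconfig /all` dump. The Python script below is an added example written for this thread, not code posted by ChiefIT or Robert and not a Microsoft tool: the adapter names, the `example.local` suffix, the 203.0.113.x addresses standing in for an ISP's DNS servers, and the `parse_ipconfig`, `audit` and `scavenging_is_safe` function names are all constructed for the example.

```python
"""Audit a saved `ipconfig /all` dump for the multihoming and preferred-DNS
mistakes described in the post above (constructed example, not thread output)."""
import ipaddress
import re

# Constructed sample in the shape of `ipconfig /all` on Windows Server 2003.
# Two adapters both hold an address (multihomed) and the first one lists
# an outside DNS server (203.0.113.x is a documentation range, used here as
# a stand-in for an ISP resolver).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc1
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Constructed adapter 1
   IP Address. . . . . . . . . . . . : 192.168.0.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.250
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Constructed adapter 2
   IP Address. . . . . . . . . . . . : 192.168.0.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.250
   DNS Servers . . . . . . . . . . . : 192.168.0.3
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
# "Key . . . . : value"; the key is letters, spaces and hyphens, the dots are padding.
KV_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Return {adapter name: {key: [values]}}; multi-line values (DNS Servers)
    continue on indented lines without a colon."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current, last_key = m.group(1), None
            adapters[current] = {}
            continue
        if current is None or not line.strip():
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            adapters[current].setdefault(key, [])
            if value:
                adapters[current][key].append(value)
            last_key = key
        elif last_key:
            adapters[current][last_key].append(line.strip())
    return adapters


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def audit(adapters, internal_dns):
    """Findings, as strings: more than one adapter holding an address, any
    outside DNS server on a NIC (it belongs in forwarders only), and any LAN
    DNS server that is not the domain's own DNS server."""
    findings = []
    enabled = [name for name, a in adapters.items() if a.get("IP Address")]
    if len(enabled) > 1:
        findings.append("multihomed: %d adapters hold an IP address: %s" % (len(enabled), ", ".join(enabled)))
    for name, a in adapters.items():
        for dns in a.get("DNS Servers", []):
            if not is_private(dns):
                findings.append("%s: outside DNS server %s on the NIC; it belongs in forwarders only" % (name, dns))
            elif dns != internal_dns:
                findings.append("%s: DNS server %s is not the domain DNS server %s" % (name, dns, internal_dns))
    return findings


def scavenging_is_safe(lease_days, no_refresh_days, refresh_days):
    """A record must not become eligible for scavenging before the DHCP lease
    that created it expires, so no-refresh + refresh must exceed the lease
    (the post's 8 day lease with 2 + 7 days passes)."""
    return (no_refresh_days + refresh_days) > lease_days


if __name__ == "__main__":
    for finding in audit(parse_ipconfig(SAMPLE_IPCONFIG), "192.168.0.3"):
        print(finding)
    print("scavenging safe:", scavenging_is_safe(8, 2, 7))
```

Run it against a dump saved with `ipconfig /all > ipconfig.txt` by reading that file into `parse_ipconfig` instead of the constructed sample; an empty findings list for the server, with the domain controller's own address as the only DNS server, is the state the post is steering toward.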
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23998043
Ah, crikey:

type-oh:
1) To make sure we are on ONE Single NIC. Ensure the second NIC is DISABLED, not just disconnected. A disabled NIC can be bound to via DHCP, DNS, and netbios.

Should have read:
1) To make sure we are on ONE Single NIC. Ensure the second NIC is DISABLED, not just disconnected. A disconnected NIC can still be bound to via DHCP, DNS, and netbios.

I also missed one:

2d) let's make sure we are not bound to that disabled NIC. To do this:
DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding

You can disable any binding from providing DHCP. You want to disable the NIC binding of the nic you disabled. (NIC 2 I believe)
0
 

Author Comment

by:Robert Ehinger
ID: 23999636
I will be back at the school this morning and then I will provide feedback. Actually, though, NIC2 is the one we are using.
0
 

Author Comment

by:Robert Ehinger
ID: 24002266
OK, I went through your instruction step by step and here are the results -

I am attaching a screen shot of the Bindings.

When I tried the Net Stop netlogon command it said it was stopping then I got a message that it couldn't be stopped. I looked in the services list and the status was "Stopping." I waited at least 15 minutes before resuming and the status was still stopping. I decided to continue with your instructions.

Even with the changes we can still only access the Internet and the server with static IP addresses 208.67.222.222 and 208.67.220.220.

I am attaching several other screen shots for you to analyze.

Another thing that may be completely unrelated, and then it might not, our server is running extremely slow and we continually get a low virtual memory error. We have a 2.8 GHz CPU and 1 GB RAM. The paging file is set at 1535 MB.

For some of the other items you mentioned-
Missing SRV records:

Three things are the usual causes of these records missing:
 1) DNS scavenging deletes the records.

Change that setting per instructions

 2) Your server or clients are going to outside servers (as their preferred DNS server in the NIC configuration) to locate these SRV records.

As I already mentioned, that seems to be the only way to get connected.

 3) You have a dual NIC set up and one NIC may be an outside address. So, the client may see these SRV records, but the DNS server responds to the outside NIC and the client doesn't receive a confirmation back.

NIC #1 is disabled and set to automatic on both counts.


The ability to ping some websites, while not being able to reach them by using the URL, could be a DNS problem, but is most likely a firewall problem. Do you have zone alarm or symantec on this server? We may have to troubleshoot this a little more:

We do have symantec installed.

I am also including screen shots of the TCP/IP error message we have been receiving when we start the server and when I restarted it today as well as the error I get when I try to add a client to the domain.
And screen shots of the DNS Management Window before and after DNS reinstall.

Thanks for your help.

Bindings.bmp
Forwarders.bmp
Netbios.bmp
NIC1-TCPIP.bmp
IPCONFIGall.bmp
TCPIP-Services.bmp
TCPIP-ServicesTechInfo.bmp
Domain-Error-1.bmp
Domain-Error-2.bmp
Domain-Error-3.bmp
dnsmgt-previous.bmp
dnsmgt-today.bmp
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24003133
Looks like you are having problems with the TCP/IP stack. Uninstall TCP/IP on the server's NIC configuration, and reinstall it.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24003145
Also, if this is SP1, update to SP2. Some issues with the TCP/IP stack were fixed with SP2.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24003173
The server's list of preferred DNS servers should be only itself, the only place you want an outside DNS server listed is in DNS forwarders or Root hints.

Go back to the Forwarders tab, under DNS snapin>>zone properties and uncheck the little box that says, disable recursive lookups for this connection. That will enable your forwarders.

Disabling recursion defaults you to root hints servers.
0
 

Author Comment

by:Robert Ehinger
ID: 24005989
>looks like you are having problems with the TCP/IP stack. Uninstall TCP/IP on the server's nic configuration, and reinstall it.>

Should I use the instructions in this article? This is a new procedure for me. http://support.microsoft.com/kb/325356

>Also, if this is SP1, update to SP2. Some issues with the TCP/IP stack were fixed with SP2>

We are up to SP2.

>The server's list of preferred DNS servers should be only itself, the only place you want an outside DNS server listed is in DNS forwarders or Root hints.

Go back to the Forwarders tab, under DNS snapin>>zone properties and uncheck the little box that says, disable recursive lookups for this connection. That will enable your forwarders.

disabling recursion defaults you to root hints servers.>

The server IP address is the only DNS server listed for the server itself. It is on the clients that we are using the static DNS addresses 208.67.222.222 and 208.67.220.220. I will do the other things you mentioned. I may not get back to the school until Monday morning but I will give you feedback after that.

Thank you!!

0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24006975
A winsock reset will probably work well in this case. So, the article looks to be a good start.
0
 

Author Comment

by:Robert Ehinger
ID: 24034715
OK, I followed the instructions in the article to the letter and here is the current situation. I am attaching screen shots of dcdiag and netdiag both after they ran for over 20 minutes. In fact, they were still running when I had to leave for the evening. You can't tell by the screen shots but the cursor was blinking as though there was some sort of activity going on.
I still can not add any node to the network. Those screen shots are attached as well as are the current TCP/IP settings.

Oops, somehow the netdiag screen shot didn't make it to my flash drive.

Please advise.

Thanks!!
Name-Change.bmp
Details1.bmp
Details2.bmp
DCdiag.bmp
TCPIPProperties.bmp
AdvancedTCPIP.bmp
DNS.bmp
WINS.bmp
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24035220
Good screen shots, very helpful:

In the NIC configurations of your client and server machines, on the WINS tab, change NetBIOS over DHCP to NetBIOS over TCP/IP and reboot the server and client afterwards.

Now we have metadata in DNS:

To clean this up, (with such a small domain), it is easy. Let's go into the DNS snapin>>forward lookup zone>>and remove any DNS records that are associated with outside IP addresses.

We also need to clean up the SRV records. It appears like the disabled NIC, (the one not on your private IP space 192.168....),  was the second NIC. If this is true, your domain controller used the outside IPs as your private IP space. So, those were registered as the primary point of contact for your server. I have a document that will help you "VERIFY the SRV records' existence". You can use this as a reference to delete the IPs not used by the server with that second NIC disabled.

REMOVE ALL DNS RECORDS of the disabled NICs, including SRV records.
http://support.microsoft.com/kb/241515
0
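KB 241515, which the post points to, has you run nslookup with `set type=SRV` against `_ldap._tcp.dc._msdcs.<domain>` and read the answer by eye. The script below is an added example, not part of the thread and not a Microsoft tool: it parses a saved transcript of that nslookup output and flags SRV targets whose glue addresses are not addresses the server still holds, which is exactly the stale data from a disabled NIC the post says to delete. The domain `example.local`, the host name `dc1`, the transcript contents and the `parse_srv_transcript` and `audit_srv` function names are constructed for the example.

```python
"""Check domain-controller SRV records from a saved Windows nslookup transcript
(constructed example, not output from the thread)."""
import re

# Constructed transcript in the shape of Windows nslookup after `set type=SRV`.
# The glue records at the end still carry 192.168.0.4, an address belonging to
# the NIC that was disabled; that is the stale record the post wants removed.
SAMPLE_NSLOOKUP = """\
Server:  dc1.example.local
Address:  192.168.0.3

_ldap._tcp.dc._msdcs.example.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.local
_kerberos._tcp.dc._msdcs.example.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc1.example.local
dc1.example.local       internet address = 192.168.0.3
dc1.example.local       internet address = 192.168.0.4
"""

SRV_HEADER_RE = re.compile(r"^(\S+)\s+SRV service location:$")
FIELD_RE = re.compile(r"^\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)$")
GLUE_RE = re.compile(r"^(\S+)\s+internet address = (\S+)$")

# The two SRV names a client needs to find a domain controller; the first is
# the one quoted in the join error earlier in the thread.
REQUIRED_SRV = ("_ldap._tcp.dc._msdcs.{domain}", "_kerberos._tcp.dc._msdcs.{domain}")


def parse_srv_transcript(text):
    """Return (records, glue): records is a list of dicts with name, priority,
    weight, port and svr hostname; glue maps a target host to its addresses."""
    records, glue, current = [], {}, None
    for line in text.splitlines():
        m = SRV_HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1)}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            current[key] = value if key == "svr hostname" else int(value)
            continue
        m = GLUE_RE.match(line)
        if m:
            glue.setdefault(m.group(1), []).append(m.group(2))
    return records, glue


def audit_srv(records, glue, domain, live_addresses):
    """Findings: required SRV names that are absent (restart Netlogon to
    re-register them) and SRV targets that still resolve to an address the
    server no longer holds (delete that A record)."""
    findings = []
    names = {r["name"] for r in records}
    for template in REQUIRED_SRV:
        name = template.format(domain=domain)
        if name not in names:
            findings.append("missing SRV record %s; restart Netlogon to re-register it" % name)
    stale = set()
    for r in records:
        for addr in glue.get(r["svr hostname"], []):
            if addr not in live_addresses:
                stale.add((r["svr hostname"], addr))
    for target, addr in sorted(stale):
        findings.append("%s still has address %s; delete the A record left by the disabled NIC" % (target, addr))
    return findings


if __name__ == "__main__":
    recs, glue = parse_srv_transcript(SAMPLE_NSLOOKUP)
    for finding in audit_srv(recs, glue, "example.local", {"192.168.0.3"}):
        print(finding)
```

To use it on a real server, save the nslookup session to a file (`nslookup` then `set type=SRV`, then the two `_msdcs` names, with the console output redirected or copied), pass that text to `parse_srv_transcript`, and give `audit_srv` the set of addresses the server holds with the second NIC disabled.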
 

Author Comment

by:Robert Ehinger
ID: 24038848
I made the change on the WINS tab but I can't seem to find any SRV records. Maybe I am not following the instructions properly but I don't even see the folders they are asking for.
For clarification, I have NIC#1 and NIC#2. NIC#1 is disabled. It has been all along. Is it the one that should be disabled or should we be using it rather than NIC#2, or does it make a difference?
And now there is nothing except the server IP address in DHCP. I didn't think we had done anything to DHCP. I no longer see my reservations or scope or anything else. HELP.
0
 

Author Comment

by:Robert Ehinger
ID: 24038917
Here is the screen shot of the DHCP console.
DHCP.bmp
0
 

Author Comment

by:Robert Ehinger
ID: 24038974
New Scope on the Action Menu is greyed out.
0
 

Author Comment

by:Robert Ehinger
ID: 24039157
Sorry, never mind. I restarted the server and everything is as it should be in DHCP.
0
 

Author Comment

by:Robert Ehinger
ID: 24039493
One of the lines from the error message we get when trying to add a client to the domain is "The query was for the SRV record for _ldap._tcp.dc._msdcs.huntingtoncatholic.local" I do not have a folder anywhere that looks at all like  _ldap._tcp.dc._
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24045858
OK, this is your only server.

So, let's make sure it has ALL The five FSMO roles. We should verify them.

Then, let's KEEP NIC1 disabled, go to the command prompt and type these three lines:

IPconfig /flushDNS
Net Stop Netlogon
Net Start Netlogon

then, verify your SRV records again.

I am wondering if you set up your DNS zones yet??? If you configured your zones, go into the DNS snapin, select the zone, right click on the zone and select "connect to server". You may not be connected to the server in order to review the zones or SRV records.
0
 

Author Comment

by:Robert Ehinger
ID: 24049722
Here is a screen shot of the Forward Lookup Zones. There is no "connect to server" option. There are no Reverse. I still don't see any SRV records.
Zones.bmp
0
 

Author Comment

by:Robert Ehinger
ID: 24049922
Here are the results of the nslookup. Obviously, the second command, "_ldap._tcp.dc._msdcs.huntingtoncatholic.local" did not work since the first failed.
NSlookup.bmp
0
 

Author Comment

by:Robert Ehinger
ID: 24056360
I am completely lost. If there are SRV records I don't know how to find them. I have uninstalled and reinstalled DNS twice more and am getting nowhere. Here are the instructions I am following for reconfiguring DNS zones from a previous question someone asked in this forum -  My comments or questions in ()
"
So, you are going to have to recreate TWO Forward Zones:
jsldom.local and (mine would be huntingtoncatholic.local)
_msdcs.jsldom.local (and _msdcs.huntingtoncatholic.local)

Just right click on the SERVERNAME in the DNS Management Console and select New Zone....  do not change any of the defaults, enter jsldom.local on the screen that asks for it and finish out the wizard.

Then do it once more for _msdcs.jsldom.local.

Next, RIGHT CLICK on the new jsldom.local zone and select NEW DELEGATION.  In the second screen of that wizard enter just "_msdcs" (which will create the full _msdcs.jsldom.local below).  On the Name Server screen enter both your FULL SERVER NAME (server.jsldom.local) AND its IP address -- or you can click "Resolve" to have the IP automatically entered.  Then click ADD and finish out the wizard.
(If I click "Resolve" I get an error that it can't be resolved. I then put in the IP address 192.168.0.3)
Next... (you're almost there).

Stop the DNSSERVER and NETLOGON services.
Open Windows Explorer and go to C:\WINDOWS\system32\config  -- delete both netlogon.dns and netlogon.dnb files
Restart the DNSSERVER and NETLOGON services
Open a command prompt and enter
"IPCONFIG /FLUSHDNS" <enter>
"IPCONFIG /REGISTERDNS" <enter>"


OK, I have done all of the above with no luck. I still cannot access the network nor the Internet using my server IP as the preferred DNS server on the clients. Also, I still cannot add any clients to the domain because I continue to get the same error as mentioned a few posts above. I am still confused by the part of the error message that reads "The query was for the SRV record for _ldap._tcp.dc._msdcs.huntingtoncatholic.local" Where on earth is this record supposed to be and how do I recreate it if it doesn't exist.
I know I am being a bit of a pain but I am really getting frustrated with this one. I hope we can get it figured out soon. Is there anything on the client side I should be looking at or is this pretty much a server issue?

Thanks!!

0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24056848
@ Robert:

I am asking for someone to join us. He is the best tech in EE for DNS. The two of us work very well together, and you will find him most helpful.



Hello Chris:

Let me fill you in:

Dual NICs and the router was acting as a DHCP/DNS server. One NIC was disabled, the router was disabled from providing DHCP and therefore DNS. SRV records are missing and bad. DHCP may be bound to both NICs, even though one is disabled. The above screen shots of DNS and DHCP tell the remaining story. Author has tried to rebuild DNS a couple times.

NSlookup doesn't see the SRV records and Restarting the Netlogon service doesn't register the SRV's. So, I am thinking we may need to go back to the other NIC. Netbios seems to be bound to the wrong NIC as well.

We need to fix DHCP and DNS records and bind them to the right NIC. Welcome and thanks for the help Chris.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24057284
One more thing Chris:

There is a related question with additional information that RobWill was working on:
http://www.experts-exchange.com/Networking/Network_Management/Network_Design_and_Methodology/Q_24193255.html
0
 

Author Comment

by:Robert Ehinger
ID: 24062232
Ok, here is a synopsis of the situation and its current condition.

This network is a school network running Windows Server 2003 SP2 on the server and Windows XP Pro SP3 on the clients. We have client computers in every classroom and in the computer labs, one in each building. We have a Linksys router in the server room providing wireless access in the Middle School building and two Netgear routers providing wireless access in the Primary School building. The Linksys router has an IP address of 192.168.0.250. The Comcast modem connects to the router and then the router connects to the server. The two buildings are two blocks apart connected with fiber optic cable (I am told). Comcast is the service provider. There is no one here that had any involvement in the original setup of this network and there is no paperwork to reference.

When this discussion began the problem was getting the server to access the Internet. All of the clients could access the Internet and network resources but the server could not get out preventing us from downloading updates to various software applications.

Now the clients can access the network and Internet only if I set static DNS servers. The servers I have been using are 208.67.222.222 and 208.67.220.220. These are the same servers provided by OpenDNS. If I try to use the server IP (192.168.0.3) as the DNS server or set the clients to find DNS automatically I lose access to the Internet and the network.

As it stands right now, I can not add any clients to the network (screen shots of that error are attached), I can not add any printers to clients and the server can not access the Internet.

If I enable NIC#1 and assign it the IP address 192.168.0.4 and give it the static DNS servers 208.67.222.222 and 208.67.220.220 I can get on the Internet and download updates. When I do not need Internet access I disable NIC#1 and physically disconnect the Ethernet cable.

At some point in time the clients began bogging down when logging on to the network, taking several minutes to completely boot. It doesn't matter which account or how many users are logging on at the time. That was the point of the second discussion.

Last night I reinstalled DNS and have not made any changes to it since then. I am attaching many screen shots of DNS, DHCP, the router setup, dcdiag and netdiag. Hopefully this will help solve this problem.

Thanks!!
error1.bmp
error2.bmp
error3.bmp
dcdiag1.bmp
dcdiag2.bmp
netdiag1.bmp
netdiag2.bmp
netdiag3.bmp
netdiag4.bmp
netdiag5.bmp
netdiag6.bmp
hcsserverproper.bmp
htgncathlocgeneral.bmp
htgncathlocnameservers.bmp
htgncathlocsoa.bmp
msdcsgeneral.bmp
msdcsnameservers.bmp
msdcsproperties.bmp
msdcssoa.bmp
roothints.bmp
server.bmp
server2.bmp
server3.bmp
server4.bmp
server5.bmp
serveradvanced.bmp
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24067596
We are not far from getting things working stellar: (forgive the long post)

Explanation:

First off, let me explain a few things in the previous configuration. The old admin was using the second nic as sort of a proxy to the internet. It appears like he/she didn't want students surfing during class hours. So, when the students were in he would disable the second nic and stop any internet access for everyone. With that said, I do have an alternative for you that allows you to disable classroom machines at the click of a mouse. I will provide this later.

We messed up that original configuration while going under the assumption that you wanted internet access all the time. We disabled the LAN nic, not the one used for internet access. That's OK, we can easily fix this using the currently enabled NIC. Let's leave that second NIC disabled.

There are still a few bugs we need to troubleshoot and repair. One is DHCP. I still think you have a rogue DHCP server aboard. I also see that forwarders are NOT defined while recursion is enabled. This will block your internet access all together. Furthermore, I see that your currently enabled nic is disabled from registering its DNS settings within DNS, that too is an easy fix. This particular problem is preventing you from registering  your SRV records in DNS.  So, let's first fix these three discrepancies, one at a time.

1) rogue DHCP server:
I have been reading over all of the info on both posts and find out that you may still have a rogue DHCP server. 192.168.0.1 is probably providing DHCP. If so, it is probably providing DNS. If so, it will not hold your SRV records to its DHCP clients. Go to the command prompt and type NBTStat -a 192.168.0.1. That should provide you with the netbios name of the device. Go to that device and disable it from providing DHCP. Since it has the address of 192.168.0.1, and that IP is the default for mass storage devices and some routers, (and routers and storage devices often come with the default setting of providing DHCP to clients), I'll bet this is a mass storage device like a buffalo server or SNAP server.

At first, I thought rogue DHCP servers were causing your clients to have problems with communicating directly with the server. Your clients are not seeing the SRV records of your authentication server (192.168.0.3). I thought that was because you had a rogue DHCP server that also by default provides DNS. The problem with a router providing DNS is they don't store the SRV records of your authentication server. Instead, you will not be able to resolve your domain controller or distinguish it from another client. These routers and mass storage devices supply DHCP for home use. It is designed for folks without a DHCP server or DNS server. This is why they come default with DHCP and DNS services enabled.

2) registering DNS settings of the server.
I see the NIC we are working with doesn't have the "register this DNS server's suffix within DNS" option selected. The old IT tech realized that the second NIC would register itself in SRV and HOST A records of DNS. That would cause intermittent communications with the server and intermittent DNS access. However, that IT admin also has to download a patch to prevent this NIC from registering DNS regardless of that checkbox. For your NIC to register its DNS settings, you have to permit it to register within DNS.

3) Forwarders:
Forwarders or root hints are used to communicate with outside servers.

To be successful in DNS please read this article, (especially numbers 2 and 7).
http://rcpmag.com/features/article.aspx?editorialsid=413

Number 7 tells you how to set up forwarders, while number 2 tells you how to make sure you elect to register that DNS suffix correctly.


___________________________________________
Now, if you want to control Students from surfing the internet, you may want to review what is transpiring on this particular

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Proxy-Firewall_Anti-Virus/Q_24268403.html?sfQueryTermInfo=1+10+chiefit+school+teacher
0
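The rogue-DHCP check above is done by hand with NBTStat. As an added example (not ChiefIT's or anyone else's code from this thread), the following Python script shows the same idea done over packets: parse DHCPOFFER messages and flag any whose server identifier (option 54) is not on an allowlist. The allowlist entry 192.168.0.3 and the suspect 192.168.0.1 are the addresses discussed above; the packets themselves are constructed inline so the script runs offline, they are not captures from that network. It also extracts option 6 (DNS servers) because, as the post explains, a rogue DHCP server usually hands out itself as DNS and that is what breaks SRV lookups for domain clients.

```python
"""Detect DHCPOFFERs from servers that are not on an allowlist.

Added example, not from the thread. The authorised server 192.168.0.3 and the
suspect 192.168.0.1 are the addresses discussed in the thread; the packets are
constructed here for illustration, not captured from that network.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption: only the domain controller should be serving DHCP on this LAN.
AUTHORIZED_DHCP_SERVERS = {"192.168.0.3"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 options cookie
BOOTREPLY = 2
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER = 2


@dataclass
class DhcpOffer:
    server_id: str          # option 54: who claims to be the DHCP server
    yiaddr: str             # address offered to the client
    dns_servers: List[str]  # option 6: DNS servers the client would trust


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area; raise on truncation rather than guess."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(packet: bytes) -> Optional[DhcpOffer]:
    """Return a DhcpOffer for a DHCPOFFER, None for any other DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    if packet[0] != BOOTREPLY:
        return None
    opts = parse_options(packet[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    server_id = opts.get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        raise ValueError("DHCPOFFER without a valid server identifier")
    dns_raw = opts.get(OPT_DNS, b"")
    dns = [_ip(dns_raw[i:i + 4]) for i in range(0, len(dns_raw) - len(dns_raw) % 4, 4)]
    return DhcpOffer(_ip(server_id), _ip(packet[16:20]), dns)


def rogue_offers(packets: Iterable[bytes], authorized=AUTHORIZED_DHCP_SERVERS) -> List[DhcpOffer]:
    """Offers whose server identifier is not an authorised DHCP server."""
    found = []
    for pkt in packets:
        offer = parse_offer(pkt)
        if offer is not None and offer.server_id not in authorized:
            found.append(offer)
    return found


def build_offer(server_id: str, yiaddr: str, dns_servers: List[str]) -> bytes:
    """Build a minimal DHCPOFFER (constructed test data, not a capture)."""
    hdr = bytearray(240)
    hdr[0], hdr[1], hdr[2] = BOOTREPLY, 1, 6     # op, htype=Ethernet, hlen
    hdr[16:20] = _ip_bytes(yiaddr)               # yiaddr sits at offset 16
    hdr[236:240] = MAGIC_COOKIE
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + _ip_bytes(server_id)
    if dns_servers:
        dns = b"".join(_ip_bytes(d) for d in dns_servers)
        opts += bytes([OPT_DNS, len(dns)]) + dns
    return bytes(hdr) + opts + bytes([OPT_END])


# Constructed sample: one offer from the DC, one from the suspect device.
SAMPLE_OFFERS = [
    build_offer("192.168.0.3", "192.168.0.50", ["192.168.0.3"]),
    build_offer("192.168.0.1", "192.168.0.120", ["192.168.0.1"]),
]

if __name__ == "__main__":
    for o in rogue_offers(SAMPLE_OFFERS):
        print(f"rogue DHCP server {o.server_id} offered {o.yiaddr}, DNS {o.dns_servers}")
```

On a real network you would feed rogue_offers() the UDP payloads captured on port 68 after broadcasting a DHCPDISCOVER; the point of keying on option 54 rather than the source IP is that the server identifier is what the client actually binds its lease to.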
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24075322

Morning guys,

Very much playing catch-up with both this and the other thread so apologies if I repeat anything (or everything).

Has anyone checked the Primary DNS Suffix for the server? The NS Record references "hcsserver." rather than "hcsserver.huntingtoncatholic.local" which is unexpected. You can see the Primary DNS Suffix if you run "ipconfig /all" on the server.

I wonder if you would mind dropping a few files in for us? That means generating a few of them first with the following commands (this will require the Windows Support Tools to be installed):

dnscmd hcsserver /ZoneExport huntingtoncatholic.local huntingtoncatholic.local.dns
dnscmd hcsserver /ZoneExport _msdcs.huntingtoncatholic.local huntingtoncatholic.local.dns

Those will save in this path on the server (even if you run the command remotely):

%SystemRoot%\System32\DNS\

The .dns files are text files (will open in Notepad). I would very much like to see those if possible (ideally as attachments). I would love to know where it thinks it's delegating to.

Then can you also attach this one from the server?

%SystemRoot%\System32\Config\netlogon.dns

Again, it's a text file. Don't change it where it is, take a copy of it and rename it to .txt. That file tells the server which entries it should be adding to the DNS zones for Active Directory.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24075369

There's a typo above, the second dnscmd I posted should have been:

dnscmd hcsserver /ZoneExport _msdcs.huntingtoncatholic.local _msdcs.huntingtoncatholic.local.dns

Or it'll just overwrite the first file I asked for which really won't help.

Sorry about that.

Chris
0
 

Author Comment

by:Robert Ehinger
ID: 24078119
To make sure I understand - these commands are entered on the command line -

dnscmd hcsserver /ZoneExport huntingtoncatholic.local huntingtoncatholic.local.dns
dnscmd hcsserver /ZoneExport _msdcs.huntingtoncatholic.local huntingtoncatholic.local.dns
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24078149

Correct, except they should be:

dnscmd hcsserver /ZoneExport huntingtoncatholic.local huntingtoncatholic.local.dns
dnscmd hcsserver /ZoneExport _msdcs.huntingtoncatholic.local _msdcs.huntingtoncatholic.local.dns

Or the second command will overwrite the file we created with the first.

Chris
0
 

Author Comment

by:Robert Ehinger
ID: 24079433
Got it. I knew about the typo I just copied and pasted from the first post
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24082822
@Chris:

I am not sure the NIC is set to register the DNS suffix properly. Look at the NIC configuration. I did notice the Suffix issues.

Also Chris, there was a second NIC aboard. It looked like one was used for the internet while the other was used for internal LAN. The author isn't the original admin. We may have disabled the LAN NIC and enabled the "internet" NIC. That may have messed up the DNS configuration. It stands to reason why the "internet" NIC was set to not register its DNS settings.

Thanks MUCH for your DNS expertise Chris. I can't tell you how much I appreciate the help.

John
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24085367

Ahh yeah, I see it, missed that first time.

We could potentially wipe out DNS and have it rebuild it all, but I'd still like to see if we can see why it might be upset in the first place.

Chris
0
 

Author Comment

by:Robert Ehinger
ID: 24092914
As far as rebuilding DNS, FWIW, what we are now looking at is a reinstall of DNS with no real changes. I am attaching all of the files you wanted to view. I will also attach a screen shot of the current ipconfig /all and a previous screen shot of it. Thanks for the help. Hopefully we can get this resolved soon.
netlogon.txt
huntingtoncatholic.local.txt
-msdcs.huntingtoncatholic.local.txt
ipconfigall.bmp
ipconfig-all.bmp
0
 

Author Comment

by:Robert Ehinger
ID: 24096945
A couple of things - first for ChiefIT - in one post you mentioned "1) rogue DHCP server:
I have been reading over all of the info on both posts and find out that you may still have a rogue DHCP server. 192.168.0.1 is probably providing DHCP. " What am I missing? I don't see where you have found the rogue DHCP server? Maybe I have looked at this thing far too long and everything is running together.

Second, I am not the original admin on this and there is absolutely no documentation for this network. (Will be when I am done). In fact, software is scattered all over the place. It was a treasure hunt to find the Server 2003 and XP installation disks. Anyway, the NIC that is currently enabled is NIC #2. That is the same NIC that was being used when I first arrived on the scene. At that time both were enabled but only one was being used. I don't remember what the tcp/ip settings were on that NIC but I will look for them if that will help. In the registry the NICs are listed as 2 and 3.

Also, we really don't have a problem with the students accessing the Internet because we have filtering programs and antivirus installed. The problem now it that none of the updates are getting distributed to the clients due to the current situation.

So where do we go from here.
Thank you!
Robert
0
 

Author Comment

by:Robert Ehinger
ID: 24111407
One more very important item - I would really like to get this resolved soon so that I can use remote access to troubleshoot. I try to maintain this network and the PDs on a part time, pro bono basis and it would be great to finally have remote access to the network.

Thanks Guys!!
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24121238

Sorry for the delay getting back, easter holidays...

Right...

Those zones you posted are suspiciously empty, although I do see why you're getting everything greyed out.

I'd like to take the following actions:

1. Open AD Users and Computers (hold onto this one for a few minutes)
2. Open the DNS Console
3. Expand Forward Lookup Zones
4. Delete _msdcs.huntingtoncatholic.local (in the DNS console)
5. Delete huntingtoncatholic.local
6. Stop the DNS Service (net stop dns)
7. In AD Users and Computers, select View / Advanced Features
8. Expand System
9. Expand MicrosoftDNS
10. If present, delete huntingtoncatholic.local
11. Start the DNS Service (net start dns)
12. Back in the DNS Console, right click on Forward Lookup Zones and select New Zone.
13. Select Primary and Store in Active Directory
14. Enter the name huntingtoncatholic.local
15. Enable Secure Dynamic Updates
16. Select the new zone
17. Verify you can see the zone. Verify that an NS Record exists pointing to hcserver.huntingtoncatholic.local
18. On the command line, run:

net stop netlogon && net start netlogon
ipconfig /registerdns

19. Verify an _msdcs folder has been created within the huntingtoncatholic.local zone.
20. Verify that a Host (A) record exists for hcserver
21. Select the _msdcs folder. Verify that an Alias (CNAME) record exists with a very long GUID name, pointing to hcserver

Once done, run DCDiag and NetDiag to get their opinion of the changes.

Any clients should register in this zone over time. But they are less critical than the server entries we forced to register above.

Chris
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24122110
@Chris:

This is the part that was beside me. What is causing DNS not to populate with SRV records and HOST A records? I am missing the concept. We tried to get them to populate by registering DNS and restarting the netlogon service. I am just curious to see what I missed.
0
 

Author Comment

by:Robert Ehinger
ID: 24122231
Me too.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24125183

netlogon.dns contains interesting entries.

I would guess at some point that the domain was renamed, or at least a Primary DNS Suffix was added to the DC. If we take a look in netlogon.dns you'll see that each service record refers to "hcserver." rather than "hcserver.huntingtoncatholic.local.".

Can we head to that netlogon.dns file again, and replace the contents with the below?

If that has no effect, and if the NS record still creates with "hcserver." then we may want to follow the steps here to rename the DC, giving it a new fully-qualified domain name:

http://technet.microsoft.com/en-us/library/cc782761.aspx

If all else fails we can manually populate the service records, add a new DC, then see if that one behaves before potentially moving on and rebuilding the current DC.

Chris
HuntingtonCatholic.local. 600 IN A 192.168.0.3
gc._msdcs.HuntingtonCatholic.local. 600 IN A 192.168.0.3
ForestDnsZones.HuntingtonCatholic.local. 600 IN A 192.168.0.3
DomainDnsZones.HuntingtonCatholic.local. 600 IN A 192.168.0.3
TAPI3Directory.HuntingtonCatholic.local. 600 IN A 192.168.0.3
_ldap._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.pdc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.gc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 3268 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.gc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 3268 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.ffe7aca0-36e3-41db-80d3-9e66f4e3cfcb.domains._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
9223748e-b7e1-40e5-9622-2282914a4da6._msdcs.HuntingtonCatholic.local. 600 IN CNAME hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.Default-First-Site._sites.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.Default-First-Site._sites.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_gc._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 3268 hcsserver.HuntingtonCatholic.local.
_gc._tcp.Default-First-Site._sites.HuntingtonCatholic.local. 600 IN SRV 0 100 3268 hcsserver.HuntingtonCatholic.local.
_kerberos._udp.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_kpasswd._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 464 hcsserver.HuntingtonCatholic.local.
_kpasswd._udp.HuntingtonCatholic.local. 600 IN SRV 0 100 464 hcsserver.HuntingtonCatholic.local.
t. 600 IN A 192.168.0.3
_ldap._tcp.t. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.t. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.ForestDnsZones.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.ForestDnsZones.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.DomainDnsZones.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.DomainDnsZones.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.TAPI3Directory.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.TAPI3Directory.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.


0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24125208

On reflection, it's extremely likely that the records will fail to register in my original steps because of the issue with the server name. It's very likely that the reason they failed to register for Chief (and Rob?) is that the server believes that it is "hcserver" not "hcserver.huntingtoncatholic.local", as such it won't find a correct zone to register records in.

The problem with the greyed out folders is part of this. The server doesn't contain a valid Host (A) record for "hcserver.", therefore it treats the NS records as a delegation rather than it being a local authority.

Chris
0
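Chris's last two posts describe the failure shape: netlogon.dns contains service records whose target is the bare "hcsserver." (and owners under a stray "t." zone), so NetLogon has no zone to register them in and the DNS console shows the NS records as a delegation. As an added example (not code from Chris, ChiefIT or the thread), here is a Python checker that reads netlogon.dns and reports every record that cannot land correctly in the AD zone. It assumes the domain huntingtoncatholic.local and the DC hcsserver at 192.168.0.3, both taken from the thread; the sample lines are constructed to include both healthy records and the two broken shapes, they are not the actual file Robert posted.

```python
"""Check netlogon.dns for records that cannot register in the AD zone.

Added example, not from the thread. Assumptions: the domain is
huntingtoncatholic.local and the only DC is hcsserver at 192.168.0.3 (both
taken from the thread). The sample text is constructed to show the failure
shapes described there: an SRV/CNAME target of "hcsserver." and owners
under a stray "t." domain.
"""
from dataclasses import dataclass
from typing import List

DOMAIN = "huntingtoncatholic.local"
DC_FQDN = "hcsserver.huntingtoncatholic.local"
DC_IP = "192.168.0.3"


@dataclass
class Finding:
    line_no: int
    problem: str
    record: str


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def _in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def check_netlogon_dns(text: str, domain: str = DOMAIN,
                       dc_fqdn: str = DC_FQDN, dc_ip: str = DC_IP) -> List[Finding]:
    """Return one Finding per record NetLogon could not register sensibly."""
    zone, dc = _norm(domain), _norm(dc_fqdn)
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        # Expected shape: owner TTL IN TYPE rdata...
        if len(parts) < 5 or parts[2].upper() != "IN":
            findings.append(Finding(n, "unparseable record", line))
            continue
        owner, rtype, rdata = _norm(parts[0]), parts[3].upper(), parts[4:]
        # Owner outside the domain: no AD-integrated zone will accept it.
        if not _in_zone(owner, zone):
            findings.append(Finding(n, f"owner {parts[0]} is outside {domain}", line))
            continue
        if rtype == "A":
            if rdata[0] != dc_ip:
                findings.append(Finding(n, f"A record points at {rdata[0]}, not {dc_ip}", line))
        elif rtype == "SRV":
            if len(rdata) != 4:
                findings.append(Finding(n, "SRV needs priority weight port target", line))
            elif _norm(rdata[3]) != dc:
                # A bare "hcsserver." target is the symptom Chris describes.
                findings.append(Finding(n, f"SRV target {rdata[3]} is not {dc_fqdn}", line))
        elif rtype == "CNAME":
            if _norm(rdata[0]) != dc:
                findings.append(Finding(n, f"CNAME target {rdata[0]} is not {dc_fqdn}", line))
        else:
            findings.append(Finding(n, f"unexpected record type {rtype}", line))
    return findings


# Constructed sample: two healthy records, then the broken shapes.
SAMPLE = """\
HuntingtonCatholic.local. 600 IN A 192.168.0.3
_ldap._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.
9223748e-b7e1-40e5-9622-2282914a4da6._msdcs.HuntingtonCatholic.local. 600 IN CNAME hcsserver.
t. 600 IN A 192.168.0.3
_ldap._tcp.t. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
"""

if __name__ == "__main__":
    for f in check_netlogon_dns(SAMPLE):
        print(f"line {f.line_no}: {f.problem}")
```

Run it against a copy of %SystemRoot%\System32\Config\netlogon.dns from the DC; a clean file produces no output, and any line it reports is one the server will either fail to register or register somewhere clients will never look.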
 

Author Comment

by:Robert Ehinger
ID: 24127346
OK, please be a bit patient here. First, do you want me to follow the steps from your post of 4/11/2009 and then replace the netlogon.dns file? Or just replace the netlogon.dns file?

Second, I will be out of town for the first three days this week so I may not get to it until Thursday. I will provide feedback as soon as I can. Please stay tuned.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24128660

Run through the steps above, 1 to 21, to replace the current zones. Then see if it still has greyed out folders in the forward lookup zone.

If we're clear of greyed out folders, and it created the _msdcs folder, check the name each of those point to. According to netlogon.dns they should all point to "hcsserver." initially.

If they do all point only to hcsserver, modify the netlogon.dns file as above. Then restart the NetLogon Service. Check the records in the _msdcs folder and see where they point to this time.

If we don't get that far, and just have greyed out folders I'd like to try renaming the DC. That carries a little more risk than the previous actions so ideally we want a backup first. I take it this is the only DC in the domain? And that you're not running Small Business Server?

Chris
0
 

Author Comment

by:Robert Ehinger
ID: 24128782
It is the only DC and we are running Windows Server 2003 Enterprise Edition.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24129442

Okay, that's good, SBS would have complicated things. What else does the server do?

Chris
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24130136
Chris:

With that explanation, I understand how DNS wasn't populated. Rather than a fresh rebuild of the server, maybe a metadata cleanup and then rebuilding DNS could be a viable option. The metadata cleanup might clean out the metadata of the old domain name while the DNS rebuild would put them on the right track for cleaning DNS. The only question that keeps rolling through my head is what about the clients. Will they need to rejoin the domain?? Now, I am on the same page as you. Thanks for the explanation.
0
 

Author Comment

by:Robert Ehinger
ID: 24130490
The server hosts user accounts, manages printers, gives out DHCP, runs various networked applications and houses user data.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24135828

Hmm okay, so demoting it is pretty much out of the question then.

In that case, can you let us know how you get on with the above, then we might look at renaming the server which is much less destructive.

Chief: Metadata cleanup is normally taken care of by rendom /clean. However, we have no real evidence that the domain was renamed, only that it shares some of the symptoms associated with an incomplete rename so I'd be reluctant to run that without very good cause.

Chris
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24138836
Chris:

Are the FSMO roles in order, or are they pointing to a domain that doesn't exist?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24138891

Won't be able to tell much until DNS is online. I think I'll pop together a zone file so even if the steps above get us nowhere we can encourage that component to work.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24139178

Here's the zone file. To use this zone you would have to do the following:

1. Delete any instances of huntingtoncatholic.local using the DNS Console.
2. Save the attached file to %SystemRoot%\System32\DNS\huntingtoncatholic.local.dns on hcsserver (removing its .txt extension).
3. Run:

dnscmd hcsserver /ZoneAdd huntingtoncatholic.local /Primary /File huntingtoncatholic.local.dns /Load
dnscmd hcsserver /ZoneResetType huntingtoncatholic.local /DsPrimary /OverWrite_Ds

That will give you a new AD Integrated zone with Dynamic Updates disabled, a good enough beginning if nothing else above works.

Chris
huntingtoncatholic.local.dns.txt
0
 

Author Comment

by:Robert Ehinger
ID: 24163747
I followed all of the above steps and ended up using the info from the very last post.
"That will give you a new AD Integrated zone with Dynamic Updates disabled, a good enough beginning if nothing else above works."

I still cannot add clients to the domain. I was able to add a printer to one of the clients already on the domain, and the server still does not access the Internet. And we are still needing to use the static DNS addresses 208.67.222.222 and 208.67.220.220.

Here are some screen shots. Perhaps you can point me in the direction of our next step.

Thanks!!

Robert
dnsconsolerestart.bmp
dnstree.bmp
dhcp.bmp
tcpip.bmp
dns.bmp
ipsettings.bmp
wins.bmp
0
 

Author Comment

by:Robert Ehinger
ID: 24163762
Incidentally, I can ping the server IP and the router IP from the clients, even those that I cannot add to the domain.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24165764

Time zone differences are such a pain, trying to think of every test that might give us information.

From a client either joined to the domain or not, but must be using the server for DNS:

nslookup huntingtoncatholic.local
nslookup -q=srv _ldap._tcp.huntingtoncatholic.local

Both should return the hcsserver, by IP in the first, by name in the second.

When you're joining clients to the domain, are you typing "huntingtoncatholic.local", or the NetBIOS domain name?

Can you also give me the response returned when running this using the server:

nslookup www.google.com

If that fails to resolve, please remove all Forwarders configured on the server (DNS Server properties). Then select Root Hints from the server Properties. Select Copy From Server and enter the IP 198.41.0.4, that's one of the root servers and will have an accurate version of Root Hints.

Once done, right click on the DNS server and select Clear Cache, then run the query for google again.

If it still fails, open the Server Properties again, select Advanced and check that "Disable Recursion" is not ticked. If it's still failing after that we need to start checking the network layer, starting with what traffic is and isn't allowed through the Firewall.

Back on the AD side, can you run these on the server please:

dcdiag /c /v /f:dcdiag.log
netdiag /debug /L

NetDiag will be logging to netdiag.log because of the "/L" switch, it doesn't let you choose a file name. Both will log in the same folder as the commands ran from.

I would also like to see any error messages from each of these Event Logs:

DNS Server
Directory Service
File Replication Service
System
Application

Save as CSV is probably our best bet for those.

Let's see where our FSMO roles think they are if we can. Please try running:

netdom query fsmo

If that one doesn't work, this longer method will. Start and Run can be used to open up ntdsutil (the first command), just make sure you grab the output from List Roles before closing it with Quit :)

ntdsutil
Roles
Connections
Connect To Server hcsserver
Quit
Select Operation Target
List Roles for Connected Server
Quit
Quit
Quit

And let's see if we can have some debugging from the NetLogon Service. First you need to run this command:

nltest /dbflag:0x2080ffff

Then as soon as you get the chance, reboot the server. After which we should find that %SystemRoot%\Debug\netlogon.dns has a fair bit of information in it. Once that's done, disable debugging again with:

nltest /dbflag:0x0

That's quite a lot, so let's see how much that tells us.

Chris
0
 

Author Comment

by:Robert Ehinger
ID: 24171410
I am attaching screen shots showing the results of
nslookup huntingtoncatholic.local
nslookup -q=srv _ldap._tcp.huntingtoncatholic.local

These were taken from a client that I have tried several times to get on the domain without success. It does access the Internet using the static DNS that I have mentioned before.

When I try joining clients to the domain, I am typing "huntingtoncatholic.local."
nslookup.bmp
nslookup2.bmp
nslookup3.bmp
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24171487

That may well be caused by the yellow exclamation mark in the DNS console. I was hoping that the DNS event log would throw some light on the reason for that.

Chris
0
 

Author Comment

by:Robert Ehinger
ID: 24172368
The yellow exclamation point was from the query I ran that failed.
0
 

Author Comment

by:Robert Ehinger
ID: 24185414
OK, here are more results of tests run. Some of the event logs I just took screen shots because they showed the events since the 16th when I reinstalled DNS per your instructions from 4/14/09.
google.bmp
google2.bmp
dnsevents.bmp
dirservevents.bmp
filerepevents.bmp
sysevents.bmp
Applicationerrors.txt
dcdiag.log
NetDiag.log
Netlogon.log
forwarders.bmp
fsmo.bmp
0
 

Author Comment

by:Robert Ehinger
ID: 24209483
Did that info help any? Are we closer to a solution.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24212698

You have an interesting entry in NetLogon.log:

04/20 07:00:57 [DOMAIN] t: Adding new domain
04/20 07:00:57 [DOMAIN] (null): Setting our computer name to HCSSERVER hcsserver
04/20 07:00:57 [DOMAIN] (null): Setting DNS domain name to t
04/20 07:00:57 [DOMAIN] t: Setting Domain GUID to df903ad8-fe55-4dc9-9f81-867e32ff02ec

I had noticed entries for "t" in netlogon.dns which is part of what made me think a domain rename had gone bad at some point.

How do you feel about adding a new DC to this domain? It can run on a desktop machine, it's only going to be a temporary fixture.

Before doing that, we need to do a little work in DNS again. The huntingtoncatholic.local zone needs deleting again, then the one I posted above importing once more. However, this time we'll skip the step that makes it AD Integrated, that way we keep the valid NS and SOA records DCDiag is complaining about.

Chris