Cannot Access Internet

We have a server running Windows Server 2003. The Internet connection is cable through Comcast. There is a wireless router attached to the network and then several switches with cables running to all of the desktop clients. All clients can access the server and the Internet. The server cannot access the Internet. From the server I can successfully ping the router, clients and some web addresses. I have pinged www.google.com and www.comcast.net and a few others successfully but I have not been able to ping www.microsoft.com. When I open Internet Explorer I get the infamous "page cannot be found" error.

Please advise.

Thank you!

Robert
Robert Ehinger (IT specialist) asked:
Paul Solovyovsky (Senior IT Advisor) commented:
Can you do a traceroute? This will let us know where the connection is stopped.

Type in command prompt

tracert 4.2.2.2

provide results
ddanonimity commented:
It may be a firewall or proxy problem. Check these settings.
ChiefIT commented:
Try this at the command prompt:

Netsh winsock reset

This seems to be more and more common.

If that doesn't work, sounds like you are having a problem with DNS forwarders. Is this a DNS server?
MrLonandB commented:
Had a very similar problem a couple days ago...happened right after a Windows Update on my DNS Servers. Rebooted DNS Servers and all was well again.
Robert Ehinger (IT specialist, author) commented:
This problem has been going on for over a year and we have just been living with it. Now, though, we would like to fix it. The system has been rebooted several times but there has been no change.
Rick Nicholson (IT Manager) commented:
Robert,

The Comcast modem/router is probably acting as the network Gateway and is doing DNS (and possibly DHCP) for your workstations, so they have Internet connectivity.

In your server, check the TCP/IP properties of the NIC. It should be set to a static IP address, with the Comcast modem/router address as the Gateway. Below that, it should have its own IP address in the "Use the following DNS server addresses."

Then, as ChiefIT mentioned, you should use Forwarder entries in the server's DNS setup to point to the Comcast DNS servers. (We can point you to these settings, if you need.)

This is just one possible way to configure server DNS, but I've used this exact setup more than once. Let us know if this sounds helpful.
Robert Ehinger (IT specialist, author) commented:
Yesterday I ran "Netsh winsock reset." I thought that might work after the required reboot. I accessed one internet site (Google) but when I tried to navigate to another I got the Page cannot be displayed message.

I then ran tracert 4.2.2.2 and it found the site in 13 hops. There was nothing to show the connection stopping before it got to its destination.
ChiefIT commented:
Do you have zone alarm on this server?

Robert Ehinger (IT specialist, author) commented:
No zone alarm on the server
ChiefIT commented:
I also heard Symantec can do this.

Any Symantec related material, like AV or Endpoint Protection?
Robert Ehinger (IT specialist, author) commented:
We use Norton Anti-virus on this system.
Robert Ehinger (IT specialist, author) commented:
If we can get on the Internet Comcast provides McAfee online protection but then the issue would be getting it installed on all the clients. A bit of work but doable.
ChiefIT commented:
No, it is just a configuration of Symantec. Let me find the information to make the configuration changes. I am not suggesting you change your AV protection, just configure it to work.

ChiefIT commented:
The reference material I was going to provide actually pointed to:

Zone Alarm as the major culprit
Ad-Aware as a second culprit
AVG antivirus as another culprit.
Winsock fix as a plausible solution:

http://en.kioskea.net/forum/affich-5044-can-t-browse-but-can-ping?page=4

Try this: temporarily disable your AV package and see if you are able to browse to known good sites, like Google and Experts Exchange. If this works, update your virus definitions and scan engine by doing a manually forced AV update. I still remember somewhere that Symantec 10 can cause this issue prior to an update performed on this AV package.

Another thing to be aware of is I think there is a possible GPO to disable browsing on a server. Some people disable browsing on servers through this GPO because they don't want people browsing the internet with a server. So, maybe look at your Resultant set of policies, (RSOP).

Robert Ehinger (IT specialist, author) commented:
I tried to disable the Norton but it is password protected and no one seems to know the password. The previous computer support person did not do a lot of documentation. Is there a way around this?
ChiefIT commented:
Try:

symantec

All small cased. That is the default password.
Robert Ehinger (IT specialist, author) commented:
Still working on this issue. I will provide feedback soon.
ChiefIT commented:
I am back from DC and would like to help with a fresh mind. I think we should be able to get this issue resolved pretty quick.

Let me know when you wish to proceed.
Robert Ehinger (IT specialist, author) commented:
Whenever you are ready
ChiefIT commented:
The easiest way to combat this is to look at the network settings and tracing over the routes.

Let's pick a site that you are having problems with, (like MSN.com), and see if we can't figure out what's going on. Let's also look into the IP configuration and network bindings of this PC.

Can you supply an ipconfig /all?
There we can check for IPv6 and see if your gateway and subnet mask are good for that computer.

Now, let's go to the command prompt and do: nslookup www.msn.com
This should show you how many hops you have prior to getting to that site. If the connection times out it will also show you it timing out.

One other thing I would do is an MTU ping. MTU stands for Maximum Transfer units. If your MTU settings are set too high, then your packets start to fragment and your connection will most likely time out.
http://help.expedient.com/broadband/mtu_ping_test.shtml

Then, let's go into your browser and make sure we don't have the security settings so high that we can't get out on it. I assume you are using Internet Explorer as your web browser. If not, please advise.
Robert Ehinger (IT specialist, author) commented:
I will be working on this issue again today and will provide feedback as I go.
Robert Ehinger (IT specialist, author) commented:
Here is a screenshot from the status page of the Linksys router we are using:
router.bmp
Robert Ehinger (IT specialist, author) commented:
And here are some other screenshots from the server:
ipconfig-all.bmp
LAN-Settings.bmp
Tracert.bmp
Rick Nicholson (IT Manager) commented:
Robert,

It looks like your server has two active ethernet connections... Adapter 1 seems to be grabbing a public IP address, which should not be the case. Try disabling Adapter 1 in the server's Network Connections settings, or just try temporarily unplugging the ethernet cable from the adapter. (where is that cable coming from?). There should just be one cable from the ISP's modem/router to your Linksys, then one from the Linksys to your server.
Robert Ehinger (IT specialist, author) commented:
I disabled the unused connection. There is only one cable from the modem to the router and then from the router to the server. Still no Internet connection. I currently have the AV disabled, too.
Robert Ehinger (IT specialist, author) commented:
Also, I can successfully ping the router and the modem, the IP address 4.2.2.4, www.google.com. is not recognized as an internal or external command, and I can ping the Comcast Default Gateway: 69.245.138.1
Rick Nicholson (IT Manager) commented:
Your server has different DNS numbers than your router (this would explain why your clients - who get their numbers from the router - can access the Internet).

Try what I suggested in my earlier post:
"In your server, check the TCP/IP properties of the NIC. It should be set to a static IP address, with the Comcast modem/router address as the Gateway. Below that, it should just have its own IP address in the "Use the following DNS server addresses."

Then, as ChiefIT mentioned, you should use Forwarder entries in the server's DNS setup to point to the Comcast DNS servers. (We can point you to these settings, if you need.)"


Robert Ehinger (IT specialist, author) commented:
You probably should point me to the forwarder settings
Rick Nicholson (IT Manager) commented:
Did you check the NIC's setup? Can you do an ipconfig /all again to see if it changed?
(I'll double check the path to the forwarder settings in the meantime...)
Robert Ehinger (IT specialist, author) commented:
Also, when I change to default gateway I lose my wireless connection
Rick Nicholson (IT Manager) commented:
What did you change the gateway to?
What device is at 192.168.0.250?
Robert Ehinger (IT specialist, author) commented:
When I change to the Comcast default gateway and do ipconfig /all there is no default gateway shown.
Robert Ehinger (IT specialist, author) commented:
I changed it to the Comcast Default Gateway: 69.245.138.1. The router IP address is 192.168.0.250
Rick Nicholson (IT Manager) commented:
The default gateway should be a private address (192.168.0.x). This will be the device that's doing DHCP (handing out your internal IP addresses).

Before you do anything else - write down/remember what your configuration was before we started - just so you can undo these changes if they don't work.

If the router is doing DHCP, then it should be the gateway. (In my setups, I sometimes let the Comcast router do the DHCP - sorry for the confusion...)
Robert Ehinger (IT specialist, author) commented:
OK, I have the settings recorded and the default gateway is the router.
Rick Nicholson (IT Manager) commented:
What are the DNS numbers that show up when you do an ipconfig /all?

Robert Ehinger (IT specialist, author) commented:
OK, school is out and they are wanting to lock up for the weekend. I will be back at this on Monday so please send any ideas and suggestions and I will provide feedback as I try them. Thanks!!
Rick Nicholson (IT Manager) commented:
Ok - have a good weekend.

Here's the info about the forwarders, in case I'm tied up in the AM:

Under Administrative Tools, go to the DNS management console. Right click on your server and go to Properties. On the Forwarders tab, you should have an entry under DNS Domains called "All other DNS domains". Then you should add the 2 or 3 Comcast DNS servers.
Robert Ehinger (IT specialist, author) commented:
DNS are 193.168.0.3
68.42.244.5
68.244.42.6
192.168.0.250

You have a great weekend too!!
Rick Nicholson (IT Manager) commented:
According to your router, they should be 68.87.72.130, 68.87.77.130 and 68.87.66.196

Make sure you took the other numbers (68.42.244.5 and 68.244.42.6) out of both of the NIC TCP/IP Properties (remember we're using Adapter 2).

Check/create the Forwarders as above

Your ipconfig should then have the 3 Comcast DNS numbers and the server address 192.168.0.3 under DNS and the router/gateway as 192.168.0.250.
Robert Ehinger (IT specialist, author) commented:
I made the changes you suggested and I can ping all of the DNS addresses, the server, the router and I even pinged 4.2.2.4. I still cannot get out on the Internet. What am I overlooking?
Rick Nicholson (IT Manager) commented:
Are the changed DNS servers showing up when you do an ipconfig /all?
Robert Ehinger (IT specialist, author) commented:
I will check tomorrow when I am back at the school
ChiefIT commented:
You're overthinking this:

DNS are 193.168.0.3
68.42.244.5
68.244.42.6
192.168.0.250

Use your router to route with, not the server.

Your server has four DNS addresses. Two are within the LAN and two are outside the LAN.

I assume 192.168.0.xxx is your private IP space.

So, the internal IP of the router should be within the IP space of 192.168.0.x. That will be your default gateway that is manually set on all fixed IP address nodes and also in DHCP scope options.

This is what you are currently doing and failing at it.

WWW>>NAT router (comcast)69.xxx.xxx.xxx>>69.xxx.xxx.xxxNAT routing (over server)192.168.0.xxx>>Nodes on the LAN.

This is what you want to do for best operational status:
WWW>>NAT Router (comcast) 192.168.0.xxx= gateway>>Servers and other nodes

The second NIC of your server can be disabled and the router's inside IP will be the gateway for the entire LAN. I don't see a reason for you to have two subnets on the nodes of your LAN.

Rick Nicholson (IT Manager) commented:
Hi ChiefIT,

His DNS settings - that appear to be in the NIC's properties - don't match the DNS settings in the router. I'm assuming that the router numbers are correct and that he needs to remove the settings from the NIC. We put the correct numbers in the server as DNS Forwarders...
ChiefIT commented:
As a general LAW for a domain, the ONLY place outside DNS servers should be configured is in DNS forwarders. All fixed IP NIC cards and within the DHCP scope options should have outside IPs removed from the list of preferred DNS servers. DHCP scope options passes down the DNS servers to the DHCP clients. This is why it is important to get this right.

Also DO NOT allow your router to be the DHCP server. If the router supplies DHCP, it will also attempt to supply DNS. Routers with DHCP and DNS capabilities, (Like your DSL router), are used for home use without servers. So, it can't be supplying DHCP. The router will NOT hold the SRV records for DNS, only a Microsoft server will. Without those SRV records, you will not be able to authenticate with your DC's. So, it is important that your DSL router NOT supply DHCP. You must have DHCP supplied by your Windows servers.

For reference, this is how DNS works. This article was as basic as I could make it and explains the path of a DNS query.
http://beta.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-TROUBLESHOOTING-MADE-EASY.html
Rick Nicholson (IT Manager) commented:
ChiefIT,

Your first paragraph is exactly right and is what we were working on... His client PCs are working okay - getting DNS (and DHCP) from the router. I figure his server is having problems because of the incorrect settings hard-coded in the NIC properties.

I don't know if you want to walk him through changing both DNS and DHCP to the server?


ChiefIT commented:
@Rick
I would be glad to help. But, I think you are doing a fine job. So, I will monitor in the background.

These are the things I would do to resolve these issues:

A) I think I would make sure DHCP is straightened out first, by:
1) make sure the router isn't supplying DHCP.
2) make sure Windows servers are supplying DHCP
3) go into DHCP scope options and make sure the DNS servers, time servers and router are all configured.

B) Then, I would make sure the inside IP to the Router is within the LAN's subnet of 192.168.0.x

C) Then, I would attack these DNS issues by:
1) go to each fixed IP station, (like the servers), and make sure the NIC bindings don't have outside DNS servers listed as a preferred server.
2) on each fixed IP station, also make sure your router's IP on the LAN side is listed as your default gateway.
3) make sure DNS forwarders are listed as being your ISP's DNS servers.
4) Flush your DNS cache and make sure there are NO entries in DNS SRV records for that old router IP.
5) finally, renew your DHCP lease on the clients.

I can help at any stage of this, if you wish.

@Robert:
So that it is explained to you, this is what your issue is. You have 68.xxx.xxx.xxx listed in your preferred DNS server. There is no telling whether these servers were strictly from manually configured NICs or if DHCP is passing down this bogus information too. What happens is this: clients are going there to find outside DNS resolution. It appears that IP address doesn't have the ability to provide outside resolution. This is why you don't have Internet access. Also, since that IP will not provide inside resolution to your LAN, you will probably experience lag times or the inability to log on and/or authenticate to your LAN domain servers from time to time. You will probably experience intermittent communications on your LAN.


Rick Nicholson (IT Manager) commented:
ChiefIT,

As per his original post, his clients aren't having any problems - it's just his server which appears to be hard-coded with the wrong DNS settings and can't access websites by URL. I think once this is resolved he'll probably be happy. If he wants to go further, I think I'll defer to your expertise.
Robert Ehinger (IT specialist, author) commented:
A) I think I would make sure DHCP is straightened out first, by:
1) make sure the router isn't supplying DHCP.

It is not

2) make sure Windows servers are supplying DHCP

It is

3) go into DHCP scope options and make sure the DNS servers, time servers and router are all configured.

006 DNS Servers - No Server Name
IP Addresses are -
192.168.0.3
68.42.244.5
68.42.244.6

003 Router - No Server Name
IP Address 192.168.0.250

There is no time server set.


B) Then, I would make sure the inside IP to the Router is within the LAN's subnet of 192.168.0.x
It is

C) Then, I would attack these DNS issues by:
1) go to each fixed IP station, (like the servers), and make sure the NIC bindings don't have outside DNS servers listed as a preferred server.
2) on each fixed IP station, also make sure your router's IP on the LAN side is listed as your default gateway.

Dynamic IP addresses

3) make sure DNS forwarders are listed as being your ISP's DNS servers.

How??

4) Flush your DNS cache and make sure there are NO entries in DNS SRV records for that old router IP.

How??

5) finally, renew your DHCP lease on the clients.

Done

I successfully pinged several sites including google, comcast, at&t and my own web site. I cannot ping msn, ebay or paypal.

Further instructions would be greatly appreciated.
Robert Ehinger (IT specialist, author) commented:
Sorry, my bad. I did not renew DHCP. When I tried to perform an ipconfig /release or /renew on the server or the clients I got the same message:

"This operation failed as no adapter is in the state permissible for this operation."
Rick Nicholson (IT Manager) commented:
Robert,

I'm going to defer back to ChiefIT at this point - he seems to understand what's going on better than me... I can't understand why you're seeing three separate sets of DNS numbers... one set from your router's screenshot, one set from your ipconfig screenshot, and yet a third from the info you just posted.

I'll keep tuned in to see how this works out...
ChiefIT commented:
Let's see if I can write this up so you understand what we are doing:
________________________________________________________________________
THE UNDERSTANDING OF WHAT IS GOING ON:
When you go to the NIC card settings on a computer and set it to dynamically get an IP address or dynamically (automatically) get a list of DNS servers, that particular computer will look in your DHCP scope options to find your DNS servers, default gateway, and a number of other important nodes on the network. So, any settings on your NIC card that are set to get that information automatically get it from the LAN DHCP server.

Also, when setting up servers, some come with multiple NICs. Dell has sent out, for years, servers with multiple NICs. These nics can be used for a variety of applications. None of them I see as important to a good network for you.
1) One application is to ROUTE over the server. This makes your server the NAT router for the network and dramatically adds to the network traffic over the server. Though your network appears to be set up to route over the server, it doesn't look like RRAS, (Routing and Remote Access Services), was configured to actually route over the server. Routing over the server is often done by administrators to further secure the network. However, you are already providing NAT (Network Address Translation) by using a hardware router from Comcast.
This is how your network was attempted to be set up: (This is called double NATting and can be difficult to do)
WWW>> Dynamic IP from comcast that NATs to 68.xxx.xxx.xxx subnet>>68.xxx.xxx.xxy subnet that NATs over the server to the 192.xxx.xxx.xxx subnet>>clients and other nodes

This is how best to set it up: (This will work best and prevent extra communications over your server)
WWW>>Dynamic IP from comcast that NATs to 192.xxx.xxx.xxx subnet>>Your LAN

2) The second use of dual nics is to load balance. Load balancing is done on large lans with, let's say, 250 nodes or more. Load balancing takes two nics and uses both as a resource to allow more communications between computers and your servers.
3) The third application of dual nics is to provide a LAN connection and a separate VPN connection that might bypass your firewall for outside access to your LAN. This is like a VPN connection.

On your LAN, I don't see either case as being necessary except maybe a VPN connection. However, I see a few issues that you are running into that lead me to believe it was set up to route over the server.
_______________________________________________________________________________
THE ISSUES:

Let's start with this:
From what I saw above: your servers are told to automatically go out and find their DNS servers. So, they will seek out what is listed IN DHCP SCOPE OPTIONS. Let's see what is listed there:

006 DNS Servers - No Server Name
IP Addresses are -
192.168.0.3<<<<<<<<GOOD
68.42.244.5<<<<<<<<< NOT GOOD
68.42.244.6<<<<<<<< NOT GOOD

When this was configured, you had two NICs on both domain servers. One of them was on the 192 subnet while the other was on the 68 subnet. As Rick was pointing out to you, you don't need two NICs. You already had NAT routing and you should leave routing to your hardware router. So, disabling that 68.xxx.xxx.xxx NIC was good advice. The administrator before you, or you, have configured the DHCP scope options to pass down both NICs as preferred DNS servers to ANY computer that requests to be provided a DNS server automatically within the NIC card configuration. Unfortunately, I think this includes your servers. So, your servers are trying to find a 68.xxx.xxx.xxx DNS server THAT DOESN'T EXIST. That NIC was disabled, wasn't it?

(SIDE NOTE) Let me tell you what your saving grace was on your clients in comparison to your server. When your client goes out to find a DNS query, it looks for the very first preferred DNS server according to the way your DHCP scope options is listed, that will be:
192.168.0.3
Since that is a valid and active DNS server, your query works.
When you do a DNS query on the server, 192.168.0.3 NIC is busy, so it goes to secondary preferred DNS server. That would be:
68.42.244.5
Since that is not a valid DNS server, you will not be able to get DNS resolution. This is why I think you have a small LAN. Your primary preferred DNS server doesn't seem to be busy often and that's why the clients don't seem to have an issue.
________________________________________________________________________________
THE FIXES:
To fix your issues concentrate your efforts on: 1) disabling the 68.xxx.xxx.xxx NIC on both servers, 2) preventing DHCP configuration from passing down bogus info, 3) then removing BAD DNS records from the forward and reverse lookup zones as well as your cached records, 4) then manually configuring your server's NIC configurations properly instead of having the NIC automatically going out to find your DNS servers, 5) finally checking DNS forwarders (to make sure they are your ISP's DNS servers); this part I will bet is in good shape, 6) any clients having issues afterwards will need to renew their DHCP lease and get the latest DHCP information from the server.

_________________________________________________________________________
HOW TO DO THESE THINGS:
1) disabling the 68.xxx.xxx.xxx NIC on both servers:
I assume you already know how to disable the NIC. However, you might have to tell DHCP that OLD NIC doesn't provide DHCP. To do this:
>>DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding
You can disable any binding from providing DHCP
2) preventing DHCP configuration  from passing down bogus info,
This is all done in your DHCP scope options that you already showed me you can navigate to. A) SET your router's IP to be the LAN side IP of the router (192 address). B) Set your DNS servers to be both DNS servers on the 192 subnet. C) Set your default gateway as your router's LAN IP address. D) If you have a LAN time server then set that IP. If not, leave it blank. Save your settings.

3) then manually configure your Server's NIC configurations properly instead of having the NIC automatically going out to find your DNS servers,
To do this: go to each server's NIC configuration settings and perform the following.
1) do not allow this to get a dynamic IP. Manually configure both servers as fixed IPs.
2) do not allow these servers to go out and find your DNS servers. Manually configure your DNS servers as follows:
A) On server A make sure the primary preferred DNS server is itself and the secondary is the other server. Example:
192.168.0.A
192.168.0.B
B) On server B make sure the primary preferred DNS server is itself and the secondary is the other server. Example:
192.168.0.B
192.168.0.A
Make sure you check the advanced settings on DNS tab and WINS tab. For the WINS tab, disable LMhost lookup and enable NETBIOS over TCP/IP, (NOT netbios over DHCP). On the DNS tab, Make sure it registers the DNS suffix and appends the DNS suffix checkboxes are checked. Also make sure there are NO alternate DNS servers listed in there.

4) then remove BAD DNS records from the forward and reverse lookup zones as well as your cached records:

Step 1) To resolve these issues, Follow this link: (NOTE: By default, 2003 server registers both NICs SRV records in DNS) (for you this means you have both the 68.xxx... and the 192.xxx.... IP registered in DNS as proper DNS servers that provide Domain services)
 -- http://support.microsoft.com/?id=832478
Step 2) Once you prevent both SRV records from registering in DNS when the netlogon service restarts, then you need to prevent it from registering its DNS records in DNS. To do this go to the NIC configuration>> TCP/IP properties>>Advanced Button>>DNS tab and disable the ability of the NIC to register its DNS settings in DNS or disable that second NIC.
Step 3) Once you have disabled the ability to register that outside NIC's DNS address, then you must remove all HOST A, SRV, and cached records of that outside NIC. I assume you already know how to remove HOST A records from the forward lookup zone. To remove DNS cache, go to the command prompt and type ipconfig /flushdns. To remove the SRV records, please follow the advice on this link:
http://support.microsoft.com/kb/241515

Or to remove SRV records you can follow this link and delete ALL SRV records on both servers and go to the command prompt and type:
Net Stop Netlogon
Net Start Netlogon
Restarting the Netlogon service re-registers the SRV records in DNS. With the second NIC, not being able to re-register the DNS SRV records, you will have  a fresh set of SRV records for the proper NICs of the server.


5) finally, check DNS forwarders (to make sure they are your ISP's DNS servers); this part I will bet is in good shape.
To check the SRV records, right click the DNS snapin and go to PROPERTIES. Select the Forwarders tab and manually configure your Forwarders to be your ISP's DNS servers.

6) any clients having issues afterwards will need to renew their DHCP lease and get the latest DHCP information from the server.
To do this, go to the command prompt of your problem child computer and type:
IPconfig /release
and
IPconfig /renew

Eventually, these DHCP leases and bogus information will weed themselves out when the DHCP lease expires and your network will appear to grow in performance. The reason is your DHCP clients will be getting good information.

 
Let us know if you have any questions. Rick was spot on by disabling the NICs. We just needed to address DHCP for a moment and cover ALL bases.

Robert Ehinger (IT specialist, author) commented:
Thank you for all of the information but I have another question. Why do you think I have two servers? I have one server with two NICs. How does that affect the settings you suggested?
ChiefIT commented:
Same settings:

The reason I thought you have two servers is because of this information right here, that you provided on an IPconfig /all:

DNS are 193.168.0.3<<<good
68.42.244.5<<DNS NIC 2 of the server, Or it could be the router
68.244.42.6<<<Assumed DNS provided by NIC 2 of server 2
192.168.0.250<<<<DNS provided by something

It made sense, four IPs with two servers. Now I am thinking four IPs (2 for a server) and (2 for another node, like the router or a mass storage device like a NAS server.
Robert Ehinger (IT specialist, author) commented:
The set up we have is a server, modem and a router.
ChiefIT commented:
These are the settings for your single server LAN:

HOW TO DO THESE THINGS:
1) disabling the 68.xxx.xxx.xxx NIC :
I assume you already know how to disable the NIC. However, you might have to tell DHCP that OLD NIC doesn't provide DHCP. To do this:
>>DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding
You can disable any binding from providing DHCP
2) preventing DHCP configuration  from passing down bogus info,
This is all done in your DHCP scope options that you already showed me you can navigate to. A) SET your router's IP to be the LAN side IP of the router (192 address). B) Set your DNS as your DNS server. C) Set your default gateway as your router's LAN IP address. D) If you have a LAN time server then set that IP. if not, leave it blank. Save your settings.

3) then manually configure your Server's NIC configurations properly instead of having the NIC automatically going out to find your DNS servers,
To do this: go to each server's NIC configuration settings and perform the following.
1) do not allow this to get a dynamic IP. Manually configure both servers as fixed IPs.
2) do not allow these servers to go out and find your DNS servers. Manually configure your DNS servers as follows:
A) On server A make sure the primary preferred DNS server is itself
Example:
192.168.0.A
Make sure you check the advanced settings on DNS tab and WINS tab. For the WINS tab, disable LMhost lookup and enable NETBIOS over TCP/IP, (NOT netbios over DHCP). On the DNS tab, Make sure it registers the DNS suffix and appends the DNS suffix checkboxes are checked. Also make sure there are NO alternate DNS servers listed in there.

4) then remove BAD DNS records from the forward and reverse lookup zones as well as your cached records:
Step 1) To resolve these issues, Follow this link: (NOTE: By default, 2003 server registers both NICs SRV records in DNS) (for you this means you have both the 68.xxx... and the 192.xxx.... IP registered in DNS as proper DNS servers that provide Domain services)
 -- http://support.microsoft.com/?id=832478
Step 2) Once you prevent both SRV records from registering in DNS when the netlogon service restarts, then you need to prevent it from registering its DNS records in DNS. To do this go to the NIC configuration>> TCP/IP properties>>Advanced Button>>DNS tab and disable the ability of the NIC to register its DNS settings in DNS or disable that second NIC.
Step 3) Once you have disabled the ability to register that outside NIC's DNS address, then you must remove all HOST A, SRV, and cached records of that outside NIC. I assume you already know how to remove HOST A records from the forward lookup zone. To remove DNS cache, go to the command prompt and type ipconfig /flushdns. To remove the SRV records, please follow the advice on this link:
http://support.microsoft.com/kb/241515

Or to remove SRV records you can follow the link and delete ALL SRV records and go to the command prompt and type:
Net Stop Netlogon
Net Start Netlogon
Restarting the Netlogon service re-registers the SRV records in DNS. With the second NIC, not being able to re-register the DNS SRV records, you will have  a fresh set of SRV records for the proper NICs of the server.

5) Finally check DNS forwarders (to make sure they are your ISP's DNS servers). This part, I will bet, is in good shape.
To check the SRV records, right click the DNS snapin and go to PROPERTIES. Select the Forwarders tab and manually configure your Forwarders to be your ISP's DNS servers.

6) any clients having issues afterwards will need to renew their DHCP lease and get the latest DHCP information from the server.
To do this, go to the command prompt of your problem child computer and type:
IPconfig /release
and
IPconfig /renew

Eventually, these DHCP leases and bogus information will weed themselves out when the DHCP lease expires and your network will appear to grow in performance. The reason is your DHCP clients will be getting good information.

 
Let us know if you have any questions. Rick was spot on by disabling the NICS.
0
Robert EhingerIT specialistAuthor Commented:
Thank you. I will make these changes first thing in the morning and give you feedback.
0
Robert EhingerIT specialistAuthor Commented:
I started at the beginning and here is what happened -

#1 - went OK. The second NIC is disabled and only the NIC we are using shows up in the DHCP configuration.
#2 - Router IP is 192.169.0.250
#3 - When I take out all alternate DNS servers I get the message that at least one DNS suffix is required.
#4 - When I got to this step the link "http://support.microsoft.com/?id=832478" directed me to update to the latest service pack. We are at service pack 1 so I need to go to SP2 at least. Since we don't have a connection to the Internet I have to go home, download SP2 to a flash drive and then go back and install it.

I will continue later today and let you know.
0
ChiefITCommented:
On the NICs DNS tab, Under Alternative DNS servers, list your DNS server as the DNS server.

#3 - When I take out all alternate DNS servers I get the message that at least one DNS suffix is required.

FIX A) On the TCP/IP main menu tab, type in your DNS server as the primary preferred DNS server, and leave the secondary blank.

FIX B) On the TCP/IP Advanced button:


Also make sure the radio button and check boxes of:
"Append primary and connection specific DNS suffixes"
"Append parent suffixes of the primary DNS suffix"

and

"Register this connection's address in DNS"

are all enabled.
_______________________________________________________________________________
#4 - When I got to this step the link "http://support.microsoft.com/?id=832478" directed me to update to the latest service pack. We are at service pack 1 so I need to go to SP2 at least. Since we don't have a connection to the Internet I have to go home, download SP2 to a flash drive and then go back and install it.

Fix:
Once you have DNS straight, you could go right to the Forwarders section and make sure that is set correctly. With forwarders and your NIC settings correct, you should be able to communicate with the WWW and download SP2.

SP1 can cause intermittent problems with your communications. So, it is a very good idea to download and install SP2.
0
Robert EhingerIT specialistAuthor Commented:
On the forwarders tab - Under DNS domain there is an entry that says "All other DNS Domains".

There were 4 IP addresses in the forwarder list that began with either 68. or 67.

When I tried to enter the DNS server 192.168.0.3 I got the message "The server forwarders cannot be updated. The IP address is invalid." I double checked my entry and the typing is good.
0
Robert EhingerIT specialistAuthor Commented:
Here are the addresses that were in the forwarders list -

68.87.72.130
68.87.77.130
68.53.176.6
68.87.66.196
0
Robert EhingerIT specialistAuthor Commented:
When I make all of the changes I completely lose my connection to the Internet both wireless and cabled.
0
Rick NicholsonIT ManagerCommented:
Hi Robert,

Just one brief comment... You should probably give a quick call to Comcast to see what the DNS server number should be. You probably have some old numbers in some of these settings.

Rick
0
Robert EhingerIT specialistAuthor Commented:
Interestingly, Comcast is coming Monday because they have determined we have a modem problem. So are you saying my DNS server #s should be from Comcast? From the modem?
0
ChiefITCommented:
Robert:

On the forwarders tab of DNS, you can disable recursive lookups. That will default you to Root Hints servers. Root Hints servers for DNS are used as public DNS servers. If Comcast DNS servers are not working for you, Root Hints will for the time being.

The forwarders tab of DNS is used for ONLY outside DNS servers. Either you use forwarders to your ISP's DNS servers or you use Root Hint servers.


For more information on how DNS works, you can review this article I wrote for EE. It tells the steps of a DNS query from the client to the outside world.

http://beta.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-TROUBLESHOOTING-MADE-EASY.html
 
0
Rick NicholsonIT ManagerCommented:
Not necessarily "from the modem" - I think ChiefIT would say that your server will provide those numbers to your network - but, yes, these are servers that are provided by Comcast. (Comcast will tell you what those numbers should be.) They're the machines that actually translate/resolve URLs to IP addresses. I tell my clients that they're the White Pages of the Internet.

When you enter a URL inside your network, your server will try to resolve it first, in case your have an Intranet or a web-based application in-house. If it can't resolve it, then it passes the request out to Comcast's DNS servers.
0
ChiefITCommented:
That's true Rick, to a certain extent.

Sometimes you can set your router's internal IP as a DNS forwarder. What that does is the router will look at itself, determine it can't provide DNS resolution and then go to Comcast's external DNS servers from there. Those external DNS servers are provided from Comcast when your router gets a dynamic external IP in the 67.... or 68... subnet. With internal DHCP and therefore DNS disabled on the router, the router will default to the outside Comcast DNS servers for DNS queries.

If I am not mistaken, this is a router/modem combination from comcast, (not two separate units). If this is true, the settings apply. There are no real settings for a modem. It just modulates or demodulates the signal. The settings you do on the modem actually control the routing capability of the unit.

So, either you can set your forwarders to the router's internal IP or manually to Comcast's servers. Some administrators set it to the router's internal IP, but that makes more work for the router. Some administrators set these settings to the ISP's DNS servers, but if they change out the servers, you don't have contact with them.


Client>>>Server>>>Router>>>ISP DNS servers

or

Client>>>Server>>>>>ISP DNS servers through a NAT router
0
Robert EhingerIT specialistAuthor Commented:
Actually, this is a modem provided by Comcast and a Linksys WRT54G Router.
0
Robert EhingerIT specialistAuthor Commented:
Comcast tech was in today and he told me that the type of modem we have does not support static IP addresses. He said we need the SMS modem that they use for businesses and not the residential modem we are currently using.
0
Robert EhingerIT specialistAuthor Commented:
Comcast is telling me that we need to upgrade to a business modem with four available ports to support the static IP on the server. That means that we would have to upgrade our service as well. Up to now Comcast has been providing our little Catholic school with complimentary service which would no longer be the case with the upgrade. We would much prefer to keep our Comcast service as it is.

Anyway, let's start at the beginning and see if we can get through this because I can't believe there is no way to set this up to where we get Internet service on the server and the clients. So let's start with the physical structure.

We have a Motorola modem provided by Comcast and it connects to a Linksys WRT54G Router which in turn connects via Ethernet cable to NIC #2 on the server. We also have NIC #1 that is disabled. All of our lab and classroom clients and printers are connected via Ethernet cables to our switches. The teachers and principal all have laptops that use wireless to access the Internet.

I have upgraded the server to Windows Server 2003 SP2. We are running Norton Anti-Virus (would like to switch to Comcast supplied McAfee).

Currently, after all the stuff we tried above, the only way I could restore Internet access to the clients was to give each of them static preferred DNS servers of 208.67.222.222 and 208.67.220.220. At some point, while I was doing this the server had Internet access, at least briefly, because it started downloading Windows Updates. It stopped at 20% when it apparently lost its connection.

Through all of this we have maintained access between the clients and the network drives on the server.

I guess I am trying to determine what to do now. Maybe start over??

Thank you!

Robert
0
Rick NicholsonIT ManagerCommented:
Hi Robert...

I work exclusively with small to mid-sized nonprofits, so I can empathize with your situation.

There might be some sort of work-around, but I can assure you that it would go against everything that ChiefIT has been (correctly) telling you.

I may be wrong, but I believe that your current (residential) modem/router is actually set up to do DHCP and to supply DNS info for your network. (This is what most people do at home - they don't usually bother with an internal router (like your Linksys).)

When we started this, your clients were probably grabbing dynamic IP addresses and DNS numbers from the modem/router - no problem. But, your server insisted on having a static IP address, and probably outdated DNS numbers.

Once we started pointing your clients to the server for IP's and DNS, then they also got messed up.

Here are some thoughts:

1) Can you call Comcast and ask them if your modem/router is doing DHCP? If so, ask them if it's possible for them to turn it off. If they can, then it's possible to proceed along the lines ChiefIT was heading.

2) If they can't or won't turn it off, you might then want to change your server's static IP address to a high number, like 192.168.0.251 - an address that isn't likely to be handed out by their modem/router via DHCP. You could also try hard-coding those new DNS numbers into your server's NIC. If this works then... well, let's see if this works...

Rick

(If you check back to my original comment on 11/17, I figured your modem was doing the DHCP, but I assumed that you had a business class device that would allow you to modify the scope so that your server and Linksys would be okay as static devices.)

0
Robert EhingerIT specialistAuthor Commented:
Thanks for the response. Keep in mind we already have set the server IP address at 192.168.0.3. The static IP of the Linksys router is 102,168.0.250. And just to clear up any confusion (which may be mine alone) the modem and router are separate devices in our setup.
0
Rick NicholsonIT ManagerCommented:
Hi Robert,

I understand - I'm referring to the Comcast device as the modem/router, since it seems to be filling both roles. I'll refer to your router as the Linksys - which I'm not sure is doing much at this point.

If we proceed like this, we'll need to move the server to a high IP address, since 192.168.0.3 is probably being assigned to one of your clients by the Comcast modem/router. Unless you have 200+ devices on your network, I'm assuming that 192.168.0.251 is "safe."

Rick
0
ChiefITCommented:
Can you give me a make/model of your "modem". Once we have that I think we can get you up and going.

I was a High Speed Data Tech for Qwest communications and know how to set up such things for you. I don't believe for a second that Comcast has a modem that will not allow you to connect more than one computer and will also not allow you to accept a fixed IP. I think the information they gave you was incorrect.

0
ChiefITCommented:
@ Rick:

The router shouldn't be supplying DHCP, nor do I think the Comcast tech is correct in saying everything needs to be DHCP on the network.

The reason is, if the router supplies DHCP, it will also try to provide DNS. For Microsoft server, you have Host A and SRV records in a DNS server's forward lookup zone. The router only stored Host A records. DNS on a router doesn't store any SRV records for DNS. This means there will be no domain services that rely upon those SRV records. This includes Domain authentication and logons.

Some routers (not the Linksys router) allow you to provide DHCP and disable it from providing DNS.

So, if the Comcast modem is just a modem, then the network connections will look like this:

Comcast sends DHCP>>Modem>>WAN side of the Linksys router to accept the DHCP address NAT to a fixed IP of the LAN side of the router>>fixed or DHCP clients and servers.

If the comcast modem is actually a modem/router combo we can remove the linksys modem:

Comcast provides DHCP to WAN side of modem/router and then NATs to a fixed IP on the LAN side>>network switches allow for one port of the router to be distributed out to fixed or DHCP clients and servers.
0
Robert EhingerIT specialistAuthor Commented:
The modem is a Motorola Surfboard SB5101.
0
ChiefITCommented:
OK:

Try this:

Plug your coax cable into the modem, then plug the LAN connection into the WAN port of your linksys router. Then use any of the network jacks of the linksys router to plug either computers or switches to complete the internal LAN connections.

Log onto the Linksys router. Let's separate the WAN side with the LAN side.

~~On the WAN side tell it to accept a DHCP address from Comcast, (or get an IP automatically).
~~On the LAN side disable DHCP and therefore DNS of the router and give it a fixed IP for your LAN to communicate with. That internal side of your router will be your default gateway.

So, the router will get a dynamic IP from Comcast and allow you to support a small domain on the other side. I have done this a hundred times. When our NOAA ships pull into port I have them set up EXACTLY like this except we use Roadrunner service. I also did this with Qwest as a High-Speed Data Tech. Your Linksys router will appear to the modem like a single computer that accepts dynamic IPs. So, it will work just fine.

If you have problems getting DHCP from Comcast to your router, then unplug and plug in your router. Sometimes these settings are lost and you just need to reset things a little.

If you still have problems with the entire LAN getting out to the WWW, let me know and we will troubleshoot DNS. We made a lot of changes and may have overlooked something.

0
ChiefITCommented:
So, let's paraphrase and review:

_______________________________________________________________________
Connecting the hardware together:

Coax cable to the modem>>modem>>LAN connection of the modem>>WAN port of the Linksys router>>LAN side of the router with your computers, server and smart switches.
_________________________________________________________________________________
Configuring the different NODES:

Modem>>There are NO configuration changes you need to perform on your modem.

+++++++++++++++++++++++++++++++++
LINKSYS ROUTER>> (on the Setup tab)
  ~~WAN side-
1)get an IP from comcast automatically, (also could say something like get a DHCP address) So, the WAN side is where you want to permit DHCP, this means get an IP dynamically from Comcast.
  ~~LAN side-
1) Give it a fixed IP, (that IP will be your default gateway for your entire LAN so it is very important)
2) its preferred DNS server is your Domain server NO outside servers. You want everything in your LAN to seek your DNS server prior to going to outside servers.
3) make sure the subnet mask is correct (default 255.255.255.0)
4) Disable it from providing DHCP
++++++++++++++++++++++++++
SERVER>>
NIC CONFIGURATION- (this is the same for all FIXED IP CLIENTS and SERVERS)
1) give it a fixed IP so all computers can contact it at will
2) its preferred DNS server should be manually set to be the server's OWN IP, ***NO OUTSIDE SERVERS.*** Leave the second preferred DNS server BLANK until you get another Microsoft DNS server.
3) click on the Advanced button and go to the WINS tab. Enable LMHOSTS lookup and enable NETBIOS over TCP/IP (not the default of NetBIOS over DHCP)
4) Also on the advanced settings>>DNS tab
   a) enable the radio button of "Append primary and connection specific DNS suffixes"
   b) check the box that says "Append parent suffixes of the primary DNS suffix"
   c) check the box that says "Register this connection's addresses in DNS"
5) Also on the Advanced settings>>TCP/IP tab
   a) configure your default gateway to be the internal fixed IP of the Linksys router

DHCP CONFIGURATION OF THE SERVER:
1) Go to the DHCP snapin and configure the scope options like this:
   a) configure your default gateway to be the LAN side fixed IP you gave the linksys router
   b) configure your list of DNS servers to be the IP of your server, NO OTHERS
   c) configure your router to be the router's IP

(NOTE) once DHCP scope options are corrected, you will have to go to your DHCP clients and renew their IP addresses to accept the configuration settings.
 

NOTE: now everything points to your internal LAN for DNS queries, it's now time to show your LAN how to get to the outside world for DNS resolution:

DNS CONFIGURATION OF YOUR SERVER:
Navigate to the forwarders settings by:
Open the DNS snapin>>right click your server and go to properties>>go to the forwarders tab of your server.
1) Make your forwarders Comcast's DNS servers 69... or 68... servers. THIS IS THE >>ONLY<< PLACE ON THE NETWORK YOU CONFIGURE OUTSIDE DNS SERVERS FOR DNS RESOLUTION.

NOTE) An alternative to configuring forwarders is to disable recursive lookups. That will default the server to Root Hints servers. Root Hints servers are a list of public DNS servers that come pre-configured on Win 2003 server. So, you don't have to configure them at all. Just disabling Recursive lookups on the forwarders tab in DNS will cause your domain server to default to Root Hints servers. So, if you continue to have problems with outside DNS on the entire network, then it sounds like a problem with your forwarders having bad addresses. So, try Root Hints servers.

Once all settings are done:
Go to the server's command prompt and type:

IPconfig /flushDNS
Net Stop Netlogon
Net Start Netlogon
____________________________________________________________________________
If you are in the Seattle area, I would be willing to drop by and guide you through this voluntarily. Just the name of the school and I would coordinate a time with you and show up.
0
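The checklist above (one fixed-IP NIC, preferred DNS set to the server itself, no outside DNS servers on any NIC, gateway on the LAN, scope options pointing only at the server) can be verified mechanically against an `ipconfig /all` dump. This is an added example, not code from the thread: the dump and scope below are constructed, `parse_ipconfig`, `audit_server_nics` and `audit_dhcp_scope` are names chosen here, and the 198.51.100.x addresses are placeholders for an outside-facing NIC.

```python
import ipaddress
import re

# Constructed "ipconfig /all" dump (not a capture from the thread): a Windows
# Server 2003 box that is still multihomed, with its second NIC handed outside
# DNS servers. 198.51.100.x addresses are placeholders.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : SCHOOL-DC
   Primary Dns Suffix  . . . . . . . : school.local

Ethernet adapter Local Area Connection 2:
   Description . . . . . . . . . . . : Intel(R) PRO/1000
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.250
   DNS Servers . . . . . . . . . . . : 192.168.0.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 1:
   Description . . . . . . . . . . . : Broadcom NetXtreme
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 198.51.100.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 198.51.100.1
   DNS Servers . . . . . . . . . . . : 68.87.72.130
                                       68.87.77.130
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# RFC 1918 space; anything else on a NIC's DNS list is an "outside server".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr):
    return any(addr in net for net in RFC1918)


def parse_ipconfig(text):
    """Split an ipconfig /all dump into {adapter name: {field: [values]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^\S.* adapter (.+):$", line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_key = None
        elif current is not None and " : " in line:
            key, val = line.split(" : ", 1)
            last_key = key.strip(" .")
            current.setdefault(last_key, []).append(val.strip())
        elif current is not None and last_key and line.strip():
            current[last_key].append(line.strip())   # continuation line (2nd DNS server)
    return adapters


def audit_server_nics(adapters):
    """Check every adapter holding an IP against the single-NIC rules; return findings."""
    findings = []
    live = {n: a for n, a in adapters.items() if a.get("IP Address")}
    if len(live) != 1:
        findings.append("multihomed: %d adapters hold an IP (%s); disable all but one"
                        % (len(live), ", ".join(sorted(live))))
    for name, a in live.items():
        ip = ipaddress.ip_address(a["IP Address"][0])
        net = ipaddress.ip_network(f"{ip}/{a['Subnet Mask'][0]}", strict=False)
        dns = [ipaddress.ip_address(d) for d in a.get("DNS Servers", [])]
        gw = a.get("Default Gateway", [""])[0]
        if a.get("DHCP Enabled", ["Yes"])[0] != "No":
            findings.append(f"{name}: IP is dynamic; a domain server needs a fixed IP")
        if not dns or dns[0] != ip:
            findings.append(f"{name}: preferred DNS is {dns[0] if dns else 'unset'}, should be own IP {ip}")
        if len(dns) > 1:
            findings.append(f"{name}: alternate DNS servers {[str(d) for d in dns[1:]]} listed; leave them blank")
        for d in dns:
            if not is_lan(d):
                findings.append(f"{name}: DNS server {d} is an outside server; only DNS forwarders may point outside")
        if not gw or ipaddress.ip_address(gw) not in net:
            findings.append(f"{name}: default gateway '{gw}' is not on {net}; use the router's LAN IP")
        if a.get("NetBIOS over Tcpip", [""])[0] != "Enabled":
            findings.append(f"{name}: NetBIOS over TCP/IP is not enabled")
    return findings


def audit_dhcp_scope(options, server_ip, router_lan_ip):
    """Scope options as named in the DHCP snap-in: 003 Router and 006 DNS Servers."""
    findings = []
    if options.get("003 Router") != [router_lan_ip]:
        findings.append(f"scope 003 Router should be the router LAN IP {router_lan_ip}, got {options.get('003 Router')}")
    if options.get("006 DNS Servers") != [server_ip]:
        findings.append(f"scope 006 DNS Servers should be only {server_ip}, got {options.get('006 DNS Servers')}")
    return findings


# Constructed scope: a stale outside DNS server is still being handed to clients.
SAMPLE_SCOPE = {"003 Router": ["192.168.0.250"],
                "006 DNS Servers": ["192.168.0.3", "68.87.72.130"]}

if __name__ == "__main__":
    nic_findings = audit_server_nics(parse_ipconfig(SAMPLE_IPCONFIG))
    for f in nic_findings + audit_dhcp_scope(SAMPLE_SCOPE, "192.168.0.3", "192.168.0.250"):
        print("FAIL:", f)
```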
Robert EhingerIT specialistAuthor Commented:
I would love it if you could drop by and our current weather would make you feel right at home but I am in Huntington, IN, a long way from Seattle. I will be working on this issue tomorrow and will provide feedback.

There is one other question that I have regarding problems we have with this setup. The cable that comes from the outside to the modem goes from a connection on the side of the school, up about 25 or 30 feet, across the roof of the gym (about 100 feet), another 30 or so feet to the area above the server room and then probably 20 feet down to the server. Could the length of this cable be partly the cause of our poor performance as far as intermittent connection issues? If so, what can we do about it? Is there a hardware solution? The cable and modem are new and there are no splices in the cable.
0
ChiefITCommented:
No, Comcast adjusts the levels of your signal to accommodate such runs. We run our cable modems 500' sometimes, without issue. What they do is check the levels at the modem and adjust accordingly.

DNS has been your issue all along.
0
Robert EhingerIT specialistAuthor Commented:
Maybe I have been looking at this too long but I cannot find where to set the router's preferred DNS server. Also, with the configuration noted above I can only access the Internet with the clients and then only if their preferred DNS server is statically set to 192.168.0.250 (the router's IP address). The server still does not get on the Internet.
0
Robert EhingerIT specialistAuthor Commented:
Also, what did you mean in #2 under server when you wrote - it's preferred DNS server should be manually set to be the server's OWN IP, ***NO OUTSIDE SERVERS.** Leave the second  preferred DNS server BLANK until you get another microsoft DNS server.
0
Robert EhingerIT specialistAuthor Commented:
OK I was online for awhile and had Google up. Windows updates downloaded but then I lost my connection. I can successfully ping several sites such as google, ndnation and experts exchange but I could not ping yankees.com, ivytech.edu or microsoft.
0
ChiefITCommented:
Little Q/A, huh?:

Q: "Maybe I have been looking at this too long but I cannot find where to set the router's preferred DNS server."

A: The router has two sides to it. One is the WAN side and the other is the LAN side to its configuration. On the LAN side is where you set up your server as the preferred DNS server, if that setting is available. I am pretty sure it is there on a Linksys router, but it might not be.
++++++++++++
Q: "Also, with the configuration noted above I can only access the Internet with the clients and then only if their preferred DNS server is statically set to 192.168.0.250"

A: Have you made the DHCP scope option changes and renewed your DHCP client's IPs? If so, you may have a ROGUE DHCP server. What is a rogue DHCP server, you might ask? A rogue DHCP server is a DHCP server that you don't want supplying DHCP and it is supplying DHCP. Rogue DHCP servers interfere and will shut down your Windows server's DHCP. To find a rogue DHCP server, run a little program called DHCPloc.exe. Usually rogue DHCP servers are your ROUTERS and MASS STORAGE DEVICES. So, triple check your router's LAN side and make sure your router is NOT supplying DHCP to your LAN but IS getting DHCP from comcast on the WAN side.
++++++++++++++++++++++++++++++++++
Q: "Also, what did you mean in #2 under server when you wrote - it's preferred DNS server should be manually set to be the server's OWN IP, ***NO OUTSIDE SERVERS.** Leave the second preferred DNS server BLANK until you get another microsoft DNS server."

A: This means you are going to manually set your server's NIC preferred DNS server to its own IP.
Example of the NIC settings on the server:

IP: 192.168.0.250
Subnet Mask: 255.255.255.0
Default gateway: (your router's IP)
Preferred DNS server 1: 192.168.0.250
Preferred DNS server 2: (Blank)
+++++++++++++++++++++++++++++++++++
Q: "OK I was online for awhile and had google up. Windows updates downloaded but then I lost my connection. I can successfully ping several sites such as google, ndnation and experts exchange but I could not ping yankees.com, ivytech.edu or microsoft."

A: It looks like your packets are getting fragmented by possibly MTU channels. Because of this discrepancy you are having intermittent communications. This is my favorite thing to track down and fix on EE. We are going to have to troubleshoot and fix this for you. It appears your server is intermittently communicating. So, let's start there.

Please provide an IPconfig /all of the server, provide DC diagnostics by going to the command prompt and typing DCdiag /verbose, and let me know what service pack you are currently on.

NOTE: We are going to use NSlookup for most of our troubleshooting rather than ping. NSlookup will tell you where the packet stops. Also Ping is a multi-communications protocol troubleshooting tool unless specifically tasked to do otherwise. This means Ping is used to troubleshoot DNS, Netbios, and ARP while NSlookup is strictly for DNS troubleshooting.

 
0
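The rogue-DHCP check described in the answer above (a second device, usually the router, answering DHCP and handing clients its own DNS settings) comes down to inspecting DHCPOFFER packets for their server identifier (option 54) and DNS list (option 6). The following is an added example, not code from the thread or from DHCPloc: `build_offer`, `parse_dhcp` and `check_offer` are names chosen here, and both packets are constructed in the block rather than captured.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OFFER = 2                            # DHCP message type (option 53) value for DHCPOFFER


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid, offered_ip, server_id, router, dns_servers):
    """Assemble a minimal DHCPOFFER; used here only to fabricate test packets."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,                 # op=BOOTREPLY, htype, hlen, hops, xid, secs, flags
                         b"\0" * 4, ip4(offered_ip), b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)   # chaddr, sname, file
    options = (bytes([53, 1, OFFER])
               + bytes([54, 4]) + ip4(server_id)                # server identifier
               + bytes([3, 4]) + ip4(router)                    # router (default gateway)
               + bytes([6, 4 * len(dns_servers)]) + b"".join(map(ip4, dns_servers))
               + b"\xff")                                       # end option
    return header + MAGIC_COOKIE + options


def parse_dhcp(pkt):
    """Return (op, xid, yiaddr, {option code: raw value}) from a raw BOOTP/DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, xid = pkt[0], struct.unpack("!I", pkt[4:8])[0]
    yiaddr = str(ipaddress.IPv4Address(pkt[16:20]))
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                      # pad byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return op, xid, yiaddr, options


def addr_list(raw):
    """Decode an option value holding zero or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - 3, 4)]


def check_offer(pkt, authorized_servers, expected_dns):
    """Report an OFFER from a server outside `authorized_servers` (a rogue, e.g. a router
    with DHCP still on) or one handing out DNS servers other than `expected_dns`.
    Returns a report dict, or None if the packet is not a DHCPOFFER."""
    op, xid, yiaddr, opts = parse_dhcp(pkt)
    if op != 2 or opts.get(53) != bytes([OFFER]):
        return None
    server = (addr_list(opts.get(54, b"")) or [None])[0]
    dns = addr_list(opts.get(6, b""))
    problems = []
    if server not in authorized_servers:
        problems.append(f"rogue DHCP server {server} answered xid {xid:#x}")
    if dns != list(expected_dns):
        problems.append(f"offer hands clients DNS {dns} instead of {list(expected_dns)}")
    return {"server": server, "offered_ip": yiaddr, "router": addr_list(opts.get(3, b"")),
            "dns": dns, "problems": problems}


def find_rogues(packets, authorized_servers, expected_dns):
    """Keep only offers with problems; feed this the payloads seen on UDP port 68."""
    reports = (check_offer(p, authorized_servers, expected_dns) for p in packets)
    return [r for r in reports if r and r["problems"]]


# Constructed packets (not captures): the domain server's legitimate offer, and a
# second offer for the same transaction from the Linksys LAN IP, i.e. the router
# still serving DHCP and pointing clients at one of Comcast's DNS servers.
GOOD_OFFER = build_offer(0x1234, "192.168.0.101", "192.168.0.3", "192.168.0.250", ["192.168.0.3"])
ROGUE_OFFER = build_offer(0x1234, "192.168.0.120", "192.168.0.250", "192.168.0.250", ["68.87.72.130"])

if __name__ == "__main__":
    for r in find_rogues([GOOD_OFFER, ROGUE_OFFER], {"192.168.0.3"}, ["192.168.0.3"]):
        print(r["server"], "->", r["offered_ip"], "|", "; ".join(r["problems"]))
```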
Robert EhingerIT specialistAuthor Commented:
OK, here is the latest and I did all of this before I saw your latest response. I got to thinking about the second NIC and why it was active when I first took this job. There is/was no one here to answer that question, no files or notes to refer to. So I wondered if maybe they used the second NIC to connect the server to the Internet and then disconnected the cable as a security measure when the connection was not required. So, I enabled the second NIC, gave it its own static IP settings and I was able to get online. I downloaded and installed all of the current updates for Windows and for our anti-virus. I then disconnected the Ethernet cable from the second NIC and still had access with all of the clients.

I don't know that this is a proper setup but it seems to be working and it actually does provide an additional layer of security in case some unauthorized individual gets access to the server.
0
ChiefITCommented:
That is the reason I was looking for an IPconfig /all of the server.

Even with the cable disconnected, your server is still multihomed. Multihomed servers are problematic at best for even some of the best IT administrators. It messes with things like DNS, DHCP and netbios. This means you will experience intermittent problems with internet and communications with your clients.

Let's talk about IT security for a moment. IT security is best handled through a set of best met practices. 99.99 percent of all malicious code out there must have the operator initiate the install of the virus, worm or other types of malware. Let me explain why. You are behind a NAT firewall that changes your outside IP address that Comcast gives you to an internal IP (called a private IP space). 192.168.0.250 means nothing to me. I can not contact your server unless I know the outside IP of your server. Even then, firewalls and your ISP's firewall will block most all communications to your server from a remote location unless you provide a door to the outside world that bypasses the firewall. This means if you download a virus or a trojan of some sort they may have access to your server.

What best met practices means is this:
--Have strong passwords that are not easily guessed so if they get past firewalls you have something hard to crack
--don't download things from other sites unless you absolutely trust the site
--don't open up email attachments while on your server
--don't directly hook up your server to your modem or to an outside IP.

Your DNS and therefore Internet problems come from disconnecting your second NIC and not DISABLING IT.

Let's say NIC 1 is busy and your server automatically defaults DNS queries to NIC 2. NIC 2 is not disabled, but it is disconnected. This means you will not be able to get out to the internet and you will probably have problems with your clients. When a NIC is busy, it defaults to the other NIC. By telling the computer you have ONE NIC to operate with, you are pointing all traffic to that NIC and not to a dead end. Now let's say that one NIC is busy; now it has to share its resources to accommodate the LAN.

Go to that NIC you disconnected and right click it. Now, disable it. Don't use it on the server. Use only one nic and let's get your DNS straight so you can use the internet off that one NIC. To keep your server secure, don't do crazy things on the server and use some best met practices to keep it from downloading a virus or some form of malicious code.

Now you may need to make sure you don't have SRV records in DNS for that NIC you disabled. If you do, the clients may try to contact that nic that no longer exists. Or the server may try to rely upon that nic that no longer exists. Disconnecting that NIC is not enough, it must be disabled.

Once done, provide an IPconfig /all. If that is straight, we will correct DNS.

0
Robert EhingerIT specialistAuthor Commented:
I am attaching the screen shot of ipconfig /all after disabling the second NIC. Physically, the NIC we are using is listed as Local Area Connection 2 and the one that is disabled is Local Area Connection 1. I have also included a screen shot of the IP settings I used for NIC #1 (now disabled) that got us out on the Internet. The DNS server info came from the status page of the router and is a Comcast DNS server.
ipconfig-all.bmp
NIC1.bmp
0
ChiefITCommented:
Your IPconfig is PERFECT when Nic 2 is disabled.

The preferred DNS server of NIC two is one of comcast's DNS servers.

>>Just for instructional purposes:
Let's say you disabled NIC one and enabled NIC 2. Then you try to contact the internet. It would have looked at that comcast server and found an outside internet address. Now, you try to contact one of your clients. Your client would not have been found unless the client's record is in DNS cache. So, your client would have been skipped. This is what happens if you use an outside server as your preferred DNS server for ANY NIC on the LAN.

Now, let's go to the command prompt and type: IPconfig /flushdns and try to contact the internet.

If not, let's go to a client and see if it has communications to the internet.

Let me know the results of your findings. If your server doesn't have internet access, but your clients do, then let's fix the server.
0
Robert EhingerIT specialistAuthor Commented:
OK before I check this, which may be Monday until I get back to it, am I supposed to have Local Area Connection 1 (NIC 1) enabled with the ipconfig /all settings and Local Area Connection 2 (NIC 2) disabled? Currently Local Area Connection 1 is disabled and has the Comcast DNS server. Local Area Connection 2 is the active NIC with the ipconfig /all settings. Or does it really matter which one we use?
0
ChiefITCommented:
~~The one with the IPconfig /all settings is the one you want enabled.

~~The other one with comcast as the preferred DNS server should be disabled.

If that works for server and clients, let's watch it to see if we succeeded in DNS and removing multihomedness on your server. If not, tell me of the issues you see, and let's fix them.
0
Robert EhingerIT specialistAuthor Commented:
With the setup as you described the clients access the server and the Internet but the server does not get on the Internet.
0
ChiefITCommented:
OK:

Sounds like a port blockage on that NIC.

Let's see what a portqry says:

Portqry is a tool that you can use to figure out if your ports are accessible. Since you are having problems with the internet, it sounds like your issue is with port 80, the HTTP port. Go to your server's command prompt and type:

portqry -n 192.168.0.3 -p both -o 80,53

This checks both the HTTP port 80 and DNS port 53 (PortQry takes a single port with -e and a comma-separated list with -o).
0
ChiefITCommented:
Let's also get an idea of what service pack you are on. If service pack 1, we may need to update to SP2.
0
Robert EhingerIT specialistAuthor Commented:
I will do the port query tomorrow. We are on SP2.
0
Robert EhingerIT specialistAuthor Commented:
I had to download and install Port Query so I got the version with the User Interface. Anyway, I am sending a screen shot of the results. It appears that port 53 is OK but port 80 is not listening. We have Norton Antivirus running but I don't see a firewall with it and the Windows firewall is disabled.
Port-Query.bmp
0
ChiefITCommented:
It is accessible, but your server may be looking for the wrong NIC for its default gateway.

Let's try to clear the arp cache>>

http://www.tech-faq.com/clear-arp-cache.shtml
+++++
and make sure the non-disabled nic has control of the gateway>>

http://technet.microsoft.com/en-us/library/cc779696.aspx
+++
then, let's make sure the security settings are not denying you access to these sites because third party cookies are disabled.

Go to the browser, security settings and set them all back to default settings. For explorer, click on the blue world Icon in the bottom right corner and make sure the zone and cookie settings are all set to default levels. Then, clear the cookies and history of the server.
0
Robert EhingerIT specialistAuthor Commented:
OK, I did all of the above and we have the same situation. Nothing has changed. I cleared the arp cache, checked the nics for gateway control and reset the browser security settings. What next?
0
ChiefITCommented:
OK, port 80 is shut down (not listening according to portqry)


Zone Alarm by default should stop incoming traffic to port 80 unless you specify otherwise. Also TCP filtering may be the issue:

To check TCP filtering, go to the NIC configuration>>TCP/IP properties>>Advanced button>>Options tab and see if you are filtering and if port 80 was made an exception, (if you filter your TCP/IP connections).

0
Robert EhingerIT specialistAuthor Commented:
OK, I checked the TCP filtering and here is what I found -

"Enable TCP/IP Filtering (All Adapters)" was NOT checked.
All 3 "Permit Only" radio buttons were checked.

Just for funsies I checked the "Enable TCP/IP Filtering (All Adapters)" check box and clicked all of the "Permit All" radio buttons. I then tried to access the Internet and, at first I thought it was going to but then the connection timed out. I tried again with Firefox and IE with no success.

I then did a port query of port 80 and it is still not listening.

So then I put it back like it was originally except I added TCP port 80 under the TCP ports list.
I ran port query again and got the same message.

The last thing I did was to check the "Enable TCP/IP Filtering (All Adapters)" check box and clicked all of the "Permit All" radio buttons except for the one for TCP ports. I clicked "Permit Only" and added port 80.

No access to the Internet and port query still shows port 80 not listening.

Any other suggestions?

Thanks!

Robert
0
ChiefITCommented:
Sorry for not replying earlier robert.

I have to rely upon some research, because I am stumped.

Found this:

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Q_22736533.html
0
Robert EhingerIT specialistAuthor Commented:
Thanks for the link I will see if that helps. While working on this issue all of the sudden all of our connections are really slow. At first I thought it was when an entire class went to the lab and logged in but it doesn't matter if it is a whole class or just one user, the connection to the server is brutally slow.
0
Robert EhingerIT specialistAuthor Commented:
I am sending several screen shots because I don't know how much of this is related, probably all of it. It is even to the point that I can't add computers to the domain. Actually, they are the same computers, we just replaced hard drives and loaded a fresh copy of windows XP Pro. I give them the same computer name as before and they show up in the A records but not in Active Directory Users and Computers. When I try to add them in Active Directory Users and Computers I get a message that the computer name is already in use. Anyway, some of the screen shots deal with this issue.

Also, there are several errors noted in the event log. Event 6702 seems to be the most common. The description is as follows and leads to the question, should I delete the 192.168.0.1 record or change it to 192.168.0.250?

DNS server has updated its own host (A) records.  In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update.  An error was encountered during this update, the record data is the error code.
 
If this DNS server does not have any DS-integrated peers, then this error
should be ignored.
 
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
 
To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact.  (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner.  It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

Thanks for your help.

Robert
Error1.bmp
Error2.bmp
TCPIP.bmp
tcpip-details2.bmp
0
Robert EhingerIT specialistAuthor Commented:
I hope someone is still there - OK, I reinstalled DNS and we seem to be maintaining connection to the network but cannot add any nodes. The only way to stay connected, though, is with static DNS servers on all the clients. If a printer or drive is already mapped then it seems to be OK but if we try to map a drive or printer we can't get there. These are drives and printers that may be mapped to other clients and are working OK there. Essentially, our DHCP server is not able to act as our DNS server as well. Any ideas.
0
ChiefITCommented:
Hi robert:

It's been a while. I am lost at where we are at. So, I am going to provide an all inclusive fix for you in lay terms. Some of these fixes are going to be already in place and will be a repeat from above:

OK: So I have a list of things I think we need to do in order.

Multihomed fixes::
1) To make sure we are on ONE Single NIC. Ensure the second NIC is DISABLED, not just disconnected. A disabled NIC can be bound to via DHCP, DNS, and netbios.

2) To straighten out DHCP:
    2a) Download and run DHCPloc.exe to determine if you have any rogue DHCP servers. Rogue DHCP servers would include your router if it is supplying DHCP.

NOTE: DHCPloc.exe is found on the 2003 server support tools. To get these tools, go to your install disk of 2003 server and manually navigate to the folder D:/support/tools. There is an install file for all these tools and you probably already have installed them. A part of these tools will be dcdiag and netdiag. Very useful tools.

Explanation of DHCP locate:
http://technet.microsoft.com/en-us/library/cc759117.aspx

    2b) you need to make sure it is not trying to provide DHCP to the NIC you disabled. In other words
    2c) Go into DHCP scope options, and make sure the DNS server list is set to only your windows DNS server

3) To straighten out DNS
    3a) Register the SRV records. To do so, let's verify these SRV records, first: I believe you have SRV records for both the disabled nic and the enabled NIC.
How to verify your SRV records:
http://support.microsoft.com/kb/241515

If NO SRV records exist, go to the command prompt and type:
Net stop netlogon
Net start netlogon

Restarting the netlogon service should register your SRV records for you.
 
If the SRV records for both nics are present. Then, you will have to delete your SRV records, download this patch and re-register your SRV records:
http://support.microsoft.com/?id=832478

    3b) Make sure all fixed IP clients and servers don't have any outside DNS servers listed as a preferred DNS server. You can do this by going to the command prompt and typing IPconfig /all.

    3c) Straighten out DNS scavenging. DNS scavenging deletes old records from DNS. If the scavenging is set prior to the DHCP lease expiration or the SRV records time to live, your Host A records of your DHCP clients and your SRV records can be deleted. You will want to set your DHCP scavenging to after your DHCP leases duration expire. So, if you have an 8 day DHCP lease, you can set DNS scavenging to a 7 day refresh and 2 day no refresh for a total of a 9 day DNS scavenging date. To do this, follow this link:
http://windowsitpro.com/article/articleid/95228/configuring-dns-scavenging.html
    3d) Make sure no HOST records are configured on servers and clients. The host file is a file that a client or server will look at prior to going out to the DNS server for DNS resolution. If the host file is configured, the client or server with that host file may think it can provide DNS for itself. During a DNS query, the client will always try to resolve a DNS query by itself by first looking at its own host file, then within its own DNS cache. So, if you are having DNS problems you will want to check this host file, and flush the DNS cache. The host file is found on all machines at C:\Windows\system32\drivers\etc\hosts. To flush the dns cache, go to the command prompt and type IPconfig /flushdns.

    3e) Flush the Server's DNS cache
   
    3f) Now we need to set up forwarders. I recommend setting your forwarders to your router's LAN IP. Why do I do this, you might ask. Your router is between you and your ISP. It gets a Dynamic IP from your ISP. Along with that Dynamic IP, it also receives a list of DNS servers from your ISP. But, it does this dynamically. So, if your ISP takes a DNS server off line, (without your knowledge), you will not get a bad IP to forward DNS queries to. The router automatically updates your forwarding servers for you. Those 64.... addresses on your WAN server for DNS are the servers you will be forwarding to for DNS.

To set forwarders, open up the DNS snap-in>right click on the forward lookup zone of your domain> and select properties. Select the forwarders tab. You only have to enter in your router's LAN IP (the 192... address) for a forwarder. Then, enable the recursion checkbox.

4) to straighten out netbios
   4a) You already disabled the second NIC. So all you have to do is flush the WINS/Netbios cache. To do this, go to the command prompt of the server and type: NBTSTAT -rr. Now we need to make sure it binds to the right NIC for Netbios. To do so, reboot the server.

+++++++++++++++++++++++++++++++++++++++
Let me explain these errors to you and why you are having some difficulty:

Missing SRV records:
SeRVice (SRV) records are DNS records found on the DNS server. (not the router or an outside server). These records provide crucial points of contact to your domain controller. For one, they provide the IP to your authentication server. (This is the very reason you are having problems finding the domain server for joining or logging onto the domain).
Three things are the usual causes of these records missing:
 1) DNS scavenging deletes the records.
 2) Your server or clients are going to outside servers (as their preferred DNS server in the NIC configuration) to locate these SRV records.
 3) You have a dual NIC set up and one NIC may be an outside address. So, the client may see these SRV records, but the DNS server responds to the outside NIC and the client doesn't receive a confirmation back.

>>>The inability to contact your SRV records is the bane of your existence right now.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The ability to ping some websites, while not being able to reach them by using the URL, could be a DNS problem, but is most likely a firewall problem. Do you have zone alarm or symantec on this server? We may have to troubleshoot this a little more:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The ability of your clients to contact the internet, but not local machines or your server is because you have outside DNS servers on that machine's NIC configuration. You want your clients to look at your DNS server as the preferred DNS server. Your DNS server will forward the outside requests to outside servers if you need an outside lookup, like (google.com).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The inability to see some machines in "my network places" comes from having two NICS. Netbios may have bound to the second NIC and you may have had problems with network shares and browsing the LAN.


______________________________________________________________________________
Reference material for you: (I highly recommend this read)

http://beta.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-TROUBLESHOOTING-MADE-EASY.html
NOTE: If this link takes you to the main Articles page. Then, click "go to articles" and select the "networking" zone. There you will find an article called "DNS TROUBLESHOOTING MADE EASY" that I wrote for you.

let me know how things look after this!!! I will wait.
0
ChiefITCommented:
Ah, crikey:

type-oh:
1) To make sure we are on ONE Single NIC. Ensure the second NIC is DISABLED, not just disconnected. A disabled NIC can be bound to via DHCP, DNS, and netbios.

Should have read:
1) To make sure we are on ONE Single NIC. Ensure the second NIC is DISABLED, not just disconnected. A disconnected NIC can still be bound to via DHCP, DNS, and netbios.

I also missed one:

2d) let's make sure we are not bound to that disabled NIC. To do this:
DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding

You can disable any binding from providing DHCP. You want to disable the NIC binding of the nic you disabled. (NIC 2 I believe)
0
Robert EhingerIT specialistAuthor Commented:
I will be back at the school this morning and then I will provide feedback. Actually, though, NIC2 is the one we are using.
0
Robert EhingerIT specialistAuthor Commented:
OK, I went through your instruction step by step and here are the results -

I am attaching a screen shot of the Bindings.

When I tried the Net Stop netlogon command it said it was stopping then I got a message that it couldn't be stopped. I looked in the services list and the status was "Stopping." I waited at least 15 minutes before resuming and the status was still stopping. I decided to continue with your instructions.

Even with the changes we can still only access the Internet and the server with static IP addresses 208.67.222.222 and 208.67.220.220.

I am attaching several other screen shots for you to analyze.

Another thing that may be completely unrelated, and then again it might not be: our server is running extremely slow and we continually get a low virtual memory error. We have a 2.8 GHz CPU and 1 GB RAM. The paging file is set at 1535 MB.

For some of the other items you mentioned-
Missing SRV records:

Three things are the usual causes of these records missing:
 1) DNS scavenging deletes the records.

Change that setting per instructions

 2) Your server or clients are going to outside servers (as their preferred DNS server in the NIC configuration) to locate these SRV records.

As I already mentioned, that seems to be the only way to get connected.

 3) You have a dual NIC set up and one NIC may be an outside address. So, the client may see these SRV records, but the DNS server responds to the outside NIC and the client doesn't receive a confirmation back.

NIC #1 is disabled and set to automatic on both counts.


The ability to ping some websites, while not being able to reach them by using the URL, could be a DNS problem, but is most likely a firewall problem. Do you have zone alarm or symantec on this server? We may have to troubleshoot this a little more:

We do have symantec installed.

I am also including screen shots of the TCP/IP error message we have been receiving when we start the server and when I restarted it today as well as the error I get when I try to add a client to the domain.
And screen shots of the DNS Management Window before and after DNS reinstall.

Thanks for your help.

Bindings.bmp
Forwarders.bmp
Netbios.bmp
NIC1-TCPIP.bmp
IPCONFIGall.bmp
TCPIP-Services.bmp
TCPIP-ServicesTechInfo.bmp
Domain-Error-1.bmp
Domain-Error-2.bmp
Domain-Error-3.bmp
dnsmgt-previous.bmp
dnsmgt-today.bmp
0
ChiefITCommented:
Looks like you are having problems with the TCP/IP stack. Uninstall TCP/IP on the server's nic configuration, and reinstall it.
0
ChiefITCommented:
Also, if this is SP1, update to SP2. Some issues with the TCP/IP stack were fixed with SP2.
0
ChiefITCommented:
The server's list of preferred DNS servers should be only itself, the only place you want an outside DNS server listed is in DNS forwarders or Root hints.

Go back to the Forwarders tab, under DNS snapin>>zone properties and uncheck the little box that says, disable recursive lookups for this connection. That will enable your forwarders.

disabling recursion defaults you to root hints servers.
0
Robert EhingerIT specialistAuthor Commented:
>looks like you are having problems with the TCP/IP stack. Uninstall TCP/IP on the server's nic configuration, and reinstall it.>

Should I use the instructions in this article? This is a new procedure for me. http://support.microsoft.com/kb/325356

>Also, if this is SP1, update to SP2. Some issues with the TCP/IP stack were fixed with SP2>

We are up to SP2.

>The server's list of preferred DNS servers should be only itself, the only place you want an outside DNS server listed is in DNS forwarders or Root hints.

Go back to the Forwarders tab, under DNS snapin>>zone properties and uncheck the little box that says, disable recursive lookups for this connection. That will enable your forwarders.

disabling recursion defaults you to root hints servers.>

The server IP address is the only DNS server listed for the server itself. It is on the clients that we are using the static DNS addresses 208.67.222.222 and 208.67.220.220. I will do the other things you mentioned. I may not get back to the school until Monday morning but I will give you feedback after that.

Thank you!!

0
ChiefITCommented:
A winsock reset will probably work well in this case. So, the article looks to be a good start.
0
Robert EhingerIT specialistAuthor Commented:
OK, I followed the instructions in the article to the letter and here is the current situation. I am attaching screen shots of dcdiag and netdiag both after they ran for over 20 minutes. In fact, they were still running when I had to leave for the evening. You can't tell by the screen shots but the cursor was blinking as though there was some sort of activity going on.
I still can not add any node to the network. Those screen shots are attached as well as are the current TCP/IP settings.

Oops, somehow the netdiag screen shot didn't make it to my flash drive.

Please advise.

Thanks!!
Name-Change.bmp
Details1.bmp
Details2.bmp
DCdiag.bmp
TCPIPProperties.bmp
AdvancedTCPIP.bmp
DNS.bmp
WINS.bmp
0
ChiefITCommented:
Good screen shots, very helpful:

In the NIC configurations of your client and server machines, on the WINS tab, change netbios over DHCP to netbios over tcp/ip and reboot the server and client afterwards.

Now we have metadata in DNS:

To clean this up, (with such a small domain), it is easy. Let's go into the DNS snapin>>forward lookup zone>>and remove any DNS records that are associated with outside IP addresses.

We also need to clean up the SRV records. It appears like the disabled nic, (the one not on your private IP space 192.168....), was the second NIC. If this is true, your domain controller used the outside IPs as your private IP space. So, those were registered as the primary point of contact for your server. I have a document that will help you """VERIFY the SRV records existence""". You can use this as a reference to delete the IPs not used by the server with that second nic disabled.

REMOVE ALL DNS RECORDS of the disabled nics, including SRV records.
http://support.microsoft.com/kb/241515
0
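As an added example for this thread (not a Microsoft tool and not code from any participant), the script below parses a DNS export in the zone-file style that dnscmd /ZoneExport and netlogon.dns write, reports which DC locator SRV records are absent, and flags A records that point outside the LAN, the leftover records from the second NIC that the post above says to remove. The sample zone text, the 10.1.1.5 address and the 192.168.0.0/24 subnet are constructed assumptions; the server name and domain mirror the thread.

```python
"""Audit a Windows DNS zone export for domain-controller locator records.

Added example for this thread; not a Microsoft tool.  It reads the
zone-file style text that dnscmd /ZoneExport and netlogon.dns use and
reports (a) which DC locator SRV records a client needs but cannot find
and (b) A records that point outside the LAN, i.e. entries left behind
by a second NIC that registered an outside address.
"""
import ipaddress
import re

# Constructed sample.  Server name, domain and 192.168.0.3 mirror the
# thread; 10.1.1.5 is an ASSUMED stale address from the other NIC.
SAMPLE_ZONE = """\
; zone export, constructed for this example
huntingtoncatholic.local.                      600 IN A   192.168.0.3
huntingtoncatholic.local.                      600 IN A   10.1.1.5
hcsserver.huntingtoncatholic.local.            600 IN A   192.168.0.3
gc._msdcs.huntingtoncatholic.local.            600 IN A   10.1.1.5
_ldap._tcp.huntingtoncatholic.local.           600 IN SRV 0 100 389 hcsserver.huntingtoncatholic.local.
_kerberos._tcp.dc._msdcs.huntingtoncatholic.local. 600 IN SRV 0 100 88 hcsserver.huntingtoncatholic.local.
"""

# SRV owner names (relative to the domain) that domain join and logon
# query; _ldap._tcp.dc._msdcs is the one named in the join error.
REQUIRED_SRV = (
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs",
    "_ldap._tcp.gc._msdcs",
)

# owner [ttl] [IN] type rdata  (TTL and class are optional in exports)
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|SRV)\s+(.+)$", re.I)


def parse_records(text):
    """Return (owner, type, rdata) tuples for the A and SRV records.

    A rdata is the dotted address; SRV rdata is (priority, weight, port,
    target).  Owners and targets are lower-cased with the trailing dot
    removed so they compare cleanly.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # strip comments
        match = RR_RE.match(line) if line else None
        if not match:
            continue                               # SOA, NS, AAAA ... ignored
        owner = match.group(1).rstrip(".").lower()
        rtype = match.group(2).upper()
        fields = match.group(3).split()
        if rtype == "SRV":
            prio, weight, port, target = fields[:4]
            records.append((owner, "SRV", (int(prio), int(weight), int(port),
                                           target.rstrip(".").lower())))
        else:
            records.append((owner, "A", fields[0]))
    return records


def audit_zone(text, domain, lan_subnet):
    """Compare the export against what a domain client needs.

    Returns a dict with:
      missing_srv  - required locator names absent from the export
      foreign_a    - (owner, ip) A records outside lan_subnet
      dangling_srv - SRV targets that have no in-LAN A record
    """
    lan = ipaddress.ip_network(lan_subnet)
    domain = domain.rstrip(".").lower()
    records = parse_records(text)
    a_records = [(o, ip) for o, t, ip in records if t == "A"]
    srv_records = [(o, rd) for o, t, rd in records if t == "SRV"]

    srv_owners = {o for o, _ in srv_records}
    missing = [n for n in REQUIRED_SRV if f"{n}.{domain}" not in srv_owners]

    foreign = [(o, ip) for o, ip in a_records
               if ipaddress.ip_address(ip) not in lan]

    lan_hosts = {o for o, ip in a_records if ipaddress.ip_address(ip) in lan}
    dangling = sorted({rd[3] for _, rd in srv_records if rd[3] not in lan_hosts})

    return {"missing_srv": missing, "foreign_a": foreign,
            "dangling_srv": dangling}


def srv_query_names(domain):
    """The exact names to hand to 'nslookup -type=SRV' when verifying."""
    domain = domain.rstrip(".").lower()
    return [f"{n}.{domain}" for n in REQUIRED_SRV]


if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE, "huntingtoncatholic.local", "192.168.0.0/24")
    for key, value in report.items():
        print(f"{key}: {value}")
    print("verify with nslookup -type=SRV:", *srv_query_names("huntingtoncatholic.local"))
```

Point it at a real export by reading %SystemRoot%\System32\DNS\<zone>.dns or %SystemRoot%\System32\Config\netlogon.dns into the text argument; every name it lists under missing_srv is one that "net stop netlogon / net start netlogon" should re-register.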
Robert EhingerIT specialistAuthor Commented:
I made the change on the WINS tab but I can't seem to find any SRV records. Maybe I am not following the instructions properly but I don't even see the folders they are asking for.
For clarification, I have NIC#1 and NIC#2. NIC#1 is disabled. It has been all along. Is it the one that should be disabled or should we be using it rather than NIC#2, or does it make a difference?
And now there is nothing except the server IP address in DHCP. I didn't think we had done anything to DHCP. I no longer see my reservations or scope or anything else. HELP.
0
Robert EhingerIT specialistAuthor Commented:
Here is the screen shot of the DHCP console.
DHCP.bmp
0
Robert EhingerIT specialistAuthor Commented:
New Scope on the Action Menu is greyed out.
0
Robert EhingerIT specialistAuthor Commented:
Sorry, never mind. I restarted the server and everything is as it should be in DHCP.
0
Robert EhingerIT specialistAuthor Commented:
One of the lines from the error message we get when trying to add a client to the domain is "The query was for the SRV record for _ldap._tcp.dc._msdcs.huntingtoncatholic.local" I do not have a folder anywhere that looks at all like  _ldap._tcp.dc._
0
ChiefITCommented:
OK, this is your only server.

So, let's make sure it has ALL The five FSMO roles. We should verify them.

Then, let's KEEP NIC1 disabled, go to the command prompt and type these three lines:

IPconfig /flushDNS
Net Stop Netlogon
Net Start Netlogon

then, verify your SRV records again.

I am wondering if you set up your DNS zones yet??? If you configured your zones, go into the DNS snapin, select the zone, right click on the zone and select "connect to server". You may not be connected to the server in order to review the zones or SRV records.
0
Robert EhingerIT specialistAuthor Commented:
Here is a screen shot of the Forward Lookup Zones. There is no "connect to server" option. There are no Reverse. I still don't see any SRV records.
Zones.bmp
0
Robert EhingerIT specialistAuthor Commented:
Here are the results of the nslookup. Obviously, the second command, "_ldap._tcp.dc._msdcs.huntingtoncatholic.local" did not work since the first failed.
NSlookup.bmp
0
Robert EhingerIT specialistAuthor Commented:
I am completely lost. If there are SRV records I don't know how to find them. I have uninstalled and reinstalled DNS twice more and am getting nowhere. Here are the instructions I am following for reconfiguring DNS zones from a previous question someone asked in this forum - My comments or questions in ()
"
So, you are going to have to recreate TWO Forward Zones:
jsldom.local and (mine would be huntingtoncatholic.local)
_msdcs.jsldom.local (and _msdcs.huntingtoncatholic.local)

Just right click on the SERVERNAME in the DNS Management Console and select New Zone....  do not change any of the defaults, enter jsldom.local on the screen that asks for it and finish out the wizard.

Then do it once more for _msdcs.jsldom.local.

Next, RIGHT CLICK on the new jsldom.local zone and select NEW DELEGATION.  In the second screen of that wizard enter just "_msdcs" (which will create the full _msdcs.jsldom.local below).  On the Name Server screen enter both your FULL SERVER NAME (server.jsldom.local) AND it's IP address -- or you can click "Resolve" to have the IP automatically entered.  Then click ADD and finish out the wizard.
(If I click "Resolve" I get an error that it can't be resolved. I then put in the IP address 192.168.0.3)
Next... (you're almost there).

Stop the DNSSERVER and NETLOGON services.
Open Windows Explorer and go to C:\WINDOWS\system32\config  -- delete both netlogon.dns and netlogon.dnb files
Restart the DNSSERVER and NETLOGON services
Open a command prompt and enter
"IPCONFIG /FLUSHDNS" <enter>
"IPCONFIG /REGISTERDNS" <enter>"


OK, I have done all of the above with no luck. I still can not access the network nor the Internet using my server IP as the preferred DNS server on the clients. Also, I still cannot add any clients to the domain because I continue to get the same error as mentioned a few posts above. I am still confused by the part of the error message that reads "The query was for the SRV record for _ldap._tcp.dc._msdcs.huntingtoncatholic.local". Where on earth is this record supposed to be and how do I recreate it if it doesn't exist?
I know I am being a bit of a pain but I am really getting frustrated with this one. I hope we can get it figured out soon. Is there anything on the client side I should be looking at or is this pretty much a server issue?

Thanks!!

0
ChiefITCommented:
@ Robert:

I am asking for someone to join us. He is the best tech in EE for DNS. The two of us work very well together, and you will find him most helpful.



Hello Chris:

Let me fill you in:

Dual NICs and the router was acting as a DHCP/DNS server. One NIC was disabled, the router was disabled from providing DHCP and therefore DNS. SRV records are missing and bad. DHCP may be bound to both NICs, even though one is disabled. The above screen shots of DNS and DHCP tell the remaining story. Author has tried to rebuild DNS a couple times.

NSlookup doesn't see the SRV records and Restarting the Netlogon service doesn't register the SRV's. So, I am thinking we may need to go back to the other NIC. Netbios seems to be bound to the wrong NIC as well.

We need to fix DHCP and DNS records and bind them to the right NIC. Welcome and thanks for the help Chris.
0
ChiefITCommented:
One more thing Chris:

There is a related question with additional information that RobWill was working on:
http://www.experts-exchange.com/Networking/Network_Management/Network_Design_and_Methodology/Q_24193255.html
0
Robert EhingerIT specialistAuthor Commented:
Ok, here is a synopsis of the situation and its current condition.

This network is a school network running Windows Server 2003 SP2 on the server and Windows XP Pro SP3 on the clients. We have client computers in every classroom and in the computer labs, one in each building. We have a Linksys router in the server room providing wireless access in the Middle School building and two Netgear routers providing wireless access in the Primary School building. The Linksys router has an IP address of 192.168.0.250. The Comcast modem connects to the router and then the router connects to the server. The two buildings are two blocks apart connected with fiber optic cable (I am told). Comcast is the service provider. There is no one here that had any involvement in the original setup of this network and there is no paperwork to reference.

When this discussion began the problem was getting the server to access the Internet. All of the clients could access the Internet and network resources but the server could not get out preventing us from downloading updates to various software applications.

Now the clients can access the network and Internet only if I set static DNS servers. The servers I have been using are 208.67.222.222 and 208.67.220.220. These are the same servers provided by OpenDNS. If I try to use the server IP (192.168.0.3) as the DNS server or set the clients to find DNS automatically I lose access to the Internet and the network.

As it stands right now, I can not add any clients to the network (screen shots of that error are attached), I can not add any printers to clients and the server can not access the Internet.

If I enable NIC#1 and assign it the IP address 192.168.0.4 and give it the static DNS servers 208.67.222.222 and 208.67.220.220 I can get on the Internet and download updates. When I do not need Internet access I disable NIC#1 and physically disconnect the Ethernet cable.

At some point in time the clients began bogging down when logging on to the network taking several minutes to completely boot. It doesn't matter which account or how many users are logging on at the time. That was the point of the second discussion.

Last night I reinstalled DNS and have not made any changes to it since then. I am attaching many screen shots of DNS, DHCP, the router setup, dcdiag and netdiag. Hopefully this will help solve this problem.

Thanks!!
error1.bmp
error2.bmp
error3.bmp
dcdiag1.bmp
dcdiag2.bmp
netdiag1.bmp
netdiag2.bmp
netdiag3.bmp
netdiag4.bmp
netdiag5.bmp
netdiag6.bmp
hcsserverproper.bmp
htgncathlocgeneral.bmp
htgncathlocnameservers.bmp
htgncathlocsoa.bmp
msdcsgeneral.bmp
msdcsnameservers.bmp
msdcsproperties.bmp
msdcssoa.bmp
roothints.bmp
server.bmp
server2.bmp
server3.bmp
server4.bmp
server5.bmp
serveradvanced.bmp
0
ChiefITCommented:
We are not far from getting things working stellar: (forgive the long post)

Explanation:

First off, let me explain a few things in the previous configuration. The old admin was using the second nic as sort of a proxy to the internet. It appears like he/she didn't want students surfing during class hours. So, when the students were in he would disable the second nic and stop any internet access for everyone. With that said, I do have an alternative for you that allows you to disable classroom machines at the click of a mouse. I will provide this later.

We messed up that original configuration while going under the assumption that you wanted internet access all the time. We disabled the LAN nic, not the one used for internet access. That's OK, we can easily fix this using the currently enabled NIC. Let's leave that second NIC disabled.

There are still a few bugs we need to troubleshoot and repair. One is DHCP. I still think you have a rogue DHCP server aboard. I also see that forwarders are NOT defined while recursion is enabled. This will block your internet access all together. Furthermore, I see that your currently enabled nic is disabled from registering its DNS settings within DNS, that too is an easy fix. This particular problem is preventing you from registering  your SRV records in DNS.  So, let's first fix these three discrepancies, one at a time.

1) rogue DHCP server:
I have been reading over all of the info on both posts and find out that you may still have a rogue DHCP server. 192.168.0.1 is probably providing DHCP. If so, it is probably providing DNS. If so, it will not hold your SRV records to its DHCP clients. Go to the command prompt and type NBTStat -a 192.168.0.1. That should provide you with the netbios name of the device. Go to that device and disable it from providing DHCP. Since it has the address of 192.168.0.1, and that IP is the default for mass storage devices and some routers, (and routers and storage devices often come with the default setting of providing DHCP to clients), I'll bet this is a mass storage device like a buffalo server or SNAP server.

At first, I thought rogue DHCP servers were causing your clients to have problems with communicating directly with the server. Your clients are not seeing the SRV records of your authentication server (192.168.0.3). I thought that was because you had a rogue DHCP server that also by default provides DNS. The problem with a router providing DNS is they don't store the SRV records of your authentication server. Instead, you will not be able to resolve your domain controller or distinguish it from another client. These routers and mass storage devices supply DHCP for home use. It is designed for folks without a DHCP server or DNS server. This is why they come default with DHCP and DNS services enabled.

2) registering DNS settings of the server.
I see the NIC we are working with doesn't have the register this DNS server's suffix within DNS selected. The old IT tech realized that the second NIC would register itself in SRV and HOST A records of DNS. That would cause intermittent communications with the server and intermittent DNS access. However, that IT admin also has to download a patch to prevent this NIC from registering DNS regardless of that checkbox. For your NIC to register its DNS settings, you have to permit it to register within DNS.

3) Forwarders:
Forwarders or root hints are used to communicate with outside servers.

To be successful in DNS please read this article, (especially numbers 2 and 7).
http://rcpmag.com/features/article.aspx?editorialsid=413

Number 7 tells you how to set up forwarders, while number 2 tells you how to make sure you elect to register that DNS suffix correctly.


___________________________________________
Now, if you want to control Students from surfing the internet, you may want to review what is transpiring on this particular

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Proxy-Firewall_Anti-Virus/Q_24268403.html?sfQueryTermInfo=1+10+chiefit+school+teacher
0
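The rogue-DHCP diagnosis above rests on one question: which device answers a client's DHCP request, and which DNS server does that answer hand out? DHCPloc.exe answers it on a live network; the following is an added example (not from this thread or any of its participants) that shows the parsing behind such a check. It builds two constructed DHCPOFFER packets, one from the domain controller at 192.168.0.3 and one from a device at 192.168.0.1 advertising itself as DNS, and flags any offer whose server identifier (option 54) or DNS server list (option 6) is not on an allow-list. The allow-lists and the offered addresses are assumptions chosen to match the addresses discussed in the thread.

```python
"""Audit DHCPOFFER packets for an unauthorized DHCP or DNS server (added example)."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options marker
OPT_DNS_SERVERS, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
DHCPOFFER = 2

# Assumed allow-lists: on this LAN the DC should be the only DHCP and DNS server.
AUTHORIZED_DHCP_SERVERS = {"192.168.0.3"}
AUTHORIZED_DNS_SERVERS = {"192.168.0.3"}


def build_offer(server_id, offered_ip, dns_servers):
    """Build a minimal, constructed DHCPOFFER in RFC 2131 layout (for offline testing)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREPLY, htype/hlen ethernet
    hdr += bytes(4)                                               # ciaddr
    hdr += ipaddress.IPv4Address(offered_ip).packed               # yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed                # siaddr
    hdr += bytes(4)                                               # giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)                     # chaddr, sname, file
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_DNS_SERVERS, len(dns)]) + dns
            + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts


def parse_options(packet):
    """Return {option code: raw value}; raise ValueError for a non-DHCP or truncated packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                       # pad byte, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def addresses(raw):
    """Decode a run of 4-byte IPv4 addresses (the encoding used by options 6 and 54)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def audit_offer(packet):
    """Classify one OFFER: which server sent it and whether it or its DNS list is unauthorized."""
    opts = parse_options(packet)
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
        return None                         # not an OFFER; nothing to audit
    ids = addresses(opts.get(OPT_SERVER_ID, b""))
    server = ids[0] if ids else None
    dns = addresses(opts.get(OPT_DNS_SERVERS, b""))
    findings = []
    if server not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"unauthorized DHCP server {server}")
    for d in dns:
        if d not in AUTHORIZED_DNS_SERVERS:
            findings.append(f"offer points clients at DNS server {d}")
    return {"server": server, "dns": dns, "findings": findings}


# Constructed sample offers: one from the DC, one from a device at the
# 192.168.0.1 default address handing out itself as the DNS server.
SAMPLE_OFFERS = [
    build_offer("192.168.0.3", "192.168.0.50", ["192.168.0.3"]),
    build_offer("192.168.0.1", "192.168.0.120", ["192.168.0.1"]),
]

if __name__ == "__main__":
    for pkt in SAMPLE_OFFERS:
        result = audit_offer(pkt)
        print(result["server"], result["dns"], result["findings"] or "ok")
```

The second sample offer produces two findings: the server identifier is not the DC, and the DNS list points clients at 192.168.0.1, which is exactly the condition that leaves clients unable to find the domain's SRV records. On a real capture you would feed the UDP payload of each port-68 reply into audit_offer instead of the constructed packets.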
Chris DentPowerShell DeveloperCommented:

Morning guys,

Very much playing catch-up with both this and the other thread so apologies if I repeat anything (or everything).

Has anyone checked the Primary DNS Suffix for the server? The NS Record references "hcsserver." rather than "hcsserver.huntingtoncatholic.local" which is unexpected. You can see the Primary DNS Suffix if you run "ipconfig /all" on the server.

I wonder if you would mind dropping a few files in for us? That means generating a few of them first with the following commands (this will require the Windows Support Tools to be installed):

dnscmd hcsserver /ZoneExport huntingtoncatholic.local huntingtoncatholic.local.dns
dnscmd hcsserver /ZoneExport _msdcs.huntingtoncatholic.local huntingtoncatholic.local.dns

Those will save in this path on the server (even if you run the command remotely):

%SystemRoot%\System32\DNS\

The .dns files are text files (will open in Notepad). I would very much like to see those if possible (ideally as attachments). I would love to know where it thinks it's delegating to.

Then can you also attach this one from the server?

%SystemRoot%\System32\Config\netlogon.dns

Again, it's a text file. Don't change it where it is, take a copy of it and rename it to .txt. That file tells the server which entries it should be adding to the DNS zones for Active Directory.

Chris
0
Chris DentPowerShell DeveloperCommented:

There's a typo above, the second dnscmd I posted should have been:

dnscmd hcsserver /ZoneExport _msdcs.huntingtoncatholic.local _msdcs.huntingtoncatholic.local.dns

Or it'll just overwrite the first file I asked for which really won't help.

Sorry about that.

Chris
0
Robert EhingerIT specialistAuthor Commented:
To make sure I understand - these commands are entered on the command line -

dnscmd hcsserver /ZoneExport huntingtoncatholic.local huntingtoncatholic.local.dns
dnscmd hcsserver /ZoneExport _msdcs.huntingtoncatholic.local huntingtoncatholic.local.dns
0
Chris DentPowerShell DeveloperCommented:

Correct, except they should be:

dnscmd hcsserver /ZoneExport huntingtoncatholic.local huntingtoncatholic.local.dns
dnscmd hcsserver /ZoneExport _msdcs.huntingtoncatholic.local _msdcs.huntingtoncatholic.local.dns

Or the second command will overwrite the file we created with the first.

Chris
0
Robert EhingerIT specialistAuthor Commented:
Got it. I knew about the typo I just copied and pasted from the first post
0
ChiefITCommented:
@Chris:

I am not sure the NIC is set to register the DNS suffix properly. Look at the NIC configuration. I did notice the Suffix issues.

Also Chris, there was a second NIC aboard. It looked like one was used for the internet while the other was used for internal LAN. The author isn't the original admin. We may have disabled the LAN NIC and enabled the "internet" NIC. That may have messed up the DNS configuration. It stands to reason why the "internet" NIC was set to not register its DNS settings.

Thanks MUCH for your DNS expertise Chris. I can't tell you how much I appreciate the help.

John
0
Chris DentPowerShell DeveloperCommented:

Ahh yeah, I see it, missed that first time.

We could potentially wipe out DNS and have it rebuild it all, but I'd still like to see if we can see why it might be upset in the first place.

Chris
0
Robert EhingerIT specialistAuthor Commented:
As far as rebuilding DNS, FWIW, what we are now looking at is a reinstall of DNS with no real changes. I am attaching all of the files you wanted to view. I will also attach a screen shot of the current ipconfig /all and a previous screen shot of it. Thanks for the help. Hopefully we can get this resolved soon.
netlogon.txt
huntingtoncatholic.local.txt
-msdcs.huntingtoncatholic.local.txt
ipconfigall.bmp
ipconfig-all.bmp
0
Robert EhingerIT specialistAuthor Commented:
A couple of things - first for ChiefIT - in one post you mentioned "1) rogue DHCP server:
I have been reading over all of the info on both posts and find out that you may still have a rogue DHCP server. 192.168.0.1 is probably providing DHCP. " What am I missing? I don't see where you have found the rogue DHCP server? Maybe I have looked at this thing far too long and everything is running together.

Second, I am not the original admin on this and there is absolutely no documentation for this network. (Will be when I am done). In fact, software is scattered all over the place. It was a treasure hunt to find the Server 2003 and XP installation disks. Anyway, the NIC that is currently enabled is NIC #2. That is the same NIC that was being used when I first arrived on the scene. At that time both were enabled but only one was being used. I don't remember what the tcp/ip settings were on that NIC but I will look for them if that will help. In the registry the NICs are listed as 2 and 3.

Also, we really don't have a problem with the students accessing the Internet because we have filtering programs and antivirus installed. The problem now is that none of the updates are getting distributed to the clients due to the current situation.

So where do we go from here.
Thank you!
Robert
0
Robert EhingerIT specialistAuthor Commented:
One more very important item - I would really like to get this resolved soon so that I can use remote access to troubleshoot. I try to maintain this network and the PDs on a part time, pro bono basis and it would be great to finally have remote access to the network.

Thanks Guys!!
0
Chris DentPowerShell DeveloperCommented:

Sorry for the delay getting back, easter holidays...

Right...

Those zones you posted are suspiciously empty, although I do see why you're getting everything greyed out.

I'd like to take the following actions:

1. Open AD Users and Computers (hold onto this one for a few minutes)
2. Open the DNS Console
3. Expand Forward Lookup Zones
4. Delete _msdcs.huntingtoncatholic.local (in the DNS console)
5. Delete huntingtoncatholic.local
6. Stop the DNS Service (net stop dns)
7. In AD Users and Computers, select View / Advanced Features
8. Expand System
9. Expand MicrosoftDNS
10. If present, delete huntingtoncatholic.local
11. Start the DNS Service (net start dns)
12. Back in the DNS Console, right click on Forward Lookup Zones and select New Zone.
13. Select Primary and Store in Active Directory
14. Enter the name huntingtoncatholic.local
15. Enable Secure Dynamic Updates
16. Select the new zone
17. Verify you can see the zone. Verify that an NS Record exists pointing to hcserver.huntingtoncatholic.local
18. On the command line, run:

net stop netlogon && net start netlogon
ipconfig /registerdns

19. Verify an _msdcs folder has been created within the huntingtoncatholic.local zone.
20. Verify that a Host (A) record exists for hcserver
21. Select the _msdcs folder. Verify that an Alias (CNAME) record exists with a very long GUID name, pointing to hcserver

Once done, run DCDiag and NetDiag to get their opinion of the changes.

Any clients should register in this zone over time. But they are less critical than the server entries we forced to register above.

Chris
0
ChiefITCommented:
@Chris:

This is the part that was beside me. What is causing DNS not to populate with SRV records and HOST A records? I am missing the concept. We tried to get them to populate by registering DNS and restarting the netlogon service. I am just curious to see what I missed.
0
Robert EhingerIT specialistAuthor Commented:
Me too.
0
Chris DentPowerShell DeveloperCommented:

netlogon.dns contains interesting entries.

I would guess at some point that the domain was renamed, or at least a Primary DNS Suffix was added to the DC. If we take a look in netlogon.dns you'll see that each service record refers to "hcserver." rather than "hcserver.huntingtoncatholic.local.".

Can we head to that netlogon.dns file again, and replace the contents with the below?

If that has no effect, and if the NS record still creates with "hcserver." then we may want to follow the steps here to rename the DC, giving it a new fully-qualified domain name:

http://technet.microsoft.com/en-us/library/cc782761.aspx

If all else fails we can manually populate the service records, add a new DC, then see if that one behaves before potentially moving on and rebuilding the current DC.

Chris
HuntingtonCatholic.local. 600 IN A 192.168.0.3
gc._msdcs.HuntingtonCatholic.local. 600 IN A 192.168.0.3
ForestDnsZones.HuntingtonCatholic.local. 600 IN A 192.168.0.3
DomainDnsZones.HuntingtonCatholic.local. 600 IN A 192.168.0.3
TAPI3Directory.HuntingtonCatholic.local. 600 IN A 192.168.0.3
_ldap._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.pdc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.gc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 3268 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.gc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 3268 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.ffe7aca0-36e3-41db-80d3-9e66f4e3cfcb.domains._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
9223748e-b7e1-40e5-9622-2282914a4da6._msdcs.HuntingtonCatholic.local. 600 IN CNAME hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.Default-First-Site._sites.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.Default-First-Site._sites.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_gc._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 3268 hcsserver.HuntingtonCatholic.local.
_gc._tcp.Default-First-Site._sites.HuntingtonCatholic.local. 600 IN SRV 0 100 3268 hcsserver.HuntingtonCatholic.local.
_kerberos._udp.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.HuntingtonCatholic.local.
_kpasswd._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 464 hcsserver.HuntingtonCatholic.local.
_kpasswd._udp.HuntingtonCatholic.local. 600 IN SRV 0 100 464 hcsserver.HuntingtonCatholic.local.
t. 600 IN A 192.168.0.3
_ldap._tcp.t. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.t. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.ForestDnsZones.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.ForestDnsZones.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.DomainDnsZones.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.DomainDnsZones.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.TAPI3Directory.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
_ldap._tcp.Default-First-Site._sites.TAPI3Directory.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.

0
Chris DentPowerShell DeveloperCommented:

On reflection, it's extremely likely that the records will fail to register in my original steps because of the issue with the server name. It's very likely that the reason they failed to register for Chief (and Rob?) is that the server believes that it is "hcserver" not "hcserver.huntingtoncatholic.local", as such it won't find a correct zone to register records in.

The problem with the greyed out folders is part of this. The server doesn't contain a valid Host (A) record for "hcserver.", therefore it treats the NS records as a delegation rather than it being a local authority.

Chris
0
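The defects Chris describes in netlogon.dns (service records whose target is the bare name "hcserver." rather than "hcserver.huntingtoncatholic.local.", and entries for a domain "t" that should not exist) are easy to miss by eye in a file of forty-odd lines. The block below is an added example, not from this thread or its participants, that parses the flat "owner TTL IN TYPE rdata" format netlogon.dns uses and reports both kinds of defect, plus the core SRV names a domain controller must publish (the same records steps 17, 20 and 21 of the rebuild procedure above ask you to verify). The sample input is constructed: its first three lines mirror the replacement file posted above, the last three are deliberately broken to show the checks firing.

```python
"""Sanity-check a netlogon.dns file against the expected AD DNS domain (added example)."""

EXPECTED_DOMAIN = "huntingtoncatholic.local"   # the domain from the thread

# Core SRV owner names (relative to the domain) every DC must publish.
REQUIRED_SRV = [
    "_ldap._tcp",
    "_kerberos._tcp",
    "_kpasswd._tcp",
    "_gc._tcp",
    "_ldap._tcp.pdc._msdcs",
    "_ldap._tcp.dc._msdcs",
]

# Constructed sample: lines 1-3 copy the posted replacement file; lines 4-6 are
# deliberately defective (bare host target, and records for a stray domain "t").
SAMPLE_NETLOGON_DNS = """\
HuntingtonCatholic.local. 600 IN A 192.168.0.3
_ldap._tcp.HuntingtonCatholic.local. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
9223748e-b7e1-40e5-9622-2282914a4da6._msdcs.HuntingtonCatholic.local. 600 IN CNAME hcsserver.HuntingtonCatholic.local.
_kerberos._tcp.dc._msdcs.HuntingtonCatholic.local. 600 IN SRV 0 100 88 hcsserver.
t. 600 IN A 192.168.0.3
_ldap._tcp.t. 600 IN SRV 0 100 389 hcsserver.HuntingtonCatholic.local.
"""


def parse_record(line):
    """Parse one netlogon.dns line into a dict; return None if it does not parse."""
    parts = line.split()
    if len(parts) < 5 or parts[2] != "IN" or not parts[1].isdigit():
        return None
    owner, ttl, rtype, rdata = parts[0], int(parts[1]), parts[3], parts[4:]
    rec = {"owner": owner, "ttl": ttl, "type": rtype}
    if rtype == "SRV" and len(rdata) == 4:
        rec.update(priority=int(rdata[0]), weight=int(rdata[1]),
                   port=int(rdata[2]), target=rdata[3])
    elif rtype == "CNAME" and len(rdata) == 1:
        rec["target"] = rdata[0]
    elif rtype == "A" and len(rdata) == 1:
        rec["address"] = rdata[0]
    else:
        return None
    return rec


def in_domain(name, domain):
    """True if an absolute name equals the domain or sits beneath it (case-insensitive)."""
    n = name.lower().rstrip(".")
    return n == domain or n.endswith("." + domain)


def audit_netlogon_dns(text, domain=EXPECTED_DOMAIN):
    """Return (line number, problem, offending value) tuples for a netlogon.dns body."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        rec = parse_record(line)
        if rec is None:
            problems.append((lineno, "unparseable record", line))
            continue
        if not in_domain(rec["owner"], domain):
            problems.append((lineno, "owner outside domain", rec["owner"]))
        target = rec.get("target")
        if target is None:
            continue
        if not target.endswith("."):
            problems.append((lineno, "relative target (missing trailing dot)", target))
        elif len(target.rstrip(".").split(".")) == 1:
            problems.append((lineno, "bare host name target, not an FQDN", target))
        elif not in_domain(target, domain):
            problems.append((lineno, "target outside domain", target))
    return problems


def missing_core_srv(text, domain=EXPECTED_DOMAIN):
    """List the REQUIRED_SRV names that have no SRV record in the file."""
    owners = set()
    for raw in text.splitlines():
        rec = parse_record(raw.strip())
        if rec and rec["type"] == "SRV":
            owners.add(rec["owner"].lower().rstrip("."))
    return [name for name in REQUIRED_SRV if f"{name}.{domain}" not in owners]


if __name__ == "__main__":
    for lineno, problem, value in audit_netlogon_dns(SAMPLE_NETLOGON_DNS):
        print(f"line {lineno}: {problem}: {value}")
    print("missing core SRV records:", missing_core_srv(SAMPLE_NETLOGON_DNS))
```

Run against the real file (copy %SystemRoot%\System32\Config\netlogon.dns to a .txt as Chris suggests and pass its contents in), a clean output means every record belongs to the expected domain and every SRV/CNAME points at a fully qualified host under it; any "bare host name target" or "owner outside domain" line is the symptom this post describes.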
Robert EhingerIT specialistAuthor Commented:
OK, please be a bit patient here. First, do you want me to follow the steps from your post of 4/11/2009 and then replace the netlogon.dns file? Or just replace the netlogon.dns file?

Second, I will be out of town for the first three days this week so I may not get to it until Thursday. I will provide feedback as soon as I can. Please stay tuned.
0
Chris DentPowerShell DeveloperCommented:

Run through the steps above, 1 to 21, to replace the current zones. Then see if it still has greyed out folders in the forward lookup zone.

If we're clear of greyed out folders, and it created the _msdcs folder, check the name each of those point to. According to netlogon.dns they should all point to "hcsserver." initially.

If they do all point only to hcsserver, modify the netlogon.dns file as above. Then restart the NetLogon Service. Check the records in the _msdcs folder and see where they point to this time.

If we don't get that far, and just have greyed out folders I'd like to try renaming the DC. That carries a little more risk than the previous actions so ideally we want a backup first. I take it this is the only DC in the domain? And that you're not running Small Business Server?

Chris
0
Robert EhingerIT specialistAuthor Commented:
It is the only DC and we are running Windows Server 2003 Enterprise Edition.
0
Chris DentPowerShell DeveloperCommented:

Okay, that's good, SBS would have complicated things. What else does the server do?

Chris
0
ChiefITCommented:
Chris:

With that explanation, I understand how DNS wasn't populated. Rather than a fresh rebuild of the server, maybe a metadata cleanup and then rebuilding DNS could be a viable option. The metadata cleanup might clean out the metadata of the old domain name while the DNS rebuild would put them on the right track for cleaning DNS. The only question that keeps rolling through my head is what about the clients. Will they need to rejoin the domain?? Now, I am on the same page as you. Thanks for the explanation.
0
Robert EhingerIT specialistAuthor Commented:
The server hosts user accounts, manages printers, gives out DHCP, runs various networked applications and houses user data.
0
Chris DentPowerShell DeveloperCommented:

Hmm okay, so demoting it is pretty much out of the question then.

In that case, can you let us know how you get on with the above, then we might look at renaming the server which is much less destructive.

Chief: Metadata cleanup is normally taken care of by rendom /clean. However, we have no real evidence that the domain was renamed, only that it shares some of the symptoms associated with an incomplete rename so I'd be reluctant to run that without very good cause.

Chris
0
ChiefITCommented:
Chris:

Are the FSMO roles in order, or are they pointing to a domain that doesn't exist?
0
Chris DentPowerShell DeveloperCommented:

Won't be able to tell much until DNS is online. I think I'll pop together a zone file so even if the steps above get us nowhere we can encourage that component to work.

Chris
0
Chris DentPowerShell DeveloperCommented:

Here's the zone file. To use this zone you would have to do the following:

1. Delete any instances of huntingtoncatholic.local using the DNS Console.
2. Save the attached file to %SystemRoot%\System32\DNS\huntingtoncatholic.local.dns on hcsserver (removing its .txt extension).
3. Run:

dnscmd hcsserver /ZoneAdd huntingtoncatholic.local /Primary /File huntingtoncatholic.local.dns /Load
dnscmd hcsserver /ZoneResetType huntingtoncatholic.local /DsPrimary /OverWrite_Ds

That will give you a new AD Integrated zone with Dynamic Updates disabled, a good enough beginning if nothing else above works.

Chris
huntingtoncatholic.local.dns.txt
0
Robert EhingerIT specialistAuthor Commented:
I followed all of the above steps and ended up using the info from the very last post.
"That will give you a new AD Integrated zone with Dynamic Updates disabled, a good enough beginning if nothing else above works."

I still cannot add clients to the domain. I was able to add a printer to one of the clients already on the domain and the server still does not access the Internet. And we are still needing to use the static DNS addresses 208.67.222.222 and 208.67.220.220.

Here are some screen shots. Perhaps you can point me in the direction of our next step.

Thanks!!

Robert
dnsconsolerestart.bmp
dnstree.bmp
dhcp.bmp
tcpip.bmp
dns.bmp
ipsettings.bmp
wins.bmp
0
Robert EhingerIT specialistAuthor Commented:
Incidentally, I can ping the server IP and the router IP from the clients, even those that I cannot add to the domain.
0
Chris DentPowerShell DeveloperCommented:

Time zone differences are such a pain, trying to think of every test that might give us information.

From a client either joined to the domain or not, but must be using the server for DNS:

nslookup huntingtoncatholic.local
nslookup -q=srv _ldap._tcp.huntingtoncatholic.local

Both should return the hcsserver, by IP in the first, by name in the second.

When you're joining clients to the domain, are you typing "huntingtoncatholic.local", or the NetBIOS domain name?

Can you also give me the response returned when running this using the server:

nslookup www.google.com

If that fails to resolve, please remove all Forwarders configured on the server (DNS Server properties). Then select Root Hints from the server Properties. Select Copy From Server and enter the IP 198.41.0.4, that's one of the root servers and will have an accurate version of Root Hints.

Once done, right click on the DNS server and select Clear Cache, then run the query for google again.

If it still fails, open the Server Properties again, select Advanced and check that "Disable Recursion" is not ticked. If it's still failing after that we need to start checking the network layer, starting with what traffic is and isn't allowed through the Firewall.

Back on the AD side, can you run these on the server please:

dcdiag /c /v /f:dcdiag.log
netdiag /debug /L

NetDiag will be logging to netdiag.log because of the "/L" switch, it doesn't let you choose a file name. Both will log in the same folder as the commands ran from.

I would also like to see any error messages from the each of these Event Logs:

DNS Server
Directory Service
File Replication Service
System
Application

Save as CSV is probably our best bet for those.

Let's see where our FSMO roles think they are if we can. Please try running:

netdom query fsmo

If that one doesn't work, this longer method will. Start and Run can be used to open up ntdsutil (the first command); just make sure you grab the output from List Roles before closing it with Quit :)

ntdsutil
Roles
Connections
Connect To Server hcsserver
Quit
Select Operation Target
List Roles for Connected Server
Quit
Quit
Quit

And let's see if we can have some debugging from the NetLogon Service. First you need to run this command:

nltest /dbflag:0x2080ffff

Then as soon as you get the chance, reboot the server. After which we should find that %SystemRoot%\Debug\netlogon.dns has a fair bit of information in it. Once that's done, disable debugging again with:

nltest /dbflag:0x0

That's quite a lot, so let's see how much that tells us.

Chris
0
Robert EhingerIT specialistAuthor Commented:
I am attaching screen shots showing the results of
nslookup huntingtoncatholic.local
nslookup -q=srv _ldap._tcp.huntingtoncatholic.local

These were taken from a client that I have tried several times to get on the domain without success. It does access the Internet using the static DNS that I have mentioned before.

When I try joining clients to the domain, I am typing "huntingtoncatholic.local."
nslookup.bmp
nslookup2.bmp
nslookup3.bmp
0
Chris DentPowerShell DeveloperCommented:

That may well be caused by the yellow exclamation mark in the DNS console. I was hoping that the DNS event log would throw some light on the reason for that.

Chris
0
Robert EhingerIT specialistAuthor Commented:
The yellow exclamation point was from the query I ran that failed.
0
Robert EhingerIT specialistAuthor Commented:
OK, here are more results of tests run. Some of the event logs I just took screen shots because they showed the events since the 16th when I reinstalled DNS per your instructions from 4/14/09.
google.bmp
google2.bmp
dnsevents.bmp
dirservevents.bmp
filerepevents.bmp
sysevents.bmp
Applicationerrors.txt
dcdiag.log
NetDiag.log
Netlogon.log
forwarders.bmp
fsmo.bmp
0
Robert EhingerIT specialistAuthor Commented:
Did that info help any? Are we closer to a solution.
0
Chris DentPowerShell DeveloperCommented:

You have an interesting entry in NetLogon.log:

04/20 07:00:57 [DOMAIN] t: Adding new domain
04/20 07:00:57 [DOMAIN] (null): Setting our computer name to HCSSERVER hcsserver
04/20 07:00:57 [DOMAIN] (null): Setting DNS domain name to t
04/20 07:00:57 [DOMAIN] t: Setting Domain GUID to df903ad8-fe55-4dc9-9f81-867e32ff02ec

I had noticed entries for "t" in netlogon.dns which is part of what made me think a domain rename had gone bad at some point.

How do you feel about adding a new DC to this domain? It can run on a desktop machine, it's only going to be a temporary fixture.

Before doing that, we need to do a little work in DNS again. The huntingtoncatholic.local zone needs deleting again, then the one I posted above importing once more. However, this time we'll skip the step that makes it AD Integrated, that way we keep the valid NS and SOA records DCDiag is complaining about.

Chris
0
Robert EhingerIT specialistAuthor Commented:
No attempt to add anything to the domain has taken place since 4/16/09 unless someone is accessing things they shouldn't be.
All of the desktops are XP machines so what would be the process for doing this?

You lost me on the DNS work. What exactly are we going to do? I want to follow your instructions to the letter because I think I am to the point where I can't see the forest for the trees.

Thanks!

Robert
0
Chris DentPowerShell DeveloperCommented:

Sorry I can see why it's got a bit confused :)

We're running through these again:

1. Delete any instances of huntingtoncatholic.local using the DNS Console.
2. Save the attached file to %SystemRoot%\System32\DNS\huntingtoncatholic.local.dns on hcsserver (removing its .txt extension).
3. Run:

dnscmd hcsserver /ZoneAdd huntingtoncatholic.local /Primary /File huntingtoncatholic.local.dns /Load

Last time we also ran this command, we don't want to do that this time:

Don't run: dnscmd hcsserver /ZoneResetType huntingtoncatholic.local /DsPrimary /OverWrite_Ds

That leaves it with a nice shiny Standard Primary Zone.

The zone file is in this comment:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23907094.html?cid=1066#24139178

It won't drop down the comment until it's finished loading so don't be surprised if you don't see it right away (or just search for 24139178 on this page).

hehe might consider asking an Admin to strip off the .bmp attachments, they're huge. Would also be good to familiarise yourself with the .jpg option in mspaint, makes the attachments 10 times smaller :-D

Once we've got the zone back again it'd be lovely to try and get another DC running. Do you have a spare machine kicking around? And a copy of the Windows Server CD we can use?

Chris
0
Robert EhingerIT specialistAuthor Commented:
I do have the Windows CD but a spare machine may be a bit more difficult. I'll perform the steps above and see where that gets us. Meanwhile, I will see about a spare machine.
0
Chris DentPowerShell DeveloperCommented:

Otherwise we can use a virtual machine if you can run that anywhere?

Chris
0
Robert EhingerIT specialistAuthor Commented:
I will be looking at this issue again Thursday morning. I will provide feedback after that.
0
Robert EhingerIT specialistAuthor Commented:
I just performed the steps listed above and (to your surprise and joy) am attaching a couple of screen shots. I also went to a couple of the clients and did an nslookup, first with the static IPs we have been using and then with the static IP of the server. I did this on a client that is on the domain and one that I have not been able to add to the domain. I don't know if that information helps or not but I am including it as well. BTW - I used .jpg files this time

DNS.JPG
dns2.JPG
nslookupondomain.JPG
nslookupnotondomain.JPG
0
Robert EhingerIT specialistAuthor Commented:
If you think the next step is a virtual server then please send me the steps, as I've not done that before, and I will find a machine that we can use.
0
Chris DentPowerShell DeveloperCommented:

At the moment it's all still failing too much to get another server onto the domain.

Does that NSLookup Query work from the server itself?

If it does I would seriously consider replacing the network cabling for the server and potentially the network adapter (unless it has another one).

Chris
0
Chris DentPowerShell DeveloperCommented:

The time zone difference is making this really protracted, if you can get local (on-site) support for this I strongly urge you to seriously consider it. That can include MS Product Support as they will have someone quite near you :)

It's a bit harsh, but I think we're only really through an hour or so of troubleshooting if the time zone was the same or if I were on-site.

Chris
0
Robert EhingerIT specialistAuthor Commented:
There is a second NIC in the server that is currently disabled. I have used it in the past to access the Internet but, to my knowledge, it has never been used to manage the network. So, if I read your above suggestion correctly, I should replace the cabling from the server to the switches and maybe even from the router to the server? I can do that. I'll give you feedback.
0
Chris DentPowerShell DeveloperCommented:

That sounds like a good plan.

You'll need to reconfigure both Network Interfaces, removing the IP Address from the current interface and putting it on the new one. Then finish off by disabling the current interface.

From the switch to the server for the time-being. Can you browse the internet from the server? That would be a good indication that everything between the server and router is working.

Chris
0
Robert EhingerIT specialistAuthor Commented:
I can browse the Internet with the currently disabled NIC but not the one that we are now using.
0
Chris DentPowerShell DeveloperCommented:

Okay, then let's get shifted over if we can. I really hope it is a duff NIC at this stage. It won't be the end of this, but it would be a huge step in the right direction :)

Chris
0
Robert EhingerIT specialistAuthor Commented:
I'll let you know when it is done.
0
Chris DentPowerShell DeveloperCommented:

Great, thanks :)

Chris
0
Robert EhingerIT specialistAuthor Commented:
OK, I changed the cable but there seems to be no difference. I'll let you check out the screen shots to see if you see anything. Also, I thought I would give you a good physical description of our setup.

1) Comcast is our provider and we have an ethernet cable going from the cable modem to the Linksys router.
2) we then have an ethernet cable going from the router to port # 4x on a Catalyst 1900 switch.
3) An ethernet cable then runs from port 22x on the Catalyst 1900 switch to port #24 on a Baystack 450-24T switch.
4) finally an ethernet cable runs from port #21 on the Baystack 450-24T switch to NIC #1 on the server which is a HP Proliant DL380 G3.

I still get the same error when I try to add a client to the domain.

There is an iLO connector on the server.

Does this help at all?
nslookupserver.JPG
nslookuponnetwork.JPG
nslookup2.JPG
dns.JPG
dns2.JPG
dns3.JPG
dns4.JPG
dns5.JPG
0
Robert EhingerIT specialistAuthor Commented:
Is anybody still out there???

OK, here is what I tried today.

On a client that I have not been able to add to the domain -
First I set the forwarders on the server to Open DNS - 208.67.222.222 and 208.67.220.220. Then I went to the client and set the DNS server to automatic. I could not access the Internet and I could not get on the domain. I then changed the DNS server to static using the server IP address 192.168.0.3. I still could not access the Internet and I could not get on the domain. In both cases I got the same error when trying to add the client to the domain - Domain controller for the domain huntingtoncatholic.local could not be contacted.

Then I changed the forwarders to the Comcast DNS - 68.87.72.130, 68.87.77.130 and 68.87.66.196. Then I went back to the client and set the DNS server to automatic. Again, I could not access the Internet and I could not get on the domain. I then changed the DNS server to static using the server IP address 192.168.0.3. I still could not access the Internet and I could not get on the domain. And once again, in both cases I got the same error when trying to add the client to the domain - Domain controller for the domain huntingtoncatholic.local could not be contacted.

Now, with a client already on the domain - the only thing that changed was I lost access to the Internet. With either of the configurations above I was able to access the network and all of its resources.

I even tried setting the forwarders as Open DNS and using the static Open DNS servers on the client and still could not add it to the domain.

So, setting the forwarders to the Open DNS or the Comcast DNS does not affect network access on clients currently on the domain but I still can not add any additional clients. I do lose Internet access, though, unless I use Open DNS as static DNS servers on the clients.

Another thing, the router has dhcp disabled so there are no static DNS servers set.

Also, not surprisingly, if I set the DNS servers on the server to Open DNS I can access the Internet but nothing else changes.

Any suggestions??
0
Rick NicholsonIT ManagerCommented:
Hi Robert,

This is Rick - I've been following your thread over the past few months, hoping to learn something myself... I really admire your perseverance with this!

As Chris-Dent suggested back on 5/1, I really think you should start looking at local support resources.

Forgive me if you're already familiar with this info, but lots of nonprofits aren't aware of consultants/organizations that informally refer to themselves as "Nonprofit Technology Assistance Providers" or NTAPs. (I'm actually a self-employed NTAP, but, unfortunately I'm outside of Philly - not real close to you...)

The largest resource of this type that might be close to you is NPower Indiana in Indianapolis (http://www.npowerin.org). I understand that you're volunteering your time and that the school probably hasn't budgeted for outside tech support, but they may need to bite the bullet and pay a few hundred dollars for a few hours of consulting. No company - nonprofit or for-profit - should expect to run a computer network without an appropriate annual budget for support (and training, and hardware/software updates, etc...). If you call them, they also might be able to refer you to some more local consultants.

Another thing to check out would be two mailing lists for nonprofit techies at:

http://npogroups.org/lists/info/riders-tech
and
http://lists.compasspoint.org/lists/info/npo-techies

You could subscribe to these lists (they're pretty low volume, but widely read) and describe your situation - including the fact that you're a volunteer - and that you're looking for someone in your geographic area who could provide some low-cost/no-cost consulting.

Also, two websites that will show you, that as a nonprofit techie, you're part of a larger, actually pretty cool, tech community:

www.nten.org
www.techsoup.org

Hope this helps - feel free to keep in touch,
Rick (rick at dca dot net)
0
ChiefITCommented:
Robert:

This is what I am thinking. You may have something that is interfering with your router. I assume your router is 192.168.0.1. If this is true, that is the default IP for many Mass Storage devices as well as routers. So, this is what you do.

1) Download a program called ANGRYIPSCAN to scan your entire lan for IP conflicts.
2) Download DHCPloc.exe and see if you have a rogue DHCP server.
3) Make sure your router is getting an IP and using DHCP on the WAN side of the router.
4) Then, set your Forwarders IP address to your router's IP address, not an outside IP address.
5) Make sure your router is not providing DHCP to the WAN side of the router.
6) Make sure your router is NOT providing DNS to the inside of your LAN.
7) Go to your Servers DHCP snapin and configure DHCP scope options to ONLY list your DNS server as the DNS server for the LAN.
8) On your server, go to the C:\Windows\system32\drivers\etc\hosts file, and remove all entries except the loopback address of 127....
9) On the client, make sure you don't have your HOSTS file configured as well.
10) Enable port 389 for all firewalls, if any software firewalls exist. If you wish for no software firewalls within the LAN, you can opt to disable them.
11) On a DHCP client, go to the command prompt and type:
IPconfig /flushdns
IPconfig /release
IPconfig /renew


If the problem still exists:
1) go to the command prompt of the server and type IPconfig /all, please provide that to us.
2) go to the command prompt of a troubled client and type IPconfig /all and provide that
3) type arp -a and provide that information.
4) you can retry to reset the winsock by going to the command prompt and typing "netsh winsock reset".

Check out this article I wrote to help you with DNS troubleshooting:

Read this article to get familiar with how a DNS query propagates through the LAN.
http://www.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-TROUBLESHOOTING-MADE-EASY.html
0
Chris DentPowerShell DeveloperCommented:

It's got to be local to the server. Local network connections (client to server / server to server) won't traverse the router / firewall, only the switch. Switching the network interface has had no impact, rather frustrating...

Does the access problem extend beyond DNS, does running "telnet <server> 389" successfully connect?

Chris
0
Chris DentPowerShell DeveloperCommented:

Hmmm actually... If other services work I strongly recommend we get a DNS server up elsewhere as soon as we can. Do you have any machines available that might be able to run a few things?

Chris
0
ChiefITCommented:
Hey Chris:

This is what I was thinking. It sounds like a rogue DNS/DHCP server on the network. Some clients are having problems contacting the server for domain services, others are having problems with the internet. If the router is supplying DHCP and DNS, (and as you know the router doesn't hold the SRV records for DNS), then the router could be the one node on the network that is interfering with domain services.

I was also thinking we need to get to a standard where you know the configuration is right. I looked at the SRV records above and they appear fine. DNS looks good but it appears like the clients are skipping the server. That is consistent with a domain rename of the server, configured HOSTS files on the client, or incorrect preferred server list on the clients and server. I am still not certain all clients and servers are pointed to the internal DNS server for DNS. So, they may be skipping the SRV records altogether.
0
ChiefITCommented:
And YESS!!!

Let's Telnet or portquery to see if port 389 is blocked. I am still not certain that we don't have some sort of software firewall blockage. Port 389 is often blocked by software firewalls that are geared to home usage. It could also be an antivirus package that is blocking port 389. I have seen McAfee Enterprise block port 389 as well as Symantec and ZoneAlarm. It would be a good idea to know what AV, AS and firewall packages we are looking at.

Robert, where are you located? I will be in Seattle within a week. For a non-profit, I wouldn't mind offering my service to you for free.



0
Chris DentPowerShell DeveloperCommented:

> I will be in Seattle within a week.

That would be a fine thing :)

Chris
0
Robert EhingerIT specialistAuthor Commented:
Unfortunately, I am in Indiana. Our weather right now would make someone from Seattle feel right at home.

There is another thing we may want to consider. I had basically forgotten about these because I do almost all of the support in the building where the server is housed. The other building is connected via fiber optic cable and has its own stack of switches. It has two routers in different parts of the building that are used for wireless access. Is it possible that the configuration on one or both of these routers could be the problem? What should it be as far as the IP etc on them? I do not know if someone possibly reset them at some point causing them to revert back to their default IP address. They are both Netgear routers.
0
ChiefITCommented:
Your Netgear routers, by default, have an IP address of 192.168.1.1 (If I remember right). They also, by default, provide DHCP and therefore DNS. So, you may be looking at IP conflicts as well as a rogue node providing DHCP and DNS. I would focus on the routers as the culprit.

We must weed out:
IP conflicts (like something that has the same IP as your router or server)
Rogue DHCP servers (like a router or a mass storage device)
Rogue DNS servers (like a router or mass storage device)
and your clients pointing to anything other than your server for DNS.

It would help to get a network topology from you.
example:
WWW>>router1>>router2>>servers and clients
0
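As an added example (not code from any poster in this thread), a Python script that takes the "ipconfig /all" output and hosts file ChiefIT asks for above and flags the three things he says to weed out: clients pointing at a DNS server other than the domain's, a lease handed out by a rogue DHCP server, and hosts-file entries that bypass DNS. The sample ipconfig output, hosts file, addresses and the domain name school.local are constructed for the example.

```python
import ipaddress
import re

# Constructed "ipconfig /all" from a client that got its lease from a router
# (192.168.1.1) and was handed a public resolver as a second DNS server.
SAMPLE_IPCONFIG = """\
   Host Name . . . . . . . . . . . . : LAB-PC07
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.57
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       208.67.222.222
"""

# Constructed hosts file with a stale entry pinning the server name to an old
# address, so this client never asks DNS (or the SRV records) for it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        server.school.local server
"""


def parse_ipconfig(text):
    """Return {field: [values]} from the dotted 'Field . . : value' layout."""
    fields, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)[ .]*: ?(.*)$", line)
        if m:
            current = m.group(1).strip()
            fields.setdefault(current, [])
            if m.group(2).strip():
                fields[current].append(m.group(2).strip())
        elif current and line.startswith(" ") and line.strip():
            fields[current].append(line.strip())  # continuation (2nd DNS server)
    return fields


def audit_client(ipconfig_text, hosts_text, domain_dns_ips, dhcp_server_ip):
    """Flag DNS servers other than the domain's, a lease from an unexpected
    DHCP server, and non-loopback hosts entries that short-circuit DNS."""
    cfg = parse_ipconfig(ipconfig_text)
    findings = []
    for dns in cfg.get("DNS Servers", []):
        if dns not in domain_dns_ips:
            findings.append(f"DNS server {dns} is not the domain DNS server")
    for srv in cfg.get("DHCP Server", []):
        if srv != dhcp_server_ip:
            findings.append(f"lease from {srv}, expected {dhcp_server_ip} (rogue DHCP?)")
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"hosts file maps {' '.join(names)} to {ip}, bypassing DNS")
    return findings
```

Run it against each straggler's captured output with the domain controller's address as both the expected DNS and DHCP server; an empty list means that client is configured the way the thread recommends.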
Robert EhingerIT specialistAuthor Commented:
Not exactly sure what you want but here is the setup as I understand it. Remember, this network was installed nearly ten years ago and no one who was involved is around any more and there doesn't seem to be any information left behind to draw from.

Comcast is the service provider. Their cable comes into our server room in the middle school building and connects to the cable modem, which connects to the Linksys router. The router is connected to a switch and then an Ethernet cable runs from the switch to the server. The Linksys router is used for wireless access only. All client computers are cabled to ports in the wall in the lab and in the classrooms. There is an Actiontec router in the 6th grade classroom that is being used to extend the wireless network. Somewhere along the line fiber optic cable runs from the switch to the Primary School building. In the 2nd grade classroom you will find a Netgear router that is connected to one of the ports in the wall. This is to be used mainly for wireless access in this part of the Primary Building but there is one client computer connected to it. All other client computers and printers are cabled directly to ports in the wall. In the computer lab at the other end of the building there is another Netgear router cabled to the wall with no clients connected. It is used strictly for wireless access in this part of the building.
We get wireless access to the network via the Linksys and Actiontec routers in the Middle Building but from neither of the Netgear routers in the Primary Building. This is leading me to believe that someone, somewhere along the line has messed with these routers and possibly reset them. I know that last year when this network was fully functional the IP address of the router in the 2nd grade classroom was something like 10.0.0.1. I do not know what it was on the other Netgear router.

Another question - you mention that a mass storage device could also be a problem. We do have a 300GB USB external hard drive connected to the server. How could I tell if it is the problem?

Thanks!!
0
ChiefITCommented:
For mass storage, I was talking about a NAS (network accessible storage) server. NAS servers include SNAP servers, Buffalo Terastations, NetApps, and others that have their own IP address and are connected directly to the LAN through a LAN cable. They are accessed through their own website and usually have their own scaled down version of Linux/Unix on them. So, a USB drive is a local drive without its own website and its own LAN cable connection to the LAN. Consider that a LOCAL hard drive and not a NAS server. That USB drive will not be your problem.
____________________________________________________________________________
Routers can lose their settings all by themselves. I have seen this periodically with Linksys routers. If you ask me, I would definitely concentrate my efforts to access these routers and make sure a couple settings are intact.

(This will be strictly for the router that is coming right off the modem from your ISP.)
1) Make sure they are NOT supplying DHCP to the LAN
2) Make sure they are getting a DHCP address from your ISP
3) Make sure your router has a fixed IP on the LAN side of the router that is within your LAN's IP space

(Any secondary routers, (if used as a router), after that will be considered DOUBLE NATting). NAT means Network Address Translation. It means your router gets one IP from the outside, then changes that to an inside IP for your LAN to communicate with.

>>> Double NATting is often difficult to do for even some of the best Networking techs.<<<<

In your case, if you are trying to make everyone within the school on the same subnet, you may consider using ONE SINGLE enterprise router. That would be the router directly hooked up to the ISP's modem. Otherwise you may experience difficulty with multiple routers because of double NATting.

Your current configuration as I perceive it:
ISP>>Modem>>Outside NIC of the enterprise router>>Inside NIC to the enterprise router>>Server and some clients

From the inside nic of the enterprise router, you also have other routers that that are NATting to those clients as well. That breaks the LAN as one unit. So, it will look like this.

Inside nic of the enterprise router>>Outside nic of the Internal-LAN router>>inside nic of the internal-LAN router>>segregated clients and servers that are having problems communicating.

In my opinion, you might consider taking out all routers, (except the enterprise router). Then, change your enterprise router's inside IP address to something OTHER THAN 192.168.1.1 to prevent from conflicts. Or you may have to figure out how to double NAT within the LAN.

The reason for changing your router's IP to something Other than 192.168.1.1 is because that IP is used a lot as the default IP for many routers and mass storage devices.

___________________________________________________________________

THE KEY TO YOUR SUCCESS:
KNOWING your network configuration very well is key to your success in fixing this issue. Multiple routers are very difficult to configure when they can block access and segregate some clients from the domain controllers and DNS servers. Your problem child clients are most likely behind an Internal LAN router that separates those clients from domain services, like authentication and DNS.

 


0
Robert EhingerIT specialistAuthor Commented:
The reason for multiple routers is 1) multiple buildings where wireless access is needed and 2) the size and configuration of the buildings making additional routers in each building necessary. I really wish your enterprise router suggestion was feasible but I really don't see how that would give us wireless access in both buildings.
0
Robert EhingerIT specialistAuthor Commented:
OK, rather than send you all the screen shots from today I am going to send those from the two Netgear routers and from AngryIP. I will mention, though, that when I tried to put the server IP address in the forwarders I got an error message that said, "The server forwarders cannot be updated. The IP address is invalid."
netgear.JPG
netgear1.JPG
netgearstatus.JPG
netgearstatus2.JPG
netgeatattached.JPG
2netgear.JPG
2netgear2.JPG
2netgearstatus.JPG
2netgearstatus2.JPG
AngryIP.txt
AngryIP2.txt
AngryIP3.txt
0
netcomsolCommented:
I just tuned in to your issue and I believe that you need to have DNS pointed to itself in the TCP/IP settings. So in DNS 1 I would put 127.0.0.1 and just hit apply and make sure that your Forwarders in your DNS settings are working fine. Just as a test to verify that it is a DNS issue I would put in the TCP/IP DNS section 4.2.2.1 and 4.2.2.2, just those, and test and see if it works. My next step if it does not work would be to install Mozilla Firefox just to check if it might be an issue with IE.

Let me know ...
0
Robert EhingerIT specialistAuthor Commented:
I have been working diligently on this issue trying several different things. I think I am close to a solution and as soon as I resolve this problem I will post the results.
0
Robert EhingerIT specialistAuthor Commented:
We don't have this problem completely resolved because we still have some clients that can do everything but get out on the Internet but what we did find was #1 - the DNS zone was a primary zone and not an Active Directory integrated zone and #2 - ICS was running. Once we set the zone as an active directory integrated and stopped ICS service we were able to access all the resources of the network, add clients to the domain and access the Internet from the clients and the server with the exception of a couple of clients that are still giving us trouble. Any suggestions on that will be appreciated.

Thanks!
0
ChiefITCommented:
So, you have a few stragglers.

On the problem children machines, what does their IPconfig /all say? I am thinking you need to configure DHCP scope options to point your DHCP clients to their gateway and preferred DNS server.

Are these DHCP clients or DNS clients? If DHCP clients, you could renew their DHCP lease, by going to the command prompt and typing:

IPconfig /release
and
IPconfig /renew
0
ee_autoCommented:
Question PAQ'd, 500 points not refunded, and stored in the solution database.
0