  • Status: Solved
  • Priority: Medium
  • Security: Public

Server can't access Internet while inside Domain

We have a new server which cannot access the Internet when it's placed on the domain even though it has the same group policy setting as our other related servers, however it is able to access the Internet if we remove it from the domain and port it directly into the firewall and out to the router.  

We've run "netstat" on it to be sure that it's attempting to communicate via port 80, and it is... We can't seem to figure out what other setting or conflict may be causing this issue only while it's on the domain.

Also, we've had a third party company using livemeeting to get into the server to set it up for us.

Any ideas would be much appreciated... Also, if you want any further information please feel free to ask.
0
GFCU
Asked:
GFCU
1 Solution
 
andrewc2189Commented:
What error do you receive when trying to access the internet? What are its network settings? (could you go to start>run>type "ipconfig /all" and post the results?)

Just for clarification, it doesn't work when it is joined to the domain and I'm assuming running off the same switch as everyone else, but when hooked directly to the firewall when NOT joined to the domain it's ok? When it's not on the domain but on the same switch as everyone else, does it work? When it is not able to get on the internet, can it reach the rest of your domain ok?

I think we can get to the bottom of this, just need a little more information on your setup and the exact issue.
0
 
GFCUAuthor Commented:
Ok...

>>What error do you receive when trying to access the internet?<<
No error pops up, it simply acts as if it's trying to reach the site but can't (I'll post a screenshot of this below just in case). Basically what happens is that the page loading status bar just sits there and nothing happens.

>>What are its network settings?<<
We're running a static network, and due to security purposes don't want to post our IP and addressing scheme etc. online... We have DNS and WINS running from the same server, gateway address is set to the firewall, and we're running gigabit NIC card. If there's any additional info I may be able to provide without posting actual figures please ask.

When the computer is added to the domain it is attached to the same switch as everyone else (correct)

So far, in order to access the Internet, we bypass the switch and go directly to the firewall, as well as removing it from the Domain.

We have tried removing it from the Domain and staying connected through the switch, but we cannot access the Internet that way either.

When it cannot access the Internet, it is still able to access the Domain and Intranet.

Internet-not-working.JPG
0
 
GFCUAuthor Commented:
Sorry caption on picture was wrong... the screenshot was an attempt to reach www.gmail.com, not that it matters really, but you get the picture... :-)
0
 
andrewc2189Commented:
So is the new server a DC or just a file server? When you say you have "DNS and WINS running from the same server" does that mean the new server is a DNS/WINS server or does it point to an existing one?

When you have it out of the domain and plugged directly into the firewall, do you keep all the same statically set network configurations?
0
 
WolfhereCommented:
New server added to the DNS zone? Same gateway as DC?
0
 
GFCUAuthor Commented:
New server is not a Domain Controller... it's pointing to an existing DC.  

When it's plugged directly into the Firewall I believe it's changed from Static to Obtain Automatically.  (I'm not sure 100% on that and will have to wait until our network admin gets back from lunch).  I will have him check this post after he returns, because he knows the specifics of some of the tests or changes done between the two states (being inside the domain and being outside the domain).
0
 
GFCUAuthor Commented:
I apologize... I was mistaken earlier... when trying to access the Internet we do get an error that pops up, however it's generic... it just takes a while before it does so... I posted it here....
Error-Box.JPG
0
 
andrewc2189Commented:
Ok, please let us know. The reason I asked that was because it seems as if it is not communicating with the external DNS server. Usually people have their system set up for clients to point to the internal DNS server (which you said you do) and then if the request is for an outside source it is set up to forward it to the external DNS server (this is set up on the internal DNS server).

The one possibility is that for some reason your new server is able to resolve internal DNS but any request outside of that is not being forwarded. To test this I would say go to the new server when it is on the domain.

First clear the dns. start>run>cmd> ipconfig /flushdns & ipconfig /registerdns
 
Secondly, attempt to lookup a computer that is within your network  start>run>cmd> "nslookup nameofaserver"

This should resolve an IP since you said everything works internally.

Finally, try to do the same with an outside source "nslookup www.google.com"

If this does not resolve to an IP, we may have greatly narrowed down the issue.

 
0
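The layered test suggested above, as an added example that is not part of the original thread: it goes one step further than the nslookup checks by also reporting the default gateway in use and testing a TCP connection to port 80, so a name-resolution failure can be told apart from traffic being dropped after the host. It assumes Windows 8 / Server 2012 or later for these cmdlets; `nameofaserver` is the placeholder from the post and must be replaced with a real internal host name.

```powershell
# Added example: check DNS, default route and TCP reachability in that order.
$InternalName = 'nameofaserver'    # placeholder: an internal host name
$ExternalName = 'www.google.com'   # external name used in the thread
$Port         = 80

function Test-Name {
    param([string]$Name)
    try {
        # -DnsOnly bypasses hosts file / NetBIOS so only the DNS server answers
        $a = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.IPAddress }
        [pscustomobject]@{ Name = $Name; Resolved = [bool]$a; Addresses = @($a.IPAddress) }
    } catch {
        [pscustomobject]@{ Name = $Name; Resolved = $false; Addresses = @() }
    }
}

Clear-DnsClientCache               # equivalent of ipconfig /flushdns

$int = Test-Name $InternalName
$ext = Test-Name $ExternalName

# Default route the host will actually use (lowest metric wins)
$gw = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
      Sort-Object RouteMetric | Select-Object -First 1

$tcp = $null
if ($ext.Resolved) {
    $tcp = Test-NetConnection -ComputerName $ext.Addresses[0] -Port $Port `
           -WarningAction SilentlyContinue
}

$verdict =
    if (-not $int.Resolved)         { 'Internal DNS lookup fails: check the DNS server setting' }
    elseif (-not $ext.Resolved)     { 'External names not resolved: check DNS forwarding' }
    elseif (-not $tcp.TcpTestSucceeded) {
        'DNS is fine but TCP is blocked: check gateway, firewall policy and NAT for this source IP'
    }
    else                            { 'DNS and TCP both work' }

[pscustomobject]@{
    InternalDns    = $int.Resolved
    ExternalDns    = $ext.Resolved
    DefaultGateway = $gw.NextHop
    SourceAddress  = if ($tcp) { $tcp.SourceAddress.IPAddress } else { $null }
    TcpReachable   = if ($tcp) { $tcp.TcpTestSucceeded } else { $false }
    Verdict        = $verdict
}
```

The `SourceAddress` and `DefaultGateway` values are the ones to compare against the firewall log when DNS succeeds but the connection does not.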
 
GFCUAuthor Commented:
Ok... Network Admin is back...

Apparently we do not change the server to Obtain Automatically when connected to the Firewall directly.

We tried your recommendation and it did not work... I will post a screen shot of the results below.
part-1.JPG
part-2.JPG
0
 
GFCUAuthor Commented:
When we switch between being in the domain and outside the domain we change the server's IP to match the scheme for it to run on a DMZ port on the firewall so that it gets the internet.... I'm not sure if that helps your diagnosis or not... but I wanted to clarify...

This is the main reason for concern because we don't want our server sitting on the DMZ open to the world...
0
 
andrewc2189Commented:
You're positive that it has the correct DNS IP? You probably do, just thought I would ask. I don't like that it can't resolve the DNS server name. I believe on a healthy setup it would. Also, when you resolved the Internal Server Name, the Address: it kicks back shouldn't be the one of the DNS server but of the Internal Server Name.

I'm really just thinking out loud right now, I don't have a straight answer for you.

Does the proper name of the DNS server list itself when you run nslookup from another machine? (don't run it on the server itself)
0
 
GFCUAuthor Commented:
When I run nslookup from my local machine (which has internet access and is on the domain) I get the same message "***Can't find server name for address " " : Non-existent Domain "
                               "***Default Servers are not available"
                               "Server: Unknown"

0
 
GFCUAuthor Commented:
Ohh.. by the way... you're right... I typed in the text wrong... It is returning the IP address of the Internal server that it contacts... I accidentally typed DNS again in that Address: spot... so that portion is working properly...


So what we have is:
1. a problem with DNS communication because it can't read the DNS server name "Non-existent Domain" - (Server) "Name: Unknown"

2. Able to read the Internal Server Name and IP correctly and communicate with them...

3. The External website Name, IPs, and Aliases are read (Non-Authoritative Answer) and returned properly, but there is no communication.
0
 
GFCUAuthor Commented:
Although it does seem that something is wrong with DNS communication because of not returning the Server name, it does the same thing on our client machines and the internet and intranet communications both work fine... so I am tempted to think that #1 is not as big of a deal as the combination of #2 and #3...
0
 
andrewc2189Commented:
I put in a request for more attention to your question. There has to be something, probably simple, that I'm just not seeing.
0
 
GFCUAuthor Commented:
Agreed... it just doesn't make sense why this is happening, so most likely it's something tiny or simple that we're overlooking.  Thanks for your help thus far.
0
 
GFCUAuthor Commented:
New Update... We ran a tracert on the internet webpage request to google.com and it stopped at the firewall, so we've been looking at the firewall log as we attempt to access the Internet from the server and all requests are being denied.  For some reason (even though we have switched the settings and connection for the server back within the domain), the Gateway IP used to try and communicate to the internet is still pointing to a DMZ address even though we've changed it to our Domain Gateway IP physically...  It's also attempting to connect on some strange ports other than 80 in order to get to the site... Hopefully this helps with some diagnosis.
0
 
rhandelsCommented:
Hey,

It might be a long shot, but did you make sure that the Enhanced Internet Security is uninstalled on the server?? This can be done using the Add/Remove Windows Component.. I would normally suggest seeing a popup to appear but it might be that this is disabled in some way or just simply corrupt.

Also, is the server you are trying to access the internet with multihomed?? If so, check to see if the correct IP address is connecting to the external firewall.. And what settings did you set up for your Internet Explorer?? Are you using proxy for the internet connection? If not, make sure to tick off all boxes in the LAN settings on the Internet Explorer.. Also the "Automatically detect settings".
0
 
GFCUAuthor Commented:
EIS is uninstalled already.

Not using Multihome.

Not using a proxy.

Previously tried checking "Automatically detect settings" and no luck.

0
 
rhandelsCommented:
What happens if you try to telnet to port 80 on google??? What do you see on your firewall?? Are you able to access internal websites (if you have any).
0
 
GFCUAuthor Commented:
This makes no sense, but it seems that there is something wrong with the IP address that we were using, because we changed the IP address of the server and it now accesses the Internet just fine.  We also tried pinging the "old" IP now that it's setup on a new one (simply to be sure that something else is not using that same IP), and there was no response.

Any ideas as to why a certain IP may be restricted? We know the Firewall is not causing the issue, because we had added policies to specifically allow all access both in and out for that IP on the firewall... We cannot comprehend what may be causing this...
0
 
rhandelsCommented:
It might be you have a routing problem, but then you should be able to see that when using tracert. Or, but that's rather a long shot, you have some issues with ARP that the switch is unable to access the default gateway, but then pinging would also be a non option..

0
 
GFCUAuthor Commented:
Well, pinging wasn't working either when we had the server set to that old IP... (well I need to rephrase that... It could ping inside the domain, but not things outside.)
0
 
GFCUAuthor Commented:
We've found the issue.  The IP that we are giving it within our domain is set up to NAT to a VPN Tunnel on our FW.  I am creating a new question.

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_24583970.html


0
