Solved

Server can't access Internet while inside Domain

Posted on 2009-07-15
Last Modified: 2012-06-27
We have a new server which cannot access the Internet when it's placed on the domain even though it has the same group policy setting as our other related servers, however it is able to access the Internet if we remove it from the domain and port it directly into the firewall and out to the router.  

We've run "netstat" on it to be sure that it's attempting to communicate via port 80, and it is... We can't seem to figure out what other setting or conflict may be causing this issue only while it's on the domain.

Also, we've had a third party company using livemeeting to get into the server to set it up for us.

Any ideas would be much appreciated... Also, if you want any further information please feel free to ask.
Question by:GFCU
26 Comments
 
LVL 4

Expert Comment

by:andrewc2189
ID: 24860438
What error do you receive when trying to access the internet? What are its network settings? (could you go to start>run>type "ipconfig /all" and post the results?)

Just for clarification, it doesn't work when it is joined to the domain and I'm assuming running off the same switch as everyone else, but when hooked directly to the firewall when NOT joined to the domain it's ok? When it's not on the domain but on the same switch as everyone else, does it work? When it is not able to get on the internet, can it reach the rest of your domain ok?

I think we can get to the bottom of this, just need a little more information on your setup and the exact issue.
0
 
LVL 1

Author Comment

by:GFCU
ID: 24861280
Ok...

>>What error do you receive when trying to access the internet?<<
No error pops up, it simply acts as if it's trying to reach the site but can't (I'll post a screenshot of this below just in case). Basically what happens is that the page loading status bar just sits there and nothing happens.

>>What are its network settings?<<
We're running a static network, and due to security purposes don't want to post our IP and addressing scheme etc. online... We have DNS and WINS running from the same server, gateway address is set to the firewall, and we're running gigabit NIC card. If there's any additional info I may be able to provide without posting actual figures please ask.

When the computer is added to the domain it is attached to the same switch as everyone else (correct)

So far, in order to access the Internet, we bypass the switch and go directly to the firewall, as well as removing it from the Domain.

We have tried removing it from the Domain and staying connected through the switch, but we cannot access the Internet that way either.

When it cannot access the Internet, it is still able to access the Domain and Intranet.

Internet-not-working.JPG
0
 
LVL 1

Author Comment

by:GFCU
ID: 24861301
Sorry caption on picture was wrong... the screenshot was an attempt to reach www.gmail.com, not that it matters really, but you get the picture... :-)
0
 
LVL 4

Expert Comment

by:andrewc2189
ID: 24861617
So is the new server a DC or just a file server? When you say you have "DNS and WINS running from the same server" does that mean the new server is a DNS/WINS server or does it point to an existing one?

When you have it out of the domain and plugged directly into the firewall, do you keep all the same statically set network configurations?
0
 
LVL 10

Expert Comment

by:Wolfhere
ID: 24861656
New server added to the DNS zone? Same gateway as DC?
0
 
LVL 1

Author Comment

by:GFCU
ID: 24862041
New server is not a Domain Controller... it's pointing to an existing DC.  

When it's plugged directly into the Firewall I believe it's changed from Static to Obtain Automatically.  (I'm not sure 100% on that and will have to wait until our network admin gets back from lunch).  I will have him check this post after he returns, because he knows the specifics of some of the tests or changes done between the two states (being inside the domain and being outside the domain).
0
 
LVL 1

Author Comment

by:GFCU
ID: 24862098
I apologize... I was mistaken earlier... when trying to access the Internet we do get an error that pops up, however it's generic... it just takes a while before it does so... I posted it here....
Error-Box.JPG
0
 
LVL 4

Expert Comment

by:andrewc2189
ID: 24862143
Ok, please let us know. The reason I asked that was because it seems as if it is not communicating with the external DNS server. Usually people have their system set up for clients to point to the internal DNS server (which you said you do) and then if the request is for an outside source it is set up to forward it to the external DNS server (this is set up on the internal DNS server).

The one possibility is that for some reason your new server is able to resolve internal DNS but any request outside of that is not being forwarded. To test this I would say go to the new server when it is on the domain.

First clear the dns. start>run>cmd> ipconfig /flushdns & ipconfig /registerdns
 
Secondly, attempt to look up a computer that is within your network  start>run>cmd> "nslookup nameofaserver"

This should resolve an IP since you said everything works internally.

Finally, try to do the same with an outside source "nslookup www.google.com"

If this does not resolve to an IP, we may have greatly narrowed down the issue.

 
0
 
LVL 1

Author Comment

by:GFCU
ID: 24862829
Ok... Network Admin is back...

Apparently we do not change the server to Obtain Automatically when connected to the Firewall directly.

We tried your recommendation and it did not work... I will post a screen shot of the results below.
part-1.JPG
part-2.JPG
0
 
LVL 1

Author Comment

by:GFCU
ID: 24862898
When we switch between being in the domain and outside the domain we change the server's IP to match the scheme for it to run on a DMZ port on the firewall so that it gets the internet.... I'm not sure if that helps your diagnosis or not... but I wanted to clarify...

This is the main reason for concern because we don't want our server sitting on the DMZ open to the world...
0
 
LVL 4

Expert Comment

by:andrewc2189
ID: 24863486
You're positive that it has the correct DNS IP? You probably do, just thought I would ask. I don't like that it can't resolve the DNS server name. I believe on a healthy setup it would. Also, when you resolved the Internal Server Name, the Address: it kicks back shouldn't be the one of the DNS server but of the Internal Server Name.

I'm really just thinking out loud right now, I don't have a straight answer for you.

Does the proper name of the DNS server list itself when you run nslookup from another machine? (don't run it on the server itself)
0
 
LVL 1

Author Comment

by:GFCU
ID: 24868626
When I run nslookup from my local machine (which has internet access and is on the domain) I get the same message "***Can't find server name for address " " : Non-existent Domain "
                               "***Default Servers are not available"
                               "Server: Unknown"

0

 
LVL 1

Author Comment

by:GFCU
ID: 24869122
Ohh.. by the way... you're right... I typed in the text wrong... It is returning the IP address of the Internal server that it contacts... I accidentally typed DNS again in that Address: spot... so that portion is working properly...


So what we have is:
1. a problem with DNS communication because it can't read the DNS server name "Non-existent Domain" - (Server) "Name: Unknown"

2. Able to read the Internal Server Name and IP correctly and communicate with them...

3. The External website Name, IPs, and Aliases are read (Non-Authoritative Answer) and returned properly, but there is no communication.
0
 
LVL 1

Author Comment

by:GFCU
ID: 24869226
Although it does seem that something is wrong with DNS communication because of not returning the Server name, it does the same thing on our client machines and the internet and intranet communications both work fine... so I am tempted to think that #1 is not as big of a deal as the combination of #2 and #3...
0
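Added example (not part of the thread): a small Python triage of Windows `nslookup` output that separates the resolver banner, which is only a reverse lookup of the DNS server's own address, from the forward answer that browsing actually depends on. The sample output and its addresses are constructed; the function names are hypothetical.

```python
import re

# Constructed sample in the shape the thread describes; addresses are
# documentation ranges, not the poster's network.
SAMPLE = """\
*** Can't find server name for address 192.0.2.53: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  198.51.100.10, 198.51.100.11
Aliases:  www.google.com
"""

def triage_nslookup(output):
    """Split output at the first blank line: banner above, answer below."""
    banner, _, answer = output.partition("\n\n")
    result = {
        # Banner error means no PTR record was found for the resolver's IP.
        "resolver_ptr_missing": "Can't find server name" in banner,
        "resolver_ip": None,
        "answer_ips": [],
        "non_authoritative": "Non-authoritative answer" in answer,
    }
    m = re.search(r"^Address:\s+(\S+)", banner, re.M)
    if m:
        result["resolver_ip"] = m.group(1)
    # Assumes comma-separated addresses on one line, as in the sample.
    m = re.search(r"^Address(?:es)?:\s+(.+)$", answer, re.M)
    if m:
        result["answer_ips"] = [ip.strip() for ip in m.group(1).split(",")]
    return result

def verdict(r):
    """Say whether DNS is the place to keep looking."""
    if not r["answer_ips"]:
        return "forward lookup failed: check resolver reachability and forwarders"
    if r["resolver_ptr_missing"]:
        return "forward lookup OK: banner error is a missing PTR, look past DNS"
    return "forward lookup OK: look past DNS"

if __name__ == "__main__":
    print(verdict(triage_nslookup(SAMPLE)))
```
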
 
LVL 4

Expert Comment

by:andrewc2189
ID: 24869289
I put in a request for more attention to your question. There has to be something, probably simple, that I'm just not seeing.
0
 
LVL 1

Author Comment

by:GFCU
ID: 24869333
Agreed... it just doesn't make sense why this is happening, so most likely it's something tiny or simple that we're overlooking.  Thanks for your help thus far.
0
 
LVL 1

Author Comment

by:GFCU
ID: 24870134
New Update... We ran a tracert on the internet webpage request to google.com and it stopped at the firewall, so we've been looking at the firewall log as we attempt to access the Internet from the server and all requests are being denied.  For some reason (even though we have switched the settings and connection for the server back within the domain), the Gateway IP used to try and communicate to the internet is still pointing to a DMZ address even though we've changed it to our Domain Gateway IP physically...  It's also attempting to connect on some strange ports other than 80 in order to get to the site... Hopefully this helps with some diagnosis.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24876493
Hey,

It might be a long shot, but did you make sure that the Enhanced Internet Security is uninstalled on the server?? This can be done using the Add/Remove Windows Component.. I would normally suggest seeing a popup to appear but it might be that this is disabled in some way or just simply corrupt.

Also, is the server you are trying to access the internet with multihomed?? If so, check to see if the correct IP address is connecting to the external firewall.. And what settings did you set up for your Internet Explorer?? Are you using proxy for the internet connection? If not, make sure to tick off all boxes in the LAN settings on the Internet Explorer.. Also the "Automatically detect settings".
0
 
LVL 1

Author Comment

by:GFCU
ID: 24878356
EIS is uninstalled already.

Not using Multihome.

Not using a proxy.

Previously tried checking "Automatically detect settings" and no luck.

0
 
LVL 23

Expert Comment

by:rhandels
ID: 24878610
What happens if you try to telnet to port 80 on google??? What do you see on your firewall?? Are you able to access internal websites (if you have any).
0
 
LVL 1

Author Comment

by:GFCU
ID: 24879565
This makes no sense, but it seems that there is something wrong with the IP address that we were using, because we changed the IP address of the server and it now accesses the Internet just fine.  We also tried pinging the "old" IP now that it's set up on a new one (simply to be sure that something else is not using that same IP), and there was no response.

Any ideas as to why a certain IP may be restricted? We know the Firewall is not causing the issue, because we had added policies to specifically allow all access both in and out for that IP on the firewall... We cannot comprehend what may be causing this...
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24893454
It might be you have a routing problem, but then you should be able to see that when using tracert. Or, but that's rather a long shot, you have some issues with ARP that the switch is unable to access the default gateway, but then pinging would also be a non option..

0
 
LVL 1

Author Comment

by:GFCU
ID: 24894698
Well, pinging wasn't working either when we had the server set to that old IP... (well I need to rephrase that... It could ping inside the domain, but not things outside.)
0
 
LVL 1

Accepted Solution

by:
GFCU earned 0 total points
ID: 24894843
We've found the issue.  The IP that we are giving it within our domain is set up to NAT to a VPN Tunnel on our FW.  I am creating a new question.

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_24583970.html


0
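Added example (not part of the thread): a Python check that compares the firewall rules in effect for one address against a working neighbour on the same subnet, which is the comparison that exposes a leftover host-specific NAT entry like the one found here. The rule export format, rule ids and addresses are constructed, and the code assumes NAT and policy tables are each evaluated top-down with the first match winning; check how your firewall orders them.

```python
import ipaddress

# Constructed rule export (hypothetical fields), listed in evaluation order.
RULES = [
    {"id": 10, "kind": "nat",    "src": "10.0.5.20/32", "action": "nat-to-vpn-tunnel"},
    {"id": 20, "kind": "policy", "src": "10.0.5.20/32", "action": "allow-any"},
    {"id": 30, "kind": "policy", "src": "10.0.5.0/24",  "action": "allow-web"},
    {"id": 40, "kind": "nat",    "src": "10.0.5.0/24",  "action": "nat-to-wan"},
]

def effective(ip, rules):
    """Id of the first matching rule per table (assumed first-match)."""
    addr = ipaddress.ip_address(ip)
    chosen = {}
    for rule in rules:
        if addr in ipaddress.ip_network(rule["src"]):
            chosen.setdefault(rule["kind"], rule["id"])
    return chosen

def diff_against(ip, reference_ip, rules):
    """Tables where `ip` is handled by a different rule than a known-good host."""
    mine, ref = effective(ip, rules), effective(reference_ip, rules)
    return {kind: (mine.get(kind), ref.get(kind))
            for kind in sorted(set(mine) | set(ref))
            if mine.get(kind) != ref.get(kind)}

def host_pinned(ip, rules):
    """Rules whose source is exactly this one address: review before reusing it."""
    addr = ipaddress.ip_address(ip)
    return [r["id"] for r in rules
            if ipaddress.ip_network(r["src"]).num_addresses == 1
            and addr in ipaddress.ip_network(r["src"])]

if __name__ == "__main__":
    # 10.0.5.20 stands in for the server's old address, .21 for a working client.
    print(diff_against("10.0.5.20", "10.0.5.21", RULES))
    print(host_pinned("10.0.5.20", RULES))
```

In this constructed table the allow-any policy (rule 20) matches the address, yet the NAT entry above it (rule 10) still sends its traffic into the tunnel, so adding a permissive policy does not change where the packets go.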
