Solved

SBS 2008 DNS won't forward

Posted on 2011-03-06
895 Views
Last Modified: 2012-06-27
OK, I'm getting really desperate now - my client starts work in 4 or 5 hours, I'm 500 miles away from his shiny new SBS 2008 Server and the DNS has died!

Everything was fine - the new SBS 2008 server has been running on a separate sub-net from the old SBS 2003 that it is replacing for a couple of weeks to prove stability.
Email has been flowing through Exchange on the new box for a week (the 10 or so clients have been temporarily running OWA to deal with their mail). This weekend saw the big switch-over.
Initially I moved one of the client workstations onto the SBS 2008 subnet (192.168.12.xx) to prove that the new PDC would accept clients OK and all was well - Exchange hooked up, internet access was fine, the user's profile came across nicely using Forensit's Profile Wizard.

Before moving any more clients over, I decided to verify that the Company NAS device (a 4TB Buffalo Terastation) was going to play nicely as I've had problems with them before and sure enough it wouldn't let me reconfigure its LAN settings at all. Every user has their data files on this box and they all need access to it to do their jobs.
So I decided that rather than move all 10 PCs and the Terastation from their 192.168.8.xx subnet over to the new 192.168.12.xx range, I would simply drop the SBS 2008 box onto 192.168.8.2, reconfigure the Netgear Firewall for a LAN address of 192.168.8.1 and away we should go. (Previously the Netgear had run a multi-homed "LAN" address in the company's public IP range, as the SBS 2003 box was in the old 2 NIC configuration: Public IP-->SBS 2003-->192.168.8.100.)

With me so far?

I ran the SBS 2008 Connect to the Internet wizard, reconfigured the Firewall to route my services from the public IP space to the SBS 2008 Box (email, RWW, OWA, Remote Admin etc), re-booted everything, sat back and hoped for the best.

That was about 8 hours ago!

Everything came back on-line nicely but the SBS 2008 box flatly refuses to talk to the internet - no email, no remote admin, no RDP, no IIS, no nothing.

I can still get at the box with Radmin via the old server (with its DHCP & DNS disabled) and the only fault I can see (besides the total lack of traffic to or from the internet) is that the DNS forwarders which point to the ISP's DNS Servers will not Validate - they just time out. Root hints are set up too but the box won't resolve ANY external DNS queries.

I am no DNS expert (it normally just works for me) so I am asking for someone's help in diagnosing this before 07:30 today! ( it's now 03:15)

Help - please.

Pete
Question by:ogpete

13 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35052413
DNS forwarders would rely on the connection to the Internet. You mention no other services are working either, incoming or outgoing. I would suspect more of a router or IP addressing issue. Can you ping an internet IP from the server to something like 4.2.2.2 to confirm connectivity?

Make sure you don't have a duplicate IP. No chance the IP you assigned the server is still in use.
With ipconfig verify the gateway address is correct
Flush the DNS cache with   ipconfig /flushdns

You may also have to re-run the "set up your Internet address" wizard to re-configure Exchange and more, and don't forget the "Fix my network" wizard it sometimes performs miracles.
 
 

Author Comment

by:ogpete
ID: 35052733
Thanks for the prompt response Rob,

I thought Router issues too at first, but the old SBS 2003 box still resolves addresses fine and I'm using Remote Admin through the same router so I know it's connecting OK.

No I cannot ping anything beyond the Netgear Firewall from the new server - the only way I can talk to it is via the old SBS 2003 Box.

Duplicate IPs are a possibility I suppose, although the router's log shows all the machines that I know of, accounted for and all with DHCP assigned addresses from the new server (all bar one that does have an IP conflict or other TCP problem at 192.168.8.13) but I don't see this causing a problem for SBS on 192.168.8.2 - do you?

IPconfig /all shows the SBS box has 192.168.8.1 as its Gateway and it can ping the router on that address (and vice-versa).

I'll try Flushing the DNS cache again - I've done it already a few times
I've re-run the CIW and the Internet Name Wizard to no avail
I'll try the Fix my Network wizard if I can find it.

Finally I'll run the BPA tool. If I can get it onto the machine...

I'll report back soon...

Thanks again.

Pete
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35052893
>>" I cannot ping anything beyond the Netgear Firewall "
Then at least the primary issue is not DNS.

>>"all bar one that does have an IP conflict or other TCP problem "
No I don't see this as the likely problem, but IP conflicts cause all sorts of problems including locked switch ports.

Just to confirm. You can ping the Netgear, but not a public IP beyond it?
Can you reboot the Netgear?
Also, what model Netgear is it? Many routers have licensing limitations. For example they will allow 10 Internet connections, the 11th is blocked. I don't know of any Netgears like that but Cisco, Sonicwall, Watchguard, and many others have this limitation. Rebooting the router resets the count.
 

Author Comment

by:ogpete
ID: 35052998
Hi Rob,

>>>>" I cannot ping anything beyond the Netgear Firewall "
>>Then at least the primary issue is not DNS.

True, I cannot even ping machines by IP address...

>>>>"all bar one that does have an IP conflict or other TCP problem "
>>No I don't see this as the likely problem, but IP conflicts cause all sorts of problems including locked switch ports.

I'll have to wait for an employee to arrive in the morning and kill the ...13 machine to find out.

Yes, I can ping the Netgear FVS338 but nothing beyond - not even by IP address.
The Netgear can ping and resolve addresses on the LAN and Internet with no problem.

I've rebooted the Netgear already - no change.

It's an FVS338 - it's been running on this LAN for 6 months with no issues.

No licensing limitations that I know of.

Any more ideas?

Cheers,

Pete
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35053154
Could you post the results of ipconfig /all for us please (from the SBS 2008)?
For comparison it would be good to have the old SBS as well.

I assume you can ping the old SBS from the new? But no other machines?
You haven't disabled IPv6 on the SBS 2008 have you?
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35053275
Is the old SBS still a 2 NIC configuration?
If so how do you have this physically wired?

Old configuration would have been:

LAN clients (192.168.8.x) => switch => SBS LAN (192.168.8.x) == SBS WAN (not 192.168.8.x) => Netgear
Where in that lineup have you placed the new SBS? If on the LAN side of the old SBS it will not access the Internet; if on the WAN side it can't ping any LAN PCs or the old SBS.

Experts-Exchange is updating their database and blocking access frequently. I may not be able to respond again tonight.
 

Author Comment

by:ogpete
ID: 35053279
Here's the IPconfig output:

SBS 2008 Box

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SABRE-X366
   Primary Dns Suffix  . . . . . . . : sabre-2010.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : sabre-2010.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-14-5E-1C-2E-44
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1f1f:f376:5a6e:1570%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::9097:b3e:547a:f1a9%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.8.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.8.1
   DHCPv6 IAID . . . . . . . . . . . : 251663454
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-1D-7D-C6-00-14-5E-1C-2E-44

   DNS Servers . . . . . . . . . . . : fe80::1f1f:f376:5a6e:1570%10
                                       192.168.8.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{A31F0319-5611-4E87-8E7C-E0A0A5EE5
246}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


SBS 2003 Box

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : sabre-ibm-x-232
   Primary Dns Suffix  . . . . . . . : sabre-tooling.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : sabre-tooling.local

Ethernet adapter Wide Area Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : 3Com EtherLink Server 10/100 PCI (3C980C-
TXM) #2
   Physical Address. . . . . . . . . : 00-04-75-86-C4-FB
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 92.54.150.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 92.54.150.1
   DNS Servers . . . . . . . . . . . : 192.168.8.100
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Netfinity 10/100 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-02-55-47-34-EA
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.8.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.8.100
   Primary WINS Server . . . . . . . : 192.168.81.2

Also, during EE's quick outage, I changed the SBS box's IP address to 192.168.8.255 and the router to 192.168.8.250 just for laughs - re-ran CIW and no difference.

If it's relevant, nslookup returns this:

C:\Users\PeterD>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  fe80::1f1f:f376:5a6e:1570

Pete
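Rob's checklist earlier in the thread (confirm the gateway, confirm the DNS servers, look for anything odd in ipconfig /all) and the ipconfig output pasted above can be checked mechanically. The following is an added example written for this thread, not code from the thread, from Microsoft or from Netgear. It parses the text of ipconfig /all (it does not run ipconfig itself) and reports the things a DNS troubleshooter looks at first: whether the default gateway lies inside the adapter's own subnet, whether the first DNS server is a link-local IPv6 address (which is what the nslookup output later in this post shows as "Default Server: UnKnown"), and whether the box uses itself for DNS, which is normal for a domain controller but means a broken forwarder stops every client resolving. The sample text is the SBS 2008 output from this post, trimmed to the fields the parser reads; the field names and regular expressions are my own.

```python
"""Parse `ipconfig /all` text and flag the settings that matter for DNS forwarding.

Added example for this thread; not part of the original posts. The sample is the
SBS 2008 output pasted in the thread (trimmed). The parser only reads text.
"""
import ipaddress
import re

SAMPLE_SBS2008 = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SABRE-X366
   Primary Dns Suffix  . . . . . . . : sabre-2010.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   DHCP Enabled. . . . . . . . . . . : No
   Link-local IPv6 Address . . . . . : fe80::1f1f:f376:5a6e:1570%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.8.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.8.1
   DNS Servers . . . . . . . . . . . : fe80::1f1f:f376:5a6e:1570%10
                                       192.168.8.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
"""

# "Ethernet adapter Local Area Connection:" -> adapter name
ADAPTER_RE = re.compile(r"^\S.*adapter (?P<name>.+):$")
# A value continued on the next line (second DNS server etc.) is deeply indented
CONT_RE = re.compile(r"^\s{20,}(?P<val>\S.*)$")
# "   Key . . . . : value" (dots are padding; value may be empty)
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z0-9][A-Za-z0-9 \-]*?)[ .]*: ?(?P<val>.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}}; the global header lines go under
    "Windows IP Configuration"."""
    adapters = {}
    current = adapters.setdefault("Windows IP Configuration", {})
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name"), {})
            last_key = None
            continue
        m = CONT_RE.match(line)          # must run before FIELD_RE: "fe80::" has a colon
        if m and last_key:
            current[last_key].append(m.group("val").strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current.setdefault(last_key, [])
            if m.group("val").strip():
                current[last_key].append(m.group("val").strip())
    return adapters


def clean_ip(val):
    """Drop the "(Preferred)" suffix and the IPv6 zone index ("%10")."""
    return re.sub(r"\(.*\)$", "", val).split("%")[0].strip()


def check_adapter(fields):
    """Return a list of findings for one adapter (empty list means nothing odd)."""
    findings = []
    ipv4 = fields.get("IPv4 Address") or fields.get("IP Address") or []   # 2008 vs 2003 label
    mask = fields.get("Subnet Mask") or []
    gw4 = [g for g in fields.get("Default Gateway", []) if ":" not in g]
    dns = [clean_ip(d) for d in fields.get("DNS Servers", [])]
    if ipv4 and mask and gw4:
        net = ipaddress.IPv4Network(f"{clean_ip(ipv4[0])}/{mask[0]}", strict=False)
        if ipaddress.IPv4Address(gw4[0]) not in net:
            findings.append(f"default route {gw4[0]} is outside the adapter subnet {net}")
    if dns:
        first = ipaddress.ip_address(dns[0])
        if first.version == 6 and first.is_link_local:
            findings.append(f"first DNS server {dns[0]} is link-local IPv6; nslookup "
                            "prints such a server as 'Default Server: UnKnown'")
        if ipv4 and clean_ip(ipv4[0]) in dns:
            findings.append("server resolves through itself (normal for a DC): a dead "
                            "forwarder therefore breaks external lookups for every client")
    return findings


def report(text):
    """Findings per connected adapter, skipping 'Media disconnected' tunnels."""
    return {name: check_adapter(f) for name, f in parse_ipconfig(text).items()
            if "Media State" not in f and "DNS Servers" in f}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_SBS2008).items():
        print(name)
        for line in findings or ["nothing unusual"]:
            print("  -", line)
```

Run it against a saved `ipconfig /all > net.txt` from each box and compare the findings side by side, which is the comparison Rob asks for; the old SBS 2003 output uses "IP Address" rather than "IPv4 Address", and the parser accepts both.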
 

Author Comment

by:ogpete
ID: 35053318
The new SBS box has been sitting happily for a couple of weeks on 192.168.12.2 on the WAN side of the SBS 2003 box; its services routed (NATed) through the firewall from the internet allowed it to send and receive mail, respond to Radmin, provide OWA & RWW etc. etc. but obviously not communicate with the other machines on the LAN.
When the time came to start the migration, I created an MX record pointed at the public IP address that I had routed to 192.168.12.2 and demoted the SBS 2003 MX record to a low priority. I set up a conditional forwarder from the SBS 2003 DNS to point to the WAN address of the SBS 2008 box. This allowed my 10 clients to use OWA for SBS 2008 based email.

We ran things this way for a week with no problems.

Today I had someone link one of the Netgear firewall LAN ports (there are 8 of them) to the LAN main switch (Hub) and disabled the LAN NIC in the SBS 2003 box. (This effectively "bridged out" the SBS 2003 box, just leaving it accessible from the WAN.) I still had full access to the SBS 2008 box - mail, Radmin, IIS etc. etc. all worked OK.

Everything went kaput when I changed the SBS 2008 and Netgear FVS338 LAN IPs onto the 192.168.8.xx subnet.

I hope this makes sense.

Thanks again for your efforts.

Pete

 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 35053382
OK I follow now. The IPconfig and the connections sound fine. I would say it is a router configuration issue. The port the SBS 2008 is on is not "talking" to the router or other PCs connected to the switch and other Netgear port. Having said that, if that were the case RAdmin wouldn't work.

For the record, changing LAN IPs on an SBS can be disastrous. Much easier with 2008, but I have seen a rebuild required with 2003. There are so many integrated services with SBS that sometimes when you change the LAN IP something in DNS, IIS, Exchange, DHCP doesn't get changed.

Did you try the fix my network wizard?
 

Author Comment

by:ogpete
ID: 35054238
Hello Rob,

OK I'm back after a couple of hours' sleep - still none the wiser though.

Is the fix network Wizard the same thing as "Diagnose and Repair" in Network and Sharing Center?

Pete
 

Author Comment

by:ogpete
ID: 35056757
Solved!

Eventually, after much head-scratching, the simple - but arcane solution revealed itself.
The Netgear Firewall had once had a VPN established to another similar device.
The source network for the VPN was set to 192.168.8.0/24 (the same subnet that I had moved my Server to when the trouble all started...).
Even though the VPN configuration was not active on this Firewall, there must have been residual data somewhere in the device that was confusing the SBS DNS, because the Fix my Network and CIW wizards were continually complaining about unresponsive or non-existent DNS Servers and as soon as I removed the offending policies, everything lit up!

I cannot really claim to understand how inactive VPN Policies can have an effect like this, but there we go. "If it was simple, they'd all be doing it."

I'm awarding the points to RobWill for his careful and obviously knowledgeable contributions. Also my thanks for sharing the pain of the apparently intractable with me.
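The root cause above (a VPN policy, not even active, whose network was the same 192.168.8.0/24 that the LAN was moved onto) is the kind of overlap that is cheap to check before renumbering. This is an added example written for this thread, not code from the thread, from Netgear or from the FVS338 firmware. It takes a list of VPN policies and reports every policy network that overlaps a proposed LAN subnet, disabled policies included, and then picks the first candidate subnet that collides with nothing, which is the "put VPNs on different subnets" practice Rob mentions in his closing comment. The policy list is constructed; the field names name/enabled/local/remote are an assumption for illustration, not the firewall's real export format, and the only value taken from the thread is the 192.168.8.0/24 policy.

```python
"""Report VPN policy networks that overlap a LAN subnet, inactive policies included.

Added example for this thread; not part of the original posts and not Netgear code.
Policy fields (name/enabled/local/remote) are an assumed, constructed layout.
"""
import ipaddress

# Constructed sample. "old-branch" mirrors the thread: disabled, but still carrying
# 192.168.8.0/24. "partner" shows a /16 remote side that swallows many /24 LANs.
SAMPLE_POLICIES = [
    {"name": "old-branch", "enabled": False, "local": "192.168.8.0/24",  "remote": "192.168.20.0/24"},
    {"name": "laptops",    "enabled": True,  "local": "192.168.12.0/24", "remote": "10.99.0.0/16"},
    {"name": "partner",    "enabled": True,  "local": "172.16.5.0/24",   "remote": "192.168.0.0/16"},
]


def overlapping_policies(lan, policies, include_disabled=True):
    """Return [(policy name, side, network)] for each policy network overlapping `lan`.

    Disabled policies are included by default: the thread shows an inactive policy
    still colliding with the LAN, so "enabled" is not a safe filter for this check.
    """
    lan_net = ipaddress.ip_network(lan, strict=False)
    hits = []
    for pol in policies:
        if not include_disabled and not pol["enabled"]:
            continue
        for side in ("local", "remote"):
            net = ipaddress.ip_network(pol[side], strict=False)
            if net.overlaps(lan_net):          # true for equal, sub- and supernets
                hits.append((pol["name"], side, str(net)))
    return hits


def first_clear_subnet(candidates, policies):
    """Return the first candidate subnet that overlaps no policy network, or None."""
    for cand in candidates:
        if not overlapping_policies(cand, policies):
            return cand
    return None


if __name__ == "__main__":
    for name, side, net in overlapping_policies("192.168.8.0/24", SAMPLE_POLICIES):
        print(f"policy {name!r}: {side} network {net} overlaps 192.168.8.0/24")
    print("clear choice:", first_clear_subnet(
        ["192.168.8.0/24", "192.168.12.0/24", "192.168.50.0/24", "10.10.10.0/24"],
        SAMPLE_POLICIES))
```

Feed it the policy list read off the firewall's VPN page (local and remote networks of every policy, enabled or not) and the subnet you intend to move the server onto; a non-empty result is a reason to either delete the stale policy first or choose a different range.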
 
LVL 77

Expert Comment

by:Rob Williams
ID: 35056781
Thanks for updating and glad to hear you were able to resolve. I suspect there was a routing conflict between the old VPN config and your current NAT config. Often VPNs are put on different subnets just to avoid that.
Cheers!
--Rob