SBS 2008 DNS won't forward
OK, I'm getting realy desperate now - my client starts work in 4 or 5 hours, I'm 500 miles away from his shiny new SBS 2008 Server and the DNS has died!
Everything was fine - the new SBS 2008 server has been running on a seperate sub-net from the old SBS 2003 that it is replacing for a couple of weeks to prove stability.
Email has been flowing through exchange on the new box for a week (the 10 or so clients have been temporarily running OWA to deal with their their mail). This weekend saw the big switch-over.
Initially I moved one of the client workstations onto the SBS 2008 subnet (192.168.12.xx) to prove that the new PDC would accept clients ok and all was well - exchange hooked up, intrnet access was fine, the user's profile came across nicely using Forensit's Profile Wizard.
Before moving any more clients over, I decided to verify that the Company NAS device (a 4TB Buffalo Terastation) was going to play nicely as I've had problems with them before and sure enough it wouldn't let me reconfigure its LAN settings at all. Every user has their data files on this box and they all need access to it to do their jobs.
So I decided that rather than move all 10 PCs and the Terastation from their 192.168.8.xx subnet over to the new 192.168.12.xx range, I would simply drop the SBS 2008 box onto 192.168.8.2, reconfigure the Netgear Firewall for a LAN address of 192.168.8.1 and away we should go. (previously the Netgear had run a multi-homed "LAN" address in the companies public IP range as the SBS 2003 box was in the old 2 NIC configuration. (Public IP-->SBS 2003-->192.168.8.100)
With me so far?
I ran the SBS 2008 Connect to the Internet wizard, reconfigured the Firewall to route my services from the public IP space to the SBS 2008 Box (email, RWW, OWA, Remote Admin etc), re-booted everything, sat back and hoped for the best.
That was about 8 hours ago!
Everything came back on-line nicely but the SBS 2008 box flatly refuses to talk to the internet - no email, no remote admin, no RDP, no IIS, no nothing.
I can still get at the box with Radmin via the old server (with its DHCP & DNS Disabled) and the only fault I can see (besides the total lack of traffic to or from the internet, is that the DNS forwarders which point to the ISPs DNS Servers will not Validate - they just time out. Root hints are set up too but the box won't resolve ANY external DNS queries.
I am no DNS expert (it normally just works for me) so I am asking for someone's help in diagnosing this before 07:30 today! ( it's now 03:15)
Help - please.
Pete
Everything was fine - the new SBS 2008 server has been running on a seperate sub-net from the old SBS 2003 that it is replacing for a couple of weeks to prove stability.
Email has been flowing through exchange on the new box for a week (the 10 or so clients have been temporarily running OWA to deal with their their mail). This weekend saw the big switch-over.
Initially I moved one of the client workstations onto the SBS 2008 subnet (192.168.12.xx) to prove that the new PDC would accept clients ok and all was well - exchange hooked up, intrnet access was fine, the user's profile came across nicely using Forensit's Profile Wizard.
Before moving any more clients over, I decided to verify that the Company NAS device (a 4TB Buffalo Terastation) was going to play nicely as I've had problems with them before and sure enough it wouldn't let me reconfigure its LAN settings at all. Every user has their data files on this box and they all need access to it to do their jobs.
So I decided that rather than move all 10 PCs and the Terastation from their 192.168.8.xx subnet over to the new 192.168.12.xx range, I would simply drop the SBS 2008 box onto 192.168.8.2, reconfigure the Netgear Firewall for a LAN address of 192.168.8.1 and away we should go. (previously the Netgear had run a multi-homed "LAN" address in the companies public IP range as the SBS 2003 box was in the old 2 NIC configuration. (Public IP-->SBS 2003-->192.168.8.100)
With me so far?
I ran the SBS 2008 Connect to the Internet wizard, reconfigured the Firewall to route my services from the public IP space to the SBS 2008 Box (email, RWW, OWA, Remote Admin etc), re-booted everything, sat back and hoped for the best.
That was about 8 hours ago!
Everything came back on-line nicely but the SBS 2008 box flatly refuses to talk to the internet - no email, no remote admin, no RDP, no IIS, no nothing.
I can still get at the box with Radmin via the old server (with its DHCP & DNS Disabled) and the only fault I can see (besides the total lack of traffic to or from the internet, is that the DNS forwarders which point to the ISPs DNS Servers will not Validate - they just time out. Root hints are set up too but the box won't resolve ANY external DNS queries.
I am no DNS expert (it normally just works for me) so I am asking for someone's help in diagnosing this before 07:30 today! ( it's now 03:15)
Help - please.
Pete
If none of the above uncovers any issues try the BPA:
http://www.microsoft.com/downloads/en/details.aspx?familyid=86a1aa32-9814-484e-bd43-3e42aec7f731&displaylang=en
http://www.microsoft.com/downloads/en/details.aspx?familyid=86a1aa32-9814-484e-bd43-3e42aec7f731&displaylang=en
ASKER
Thanks for the prompt response Rob,
I thought Router issues too at first; but the old SBS 2003 box still resolves addresses fine and I'm using Remote Admin through the same router so I know its connecting OK.
No I cannot ping anything beyond the Netgear Firewall from the new server - the only way I can talk to it is via the old SBS 2003 Box.
Duplicate IPs are a possibility I suppose, although the router's log shows all the machines that I know of, accounted for and all with DHCP assigned addresses from the new server (all bar one that does have an IP conflict or other TCP problem at 192.168.8.13) but I don't see this causing a problem for SBS on 192.168.8.2 - do you?
IPconfig /all shows the SBS box has 192.168.8.1 as its Gateway and It can ping the router on that address. (and vice-versa)
I'll try Flushing the DNS cache again - I've done it already a few times
I've re-run the CIW and the Internet Name Wizard to no avail
I'll try the Fix my Network wizard if I can find it.
Finally I'll run the BPA tool. If I can get it onto the machine...
I'll report back soon...
Thanks again.
Pete
I thought Router issues too at first; but the old SBS 2003 box still resolves addresses fine and I'm using Remote Admin through the same router so I know its connecting OK.
No I cannot ping anything beyond the Netgear Firewall from the new server - the only way I can talk to it is via the old SBS 2003 Box.
Duplicate IPs are a possibility I suppose, although the router's log shows all the machines that I know of, accounted for and all with DHCP assigned addresses from the new server (all bar one that does have an IP conflict or other TCP problem at 192.168.8.13) but I don't see this causing a problem for SBS on 192.168.8.2 - do you?
IPconfig /all shows the SBS box has 192.168.8.1 as its Gateway and It can ping the router on that address. (and vice-versa)
I'll try Flushing the DNS cache again - I've done it already a few times
I've re-run the CIW and the Internet Name Wizard to no avail
I'll try the Fix my Network wizard if I can find it.
Finally I'll run the BPA tool. If I can get it onto the machine...
I'll report back soon...
Thanks again.
Pete
>>" I cannot ping anything beyond the Netgear Firewall "
Then at least the primary issue is not DNS.
>>"all bar one that does have an IP conflict or other TCP problem "
No I don't see this as the likely problem, but IP conflicts cause all sorts of problems including locked switch ports.
Just to confirm. You can ping the Netgear, but not a public IP beyond it?
Can you reboot the Netgear?
Also, what model Netgear is it? Many routers have licensing limitations. For example they will allow 10 Internet connections, the 11th is blocked. I don't know of any Netgear's like that but Cisco, Sonicwall, Watchguard, and many others have this limitation. Rebooting the router resets the count.
Then at least the primary issue is not DNS.
>>"all bar one that does have an IP conflict or other TCP problem "
No I don't see this as the likely problem, but IP conflicts cause all sorts of problems including locked switch ports.
Just to confirm. You can ping the Netgear, but not a public IP beyond it?
Can you reboot the Netgear?
Also, what model Netgear is it? Many routers have licensing limitations. For example they will allow 10 Internet connections, the 11th is blocked. I don't know of any Netgear's like that but Cisco, Sonicwall, Watchguard, and many others have this limitation. Rebooting the router resets the count.
ASKER
Hi Rob,
>>>>" I cannot ping anything beyond the Netgear Firewall "
>>Then at least the primary issue is not DNS.
True, I cannot even ping machines by IP address...
>>>>"all bar one that does have an IP conflict or other TCP problem "
>>No I don't see this as the likely problem, but IP conflicts cause all sorts of problems >>including locked switch ports.
I'll have to wait for an employee to arrive in the morning and kill the ...13 machine to find out.
Yes, I can ping the netgear FVS338 but nothing beyond - not even by IP address.
The netgear can ping and resolve addresses on the LAN and Internet with no problem
I've rebooted the Netgear already - no change.
Its an FVS338 - its been running on this LAN for 6 months with no issues.
No licensing limitations that I know of.
Any more ideas?
Cheers,
Pete
>>>>" I cannot ping anything beyond the Netgear Firewall "
>>Then at least the primary issue is not DNS.
True, I cannot even ping machines by IP address...
>>>>"all bar one that does have an IP conflict or other TCP problem "
>>No I don't see this as the likely problem, but IP conflicts cause all sorts of problems >>including locked switch ports.
I'll have to wait for an employee to arrive in the morning and kill the ...13 machine to find out.
Yes, I can ping the netgear FVS338 but nothing beyond - not even by IP address.
The netgear can ping and resolve addresses on the LAN and Internet with no problem
I've rebooted the Netgear already - no change.
Its an FVS338 - its been running on this LAN for 6 months with no issues.
No licensing limitations that I know of.
Any more ideas?
Cheers,
Pete
Could you post the results of IPconfig /all for us please (from the SBS 2008)
For comparison it would be good to have the old SBS as well.
I assume you can ping the old SBS from the new? But no other machines?
You haven't disabled IPv6 on the SBS 2008 have you?
For comparison it would be good to have the old SBS as well.
I assume you can ping the old SBS from the new? But no other machines?
You haven't disabled IPv6 on the SBS 2008 have you?
Is the old SBS still a 2 NIC configuration?
If so how do you have this physically wired?
Old configuration would have been:
LAN clients (192.168.8.x) => switch => SBS LAN (192.168.8.x) == SBS WAN (not 192.168.8.x) => Netgear
Where in that lineup have you placed the new SBS? If on the LAN side of the old SBS it will not access the Internet, if on the WAN side it can't ping any LAN PC's or the old SBS.
Experts-Exchange is updating their database and blocking access freequently. I may not be able to repond again tonight.
If so how do you have this physically wired?
Old configuration would have been:
LAN clients (192.168.8.x) => switch => SBS LAN (192.168.8.x) == SBS WAN (not 192.168.8.x) => Netgear
Where in that lineup have you placed the new SBS? If on the LAN side of the old SBS it will not access the Internet, if on the WAN side it can't ping any LAN PC's or the old SBS.
Experts-Exchange is updating their database and blocking access freequently. I may not be able to repond again tonight.
ASKER
Here's the IPconfig output:
SBS 2008 Box
Windows IP Configuration
Host Name . . . . . . . . . . . . : SABRE-X366
Primary Dns Suffix . . . . . . . : sabre-2010.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sabre-2010.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-14-5E-1C-2E-44
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1f1f:f376:5a6e:1570%
Link-local IPv6 Address . . . . . : fe80::9097:b3e:547a:f1a9%1
IPv4 Address. . . . . . . . . . . : 192.168.8.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.8.1
DHCPv6 IAID . . . . . . . . . . . : 251663454
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-1D-7D-C6-00
DNS Servers . . . . . . . . . . . : fe80::1f1f:f376:5a6e:1570%
192.168.8.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{A31F0319-5611-4E87
246}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
SBS 2003 Box
C:\Documents and Settings\Administrator>ipc
Windows IP Configuration
Host Name . . . . . . . . . . . . : sabre-ibm-x-232
Primary Dns Suffix . . . . . . . : sabre-tooling.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : sabre-tooling.local
Ethernet adapter Wide Area Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink Server 10/100 PCI (3C980C-
TXM) #2
Physical Address. . . . . . . . . : 00-04-75-86-C4-FB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 92.54.150.2
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : 92.54.150.1
DNS Servers . . . . . . . . . . . : 192.168.8.100
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Netfinity 10/100 Ethernet Adapter
Physical Address. . . . . . . . . : 00-02-55-47-34-EA
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.8.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.8.100
Primary WINS Server . . . . . . . : 192.168.81.2
Also, during EE's quick outage, I changed the SBS box's IP address to 192.168.8.255 and the router to 192.168.8.250 just for laughs - re-ran CIW and no difference.
If it's relevant, nslookup returns this:
C:\Users\PeterD>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: fe80::1f1f:f376:5a6e:1570
Pete
SBS 2008 Box
Windows IP Configuration
Host Name . . . . . . . . . . . . : SABRE-X366
Primary Dns Suffix . . . . . . . : sabre-2010.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sabre-2010.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-14-5E-1C-2E-44
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1f1f:f376:5a6e:1570%
Link-local IPv6 Address . . . . . : fe80::9097:b3e:547a:f1a9%1
IPv4 Address. . . . . . . . . . . : 192.168.8.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.8.1
DHCPv6 IAID . . . . . . . . . . . : 251663454
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-1D-7D-C6-00
DNS Servers . . . . . . . . . . . : fe80::1f1f:f376:5a6e:1570%
192.168.8.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{A31F0319-5611-4E87
246}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
SBS 2003 Box
C:\Documents and Settings\Administrator>ipc
Windows IP Configuration
Host Name . . . . . . . . . . . . : sabre-ibm-x-232
Primary Dns Suffix . . . . . . . : sabre-tooling.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : sabre-tooling.local
Ethernet adapter Wide Area Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink Server 10/100 PCI (3C980C-
TXM) #2
Physical Address. . . . . . . . . : 00-04-75-86-C4-FB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 92.54.150.2
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : 92.54.150.1
DNS Servers . . . . . . . . . . . : 192.168.8.100
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Netfinity 10/100 Ethernet Adapter
Physical Address. . . . . . . . . : 00-02-55-47-34-EA
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.8.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.8.100
Primary WINS Server . . . . . . . : 192.168.81.2
Also, during EE's quick outage, I changed the SBS box's IP address to 192.168.8.255 and the router to 192.168.8.250 just for laughs - re-ran CIW and no difference.
If it's relevant, nslookup returns this:
C:\Users\PeterD>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: fe80::1f1f:f376:5a6e:1570
Pete
ASKER
The new SBS box has been sat happily for a couple of weeks on 192.168.12.2 on the WAN side of the SBS 2003 box. - its services routed (NATed) through the firewall from the internet allowed it to send and receive mail, respond to Radmin, provide OWA & RWW etc. etc. but obviously not communicate with the other machines on the LAN.
When the time came to start the migration, I created an MX record pointed at the public IP address that I had routed to 192.168.12.2 and demoted the SBS2003 MX record to a low priority. I set up a conditional forwarder from the SBS2003 DNS to point to the WAN address of the SBS2008 box. This allowed my 10 clients to use OWA for SBS 2008 based email.
We ran things this way for a week with no problems.
Today I had someone link one of the Netgear firewall LAN ports (there are 8 of them) to the LAN main switch (Hub) and disabled the LAN NIC in the SBS 2003 box. This effectively "bridged out" the SBS 2003 box, just leaving it accessible from the WAN) I still had full access to the SBS 2008 box - mail, Radmin, IIS etc etc all worked OK.
Everything went kaput when I changed the SBS2008 and Netgear FVS338 LAN IPs onto the 192.168.8..xx subnet.
I hope this makes sense.
Thanks again for your efforts.
Pete
When the time came to start the migration, I created an MX record pointed at the public IP address that I had routed to 192.168.12.2 and demoted the SBS2003 MX record to a low priority. I set up a conditional forwarder from the SBS2003 DNS to point to the WAN address of the SBS2008 box. This allowed my 10 clients to use OWA for SBS 2008 based email.
We ran things this way for a week with no problems.
Today I had someone link one of the Netgear firewall LAN ports (there are 8 of them) to the LAN main switch (Hub) and disabled the LAN NIC in the SBS 2003 box. This effectively "bridged out" the SBS 2003 box, just leaving it accessible from the WAN) I still had full access to the SBS 2008 box - mail, Radmin, IIS etc etc all worked OK.
Everything went kaput when I changed the SBS2008 and Netgear FVS338 LAN IPs onto the 192.168.8..xx subnet.
I hope this makes sense.
Thanks again for your efforts.
Pete
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hello Rob,
Ok I'm back after a couple of hour's sleep - still none the wiser though.
Is the fix network Wizard the same thing as "Diagnose and Repair" in Network and Sharing Center?
Pete
Ok I'm back after a couple of hour's sleep - still none the wiser though.
Is the fix network Wizard the same thing as "Diagnose and Repair" in Network and Sharing Center?
Pete
ASKER
Solved!
Eventually, after much head-scratching, the simple - but arcane solution revealed itself.
The Netgear Firewall had once had a VPN established to another similar device.
The source network for the VPN was set to 192.168.8.00/24. (the same subnet that I had moved my Server to when the trouble all started...)
Even though the VPN configuration was not active on this Firewall, there must have been residual data somewhere in the device that was confusing the SBS DNS because The Fix my Network and CIW wizards were continually complaining about unresponsive or non-existent DNS Servers and as soon as I removed the offending policies, everything lilt-up!
I cannot really claim to understand how inactive VPN Policies can have an effect like this but; there we go. "if it was simple - they'd all be doing it".
I'm awarding the points to RobWill for his careful and obviously knowledgeable contributions. Also my thanks for sharing the pain of the apparently intractable with me.
Eventually, after much head-scratching, the simple - but arcane solution revealed itself.
The Netgear Firewall had once had a VPN established to another similar device.
The source network for the VPN was set to 192.168.8.00/24. (the same subnet that I had moved my Server to when the trouble all started...)
Even though the VPN configuration was not active on this Firewall, there must have been residual data somewhere in the device that was confusing the SBS DNS because The Fix my Network and CIW wizards were continually complaining about unresponsive or non-existent DNS Servers and as soon as I removed the offending policies, everything lilt-up!
I cannot really claim to understand how inactive VPN Policies can have an effect like this but; there we go. "if it was simple - they'd all be doing it".
I'm awarding the points to RobWill for his careful and obviously knowledgeable contributions. Also my thanks for sharing the pain of the apparently intractable with me.
Thanks for updating and glad to hear you were able to resolve. I suspect there was a routing conflict between the old VPN config and your current NAT config. Often VPN's are put on different subnets just to avoid that.
Cheers!
--Rob
Cheers!
--Rob
Make sure you don't have a duplicate IP. No chance the IP you assigned the server is still in use.
With ipconfig verify the gateway address is correct
Flush the DNS cache with ipconfig /flushdns
You may also have to re-run the "set up your Internet address" wizard to re-configure Exchange and more, and don't forget the "Fix my network" wizard it sometimes performs miracles.