Solved

SBS 2008 DNS won't forward

Posted on 2011-03-06
Last Modified: 2012-06-27
OK, I'm getting really desperate now - my client starts work in 4 or 5 hours, I'm 500 miles away from his shiny new SBS 2008 Server and the DNS has died!

Everything was fine - the new SBS 2008 server has been running on a separate sub-net from the old SBS 2003 that it is replacing for a couple of weeks to prove stability.
Email has been flowing through Exchange on the new box for a week (the 10 or so clients have been temporarily running OWA to deal with their mail). This weekend saw the big switch-over.
Initially I moved one of the client workstations onto the SBS 2008 subnet (192.168.12.xx) to prove that the new PDC would accept clients OK and all was well - Exchange hooked up, internet access was fine, the user's profile came across nicely using Forensit's Profile Wizard.

Before moving any more clients over, I decided to verify that the Company NAS device (a 4TB Buffalo Terastation) was going to play nicely as I've had problems with them before and sure enough it wouldn't let me reconfigure its LAN settings at all. Every user has their data files on this box and they all need access to it to do their jobs.
So I decided that rather than move all 10 PCs and the Terastation from their 192.168.8.xx subnet over to the new 192.168.12.xx range, I would simply drop the SBS 2008 box onto 192.168.8.2, reconfigure the Netgear Firewall for a LAN address of 192.168.8.1 and away we should go. (Previously the Netgear had run a multi-homed "LAN" address in the company's public IP range as the SBS 2003 box was in the old 2 NIC configuration: Public IP-->SBS 2003-->192.168.8.100.)

With me so far?

I ran the SBS 2008 Connect to the Internet wizard, reconfigured the Firewall to route my services from the public IP space to the SBS 2008 Box (email, RWW, OWA, Remote Admin etc), re-booted everything, sat back and hoped for the best.

That was about 8 hours ago!

Everything came back on-line nicely but the SBS 2008 box flatly refuses to talk to the internet - no email, no remote admin, no RDP, no IIS, no nothing.

I can still get at the box with Radmin via the old server (with its DHCP & DNS disabled) and the only fault I can see (besides the total lack of traffic to or from the internet) is that the DNS forwarders which point to the ISP's DNS Servers will not validate - they just time out. Root hints are set up too but the box won't resolve ANY external DNS queries.

I am no DNS expert (it normally just works for me) so I am asking for someone's help in diagnosing this before 07:30 today! (It's now 03:15.)

Help - please.

Pete
Question by:ogpete
LVL 77

Expert Comment

by:Rob Williams
DNS forwarders would rely on the connection to the Internet. You mention no other services are working either, incoming or outgoing. I would suspect more of a router or IP addressing issue. Can you ping an internet IP from the server to something like 4.2.2.2 to confirm connectivity?

Make sure you don't have a duplicate IP. No chance the IP you assigned the server is still in use.
With ipconfig verify the gateway address is correct
Flush the DNS cache with   ipconfig /flushdns

You may also have to re-run the "set up your Internet address" wizard to re-configure Exchange and more, and don't forget the "Fix my network" wizard; it sometimes performs miracles.
0
 

Author Comment

by:ogpete
Thanks for the prompt response Rob,

I thought Router issues too at first; but the old SBS 2003 box still resolves addresses fine and I'm using Remote Admin through the same router so I know it's connecting OK.

No I cannot ping anything beyond the Netgear Firewall from the new server - the only way I can talk to it is via the old SBS 2003 Box.

Duplicate IPs are a possibility I suppose, although the router's log shows all the machines that I know of, accounted for and all with DHCP assigned addresses from the new server (all bar one that does have an IP conflict or other TCP problem at 192.168.8.13) but I don't see this causing a problem for SBS on 192.168.8.2 - do you?

IPconfig /all shows the SBS box has 192.168.8.1 as its Gateway and it can ping the router on that address (and vice-versa).

I'll try Flushing the DNS cache again - I've done it already a few times
I've re-run the CIW and the Internet Name Wizard to no avail
I'll try the Fix my Network wizard if I can find it.

Finally I'll run the BPA tool. If I can get it onto the machine...

I'll report back soon...

Thanks again.

Pete
0
 
LVL 77

Expert Comment

by:Rob Williams
>>" I cannot ping anything beyond the Netgear Firewall "
Then at least the primary issue is not DNS.

>>"all bar one that does have an IP conflict or other TCP problem "
No I don't see this as the likely problem, but IP conflicts cause all sorts of problems including locked switch ports.

Just to confirm. You can ping the Netgear, but not a public IP beyond it?
Can you reboot the Netgear?
Also, what model Netgear is it? Many routers have licensing limitations. For example they will allow 10 Internet connections, the 11th is blocked. I don't know of any Netgears like that but Cisco, Sonicwall, Watchguard, and many others have this limitation. Rebooting the router resets the count.
0
 

Author Comment

by:ogpete
Hi Rob,

>>>>" I cannot ping anything beyond the Netgear Firewall "
>>Then at least the primary issue is not DNS.

True, I cannot even ping machines by IP address...

>>>>"all bar one that does have an IP conflict or other TCP problem "
>>No I don't see this as the likely problem, but IP conflicts cause all sorts of problems including locked switch ports.

I'll have to wait for an employee to arrive in the morning and kill the ...13 machine to find out.

Yes, I can ping the Netgear FVS338 but nothing beyond - not even by IP address.
The Netgear can ping and resolve addresses on the LAN and Internet with no problem.

I've rebooted the Netgear already - no change.

It's an FVS338 - it's been running on this LAN for 6 months with no issues.

No licensing limitations that I know of.

Any more ideas?

Cheers,

Pete
0
 
LVL 77

Expert Comment

by:Rob Williams
Could you post the results of    IPconfig /all    for us please (from the SBS 2008)
For comparison it would be good to have the old SBS as well.

I assume you can ping the old SBS from the new? But no other machines?
You haven't disabled IPv6 on the SBS 2008 have you?
0
 
LVL 77

Expert Comment

by:Rob Williams
Is the old SBS still a 2 NIC configuration?
If so how do you have this physically wired?

Old configuration would have been:

LAN clients (192.168.8.x) => switch => SBS LAN (192.168.8.x) == SBS WAN (not 192.168.8.x) => Netgear
Where in that lineup have you placed the new SBS? If on the LAN side of the old SBS it will not access the Internet, if on the WAN side it can't ping any LAN PC's or the old SBS.

Experts-Exchange is updating their database and blocking access frequently. I may not be able to respond again tonight.
0
 

Author Comment

by:ogpete
Here's the IPconfig output:

SBS 2008 Box

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SABRE-X366
   Primary Dns Suffix  . . . . . . . : sabre-2010.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : sabre-2010.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-14-5E-1C-2E-44
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1f1f:f376:5a6e:1570%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::9097:b3e:547a:f1a9%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.8.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.8.1
   DHCPv6 IAID . . . . . . . . . . . : 251663454
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-1D-7D-C6-00-14-5E-1C-2E-44

   DNS Servers . . . . . . . . . . . : fe80::1f1f:f376:5a6e:1570%10
                                       192.168.8.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{A31F0319-5611-4E87-8E7C-E0A0A5EE5
246}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


SBS 2003 Box

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : sabre-ibm-x-232
   Primary Dns Suffix  . . . . . . . : sabre-tooling.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : sabre-tooling.local

Ethernet adapter Wide Area Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : 3Com EtherLink Server 10/100 PCI (3C980C-
TXM) #2
   Physical Address. . . . . . . . . : 00-04-75-86-C4-FB
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 92.54.150.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 92.54.150.1
   DNS Servers . . . . . . . . . . . : 192.168.8.100
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Netfinity 10/100 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-02-55-47-34-EA
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.8.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.8.100
   Primary WINS Server . . . . . . . : 192.168.81.2

Also, during EE's quick outage, I changed the SBS box's IP address to 192.168.8.255 and the router to 192.168.8.250 just for laughs - re-ran CIW and no difference.

If it's relevant, nslookup returns this:

C:\Users\PeterD>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  fe80::1f1f:f376:5a6e:1570

Pete
0
 

Author Comment

by:ogpete
The new SBS box has been sat happily for a couple of weeks on 192.168.12.2 on the WAN side of the SBS 2003 box - its services routed (NATed) through the firewall from the internet allowed it to send and receive mail, respond to Radmin, provide OWA & RWW etc. etc. but obviously not communicate with the other machines on the LAN.
When the time came to start the migration, I created an MX record pointed at the public IP address that I had routed to 192.168.12.2 and demoted the SBS2003 MX record to a low priority. I set up a conditional forwarder from the SBS2003 DNS to point to the WAN address of the SBS2008 box. This allowed my 10 clients to use OWA for SBS 2008 based email.

We ran things this way for a week with no problems.

Today I had someone link one of the Netgear firewall LAN ports (there are 8 of them) to the LAN main switch (Hub) and disabled the LAN NIC in the SBS 2003 box. This effectively "bridged out" the SBS 2003 box (just leaving it accessible from the WAN). I still had full access to the SBS 2008 box - mail, Radmin, IIS etc etc all worked OK.

Everything went kaput when I changed the SBS2008 and Netgear FVS338 LAN IPs onto the 192.168.8.xx subnet.

I hope this makes sense.

Thanks again for your efforts.

Pete

0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
OK I follow now. The IPconfig and the connections sound fine. I would say it is a router configuration issue. The port the SBS 2008 is on is not "talking" to the router or other PCs connected to the switch and other Netgear port. Having said that, if that were the case RAdmin wouldn't work.

For the record changing LAN IP's on an SBS can be disastrous. Much easier with 2008, but I have seen a rebuild required with 2003. There are so many integrated services with SBS that sometimes when you change the LAN IP something in DNS, IIS, Exchange, DHCP, doesn't get changed.

Did you try the fix my network wizard?
0
 

Author Comment

by:ogpete
Hello Rob,

OK, I'm back after a couple of hours' sleep - still none the wiser though.

Is the fix network Wizard the same thing as "Diagnose and Repair" in Network and Sharing Center?

Pete
0
 

Author Comment

by:ogpete
Solved!

Eventually, after much head-scratching, the simple - but arcane - solution revealed itself.
The Netgear Firewall had once had a VPN established to another similar device.
The source network for the VPN was set to 192.168.8.00/24 (the same subnet that I had moved my Server to when the trouble all started...).
Even though the VPN configuration was not active on this Firewall, there must have been residual data somewhere in the device that was confusing the SBS DNS, because the Fix my Network and CIW wizards were continually complaining about unresponsive or non-existent DNS Servers, and as soon as I removed the offending policies, everything lit up!

I cannot really claim to understand how inactive VPN Policies can have an effect like this, but there we go. "If it was simple - they'd all be doing it".

I'm awarding the points to RobWill for his careful and obviously knowledgeable contributions. Also my thanks for sharing the pain of the apparently intractable with me.
0
 
LVL 77

Expert Comment

by:Rob Williams
Thanks for updating and glad to hear you were able to resolve. I suspect there was a routing conflict between the old VPN config and your current NAT config. Often VPNs are put on different subnets just to avoid that.
Cheers!
--Rob
0
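
The kind of conflict suspected above can be checked for before a LAN is re-addressed by comparing the planned subnet against every VPN policy stored on the firewall, enabled or not. This is an added example, not part of the original thread; the `VpnPolicy` records, policy names and remote networks are constructed for illustration and are not a Netgear export format.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnPolicy:
    # Hypothetical record, filled in by hand from the firewall's VPN policy page.
    name: str
    enabled: bool
    local_net: str   # traffic selector, source side
    remote_net: str  # traffic selector, far side


def audit_planned_lan(lan_cidr, policies):
    """Return (policy name, reason) for every policy to review before the move."""
    # strict=False lets a host address such as 192.168.8.2/24 stand for its subnet.
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    findings = []
    for p in policies:
        local = ipaddress.ip_network(p.local_net, strict=False)
        remote = ipaddress.ip_network(p.remote_net, strict=False)
        # overlaps() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        if remote.version == lan.version and remote.overlaps(lan):
            # The far side of a tunnel claims addresses that will live on the LAN.
            findings.append((p.name, "remote-overlap"))
        elif local.version == lan.version and local.overlaps(lan) and not p.enabled:
            # A disabled policy still references the planned LAN range:
            # the situation reported in this thread.
            findings.append((p.name, "stale-local"))
    return findings


# Constructed sample policies (not taken from the thread's firewall).
SAMPLE_POLICIES = [
    VpnPolicy("old-branch", False, "192.168.8.0/24", "192.168.20.0/24"),
    VpnPolicy("partner", True, "192.168.12.0/24", "192.168.8.0/22"),
    VpnPolicy("hq", True, "192.168.12.0/24", "10.0.0.0/8"),
]

if __name__ == "__main__":
    for name, reason in audit_planned_lan("192.168.8.2/24", SAMPLE_POLICIES):
        print(f"review policy {name!r}: {reason}")
```

An enabled policy whose local selector matches the LAN is treated as intended and is not reported; anything the audit does list should be reviewed or removed before the server and router are moved onto the new range.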
