Solved

SBS2008 No Internet Browsing, but receiving email

Posted on 2011-10-24
Last Modified: 2012-05-12
Hi - I have an SBS2008 server that currently is not able to browse the internet.  It CAN ping my firewall, but not the outside gateway.  Can't ping any name servers outside our network.  I can ping workstations within my domain. DHCP is handled by the SBS2008, and all the workstations can browse the internet fine.

I am also receiving email on the SBS.

Can't send email because it can't connect to a name server.  Any ideas?  This is incredibly frustrating.

Also, don't know if this is applicable, but I am having problems with restarting the server - many Exchange services are not starting...I have to start them manually to get exchange running.  I have looked through the services to see if anything is not running that should be, but I didn't see anything (maybe I've missed something though).

Thanks
0
Question by:chrisrbloom
18 Comments
 
LVL 11

Expert Comment

by:Sanjay Santoki
ID: 37019281
Hello,

The issue is more likely related to name resolution (DNS). You can check the things below:

1. Outgoing DNS traffic is allowed from within the firewall and antivirus.
2. Be sure your DNS server can contact root hint servers.

Thanks,
Sanjay Santoki
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37019408
OK, here's some more information -

I was able to get it working again, but ONLY by plugging in the backup domain controller (which is also doing DNS)

We just moved into a new office and transferred the servers over.  I had left the BDC off the network because I was going to replace it anyway.

Now it seems everything is working fine.  However, what in the world would cause this to happen?  I would like to fix it...can anyone let me know if there is a setting somewhere that would do this?

Thanks.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 37019786
There are a couple of possibilities here, but when it comes down to it, I would check all of your DNS settings:

1.  On the SBS server itself, make sure it is pointing to itself as the primary DNS server.  You could have your other DNS server listed as a secondary, but that's not necessary.  Right now, it's probably best to have the SBS point only to itself.
2.  Make sure that the DNS settings on your SBS server do NOT have any forwarders set up.  If there are forwarders there, they're not working properly so they should be removed.
3.  Make sure your DNS server has the correct default gateway setting (i.e., the router's internal IP address).
4.  Make sure all of your workstations are pointing to the SBS server as primary DNS server and do NOT have any Internet-based DNS servers listed as either primary or secondary DNS server.
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37037968
hypercat - sorry for the delay, we are completing moving into our new office...this had to go to the back burner before coming back.

On #3 - I do have forwarders set up.  I have it going to the OpenDNS servers.  I opened it up on my DNS Server and they are not resolving.  I guess I thought that the forwarders are where the server got its outside DNS information from...am I wrong there?  Where would the server get its internet DNS for the clients?

Thanks.
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37037990
Another note -

I have my "backup server" listed as a secondary DNS for my SBS.  When I remove that from the DNS list (on my main network interface on the SBS machine), I can't browse the web on my SBS machine.  I add the "backup" machine back in, it works fine.

I'm not sure what's going on here, but my DNS is definitely messed up.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 37039259
You do not NEED forwarders to resolve Internet host names to IP addresses even though Microsoft always assumes that you are going to use them. All you need are the root hints.  If you look in the DNS console, in the server Properties dialog box where you see the Forwarders tab, you'll also see a Root Hints tab.  The Root Hints are the ICANN servers that provide root name resolution for the Internet.  As long as the Root Hints tab is properly populated, you can safely remove the forwarders, especially since they aren't working. I would also recommend removing the secondary DNS from the NIC card settings on the SBS server. SBS is very finicky about this kind of thing, so it just may be interfering - especially if the DNS forwarders are not working in the first place. This should resolve your issues of browsing from the SBS server.
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37039767
Thanks for the reply...I do understand what you are saying.

Right now, having the second DNS server in my NIC settings on the SBS server is the only way the server can browse the internet.  Without it, I'm down.  I will definitely remove it when I can get this problem fixed.

I think my problem is now NOT DNS related.  I say this because when I tried your suggestions, I lost all internet connectivity.  I tried the Internet Connection Wizard Repair tool and it told me several things:
1.  No internet access (although with the secondary DNS server still in there, it said the same thing but I could browse new websites)
2.  Windows SBS Sharepoint site does not exist.  Although I can log into our SBS sharepoint site just fine.
3.  Exchange SMTP connectors are invalid.  Not sure why, Exchange seems to be working well
4.  Could not configure the router - which is OK, it's a SonicWall external router - I don't think SBS should be configuring it anyway, right?

I can nslookup anything on my domain just fine.  When I try to nslookup anything outside my domain, it times out:  DNS request timed out.  timeout was 2 seconds.

When I nslookup google.com 192.168.40.11 (this is my secondary dc), I get an answer no problem.

What in the world could be causing this?



0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 2000 total points
ID: 37040540
All of those things actually do point to a DNS issue.  

Let's check a few things to see if we can get any more info about what's going on. You need to be logged on as an administrator directly on the SBS server:

1.  Check the DNS event log on the SBS server and see if there are any errors there. If you find anything, post the error message here.
2.  Check the other event logs on the SBS server and see if there are any errors there that might be relevant to this problem. Post anything you find.
3.  Open a command prompt and run dcdiag. If there are any errors, or anything you think is suspicious, post it here.
4.  From the command prompt, run dcdiag /test:dns and post the results.

I also just thought of another thing that I've run into a few times which seems to be an odd little quirk.  Check your NIC card properties to see if IPv6 is enabled.  If IPv6 is enabled, UNcheck it, save the changes and re-test your browsing to see if that makes a difference.  If IPv6 is NOT enabled, then check it and again test to see if it makes a difference.  In the end result, you will need to have IPv6 enabled, but I've seen browsing issues on a couple of SBS2008 servers where if you UNcheck IPv6, make sure you can browse and then re-check it, it will resolve the issue.
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37041448
OK, I didn't see any suspicious errors in dcdiag - but maybe in dcdiag /test:dns.  Attached is the text file.  The server is complaining about missing AAAA records for my domain controllers.

Also, I did disable TCP/IP on the ipv6 interface, but it didn't seem to do any good.  I re-enabled it just to make sure I didn't go down too many rabbit holes with no way to get back (or can't remember how to get back).

Thanks.
DCDIAG-testdns.txt
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37041932
One other thing - I noticed I am seeing a problem in the Active Directory Certificate Services:

Some of my certificates show "unable to download".  I don't know how long this has been going on...could this be the cause of my problem?  See attached screen shot.

Thanks.
SBS Console Shot of ADCS Snapin
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 37045970
The missing AAAA records in the dcdiag dns test aren't significant - they have to do with IPv6 and from posts I've seen, and the fact that I get the same error on working DCs, I don't think you need to be concerned about that.  The root hints errors, however, might be an issue.  Because we're seeing these errors and behavior on the SBS server but when you have the other DC connected it seems to work, I'd like to see:

1.  ipconfig /all from both servers, and from one of your workstations.
2.  Do the same dcdiag /test:dns on the other server and post those results.
3.  Assuming DNS is AD-integrated (would be by default on SBS), try downloading and installing a new cache.dns file to replace the root hints.  

To do #3, go to:

ftp://ftp.internic.net/domain/

From there, download the file named "named.cache" to your SBS server (you can just put it in the root of the C: drive for now). Then follow the steps in this Microsoft article, in the Resolution section:

http://support.microsoft.com/kb/249868/

See if that helps at all.
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37046398
OK, attached are txt files of the results. SERENITY is the SBS DC and PEACE is the 2008Std BDC.

I did replace the root hints - but still not getting the SBS to work.  

For what it's worth, I did some research on my firewall - and it's logging an error from Serenity whenever I try to ping or nslookup outside:  (this is coming FROM my outside port, going TO Serenity):

ICMP Destination Unreachable, Code: 3

Try the same thing on PEACE, no errors are logged.

Thanks for the continued help.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 37047611
No text files were attached....
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37048086
Sorry...I do that too often.  Here you go.
Peace-dcdiag-test-dns.txt
Peace-ipconfig.txt
Serenity-ipconfig.txt
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 37065605
That all looks OK. The only slightly weird thing I see is that Peace does not show an IPv6 address on its DNS server list.  Are you using IPv6 anywhere except on the two servers?

Peace is acting as though its DNS AD partition is not working properly. Can you resolve any external host names at all? If you do an nslookup to a particular external host, what happens?  By that, I mean:

nslookup - [ip address of your ISP's DNS server]

Then press enter.  You should see a response from that server. Then type a host name like "www.google.com". See if that works.

Also, do you have a HOSTS file on this server that might be interfering? I'm really grasping at straws here, because I'm not seeing any indication of a problem.  I would tell you to simply uninstall and reinstall DNS, but because it's SBS I'm a little reluctant to recommend that...
0
 
LVL 3

Author Comment

by:chrisrbloom
ID: 37066167
Peace is actually the one that I'm not having problems with (it's the Backup Domain Controller).  I see that there is no IPv6 listening, but I am listening on its IPv6 port (per the DNS/Properties tab).

I can nslookup an external address with Peace no problem.  That's weird how it's not showing an IPv6 address when I nslookup (answers from the IPv4 address) because when I do it from Serenity, the IPv6 address answers.  I have it listening on both ports.

Serenity is the one that's my SBS (Primary Domain Controller) that I can't nslookup anything outside our network.  In fact, if I REMOVE Peace from the DNS server list, I can't do much at all on Serenity...so basically, I'm using Peace as a crutch for DNS on my primary server.

Looking in my hosts file on Serenity - I see 2 entries:
127.0.0.1      localhost
::1                 localhost

I am really hesitant to remove and reinstall DNS from my primary domain controller (SBS) since it's also running exchange and IIS.  However, if there's no other option, maybe I'll give it a try.

Maybe I'll hire someone to come in and make this their headache ;-)
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 37066289
Sorry - I just got the names mixed up.  I checked the ipconfig on Serenity again and noticed that the IPv6 address is first on the DNS servers list.  I think this might be the problem, and wish I'd thought of it earlier.  Try this:

1.  Disable IPv6 in the properties of the NIC.
2.  Open an administrative command prompt and run:  ipconfig /flushdns.  Then run: ipconfig /registerdns.
3.  Check the ipconfig again.  If the IPv6 IP address is still listed as the first DNS server, then rerun the ipconfig /flushdns and ipconfig /registerdns again.  I've had this happen where it doesn't seem to work unless you run it a couple of times.

The objective is to completely REMOVE the IPv6 address from the NIC card configuration.  Once you've got that done, try browsing/resolving host names again and see if that makes a difference.
0
 
LVL 3

Author Closing Comment

by:chrisrbloom
ID: 37540598
The problem WAS with DNS, however it was with my Firewall (Sonicwall TZ210) and a NAT rule for DNS being needed to properly forward the requests to the server.
0
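
The per-server comparison used throughout this thread (nslookup against a named server, then finding that the firewall was dropping the SBS's own outbound DNS) can be scripted as below. This is an added example, not part of the original thread: it sends one UDP query directly to each server and reports the response code or the absence of a reply. The target list is an assumption: 127.0.0.1 stands for the DNS service on the server under test, 192.168.40.11 is the secondary DC mentioned above, and 198.41.0.4 is a.root-servers.net.

```python
import socket
import struct
import secrets

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, rd=True):
    """Return (txid, packet) for a one-question DNS query (qtype 1 = A)."""
    txid = secrets.randbits(16)
    flags = 0x0100 if rd else 0x0000  # RD bit asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [p.encode("ascii") for p in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(txid, reply):
    """Summarise a reply as 'RCODE answers=N', or say why it was unusable."""
    if reply is None:
        return "NO_REPLY"
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or not a response
        return "MISMATCH"
    rcode = flags & 0x000F
    return "%s answers=%d" % (RCODES.get(rcode, "RCODE%d" % rcode), answers)

def probe(server, name, rd=True, timeout=2.0):
    """Send one UDP query straight to `server`, like 'nslookup name server'."""
    txid, packet = build_query(name, rd=rd)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, 53))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout, or an ICMP unreachable surfaced as an error
            reply = None
    return classify(txid, reply)

if __name__ == "__main__":
    # Assumed targets: 127.0.0.1 = the DNS service on the server being tested,
    # 192.168.40.11 = the secondary DC named in the thread,
    # 198.41.0.4 = a.root-servers.net, queried without recursion.
    for label, server, rd in [("local DNS service", "127.0.0.1", True),
                              ("secondary DC", "192.168.40.11", True),
                              ("root server, direct", "198.41.0.4", False)]:
        print("%-20s %-15s %s" % (label, server, probe(server, "google.com", rd)))
```

Run on the affected server, NO_REPLY for the direct root-server query while the secondary DC answers indicates that DNS traffic leaving that host is being dropped on the path out, rather than a fault in the DNS service's zone data.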


Question has a verified solution.
