SBS2008 No Internet Browsing, but receiving email

Hi - I have an SBS2008 server that currently is not able to browse the internet.  It CAN ping my firewall, but not the outside gateway.  Can't ping any name servers outside our network.  I can ping workstations within my domain. DHCP is handled by the SBS2008, and all the workstations can browse the internet fine.

I am also receiving email on the SBS.

Can't send email because it can't connect to a name server.  Any ideas?  This is incredibly frustrating.

Also, don't know if this is applicable, but I am having problems with restarting the server - many Exchange services are not starting...I have to start them manually to get exchange running.  I have looked through the services to see if anything is not running that should be, but I didn't see anything (maybe I've missed something though).

Sanjay Santoki Commented:

The issue is more likely related to name resolution (DNS). You can check the things below:

1. Outgoing DNS traffic is allowed from within the firewall and antivirus.
2. Be sure your DNS server can contact root hint servers.

Sanjay Santoki
chrisrbloom (Author) Commented:
OK, here's some more information -

I was able to get it working again, but ONLY by plugging in the backup domain controller (which is also doing DNS)

We just moved into a new office and transferred the servers over.  I had left the BDC off the network because I was going to replace it anyway.

Now it seems everything is working fine.  However, what in the world would cause this to happen?  I would like to fix it...can anyone let me know if there is a setting somewhere that would do this?

Hypercat (Deb) Commented:
There are a couple of possibilities here, but when it comes down to it, I would check all of your DNS settings:

1.  On the SBS server itself, make sure it is pointing to itself as the primary DNS server.  You could have your other DNS server listed as a secondary, but that's not necessary.  Right now, it's probably best to have the SBS point only to itself.
2.  Make sure that the DNS settings on your SBS server do NOT have any forwarders set up.  If there are forwarders there, they're not working properly so they should be removed.
3.  Make sure your DNS server has the correct default gateway setting (i.e., the router's internal IP address).
4.  Make sure all of your workstations are pointing to the SBS server as primary DNS server and do NOT have any Internet-based DNS servers listed as either primary or secondary DNS server.

chrisrbloom (Author) Commented:
hypercat - sorry for the delay, we are completing moving into our new office...this had to go to the back burner before coming back.

On #3 - I do have forwarders set up.  I have it going to the OpenDNS servers.  I opened it up on my DNS Server and they are not resolving.  I guess I thought that the forwarders is where the server got its outside DNS information. Am I wrong there?  Where would the server get its internet DNS for the clients?

chrisrbloom (Author) Commented:
Another note -

I have my "backup server" listed as a secondary DNS for my SBS.  When I remove that from the DNS list (on my main network interface on the SBS machine), I can't browse the web on my SBS machine.  I add the "backup" machine back in, it works fine.

I'm not sure what's going on here, but my dns is definitely messed up.
Hypercat (Deb) Commented:
You do not NEED forwarders to resolve Internet host names to IP addresses even though Microsoft always assumes that you are going to use them. All you need are the root hints.  If you look in the DNS console, in the server Properties dialog box where you see the Forwarders tab, you'll also see a Root Hints tab.  The Root Hints are the ICANN servers that provide root name resolution for the Internet.  As long as the Root Hints tab is properly populated, you can safely remove the forwarders, especially since they aren't working. I would also recommend removing the secondary DNS from the NIC card settings on the SBS server. SBS is very finicky about this kind of thing, so it just may be interfering - especially if the DNS forwarders are not working in the first place. This should resolve your issues of browsing from the SBS server.
chrisrbloom (Author) Commented:
Thanks for the reply...I do understand what you are saying.

Right now, having the second DNS server in my NIC settings on the SBS server is the only way the server can browse the internet.  Without it, I'm down.  I will definitely remove it when I can get this problem fixed.

I think my problem is now NOT DNS related.  I say this because when I tried your suggestions, I lost all internet connectivity.  I tried the Internet Connection Wizard Repair tool and it told me several things:
1.  No internet access (although with the secondary DNS server still in there, it said the same thing but I could browse new websites)
2.  Windows SBS Sharepoint site does not exist.  Although I can log into our SBS sharepoint site just fine.
3.  Exchange SMTP connectors are invalid.  Not sure why, exchange seems to be working well
4.  Could not configure the router - which is OK, it's a SonicWall external router - I don't think SBS should be configuring it anyway, right?

I can nslookup anything on my domain just fine.  when I try to nslookup anything outside my domain, it times out:  DNS request timed out.  timeout was 2 seconds.

when I nslookup (this is my secondary dc), I get an answer no problem.

what in the world could be causing this?

Hypercat (Deb) Commented:
All of those things actually do point to a DNS issue.  

Let's check a few things to see if we can get any more info about what's going on. You need to be logged on as an administrator directly on the SBS server:

1.  Check the DNS event log on the SBS server and see if there are any errors there. If you find anything, post the error message here.
2.  Check the other event logs on the SBS server and see if there are any errors there that might be relevant to this problem. Post anything you find.
3.  Open a command prompt and run dcdiag. If there are any errors, or anything you think is suspicious, post it here.
4.  From the command prompt, run dcdiag /test:dns and post the results.

I also just thought of another thing that I've run into a few times which seems to be an odd little quirk.  Check your NIC card properties to see if IPv6 is enabled.  If IPv6 is enabled, UNcheck it, save the changes and re-test your browsing to see if that makes a difference.  If IPv6 is NOT enabled, then check it and again test to see if it makes a difference.  In the end result, you will need to have IPv6 enabled, but I've seen browsing issues on a couple of SBS2008 servers where if you UNcheck IPv6, make sure you can browse and then re-check it, it will resolve the issue.

chrisrbloom (Author) Commented:
OK, I didn't see any suspicious errors in dcdiag - but maybe in dcdiag /test:dns.  Attached is the text file.  The server is complaining about missing AAAA records for my domain controllers.

Also, I did disable TCP/IP on the ipv6 interface, but it didn't seem to do any good.  I re-enabled it just to make sure I didn't go down too many rabbit holes with no way to get back (or can't remember how to get back).

chrisrbloom (Author) Commented:
One other thing - I noticed I am seeing a problem in the Active Directory Certificate Services:

Some of my certificates show "unable to download".  I don't know how long this has been going on...could this be the cause of my problem?  See attached screen shot.

Thanks.

[Attached screenshot: SBS Console Shot of ADCS Snapin]
Hypercat (Deb) Commented:
The missing AAAA records in the dcdiag dns test aren't significant - they have to do with IPv6 and from posts I've seen, and the fact that I get the same error on working DCs, I don't think you need to be concerned about that.  The root hints errors, however, might be an issue.  Because we're seeing these errors and behavior on the SBS server but when you have the other DC connected it seems to work, I'd like to see:

1.  ipconfig /all from both servers, and from one of your workstations.
2.  Do the same dcdiag /test:dns on the other server and post those results.
3.  Assuming DNS is AD-integrated (would be by default on SBS), try downloading and installing a new cache.dns file to replace the root hints.  

To do #3, go to:

From there, download the file named "named.cache" to your SBS server (you can just put it in the root of the C: drive for now). Then follow the steps in this Microsoft article, in the Resolution section:

See if that helps at all.
chrisrbloom (Author) Commented:
OK, attached are txt files of the results. SERENITY is the SBS DC and PEACE is the 2008Std BDC.

I did replace the root hints - but still not getting the SBS to work.  

For what it's worth, I did some research on my firewall - and it's logging an error from Serenity whenever I try to ping or nslookup outside:  (this is coming FROM my outside port, going TO Serenity):

ICMP Destination Unreachable, Code: 3

Try the same thing on PEACE, no errors are logged.

Thanks for the continued help.
Hypercat (Deb) Commented:
No text files were attached....
chrisrbloom (Author) Commented:
Sorry...I do that too often.  Here you go.
Hypercat (Deb) Commented:
That all looks OK. The only slightly weird thing I see is that Peace does not show an IPv6 address on its DNS server list.  Are you using IPv6 anywhere except on the two servers?

Peace is acting as though its DNS AD partition is not working properly. Can you resolve any external host names at all? If you do an nslookup to a particular external host, what happens?  By that, I mean:

nslookup - [ip address of your ISP's DNS server]

Then press enter.  You should see a response from that server. Then type a host name like "". See if that works.

Also, do you have a HOSTS file on this server that might be interfering? I'm really grasping at straws here, because I'm not seeing any indication of a problem.  I would tell you to simply uninstall and reinstall DNS, but because it's SBS I'm a little reluctant to recommend that...
chrisrbloom (Author) Commented:
Peace is actually the one that I'm not having problems with (it's the Backup Domain Controller).  I see that there is no IPv6 listening, but I am listening on its IPv6 port (per the DNS/Properties tab).

I can nslookup an external address with Peace no problem.  That's weird how it's not showing an IPv6 address when I nslookup (answers from the IPv4 address) because when I do it from Serenity, the IPv6 address answers.  I have it listening on both ports.

Serenity is the one that's my SBS (Primary Domain Controller) that I can't nslookup anything outside our network.  In fact, if I REMOVE Peace from the DNS server list, I can't do much at all on basically, I'm using Peace as a crutch for DNS on my primary server.

Looking in my hosts file on Serenity - I see 2 entries:      localhost
::1                 localhost

I am really hesitant to remove and reinstall DNS from my primary domain controller (SBS) since it's also running exchange and IIS.  However, if there's no other option, maybe I'll give it a try.

Maybe I'll hire someone to come in and make this their headache ;-)
Hypercat (Deb) Commented:
Sorry - I just got the names mixed up.  I checked the ipconfig on Serenity again and noticed that the IPv6 address is first on the DNS servers list.  I think this might be the problem, and wish I'd thought of it earlier.  Try this:

1.  Disable IPv6 in the properties of the NIC.
2.  Open an administrative command prompt and run:  ipconfig /flushdns.  Then run: ipconfig /registerdns.
3.  Check the ipconfig again.  If the IPv6 IP address is still listed as the first DNS server, then rerun the ipconfig /flushdns and ipconfig /registerdns again.  I've had this happen where it doesn't seem to work unless you run it a couple of times.

The objective is to completely REMOVE the IPv6 address from the NIC card configuration.  Once you've got that done, try browsing/resolving host names again and see if that makes a difference.
chrisrbloom (Author) Commented:
The problem WAS with DNS, however it was with my Firewall (Sonicwall TZ210) and a NAT rule for DNS being needed to properly forward the requests to the server.
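
An added example, not part of the original thread: a small probe that sends one DNS query over UDP port 53 to a forwarder (recursive) and to a root-hint server (iterative), so that running it on the DNS server and on a second host shows whether the path treats that server's DNS traffic differently, as the firewall did here. The function names, the fixed query ID and the `example.com` test name are assumptions of this example; the two server addresses are supplied on the command line.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, recursion=True):
    """Minimal DNS query for an A record (RFC 1035 wire format)."""
    flags = 0x0100 if recursion else 0x0000  # RD bit: ask the server to recurse
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [p for p in name.rstrip(".").split(".") if p]
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data, qid=0x1234):
    """Return (rcode, answer_count, authority_count) from a DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit not set
        raise ValueError("not a response to our query")
    return RCODES.get(flags & 0x000F, str(flags & 0x000F)), an, ns

def probe(server, name, recursion, timeout=2.0):
    """Send one UDP query to server:53 and describe what came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, recursion=recursion), (server, 53))
        data, _ = sock.recvfrom(4096)
        rcode, an, ns = parse_header(data)
        return f"{rcode} answers={an} authority={ns}"
    except socket.timeout:
        return "timeout (query or reply dropped on the path)"
    except (OSError, ValueError) as exc:
        return f"error: {exc}"
    finally:
        sock.close()

# Constructed sample: header of a root-server referral (no answers, 13 NS records).
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 13, 0)

if __name__ == "__main__":
    # Usage: script.py <forwarder-ip> <root-server-ip>  (both supplied by you)
    forwarder, root = sys.argv[1], sys.argv[2]
    print("forwarder, recursive :", probe(forwarder, "example.com", True))
    print("root hint, iterative :", probe(root, "com", False))
```

A timeout on both lines from the DNS server, with normal replies when the same command is run from another host behind the same firewall, points at the firewall or NAT rules rather than at the DNS service.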
Question has a verified solution.