Solved

Loss of internet when rebooting old Domain controller

Posted on 2014-03-06 | 342 Views | Last Modified: 2014-03-06
I replaced an old 2003 DC with a Server 2008 box a few years back and moved all the FSMO roles over to the 2008 box. Now we have noticed that if we reboot the 2003 DC, everyone loses internet.

We don't use DHCP and all of the computers have been setup with static IPs.
The NICs of the computers are configured so the default GW is the main switch's IP, DNS 1 is the 2008 box and DNS 2 is the old 2003 box.

I did a route print on both servers, and did notice that the metrics on the 2008 box were much, much higher than on the 2003 box, like 306 and 276 for the route metrics.

Any ideas?

Question by: nicolausj
18 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39909460
I would remove the DNS reference to the old DC on all your computers, then demote the old DC and remove it from AD.

If the hardware is adequate, I'd take the now-demoted server and set it up as a second 2008 DC, with DNS.  If the hardware is not adequate, I'd build a new secondary DC.

(I would then put DHCP on both DCs, each with its own complementary scope, and configure all your computers to be DHCP clients, but this is optional.)
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39909461
Does the DNS Server on the Windows 2008 box have its conditional forwarder pointed at the 2003 server by any chance?
0
 
LVL 3

Author Comment

by:nicolausj
ID: 39909474
No DNS forward on the 2008 box to the 2003 box that I know of. How would I check?
0
 
LVL 3

Author Comment

by:nicolausj
ID: 39909482
Nope, no conditional forwards.
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39909488
What about forwarders on the server properties itself?
(You should be able to open properties on the server object within the DNS Manager, and check the Forwarder tab.)
0
 
LVL 3

Author Comment

by:nicolausj
ID: 39909497
paulmacd, I was actually wrong about the 2003 box being in the DNS for the computers; I just have the one DNS IP, for the 2008 box, on all the computers.

I do want to get rid of the old server, but until I can shut it down without losing internet for my users I can't really demote it.
0
 
LVL 3

Author Comment

by:nicolausj
ID: 39909514
SOA is the 2008 box; the first name server listed is the 2003 box, followed by the 2008.
The first host (A) record is the 2003 box, followed by the 2008.

Not sure if that's what you are looking for, Razmus.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39909551
Is the old DC a proxy for your web browsers?  That would explain the problem.

If the old DC is turned off, can you still PING or TRACERT to an Internet host (www.google.com, say)?
0
 
LVL 3

Author Comment

by:nicolausj
ID: 39909590
Hum... I don't know. Is there a way to check without shutting the server down? Otherwise I will have to test it tomorrow night when no one is here.
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 39909616
I made a mistake in my rush initially... and said conditional forwarders instead of forwarders for the DNS server.  Conditional forwarders show up in the DNS Manager in the tree structure.  The forwarders show up as a property of the server:
[Image: Forwarder Confirmation pane]
Confirm in the properties on the 2008 server that this pane is either blank (and is using root hints) or is pointed to your ISP's name server... but if it's pointed at the 2003 server, that could be a source of the problem.
(That assumes that 'Internet unavailable' also means that clients are simply not able to resolve internet names.)
Paulmacd's suggestion to confirm you can ping IP addresses on the internet while the 2003 box is down is also a good one, and will help narrow the symptoms of the problem!
(I'm focusing on DNS and name resolution, because it is far easier to believe the problem caused by a missing DC is name resolution than internet connectivity.  The latter is not impossible; there would just have to be more that we don't know about yet... proxy or NAT (internet connection sharing) going through the DC, for example.)
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39909627
How to configure Internet Explorer to use a proxy server.  Of course, you want to clear out the old DC's information if it's in there.
0
 
LVL 3

Author Comment

by:nicolausj
ID: 39909631
paulmacd, if I do a tracert for www.google.ca with the old box running, should I not see it first hit the server, then our firewall?

With the box running still the first hop is to our main switch, then our firewall then it times out.
0
 
LVL 3

Author Comment

by:nicolausj
ID: 39909667
Razmus, there was a pointer on the new server to the old one... I will test it over the weekend and see what happens.

Thanks to both of you for your quick responses.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39909711
A tracert would resolve www.google.ca first, and then ping all the points in between, starting with your firewall.  If you can tracert with the old DC turned off, you'll know your problem isn't with DNS.
0
 
LVL 3

Author Comment

by:nicolausj
ID: 39909720
After taking the forwarding IP out, staff are now telling me they cannot surf the internet.
0
 
LVL 29

Accepted Solution

by: Rich Weissler (earned 500 total points)
ID: 39909782
... just like they would when the 2003 machine was down.
Find the value in the 2003 server, which should be in a similar spot... it'll likely be the DNS server for your ISP.  Put THAT value in the Forwarders on the 2008 server.  (OR, worst case... plug in the value 8.8.8.8 temporarily.  That'll be one of the public Google DNS servers, as I recall.)
0
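As an added example (not part of the thread or anyone's posted code): a PowerShell check, run on the 2008 DNS server, that reads its forwarder list from the MicrosoftDNS WMI provider, flags any entry that still points at the retiring 2003 DC, and sends each forwarder a real recursive A query so that a forwarder which answers ping but not DNS is caught before the old box is shut down. The `$RetiringDc` address is a placeholder and `www.google.ca` is just the name the thread used for its tracert test.

```powershell
# Added example: audit DNS forwarders and prove each one actually answers.
# Assumes: run with DNS admin rights on the Windows DNS server being checked.
$RetiringDc = '192.0.2.10'        # placeholder: IP of the old 2003 DC
$ProbeName  = 'www.google.ca'     # name to resolve through each forwarder

function Test-DnsForwarder {
    param([string]$Server, [string]$Name, [int]$TimeoutMs = 3000)
    # Build a minimal DNS query: 12-byte header (random ID, RD=1, QDCOUNT=1),
    # then QNAME as length-prefixed labels, then QTYPE=A (1), QCLASS=IN (1).
    $id = Get-Random -Maximum 65535
    $q  = New-Object System.Collections.Generic.List[byte]
    $q.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0x01, 0x00, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $q.Add([byte]$label.Length)
        $q.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
    }
    $q.AddRange([byte[]]@(0, 0,1, 0,1))
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 53)
        [void]$udp.Send($q.ToArray(), $q.Count)
        $ep   = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$ep)
        # Byte 3 low nibble = RCODE (0 = NOERROR); bytes 6-7 = ANCOUNT.
        $rcode   = $resp[3] -band 0x0F
        $ancount = ($resp[6] -shl 8) + $resp[7]
        return ($rcode -eq 0 -and $ancount -gt 0)
    } catch {
        return $false     # timeout or refused: forwarder is not usable
    } finally {
        $udp.Close()
    }
}

# MicrosoftDNS_Server.Forwarders is the same list shown on the Forwarders tab.
$dns = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
if (-not $dns.Forwarders) {
    Write-Host 'No forwarders configured: server resolves via root hints.'
}
foreach ($fwd in @($dns.Forwarders)) {
    $flag = if ($fwd -eq $RetiringDc) { 'POINTS AT RETIRING DC' } else { '' }
    $ok   = Test-DnsForwarder -Server $fwd -Name $ProbeName
    "{0,-15} answers={1,-5} {2}" -f $fwd, $ok, $flag
}
```

A forwarder that reports `answers=False` while the 2003 box is still up is one clients will lose anyway, which is the failure the thread hit after removing the entry without replacing it.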
 
LVL 3

Author Comment

by:nicolausj
ID: 39909811
Alright, thanks.
0
 
LVL 3

Author Closing Comment

by:nicolausj
ID: 39909840
Thanks for the speedy response!
0