Cannot resolve our ISP's own server names, have to run "Connect to Internet" Wizard from SBS Console. This keeps happening.

This is SBS 2011. Our ISP is Shaw Cable.

We have a weird problem as below -
 We cannot open the URL in a browser, and we cannot ping
We cannot ping all of our ISP pop3 servers, such as

If we run "Connect to Internet" wizard from SBS Console, the above problems will all be gone. But, the problems will come back again in a day or two, so we will have to run the wizard again and again.

We have no problem with our own domain emails ( and we have no problem with browsing any other web sites.

This is a DNS issue that is only related to our ISP name resolving. But I do not know where to start to troubleshoot.

Please help!

Y YconsultantAsked:

nslookup is a good tool to use for DNS issues.  You can attach to different servers and query for various DNS names.  

Is your forwarding configured correctly on your DNS server?  Typically an ISP will provide 2 or more DNS server IP addresses to be set on your DNS server as forwarders.  So your local machines look to the local DNS server for local DNS lookups (your internal domain) and then any requests that the local DNS server isn't authoritative for get forwarded on to the forwarders.
Asif BacchusI.T. ConsultantCommented:
If the problem is limited to domains, then there is no need to keep running the CIECW.  The problem more likely lies somewhere in DNS.  FinServCo made a great point about the DNS forwarders, that's where I would start too.

I have a few clients using Shaw and their DNS can be flaky from time to time.  After confirming your DNS setup, I would contact their tech support department and see if they have something on their end that is blocking your IP (which I assume is static?).  Shaw's routers are infamous for seemingly blocking their own clients' IPs.  I've seen it before where their systems assume that checking email frequently is actually an attack from within their own network and then they block the IP address until it's renewed (likely why CIECW fixes the problem temporarily).  If Shaw cannot find a problem on their end, post back here.
I've run into issues with our ISP where they've given us the order of preference for setting forwarders.  Then, when we've had problems, it's usually been the first server and when I changed the order it went away.

Y YconsultantAuthor Commented:
FinServCo -
Unlike the previous versions, SBS 2011 stopped using DNS Forwarders. Instead, it uses root hints.
I guess I will have to add the forwarders back if I have no other choices.

Asif Bacchus -
Initially I thought Shaw blocked us and we were blocked a few times in the past month. But I do not think this is the case this time. Reasons are
1. Our server is behind our firewall. Running CEICW would not affect the public IP
2. When the problem happened, I tried to ping Shaw server from our firewall, it all worked fine. (name resolved successfully)
I think the default is to use root hints.  You could also try the Best Practice Analyzer.

Y YconsultantAuthor Commented:
Yes, the default is to use root hints. This is not like the previous versions anymore.
Y YconsultantAuthor Commented:
FinServCo -
I just ran BPA and found this. And I have deployed the solution accordingly. Will keep you guys posted...

Issue: The DNS parameter MaxCacheTTL is not set.

Impact: When name resolution is provided by root hints, Windows Server  2008 DNS Servers and Windows Server 2008 R2 DNS Servers may fail to resolve queries for the names of some top-level domains. If this occurs, the problem will continue until you clear the DNS Server cache or restart the DNS Server service. You may experience the problem with domains such as .co, .uk, .cn, and .br. However, the problem is not limited to those domains.

Resolution: For more information, see "Windows Server 2008 DNS Servers may fail to resolve queries for some top-level domains" at
Asif BacchusI.T. ConsultantCommented:
Umm, I think I'd like to correct you all on something here... SBS 2011 (basically Server 2008 R2) absolutely still uses forwarders and you *SHOULD* be using forwarders so that you do NOT run into the MaxCacheTTL issue with root hints.  Deploying the MaxCacheTTL fix is still not the worst idea since when forwarders are not available, windows will fall back to root hints.

To configure forwarders, open your DNS MMC, right-click on the server and go to properties.  Then select the Forwarders tab and click the edit button.  Fill in your desired forwarders (if more than one, also check the order is correct) and click OK.  The default option, that you may be referring to, is the check box located next to the edit button that says "Use root hints if no forwarders are available".  That should remain checked, but as the text suggests, Windows prioritizes forwarders over root hints.

As a side note, does your firewall provide DNS services also?  Are you using it as a DNS relay back to your server or is your server solely handling DNS?  For example, in my setups, I always use a BSD box as a firewall and let it handle DNS.  Then I point my forwarders to my BSD firewall which has its DNS servers set to my ISP/Google/etc.  I find BSD and *nix handle DNS better than windows.  I bring this up because if you are using a similar setup, then the problem may not be with the DNS on your SBS box at all, but rather on your firewall device.  In any case, you should still be using forwarders instead of root hints.

Sorry for the slight tangent, but I think it's important information as you continue to troubleshoot.
Cris HannaSr IT Support EngineerCommented:
Is your SBS box fully up to date as I'm reasonably sure the MaxCache reg change was included in an update rollup.  Rather than using your ISP's DNS servers as the forwarders, use Google's and
Asif BacchusI.T. ConsultantCommented:
@Cris, yup the update was related to KB 2615570 and applies to Server 2008 R2 so it also applies to SBS 2011.  Good call suggesting using Google's DNS since it also rules out any problems with Shaw's DNS servers being the issue.
Y YconsultantAuthor Commented:
Thank you very much for all your inputs regarding this issue.
After running BPA and fixing MaxCacheTTL in registry, the problem has never come back yet. So running BPA is the key to fix the problem.

I am not sure why SBS2011 started using root hints to replace forwarders. Since root hints is the default, I would stick with it and did not try forwarders.

Thanks again!
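
The thread turns on three facts about the server: whether MaxCacheTTL is explicitly set, whether forwarders are configured, and whether the failing name resolves at that moment. The following read-only check gathers all three; it is an added example, not code posted by any participant. It assumes the DNS role runs on the machine where it is executed, and `pop.example.net` is a placeholder for the name that fails.

```powershell
# Added example: read-only audit of the DNS settings discussed in this thread.
# Run in an elevated PowerShell 2.0+ session on the server hosting the DNS role.
$testName = 'pop.example.net'   # placeholder; substitute a name that fails

# 1. Is MaxCacheTTL explicitly set? BPA flags the case where the value is absent.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$prop   = Get-ItemProperty -Path $key -Name MaxCacheTTL -ErrorAction SilentlyContinue
$ttlSet = [bool]$prop
$ttlValue = $null
if ($ttlSet) { $ttlValue = $prop.MaxCacheTTL }

# 2. Forwarders and root-hint fallback, read from the DNS server WMI provider.
$dns = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$forwarders = @($dns.Forwarders | Where-Object { $_ })
$rootHintFallback = -not $dns.IsSlave   # IsSlave = do not recurse if forwarders fail

# 3. Does the name resolve right now? This uses the system resolver, so it only
#    exercises the local DNS service if the server's NIC points at itself.
try   { $resolved = (@([System.Net.Dns]::GetHostAddresses($testName)).Count -gt 0) }
catch { $resolved = $false }

New-Object PSObject -Property @{
    TestName           = $testName
    Resolved           = $resolved
    MaxCacheTTLSet     = $ttlSet
    MaxCacheTTLSeconds = $ttlValue
    Forwarders         = ($forwarders -join ', ')
    RootHintFallback   = $rootHintFallback
} | Format-List

if (-not $resolved -and $forwarders.Count -eq 0 -and -not $ttlSet) {
    # Matches the BPA finding quoted above: root hints only, MaxCacheTTL not set.
    Write-Warning ('Root hints only and MaxCacheTTL not set. Per the BPA text, ' +
        'clearing the DNS Server cache or restarting the DNS Server service ' +
        'restores resolution until the problem recurs.')
}
elseif (-not $resolved -and $forwarders.Count -gt 0) {
    # Forwarders exist but the lookup failed: test each one and check the order.
    Write-Warning ("Lookup failed with forwarders configured. Query each one " +
        "directly, e.g. nslookup $testName <forwarder-ip>, and review their order.")
}
```

Running it once while the problem is present and once after the fix gives a before and after record of which condition actually changed.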