HarleyITGuy (United States of America) asked:
HTTP 403 Forbidden on DC/DNS Server 2012 R2

Hi All,
A company we use to host our websites recently retired some old servers, which in turn forced me to change to new name servers in my Go Daddy account. No big deal, I have done this before.
The website in question is a public website, no logging in etc. From outside our network the website in question, http://www.examplewebsite.com/, is totally accessible with no issues. Type it into your browser and away it goes; I can ping the website as well, no problem.
Inside my network is a different story: I can ping the website in question by DNS name with no problem, but if I go to the website I get the 403 Forbidden.
I have an in-house Server 2012 R2 that doubles as DC and DNS server. I have always had the website in question set with a static IP in my DNS, because the website and my local domain are the same except the external is .com and the internal is .local.
I am not the greatest by any means and do not know a lot about DNS, but I just opened DNS from Server Manager, found every instance I could that had the .com website address, and modified the IP address to the new IP address.
And now I get the 403 Forbidden when any PC inside my network tries to access the .com website.
I went back to double-check my work, and I noticed that I think the Fully Qualified Domain Name for this website had changed to website.com website.com website.com (3 instances); other ones had a combination of website.com and website.local as the FQDN. All other websites come up fine.
Any help would be most appreciated.
Thanks
Dirk Mare (South Africa) replied:
Use nslookup from an external location and then from internal. If the results are not the same and external works fine, it's definitely your DNS.

Remove all DNS entries for website.com, flush the DNS cache on the server and workstations (or reboot), and run nslookup from your DNS server to see if it resolves correctly.

DirkMare
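The inside-versus-outside comparison DirkMare describes, written out as an added PowerShell example (it is not code from the original thread). It assumes the hostname, the internal DC/DNS address and the public resolver shown; run it from a domain-joined workstation. It queries the name through the internal server and through a public resolver with the local cache and hosts file bypassed, prints both answer sets (CNAME hops included, since a stale hard-coded A record will hide them), flags a mismatch, and flushes the client cache (and the server cache when run on the DNS server itself) before you re-test.

```powershell
# Added example: compare internal vs external resolution of one hostname,
# then flush caches before re-testing. Names and addresses are assumptions;
# replace them with your own.
$Hostname       = 'www.examplewebsite.com'   # assumption: the site in question
$InternalServer = '10.0.0.10'                # assumption: your DC/DNS server
$ExternalServer = '8.8.8.8'                  # public resolver, the "outside" view

function Get-Answers {
    param([string]$Name, [string]$Server)
    # -DnsOnly bypasses the hosts file and the local cache so we see exactly
    # what the server hands back, including any CNAME (Alias) hops.
    try {
        Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop |
            ForEach-Object {
                if     ($_.Type -eq 'CNAME') { "CNAME -> $($_.NameHost)" }
                elseif ($_.Type -eq 'A')     { "A     -> $($_.IPAddress)" }
            } | Sort-Object   # round-robin order differs between servers; sort before comparing
    } catch {
        "ERROR: $($_.Exception.Message)"
    }
}

$internal = @(Get-Answers -Name $Hostname -Server $InternalServer)
$external = @(Get-Answers -Name $Hostname -Server $ExternalServer)

"Internal ($InternalServer):"; $internal | ForEach-Object { "  $_" }
"External ($ExternalServer):"; $external | ForEach-Object { "  $_" }

if (Compare-Object $internal $external) {
    'MISMATCH: the internal server answers differently from the outside world.'
    'A stale static record or zone on the internal DNS server is the likely cause.'
} else {
    'Answers match: DNS is not what differs between inside and outside.'
}

# Flush caches before re-testing: the client cache always, the server cache
# only where the DnsServer module is present (i.e. on the DNS server itself).
Clear-DnsClientCache
if (Get-Command Clear-DnsServerCache -ErrorAction SilentlyContinue) {
    Clear-DnsServerCache -Force
}
```

A plain `nslookup` comparison misses two things this script shows: whether the public answer is a CNAME chain rather than a bare A record, and whether the "matching" addresses you see on the workstation came from its cache rather than from the server.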
HarleyITGuy (asker) replied:
The nslookup on the outside and inside are exactly the same.
DirkMare,
I went ahead and tried to do what you said anyway and deleted all references to website.com within my DNS server, and I still received the same 403 Forbidden. I could not even ping the website any longer and could not perform an nslookup, so I placed one A record for the site, and I can ping the site now and perform an nslookup. Not sure what else to do. And yes, I cleared the DNS cache several times.
Only other thing I can think of..

Are you using the same PC to test internal and external? If this is the case, please ignore.

It could be a browser issue..

DirkMare
Yes, same PC.
Do you have the .com set up in DNS as its own Forward Lookup Zone?

Typically with this sort of setup you would have a FLZ of domain.local and a FLZ of domain.com. Within the domain.com FLZ (which points to the new external IP) you would have an A record of www which points to the external IP as well.

Given that you have changed your name servers, this may just be a case of the propagation taking its time, so assuming the above is in place, leave it a few days and try again.
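The split-brain layout described above (a domain.com forward lookup zone on the internal server with apex and www A records pointing at the hosting company's address), built with the DnsServer module as an added PowerShell example; it is not code from the thread. It assumes the zone name and the new IP shown and must run in an elevated session on the DC/DNS server. Stale records are removed before the new ones are added so the old address cannot linger, and the server cache is flushed before verifying.

```powershell
# Added example: create the public-name zone on the internal DNS server and
# point the apex and www at the hoster's CURRENT address. Zone name and IP
# are assumptions (203.0.113.10 is a documentation address); use your own.
$ExternalZone = 'examplewebsite.com'
$WebsiteIP    = '203.0.113.10'

# 1. Create the zone if it does not exist. Once this zone exists the internal
#    server answers every name under it itself and never asks the outside
#    world, so every public host the company uses (www, mail, ...) must be
#    listed here or it will stop resolving internally.
if (-not (Get-DnsServerZone -Name $ExternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalZone -ReplicationScope 'Domain'
}

# 2. Replace any existing A records for the apex ('@') and www with the new IP.
#    A short TTL keeps the next address change from sticking in client caches.
foreach ($label in @('@', 'www')) {
    $old = Get-DnsServerResourceRecord -ZoneName $ExternalZone -Name $label -RRType A -ErrorAction SilentlyContinue
    if ($old) {
        $old | Remove-DnsServerResourceRecord -ZoneName $ExternalZone -Force
    }
    Add-DnsServerResourceRecordA -ZoneName $ExternalZone -Name $label -IPv4Address $WebsiteIP -TimeToLive (New-TimeSpan -Minutes 5)
}

# 3. Verify the server itself now hands back the new address.
Clear-DnsServerCache -Force
Resolve-DnsName -Name "www.$ExternalZone" -Server 'localhost' -Type A -DnsOnly |
    Select-Object Name, Type, IPAddress
```

The caveat in step 1 is the one that bites in setups like this: a hard-coded A record cannot follow an Alias (CNAME) that the hosting provider publishes externally, so if the provider moves the site behind a different address, the internal zone keeps sending browsers to the old one until someone edits it by hand.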
I will look at it when I get in this morning. I know that it is not in the FLZ as I had removed them. Not a big deal to put them back into the FLZ.
I placed the domain name and IP address as an A record into the FLZ, restarted the server, and still the same issue. Deleted it, tried it again, cleared the cache, and still no luck. Any other ideas?
Based on the description of your setup I would put the external domain.com FLZ back into the internal DNS, with the A record pointing to the external IP address of the website. That is needed as standard.

Once this is done, can you run an nslookup for the website's external URL and see that it resolves and that your internal DC/DNS is listed as the authoritative server. Post the nslookup output here (minus sensitive details) if that is easier.
I placed the A record back into the forward lookup zone. I don't mind having this one website up here. It is managed by a large company elsewhere and damn, it would be good for business for folks to go there lol.
This is what nslookup give me:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.STARKAUTO>nslookup www.starkauto.com
Server:  UnKnown
Address:  10.219.115.237

Name:    www.starkauto.com
Address:  207.186.149.73
This is what I get when I attempt to access the website:

The website declined to show this webpage
HTTP 403

Most likely causes:
• This website requires you to log in.

What you can try:
Go back to the previous page.

More information

This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the webpage.

For more information about HTTP errors, see Help.

Just another FYI, as maybe more information is better than less sometimes. I am also attaching 2 screenshots so you can see how I set this up:
1st-DNS-Snapshot.rtf
DNS-Snapshot.rtf
The nslookup doesn't list an authoritative DNS server associated with your domain, which could well be down to the lack of a PTR zone for that IP subnet (10.219.115.0, assuming this is a /24 subnet), so it would be worth adding one in for that.

I am getting a different external IP for the site which does not match the one provided; I get 92.123.140.35. Is this the old IP?... I suspect at this point that the propagation may be taking some time, which in turn could indicate an issue with the actual site for all users, including external ones, once the propagation completes.

To check, you can add a host record entry in the local PC's hosts file for the external hostname which points to the expected external IP and see if this works externally. If this comes back with the same error as you have internally, then I would talk to your DNS hosting provider asap.
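The hosts-file test suggested above, as an added PowerShell example that is not part of the original thread. It assumes the hostname and the expected external IP shown, and must run as Administrator on a test PC outside the office network. It pins the name to that IP in the hosts file, confirms the pin took effect, requests the page and reports the HTTP status (a 403 is caught and reported rather than swallowed as an exception), and always removes the pin again, even when the request fails.

```powershell
# Added example: temporarily pin a hostname to a specific IP in the hosts
# file and report the HTTP status the server at that IP returns for it.
# Hostname and IP are assumptions (203.0.113.10 is a documentation address).
$Hostname   = 'www.examplewebsite.com'
$ExpectedIP = '203.0.113.10'          # the address the hoster says is current
$HostsFile  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker     = '# temp-pin-test'       # tag so only our line gets removed later

function Test-SiteStatus {
    param([string]$Url)
    # Invoke-WebRequest throws on 4xx/5xx; read the status code off the
    # response attached to the exception so a 403 comes back as a number.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1   # no HTTP response at all (DNS, TCP or TLS failure)
    }
}

try {
    Add-Content -Path $HostsFile -Value "$ExpectedIP`t$Hostname`t$Marker"
    Clear-DnsClientCache

    # Confirm the pin is in effect before trusting the HTTP result.
    $pinned = (Resolve-DnsName -Name $Hostname -Type A).IPAddress
    "$Hostname now resolves locally to: $pinned"
    if ($pinned -notcontains $ExpectedIP) { throw "hosts pin not in effect" }

    $status = Test-SiteStatus -Url "http://$Hostname/"
    "HTTP status with $Hostname pinned to $ExpectedIP : $status"
    if ($status -eq 403) {
        'Same 403 as inside: the server at that IP refuses requests for this name. Talk to the hosting provider.'
    }
} finally {
    # Remove the pin whether or not the test above succeeded.
    $kept = Get-Content $HostsFile | Where-Object { $_ -notlike "*$Marker" }
    Set-Content -Path $HostsFile -Value $kept
    Clear-DnsClientCache
}
```

Getting a 403 here is informative because the test reproduces exactly what an internal client does when a static A record sends it straight to that IP: a server that serves the site only behind its published Alias will refuse the name when it arrives at the wrong address.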
I am thinking that this has nothing to do with my internal DNS servers. I went out this morning and tried to perform a reverse DNS lookup on starkauto.com, which has the IP address of 207.186.149.73. Every one of them fails, telling me that the PTR record is missing. Since starkauto.com is an externally hosted website, and I have no idea who this company uses for an ISP, my thought is that they have to handle this piece of the puzzle. Am I thinking the right way?
I think your internal DNS needs a PTR zone for the internal LAN, as a best practice and as this will solve the "Server: UnKnown" issue.

It may be a subnet prioritisation thing, but the IP I see when I do an nslookup is attached:
Stark1.JPG
Stark2.JPG
OK, and how do I add a new PTR zone within my DNS server?
Internally, just create a new reverse lookup zone for the internal LAN IP subnet that is used by your DCs.

This won't have an impact on your external website issues. I would assume this may be related to the fact that the website is not updated to the most recent IP change, which is why I recommended the host record test above.

The website name resolves as an Alias, not an A record, and it appears that the hosting provider is these guys, http://www.cdkglobal.com/, who specialise in car dealership cloud-based systems. Might be worth giving them a call.
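The reverse lookup zone recommended above, plus the check that answers the asker's two questions (why the internal records matter), as an added PowerShell example; it is not code from the thread. It assumes a /24 for the 10.219.115.0 subnet and an assumed DC name; the DC address is the one the posted nslookup showed as "Server:". Run in an elevated session on the DC/DNS server. The first part creates the in-addr.arpa zone and a PTR for the DC so that nslookup can name the server; the second part asks a public resolver for the site and shows the Alias (CNAME) chain, which is what a hard-coded A record in an internal zone replaces.

```powershell
# Added example: internal reverse lookup zone + PTR for the DC, then a look
# at what the outside world returns for the site. Subnet mask and DC name are
# assumptions; the addresses are the ones quoted in the thread.
$Subnet    = '10.219.115.0/24'
$DcName    = 'dc1.starkauto.local'     # assumption: the DC's internal FQDN
$DcAddress = '10.219.115.237'          # "Server:" address from the nslookup output

# Build the reverse zone name for a /24: first three octets reversed.
$octets      = $DcAddress.Split('.')
$ReverseZone = '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]

if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    # AD-integrated, secure dynamic updates so domain members can register their own PTRs.
    Add-DnsServerPrimaryZone -NetworkId $Subnet -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}
# In a /24 zone the PTR record name is just the last octet.
if (-not (Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name $octets[3] -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $octets[3] -PtrDomainName $DcName
}

# Verify: the reverse lookup nslookup performs to fill in "Server:" now works.
Resolve-DnsName -Name $DcAddress -Type PTR -Server 'localhost' -DnsOnly |
    Select-Object Name, Type, NameHost

# Separate point: how the name looks from outside. If the public answer is a
# CNAME chain, the internal zone's static A record is not a copy of it; it is
# a substitute that sends clients straight to whatever IP someone typed in.
$public = Resolve-DnsName -Name 'www.starkauto.com' -Server '8.8.8.8' -DnsOnly
$public | Select-Object Name, Type, NameHost, IPAddress
if ($public.Type -contains 'CNAME') {
    'Public answer is an Alias (CNAME); an internal static A record will not track it.'
}
```

Nothing in the first part changes web resolution; it only gives nslookup a name for 10.219.115.237. The second part is the one that speaks to the asker's question: with no internal zone for the .com at all, the DC forwards the query out and returns the same Alias chain everyone else gets.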
OK, well tell me if I am right or wrong in this thought if you do not mind; I hate taking so much time from you.
1. If I have access on my internal network to virtually any website except for this one, then why do I need internal records for one website?
2. Since this is a website that is externally hosted, and the only part we handle is having Go Daddy as our registrar, I really am confused as to why I need these records.
ASKER CERTIFIED SOLUTION
DLeaver (United Kingdom of Great Britain and Northern Ireland)
This solution is only available to members.
That was the ticket, deleted, flushed the cache, and the website is all back up. Thank you for your assistance.
No probs, glad it's working!