
Web Site Mystery



Guest TheScullster
Posted

Hi all

 

Not sure this is the correct group but here goes...........

 

Although we have our own corporate domain europacrown.com, we do not host

our own web site at this location.

Instead, our parent company hosts our site along with their own.

So in our DNS setup, there is a pointer to the ip address of the host

server.

 

For some reason, attempts to access our company web site http://www.europacrown.com

don't work from our corporate network.

I have tried the same from a dial-up connection without any problems.

Although it is not clear how long this has been an issue, we recently

promoted our SQL server to act as a domain controller and active directory

backup.

 

Can anyone suggest ways of fault finding this issue please?

Windows server 2003 network

ISA server used as proxy

Checkpoint firewall

 

Thanks in anticipation

 

Phil

Guest Lanwench [MVP - Exchange]
Posted

Re: Web Site Mystery

 

TheScullster <phil@dropthespam.com> wrote:

> Hi all

>

> Not sure this is the correct group but here goes...........

 

microsoft.public.windows.server.dns is probably a more logical one, but this

works.

>

> Although we have our own corporate domain europacrown.com, we do not

> host our own web site at this location.

> Instead, our parent company hosts our site along with their own.

> So in our DNS setup, there is a pointer to the ip address of the host

> server.

 

What's your AD domain name? If it matches your public domain name

(europacrown.com), you're using "split brain DNS" - and yes, you need to

have a host entry for www which points to the correct public IP.

 

What do you get when you ping http://www.europacrown.com ? Does it return the

correct public IP? I get 216.17.30.189....

 

> For some reason, attempts to access our company web site

> http://www.europacrown.com don't work from our corporate network.

 

You might post the unedited output from an ipconfig /all from your DC....

>

> I have tried the same from a dial-up connection without any problems.

> Although it is not clear how long this has been an issue, we recently

> promoted our SQL server to act as a domain controller and active

> directory backup.

 

Is it also running AD-integrated DNS?

>

> Can anyone suggest ways of fault finding this issue please?

> Windows server 2003 network

> ISA server used as proxy

> Checkpoint firewall

>

> Thanks in anticipation

>

> Phil

Guest TheScullster
Posted

Re: Web Site Mystery

 

 

"Lanwench [MVP - Exchange]" wrote

 

 

 

Lanwench

 

Thanks for your input.

First let me say that I am somewhat out of my depth with all this but will

reply to your points to see if we can get to the bottom of this.

>>

>> Although we have our own corporate domain europacrown.com, we do not

>> host our own web site at this location.

>> Instead, our parent company hosts our site along with their own.

>> So in our DNS setup, there is a pointer to the ip address of the host

>> server.

>

> What's your AD domain name? If it matches your public domain name

> (europacrown.com), you're using "split brain DNS" - and yes, you need to

> have a host entry for www which points to the correct public IP.

 

Our AD domain is europa.

There is an entry in our DNS report which must point to the correct public

IP as the web site is accessible from any other browser connection outside

our LAN.

>

> What do you get when you ping http://www.europacrown.com ? Does it return the

> correct public IP? I get 216.17.30.189....

>

>

 

Interesting.

I believe that our firewall blocks attempts at external pings.

When I ping any other address it does resolve to an ip address but returns

"request timed out".

However, when I ping http://www.europacrown.com it returns "Ping request could not

find host http://www.europacrown.com. Please check the name and try again".

 

>> For some reason, attempts to access our company web site

>> http://www.europacrown.com don't work from our corporate network.

>

> You might post the unedited output from an ipconfig /all from your DC....

 

Does publishing this information to the world compromise the security of our

network?

>

>>

>> I have tried the same from a dial-up connection without any problems.

>> Although it is not clear how long this has been an issue, we recently

>> promoted our SQL server to act as a domain controller and active

>> directory backup.

>

> Is it also running AD-integrated DNS?

 

Not sure on this one. It was deliberately introduced as a backup both for

AD and as a secondary DNS, if that answers the question.

>>

>> Can anyone suggest ways of fault finding this issue please?

>> Windows server 2003 network

>> ISA server used as proxy

>> Checkpoint firewall

>>

>> Thanks in anticipation

>>

>> Phil

>

>

>

 

This is looking more and more like an internal conflict/resolution issue to

a network newbie.

Thanks for any further pointers you can give

 

Phil

Guest Andrew Morton
Posted

Re: Web Site Mystery

 

TheScullster wrote:

> Although we have our own corporate domain europacrown.com, we do not

> host our own web site at this location.

> Instead, our parent company hosts our site along with their own.

> So in our DNS setup, there is a pointer to the ip address of the host

> server.

>

> For some reason, attempts to access our company web site

> http://www.europacrown.com don't work from our corporate network.

> I have tried the same from a dial-up connection without any problems.

> Although it is not clear how long this has been an issue, we recently

> promoted our SQL server to act as a domain controller and active

> directory backup.

>

> Can anyone suggest ways of fault finding this issue please?

> Windows server 2003 network

> ISA server used as proxy

> Checkpoint firewall

 

If you can connect to the web server using its actual IP address, then it

sounds like you need to set up NAT loopback on whichever device is doing

your NAT.

 

From outside your network, the server's IP address is 216.17.30.189, but

inside the network its IP address may be something like 10.20.1.1. From

outside the network, clients use the 216.17.30.189 address, and your NAT

device translates that to 10.20.1.1 on its internal interface. From inside

your network, clients try to use the address 216.17.30.189 (which they found

from DNS) which goes to your NAT device, but it doesn't "know" to translate

that back to 10.20.1.1 /when the request comes from the internal interface/.

 

When you use a dial-up connection, you are making the request from outside

your network.

 

HTH

 

Andrew

Guest Lanwench [MVP - Exchange]
Posted

Re: Web Site Mystery

 

TheScullster <phil@dropthespam.com> wrote:

> "Lanwench [MVP - Exchange]" wrote

> Lanwench

>

> Thanks for your input.

> First let me say that I am somewhat out of my depth with all this but

> will reply to your points to see if we can get to the bottom of this.

 

Cool beans.

>

>>>

>>> Although we have our own corporate domain europacrown.com, we do not

>>> host our own web site at this location.

>>> Instead, our parent company hosts our site along with their own.

>>> So in our DNS setup, there is a pointer to the ip address of the

>>> host server.

>>

>> What's your AD domain name? If it matches your public domain name

>> (europacrown.com), you're using "split brain DNS" - and yes, you

>> need to have a host entry for www which points to the correct public

>> IP.

>

> Our AD domain is europa.

 

That's the NetBIOS name - think of it as a nickname. The full name has to

end in dot-something. Run an ipconfig /all on your server and you'll see the

full name - or ping your server by its NetBIOS name and it should reply with

the FQDN (servername.domain.whatever)

> There is an entry in our DNS report which must point to the correct

> public IP as the web site is accessible from any other browser

> connection outside our LAN.

>

>>

>> What do you get when you ping http://www.europacrown.com ? Does it return

>> the correct public IP? I get 216.17.30.189....

>>

>>

>

> Interesting.

> I believe that our firewall blocks attempts at external pings.

 

Outbound? That sucks. I'd turn that "feature" off. Pinging is a very useful

connectivity test. Blocking inbound ICMP is a Good Thing.

 

> When I ping any other address it does resolve to an ip address but

> returns "request timed out".

 

That's often useful anyway - could be that the remote host blocks ping

requests. Just to check name resolution, ping is still useful.

> However, when I ping http://www.europacrown.com it returns "Ping request

> could not find host http://www.europacrown.com. Please check the name and

> try again".

 

If you use europacrown.com as your internal DNS domain name, you must create

a host record in your forward lookup zone for europacrown.com - the name of

the host would be www, and the IP address would be 216.17.30.189. Otherwise,

when you go to http://www.europacrown.com, your own DNS servers (which have been

told "you're responsible for everything on the europacrown.com domain") will

not be able to find the host internally, and will shrug and give up.

 

This is a major reason it is generally not recommended that you use the same

domain name for public & internal DNS. You can work around this, but it

isn't always graceful.

>

>

>>> For some reason, attempts to access our company web site

>>> http://www.europacrown.com don't work from our corporate network.

>>

>> You might post the unedited output from an ipconfig /all from your

>> DC....

>

> Does publishing this information to the world compromise the security

> of our network?

 

No. Not unless you use public IPs on your network and have no firewall or

security in place - in which case you're already in mega trouble :)

>

>>

>>>

>>> I have tried the same from a dial-up connection without any

>>> problems. Although it is not clear how long this has been an issue,

>>> we recently promoted our SQL server to act as a domain controller

>>> and active directory backup.

>>

>> Is it also running AD-integrated DNS?

>

> Not sure on this one. It was deliberately introduced as a backup

> both for AD and as a secondary DNS, if that answers the question.

 

You should check - it should be running AD-integrated DNS. Meaning, it

should be a replica of the DNS server config you have on your first DC.

>

>>>

>>> Can anyone suggest ways of fault finding this issue please?

>>> Windows server 2003 network

>>> ISA server used as proxy

>>> Checkpoint firewall

>>>

>>> Thanks in anticipation

>>>

>>> Phil

>>

>>

>>

>

> This is looking more and more like an internal conflict/resolution

> issue to a network newbie.

> Thanks for any further pointers you can give

>

> Phil

Guest Lanwench [MVP - Exchange]
Posted

Re: Web Site Mystery

 

Andrew Morton <akm@in-press.co.uk.invalid> wrote:

> TheScullster wrote:

>> Although we have our own corporate domain europacrown.com, we do not

>> host our own web site at this location.

>> Instead, our parent company hosts our site along with their own.

>> So in our DNS setup, there is a pointer to the ip address of the host

>> server.

>>

>> For some reason, attempts to access our company web site

>> http://www.europacrown.com don't work from our corporate network.

>> I have tried the same from a dial-up connection without any problems.

>> Although it is not clear how long this has been an issue, we recently

>> promoted our SQL server to act as a domain controller and active

>> directory backup.

>>

>> Can anyone suggest ways of fault finding this issue please?

>> Windows server 2003 network

>> ISA server used as proxy

>> Checkpoint firewall

>

> If you can connect to the web server using its actual IP address,

> then it sounds like you need to set up NAT loopback on whichever

> device is doing your NAT.

 

Hmmm - no; I think you'll want to read the OP's reply to me....the issue

seems to be with the DNS config.

>

> From outside your network, the server's IP address is 216.17.30.189,

> but inside the network its IP address may be something like

> 10.20.1.1.

 

Actually, inside the network, www doesn't appear to exist at all. The

website is hosted externally, remember.

> From outside the network, clients use the 216.17.30.189

> address, and your NAT device translates that to 10.20.1.1 on its

> internal interface. From inside your network, clients try to use the

> address 216.17.30.189 (which they found from DNS) which goes to your

> NAT device, but it doesn't "know" to translate that back to 10.20.1.1

> /when the request comes from the internal interface/.

> When you use a dial-up connection, you are making the request from

> outside your network.

 

Yep.

>

> HTH

>

> Andrew

Guest Andrew Morton
Posted

Re: Web Site Mystery

 

Lanwench [MVP - Exchange] wrote:

> Actually, inside the network, www doesn't appear to exist at all. The

> website is hosted externally, remember.

 

That part isn't clear to me - might it be that their LAN is part of the

parent company's WAN, which also contains the web servers?

 

OP: is that how it is?

 

Andrew

Guest TheScullster
Posted

Re: Web Site Mystery

 

 

"Lanwench [MVP - Exchange]" wrote

>

> Cool beans.

 

What an excellent expression! Not sure whether it has any bearing on the

matter in hand, but must make a note of it anyway.

>>

>>>>

>>>> Although we have our own corporate domain europacrown.com, we do not

>>>> host our own web site at this location.

>>>> Instead, our parent company hosts our site along with their own.

>>>> So in our DNS setup, there is a pointer to the ip address of the

>>>> host server.

>>>

>>> What's your AD domain name? If it matches your public domain name

>>> (europacrown.com), you're using "split brain DNS" - and yes, you

>>> need to have a host entry for www which points to the correct public

>>> IP.

>>

>> Our AD domain is europa.

>

> That's the NetBIOS name - think of it as a nickname. The full name has to

> end in dot-something. Run an ipconfig /all on your server and you'll see

> the full name - or ping your server by its NetBIOS name and it should

> reply with the FQDN (servername.domain.whatever)

 

From the ISA server I get europaem.europa.local

>

>> There is an entry in our DNS report which must point to the correct

>> public IP as the web site is accessible from any other browser

>> connection outside our LAN.

>>

>>>

>>> What do you get when you ping http://www.europacrown.com ? Does it return

>>> the correct public IP? I get 216.17.30.189....

>>>

>>>

>>

>> Interesting.

>> I believe that our firewall blocks attempts at external pings.

>

> Outbound? That sucks. I'd turn that "feature" off. Pinging is a very

> useful connectivity test. Blocking inbound ICMP is a Good Thing.

 

I'll talk to the firewall "management" about that one.

>

>

>> When I ping any other address it does resolve to an ip address but

>> returns "request timed out".

>

> That's often useful anyway - could be that the remote host blocks ping

> requests. Just to check name resolution, ping is still useful.

>> However, when I ping http://www.europacrown.com it returns "Ping request

>> could not find host http://www.europacrown.com. Please check the name and

>> try again".

>

> If you use europacrown.com as your internal DNS domain name, you must

> create a host record in your forward lookup zone for europacrown.com -

> the name of the host would be www, and the IP address would be

> 216.17.30.189. Otherwise, when you go to http://www.europacrown.com, your own DNS

> servers (which have been told "you're responsible for everything on the

> europacrown.com domain") will not be able to find the host internally, and

> will shrug and give up.

>

> This is a major reason it is generally not recommended that you use the

> same domain name for public & internal DNS. You can work around this, but

> it isn't always graceful.

 

I believe that the .europa.local part of the FQDN confirms that the above 2

paragraphs don't apply in this case?

 

>>

>>

>>>> For some reason, attempts to access our company web site

>>>> http://www.europacrown.com don't work from our corporate network.

>>>

>>> You might post the unedited output from an ipconfig /all from your

>>> DC....

>>

>> Does publishing this information to the world compromise the security

>> of our network?

>

> No. Not unless you use public IPs on your network and have no firewall or

> security in place - in which case you're already in mega trouble :)

 

Would the ipconfig all info still be useful to help solve this?

If so, do you require domain controller server, ISA/Exchange server, second

DC or all three?

>>

>>>

>>>>

>>>> I have tried the same from a dial-up connection without any

>>>> problems. Although it is not clear how long this has been an issue,

>>>> we recently promoted our SQL server to act as a domain controller

>>>> and active directory backup.

>>>

>>> Is it also running AD-integrated DNS?

>>

>> Not sure on this one. It was deliberately introduced as a backup

>> both for AD and as a secondary DNS, if that answers the question.

>

> You should check - it should be running AD-integrated DNS. Meaning, it

> should be a replica of the DNS server config you have on your first DC.

 

How do I confirm this?

>>

>>>>

>>>> Can anyone suggest ways of fault finding this issue please?

>>>> Windows server 2003 network

>>>> ISA server used as proxy

>>>> Checkpoint firewall

>>>>

>>>> Thanks in anticipation

>>>>

>>>> Phil

>>>

>>>

>>>

>>

>> This is looking more and more like an internal conflict/resolution

>> issue to a network newbie.

>> Thanks for any further pointers you can give

>>

>> Phil

>

 

Thanks for your help with all this Lanwench

 

 

Phil

Guest TheScullster
Posted

Re: Web Site Mystery

 

 

"Andrew Morton" wrote

>> Actually, inside the network, www doesn't appear to exist at all. The

>> website is hosted externally, remember.

>

> That part isn't clear to me - might it be that their LAN is part of the

> parent company's WAN, which also contains the web servers?

>

> OP: is that how it is?

>

 

No, ours is a stand-alone LAN, our parent company's is also stand-alone,

with the web hosting by a third party.

 

Phil

Guest Lanwench [MVP - Exchange]
Posted

Re: Web Site Mystery

 

TheScullster <phil@dropthespam.com> wrote:

> "Lanwench [MVP - Exchange]" wrote

>

>>

>> Cool beans.

>

> What an excellent expression! Not sure whether it has any bearing on

> the matter in hand, but must make a note of it anyway.

 

Weird Americanism, I think.... I have no idea of its origins but I've always

liked it.

>

>>>

>>>>>

>>>>> Although we have our own corporate domain europacrown.com, we do

>>>>> not host our own web site at this location.

>>>>> Instead, our parent company hosts our site along with their own.

>>>>> So in our DNS setup, there is a pointer to the ip address of the

>>>>> host server.

>>>>

>>>> What's your AD domain name? If it matches your public domain name

>>>> (europacrown.com), you're using "split brain DNS" - and yes, you

>>>> need to have a host entry for www which points to the correct

>>>> public IP.

>>>

>>> Our AD domain is europa.

>>

>> That's the NetBIOS name - think of it as a nickname. The full name

>> has to end in dot-something. Run an ipconfig /all on your server and

>> you'll see the full name - or ping your server by its NetBIOS name

>> and it should reply with the FQDN (servername.domain.whatever)

>

> From the ISA server I get europaem.europa.local

 

OK ....then this isn't a split-brain DNS situation.

 

How is your DNS set up? Post an unedited ipconfig /all and mention what your

forwarders are set up to do.

 

>

>>

>>> There is an entry in our DNS report which must point to the correct

>>> public IP as the web site is accessible from any other browser

>>> connection outside our LAN.

>>>

>>>>

>>>> What do you get when you ping http://www.europacrown.com ? Does it return

>>>> the correct public IP? I get 216.17.30.189....

>>>>

>>>>

>>>

>>> Interesting.

>>> I believe that our firewall blocks attempts at external pings.

>>

>> Outbound? That sucks. I'd turn that "feature" off. Pinging is a very

>> useful connectivity test. Blocking inbound ICMP is a Good Thing.

>

> I'll talk to the firewall "management" about that one.

>

>>

>>

>>> When I ping any other address it does resolve to an ip address but

>>> returns "request timed out".

>>

>> That's often useful anyway - could be that the remote host blocks

>> ping requests. Just to check name resolution, ping is still useful.

>>> However, when I ping http://www.europacrown.com it returns "Ping request

>>> could not find host http://www.europacrown.com. Please check the name and

>>> try again".

>>

>> If you use europacrown.com as your internal DNS domain name, you must

>> create a host record in your forward lookup zone for europacrown.com

>> - the name of the host would be www, and the IP address would be

>> 216.17.30.189. Otherwise, when you go to http://www.europacrown.com, your

>> own DNS servers (which have been told "you're responsible for

>> everything on the europacrown.com domain") will not be able to find

>> the host internally, and will shrug and give up.

>>

>> This is a major reason it is generally not recommended that you use

>> the same domain name for public & internal DNS. You can work around

>> this, but it isn't always graceful.

>

> I believe that the .europa.local part of the FQDN confirms that the

> above 2 paragraphs don't apply in this case?

 

Yep. But either you've got DNS problems, or your ISA box isn't configured

to let you find this website. I'm not an ISA person, so I'm not much help

there - but the fact that when you try to ping http://www.europacrown.com you can't

even find it, indicates a name resolution problem.

>

>

>>>

>>>

>>>>> For some reason, attempts to access our company web site

>>>>> http://www.europacrown.com don't work from our corporate network.

>>>>

>>>> You might post the unedited output from an ipconfig /all from your

>>>> DC....

>>>

>>> Does publishing this information to the world compromise the

>>> security of our network?

>>

>> No. Not unless you use public IPs on your network and have no

>> firewall or security in place - in which case you're already in mega

>> trouble :)

>

> Would the ipconfig all info still be useful to help solve this?

 

Yes.

> If so, do you require domain controller server, ISA/Exchange server,

> second DC or all three?

 

Just your DC if that's the one you're doing your testing on....

>

>>>

>>>>

>>>>>

>>>>> I have tried the same from a dial-up connection without any

>>>>> problems. Although it is not clear how long this has been an

>>>>> issue, we recently promoted our SQL server to act as a domain

>>>>> controller and active directory backup.

>>>>

>>>> Is it also running AD-integrated DNS?

>>>

>>> Not sure on this one. It was deliberately introduced as a backup

>>> both for AD and as a secondary DNS, if that answers the question.

>>

>> You should check - it should be running AD-integrated DNS. Meaning,

>> it should be a replica of the DNS server config you have on your

>> first DC.

>

> How do I confirm this?

 

Open it up and see what's in the forward lookup zone ....

>

>>>

>>>>>

>>>>> Can anyone suggest ways of fault finding this issue please?

>>>>> Windows server 2003 network

>>>>> ISA server used as proxy

>>>>> Checkpoint firewall

>>>>>

>>>>> Thanks in anticipation

>>>>>

>>>>> Phil

>>>>

>>>>

>>>>

>>>

>>> This is looking more and more like an internal conflict/resolution

>>> issue to a network newbie.

>>> Thanks for any further pointers you can give

>>>

>>> Phil

>>

>

> Thanks for your help with all this Lanwench

 

Most welcome!

>

>

> Phil

Guest TheScullster
Posted

Re: Web Site Mystery

 

 

"Lanwench [MVP - Exchange]" wrote

 

snip.........snip...........everything except Cool Beans.

 

Lanwench

 

Thanks for all the help - you were right of course!

Turned out to be a DNS conflict.

Apparently our support company set up webmail access and used

"europacrown.com" within the configuration.

When browsing to the site, the webmail incidence of the term would be found

and the browser wouldn't bother looking outside for any more (layman's

version).

 

 

This has now been resolved

 

Thanks again

 

Phil

Guest Lanwench [MVP - Exchange]
Posted

Re: Web Site Mystery

 

TheScullster <phil@dropthespam.com> wrote:

> "Lanwench [MVP - Exchange]" wrote

>

> snip.........snip...........everything except Cool Beans.

>

> Lanwench

>

> Thanks for all the help - you were right of course!

> Turned out to be a DNS conflict.

> Apparently our support company set up webmail access and used

> "europacrown.com" within the configuration.

> When browsing to the site, the webmail incidence of the term would be

> found and the browser wouldn't bother looking outside for any more

> (layman's version).

>

>

> This has now been resolved

>

> Thanks again

>

> Phil

 

Excellent - glad to hear you figured it out.
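
The failure diagnosed in this thread, as an added example that is not part of any post: a small Python model of a DNS server that hosts a zone for europacrown.com and therefore answers for www from that zone alone, never asking its forwarder. The zone contents, the `mail` record, the internal addresses and every function name are constructed for illustration; the fix modeled is the www host record described in the replies above, since the thread does not say how the problem was finally corrected.

```python
"""Model of authoritative-zone shadowing (constructed example)."""

# Constructed sample data. Only 216.17.30.189, europa.local and
# europacrown.com appear in the thread; everything else is assumed.
PUBLIC_DNS = {
    "www.europacrown.com": "216.17.30.189",
    "www.example.org": "192.0.2.10",
}

INTERNAL_ZONES = {
    "europa.local": {"europaem": "10.0.0.5"},
    # Zone created for webmail; it has no "www" record.
    "europacrown.com": {"mail": "10.0.0.6"},
}


def find_zone(name, zones):
    """Return the longest hosted zone that contains name, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, zones, forwarder):
    """Resolve the way a server hosting `zones` would.

    Returns (status, address, source). A name inside a hosted zone is
    answered from that zone only; the forwarder is never consulted.
    """
    name = name.lower().rstrip(".")
    zone = find_zone(name, zones)
    if zone is not None:
        host = name[: -len(zone)].rstrip(".") or "@"
        addr = zones[zone].get(host)
        if addr is None:
            return ("NXDOMAIN", None, "zone " + zone)
        return ("NOERROR", addr, "zone " + zone)
    addr = forwarder.get(name)
    if addr is None:
        return ("NXDOMAIN", None, "forwarder")
    return ("NOERROR", addr, "forwarder")


def shadowed_names(zones, public):
    """List public names hidden from internal clients by a hosted zone."""
    hidden = []
    for name, public_addr in sorted(public.items()):
        status, addr, source = resolve(name, zones, public)
        if source != "forwarder" and addr != public_addr:
            hidden.append((name, status, source))
    return hidden


def with_host_record(zones, zone, host, addr):
    """Return a copy of zones with one host (A) record added."""
    fixed = {z: dict(records) for z, records in zones.items()}
    fixed[zone][host] = addr
    return fixed


if __name__ == "__main__":
    for name in ("www.europacrown.com", "www.example.org"):
        print(name, resolve(name, INTERNAL_ZONES, PUBLIC_DNS))
    print("shadowed:", shadowed_names(INTERNAL_ZONES, PUBLIC_DNS))
```

Running `shadowed_names` against a list of the organisation's public host names is a quick audit for any internal zone that overlaps the public domain.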

