Jump to content

Web Site Mystery

Guest TheScullster

By Guest TheScullster
in Windows 2003 Server

 Share

Recommended Posts

Guest TheScullster

Guest TheScullster

Posted
Posted

Hi all

 

Not sure this is the correct group but here goes...........

 

Although we have our own corporate domain europacrown.com, we do not host

our own web site at this location.

Instead, our parent company hosts our site along with their own.

So in our DNS setup, there is a pointer to the ip address of the host

server.

 

For some reason, attempts to access our company web site http://www.europacrown.com

don't work from our corporate network.

I have tried the same from a dial-up connection without any problems.

Although it is not clear how long this has been an issue, we recently

promoted our a SQL server to act as a domain controller and active directory

backup.

 

Can anyone suggest ways of fault finding this issue please?

Windows server 2003 network

ISA server used as proxy

Checkpoint firewall

 

Thanks in anticipation

 

Phil

  • Replies 11
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Lanwench [MVP - Exchange]

Guest Lanwench [MVP - Exchange]

Posted
Posted

Re: Web Site Mystery

 

TheScullster <phil@dropthespam.com> wrote:

> Hi all

>

> Not sure this is the correct group but here goes...........

 

microsoft.public.windows.server.dns is probably a more logical one, but this

works.

>

> Although we have our own corporate domain europacrown.com, we do not

> host our own web site at this location.

> Instead, our parent company hosts our site along with their own.

> So in our DNS setup, there is a pointer to the ip address of the host

> server.

 

What's your AD domain name? If it matches your public domain name

(europacrown.com), you're using "split brain DNS" - and yes, you need to

have a host entry for www which points to the correct public IP.

 

What do you get when you ping http://www.europacrown.com ? Does it return the

correct public IP? I get 216.17.30.189....

 

> For some reason, attempts to access our company web site

> http://www.europacrown.com don't work from our corporate network.

 

You might post the unedited output from an ipconfig /all from your DC....

>

> I have tried the same from a dial-up connection without any problems.

> Although it is not clear how long this has been an issue, we recently

> promoted our a SQL server to act as a domain controller and active

> directory backup.

 

Is it also running AD-integrated DNS?

>

> Can anyone suggest ways of fault finding this issue please?

> Windows server 2003 network

> ISA server used as proxy

> Checkpoint firewall

>

> Thanks in anticipation

>

> Phil

Guest TheScullster

Guest TheScullster

Posted
Posted

Re: Web Site Mystery

 

 

"Lanwench [MVP - Exchange]" wrote

 

 

 

Lanwench

 

Thanks for your input.

First let me say that I am somewhat out of my depth with all this but will

reply to your points to see if we can get to the bottom of this.

>>

>> Although we have our own corporate domain europacrown.com, we do not

>> host our own web site at this location.

>> Instead, our parent company hosts our site along with their own.

>> So in our DNS setup, there is a pointer to the ip address of the host

>> server.

>

> What's your AD domain name? If it matches your public domain name

> (europacrown.com), you're using "split brain DNS" - and yes, you need to

> have a host entry for www which points to the correct public IP.

 

Our AD domain is europa.

There is an entry in our DNS report which must point to the correct public

IP as the web site is accessible from any other browser connection outside

our LAN.

>

> What do you get when you ping http://www.europacrown.com ? Does it return the

> correct public IP? I get 216.17.30.189....

>

>

 

Interesting.

I believe that our firewall blocks attempts at external pings.

When I ping any other address it does resolve to an ip address but returns

"request timed out".

However, when I ping http://www.europacrown.com it returns "Ping request could not

find host http://www.europacrown.com. Please check the name and try again".

 

>> For some reason, attempts to access our company web site

>> http://www.europacrown.com don't work from our corporate network.

>

> You might post the unedited output from an ipconfig /all from your DC....

 

Does publishing this information to the world compromise the security of our

network?

>

>>

>> I have tried the same from a dial-up connection without any problems.

>> Although it is not clear how long this has been an issue, we recently

>> promoted our a SQL server to act as a domain controller and active

>> directory backup.

>

> Is it also running AD-integrated DNS?

 

Not sure on this one. It was deliberately introduced as a backup both for

AD and as a secondary DNS, if that answers the question.

>>

>> Can anyone suggest ways of fault finding this issue please?

>> Windows server 2003 network

>> ISA server used as proxy

>> Checkpoint firewall

>>

>> Thanks in anticipation

>>

>> Phil

>

>

>

 

This is looking more and more like an internal conflict/resolution issue to

a network newbie.

Thanks for any further pointers you can give

 

Phil

Guest Andrew Morton

Guest Andrew Morton

Posted
Posted

Re: Web Site Mystery

 

TheScullster wrote:

> Although we have our own corporate domain europacrown.com, we do not

> host our own web site at this location.

> Instead, our parent company hosts our site along with their own.

> So in our DNS setup, there is a pointer to the ip address of the host

> server.

>

> For some reason, attempts to access our company web site

> http://www.europacrown.com don't work from our corporate network.

> I have tried the same from a dial-up connection without any problems.

> Although it is not clear how long this has been an issue, we recently

> promoted our a SQL server to act as a domain controller and active

> directory backup.

>

> Can anyone suggest ways of fault finding this issue please?

> Windows server 2003 network

> ISA server used as proxy

> Checkpoint firewall

 

If you can connect to the web server using its actual IP address, then it

sounds like you need to set up NAT loopback on whichever device is doing

your NAT.

 

From outside your network, the server's IP address is 216.17.30.189, but

inside the network its IP address may be something like 10.20.1.1. From

outside the network, clients use the 216.17.30.189 address, and your NAT

device translates that to 10.20.1.1 on its internal interface. From inside

your network, clients try to use the address 216.17.30.189 (which they found

from DNS) which goes to your NAT device, but it doesn't "know" to translate

that back to 10.20.1.1 /when the request comes from the internal interface/.

 

When you use a dial-up connection, you are making the request from outside

your network.

 

HTH

 

Andrew

Guest Lanwench [MVP - Exchange]

Guest Lanwench [MVP - Exchange]

Posted
Posted

Re: Web Site Mystery

 

TheScullster <phil@dropthespam.com> wrote:

> "Lanwench [MVP - Exchange]" wrote

> Lanwench

>

> Thanks for your input.

> First let me say that I am somewhat out of my depth with all this but

> will reply to your points to see if we can get to the bottom of this.

 

Cool beans.

>

>>>

>>> Although we have our own corporate domain europacrown.com, we do not

>>> host our own web site at this location.

>>> Instead, our parent company hosts our site along with their own.

>>> So in our DNS setup, there is a pointer to the ip address of the

>>> host server.

>>

>> What's your AD domain name? If it matches your public domain name

>> (europacrown.com), you're using "split brain DNS" - and yes, you

>> need to have a host entry for www which points to the correct public

>> IP.

>

> Our AD domain is europa.

 

That's the NetBIOS name - think of it as a nickname. The full name has to

end in dot-something. Run an ipconfig /all on your server and you'll see the

full name - or ping your server by its NetBIOS name and it should reply with

the FQDN (servername.domain.whatever)

> There is an entry in our DNS report which must point to the correct

> public IP as the web site is accessible from any other browser

> connection outside our LAN.

>

>>

>> What do you get when you ping http://www.europacrown.com ? Does it return

>> the correct public IP? I get 216.17.30.189....

>>

>>

>

> Interesting.

> I believe that our firewall blocks attempts at external pings.

 

Outbound? That sucks. I'd turn that "feature" off. Pinging is a very useful

connectivity test. Blocking inbound ICMP is a Good Thing.

 

> When I ping any other address it does resolve to an ip address but

> returns "request timed out".

 

That's often useful anyway - could be that the remote host blocks ping

requests. Just to check name resolution, ping is still useful.

> However, when I ping http://www.europacrown.com it returns "Ping request

> could not find host http://www.europacrown.com. Please check the name and

> try again".

 

If you use europacrown.com as your internal DNS domain name, you must create

a host record in your forward lookup zone for europacrown.com - the name of

the host would be www, and the IP address would be 216.17.30.189. Otherwise,

when you go to http://www.europacrown.com, your own DNS servers (which have been

told "you're responsible for everything on the europacrown.com domain") will

not be able to find the host internally, and will shrug and give up.

 

This is a major reason it is generally not recommended that you use the same

domain name for public & internal DNS. You can work around this, but it

isn't always graceful.

>

>

>>> For some reason, attempts to access our company web site

>>> http://www.europacrown.com don't work from our corporate network.

>>

>> You might post the unedited output from an ipconfig /all from your

>> DC....

>

> Does publishing this information to the world compromise the security

> of our network?

 

No. Not unless you use public IPs on your network and have no firewall or

security in place - in which case you're already in mega trouble :)

>

>>

>>>

>>> I have tried the same from a dial-up connection without any

>>> problems. Although it is not clear how long this has been an issue,

>>> we recently promoted our a SQL server to act as a domain controller

>>> and active directory backup.

>>

>> Is it also running AD-integrated DNS?

>

> Not sure on this one. It was deliberately introduced as a backup

> both for AD and as a secondary DNS, if that answers the question.

 

You should check - it should be running AD-integrated DNS. Meaning, it

should be a replica of the DNS server config you have on your first DC.

>

>>>

>>> Can anyone suggest ways of fault finding this issue please?

>>> Windows server 2003 network

>>> ISA server used as proxy

>>> Checkpoint firewall

>>>

>>> Thanks in anticipation

>>>

>>> Phil

>>

>>

>>

>

> This is looking more and more like an internal conflict/resolution

> issue to a network newbie.

> Thanks for any further pointers you can give

>

> Phil

Guest Lanwench [MVP - Exchange]

Guest Lanwench [MVP - Exchange]

Posted
Posted

Re: Web Site Mystery

 

Andrew Morton <akm@in-press.co.uk.invalid> wrote:

> TheScullster wrote:

>> Although we have our own corporate domain europacrown.com, we do not

>> host our own web site at this location.

>> Instead, our parent company hosts our site along with their own.

>> So in our DNS setup, there is a pointer to the ip address of the host

>> server.

>>

>> For some reason, attempts to access our company web site

>> http://www.europacrown.com don't work from our corporate network.

>> I have tried the same from a dial-up connection without any problems.

>> Although it is not clear how long this has been an issue, we recently

>> promoted our a SQL server to act as a domain controller and active

>> directory backup.

>>

>> Can anyone suggest ways of fault finding this issue please?

>> Windows server 2003 network

>> ISA server used as proxy

>> Checkpoint firewall

>

> If you can connect to the web server using its actual IP address,

> then it sounds like you need to set up NAT loopback on whichever

> device is doing your NAT.

 

Hmmm - no; I think you'll want to read the OP's reply to me....the issue

seems to be with the DNS config.

>

> From outside your network, the server's IP address is 216.17.30.189,

> but inside the network its IP address may be something like

> 10.20.1.1.

 

Actually, inside the network, www doesn't appear to exist at all. The

website is hosted externally, remember.

> From outside the network, clients use the 216.17.30.189

> address, and your NAT device translates that to 10.20.1.1 on its

> internal interface. From inside your network, clients try to use the

> address 216.17.30.189 (which they found from DNS) which goes to your

> NAT device, but it doesn't "know" to translate that back to 10.20.1.1

> /when the request comes from the internal interface/.

> When you use a dial-up connection, you are making the request from

> outside your network.

 

Yep.

>

> HTH

>

> Andrew

Guest Andrew Morton

Guest Andrew Morton

Posted
Posted

Re: Web Site Mystery

 

Lanwench [MVP - Exchange] wrote:

> Actually, inside the network, www doesn't appear to exist at all. The

> website is hosted externally, remember.

 

That part isn't clear to me - might it be that their LAN is part of the

parent company's WAN, which also contains the web servers?

 

OP: is that how it is?

 

Andrew

Guest TheScullster

Guest TheScullster

Posted
Posted

Re: Web Site Mystery

 

 

"Lanwench [MVP - Exchange]" wrote

>

> Cool beans.

 

What an excellent expression! Not sure whether it has any bearing on the

matter in hand, but must make a note of it anyway.

>>

>>>>

>>>> Although we have our own corporate domain europacrown.com, we do not

>>>> host our own web site at this location.

>>>> Instead, our parent company hosts our site along with their own.

>>>> So in our DNS setup, there is a pointer to the ip address of the

>>>> host server.

>>>

>>> What's your AD domain name? If it matches your public domain name

>>> (europacrown.com), you're using "split brain DNS" - and yes, you

>>> need to have a host entry for www which points to the correct public

>>> IP.

>>

>> Our AD domain is europa.

>

> That's the NetBIOS name - think of it as a nickname. The full name has to

> end in dot-something. Run an ipconfig /all on your server and you'll see

> the full name - or ping your server by its NetBIOS name and it should

> reply with the FQDN (servername.domain.whatever)

 

From the ISA server I get europaem.europa.local

>

>> There is an entry in our DNS report which must point to the correct

>> public IP as the web site is accessible from any other browser

>> connection outside our LAN.

>>

>>>

>>> What do you get when you ping http://www.europacrown.com ? Does it return

>>> the correct public IP? I get 216.17.30.189....

>>>

>>>

>>

>> Interesting.

>> I believe that our firewall blocks attempts at external pings.

>

> Outbound? That sucks. I'd turn that "feature" off. Pinging is a very

> useful connectivity test. Blocking inbound ICMP is a Good Thing.

 

I'll talk to the firewall "management" about that one.

>

>

>> When I ping any other address it does resolve to an ip address but

>> returns "request timed out".

>

> That's often useful anyway - could be that the remote host blocks ping

> requests. Just to check name resolution, ping is still useful.

>> However, when I ping http://www.europacrown.com it returns "Ping request

>> could not find host http://www.europacrown.com. Please check the name and

>> try again".

>

> If you use europacrown.com as your internal DNS domain name, you must

> create a host record in your forward lookup zone for europacrown.com -

> the name of the host would be www, and the IP address would be

> 216.17.30.189. Otherwise, when you go to http://www.europacrown.com, your own DNS

> servers (which have been told "you're responsible for everything on the

> europacrown.com domain") will not be able to find the host internally, and

> will shrug and give up.

>

> This is a major reason it is generally not recommended that you use the

> same domain name for public & internal DNS. You can work around this, but

> it isn't always graceful.

 

I believe that the .europa.local part of the FQDN confirms that the above 2

paragraphs don't apply in this case?

 

>>

>>

>>>> For some reason, attempts to access our company web site

>>>> http://www.europacrown.com don't work from our corporate network.

>>>

>>> You might post the unedited output from an ipconfig /all from your

>>> DC....

>>

>> Does publishing this information to the world compromise the security

>> of our network?

>

> No. Not unless you use public IPs on your network and have no firewall or

> security in place - in which case you're already in mega trouble :)

 

Would the ipconfig all info still be useful to help solve this?

If so, do you require domain controller server, ISA/Exchange server, second

DC or all three?

>>

>>>

>>>>

>>>> I have tried the same from a dial-up connection without any

>>>> problems. Although it is not clear how long this has been an issue,

>>>> we recently promoted our a SQL server to act as a domain controller

>>>> and active directory backup.

>>>

>>> Is it also running AD-integrated DNS?

>>

>> Not sure on this one. It was deliberately introduced as a backup

>> both for AD and as a secondary DNS, if that answers the question.

>

> You should check - it should be running AD-integrated DNS. Meaning, it

> should be a replica of the DNS server config you have on your first DC.

 

How do I confirm this?

>>

>>>>

>>>> Can anyone suggest ways of fault finding this issue please?

>>>> Windows server 2003 network

>>>> ISA server used as proxy

>>>> Checkpoint firewall

>>>>

>>>> Thanks in anticipation

>>>>

>>>> Phil

>>>

>>>

>>>

>>

>> This is looking more and more like an internal conflict/resolution

>> issue to a network newbie.

>> Thanks for any further pointers you can give

>>

>> Phil

>

 

Thanks for your help with all this Lanwench

 

 

Phil

Guest TheScullster

Guest TheScullster

Posted
Posted

Re: Web Site Mystery

 

 

"Andrew Morton" wrote

>> Actually, inside the network, www doesn't appear to exist at all. The

>> website is hosted externally, remember.

>

> That part isn't clear to me - might it be that their LAN is part of the

> parent company's WAN, which also contains the web servers?

>

> OP: is that how it is?

>

 

No, ours is a stand-alone LAN, our parent company's is also stand-alone,

with the web hosting by a third party.

 

Phil

Guest Lanwench [MVP - Exchange]

Guest Lanwench [MVP - Exchange]

Posted
Posted

Re: Web Site Mystery

 

TheScullster <phil@dropthespam.com> wrote:

> "Lanwench [MVP - Exchange]" wrote

>

>>

>> Cool beans.

>

> What an excellent expression! Not sure whether it has any bearing on

> the matter in hand, but must make a note of it anyway.

 

Weird americanism, I think....I have no idea of its origins but I've always

liked it.

>

>>>

>>>>>

>>>>> Although we have our own corporate domain europacrown.com, we do

>>>>> not host our own web site at this location.

>>>>> Instead, our parent company hosts our site along with their own.

>>>>> So in our DNS setup, there is a pointer to the ip address of the

>>>>> host server.

>>>>

>>>> What's your AD domain name? If it matches your public domain name

>>>> (europacrown.com), you're using "split brain DNS" - and yes, you

>>>> need to have a host entry for www which points to the correct

>>>> public IP.

>>>

>>> Our AD domain is europa.

>>

>> That's the NetBIOS name - think of it as a nickname. The full name

>> has to end in dot-something. Run an ipconfig /all on your server and

>> you'll see the full name - or ping your server by its NetBIOS name

>> and it should reply with the FQDN (servername.domain.whatever)

>

> From the ISA server I get europaem.europa.local

 

OK ....then this isn't a split-brain DNS situation.

 

How is your DNS set up? Post an unedited ipconfig /all and mention what your

forwarders are set up to do.

 

>

>>

>>> There is an entry in our DNS report which must point to the correct

>>> public IP as the web site is accessible from any other browser

>>> connection outside our LAN.

>>>

>>>>

>>>> What do you get when you ping http://www.europacrown.com ? Does it return

>>>> the correct public IP? I get 216.17.30.189....

>>>>

>>>>

>>>

>>> Interesting.

>>> I believe that our firewall blocks attempts at external pings.

>>

>> Outbound? That sucks. I'd turn that "feature" off. Pinging is a very

>> useful connectivity test. Blocking inbound ICMP is a Good Thing.

>

> I'll talk to the firewall "management" about that one.

>

>>

>>

>>> When I ping any other address it does resolve to an ip address but

>>> returns "request timed out".

>>

>> That's often useful anyway - could be that the remote host blocks

>> ping requests. Just to check name resolution, ping is still useful.

>>> However, when I ping http://www.europacrown.com it returns "Ping request

>>> could not find host http://www.europacrown.com. Please check the name and

>>> try again".

>>

>> If you use europacrown.com as your internal DNS domain name, you must

>> create a host record in your forward lookup zone for europacrown.com

>> - the name of the host would be www, and the IP address would be

>> 216.17.30.189. Otherwise, when you go to http://www.europacrown.com, your

>> own DNS servers (which have been told "you're responsible for

>> everything on the europacrown.com domain") will not be able to find

>> the host internally, and will shrug and give up.

>>

>> This is a major reason it is generally not recommended that you use

>> the same domain name for public & internal DNS. You can work around

>> this, but it isn't always graceful.

>

> I believe that the .europa.local part of the FQDN confirms that the

> above 2 paragraphs don't apply in this case?

 

Yep. But either you've got DNS problems, or your ISA box isn't configured

to let you find this website. I'm not an ISA person, so I'm not much help

there - but the fact that when you try to ping http://www.europacrown.com you can't

even find it, indicates a name resolution problem.

>

>

>>>

>>>

>>>>> For some reason, attempts to access our company web site

>>>>> http://www.europacrown.com don't work from our corporate network.

>>>>

>>>> You might post the unedited output from an ipconfig /all from your

>>>> DC....

>>>

>>> Does publishing this information to the world compromise the

>>> security of our network?

>>

>> No. Not unless you use public IPs on your network and have no

>> firewall or security in place - in which case you're already in mega

>> trouble :)

>

> Would the ipconfig all info still be useful to help solve this?

 

Yes.

> If so, do you require domain controller server, ISA/Exchange server,

> second DC or all three?

 

Just your DC if that's the one you're doing your testing on....

>

>>>

>>>>

>>>>>

>>>>> I have tried the same from a dial-up connection without any

>>>>> problems. Although it is not clear how long this has been an

>>>>> issue, we recently promoted our a SQL server to act as a domain

>>>>> controller and active directory backup.

>>>>

>>>> Is it also running AD-integrated DNS?

>>>

>>> Not sure on this one. It was deliberately introduced as a backup

>>> both for AD and as a secondary DNS, if that answers the question.

>>

>> You should check - it should be running AD-integrated DNS. Meaning,

>> it should be a replica of the DNS server config you have on your

>> first DC.

>

> How do I confirm this?

 

Open it up and see what's in the forward lookup zone ....

>

>>>

>>>>>

>>>>> Can anyone suggest ways of fault finding this issue please?

>>>>> Windows server 2003 network

>>>>> ISA server used as proxy

>>>>> Checkpoint firewall

>>>>>

>>>>> Thanks in anticipation

>>>>>

>>>>> Phil

>>>>

>>>>

>>>>

>>>

>>> This is looking more and more like an internal conflict/resolution

>>> issue to a network newbie.

>>> Thanks for any further pointers you can give

>>>

>>> Phil

>>

>

> Thanks for your help with all this Lanwench

 

Most welcome!

>

>

> Phil

Guest TheScullster

Guest TheScullster

Posted
Posted

Re: Web Site Mystery

 

 

"Lanwench [MVP - Exchange]" wrote

 

snip.........snip...........everything except Cool Beans.

 

Lanwench

 

Thanks for all the help - you were right of course!

Turned out to be a DNS conflict.

Apparently our support company setup webmail access and used

"europacrown.com" within the configuration.

When browsing to the site, the webmail incidence of the term would be found

and the browser wouldn't bother looking outside for any more (layman's

version).

 

 

This has now been resolved

 

Thanks again

 

Phil

Guest Lanwench [MVP - Exchange]

Guest Lanwench [MVP - Exchange]

Posted
Posted

Re: Web Site Mystery

 

TheScullster <phil@dropthespam.com> wrote:

> "Lanwench [MVP - Exchange]" wrote

>

> snip.........snip...........everything except Cool Beans.

>

> Lanwench

>

> Thanks for all the help - you were right of course!

> Turned out to be a DNS conflict.

> Apparently our support company setup webmail access and used

> "europacrown.com" within the configuration.

> When browsing to the site, the webmail incidence of the term would be

> found and the browser wouldn't bother looking outside for any more

> (layman's version).

>

>

> This has now been resolved

>

> Thanks again

>

> Phil

 

Excellent - glad to hear you figured it out.

 Share
Go to topic listing
×
×
  • Create New...