I am unable to ping my new server

Khattab Member Posts: 97 ■■□□□□□□□□
Hi All,

I've got an existing Win2000 server domain. The server is on its last legs, and so we've bought a new server and installed Win2003 server on it, promoted it to a domain controller and I hope to migrate all our data to this new server and **** the old Win2000 domain controller. I also need to migrate all the AD settings, ISA settings etc. over to the new Domain Controller.

At the moment, the new Win2003 DC can ping itself, and all the clients as well as the old domain controller, but nothing is able to ping the Win2003 domain controller, not by host name or by IP address.

I'm not very skilled when it comes to DNS and I suspect that is where I have messed up. I've really been thrown in the deep end here, and I don't have a life-jacket... so I would appreciate any help you guys could offer.

Thanks in advance,
O

Comments

  • Treg Member Posts: 79 ■■□□□□□□□□
    Hmm, that's weird.

    If you can ping your other servers and clients from the server but not from clients to the server, it could indicate that your clients are on separate VLANs and that your server is not configured with the correct gateway (therefore it doesn't know the destination to return the ping).

    This is a possibility, although a description of the infrastructure setup would help more :).

    I wouldn't advise installing ISA on a production Domain Controller unless budgets are strict. You can introduce many security risks.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    If you can't ping by IP, it's not a DNS problem (or at least that's not the only problem). Make sure the firewall is not enabled on the 2003 server. That would explain why you can ping out successfully, but not vice versa.

    Are you saying this is an SBS server? (Since you mentioned ISA).
    All things are possible, only believe.
  • Khattab Member Posts: 97 ■■□□□□□□□□
    Just for further info.....

    The network consists of about 15 - 20 clients and one server which operates as the Domain Controller/file/print server and is also running ISA2000 - not SBS though!

    It is a very basic set up - they aren't running Exchange or anything like that. It is running off a Netgear wireless ADSL modem/router, no other firewall is set.

    Ohh, and one more thing... if I am pinging the hostname of the 2003 server from any of the clients or the old server, it doesn't recognise or resolve it to an IP, it says something to the effect of host not recognised or something like that.

    If any other info is needed, please advise.

    Thanks in advance!
  • theseman Member Posts: 230
    Could be firewall of some sort on the server. Maybe windows firewall even? If it is, make sure that the checkbox for allow incoming echo requests is checked in the windows firewall settings.
  • Khattab Member Posts: 97 ■■□□□□□□□□
    Okay, I just had a look at the 2003 server, and I checked to make sure the Microsoft ICF that comes with 2k3 is disabled, however.... I did find two things, and maybe you guys could shed some light as to whether they are the cause of the problems.

    The first thing is that I realised that I had the 2003 server set up as DHCP, which was incorrect because the other server was operating as a DHCP - so I'm guessing this would have resulted in conflicted IPs? Not sure how this would have affected the network though??

    The other thing I realised: I went into ISA2004 (btw, all I did was install ISA and have yet to set any rules/policies in there! Anyways, under Firewall Policy) I noticed the Last Default Rule is set to:

    Action: DENY
    Protocols: ALL TRAFFIC
    From/Listener: ALL NETWORKS
    To: ALL NETWORKS
    Condition: ALL USERS

    I am unable to test the issue now, because I won't have access to the office until tomorrow night. Do you think this is the cause of the problems though? I'm not so sure this is the answer to my problems because when I was trying to ping the Win2003 server, the PCs and the other server wouldn't recognise the host name (which is why I thought it was a DNS issue).

    I'm certain I have other little issues that I haven't quite seen yet, but I'm sure they will come up in the next few days....
  • tibul Member Posts: 240
    Yes, if you have 2 authorized DHCP servers on the same network with the same IP range then they will conflict with each other. Also it does seem like it could be something to do with the ISA service blocking the ping requests. Can you access the server in any other way from a client?
    Studying 70-292.
    Aiming for MCSA: Security and 2003 upgrade.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Under ISA 2000 (haven't checked 2004 yet) as soon as you install it, no inbound traffic is allowed until you specifically create an access rule for it. I will almost guarantee you that is the problem. You'll have to either remove ISA 2004 until you're ready to configure it, or else go in and create the necessary access rules.
    All things are possible, only believe.
  • Everlife Member Posts: 253 ■■■□□□□□□□
    sprkymrk wrote:
    Under ISA 2000 (haven't checked 2004 yet) as soon as you install it, no inbound traffic is allowed until you specifically create an access rule for it. I will almost guarantee you that is the problem. You'll have to either remove ISA 2004 until you're ready to configure it, or else go in and create the necessary access rules.

    Yeppers, Sprkymrk is right. All inbound traffic is blocked by default in ISA2004.
  • Khattab Member Posts: 97 ■■□□□□□□□□
    Okay... some progress at last....

    The issue was in fact the default ISA rule. I deleted ISA and that fixed the problem, but now I've run into another issue.

    I was trying to migrate all FSMO roles from the current DC to the new one. I migrated the RID, PDC and Infrastructure Master roles - then I restarted both DCs. When they restarted, I wanted to confirm that the roles actually migrated - so I went to the original DC and when I try to view who is the Operations Master it says "ERROR". If I try to change the owner back to the original DC it gives an error (which I can't remember - sorry).

    I ran a netdiag /test:dns on the new DC and it gave me an error message:
    Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local
    machine. This machine is not working properly as a DC.

    Any clues as to why I am getting this error and how I can fix it?

    Thanks in advance
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I think you just failed to wait long enough before you pulled the plug. Replication takes time. I'm not sure if trying to change back immediately made it worse, or had no effect. Can you post some entries from the event logs?
    All things are possible, only believe.
  • Khattab Member Posts: 97 ■■□□□□□□□□
    I've got the server plugged into the network - I'll leave it overnight and check it out tomorrow...

    Hopefully it will have replicated by then and it will allow me to swap the remainder of the FSMO roles.

    I'll also have a look at Event Viewer and paste some of the errors in there.

    If all goes well and I can swap the remainder of the FSMO roles, is there anything I can do to force it to replicate (i.e. hand over the roles) faster?

    Also, once I swap over the FSMO roles, what else do I need to do? Do I then just disconnect the old domain controller from the domain and that's it? Or do I actually need to demote it? What are the remainder of the steps?

    Thanks!
  • mharvey5 Member Posts: 1 ■□□□□□□□□□
    Windows 2003 server uses the same firewall setup as XP SP2 does. Try to stop the Windows Firewall service, or you can go into the network properties and change the way it responds to ICMP traffic, which is what ping uses to get a response back from a server or PC.
    Mike Harvey
    MCSA, MCP, Server+ & A+ certified
    Working towards MCSE
  • Khattab Member Posts: 97 ■■□□□□□□□□
    I'm going to the office tonight - so I'll see how it all goes.

    I asked a question in my last post and I was hoping someone could help out.....

    Once I swap over the FSMO roles, what else do I need to do? Do I then just disconnect the old domain controller from the domain and that's it? Or do I actually need to demote it? What are the remainder of the steps?

    Cheers
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    You definitely need to demote it and leave it on long enough for the other DC to know about it. If you just take it offline you'll have an orphan DC in AD.
    All things are possible, only believe.
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    Definitely demote it properly. You may need to go into AD Sites and Services later on and manually remove that object too.

    Check out the MS knowledge base for more info on how to appropriately remove a domain controller.

    Blargoe
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Khattab Member Posts: 97 ■■□□□□□□□□
    Things seem to be working rather well... I was able to swap all the FSMO roles without many problems. I had to fiddle with a few things though... I had to allow Dynamic Updates in DNS, I tried to manually replicate the sites, and when that failed, I restarted the Net Logon service - and that got it working. I migrated all the FSMO roles, and set the new server as the Global Catalog server. I then ran a netdiag and got no errors - so that is a good sign.

    I have to migrate all the user profiles onto the new server, which I have yet to do... and copy over a few directories etc., so as soon as I do that, I'll demote the old DC.

    I haven't set up ISA 2004 yet, which I have to do in a couple of days, and I want to set up a VPN and configure the server so that I can remotely administer it. If anyone has any tips or random thoughts that could help me along the way - that would be great.

    p.s. - sprkymrk - thanks a million! Your advice was a life saver and really helped! Thanks again!!
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    You're welcome. :)
    Sounds like you handled it well.

    Re remote administration:
    Will this be remote as in "offsite" or remote as in "administer the server that is in the other room from my desk"? I am guessing the former.

    I would set up a VPN that terminates at the ISA external interface and use it to tunnel an RDP session. Although it's not the "latest greatest", the MS PPTP VPN is still very secure, and coupled with RDP v5 running 128bit encryption that would be a quick, easy and secure way to go w/o having to use third party software.
    All things are possible, only believe.
  • Khattab Member Posts: 97 ■■□□□□□□□□
    In order to dial into the VPN, the address needs to be the FQDN of the domain - is that right?

    So I'm guessing I have to talk to the ISP and get them to register the external IP address of the router so that it points to mydomain.com?

    Please let me know if my understanding of this is correct - as I don't want to speak to the ISP until I know exactly what I am requesting from them.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    You can connect a VPN using an IP address.
    All things are possible, only believe.
  • Khattab Member Posts: 97 ■■□□□□□□□□
    Okay, so for example - I know the external IP address by checking on www.whatismyip.com - so does that mean that when I want to dial into the VPN, I can simply type in that IP address?

    Do I need to set up any sort of port forwarding or anything like that in order for it to work?

    Sorry - I know I'm asking very basic questions, but that's only because I was able to find plenty of doco about setting up VPNs and how to configure it, but not much info at all about how to actually dial in except that I need the FQDN of the domain.
  • TechJunky Member Posts: 881
    Yes, you want the IP address given by www.whatismyip.com, not your internal IP address, if you wish to connect from home, another building etc.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Just to clarify - if you are "dialing in" to the VPN with a phone line, you need to set up a modem on your RAS server to accept incoming calls or else dial up your ISP, and on the client side you will use the modem to dial the RAS server or ISP. Once you have established connectivity, then you can use either the IP or FQDN of your VPN server.

    If you already have an internet connection established (like a cable modem, hotel hotspot, whatever) then simply launch the VPN to connect to either the IP or FQDN of your VPN server.

    As far as access rules, it depends on the VPN client you are using. I think the ISA server may have a wizard to publish a server and will configure the rules for you, but I could be mistaken as it has been 3 years since I touched one.

    Technically, for a MS PPTP VPN you would need to allow port TCP 1723 and IP protocol 47 (GRE). For IPSec it would be IP protocol 50 and UDP 500 for ESP. I've seen the Cisco client also need UDP 10,000.
    All things are possible, only believe.
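As an added illustration (not code from the thread, and not ISA Server's own logic), the following first-match rule evaluator models the ordered firewall policy Khattab found after installing ISA 2004 and the inbound access rules sprkymrk describes for a PPTP VPN. It assumes the network labels "Internal", "External" and "Local Host", and shows both why a policy consisting only of the Last Default Rule drops every inbound ping, and why opening TCP 1723 without GRE (IP protocol 47) still leaves the VPN unreachable.

```python
# Added example (not from the thread or from ISA Server itself): a first-match
# rule evaluator modelled on ISA's ordered firewall policy. It shows why a fresh
# install carrying only the "Last Default Rule" (deny, all traffic, all networks)
# answers no inbound ping, and which flows an MS PPTP VPN needs allowed.
# The network names "Internal", "External" and "Local Host" are assumed labels.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

ANY = frozenset({"*"})  # wildcard: all traffic / all networks

@dataclass(frozen=True)
class Flow:
    proto: str                  # "icmp", "tcp", "udp", "gre", "esp"
    src_net: str
    dst_net: str
    port: Optional[int] = None  # destination port, tcp/udp only

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: FrozenSet[str]
    from_nets: FrozenSet[str]
    to_nets: FrozenSet[str]
    ports: FrozenSet[int] = frozenset()  # empty = any port

    def matches(self, f: Flow) -> bool:
        checks = ((self.protocols, f.proto), (self.from_nets, f.src_net), (self.to_nets, f.dst_net))
        for wanted, have in checks:
            if "*" not in wanted and have not in wanted:
                return False
        return not self.ports or f.port in self.ports

LAST_DEFAULT_RULE = Rule("Last Default Rule", "deny", ANY, ANY, ANY)

def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; ISA's policy always ends in the default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"

def blocked_flows(policy: List[Rule], flows: Iterable[Flow]) -> List[Flow]:
    # Flows the policy drops; an empty list means the service is reachable.
    return [f for f in flows if evaluate(policy, f) == "deny"]

# Constructed sample traffic: a LAN client pinging the ISA box, and the two
# flows a PPTP VPN needs (TCP 1723 control channel plus GRE, IP protocol 47).
PING_FROM_LAN = Flow("icmp", "Internal", "Local Host")
PPTP_FLOWS = [Flow("tcp", "External", "Local Host", 1723),
              Flow("gre", "External", "Local Host")]
LOCALHOST = frozenset({"Local Host"})
FRESH_INSTALL = [LAST_DEFAULT_RULE]          # what the OP found after install
HALF_DONE = [Rule("Allow PPTP control", "allow", frozenset({"tcp"}), frozenset({"External"}), LOCALHOST, frozenset({1723})),
             LAST_DEFAULT_RULE]              # 1723 opened, GRE forgotten
CONFIGURED = [Rule("Allow ping from LAN", "allow", frozenset({"icmp"}), frozenset({"Internal"}), LOCALHOST),
              HALF_DONE[0],
              Rule("Allow GRE", "allow", frozenset({"gre"}), frozenset({"External"}), LOCALHOST),
              LAST_DEFAULT_RULE]
```

Running `blocked_flows(HALF_DONE, PPTP_FLOWS)` returns just the GRE flow, which is the classic "port 1723 is open but the tunnel never comes up" symptom.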
  • Khattab Member Posts: 97 ■■□□□□□□□□
    sprkymrk - Thanks for all the detail you provided.

    When I was referring to "dialing up" - the office actually has a cable internet connection, so I'll go about setting up the VPN the way you described.

    Hopefully it will all be smooth sailing.... I think the thing I was most uncertain about was whether I needed to set up port forwarding on the router so that it can push the VPN traffic from the router to the server? Do I need to do that at all, or does the traffic automatically get redirected to the server?
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Khattab wrote:
    Hopefully it will all be smooth sailing.... i think the thing i was most uncertain about was whether i needed to set up port forwarding on the router so that it can push the VPN traffic from the router to the server? Do i need to do that at all, or does the traffic automatically get redirected to the server?

    You'll need to check your router config. I assume you mean that the router is where your public ip is pointing? Your VPN server is on a private ip, like 10.x.x.x. or 192.168.x.x?

    What kind of router is it? NAT can cause problems with VPN tunnels.
    All things are possible, only believe.
  • Khattab Member Posts: 97 ■■□□□□□□□□
    You'll need to check your router config. I assume you mean that the router is where your public ip is pointing? Your VPN server is on a private ip, like 10.x.x.x. or 192.168.x.x?
    That's correct... 192.168.x.x

    The router is very low budget - it's a crappy Netgear ADSL modem/router (you know, the ones you can buy for $150!!). Don't judge me, I didn't set it up (hehehe) - I only took this job on about a month ago.

    I'm not sure if NAT is configured on the router, but my guess is that it isn't. If NAT isn't configured on the router - what do I need to do on the router side of things?
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I guarantee that NAT is set up by default and working on your router if you are using 192.168 internally. Best bet would be to look through the config for any default IPSec or PPTP rules. Otherwise try forwarding the appropriate ports (1723 or 500 or whatever based on your implementation) to your internal VPN server.

    Actually, I would **** the router all together and use a spare computer (an old P3 will do) and set up ISA on it to use as your border device. That's not the best solution in all cases, but in your case where funds might be limited it would make things a lot easier. I say that because I am not sure your VPN will work hitting your public ip and then being NAT'ed to a private IP to terminate the end point.

    Your current computer that is running ISA - is it a border device or just a single-nic server sitting on your LAN?
    All things are possible, only believe.
  • Khattab Member Posts: 97 ■■□□□□□□□□
    Your current computer that is running ISA - is it a border device or just a single-nic server sitting on your LAN?
    It's currently just a single-NIC server that sits on the LAN. If I were to set up the machine as a border device... are there any instructions available on the net that I could read to help me along the way?

    Thanks again in advance, and enjoy the holidays!!
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Khattab wrote:
    Your current computer that is running ISA - is it a border device or just a single-nic server sitting on your LAN?
    Its currently just a single-nic server that sits on the LAN. If i were to set up the machine as a border device... are there any instructions available on the net that i could read to help me along the way?

    Thanks again in advance, and enjoy the holidays!!

    The technet site has a lot of ISA related stuff, but for a site dedicated to ISA and ISA alone, check out Tom Shinder's site at www.isaserver.org or checkout one of his excellent books on ISA server, which are worth every penny.

    http://www.amazon.com/s/ref=nb_ss_gw/102-2279827-5592937?url=search-alias%3Dstripbooks&field-keywords=shinder+isa
    All things are possible, only believe.