Re: Web Site Mystery



TheScullster <phil@xxxxxxxxxxxxxxx> wrote:
"Lanwench [MVP - Exchange]" wrote


Cool beans.

What an excellent expression! Not sure whether it has any bearing on
the matter in hand, but must make a note of it anyway.

Weird Americanism, I think.... I have no idea of its origins but I've always
liked it.



Although we have our own corporate domain europacrown.com, we do
not host our own web site at this location.
Instead, our parent company hosts our site along with their own.
So in our DNS setup, there is a pointer to the ip address of the
host server.

What's your AD domain name? If it matches your public domain name
(europacrown.com), you're using "split brain DNS" - and yes, you
need to have a host entry for www which points to the correct
public IP.

Our AD domain is europa.

That's the NetBIOS name - think of it as a nickname. The full name
has to end in dot-something. Run an ipconfig /all on your server and
you'll see the full name - or ping your server by its NetBIOS name
and it should reply with the FQDN (servername.domain.whatever)

From the ISA server I get europaem.europa.local

OK ....then this isn't a split-brain DNS situation.

How is your DNS set up? Post an unedited ipconfig /all and mention what your
forwarders are set up to do.




There is an entry in our DNS report which must point to the correct
public IP as the web site is accessible from any other browser
connection outside our LAN.


What do you get when you ping www.europacrown.com ? Does it return
the correct public IP? I get 216.17.30.189....



Interesting.
I believe that our firewall blocks attempts at external pings.

Outbound? That sucks. I'd turn that "feature" off. Pinging is a very
useful connectivity test. Blocking inbound ICMP is a Good Thing.

I'll talk to the firewall "management" about that one.



When I ping any other address it does resolve to an ip address but
returns "request timed out".

That's often useful anyway - could be that the remote host blocks
ping requests. Just to check name resolution, ping is still useful.
However, when I ping www.europacrown.com it returns "Ping request
could not find host www.europacrown.com. Please check the name and
try again".

If you use europacrown.com as your internal DNS domain name, you must
create a host record in your forward lookup zone for europacrown.com
- the name of the host would be www, and the IP address would be
216.17.30.189. Otherwise, when you go to www.europacrown.com, your
own DNS servers (which have been told "you're responsible for
everything on the europacrown.com domain") will not be able to find
the host internally, and will shrug and give up.

This is a major reason it is generally not recommended that you use
the same domain name for public & internal DNS. You can work around
this, but it isn't always graceful.

I believe that the .europa.local part of the FQDN confirms that the
above 2 paragraphs don't apply in this case?

Yep. But either you've got DNS problems, or your ISA box isn't configured
to let you find this website. I'm not an ISA person, so I'm not much help
there - but the fact that when you try to ping www.europacrown.com you can't
even find it, indicates a name resolution problem.




For some reason, attempts to access our company web site
www.europacrown.com don't work from our corporate network.

You might post the unedited output from an ipconfig /all from your
DC....

Does publishing this information to the world compromise the
security of our network?

No. Not unless you use public IPs on your network and have no
firewall or security in place - in which case you're already in mega
trouble :)

Would the ipconfig all info still be useful to help solve this?

Yes.

If so, do you require domain controller server, ISA/Exchange server,
second DC or all three?

Just your DC if that's the one you're doing your testing on....




I have tried the same from a dial-up connection without any
problems. Although it is not clear how long this has been an
issue, we recently promoted our SQL server to act as a domain
controller and active directory backup.

Is it also running AD-integrated DNS?

Not sure on this one. It was deliberately introduced as a backup
both for AD and as a secondary DNS, if that answers the question.

You should check - it should be running AD-integrated DNS. Meaning,
it should be a replica of the DNS server config you have on your
first DC.

How do I confirm this?

Open it up and see what's in the forward lookup zone ....



Can anyone suggest ways of fault finding this issue please?
Windows server 2003 network
ISA server used as proxy
Checkpoint firewall

Thanks in anticipation

Phil




This is looking more and more like an internal conflict/resolution
issue to a network newbie.
Thanks for any further pointers you can give

Phil


Thanks for your help with all this Lanwench

Most welcome!


Phil
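
An added illustration, not part of the original thread: a simplified Python model of the resolution behaviour discussed above, where a DNS server that hosts a zone answers for it authoritatively and forwards only names outside its zones. The internal 10.x addresses and the host name dc1 are constructed; the real server also handles delegations and caching, which this model ignores.

```python
# Simplified model of a DNS server that hosts zones and forwards the rest.
# Internal 10.x addresses and the host name "dc1" are constructed sample data.

PUBLIC_DNS = {"www.europacrown.com": "216.17.30.189"}  # public answer quoted in the thread

def find_zone(name, zones):
    """Return the most specific hosted zone containing `name`, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name, zones, forwarder=PUBLIC_DNS):
    """Answer from a hosted zone if one matches, otherwise ask the forwarder."""
    name = name.lower().rstrip(".")
    zone = find_zone(name, zones)
    if zone is not None:
        # Authoritative for this zone: a missing record is a final NXDOMAIN,
        # the query is never passed on to the forwarder.
        return ("authoritative", zones[zone].get(name, "NXDOMAIN"))
    return ("forwarded", forwarder.get(name, "NXDOMAIN"))

# Internal zone named like the public domain, with no www host record.
SPLIT_BRAIN = {"europacrown.com": {"dc1.europacrown.com": "10.0.0.10"}}
# Same zone after adding the www host record pointing at the public IP.
SPLIT_BRAIN_FIXED = {"europacrown.com": {**SPLIT_BRAIN["europacrown.com"],
                                         "www.europacrown.com": "216.17.30.189"}}
# Internal zone is europa.local, so public names go to the forwarder.
SEPARATE = {"europa.local": {"europaem.europa.local": "10.0.0.20"}}

if __name__ == "__main__":
    for label, zones, fwd in [
        ("split-brain, no www record", SPLIT_BRAIN, PUBLIC_DNS),
        ("split-brain, www record added", SPLIT_BRAIN_FIXED, PUBLIC_DNS),
        ("europa.local, working forwarder", SEPARATE, PUBLIC_DNS),
        ("europa.local, broken forwarder", SEPARATE, {}),
    ]:
        print(f"{label}: {resolve('www.europacrown.com', zones, fwd)}")
```

The last case is the one the thread ends on: with an internal zone of europa.local, a failed lookup of the public name comes from the forwarding path rather than from a missing host record.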


