DHCP Clients get no internet.

    Question

  • Ok, I was able to connect a new 2008 ENT x64 server to the network and dcpromo it using the original active directory. Afterwards, I transferred the operations master roles. I then dcpromo'd the old 2008 x86 server, changed IPs on the new server nic, and switched hardware. I brought it up and everything went smoothly. Almost!!!
     
    The server connects to the net using a static IP, and there is a second nic for my private network 192.168.x.x. I get full connectivity to the net at the server. My clients get full network connectivity via the DHCP role installed on the server. BUT, none of my clients can stay connected to the internet through the same connection.
     
    • Server NIC - External: static IP, subnet and GW all external; DNS1 192.168.0.2
    • Server NIC - Internal: IP 192.168.0.2, mask 255.255.255.0, DNS 127.0.0.1
    • Client NIC - DHCP: IP 192.168.x.x, mask 255.255.255.0, GW 192.168.0.2, DNS 192.168.0.2

    All clients are Windows Vista. At login, sometimes I get connectivity for a few seconds, and then it disconnects from the web, but not the network.

     
    Server passes DCDIAG, and native DNS testing.
     
    DCDIAG Results
     
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = AMOS2K8
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site\AMOS2K8
          Starting test: Connectivity
             ......................... AMOS2K8 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site\AMOS2K8
          Starting test: Advertising
             ......................... AMOS2K8 passed test Advertising
          Starting test: FrsEvent
             ......................... AMOS2K8 passed test FrsEvent
          Starting test: DFSREvent
             ......................... AMOS2K8 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... AMOS2K8 passed test SysVolCheck
          Starting test: KccEvent
             ......................... AMOS2K8 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... AMOS2K8 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... AMOS2K8 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... AMOS2K8 passed test NCSecDesc
          Starting test: NetLogons
             ......................... AMOS2K8 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... AMOS2K8 passed test ObjectsReplicated
          Starting test: Replications
             ......................... AMOS2K8 passed test Replications
          Starting test: RidManager
             ......................... AMOS2K8 passed test RidManager
          Starting test: Services
             ......................... AMOS2K8 passed test Services
          Starting test: SystemLog
             ......................... AMOS2K8 passed test SystemLog
          Starting test: VerifyReferences
             ......................... AMOS2K8 passed test VerifyReferences

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : AmosPC
          Starting test: CheckSDRefDom
             ......................... AmosPC passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... AmosPC passed test CrossRefValidation
       Running enterprise tests on : AmosPC.local
          Starting test: LocatorCheck
             ......................... AmosPC.local passed test LocatorCheck
          Starting test: Intersite
             ......................... AmosPC.local passed test Intersite
     
    I have also cleared the DNS and updated the records afterwards, but I still get the same results. I get a fully configured IP address with no internet access.
     
    The server can ping anything internal or external, but clients can only ping internal hosts by name and IP. The client cannot ping the external server address.
     
    I have DHCP, DNS, and RAS (Now called NAP Routing). I have not "intentionally" turned on any policies. I have tried turning off the firewall, and GPO, but nothing changed, so I set them back to default. I tried allowing exceptions for programs in the firewall also, but nothing is changing the situation. And I have uninstalled and reinstalled DHCP. No Such Luck. That was what made me start seeking assistance.
     
    Side Note: I have an old server that I upgraded from 2003 to 2008 ENT, and it worked flawlessly. I ran the setup for X64 edition on tested new hardware, and have not been able to connect any clients, even newly created ones to the internet, but everyone gets on the internal network.
     
    So, in essence, I have a server that connects clients, but withholds internet access from all users. I am looking for any keys, policies, ports, or controls to turn this feature on. All Vista clients (about ten) have the same issue even when using different login credentials.
     
    Thanks in advance for any help that you might offer.
    Tuesday, April 15, 2008 6:15 AM

Answers

  •  

    Microsoft Network Engineers worked 5 Hours on the issue with success at 1AM. 

    Thanks MS. And Thanks to all who contributed to getting this to work.

    Wednesday, April 16, 2008 6:39 AM

All replies

  •     You really should not be using your DC as a router. Run the DC with one NIC and use another server for NAT. This will cause you grief. Only SBS should run in that config. (It is designed to run that way).

     

    Set the clients to use the DC for DNS but the NAT router for their gateway. Set the DNS on the DC to forward to a public DNS service. 

     

    Wednesday, April 16, 2008 4:29 AM
  • First, Thanks for your response.

     

    Secondly, I only have the budget for a single server, which has been the standard for many years. I have not needed, or had to justify the cost of two servers. Since Windows 2000, one server with two nics has been Microsoft's default config. It was only recently that they changed to teaching two servers is better than one. I still have the Networking Essentials, Windows Server MCSE, and Network+ manuals stating the exact configuration in which I have the server setup. No offense intended.

     

    Having said that, is there any information on setting up a single domain controller in a single forest with a single domain in Windows Server 2008 Enterprise x64 available anywhere?

     

    The server is set to forward to my ISP's public DNS, and my clients are receiving ip, dns, and gateway information from the dhcp. The issue is that although they access the network and resolve internally, no client can get out to the network.

     

    I have now been on the phone with senior engineers from MS for about 4 hours, and they are working to resolve the issue with me. I will post back to the forum with a full update as to the outcome of this situation.

     

    And just to be clear, you are right about the configuration, if you have multiple servers. That is just not an avenue I want to battle with accounting about any more.

    Wednesday, April 16, 2008 5:13 AM
  • Hey AmosPC,

    Having the exact same problem.  What did MS help you do to fix it?
    Sunday, June 01, 2008 9:54 PM
  • AmosPC,

    Hey, I'm having the same issue. How was it solved?
    Thursday, June 05, 2008 6:16 PM
  • What was the answer to this one. I have the same problem and really need to fix it.

    Please Help.

    Thanks

     

    Saturday, April 10, 2010 7:21 PM
  • This thread is almost three years old. And unfortunate that the original poster in the thread did not provide the solution.

    IMHO, using a DC as a NAT device makes it a Multihomed DC, which can be extremely problematic for AD functionality. This is due to the way AD works and the additional records that are registered into DNS due to the multihoming. Instead of me getting into the details in the post, you can read all about the specifics, implications and how to properly configure a multihomed DC in the following link:

    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, and/or PPPoE adapters 
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

    Regarding two DCs in any given AD domain, I look at this as a requirement. Two DCs provide fault tolerance for all domain objects. If one goes down, you still have the other and it's a simple matter of transferring roles, making some simple adjustments, metadata cleanup, and rebuilding the old one. But I can understand in many cases the budget does not allow purchasing additional servers. I just hope these budgets allowed for a backup solution in case the single DC is lost.

    However, my take on having a multihomed DC controlling internet access as the NAT device on the network is I wouldn't want my DC, whether it's an SBS or non-SBS, to be directly exposed to the internet. That's inviting trouble, possibly compromising your DC and company data to some hacker/attacker. Sure, some may even suggest to install ISA or TMG on it, but it's highly recommended to NOT install ISA or TMG on a DC, due to firewall functionality, etc.

    I think situations with tight budgets may just have enough wiggle room to purchase a router/firewall device to handle the NAT requirements, as well as provide security for the network, especially the DC. This way you can disable the outer NIC, allow the DC to do its job efficiently, and allow the firewall device to handle and control internet traffic. How much is a router/firewall device? If you are in the US, you can pick up a decent Linksys with wireless N for less than USD $150, or even cheaper for the lower end models. I can't really see this as a budget breaker unless there are some politics involved from the exec side who do not understand IT.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Sunday, January 23, 2011 6:52 PM
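As an added check, not from the thread or from Microsoft, here is a PowerShell audit for the multihomed-DC conditions Ace describes in the post above: IPv4 on more than one active NIC, more than one default gateway, a public address on the DC itself, and DNS registration left on for more than one NIC. It assumes the NetTCPIP and DnsClient cmdlets of Windows Server 2012 / Windows 8 and later, which the 2008 server in the thread does not have; the `Test-PrivateIPv4` and `Test-MultihomedDc` function names are my own.

```powershell
# Added audit script, not from the thread. Assumes the NetTCPIP and DnsClient cmdlets
# (Windows Server 2012 / Windows 8 and later); the 2008 server in the thread predates them.
# Run on the DC itself; it warns once per finding and returns the findings as strings.

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges plus APIPA (169.254.0.0/16), none of which are internet-facing.
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 169 -and $o[1] -eq 254)
}

function Test-MultihomedDc {
    $up   = (Get-NetAdapter | Where-Object Status -eq 'Up').InterfaceAlias
    $ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $up -contains $_.InterfaceAlias -and $_.IPAddress -notlike '127.*' }
    $gws  = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Where-Object { $up -contains $_.InterfaceAlias }
    $dns  = Get-DnsClient | Where-Object { $up -contains $_.InterfaceAlias }

    $findings = @()
    $nics = @($ipv4.InterfaceAlias | Select-Object -Unique)
    if ($nics.Count -gt 1) {
        $findings += "Multihomed DC: IPv4 on more than one active NIC ($($nics -join ', '))"
    }
    if (@($gws).Count -gt 1) {
        $findings += "Multiple default gateways: " +
                     (($gws | ForEach-Object { "$($_.InterfaceAlias) -> $($_.NextHop)" }) -join ', ')
    }
    # A public address on the DC means the DC itself is the internet-facing host.
    foreach ($a in $ipv4 | Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) }) {
        $findings += "Public address $($a.IPAddress) on '$($a.InterfaceAlias)': DC is directly internet-exposed"
    }
    # Every NIC that still registers its address in DNS publishes that address in the DC's
    # locator records; with more than one NIC only the internal one should register.
    $registering = @($dns | Where-Object RegisterThisConnectionsAddress)
    if ($nics.Count -gt 1 -and $registering.Count -gt 1) {
        $findings += "DNS registration enabled on more than one NIC: " +
                     ($registering.InterfaceAlias -join ', ')
    }
    $findings | ForEach-Object { Write-Warning $_ }
    return $findings
}

Test-MultihomedDc
```

An empty result means none of the four conditions was found; each warning maps to one setting to change (disable the outer NIC, keep a single default gateway, or clear "Register this connection's addresses in DNS" on the external adapter).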
  • Thanks for the long feedback, but on the short note of firewalls, I have the whole network protected by Smoothwall and Untangle, so there is no threat to domain PCs. On the grounds of backup, I'm running a NASLite storage system and all the files on the network are backed up to this system.

     

     

    Regards

    WinGovo

    Monday, January 24, 2011 7:51 PM
  • Hello WinGovo,

    My post was primarily commenting on multihomed domain controllers, which I gathered you have from reading your post. It's not a recommended configuration. My blog that I posted has more specifics on it and why not to multihome a DC.

    I apologize if I mis-read your post.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, January 24, 2011 8:59 PM