This post is a request for any assistance I can get.
It’s about a mistake or an oversight when setting up a Windows 2003 server running Active Directory (AD) and DNS. So if you know nothing about these things then please feel free to check out one of my other more regular posts – such as this one.
- o – o – o – o – o – o – o – o – o – o – o – o -
OK, on with the issue.
Please bear in mind that this used to work using a workaround despite the oversight. It stopped working when, for reasons beyond their control, our hoster had to put us on another server and hence a different IP, but more on that in a moment.
We have a W2k3 Server running an AD Schema and all works just fine. The server is a fairly basic accounts and policies type box with nothing fancy on it. For the sake of argument, let’s call the schema name we picked ourdomain.org, and the oversight being that we didn’t add in the MS recommended .local flag.
Skip forward a year or so and we’ve also registered a website with the same name as the schema – can you see where this is going yet?
Skip forward until very recently and we start to develop the website and all is working well except that the folks internally can’t reach the website. No problem, thinks I, and I talk them through setting up a hosts entry pointing to the hosted server – and this nicely resolves the issue.
You might wonder why I didn’t just add an A record to the DNS setup? It’s a valid question but at the time I was away from all tech but my phone and this was the easiest & quickest fix available.
Then we get to last November (I’m pretty sure this is when our issue started, though at the moment it’s supposition) and our hoster falls prey to a hacker. No data is lost but the hacker decided to hose a whole bunch of file systems. The upshot being that our server required a bare metal restore but still had issues afterwards, so ultimately we got moved to a new box and consequently a new IP.
So I think, simply change the IP and all will be well.
Not so.
I started off by just editing the hosts file on the server with the new IP and flushing the DNS cache – all appeared good as I can tracert to the new IP and ping it. Additionally an nslookup reveals that ourdomain.org is being seen as the correct internal IP and that www.ourdomain.org is being seen as the correct external IP.
However, Firefox can’t connect. Its status update flickers between ‘waiting for’ and ‘connecting to’ the domain, while IE8 says it “cannot display the webpage”.
Changing the server’s secondary DNS setting to use, say, OpenDNS.com’s DNS server makes no difference either. However, if I set both primary and secondary to use OpenDNS then we get straight through.
So, either there’s an issue with our DNS that is shafted in some way I can’t see, or the hoster’s new security measures are denying us getting through, or …?
So, is there a way to configure AD to force everything but internal lookups to go through OpenDNS? Because with no internal DNS configured on the server, a simple ping of an internal client ends up resolving to an external IP – can we say oops!
Any suggestions gratefully taken because I’m stumped.
This just in: I asked the hoster to check their firewall logs and whilst I’m not 100% satisfied that they are logging this aspect, they tell me they can’t see our IP arriving. Which strikes me as odd as they should have my pings and tracerts at the very least – but if they only checked for web traffic then it would definitely (in my tired mind) point at an internal name resolution issue / clash.
Big kudos to anyone that can help solve this.
EDIT: Fixed it. Well sort of.
Basically the problem is the site has been developed using WordPress and that has “Canonical Redirects”. In short, all requests for ‘www.whatever’ are being redirected to ‘whatever’ – i.e. no www. This has the effect for internal clients of getting to the site and then the site says ‘go and talk to your Domain Controller’ which in turn says ‘go to www’ and we end up in a vicious cycle.
So now I just need to find a way, or a plugin, or someone to turn off the redirects for everything. I believe it can be done; it’s just that the things I’ve tried thus far haven’t worked!
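As an added illustration (not part of the original post or its comments), the following Python sketch models the chain an internal client goes through when the AD domain name and the public web domain are the same: the AD-integrated zone registers the zone apex as the domain controller's address, so a canonical redirect from www to the apex lands internal users on a host that runs no web server. The zone data, IP addresses and the redirect rule are constructed assumptions standing in for the real records.

```python
"""Trace name resolution plus HTTP redirects for one resolver view.

All addresses and zone contents below are constructed for illustration;
they are not the post author's real records.
"""

# Internal AD-integrated zone: AD registers the apex ("same as parent folder"
# A records) as the domain controller, while www points at the web host.
INTERNAL_ZONE = {
    "ourdomain.org": "192.0.2.10",          # domain controller (constructed)
    "www.ourdomain.org": "198.51.100.20",   # hosted web server (constructed)
}

# Public zone, as an external resolver such as OpenDNS would see it.
PUBLIC_ZONE = {
    "ourdomain.org": "198.51.100.20",
    "www.ourdomain.org": "198.51.100.20",
}

WEB_HOST = "198.51.100.20"   # the only address that actually answers HTTP


def http_step(ip, host, canonical):
    """Model the web server's behaviour for a request to ip with a Host header.

    Returns ("redirect", new_host), ("ok", None) or ("no-web-server", None).
    A WordPress-style canonical redirect sends every other hostname to canonical.
    """
    if ip != WEB_HOST:
        return ("no-web-server", None)
    if host != canonical:
        return ("redirect", canonical)
    return ("ok", None)


def trace(zone, host, canonical="ourdomain.org", max_hops=5):
    """Follow resolution and redirects; return (hops, outcome).

    hops is a list of (hostname, ip, status); outcome is "ok", "nxdomain",
    "stuck-at-<ip>" (redirected onto a host with no web server) or "loop".
    """
    hops = []
    for _ in range(max_hops):
        ip = zone.get(host)
        if ip is None:
            hops.append((host, None, "nxdomain"))
            return hops, "nxdomain"
        status, nxt = http_step(ip, host, canonical)
        hops.append((host, ip, status))
        if status == "ok":
            return hops, "ok"
        if status == "no-web-server":
            return hops, "stuck-at-" + ip
        host = nxt
    return hops, "loop"
```

Running `trace(INTERNAL_ZONE, "www.ourdomain.org")` shows the redirect to the apex ending on the domain controller, while the same request with `canonical="www.ourdomain.org"` (or via `PUBLIC_ZONE`) completes; the apex itself can never serve the site to internal clients while AD owns that name.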
For setting up OpenDNS for all external domains, here are the directions: https://store.opendns.com/setup/operatingsystem/w…
For the browser issues, keep in mind that browsers do their own DNS caching separate from the Windows networking stack, so just because it works on the command line doesn't mean the browser will use the new IP. Have you tried this from a client other than the AD server?
Travis – thanks for the link to the OpenDNS article. I hadn't spotted that one before.
As to have I tried from clients – yes, as it was they who flagged up the problem initially. Will go read the article and see if that will help fix our issue.
And has made no difference from the server – will have to wait to try from a client.
Travis – see the edit above. Turns out it isn't DNS so I'm not going barking mad after all. Thanks for your assist though.
So Stuart, I am to guess that setting your Forwarders to OpenDNS did nothing? But when you set a specific computer(s) to use OpenDNS (bypassing any in-house DNS) you could see the website fine? Also guessing you are doing both forward lookup and reverse lookup in house (or am I wrong here)?
Something you might want to do is turn on "Debug Logging" in DNS. You can do this by right-clicking on your DNS server and clicking "Properties" and then click on the "Debug Logging" tab. Once you have done that, try and go to the site you are having issues with and see what happens (might be best to do this when there are no / few users on the system as it will be easier to find your try). Do not forget to turn off "Debug Logging" once you are done with it.
Also, if you are running more than one DNS server, make sure they are replicating correctly and both have the same info.
Another thing to check is Scavenging of stale records. You might have a stale record in your DNS that is still pointing somewhere else.
Also something to look at might be the "DNS Server" in the event viewer (if you have not already) and see if you have any errors in there.
And if worst comes to worst, just set it up as a Host (A) record and see if that fixes your issue.
Kevin – many thanks for the reply.
But apart from checking for stale records I've done / checked everything else. This really should just have been a simple IP change and away we go – which is why I keep thinking it's a hosting issue, but they don't see it that way.
The only other thing I can suggest you try and it will take some time, is build a virtual server using the exact same config (AD, DNS, Etc) as you have now, and then testing your issue with the VM system.
Nothing fancy is needed and it can be done with MS Virtual PC (I think that is the correct title of the program, it’s a free download from the MS Mothership). This is one of the few ways to test if it is fact on your side or their side.
Like I said, it will take some time. Depending on the speed of your host system, I would say maybe 3 or 4 good hours of work with limited interruptions to get the VM system running & config’ed.
Anyway, that’s my two cents (or is it 4 now?) and most likely what I would do at this point.
Kevin
Thanks Kevin – I do appreciate the time taken to come and make these suggestions.
If I can find the time I will do a VM setup, but the thing that gets me is this did work and as far as I am aware stopped when the IP changed and the hoster beefed up their security. Though I can't be certain of this.
Kevin – see above post edit. It's not my DNS after all so I haven't completely lost it. Thanks for your assist though.
Stuart, glad to hear you are not going mad. :) I hope you are able to figure out the WordPress issue.