What happend to my Network

[zendawg]

Hi all,
I think I posted on the wrong forum first. So I am reposting. Sorry for the error.

Long time reader first time poster. here is my issue. I have two servers that I use in my lab for my educational pursuits.
*Server 1 is the PDC. It is running DHCP and DNS.
*Server 2 is also running Active Directory, WWW, and FPT, and has RRAS installed and is being used as a NAT Router. I lease static IP addressess from my ISP. I have the LAN NIC configured for the internal network. I have the external facing NIC populated with the public static IP. I have DNS forwarding set up on the Domain Controller.
Everything was working just great untli the other night. I get prompted to install some updates from Microsoft. I went to support.microsoft.com, and got them. I hate the auto updater. Now I can no longer access the internet on either of the 2 servers or anything that is connected to them. When I browse My Network Places from the DC I can see all of the computers located on the network. When I try and do so from the RRAS server I get just the local PC. I know that RRAS is working to some degree because I have RDP set up and I am remoted into the server right now, but I am doing so via RDP into my home PC that is on another subnet (192.168). I can no longer access ftp or

http://www internally

or externally. I uninstalled all of these updates that I had installed.
I checked the event viewer on the RRAS server and got the following error: Event ID 8032:
The Browser Service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip....the backup browser is stopping.

error: 8021:

The Browser service was unable to retrieve a list of servers from the Browser Master \\Homer on the network.

HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Regards,
The Colorado Techie

 

[WhoKilledKenny]

The browser service would not cause issue with Internet Access. More than likely the updates either locked down IE or somehow enabled the firewall settings on your computer(s). That is what I would check first.

Jesse Hamrick

http://www.powershellpro.com

 

[zendawg]

Ok, I can check that when I get home. I am getting the Event ID 8032 in the system event viewer like crazy. I agree that the Internet Issue is probably caused by those infernal updates. I did remove them, and I was not getting 8032 errors prior to installing the updates from what I recall. Think I should just demote the RRAS server and rebuild it? I have 2 NIC's on the DC, and I read that I should disable one of them.
Since RRAS is set up, and has a static IP, ICF should not be enabled. I am presently remoted into the RRAS Server via my home PC (192.168.x.x).When I check IP routing>general, both the internal NIC and external are operational and are showing incoming and outgoing bytes. ALso under the NAT Basic Firewall the WAN is translating inbound and outbound packets, but on the LAN 0.

 

[WhoKilledKenny]

This should help with the error:

http://support.microsoft.com/kb/q135404/

The other issue may be a mult-homed domain controller. If you have the option I would break-out the RRAS server on its own box. I would not recommend hanging a DC in your DMZ (or live connection to the internet). If that is not within your budget, I would attempt to disable NetBIOS on the NIC that is pointing to the Internet and remove Microsoft File and Print services from that NIC as well. Chances are, you are getting browser issues as the NetBIOS broadcasts are being sent out on both NICS; keep that traffic local.

Jesse Hamrick

http://www.powershellpro.com

 

[zendawg]

RRAS is on it's on it's own box. I made the mistake earlier of putting RRAS on the same PC as the DC. the DC is on a 10.x.x subnet. the WAN NIC on the RRAS Server is the only thing that is external. I disabled Net Bios on WINS. I am not using a WINS Server. I disabled file and printer sharing. I am rebooting the server as we speak. I rebooted and still nothing. If I just rebuild the RRAS server, will I encounter any BS from the DC? It is loaded with AD and is obviously a member of the domain. I will need to demote it first to avoid any issues? It just pisses me off that I load updates to help and it hoses my network

Frustrated Colorado Techie.

 

[pgaliardo]

*Server 2 is also running Active Directory,

It seems from this quote that the RRAS server is on a domain controller and not on it's own box.

Also, do you remember what updates exactly you installed? I agree with WhoKilledKenny that you enabled some kind of firewall on the box by installing the updates.

 

[zendawg]

They are two separate PC's the Domain Controller is running Active Directory, acting as the DHCP Server, and DNS Server. On the other PC AD is installed as well as RRAS.

Does Active Directory not need to be installed on a server if it is going to be used for the purposes of RRAS?

I do agree that the updates did do something to block internet access. What that something is I have yet to determine.

 

[WhoKilledKenny]

Does Active Directory not need to be installed on a server if it is going to be used for the purposes of RRAS?

No, RRAS does not require AD. In fact since you are using it as a router from you internal network to the Internet, I would not even make it a member of your AD Domain. I would install RRAS on a Stand-Alone (WorkGroup) Server, so that if it got hacked chances are it will not give away any secrets with regards to Active Directory.
No need to re-build RRAS. My suggestion - for installing an RRAS Server - is to remove AD (DCPROMO), Put the RRAS Server in its own workgroup (make sure you know the local admin password), Configure Routing (static or dynamic), Set the firewall, and set your NAT options.

Jesse Hamrick

http://www.powershellpro.com

 

[zendawg]

I am hosting an ftp and

http://WWW server

that is located on the DC. SO under the scenario that you proposed, this would still work?
RRAS box: The WAN NIC has the public IP and the LAN NIC would need to belong to the same subnet as the DC so that the two could communicate with one another. Or is the better solution to host

http://WWW and

FTP on the same box as RRAS and have it on its own workgroup.
Under the latter scenario I would still be able to provide internet access to the DC, and the computers attached to the switch that it is attached to?

Third possibility would be to make the RRAS server a member server and install IAS? Thoughts?

I really appreciate you insight into this.

Regards,
Colorado Techie.

 

[zendawg]

Additionally I am going to be adding an Exchange Server in the next few months. I may have access to an older watchguard firewall in the near future, or I might just use a LINUX box as a firewall

TIA

Colorado Techie

 

[WhoKilledKenny]

IIS on a Domain Controller - issue: ISUR account should be a local account. On a DC there are no local accounts. This forces the account to be a domain account which now allows anonymous access to your AD.
RRAS is a firewall, don't know why you would add another?

Simple rule of thumb. Anything internal to your network keep internal, i.e. Active Directory, Intranet Web servers, and Internal DNS.

Logical View of how I would design a simple network:
{Internal(AD,DNS,WINS,DHCP,Intranet)}--|--{Router/Firewall(RRAS)}--{External/DMZ(WebServers,FTP,OWA)}



Jesse Hamrick

http://www.powershellpro.com