Domain PCs can not access every site through Windows 2003 Server

Hi,

I've been pullin my hair out for quite a while for this problem:
I have a Windows 2003 Server SE SP2 installed for a small LAN with 10 PCs.
The server is a Domain Controller and has Internet Connection Sharing and
Windows Firewall running. It has 2 NICs one for LAN and one for WAN.
The server has 'perfect' access to every page on the internet and the PCs
have 'perfect' access to the server (logon, file server, printer, local
websites on server, etc.), but the PCs can access only *a few* internet
websites (e.g. www.nu.nl), other websites (www.hotmail.com, www.google.com)
return 'Cannot display page' after a long timeout.

DHCP, DNS settings of PCs and server look fine. Ping and tracert from PCs to
websites are ok. The websites that can be viewed are displayed without delay,
but the rest seems to wait forever on a reply from the webserver.
I tried to switch off all firewalls (server and PCs) but this didn't help. I
assume there's something wrong with the NAT/ ICS, but so far I haven't found
a clue.

Any help is greatly appreciated.

Thanks.

Are you use ICS or NAT? It is recommended to use NAT on DC instead of ICS.
This link may help too.

Microsoft Windows New release IssuesNo ICS available after installing server
2003 SP1 · Windows Firewall running on DC - "Windows Firewall cannot run
because another program or service is ...
www.howtonetworking.com/main.htm


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"svdw" <(E-Mail Removed)> wrote in message
news:F501A3EA-3067-4B00-ADC4-(E-Mail Removed)...
> Hi,
>
> I've been pullin my hair out for quite a while for this problem:
> I have a Windows 2003 Server SE SP2 installed for a small LAN with 10 PCs.
> The server is a Domain Controller and has Internet Connection Sharing and
> Windows Firewall running. It has 2 NICs one for LAN and one for WAN.
> The server has 'perfect' access to every page on the internet and the PCs
> have 'perfect' access to the server (logon, file server, printer, local
> websites on server, etc.), but the PCs can access only *a few* internet
> websites (e.g. www.nu.nl), other websites (www.hotmail.com,
> www.google.com)
> return 'Cannot display page' after a long timeout.
>
> DHCP, DNS settings of PCs and server look fine. Ping and tracert from PCs
> to
> websites are ok. The websites that can be viewed are displayed without
> delay,
> but the rest seems to wait forever on a reply from the webserver.
> I tried to switch off all firewalls (server and PCs) but this didn't help.
> I
> assume there's something wrong with the NAT/ ICS, but so far I haven't
> found
> a clue.
>
> Any help is greatly appreciated.
>
> Thanks.
>

I didn't think that you could run ICS on a domain controller.

I any case, running ICS or RRAS/NAT on a DC is basically a bad idea. You
get all sorts of odd problems with multihomed DCs and DNS servers (except
with sbs, which is designed to handle it).

I would recommend using a separate device as your Internet router. You
can disable the DHCP and DNS relay on the router and let the DC handle that,
but let some other device look after the routing.


"Robert L (MS-MVP)" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Are you use ICS or NAT? It is recommended to use NAT on DC instead of ICS.
> This link may help too.
>
> Microsoft Windows New release IssuesNo ICS available after installing
> server 2003 SP1 · Windows Firewall running on DC - "Windows Firewall
> cannot run because another program or service is ...
> www.howtonetworking.com/main.htm
>
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
>
>
> "svdw" <(E-Mail Removed)> wrote in message
> news:F501A3EA-3067-4B00-ADC4-(E-Mail Removed)...
>> Hi,
>>
>> I've been pullin my hair out for quite a while for this problem:
>> I have a Windows 2003 Server SE SP2 installed for a small LAN with 10
>> PCs.
>> The server is a Domain Controller and has Internet Connection Sharing and
>> Windows Firewall running. It has 2 NICs one for LAN and one for WAN.
>> The server has 'perfect' access to every page on the internet and the PCs
>> have 'perfect' access to the server (logon, file server, printer, local
>> websites on server, etc.), but the PCs can access only *a few* internet
>> websites (e.g. www.nu.nl), other websites (www.hotmail.com,
>> www.google.com)
>> return 'Cannot display page' after a long timeout.
>>
>> DHCP, DNS settings of PCs and server look fine. Ping and tracert from PCs
>> to
>> websites are ok. The websites that can be viewed are displayed without
>> delay,
>> but the rest seems to wait forever on a reply from the webserver.
>> I tried to switch off all firewalls (server and PCs) but this didn't
>> help. I
>> assume there's something wrong with the NAT/ ICS, but so far I haven't
>> found
>> a clue.
>>
>> Any help is greatly appreciated.
>>
>> Thanks.
>>
>
>

Hi Robert,

I've tried the RRAS/NAT instead of ICS but I get exactly the same result.
I'll install an external router next to see if this solves the problem.

regards,
Sander

"Robert L (MS-MVP)" wrote:

> Are you use ICS or NAT? It is recommended to use NAT on DC instead of ICS.
> This link may help too.
>
> Microsoft Windows New release IssuesNo ICS available after installing server
> 2003 SP1 · Windows Firewall running on DC - "Windows Firewall cannot run
> because another program or service is ...
> www.howtonetworking.com/main.htm
>
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
>
>
> "svdw" <(E-Mail Removed)> wrote in message
> news:F501A3EA-3067-4B00-ADC4-(E-Mail Removed)...
> > Hi,
> >
> > I've been pullin my hair out for quite a while for this problem:
> > I have a Windows 2003 Server SE SP2 installed for a small LAN with 10 PCs.
> > The server is a Domain Controller and has Internet Connection Sharing and
> > Windows Firewall running. It has 2 NICs one for LAN and one for WAN.
> > The server has 'perfect' access to every page on the internet and the PCs
> > have 'perfect' access to the server (logon, file server, printer, local
> > websites on server, etc.), but the PCs can access only *a few* internet
> > websites (e.g. www.nu.nl), other websites (www.hotmail.com,
> > www.google.com)
> > return 'Cannot display page' after a long timeout.
> >
> > DHCP, DNS settings of PCs and server look fine. Ping and tracert from PCs
> > to
> > websites are ok. The websites that can be viewed are displayed without
> > delay,
> > but the rest seems to wait forever on a reply from the webserver.
> > I tried to switch off all firewalls (server and PCs) but this didn't help.
> > I
> > assume there's something wrong with the NAT/ ICS, but so far I haven't
> > found
> > a clue.
> >
> > Any help is greatly appreciated.
> >
> > Thanks.
> >
>
>
>

"svdw" <(E-Mail Removed)> wrote in message
news:7CA83469-D166-4D96-A0D8-(E-Mail Removed)...
> Hi Robert,
>
> I've tried the RRAS/NAT instead of ICS but I get exactly the same result.
> I'll install an external router next to see if this solves the problem.

That isn't going to help. It is just going to make a bigger mess.
Double-Nating isn't going to fix anything and you just end up creating a
pointless Back-to-Back DMZ that will only over complicate things and get in
the way.

There is absolutely nothing about NAT or ICS that is going to cause the
problem you are describing. You said you can Ping and Tracert to the sites
just fine. That means NAT and/or ICS is working perfectly fine. NAT/ICS
has absolutely *no* concept of Names, URLs, Scripting, or anything else
above the Layer3 IP# and the Layer4 Protocol. This is where remembering all
that boring OSI Layer Stuff from the old networking classes in school makes
a difference.

So whatever is happening is much higher up on the OSI Layers or even above
and beyond them.

So,...go back the beginning.
Using RRAS/NAT is a big step up from ICS and that is what you should use
instead of ICS.

Now when you ping those locations,...are you doing it by the Name or by the
IP#?...that is a big important difference.

If it is only by IP#, and it fails by Name it will still return an IP# even
if it fails. Take note of the IP# and post it here so I know what the names
resolve to. DNS is the problem in this case and that is where we need to
look.

If it pings fine by name then DNS works fine and your problem is most like
higher up on the food-change. At this point it would be caused by Browser
Security Settings or a Firewall on the LAN or a Personal firewall on the
machines themselves. With some third-party non-MS Personal Firewalls just
"turning them off" doesn't always get them out of the way, particularly if
they are screwed up and the only recourse is to remove them.

Viruses, Spyware, Trojans, Browser Hijacks (take your pick) are also all
things that can cause problems like this because they can intercept the GET
commands from the browser,...look for certain specific sites you are trying
to get to,... and alter the requested URL in the GET command which will
redirect the traffic to another website. These would be more less-likely
extreme cases of course, but not impossible.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

>> "svdw" <(E-Mail Removed)> wrote in message
>> news:F501A3EA-3067-4B00-ADC4-(E-Mail Removed)...
>> > Hi,
>> >
>> > I've been pullin my hair out for quite a while for this problem:
>> > I have a Windows 2003 Server SE SP2 installed for a small LAN with 10
>> > PCs.
>> > The server is a Domain Controller and has Internet Connection Sharing
>> > and
>> > Windows Firewall running. It has 2 NICs one for LAN and one for WAN.
>> > The server has 'perfect' access to every page on the internet and the
>> > PCs
>> > have 'perfect' access to the server (logon, file server, printer, local
>> > websites on server, etc.), but the PCs can access only *a few* internet
>> > websites (e.g. www.nu.nl), other websites (www.hotmail.com,
>> > www.google.com)

Hi Bill,

You can run ICS on a Win2003 Server, you can also run RRAS/NAT, but as you
mentioned, not with good results ;-)

Installed a seperate router in the network, disabled its' DHCP, set my
server as its' DMZ and now everything works perfectly!

Thanks!

regards,
Sander

"Bill Grant" wrote:

> I didn't think that you could run ICS on a domain controller.
>
> I any case, running ICS or RRAS/NAT on a DC is basically a bad idea. You
> get all sorts of odd problems with multihomed DCs and DNS servers (except
> with sbs, which is designed to handle it).
>
> I would recommend using a separate device as your Internet router. You
> can disable the DHCP and DNS relay on the router and let the DC handle that,
> but let some other device look after the routing.
>
>
> "Robert L (MS-MVP)" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > Are you use ICS or NAT? It is recommended to use NAT on DC instead of ICS.
> > This link may help too.
> >
> > Microsoft Windows New release IssuesNo ICS available after installing
> > server 2003 SP1 · Windows Firewall running on DC - "Windows Firewall
> > cannot run because another program or service is ...
> > www.howtonetworking.com/main.htm
> >
> >
> > --
> > Bob Lin, MS-MVP, MCSE & CNE
> > Networking, Internet, Routing, VPN Troubleshooting on
> > http://www.ChicagoTech.net
> > How to Setup Windows, Network, VPN & Remote Access on
> > http://www.HowToNetworking.com
> >
> >
> > "svdw" <(E-Mail Removed)> wrote in message
> > news:F501A3EA-3067-4B00-ADC4-(E-Mail Removed)...
> >> Hi,
> >>
> >> I've been pullin my hair out for quite a while for this problem:
> >> I have a Windows 2003 Server SE SP2 installed for a small LAN with 10
> >> PCs.
> >> The server is a Domain Controller and has Internet Connection Sharing and
> >> Windows Firewall running. It has 2 NICs one for LAN and one for WAN.
> >> The server has 'perfect' access to every page on the internet and the PCs
> >> have 'perfect' access to the server (logon, file server, printer, local
> >> websites on server, etc.), but the PCs can access only *a few* internet
> >> websites (e.g. www.nu.nl), other websites (www.hotmail.com,
> >> www.google.com)
> >> return 'Cannot display page' after a long timeout.
> >>
> >> DHCP, DNS settings of PCs and server look fine. Ping and tracert from PCs
> >> to
> >> websites are ok. The websites that can be viewed are displayed without
> >> delay,
> >> but the rest seems to wait forever on a reply from the webserver.
> >> I tried to switch off all firewalls (server and PCs) but this didn't
> >> help. I
> >> assume there's something wrong with the NAT/ ICS, but so far I haven't
> >> found
> >> a clue.
> >>
> >> Any help is greatly appreciated.
> >>
> >> Thanks.
> >>
> >
> >
>
>

Sander,

Thank you for update. Bill is right on this one. We don't recommend to
enable RRAS on the DC.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"svdw" <(E-Mail Removed)> wrote in message
news:7CA83469-D166-4D96-A0D8-(E-Mail Removed)...
> Hi Robert,
>
> I've tried the RRAS/NAT instead of ICS but I get exactly the same result.
> I'll install an external router next to see if this solves the problem.
>
> regards,
> Sander
>
> "Robert L (MS-MVP)" wrote:
>
>> Are you use ICS or NAT? It is recommended to use NAT on DC instead of
>> ICS.
>> This link may help too.
>>
>> Microsoft Windows New release IssuesNo ICS available after installing
>> server
>> 2003 SP1 · Windows Firewall running on DC - "Windows Firewall cannot run
>> because another program or service is ...
>> www.howtonetworking.com/main.htm
>>
>>
>> --
>> Bob Lin, MS-MVP, MCSE & CNE
>> Networking, Internet, Routing, VPN Troubleshooting on
>> http://www.ChicagoTech.net
>> How to Setup Windows, Network, VPN & Remote Access on
>> http://www.HowToNetworking.com
>>
>>
>> "svdw" <(E-Mail Removed)> wrote in message
>> news:F501A3EA-3067-4B00-ADC4-(E-Mail Removed)...
>> > Hi,
>> >
>> > I've been pullin my hair out for quite a while for this problem:
>> > I have a Windows 2003 Server SE SP2 installed for a small LAN with 10
>> > PCs.
>> > The server is a Domain Controller and has Internet Connection Sharing
>> > and
>> > Windows Firewall running. It has 2 NICs one for LAN and one for WAN.
>> > The server has 'perfect' access to every page on the internet and the
>> > PCs
>> > have 'perfect' access to the server (logon, file server, printer, local
>> > websites on server, etc.), but the PCs can access only *a few* internet
>> > websites (e.g. www.nu.nl), other websites (www.hotmail.com,
>> > www.google.com)
>> > return 'Cannot display page' after a long timeout.
>> >
>> > DHCP, DNS settings of PCs and server look fine. Ping and tracert from
>> > PCs
>> > to
>> > websites are ok. The websites that can be viewed are displayed without
>> > delay,
>> > but the rest seems to wait forever on a reply from the webserver.
>> > I tried to switch off all firewalls (server and PCs) but this didn't
>> > help.
>> > I
>> > assume there's something wrong with the NAT/ ICS, but so far I haven't
>> > found
>> > a clue.
>> >
>> > Any help is greatly appreciated.
>> >
>> > Thanks.
>> >
>>
>>
>>

Hi Phillip,

Thanks for your reply.

There's only one NAT in the network right now and that is the (external)
router. ICS, RRAS is disabled on the server (well actually the ICS service is
running for the Windows Firewall, which is configured, ICS itself is not
configured)
Server is acting as DC, DHCP & DNS

I knew that the problem that I described could not have been caused by NAT,
because google.nl could be reached, while google.com never answered. NAT
could not have caused this. But I could not find the problem or even a hint
what the problem could be. So solving it by adding an external router is good
enough for me right now.

This were my action/findings:
- The pring & tracert were done with IP & hostnames, both worked on
server/PCs.
- DNS requests provided good results on server/PCs
- routing tables looked ok on server/PCs
- Websites were opened with URLs and ip addresses on PCs, both showed the
same problem. Some worked (looked like the 'simpler pages'), some didn't
(caused time out)
- website interaction was mimicked through telnet session on PCs on
host:80, same result as browsers
- Server could access all pages without problems
- Switching firewall on/off on server/PCs did have no effect (I checked if
the firewall was really down)
- All systems are scanned for viruses on a avg daily basis, but have been
fully scanned additionally
- All systems were rebooted

Still no idea what the problem could have been. (but I have work around :-)

Thanks for all replies.

regards,
Sander

"Phillip Windell" wrote:

> "svdw" <(E-Mail Removed)> wrote in message
> news:7CA83469-D166-4D96-A0D8-(E-Mail Removed)...
> > Hi Robert,
> >
> > I've tried the RRAS/NAT instead of ICS but I get exactly the same result.
> > I'll install an external router next to see if this solves the problem.
>
> That isn't going to help. It is just going to make a bigger mess.
> Double-Nating isn't going to fix anything and you just end up creating a
> pointless Back-to-Back DMZ that will only over complicate things and get in
> the way.
>
> There is absolutely nothing about NAT or ICS that is going to cause the
> problem you are describing. You said you can Ping and Tracert to the sites
> just fine. That means NAT and/or ICS is working perfectly fine. NAT/ICS
> has absolutely *no* concept of Names, URLs, Scripting, or anything else
> above the Layer3 IP# and the Layer4 Protocol. This is where remembering all
> that boring OSI Layer Stuff from the old networking classes in school makes
> a difference.
>
> So whatever is happening is much higher up on the OSI Layers or even above
> and beyond them.
>
> So,...go back the beginning.
> Using RRAS/NAT is a big step up from ICS and that is what you should use
> instead of ICS.
>
> Now when you ping those locations,...are you doing it by the Name or by the
> IP#?...that is a big important difference.
>
> If it is only by IP#, and it fails by Name it will still return an IP# even
> if it fails. Take note of the IP# and post it here so I know what the names
> resolve to. DNS is the problem in this case and that is where we need to
> look.
>
> If it pings fine by name then DNS works fine and your problem is most like
> higher up on the food-change. At this point it would be caused by Browser
> Security Settings or a Firewall on the LAN or a Personal firewall on the
> machines themselves. With some third-party non-MS Personal Firewalls just
> "turning them off" doesn't always get them out of the way, particularly if
> they are screwed up and the only recourse is to remove them.
>
> Viruses, Spyware, Trojans, Browser Hijacks (take your pick) are also all
> things that can cause problems like this because they can intercept the GET
> commands from the browser,...look for certain specific sites you are trying
> to get to,... and alter the requested URL in the GET command which will
> redirect the traffic to another website. These would be more less-likely
> extreme cases of course, but not impossible.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
> >> "svdw" <(E-Mail Removed)> wrote in message
> >> news:F501A3EA-3067-4B00-ADC4-(E-Mail Removed)...
> >> > Hi,
> >> >
> >> > I've been pullin my hair out for quite a while for this problem:
> >> > I have a Windows 2003 Server SE SP2 installed for a small LAN with 10
> >> > PCs.
> >> > The server is a Domain Controller and has Internet Connection Sharing
> >> > and
> >> > Windows Firewall running. It has 2 NICs one for LAN and one for WAN.
> >> > The server has 'perfect' access to every page on the internet and the
> >> > PCs
> >> > have 'perfect' access to the server (logon, file server, printer, local
> >> > websites on server, etc.), but the PCs can access only *a few* internet
> >> > websites (e.g. www.nu.nl), other websites (www.hotmail.com,
> >> > www.google.com)
>
>
>

"svdw" <(E-Mail Removed)> wrote in message
news:CDA9C7CE-F8CC-4574-B560-(E-Mail Removed)...
> Hi Phillip,
>
> Thanks for your reply.
>
> There's only one NAT in the network right now and that is the (external)
> router. ICS, RRAS is disabled on the server (well actually the ICS service
> is
> running for the Windows Firewall, which is configured, ICS itself is not
> configured)
> Server is acting as DC, DHCP & DNS

Where's the "router" come from? If the Server was setup for RRAS/NAT then
it had to have two nics and had to *be* the router unless you setup a back
to back DMZ.

Get rid of the second Nic in the server and disable (better yet, just
uninstall) RRAS.

> This were my action/findings:
> - The pring & tracert were done with IP & hostnames, both worked on
> server/PCs.
> - DNS requests provided good results on server/PCs
> - routing tables looked ok on server/PCs
> - Websites were opened with URLs and ip addresses on PCs, both showed the
> same problem. Some worked (looked like the 'simpler pages'), some didn't
> (caused time out)
> - website interaction was mimicked through telnet session on PCs on
> host:80, same result as browsers
> - Server could access all pages without problems
> - Switching firewall on/off on server/PCs did have no effect (I checked if
> the firewall was really down)
> - All systems are scanned for viruses on a avg daily basis, but have been
> fully scanned additionally

You'll just have to keep searching while keeping my earlier comments in
mind. There isn't anything more I can do (or probably anyone else either)
without being their in person to see it.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Phillip Windell" wrote:

> "svdw" <(E-Mail Removed)> wrote in message
> news:CDA9C7CE-F8CC-4574-B560-(E-Mail Removed)...
> > Hi Phillip,
> >
> > Thanks for your reply.
> >
> > There's only one NAT in the network right now and that is the (external)
> > router. ICS, RRAS is disabled on the server (well actually the ICS service
> > is
> > running for the Windows Firewall, which is configured, ICS itself is not
> > configured)
> > Server is acting as DC, DHCP & DNS
>
> Where's the "router" come from? If the Server was setup for RRAS/NAT then
> it had to have two nics and had to *be* the router unless you setup a back
> to back DMZ.
The router is an external router incl. wifi access point. The server has 2
NICs, 1 is disabled right now, because I don't use it anymore. (it's kept as
spare).
Before, the server was the router, now it doesn't do any routing or NAT
anymore, all is done by the external router. The server's DHCP service now
refers to the external router in its config.

>
> Get rid of the second Nic in the server and disable (better yet, just
> uninstall) RRAS.
- 2nd NIC = disabled (but kept in as spare/backup)
- RRAS service = disabled

>
> > This were my action/findings:
> > - The pring & tracert were done with IP & hostnames, both worked on
> > server/PCs.
> > - DNS requests provided good results on server/PCs
> > - routing tables looked ok on server/PCs
> > - Websites were opened with URLs and ip addresses on PCs, both showed the
> > same problem. Some worked (looked like the 'simpler pages'), some didn't
> > (caused time out)
> > - website interaction was mimicked through telnet session on PCs on
> > host:80, same result as browsers
> > - Server could access all pages without problems
> > - Switching firewall on/off on server/PCs did have no effect (I checked if
> > the firewall was really down)
> > - All systems are scanned for viruses on a avg daily basis, but have been
> > fully scanned additionally
>
> You'll just have to keep searching while keeping my earlier comments in
> mind. There isn't anything more I can do (or probably anyone else either)
> without being their in person to see it.

Problem is solved with the external router, so I'm happy.
Thanks.

>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>