We are a small, 300-seat organization with a mixed BYOD and Active Directory environment (Windows Server 2012 Standard, Windows 7 Enterprise) and we are having a very strange problem involving very specific-scope failures to resolve our organization's domain name on our domain-joined, company-controlled machines. For the purpose of this discussion, I'll use company.com instead of our domain name.
Background:
Active Directory Domain Controller is located at 172.16.1.3
The AD/DC machine is also running DHCP, DNS, and HTTP (IIS)
Our organization's websites at company.com and subdomain.company.com are hosted by IIS on the AD/DC machine
We have a split-DNS scenario in which the AD/DC server is used for internal DNS resolution but a different, off-site server provides DNS resolution for public queries
The IP address corresponding to company.com and subdomain.company.com is the public IP address used by a firewall at the edge of our network (both on the AD/DC DNS server and the off-site DNS server)
The firewall is correctly configured for NAT to pass HTTP and HTTPS requests it receives on its public IP address to the internal IP of the AD/DC server and reflects
Scenario 1:
A user on a domain-joined Windows 7 Enterprise machine is connected directly to our local network with local address 172.16.6.100 /16, issued by the DHCP server.
The DNS server entry is provided by DHCP (172.16.1.3)
This user is able to access the websites hosted at company.com and subdomain.company.com
Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the internal DNS server (172.16.1.3)
Scenario 2:
The same user on the same domain-joined Windows 7 Enterprise machine goes home and connects to the Internet using their residential ISP
The IP and DNS server entries for the client machine are provided by DHCP
This user can access any internet resources, such as google.com
This user cannot access the website at company.com or subdomain.company.com (a "host not resolved" error is returned)
When this user runs nslookup on company.com they DO receive the correct public IP address provided by DNS
HTTP/HTTPS requests to the IP address succeed and a webpage is returned properly by the server
This issue prevails across all web browsers
Using tracert company.com returns "unable to resolve target system name"
Using ping company.com returns "could not find host company.com"
When running Wireshark on the client before/during a failed request, no packets are sent by the client machine (either for DNS resolution or for an initial HTTP/ping/tracert request)
Restarting the DNS Client service does not resolve the problem
Stopping the DNS Client service does not resolve the problem
Using ipconfig /flushdns does not resolve this issue
Using route /f does not resolve this issue
Resetting the network connections using netsh int ip reset does not resolve this issue
Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the DNS server specified by the DHCP settings of the network used by the user
Scenario 3:
This same user on a personal (not domain-joined) Windows 7 Professional computer is able to access the websites at company.com and subdomain.company.com when connected to our local network
Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the internal DNS server (172.16.1.3)
Scenario 4:
This same user on a personal (not domain-joined) Windows 7 Professional computer is able to access the websites at company.com and subdomain.company.com when connected to their home network
Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the DNS server specified by the DHCP settings of the network used by the user
Final Notes:
This issue seems to be generalized to affect all company-owned computers. We are using a common system image for all company-owned computers, which was just loaded in August. I have been scouring the internet in search of possible solutions and have come up empty handed so far -- I really appreciate any suggestions or advice you may have.
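As an added diagnostic (not part of the original post), the PowerShell script below contrasts the two resolution paths the scenarios compare: nslookup talks to the DNS server directly, while ping, tracert and browsers go through the Windows DNS Client, which consults the hosts file, the resolver cache and any Name Resolution Policy Table (NRPT) rules before sending a packet, which is consistent with Wireshark seeing nothing on the wire. It assumes the name company.com and uses only Windows 7 / PowerShell 2.0 built-ins.

```powershell
# Added diagnostic, not from the original thread. Runs the same name through the
# resolver path that ping/browsers use and through a direct DNS query, then lists
# the client-side layers that sit between the two. Assumes the name company.com.
param(
    [string]$Name = "company.com"   # assumption: replace with the failing name
)

Write-Host "== Resolver path (hosts file -> cache -> NRPT -> DNS); this is what ping uses =="
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    Write-Host "GetHostAddresses($Name): $($addrs -join ', ')"
} catch {
    Write-Host "GetHostAddresses($Name) FAILED: $($_.Exception.Message)"
}

Write-Host "`n== Direct query to the configured DNS server (what nslookup does) =="
nslookup $Name 2>&1 | Select-String -Pattern "Name:|Address"

Write-Host "`n== Hosts file entries mentioning $Name (a stale or tampered entry wins over DNS) =="
$hosts = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
Select-String -Path $hosts -Pattern ([regex]::Escape($Name)) | ForEach-Object { $_.Line }

Write-Host "`n== Resolver cache for $Name (a negative entry shows as 'Name does not exist') =="
ipconfig /displaydns | Select-String -Pattern ([regex]::Escape($Name)) -Context 0,4

Write-Host "`n== Name Resolution Policy Table (Group Policy / DirectAccess rules for this name) =="
netsh namespace show policy

Write-Host "`n== DNS servers and suffix search list per adapter =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    Select-Object Description, DNSServerSearchOrder, DNSDomainSuffixSearchOrder | Format-List
```

Run it once on the LAN and once from home on the same machine; the section whose output differs between the two runs is the layer to look at.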
This is quite an interesting scenario. Looking at your scenario 3, a user with a personal computer can access the services, but why is the DNS entry coming from your corporate IP and not the user's home DNS? Is the machine on the company network?
Verify this:
When the user tries to access the service from home on a company computer, are the IP details from the home internet router or from the company network via VPN?
Environment (User):
Windows 10 laptop
AzureAD joined
User in the office
Side note: The majority of our users are domain joined; this user travels a lot, so we set him up as Azure AD joined to see how it would work.
Environment (Network)
Firewall controls DHCP, routing, etc.
DNS is running on DC (windows server 2016); DNS = 192.168.1.10
DC is hosted in Azure (connected to on-prem via VPN to firewall)
Problem:
This user can't ping host (A) records on the DNS server. The user can ping the FQDN though, e.g. cannot ping servername, but can ping servername.internal.company.com
This is breaking a service this user needs to run.
All the machine's DNS settings are correctly set (they are pulled through from the firewall). It just seems like the Azure AD joined device is not able to authenticate to the DC/DNS to retrieve details about a host name, but I find it really weird that it can get responses back when using the FQDN of the server.
Can anyone please suggest why this user is getting blocked? I am thinking that because this is an Azure AD user there is an authentication issue; any help on the matter is greatly appreciated. Thanks!
Recently I faced the same problem with an Azure Windows VM. I tried all the best possible efforts to resolve the issue, but without success; finally I had to change the VM IP from the Azure login panel, and after a restart the internet is working.
I'm hosting a website on Windows Server 2012 R2. I'm able to access the site with no problem via the assigned ip address and as long as I'm on my home network. However, when I try to access the site using a public ip address, it defaults to my NAS (MyBookLive).
Baffled.
Thanks.
This is intentional.
When a user connects to your ip address, any inbound requests are blocked for security. You would need to open ports on your home router (most likely 80 and 443) and direct the traffic to an internal ip address.
Even if you do this, it is very likely that it would not work. Most residential internet providers do not allow you to host web/mail servers on the internet. If someone compromises your webserver, they would have access to your entire network.
You are better off with a dedicated hosting provider (AWS, Amazon, Google Cloud).
I want to create a local network in my workplace which has around 20 computers. All of these are connected through a single computer (server), which is attached to a router with internet access. I want all the internet traffic from my 20 computers to route through this server such that the above 20 computers are not visible from the outside network.
So the current scenario is like this:
The server has an IP: 172.16.16.198
The computers connected to this server through the router also have the IP in the same network i.e. 172.16.16.xx
As such all the computers in my workplace are visible from any other computer in the organisation connected to the same network.
You can assume that the server is connected to some internet network within the organisation, hence the private IP address (172.16.16.198)
All systems are Windows based.
I have tried the following so far on one of the 20 computers:
Changed the DNS to the server's IP.
Changed the default gateway to server's IP.
Changed to a static IP of 172.16.17.12 (random, but having the same subnet as the gateway)
The above approach didn't work. What can I do to meet my requirement?
PS: I am a newbie to networking so this might be a very fundamental mistake.
The first server NIC should be connected to the router and have an IP from the same network as the router:
172.16.16.198/24
The second server NIC should be connected to other computers with a switch and have an IP from the another private network, for example:
10.0.0.1/24
Choose a proper gateway (in my case the first address worked, i.e. xx.xx.xx.1), and the DNS can be set to the default DNS of the first NIC.
Check if after those steps the internet works on server.
Share the server's internet connection with the other computers. Right-click on the first NIC, choose the Properties menu item, open the Sharing tab and check "Allow other network users to connect through this computer's Internet connection". Select the name of the network card with which the internet has to be shared in the drop-down (e.g. NIC2). Click on Settings below to select all the services (e.g. HTTPS, FTP, etc.) you want to share with the other network card.
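The same two-adapter sharing setup, scripted as an added example (not from the original answer) through the HNetCfg.HNetShare COM interface that Windows exposes for Internet Connection Sharing. It assumes the adapters are named NIC1 (router side) and NIC2 (switch side) and must run from an elevated PowerShell prompt on the server.

```powershell
# Added automation of the sharing steps above (not from the original answer), using the
# HNetCfg.HNetShare COM interface for Internet Connection Sharing.
# Assumes the connection names below; run from an elevated PowerShell prompt.
param(
    [string]$PublicNic  = "NIC1",   # assumption: adapter facing the router (172.16.16.0/24)
    [string]$PrivateNic = "NIC2"    # assumption: adapter facing the switch
)

$ICSSHARINGTYPE_PUBLIC  = 0   # the adapter that NATs outward to the internet
$ICSSHARINGTYPE_PRIVATE = 1   # the adapter the 20 client machines sit behind

$mgr = New-Object -ComObject HNetCfg.HNetShare

# Look up a connection object by its display name (as shown in Network Connections).
function Get-Connection([string]$Name) {
    foreach ($conn in $mgr.EnumEveryConnection) {
        if ($mgr.NetConnectionProps.Invoke($conn).Name -eq $Name) { return $conn }
    }
    throw "No network connection named '$Name'"
}

$pub  = $mgr.INetSharingConfigurationForINetConnection.Invoke((Get-Connection $PublicNic))
$priv = $mgr.INetSharingConfigurationForINetConnection.Invoke((Get-Connection $PrivateNic))

# ICS allows exactly one public/private pair, so clear any previous sharing first.
foreach ($cfg in @($pub, $priv)) { if ($cfg.SharingEnabled) { $cfg.DisableSharing() } }

$pub.EnableSharing($ICSSHARINGTYPE_PUBLIC)
$priv.EnableSharing($ICSSHARINGTYPE_PRIVATE)

# Verify: SharingConnectionType reports 0 for the public and 1 for the private side.
"{0}: enabled={1} type={2}" -f $PublicNic,  $pub.SharingEnabled,  $pub.SharingConnectionType
"{0}: enabled={1} type={2}" -f $PrivateNic, $priv.SharingEnabled, $priv.SharingConnectionType
```

One caveat the GUI steps hide: ICS reassigns the private adapter to 192.168.137.1/24 and serves DHCP on that range unless the ScopeAddress value under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters is changed, so the 10.0.0.1/24 address chosen above will not survive enabling sharing without that change.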
I googled, followed all the instructions but still stuck, and unable to create a home ftp server.
My internet is from dsl modem -> vonage router -> wifi router
FileZilla server ip is 127.0.0.1 and it works fine when tried from command prompt. But I need it to be accessible from outside.
I enabled ftp on wifi router's web settings page using virtual server setting.
I am stuck at this point, I don't know what else to do further. Any help is greatly appreciated.
Also, if you are planning on accessing your server remotely (not in your network), you will have to enable port forwarding on your router (use the IP address of the machine running the server and port 21). Otherwise, you will only be able to connect while in your LAN.
This pretty much summarizes your needs (via lifehacker.com):
If you're FTP'ing across your home network (like from your upstairs PC to your bedroom PC), you can reach the server by using its internal network address (most likely something like 192.168.xx.xx). From the command line, type ipconfig to see what that address is. If you want to log into your FTP server over the internet, set up a memorable URL for it and allow connections from outside your network. To do so, check out how to assign a domain name to your home server and how to access your home server behind a router and firewall.
Original Article
How to assign a domain name to your home server
How to access a server behind a router and firewall
You need to be able to access your internal network from the internet. Consider using a service like dynDNS if your router supports it.
I tried putting my IP from whatismyip.com in the urlbase of Bugzilla but it did not work. I wasn't able to create a new account for my team mate, and he wasn't able to access the server by typing my IP address in his browser. And surely, when I connect again, my IP address will change. Do we have to buy a www address to host Bugzilla?
You can setup a dynamic dns service, for example via http://www.dyndns.com or http://www.no-ip.com or http://freedns.afraid.org to solve the changing ip problem without buying a domain (or buying a domain as well, but it's not a requirement).
But the real problem is that your team mate cannot access the server via the current IP address, which points to either a misconfiguration of the web server (listening only on localhost?), to a firewall in between, or, most likely, that port forwarding isn't set up in your router for requests coming to your external IP address to be forwarded to the machine where you have Bugzilla set up. Additionally, you must set the urlbase to your local IP address, not to the external IP address, as blak3r says.
Check http://www.portforward.com for instructions on how to do port forwarding. But don't forget that everything mentioned has to be working:
Web server listening to outside requests: This can be tested from the same internal network via the local network IP address (what you see when typing ipconfig in a command line console in Windows, or ifconfig in Linux). If you can connect from a different machine on the same network via the local IP address, this is solved.
Firewalls (in the router and on the web server machine) accepting connections to the web server port: For the firewall on the web server, the same test as above covers it.
Port forwarding, so the router forwards the requests received on the web server port to the web server machine: This gets tested in the same way as the firewall in the router, that is, you must have your friend (or yourself from your friend's house) try to connect to the dyn dns name you set up, or to the external IP as reported by whatsmyip.org.
This is all assuming your team mate is not on your same network; if he is, just using the local IP address (shown via ipconfig or ifconfig) instead of the external IP address and making sure the first step is covered (web server listening to outside requests) should be enough, and nothing else is needed!
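The layered check described in this answer, and the FileZilla-on-127.0.0.1 situation in the FTP question above, as an added PowerShell example (not from either post): it inspects what address the listener is bound to, then probes the port on each LAN address and on the external address. It assumes the port and an external hostname or IP that you supply; the external value is a placeholder.

```powershell
# Added check, not from the original answers. Walks the three layers in order:
# (1) is the service bound to a reachable address, (2) is it reachable on the LAN
# address (listener + host firewall), (3) is it reachable on the external address
# (router firewall + port forwarding). Uses only PowerShell 2.0 / .NET built-ins.
param(
    [int]$Port = 80,                                     # 21 for the FTP control port
    [string]$ExternalHost = "EXTERNAL-IP-OR-DYNDNS-NAME"  # placeholder, replace
)

# TCP connect with a timeout; returns $true when something accepted the connection.
function Test-TcpPort([string]$TargetHost, [int]$TargetPort, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $TargetPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Layer 1: listener binding. 127.0.0.1:port means nothing outside this machine can ever
# reach it, however the router is configured; 0.0.0.0 or the LAN IP is what is needed.
$listeners = netstat -ano -p tcp | Select-String -Pattern (":{0}\s+.*LISTENING" -f $Port)
if (-not $listeners) { Write-Host "No TCP listener on port $Port" }
else { $listeners | ForEach-Object { Write-Host ("Listener: " + $_.Line.Trim()) } }

# LAN IPv4 addresses of this machine, skipping loopback and APIPA.
$lanIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' -and $_ -notmatch '^(127\.|169\.254\.)' }

# Layer 2: reachable on the LAN address (covers binding and the host firewall).
foreach ($ip in $lanIps) {
    $ok = Test-TcpPort $ip $Port
    Write-Host ("LAN  {0}:{1} -> {2}" -f $ip, $Port, $(if ($ok) { "open" } else { "closed/filtered" }))
}

# Layer 3: reachable on the external address. Many home routers do not hairpin NAT,
# so a failure here from inside the LAN is not conclusive; repeat from outside.
$ok = Test-TcpPort $ExternalHost $Port
Write-Host ("WAN  {0}:{1} -> {2}" -f $ExternalHost, $Port, $(if ($ok) { "open" } else { "closed/filtered (verify from outside the LAN)" }))
```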
You most likely do not have your port 80 forwarded to your machine which is the reason he cannot connect when using the IP that was returned from whatismyip.com.
Assuming you're on a windows box... do
Start->Run->cmd then type
ipconfig
If your address starts with 192.x.x.x or 10.x.x.x this is your Local Area Network (LAN) IP. If this is the case, then your ISP provided you with a router. Look for a setting called port forwarding or "application setting" which allows you to forward all incoming traffic on your router to a particular IP address. Go into your router's configuration settings and make sure port 80 (and maybe 443 if you're using SSL) are forwarded to your local IP.
The other problem you mentioned is you do not have a static IP. This is a common problem and no you do not need to buy an address. There are several sites which can provide you a free dynamic dns host. Try no-ip.org.