Cannot find web server from DC

  • Thread starter: Edwin

Edwin

Hi
I have a PDC running W2000 and a web server running W2k3. The web server
is located in the DMZ whereas the PDC is behind the firewall. When I tried to
search the web server from my PDC, it failed but it can find all other PCs
in the domain. The strange thing is that I can find the web server from any
other PCs in the domain, including the secondary DC, but just not from the
PDC. The web server can also find the PDC. We have checked the firewall
and we have not particularly blocked any ports from the PDC to the web
server.
What would be the possible reasons?

Edwin
 
remember that in ad there is no longer a pdc/bdc dynamic, all domain
controllers are peers. the closest thing in ad are the fsmo roles, but they
can be transferred to other dc's.
as far as your problem, can you access the web server by its ip address? is
the dc multihomed? is it running dns? have you modified the hosts file? do
you have trouble accessing other web sites? trouble accessing other dmz
machines?

Dan
 
Hi Dan
Thank you for your reply.
I can ping the IP of the web server. I can open the web page using the full
url from the PDC. What I can't do is browse the server in windows explorer.
The PDC is running dns. I do not have other machines inside DMZ. The
lmhosts file in the PDC is not modified.
Any idea on what is happening?

Edwin
 
Edwin said:
Hi
I have a PDC running W2000 and a web server running W2k3. The web
server is located in the DMZ whereas the PDC is behind the firewall.
When I tried to search the web server from my PDC, it failed but it
can find all other PCs in the domain. The strange thing is that I
can find the web server from any other PCs in the domain, including
the secondary DC, but just not from the PDC. The web server can also
find the PDC. We have checked the firewall and we have not
particularly blocked any ports from the PDC to the web server.
What would be the possible reasons?

Edwin

What do you mean by "find"?

If the web server is in a firewall DMZ, the only things that should
work from anywhere are whatever you've configured to be allowed to the
DMZ in the firewall configuration (the usual choices would be port 80
and perhaps 443, possibly FTP, plus whatever management option you
desired [TS/VNC/pcAnywhere/etc]).

If anything is allowed from the internal network to the DMZ and vice
versa, that's not a DMZ. You might be calling it one, but the whole
point of a DMZ is to isolate servers from both internal and external
access and only allow the bare minimum of connectivity.

The net result of this is you would by default only expect the internal
workstations to be able to browse the web server via
IE/Opera/Mozilla/etc using the same URLs that would work for external
access.

If one internal device is unable to reach the web server using the same
methods that work on another internal device, I'd start looking for
variations in the configuration of those devices - ie checking IP
configuration, DNS settings, etc.
 
o, so you cannot browse the web server's shares through network
neighborhood, right? do you have wins installed on the network? are both
machines configured as wins clients? getting cross-subnet browsing to work
reliably without wins can be an exercise in futility. i recommend
installing a wins server on your network (though try to avoid installing
wins on a rras server) and configuring all clients/servers to use it. unless
you are going to disable netbios over tcp/ip on your network, it is strongly
recommended that you deploy wins.

Dan
 
Dan
I already have wins installed. Finally I added an entry in the lmhosts file
and it worked.

Thanks
Edwin
 
you shouldn't have to add lmhosts entries if wins is set up properly and
clients are registering properly. is the web server multihomed? is it
registered in the wins database?

Dan
 