
Cannot browse Internet after ISA 2004 install

Status
Not open for further replies.

sharper

MIS
Sep 4, 2001
109
IE
Hello,

I know the subject line is a bit simplistic but I couldn't fit the whole thing in. Here goes:

I'm currently upgrading an NT4 domain to Windows 2003 AD.

Here is the setup before upgrading:
1 x NT4 PDC (File and Print) called NTSERVER
1 x NT4 BDC (Exchange 5.5) called GPO
1 x NT4 Member (MS Proxy 2.0) called MSPROXY

I added a temporary NT4 BDC, promoted it to a PDC and upgraded it to Windows 2003 with Active Directory. I added two freshly installed Windows 2003 AD Domain Controllers (one called FILESRV1 and the other called EXCHANGE) and moved the FSMO and Global Catalog roles to FILESRV1. I ran DCPROMO on the upgraded NT4 PDC to remove it from the domain. I added a third Windows 2003 server, called WEBFILTER, as a member in the domain.

So here's my setup now:
FILESRV1 - win2k3 First DC running DHCP, DNS, WINS
EXCHANGE - win2k3 DC (will have Exchange 2003 installed soon)
WEBFILTER - win2k3 member
NTSERVER - nt4 BDC
GPO - nt4 BDC running Exchange 5.5

Before I installed DHCP all clients had static IP addresses.
I configured DHCP with the correct AD DNS domain name, local DNS server, WINS and Default Gateway (The firewall does NOT block any outbound traffic) and authorised it in AD and activated the scope. I configured each client to use DHCP and they all got a valid IP address.

All clients still had Internet connectivity and access to resources still on the NT4 servers. All the clients had the address for the MSPROXY server in the Internet Explorer setting for 'Use Proxy Server'. Nothing strange here.

Here's where it gets strange.

I wanted to decommission the MSPROXY server and move to ISA 2004 with Surfcontrol Webfilter installed. With MSPROXY still running and the clients still pointing to it in Internet Explorer I installed ISA 2004 on the w2k3 member server WEBFILTER. This server only has one network card (I only need ISA so I can install Surfcontrol) but because it is behind a firewall I don't need the firewalling function of ISA 2004. I had no problems installing ISA 2004 and, after adding a rule allowing all traffic outbound and enabling the cache, I could browse the Internet using the WEBFILTER as the proxy. I installed Surfcontrol on the ISA 2004 server with no problems and configured it to block Adult/Porn websites. This worked perfectly; when trying to access a website designated as Adult I got the Surfcontrol Deny page. So I confirmed that when Internet Explorer is set to use the new ISA 2004 server as its proxy, requests ARE being sent to it because I get the Surfcontrol deny page when trying to access any adult site from any client.

So what's the problem? Well I then wanted to decommission the old MSPROXY server so I shut the server down (without removing it from the domain or anything in case it was required for some other service). Now all internet web access stopped. No matter how the clients (or servers for that matter) were configured they could not browse the web. The only way to restore Web access is to start the Proxy 2 server. Below are the combinations I've tried:

On the new w2k3 DC (Static IP address with default gateway of firewall and DNS server set to itself):
With MSPROXY (Proxy 2.0) server off I can ping a domain name and it resolves the name and pings the external server with a reply. With Internet Explorer proxy unset (i.e. directly out) I get page cannot be displayed. With Proxy set to ISA server I get an ISA server error page saying access denied.
This is the same for every machine on the network.

With MSPROXY server on but services off I still can't browse (but can ping out and resolve DNS names) but I CAN browse from the console of MSPROXY when its Internet Explorer is set not to use a proxy server.

I've checked the Firewall and confirmed that there is a Rule which allows all traffic from the LAN to the WAN (which is borne out by the fact that I can resolve DNS, ping, send SMTP mail, telnet and the like).

I flushed the DNS resolver cache and the arp cache on machines with no effect.

When the services of MSPROXY are started again, Web access is available to all, even if they don't use a proxy and even if they use the ISA 2004 (WEBFILTER) server as a proxy.

I know this is a bit long-winded but I wanted to give as much information as possible.
Thanks for taking the time to read this and any suggestions will be greatly appreciated.

Regards,

Oscar McMahon
 