
Help Trouble shooting remote Access - OWA and Remote work place

Asked By John
23-Jan-10 08:10 AM
Hi,
1. We run a SBS 2003 R2 system, yesterday for some reason OWA (& remote
work place) stopped working

2. Access to the Internet from inside the network still works fine, as well
as exchange ( I did not check to see if I could get to OWA from inside the
network - yet)

3. I rebooted the server with no avail as well as installing updates and
restarting - still no remote access

4. Server was never setup with public SSL key...so I always would get the
error message in IN re:The security certificate presented by this website was
not issued by a trusted certificate authority.

5. I still get the above message - so it does seem like I am connecting to
the box from the outside - then we just get the IE can not display web page

6. Any thoughts as to trouble shooting

7. It does not seem that VPN is allowing for connectivity as well.

Thank you
John


Merv Porter [SBS-MVP] replied to John
23-Jan-10 10:09 AM
Any errors in the event logs on the server?

Maybe run a scan with the SBS 2003 BPA and fix any problems it finds.

Microsoft Windows Small Business Server 2003 Best Practices Analyzer
http://www.microsoft.com/downloads/details.aspx?familyid=3874527A-DE19-49BB-800F-352F3B6F2922&displaylang=en

Have you re-run CEICW?

--
Merv  Porter   [SBS-MVP]
============================


Russ SBITS.Biz [SBS-MVP] replied to Merv Porter [SBS-MVP]
23-Jan-10 12:46 PM
Like Merv said Re Run the CEICW
and the VPN wizard (Set up Remote Connections)
In addition make sure your firewall has these ports forwarded to your SBS
25
443
444
4125
1723
and 3389 if you do remote maintenance.

The error you get that the certificate is not trusted is probably because
you are using the SBS Self Signed Certificate.
Look at the Certificate (and VIEW it) and check the date; it may be expired.
If that is the case re run CEICW and re create the self signed certificate.
(you will have to re install the cert on Remote PC's that are using RPC over
HTTPS)

If you do not want to use the SBS Self Signed Certificate, you can purchase a
Third party Cert from Godaddy (the cheap one)
and then you will not get the error.

And of course like Merv Said Download and run the Best Practices Analyzer.

In addition Check to see if you can get to OWA and RWW Internally
If you cannot then there is something amiss in IIS
Open IIS and see if the sites are running.
(May even try running iisreset from a command prompt and see if that
restarts things.)

Russ



--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
24hr SBS Remote Support - http://www.SBITS.Biz
Microsoft Online Services - http://www.microsoft-online-services.com


John replied to John
24-Jan-10 09:52 AM
Hi Merv & Russ,


I ran both the BPA and the CEICW tools


1. The BPA did not really show any issues which seemed to be causing the
remote access errors

2. I ran the connect to Internet wizard - I got an error at the end of the
wizard....saying that email failed to be configured properly - I did not see
anything which expanded to say why there was a problem

3. Other _ I was able to get to OWA from inside the network - just not
externally

4. Checked Event logs
1st - DNS error

Event Type:	Error
Event Source:	DNS
Event Category:	None
Event ID:	4015
Date:		1/24/2010
Time:		9:14:00 AM
User:		N/A
Computer:	APOLLO1
Description:
The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error
debug information (which may be empty) is "". The event data contains the
error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 51 00 00 00               Q...

2nd DNS error

Event Type:	Error
Event Source:	DNS
Event Category:	None
Event ID:	4004
Date:		1/24/2010
Time:		9:14:00 AM
User:		N/A
Computer:	APOLLO1
Description:
The DNS server was unable to complete directory service enumeration of zone
..  This DNS server is configured to use information obtained from Active
Directory for this zone and is unable to load the zone without it.  Check
that the Active Directory is functioning properly and repeat enumeration of
the zone. The extended error debug information (which may be empty) is "".
The event data contains the error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..


3rd error

Event Type:	Error
Event Source:	DNS
Event Category:	None
Event ID:	4004
Date:		1/24/2010
Time:		9:14:00 AM
User:		N/A
Computer:	APOLLO1
Description:
The DNS server was unable to complete directory service enumeration of zone
_msdcs.apollosolar.local.  This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone
without it.  Check that the Active Directory is functioning properly and
repeat enumeration of the zone. The extended error debug information (which
may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..


4th error
Event Type:	Error
Event Source:	DNS
Event Category:	None
Event ID:	4004
Date:		1/24/2010
Time:		9:14:00 AM
User:		N/A
Computer:	APOLLO1
Description:
The DNS server was unable to complete directory service enumeration of zone
1.168.192.in-addr.arpa.  This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load the zone
without it.  Check that the Active Directory is functioning properly and
Merv Porter [SBS-MVP] replied to John
24-Jan-10 12:22 PM
Please post the results of an   ipconfig /all  for the SBS server.

--
Merv  Porter   [SBS-MVP]
============================
Merv Porter [SBS-MVP] replied to John
24-Jan-10 12:25 PM
Let's also take a look at the CEICW log file when CEICW fails....

C:\Program Files\Microsoft Windows Small Business Server\Support\icwlog.txt

First delete or rename icwlog.txt.  (This will allow a fresh copy of the
file to be created when you run CEICW).  Then re-run CEICW and post the
resultant icwlog.txt file for us to look at (just copy and paste into your
reply).


--
Merv  Porter   [SBS-MVP]
============================
John replied to Merv Porter [SBS-MVP]
24-Jan-10 07:41 PM
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd c:\

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : APOLLO1
Primary Dns Suffix  . . . . . . . : apollosolar.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : apollosolar.local

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.33
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-1C-23-BF-B8-FA
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.2
Primary WINS Server . . . . . . . : 192.168.1.2

Ethernet adapter Network Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
Physical Address. . . . . . . . . : 00-1C-23-BF-B8-FC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.163.7
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.2
Primary WINS Server . . . . . . . : 192.168.1.2

C:\>
John replied to Merv Porter [SBS-MVP]
24-Jan-10 07:46 PM
1/24/2010 9:11 AM
C:\Program Files\Microsoft Windows Small Business
Server\Networking\ICW\wizemail.dll, version 5.2.2893.0
calling CEmailCommit::ValidatePropertyBag ().
calling pdispPPPBag->QueryInterface (IPropertyPagePropertyBag, 0x6e50c).
Call to pdispPPPBag->QueryInterface () returned ok.
calling ReadInt4 (0x1724750, DB5E5E45-3598-4F1D-8FF7-0ED35B9EB6A4).
Call to ReadInt4 () returned ok.
The out param of ReadInt4() is -1.
calling CValidatePropertyUtil.ValidatePropertyInteger ().
Call to CValidatePropertyUtil.ValidatePropertyInteger () returned ok.
Call to CEMailCommit::ValidatePropertyBag () returned ok.
calling CNetCommit::Commit (24266576).
calling CNetCommit::ValidatePropertyBag ().
Call to Querying for the property bag () returned ok.
Property bag is not dirty, skipping validation
calling CNetCommit::Common ().
calling CNetCommit::GetLanNicInfo ().
LAN NIC Guid: {693E7103-11EC-4B14-A01C-85DC96A98854}
Call to Converting LAN NIC Guid () returned ok.
Call to Getting IP address for the LAN NIC () returned ok.
Call to Reading in the LAN NIC info () returned ok.
Call to Fixing the TCP/IP NIC Binding order () returned ok.
Dhcp server is installed and not disabled
Call to Set DHCP Server to start up automatically () returned ok.
DNS server is installed and not disabled
Call to Changing startup type for DNS () returned ok.
Call to Clearing DNS server entries on the LAN NIC () returned ok.
Call to Setting DNS server IP for the LAN NIC () returned ok.
Call to Resetting DNS recursion timeout () returned ok.
Call to Resetting client dns query timouts in config.dat () returned ok.
Call to DsGetDcName for local domain name () returned ok.
Call to Disabling RRAS routing () returned ok.
calling CNetCommit::DoRouter ().
Call to Clearing the default gateway on the LAN NIC () returned ok.
Call to Setting default gateway on the LAN NIC () returned ok.
Call to Setting DNS forwarders () returned ok.
Call to Preparing DNS for DNS listener reset () returned ok.
Call to Resetting DNS listeners () returned ok.
URL to the router is http://192.168.1.1
Call to Adding routers IP address to the intranet zone () returned ok.
Call to CNetCommit::DoRouter () returned ok.
Call to Configuring for router connection () returned ok.
calling ConfigureIE ().
calling SetInternetOptions ((null), (null), (null)).
calling InternetSetOptionA (NULL, INTERNET_OPTION_PER_CONNECTION_OPTION).
Call to InternetSetOptionA () returned ok.
Call to SetInternetOptions () returned ok.
calling InternetSetOption_AutodialConnection ().
Call to InternetSetOption_AutodialConnection () returned ok.
calling InternetSetOption_AutodialMode (4).
Call to InternetSetOption_AutodialMode () returned ok.
calling InternetSetOption_DisableAutodial (0).
Call to InternetSetOption_DisableAutodial () returned ok.
Call to ConfigureIE () returned ok.
Call to Configuring IE for router connection () returned ok.
Call to Notifying client setup for Default gateway as the router () returned
ok.
calling RegisterMSBOExchangeBP (0).
Error 0x1 returned from call to RegisterMSBOExchangeBP().
Call to Unregistering the smtp sink () returned ok.
Call to GetLocalDomainName () returned ok.
Call to Reading in the local domain name () returned ok.
Local Domain Name is: apollosolar.local
Call to Enabling secure dynamic DNS updates () returned ok.
Call to Disabling RoundRobin for DNS server () returned ok.
Call to GetLocalDomainName () returned ok.
Call to Configuring DHCP options () returned ok.
Call to Disabling the RASUTO service () returned ok.
Call to Configuring w32time parameters for fulltime () returned ok.
Call to Configuring the time service () returned ok.
Call to Notifying RWW for ISA () returned ok.
Call to CNetCommit::Common () returned ok.
Call to CNetCommit::Commit () returned ok.
calling CRFireCommit::CommitEx (0x1724750).
calling CRFireCommit::ValidatePropertyBag (0x1724750).
Call to This is a Router Single Nic configuration only Web Publishing will
be configured, Basic Firewall will not be configured. () returned ok.
Call to Reading web publishing selection () returned ok.
Call to Reading OWA publishing selection () returned ok.
Call to Reading RUP publishing selection () returned ok.
Call to Reading Monitoring publishing selection () returned ok.
Call to Reading OMA publishing selection () returned ok.
Call to Reading RPC publishing selection () returned ok.
Call to Reading Companyweb publishing selection () returned ok.
Call to Reading ROOT publishing selection () returned ok.
Web publishing selections:
OWA publishing: 1
RUP publishing: 1
Monitoring publishing: 1
OMA publishing: 1
RPC publishing: 1
Companyweb publishing: 0
ROOT publishing: 0
Call to CRFireCommit::ValidatePropertyBag () returned ok.
Call to GetPrivateNICGuid () returned ok.
Call to GetIPAddress for private nic () returned ok.
Call to GetSubnetMask for private nic () returned ok.
RUP is published
Call to Fixing the inheritance for root dir () returned ok.
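
Added example, not part of the original posts: a small Python scan that counts the "returned ok" entries in an icwlog.txt and pulls out every "Error 0x... returned from call to ..." entry, so the failing CEICW step stands out from the successes. The sample log is constructed in the shape of the excerpt above, and the function and variable names are this example's own.

```python
import re

# Constructed sample, shaped like the icwlog.txt excerpt in this thread
# (the last entry is wrapped across two lines, as pasted forum text often is).
SAMPLE_LOG = """\
calling CNetCommit::DoRouter ().
Call to CNetCommit::DoRouter () returned ok.
calling RegisterMSBOExchangeBP (0).
Error 0x1 returned from call to RegisterMSBOExchangeBP().
Call to Unregistering the smtp sink () returned ok.
Call to Notifying client setup for Default gateway as the router () returned
ok.
"""

# \s+ between words tolerates hard line wraps inside an entry.
ERROR_RE = re.compile(
    r"Error\s+(0x[0-9A-Fa-f]+)\s+returned\s+from\s+call\s+to\s+([^()]+?)\s*\(\)")
OK_RE = re.compile(r"Call\s+to\s+[^()]+?\(\)\s+returned\s+ok\.")
CALLING_RE = re.compile(r"^calling\s+(.+?)\s*\((.*?)\)\.", re.M)


def scan_icwlog(text):
    """Return (ok_count, failures); each failure has line, code, call, args."""
    # Remember the arguments of each 'calling NAME (args).' line, keyed by name.
    args_by_call = {m.group(1): m.group(2) for m in CALLING_RE.finditer(text)}
    failures = []
    for m in ERROR_RE.finditer(text):
        call = " ".join(m.group(2).split())  # collapse any wrap inside the name
        failures.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "code": int(m.group(1), 16),
            "call": call,
            "args": args_by_call.get(call),
        })
    return len(OK_RE.findall(text)), failures


if __name__ == "__main__":
    ok_count, failures = scan_icwlog(SAMPLE_LOG)
    print(f"{ok_count} calls returned ok, {len(failures)} failed")
    for item in failures:
        print(f"line {item['line']}: {item['call']}({item['args']}) "
              f"-> 0x{item['code']:x}")
```
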
Merv Porter [SBS-MVP] replied to John
24-Jan-10 09:02 PM
You've got 2 NICs in the SBS server.  Do you use both of them?  or is this
just a single NIC SBS with the NIC connecting to a port on a switch or the
router?

If a single NIC, turn off DHCP service on the router and re-run CEICW to
allow SBS to handle DHCP service for the internal LAN.  It may be best to
turn off the second NIC in the BIOS or at least disable it in Device
Manager.

If a 2 NIC SBS setup, you are not getting an IP address on your second NIC
(the one that goes to the router or broadband modem).  Use Static IP
addresses for both SBS NICs and set up per the following diagram:

Two Nics, a dynamic IP address, ISA and a router
(the diagram applies with or without ISA installed)
http://www.smallbizserver.net/Default.aspx?tabid=266&PageID=352&articleType=ArticleView&articleId=74

Then turn off DHCP service on the router and re-run CEICW to allow SBS to
handle DHCP service for the internal LAN and set up for 2 NIC operation.

--
Merv  Porter   [SBS-MVP]
============================
Jim Behning SBS MVP replied to John
24-Jan-10 08:59 PM
If you are trying to do a two nic server the second nic does not have
a valid ip.
Jim Behning SBS MVP replied to John
24-Jan-10 09:02 PM
If my post ever makes it the second nic should be disabled as it looks
like you are trying to do a one nic server. That guess is based on the
fact the lan nic has a gateway and the dns and wins is pointing to the
same nic.
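
Added example, not part of the original posts: the two checks Merv and Jim apply to the `ipconfig /all` output, written as a Python parser. It marks an adapter whose only address is in 169.254.0.0/16 (autoconfiguration, no DHCP lease) and an adapter that has a default gateway and lists itself as DNS server. The sample text is constructed in the shape of the output posted above, and the function names and labels are this example's own.

```python
import ipaddress
import re

# Constructed sample, shaped like the `ipconfig /all` output in this thread.
SAMPLE = """\
Ethernet adapter Server Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.2

Ethernet adapter Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.163.7
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.2
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
HEADER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s*(.+?)[ .]*:\s*(.*)$")  # strips the dot leaders


def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
        elif current is not None and (field := FIELD_RE.match(line)):
            current[field.group(1)] = field.group(2).strip()
    return adapters


def classify(adapters):
    """Label each adapter 'link-local', 'lan' (gateway set, DNS is itself) or 'other'."""
    labels = {}
    for name, fields in adapters.items():
        raw = fields.get("IP Address") or fields.get("Autoconfiguration IP Address", "")
        try:  # newer Windows appends "(Preferred)" to the address
            addr = ipaddress.ip_address(raw.split("(")[0].strip())
        except ValueError:
            addr = None
        if addr and addr in LINK_LOCAL:
            labels[name] = "link-local"
        elif addr and fields.get("Default Gateway") and \
                str(addr) in fields.get("DNS Servers", "").split():
            labels[name] = "lan"
        else:
            labels[name] = "other"
    return labels
```
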