Thursday, July 12, 2007

Another Microsoft Conundrum Solved

Here's the scenario:

1. Windows MMIII Server running IIS, multi-homed with 2 NICs, some web sites running on IP Addresses on one NIC, others running on IP Addresses on the other. This was originally set up so that password-protected web sites could be authenticated through a WebSense LDAP call. This server hosts our Intranet web sites.

2. No longer using WebSense and the Networking group wants to replace and get rid of old routers and switches.

3. The server will now run all web sites through one NIC.

Here's what I did:

1. Deleted the IP Address of the NIC which was routed through WebSense. After doing that, I deactivated the NIC.

2. Entered the IP Addresses from the now-deactivated NIC onto the other.

3. Changed the subnet mask and the default router on the one working NIC. Turned off Routing and Remote Access because the static routes that service handled were no longer needed.

4. Restarted the Server.

At this point, I expected everything to route where it was supposed to and we could call it a night after 15 minutes work. Ah, but that was not to be. Computers in the same subnet as the server could access the web sites correctly. But, those which were in other subnets (across the router) could not get the web sites.

I went through and double-checked the IP Addresses, subnet mask, and default gateway on the server. All was correct. I also ran route print to make sure there wasn't anything hanging on from the old routing. There wasn't. I also restarted the server numerous times. (Microsoft Troubleshooting Lesson 1: Always reboot first before doing anything else.)

The networking guys checked, rechecked and checked again all the routing info in the routers and switches which the server's traffic would have to cross.

The interesting twist on this, by the way, was that the server's non-HTTP traffic going across the router worked just fine. It could get its dynamic content from the 2 database servers which are each in a different subnet, and it could make the AD LDAP calls for authentication.

Total mystery.

We spent the better part of 2 1/2 hours checking, rechecking, adjusting and changing settings trying to get this server to give its web pages to everyone needing access to them. No luck.

Finally, one of the networking guys, who was very frustrated, suggested we remove all the IP Addresses off the working NIC and reenter them.

I did that and everything started working. I didn't even have to restart the server again.

So, if anyone out there needs to "un-multi-home" a Windows server, don't just enter the old IP Addresses on the other NIC, remove all the IP Addresses and start over.

One more piece of advice: Remember which was the first IP address you entered on the working NIC and don't take that one off. In our scenario, that was the only IP address which seemed able to communicate across routers. There is something about the first NIC and the first IP Address entered on that NIC that's magical. I'm thinking about my other experience with that IP/NIC problem.
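The "remove everything except the first address and re-enter it" advice above, scripted as an added example that is not part of the original post. It assumes a current Windows Server with the NetTCPIP PowerShell module (on the Windows 2003 box in the post this would be done in the TCP/IP Advanced properties dialog or with netsh instead); `$InterfaceAlias` and `$PrimaryAddress` are supplied by the admin, since nothing in the stack marks which address was entered first.

```powershell
# Added example (not from the original post). Assumes Windows Server 2012+ with NetTCPIP.
# Re-enters every static IPv4 address on one NIC except the first-entered (primary) one,
# which the post found to be the only address that reliably spoke across routers.
param(
    [Parameter(Mandatory)] [string] $InterfaceAlias,   # e.g. "Ethernet" (placeholder)
    [Parameter(Mandatory)] [string] $PrimaryAddress    # the first address entered on the NIC
)

# Snapshot the static addresses so they can be re-added exactly as they were.
$current = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Manual' }

if (-not ($current.IPAddress -contains $PrimaryAddress)) {
    throw "Primary address $PrimaryAddress is not configured on $InterfaceAlias; aborting."
}

$secondaries = $current | Where-Object { $_.IPAddress -ne $PrimaryAddress }
$backup = $secondaries | Select-Object IPAddress, PrefixLength

# Keep an on-disk copy in case the session drops midway through the change.
$backup | Export-Csv -Path ".\ip-backup-$InterfaceAlias.csv" -NoTypeInformation

# Remove only the secondaries; the primary address and its default gateway stay put.
foreach ($a in $secondaries) {
    Remove-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $a.IPAddress -Confirm:$false
}

# Re-enter the same addresses with the same prefix lengths.
foreach ($a in $backup) {
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $a.IPAddress `
        -PrefixLength $a.PrefixLength | Out-Null
}

# Show the resulting configuration so it can be compared against the backup file.
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Format-Table IPAddress, PrefixLength, PrefixOrigin
```

Run it from the server console or over a session bound to the primary address, because every connection to a removed secondary address is dropped the moment it is removed.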
