New disgruntled SBS 2008 premium user

We got a Dell T310 PowerEdge with SBS 2008 Premium Wednesday Nov, 4th, 2009.
Started up the machine and went through the configuration.
The SBS2008 console came up and I tried the "Connect to Internet" and it
fails. They
want us to disable our NAS dhcp and I can't do that because it's our
security appliance.
Why don't they give you a choice?

The updates stopped on Nov 5th, 2009. I can't get anymore. It brings up an
error
code: code 80072EFD

In article <O#>,
says...
>
> We got a Dell T310 PowerEdge with SBS 2008 Premium Wednesday Nov, 4th, 2009.
> Started up the machine and went through the configuration.
> The SBS2008 console came up and I tried the "Connect to Internet" and it
> fails. They
> want us to disable our NAS dhcp and I can't do that because it's our
> security appliance.
> Why don't they give you a choice?

Why would you not be able to disable your DHCP on the NAS - it certainly
doesn't need it.

None of the firewalls we use have DHCP enabled on them?

If you didn't understand that SBS, to work properly, needs to be the
DHCP and DNS server then you should have researched a little more before
buying it.

You CAN force it to play nice without it being the DHCP/DNS server, but
you really don't want to do that - unless you know enough to manage SBS
2008 without using the wizards - and I would not even try that myself
for a customer install.



--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
(remove 999 for proper email address)

"john doe" <> wrote in message
news:O%...
> We got a Dell T310 PowerEdge with SBS 2008 Premium Wednesday Nov, 4th,
> 2009.
> Started up the machine and went through the configuration.
> The SBS2008 console came up and I tried the "Connect to Internet" and it
> fails. They
> want us to disable our NAS dhcp and I can't do that because it's our
> security appliance.
> Why don't they give you a choice?
>
> The updates stopped on Nov 5th, 2009. I can't get anymore. It brings up an
> error
> code: code 80072EFD
>
>
>


As others mentioned, you do not need DHCP on an edge device, such as a
firewall or security device. Keep in mind with Active Directory ("AD" which
is the core component with SBS), it relies on DNS. This means that AD
registers info in DNS that is important to "find" the domain. All clients
must only use the SBS as their DNS address in their NIC properties. This
includes the server. It must only point to itself for DNS.

If using any other address as a DNS address, such as an ISP's DNS, or the
router/firewall/security device's IP address, then I will guarantee my
yearly salary that you will have problems.

Also with DHCP, when a client receives an IP configuration from Microsoft
DHCP, it is designed to register that info into DNS. Microsoft DHCP works
hand in hand with Kerberos authentication to register this info into DNS
(using the default Secure Updates setting on the zone's properties). Routers
do not support this security feature.

If the router (NAS security device or whatever you want to call it) is
giving out DHCP, first, it's probably giving out some other DNS address to
the clients, so that won't work. Second, the device probably, more than
likely, does not support DNS DYnamic Updates, and if it does, it will not
support Kerberos authentication for security.

It's to your advantage to disable DHCP on that device, and let SBS handle
it. Otherwise, as said, you will have problems and probably be posting back
asking how to fix it.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

john doe wrote:
> We got a Dell T310 PowerEdge with SBS 2008 Premium Wednesday Nov, 4th, 2009.
> Started up the machine and went through the configuration.
> The SBS2008 console came up and I tried the "Connect to Internet" and it
> fails. They
> want us to disable our NAS dhcp and I can't do that because it's our
> security appliance.
> Why don't they give you a choice?
>
> The updates stopped on Nov 5th, 2009. I can't get anymore. It brings up an
> error
> code: code 80072EFD
>
>
>
While there is a way to use an external DHCP router, do yourself a huge
favor and don't be disgruntled and let the DHCP be running on the Server.

DNS/RWW, so many things will run better if you let the box do what it
wants to do.

"Frankster" <> wrote in message
news: ...
>
> "Ace Fekay [MCT]" <> wrote in message
> news:%...
>> "john doe" <> wrote in message
>> news:O%...
>>> We got a Dell T310 PowerEdge with SBS 2008 Premium Wednesday Nov, 4th,
>>> 2009.
>>> Started up the machine and went through the configuration.
>>> The SBS2008 console came up and I tried the "Connect to Internet" and it
>>> fails. They
>>> want us to disable our NAS dhcp and I can't do that because it's our
>>> security appliance.
>>> Why don't they give you a choice?
>>>
>>> The updates stopped on Nov 5th, 2009. I can't get anymore. It brings up
>>> an error
>>> code: code 80072EFD
>>>
>>>
>>>
>>
>>
>> As others mentioned, you do not need DHCP on an edge device, such as a
>> firewall or security device. Keep in mind with Active Directory ("AD"
>> which is the core component with SBS), it relies on DNS. This means that
>> AD registers info in DNS that is important to "find" the domain. All
>> clients must only use the SBS as their DNS address in their NIC
>> properties. This includes the server. It must only point to itself for
>> DNS.
>>
>> If using any other address as a DNS address, such as an ISP's DNS, or the
>> router/firewall/security device's IP address, then I will guarantee my
>> yearly salary that you will have problems.
>>
>> Also with DHCP, when a client receives an IP configuration from Microsoft
>> DHCP, it is designed to register that info into DNS. Microsoft DHCP works
>> hand in hand with Kerberos authentication to register this info into DNS
>> (using the default Secure Updates setting on the zone's properties).
>> Routers do not support this security feature.
>>
>> If the router (NAS security device or whatever you want to call it) is
>> giving out DHCP, first, it's probably giving out some other DNS address
>> to the clients, so that won't work. Second, the device probably, more
>> than likely, does not support DNS DYnamic Updates, and if it does, it
>> will not support Kerberos authentication for security.
>>
>> It's to your advantage to disable DHCP on that device, and let SBS handle
>> it. Otherwise, as said, you will have problems and probably be posting
>> back asking how to fix it.
>>
>> --
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit
>> among responding engineers, and to help others benefit from your
>> resolution.
>>
>> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
>> 2003/2000, MCSA Messaging 2003
>> Microsoft Certified Trainer
>>
>> For urgent issues, please contact Microsoft PSS directly. Please check
>> http://support.microsoft.com for regional support phone numbers.
>>
>
> Can't dissagree with anything you've said. this is the way is was designed
> to work. Of course.
>
> However....
>
> Although the OP didn't say, perhaps what happened is that he had not got
> the authority to change the DHCP server machine for his entire corporate
> network? Who knows. Sometimes there may be orginizaion/polital issues
> with exactly who runs/operates DHCP servers on the network.
>
> There are still ways this can work without the DC (SBS or otherwise) being
> the DHCP server.
>
> Recently, I was on a client site for a "hit-n-run" problem fix and I
> discovered that the workstations were all using the consumer router's DHCP
> and DNS server. They had a 2000 DC server and all machines were members
> of the domain. I went to the DC and removed the "." zone (never should
> have been that way to begin with) and inserted a forwarding IP (the
> consumer router LAN IP) and as I attempted to configure the DHCP service
> on the DC (was never configured) I got a Windows error that would not
> allow me to configure it. I was faced with troubleshooting this (at a
> charge that I'm not sure they would want to accept) or fix this condition
> some other way. I chose to configure each workstation (only 5 of 'em) to
> "obtain IP address automatically" from the router, but then I assigned the
> DNS server manually (the IP of the DC). All worked out well. This should
> also work for an SBS installation - unless - they are relying on the SBS
> machine's functionality to assign incoming connection DHCP requests. Many
> orginizations do not use this feature of SBS. Just depends on the
> functionality required.
>
> Just some thoughts...
>
> -Frank


That was a good "however." :-)

As Susan and you mentioned, there are ways around it by either configuring
the DHCP service on the router to provide the SBS as DNS, and WINs (if using
WINS), but not all router DHCP services support WINS. One thing that many
don't support is Option 086 (Dynamic DNS Updates). One of the draw backs is
duplicate DNS registrations, that is if the administrator correctly provides
the internal DNS. Doing it manually on a client (I try to avoid 'manual'
tasks!), by putting in the SBS address for DNS, at least the client can
update its own IP, since it owns its own record, but if the router,
firewall, etc, is used, that may not be the case.

And yep, politics can surely be involved. Funny, (not laughing funny) how
politics plays a big role in IT, but then again, it's what keeps IT in
business.

Ace