
Server 2008 R2 x64 - Having slow internet passthrough.

brackenan

Junior Member
Mar 20, 2012
8
0
0
Ok, here's the low-down.

Windows Server 2008 Enterprise R2 is DC, AD, DNS, and DHCP server and it's the only one I have.

I do have WSUS installed, but it's set to not download anything unless I specify it to.

This is a home network.

Internal Network Settings:
IP: 172.16.1.1
Mask: 255.255.0.0
DNS: loopback

External (Internet) Network Settings:
IP: 192.168.1.200
Mask: 255.255.255.0
DNS: 192.168.1.1

Now for my issue...

Even after a fresh, clean install and setting up Routing and Remote Access and NAT settings, dcpromo, my client computers' internet hangs for about 20 seconds on initial page loading, then it pops up.

However, if I set the clients to access my Internet via manual config, it loads instantly.

Also, I found a supposed "fix" for this on an alternate site that told me to set an option in Group Policy, but that only borked my internet up worse. Now, the clients can load any previously visited web pages with ease, but cannot load any other websites. Says page cannot be displayed. I undid the changes in Group Policy but it's still not working, even after gpupdate /force.

:confused:

Can anyone help me?

(I hope this all made sense to someone lol)
 

brackenan

Junior Member
Mar 20, 2012
8
0
0
The Group Policy setting, btw, was whether to automatically detect proxy settings or not. The site said to uncheck the Auto-detect feature.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Is there a reason you are using routing and remote access and not just using a proper router? I also see 2 private IP ranges indicating double NAT is likely going on.

Also RRAS is not really "supported" on a Domain Controller.

--edit--

I also see "DNS" 192.168.1.1 on there, that is also a "not supported" config for a Domain Controller. They should only have DNS settings in TCP/IP for Domain controlled DNS. Your delay could be a DNS loop timing out etc.
 

brackenan

Junior Member
Mar 20, 2012
8
0
0
Ok the double NAT would make sense.

But I'm curious, when I got my Networking Degree, my instructor told us to set up our network adapters as follows:

Example:

Internal:

IP:172.16.1.1
Mask: 255.255.0.0
Gateway: N/A
DNS: 127.0.0.1

External (for Internet access):

IP: 192.168.1.x
Mask: 255.255.255.0
Gateway: 192.168.1.1
DNS: 192.168.1.1

Is this incorrect? Should there be an alternate DNS setting as well looping back?

--edit--

Also, when using these settings with Server 2003, I never had any issues. So is Server 2008 R2 borked in some way?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
A Windows DC (2000, 2003 or 2008) should never reference DNS servers in TCP/IP other than itself or other DC / Domain joined DNS. Basically 2008 isn't borked, it should never be that way from the beginning. I can get into the detail if you want me to but there are lots of entries in the forum history about the issues it causes.

The DNS daemon on Windows server will handle the "outside/external" DNS. As for the lag, is this only on IE or does it happen on all apps? Try Firefox and if it connects right away it will likely be an IE discovery issue that needs to time out.
 

brackenan

Junior Member
Mar 20, 2012
8
0
0
> Try Firefox and if it connects right away it will likely be an IE discovery issue that needs to time out.

I use Firefox exclusively. So it probably has to do with the double NAT and the DNS setting for my external adapter.

I'm still having the issue to where I cannot access other web pages, except ones I've previously visited. I've checked everywhere in the Group Policy settings, under IE settings, but nothing is configured. So in theory, it should work without a hitch.

I'd really hate to have to reinstall the OS to my server, but it really wouldn't be that big of a deal. There's not a lot of stuff configured. But the real pain in reinstalling server would be my WSUS. I'm not too sure how to migrate those updates over. Do I just simply copy the folder the updates are stored in?
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Why are you dual-homing your server like that? Why are you using RRAS? Your topology stinks...
 

FiLeZz

Diamond Member
Jun 16, 2000
4,778
47
91
you need to put the forwarder in the DNS manager for DNS on the server
in the DNS console.

It needs to know to point to another DNS to resolve external addresses.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
> you need to put the forwarder in the DNS manager for DNS on the server in the DNS console.
>
> It needs to know to point to another DNS to resolve external addresses.

Not correct. It will use the roots if there is no forwarder.
 

brackenan

Junior Member
Mar 20, 2012
8
0
0
> Why are you dual-homing your server like that? Why are you using RRAS? Your topology stinks...

First off, thanks for your criticism.

Second, I'm not a server genius.

Third, this is the way I was taught to configure a DC. It was to be used as a router as well in order to separate the networks in the classroom. Now, whether this is the "right" way or not in a home/workplace application, I really don't know.

To work around (not necessarily fix) the issues I've been having, I've set up my DHCP to have my clients point directly to my Internet router, using the server as the alternate DNS. So far, everything is working as it should.
 

brackenan

Junior Member
Mar 20, 2012
8
0
0
My ideal network topology is as follows:

        Internet
           |
     Wireless router
           |
         Server
         /    \
   Client1    Client2

--So is this not right?

--Edit--

Also, I know the server should take the place of my wireless router but my current situation doesn't allow me to do that.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Ok now that we have an idea of what you are trying to do, are the clients in the class rooms supposed to use any of the DC functions? If yes, then you are going to have several issues with this setup.

Reason for issues:

DNS records that are required to resolve DC resources will only be on the DC. When the clients (and I mean when not if) decide to flip to the alternate DNS (secondary is a bad word, it infers that Windows will choose the 'primary' if it is available which is not true at all) and try to find the DC, they may get information from the ISP DNS which will go "I have no idea what you are talking about." Thing is that Windows considers a "I have no idea" DNS response as valid and will not automatically check with the other DNS servers in the list. Your clients will then fail randomly and have long delays accessing other resources.

You *MUST* only use DNS servers that have the entire Windows Domain information set only in DC joined computers. Servers and otherwise.

#2 DNS on Windows will register all the IP addresses on the RRAS interfaces. If some of those are inaccessible, you will again get time outs, and random failures. Since you are splitting the clients it is nearly 100% chance that some of those clients will try to access the inaccessible IP address causing sporadic delays and many Event errors in the logs complaining about GPO errors and the like.

If these clients do not need access to the DC, then using a DC like this is not worth your effort and better alternate would be a small firewall like an SRX or the like to split the network while doing single NAT.

Also the person who taught you to set a DC up like this really didn't know what they were doing. You are setting yourself up for a nightmare with that config.

*edit* also you really shouldn't ever put a DC "directly on the Internet." It will be "0wnED!" in a couple of days.
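
Added example (not part of the thread, and not Windows' own resolver code): a simplified Python model of the failover behaviour described in the post above, plus a check for non-domain DNS entries, using the thread's addresses. The domain name `corp.example`, the record data and the 1-second timeout are constructed assumptions.

```python
# Added illustration: simplified model of a DNS client walking its server list.
# corp.example, the record data and the 1 s timeout are constructed assumptions.
DC_SRV = "_ldap._tcp.dc._msdcs.corp.example"  # AD domain controller locator name

# What each server can answer. Only the DC's DNS holds the AD records.
SERVERS = {
    "172.16.1.1": {DC_SRV: "dc1.corp.example", "www.example.org": "203.0.113.10"},
    "192.168.1.1": {"www.example.org": "203.0.113.10"},  # router / ISP resolver
}


def resolve(name, server_list, unreachable=(), timeout_s=1):
    """Return (answer, answering_server, seconds_lost_to_timeouts)."""
    waited = 0
    for ip in server_list:
        if ip in unreachable:
            waited += timeout_s  # only a timeout moves on to the next server
            continue
        # Any reply ends the search, including NXDOMAIN ("no idea").
        return SERVERS[ip].get(name, "NXDOMAIN"), ip, waited
    return "TIMEOUT", None, waited


def audit_dns(host, dns_servers, domain_dns):
    """List DNS entries on a domain member that are not domain DNS servers."""
    return [f"{host}: {ip} is not a domain DNS server"
            for ip in dns_servers if ip not in domain_dns]


if __name__ == "__main__":
    # Workaround from the thread: router first, server as alternate DNS.
    print(resolve(DC_SRV, ["192.168.1.1", "172.16.1.1"]))
    # DC listed first but briefly unreachable: the client flips to the router.
    print(resolve(DC_SRV, ["172.16.1.1", "192.168.1.1"],
                  unreachable={"172.16.1.1"}))
    # Only domain DNS configured: the locator record resolves.
    print(resolve(DC_SRV, ["172.16.1.1"]))
    # The DC's external adapter from the first post points at the router.
    print(audit_dns("DC external NIC", ["192.168.1.1"],
                    {"127.0.0.1", "172.16.1.1"}))
```
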
 

brackenan

Junior Member
Mar 20, 2012
8
0
0
Ok thanks for the info!

So now my question would be, if I were to setup my DC as my network topology shows, how would the clients reach the internet without using RRAS?

And just to clarify, this is being setup in my home.

As to exactly why my Instructor taught us that way, I'm not exactly sure. The lab was supposed to teach us how to setup a DC with client computers connecting to it, then using Routing and Remote Access on the DC to get internet access to the client computers. Very simply, client>server>internet.

I was attempting to replicate this topology in my home. I also am trying to utilize WSUS and WDS for ease of installing Windows to clients and get all the Windows updates without taking forever to download them to each client on my slow 1 meg internet.

--edit--

Also (as an FYI), all my clients are joined to my domain.

So now, if this is incorrect, then, being able to use my DC in this manner, what would be the best topology to use in a home or workplace environment?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Typically you would use:


Code:
Internet ---- router/firewall ---- switch ---------------+
                                     |                   |
                                   Server             Clients

Example [only for the theory]:

Internet IP
IP: 12.34.56.78
DNS: 12.34.56.79
Gateway: 12.34.56.1

router / firewall inside address:

IP: 192.168.1.1/24
DNS: <varies depending on device>

Server:
IP: 192.168.1.2 /24
DNS: 192.168.1.2
Gateway: 192.168.1.1

Client:
IP: 192.168.1.50-100 /24 (use DHCP for this part)
DNS: 192.168.1.2
Gateway: 192.168.1.1


The server will forward DNS requests to the internet as needed. You have zero need for RRAS in this setup.

As for WSUS you would simply use GPO to point your clients at "192.168.1.2" or "mydomainserver.home.net" or whatever you are using for a domain name.

Hopefully this makes sense.
 

brackenan

Junior Member
Mar 20, 2012
8
0
0
Code:
Internet ---- router/firewall ---- switch ---------------+
                                     |                   |
                                   Server             Clients

I am now using this network topology, disabled Routing and Remote Access, and made sure my GPO was set right in order for WSUS to work correctly.

Everything is now working perfectly!!

My network setup is now:

Internet IP
<irrelevant>

router:
IP: 172.16.1.1/16

Server:
IP: 172.16.0.1/16
DNS: 172.16.0.1
Gateway: 172.16.1.1

Client:
IP: 172.16.1.20-100 /16 (use DHCP for this part)
DNS: 172.16.0.1
Gateway: 172.16.1.1

I am using the class B address in order to better troubleshoot any potential problems. My garage computer is set to 172.16.2.x. I know this may seem impractical but I'm trying to get used to large-scale networks. If only I had a Cisco switch, I'd setup vlans if I could lol! I've never setup vlans so I've always wanted to try and I've always got my eye out for any Cisco switches with that ability so I can learn how.

Thank you so much for the info!! I really appreciate it!! :biggrin:

--edit--

Also, with this setup, I could potentially use my router's DHCP to assign address, right? Rather than my server?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
You could use the router's DHCP but if you're trying to learn, use Windows DHCP. That is by far the most common DHCP server in a Windows-centric environment. Adding vlans and routers is the next logical step. In classed convention it would be called subnetting a class b network. Classless it is just "subnetting."