Small office with Domain, DNS problem

Carl84

Junior Member
Jan 8, 2012
21
0
0
Hi Everyone,

I am the IT-Admin at our small office. IT is not my main work task but an "extra", since we are a small office with only 9 people :p.

We have an HP ProLiant server (Win2k3) acting as a DC running AD, a Cisco firewall and an HP router/switch.

Now to the problem. When everyone is at the office, all computers are connected to our domain, but there's often one computer without internet access. When I diagnose the problem on the client it says DNS problem. I have added Google's DNS 8.8.8.8 to the client's network settings and now it's working. I have heard that you should never add external DNS to a domain.

I just started working here a few weeks ago, so I did not set up the whole system. It is random clients that get the "No internet access".
Why do I have these DNS-problems?
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,227
126
I would think that you would and should use the AD server for DNS too.

Check and make sure that whatever is doing DHCP has enough reservation slots for all of your workstations.

Are you using wireless at all? Possibly someone is taking up extra DHCP slots on a wireless connection? (iPhone, etc.)
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
The most common causes of intermittent DNS connectivity problems are clients having multiple DNS servers with at least one being external and having multiple A records for the same domain controller in your internal DNS.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Check how many inside hosts your Cisco firewall is licensed for.
 

Carl84

Junior Member
Jan 8, 2012
21
0
0
Thanks for your fast replies.

There is a wireless router as well, connecting 2 laptops and some smartphones.
In total there are not more than 15 users, and DHCP is ranged from .100-160.

The server is acting as DNS; there is no DNS option for my Wi-Fi router (Linksys).

Multiple DNS-servers on one of the clients is what is currently making internet on that client work. Should I change it back and check that all computers are using only the DC as DNS?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Thanks for your fast replies.

There is a wireless router as well, connecting 2 laptops and some smartphones.
In total there are not more than 15 users, and DHCP is ranged from .100-160.

The server is acting as DNS; there is no DNS option for my Wi-Fi router (Linksys).

Multiple DNS-servers on one of the clients is what is currently making internet on that client work. Should I change it back and check that all computers are using only the DC as DNS?

Yes, or that client will eventually be unable to connect to the domain controller. There are likely errors to that effect in the event logs already. Verify the machine account is enabled and that the event log is not complaining about not being able to locate domain resources. After that you can do some nslookup work to see why the computer can't seem to resolve the outside world.
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
Yes, or that client will eventually be unable to connect to the domain controller. There are likely errors to that effect in the event logs already. Verify the machine account is enabled and that the event log is not complaining about not being able to locate domain resources. After that you can do some nslookup work to see why the computer can't seem to resolve the outside world.

Yup, Active Directory requires that client computers use the Domain's own DNS servers to access Active Directory Services properly. So the ideal situation is to have clients request DNS from your DNS server, then have your DNS server forward requests to Google, OpenDNS, Verizon/Level3 or use root hints.

Configure the client to use your DNS server, reboot the client, flush the DNS cache (ipconfig /flushdns) and then try pinging.
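The check behind the advice above (clients must point only at the domain's DNS, never at a public resolver) can be scripted against the output of `ipconfig /all` taken from each workstation. The following is an added example, not code from the thread or from any product mentioned in it; the DC address 192.168.1.10, the `office.example` suffix and the `ipconfig /all` sample text are all constructed for the example.

```python
"""Audit which DNS servers a Windows client is using, from `ipconfig /all`.

Active Directory clients must resolve only through the domain's DNS
servers: a public resolver mixed into the list can answer first and fail
the _ldap._tcp.<domain> lookups the client needs to locate its DC, which
produces exactly the intermittent "DNS problem" symptom in the thread.
"""
import ipaddress
import re

# Hypothetical address of the domain controller's DNS service (assumption).
DOMAIN_DNS_SERVERS = {"192.168.1.10"}

# Constructed `ipconfig /all` output for a client that was "fixed" by
# adding Google's resolver as a second DNS server.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-07
   Primary Dns Suffix  . . . . . . . : office.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : office.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.107
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       8.8.8.8

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
"""


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [DNS server, ...]} parsed from `ipconfig /all` text."""
    adapters = {}
    current = None
    in_dns_list = False
    for line in ipconfig_text.splitlines():
        if not line.strip():
            in_dns_list = False
            continue
        if not line.startswith(" "):
            # Adapter headers are unindented and end with a colon, e.g.
            # "Ethernet adapter Local Area Connection:".
            current = line.strip().rstrip(":") if line.rstrip().endswith(":") else None
            if current is not None:
                adapters[current] = []
            in_dns_list = False
            continue
        label_match = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if label_match and current is not None:
            adapters[current].append(label_match.group(1))
            in_dns_list = True
        elif in_dns_list and " : " not in line:
            # Additional servers are printed on indented, label-less lines.
            adapters[current].append(line.strip())
        else:
            in_dns_list = False
    return adapters


def audit_dns_config(ipconfig_text, allowed=DOMAIN_DNS_SERVERS):
    """Return (adapter, server, reason) for every DNS server not in `allowed`."""
    findings = []
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        for server in servers:
            if server in allowed:
                continue
            # Strip an IPv6 zone index such as %1 before classifying.
            addr = ipaddress.ip_address(server.split("%")[0])
            reason = "public resolver" if addr.is_global else "non-domain DNS server"
            findings.append((adapter, server, reason))
    return findings


if __name__ == "__main__":
    for adapter, server, reason in audit_dns_config(SAMPLE_IPCONFIG):
        print(f"{adapter}: {server} ({reason})")
```

Run it over the real `ipconfig /all` output of each client; any finding means that machine is not resolving through the domain and will eventually show the "cannot locate domain controller" event-log errors mentioned above. Adding the resolver to the DC's forwarder list instead keeps the client list clean.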
 

Carl84

Junior Member
Jan 8, 2012
21
0
0
Not being able to connect to the internet has happened on visitors not part of the domain, using the wifi to connect.

On the DC I found some IPs in the DNS-forwarding list. I added 8.8.8.8 and 8.8.4.4 to the list and moved it all the way up. I changed the settings on one of the clients (the one with most frequent errors) back to obtain DNS automatically from server.

The computer unable to connect to internet was always the last computer started in the office. That made me think that there is some kind of limitation of users. Now with the google DNS active it works having all 9 computers and some smartphones connected. (knock on wood) :p

Will be interesting to see if this works out.
Thank you guys for your help. Do you have any idea what could have been wrong with our office setup?
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
Glad to hear it's working now. I'd go with drebo's suggestion of checking the license limitation on the Cisco firewall. I had a SonicWALL a few years back with a limitation of 25 computers/devices. Once I hit that limit, any other devices simply wouldn't be able to connect to the Internet. The SonicWALL would just drop their packets.

That might explain your problem, especially when you say the one particularly troubled computer was the last to boot. And remember servers, smartphones on wifi, and even network printers will count towards that limit.
 

Carl84

Junior Member
Jan 8, 2012
21
0
0
Oh no. It happened again. :hmm: I tried to start the last computer (the worker is not in today) just to check and the same happens. This should then be a problem with the Cisco ASA 5505 firewall.

Is it difficult for a novice like me to change the limitations?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Oh no. It happened again. :hmm: I tried to start the last computer (the worker is not in today) just to check and the same happens. This should then be a problem with the Cisco ASA 5505 firewall.

Is it difficult for a novice like me to change the limitations?

Can you log in to the ASA at all?

If you can log in to the ASDM web-based interface, on the Home screen, check the "Licenses" tab. You'll see an entry for "Inside Hosts". Report back what that says.

If you can log in to the console, issue a "sh ver" command and report back what it states under "Inside Hosts".

To your question, applying a new license to an ASA is pretty easy. If you're unsure about it, it should be fairly cheap to hire a consultant to do it for you.
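The two capacity limits raised in this thread (VirtualLarry's DHCP scope size and drebo's "Inside Hosts" license) can be checked together once you have the `sh ver` output. The following is an added example, not code from the thread or from Cisco; the `show version` excerpt is constructed to resemble the licensed-features section (the exact layout on a given ASA release is an assumption), the device inventory uses the thread's own figures (9 office computers, 2 laptops, a DC, a DHCP range of .100-160) plus constructed counts for smartphones and a printer, and the 10-host limit is the base figure drebo quotes.

```python
"""Compare an ASA's licensed inside-host count and the DHCP scope against
the devices actually on the LAN.

The ASA counts every distinct inside address it sees, static or DHCP, so
a server and a printer with fixed addresses use licence slots without
ever consuming a DHCP lease.
"""
import ipaddress
import re

# Constructed excerpt of `show version` on an ASA 5505 base licence
# (layout assumed for this example).
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8
VLANs                             : 3, DMZ Restricted
Inside Hosts                      : 10
Failover                          : Disabled
"""

# Constructed inventory: (device class, count, obtains address via DHCP).
SAMPLE_INVENTORY = [
    ("office desktops", 9, True),
    ("laptops on Wi-Fi", 2, True),
    ("smartphones on Wi-Fi", 3, True),
    ("domain controller", 1, False),
    ("network printer", 1, False),
]


def parse_inside_hosts(show_version_text):
    """Return the licensed inside-host limit, or None when it is Unlimited."""
    m = re.search(r"^\s*Inside Hosts\s*:\s*(\S+)", show_version_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Inside Hosts' line in show version output")
    value = m.group(1)
    return None if value.lower() == "unlimited" else int(value)


def dhcp_scope_size(first, last):
    """Number of leases available in an inclusive address range."""
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def capacity_report(show_version_text, dhcp_first, dhcp_last, inventory):
    """Work out whether the DHCP scope and the ASA licence cover the LAN."""
    limit = parse_inside_hosts(show_version_text)
    total_devices = sum(count for _, count, _ in inventory)
    dhcp_clients = sum(count for _, count, uses_dhcp in inventory if uses_dhcp)
    scope = dhcp_scope_size(dhcp_first, dhcp_last)
    return {
        "devices": total_devices,
        "dhcp_clients": dhcp_clients,
        "dhcp_scope": scope,
        "dhcp_ok": dhcp_clients <= scope,
        "inside_hosts_limit": limit,
        "license_ok": limit is None or total_devices <= limit,
    }


if __name__ == "__main__":
    report = capacity_report(SAMPLE_SHOW_VERSION, "192.168.1.100", "192.168.1.160",
                             SAMPLE_INVENTORY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With these numbers the 61-address DHCP scope is nowhere near full, so the lease pool is not the bottleneck, while 16 inside hosts against a 10-host licence reproduces the symptom of the last machine to boot being the one dropped. A device that never gets an address but still sends traffic (a printer, a visitor's phone) is counted by the ASA just the same.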
 

Carl84

Junior Member
Jan 8, 2012
21
0
0
theevilsharpie, drebo, thank you for your expertise! :awe:

I have the login details to the firewall but I cannot download the ASDM program without a license from Cisco from their website. Our previous network administrator created the set-up but he's not working with us anymore.

I think you guys are hitting the nail on the head; the firewall limitation sounds very plausible.

I do have a console cable but no computer with that kind of port. I guess it doesn't work with a normal network cable? :hmm:

Is it possible to download the ASDM program from another place than Cisco?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
ASDM should be loaded on the device already. It's a Java program.

Open a web browser and go to the device's IP address (https://192.168.1.1 for example). It should give you the option of launching ASDM.
 

Carl84

Junior Member
Jan 8, 2012
21
0
0
drebo, don't you need ASDM on the client visiting 192.168.1.1?
It doesn't open on the server nor on my laptop connected to the domain.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
It may not be 192.168.1.1. It may be a different IP address. It depends on how it was configured. Show an output of "ipconfig" run on your laptop.

If ASDM is loaded on the ASA, it has everything you need to launch it, including the launcher. You don't need to download anything from cisco.com.

At this point, I'd seriously recommend calling a consultant in to do a once-over on the network as a whole. It should take, literally, 30 seconds to determine how many inside hosts for which your ASA is licensed. He'll also be able to tell you how much it would cost to upgrade. Shouldn't cost more than $150 for an hour of his time to do the upgrade and make sure nothing else is glaringly wrong. The upgrade itself should be about $250 to go from 10 inside hosts to 50 inside hosts. http://www.cdw.com/shop/products/Cisco-ASA-5505-Software-license/1672218.aspx?enkwrd=ALLPROD%3a%7cl-asa5505-10-50%7cAll%20Product%20Catalog
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
If you only have 15 users, I'd recommend replacing the ASA with something that you can manage yourself (I can already tell that you're going to struggle with it, no offense), since consulting fees can become expensive very quickly.

The ASA is little more than a packet filter, so if you wanted a direct replacement, something like a Netgear Prosafe VPN firewall would do. If you want something with more capability, look into low-end SonicWALL or Fortinet firewalls.