  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 609

SonicWall 2040, Active Directory, and DNS

I have a PDC running DNS that is behind a Sonicwall 2040 firewall. I have configured my Sonicwall to be the DHCP server. This works very well (internet speeds are terrific and hardly any latency). However, some of my computers on the network cannot access the PDC! The computers will log on, but they do not get access to profiles, startup scripts, etc. After hours of playing with the settings and calling tech support I found that if I installed DHCP on the PDC and disabled the DHCP on the firewall, all the clients have access to Active Directory. However, although this works, it is extremely inefficient WAN-wise compared to the DHCP being on the firewall. Browsing sites lags anywhere from 3-8 seconds to load, even on simple sites such as Google. We rely heavily on internet applications, and although this setup works for now it is far from desired. Calling Sonicwall tech support left me empty-handed and scouring the web for answers has turned up empty. I'm thinking this could be a configuration error on either the firewall, DNS, or AD. I can ping all network adapters on the PDC using the IP address; however, when I try to ping the hostname it fails (when the DHCP is on the firewall). I have not been able to pinpoint the cause and the event logs are empty. Has anyone had experience with something like this or have any suggestions? I can post more technical info or screenshots if needed.

Many Thanks for those who help!
Asked by: SuperGhosty
1 Solution
 
magicommincCommented:
What DHCP options does the Sonicwall 2040 assign to clients? Are they different from the ones the PDC assigns?
>I can ping all network adapters on the PDC using the IP address however when I try to ping the hostname it fails (when the DHCP is on the firewall).
Obviously, name resolution is missing on the client. Can you post "ipconfig /all" from your client when DHCP is on the firewall?
"network adapters": do you have multiple NICs on your PDC?
 
SuperGhostyAuthor Commented:
Here is my "ipconfig /all" (I put the '##' there) and yes we have multiple NICs on the PDC as you can see below:



Windows IP Configuration

   Host Name . . . . . . . . . . . . : THEORY
   Primary Dns Suffix  . . . . . . . : think.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : think.local


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter
   Physical Address. . . . . . . . . : 00-02-B3-D4-EC-##
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.1.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.1
   DNS Servers . . . . . . . . . . . : 10.10.1.70
   NetBIOS over Tcpip. . . . . . . . : Disabled



Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter #2
   Physical Address. . . . . . . . . : 00-02-B3-D4-EE-##
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.1.71
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.10.1.70
   NetBIOS over Tcpip. . . . . . . . : Disabled



Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
   Physical Address. . . . . . . . . : 00-0B-DB-91-78-##
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.1.73
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.10.1.70
   NetBIOS over Tcpip. . . . . . . . : Disabled



Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter #3
   Physical Address. . . . . . . . . : 00-02-B3-D4-6F-##
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.1.72
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.10.1.70
   NetBIOS over Tcpip. . . . . . . . : Disabled

 
SuperGhostyAuthor Commented:
OK, I just realized something... On the firewall, the DHCP settings for my network contain a "DNS" tab. In this tab the DNS servers are automatically loaded with my WAN DNS. Should the DHCP DNS server point to my PDC's DNS? Is this why the computers would return "network path not found"? I feel like this could be it; however, I can't test until after hours when everyone has gone home!

 
magicommincCommented:
That should be it. However...
If you simply change the DNS tab on your Sonicwall firewall to your PDC's DNS, that will resolve your "network path not found" problem, BUT it may bring back "extremely inefficient WAN-wise compared to the DHCP being on the firewall".
I suspect that you don't have a proper DNS forwarder configured in your PDC's DNS. Can you verify that?

I don't see any external IP (WAN DNS) in your "ipconfig /all"; I guess this "ipconfig /all" must have been obtained when you were using the PDC as the DHCP server.
You don't have to wait until after hours to test this change; you can grab a desktop PC, manually assign the IP and DNS (your PDC), and test it out.
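The thread's diagnosis is that the firewall's DHCP scope handed clients the ISP's DNS servers instead of the PDC, so AD names never resolved. As an added example (not code from either participant), here is a small Python parser for the "ipconfig /all" layout quoted above, plus a check that flags adapters whose first DNS server is not an internal AD DNS server. The sample output, the hostname WORKSTATION1 and the WAN address 203.0.113.53 are constructed; 10.10.1.70 is the PDC's DNS address from the thread.

```python
import re

# Constructed sample in the "ipconfig /all" layout quoted in this thread.
# 10.10.1.70 is the PDC from the thread; 203.0.113.53 is a constructed
# stand-in for an ISP (WAN) DNS server that the firewall's DHCP handed out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION1

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : think.local
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.10.1.120
   Default Gateway . . . . . . . . . : 10.10.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       10.10.1.70

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.1.121
   DNS Servers . . . . . . . . . . . : 10.10.1.70
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")            # section header
FIELD_RE = re.compile(r"^\s+([^:]+?)\s*(?:\.\s*)+: ?(.*)$")  # dot-leader field
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")  # continuation value (2nd DNS server)

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}} from 'ipconfig /all' output."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last = None
        elif current is not None and (m := FIELD_RE.match(line)):
            last = m.group(1).strip()
            current[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif current is not None and last and (m := CONT_RE.match(line)):
            current[last].append(m.group(1).strip())
    return adapters

def external_dns_adapters(adapters, internal_dns):
    """List (adapter, servers) whose FIRST DNS server is not an AD DNS server.
    Windows queries the first server and only falls back to the next one on
    timeout, not on a negative answer, so an ISP server listed first breaks
    AD name resolution even when the DC is listed second."""
    return [(name, f["DNS Servers"]) for name, f in adapters.items()
            if f.get("DNS Servers") and f["DNS Servers"][0] not in internal_dns]
```

Run it against a real client's saved "ipconfig /all" text to confirm the firewall's DHCP scope now hands out only the PDC as DNS; external resolution then belongs in the PDC's forwarders, not on the clients.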
 
SuperGhostyAuthor Commented:
Well, I did manage to configure the DNS settings to point to the internal DNS server and it worked. All clients can now access the PDC again. However, as you noted above, the WAN is slow to connect. My IP forwarder is pointed to the firewall at 10.10.1.1. Could it be a problem with my access rules on the firewall? Perhaps I'm not letting the proper traffic come through? I'm rather new to setting up firewalls as far as network services go. I currently only have an Exchange server allowed from WAN and all traffic through LAN to ANY (for now):

Current WAN to LAN access list:

Priority  Source  Destination     Service                Action
--------  ------  --------------  ---------------------  ------
1         ANY     WAN Primary IP  143,110,25 (Exchange)  Allow
2         ANY     ANY             ANY                    Deny

And for the IP config I posted above, it was the ipconfig when the DHCP was on the PDC. Also, you mentioned you did not see any external IP (WAN DNS) on the ipconfig /all. Even now that I have the DHCP on the firewall I have not changed any TCP settings. The gateway on one of my NICs points to the firewall and the other 3 have blank gateways (as you can see above in the ipconfig /all). Any suggestions, need more info, or a screenshot?

Thank you very much for the help
 
magicommincCommented:
Glad to help.
I think the main problem is the DNS forwarder. Check your PDC's DNS configuration and make sure it has a forwarder pointing to your WAN DNS IP address. Can you confirm this first?
 
magicommincCommented:
From your MMC DNS console --> right-click 10.10.1.70 --> Properties --> Forwarders tab --> check "Enable forwarders" --> add the IP address of your WAN DNS.
 
SuperGhostyAuthor Commented:
I checked the forwarder and it was only forwarding to my firewall DNS. However, we have two WAN providers that are combined through the firewall. Do I simply add both primary DNS servers to the forwarder?

Thanks!
 
magicommincCommented:
Does your firewall also function as a DNS server, or is it just another forwarder?
Yes, you can simply add both of your ISPs' DNS servers.
You can verify this: from your PC, open a DOS prompt, run nslookup --> server "WAN DNS IP" --> www.yahoo.com, and see if you get any reply.
 
SuperGhostyAuthor Commented:
I just tried it out with the main WAN DNS moved up to the top and that's what it was! MANY MANY thanks for the help, I couldn't have done it without you!

Hey, if you send me your email or a contact address I want to send you something as a thanks for helping out. I hope that's not against EE's policy, but I really appreciate it! A hundred times over, thank you!!
 
magicommincCommented:
I am glad to help out.
I am new to this site too; I started participating two weeks ago and don't know much about the policy. Are you in the US? I am in California.
 
SuperGhostyAuthor Commented:
I'm in California as well, Antelope Valley to be more precise. Feel free to e-mail me: denny@advancedclutch.com

Thanks again!