Solved

DNS Resolving Issues

Posted on 2008-06-12
Last Modified: 2010-04-21
I have been assigned to support a 50-user company currently running a workgroup. We have a Cisco 2800 router connecting to our ISP. Connected between our internal network and the 2800 router is an ASA 5505 firewall. The firewall is issuing DHCP and I am not sure if it is providing DNS or if the ISP is providing DNS services (any way to tell on this?). Anyway, I promoted a standalone Windows 2003 SP2 server to a domain controller. This was an extra machine and there are no other domain controllers on the network. I implemented DNS on it and configured the DNS forwarding to point to the ISP's DNS servers. I tested a client machine and was able to join the domain no problem. But when I log into the domain, it takes over 10 minutes to log in! I'm pretty sure it's a DNS issue but not sure where to begin. Any help ASAP would be appreciated. Maximum points assigned.

Oh, also, if I do an ipconfig /all on the client machine the ISP DNS servers show up. I thought that the Domain Controller's address should show up since that is doing the forwarding. Is there some DNS setting in the ASA 5505 that may be overriding my Domain Controller's DNS? I don't know. Just thinking out loud.
Question by:schmad01
LVL 14

Expert Comment

by:Kutyi
ID: 21776319
Set up DHCP on the server and assign the server as the DNS server for your clients.  Turn off the DHCP on the ASA 5505.  The only DNS the clients should get should be the server.  The forwarders in DNS on the server should point to the ISP's DNS servers.  If you do not want to set up DHCP on the server then ensure that the DNS settings handed out by the ASA 5505 are only the IP of your Domain Controller.

Hope this helps!.....:)

Author Comment

by:schmad01
ID: 21776356
I will check this tomorrow.  Actually it is tomorrow. I will check in the morning.  Thanks.
LVL 58

Expert Comment

by:tigermatt
ID: 21776357
In an Active Directory environment, both the workstation and server MUST be configured so that their only preferred DNS server is the DNS server on the Domain Controller. DNS is a critical component of Active Directory - without it, you WILL see very slow logons and numerous other problems if you don't get this sorted soon.

When firewalls are handing out the DHCP addresses, they will usually just hand out the IP of the firewall. The firewall will then run in DNS proxy mode - it will simply forward all incoming DNS requests to one of the ISP's DNS servers. There's such a limited variety of scope options available that you're better off turning off DHCP on the firewall and using DHCP from the server. That way, you can configure the IP address being handed out to be the IP of the server, and nothing else.

-tigermatt
LVL 4

Expert Comment

by:WimDL
ID: 21776378
DNS settings for client machines are provided as part of DHCP. ipconfig /all will tell you the IP address of the machine that handles DHCP requests. Change the DNS settings in DHCP so that your internal DNS server is the primary DNS server. Your ISP's DNS servers are probably also providing DNS resolution (because they show up at the moment as DNS servers) so you can specify one of them as a secondary DNS server (for fault tolerance). If your internal DNS server is only forwarding DNS requests, you won't gain much to reduce your logon times because your internal DNS server still has to contact your ISP's DNS server. It would be better to create a zone on your internal DNS server that can host all internal DNS records (quicker resolution) and to forward any DNS resolution requests for external names to your ISP.
LVL 14

Expert Comment

by:Kutyi
ID: 21776413
When you set up your DNS server, if you created it as an Active Directory Integrated Zone then you will have an internal zone already set up.  This ensures that when your server gets a DNS request any local requests are responded to immediately, whereas requests outside the zone will then be forwarded to your ISP's servers.  Do not set up an external DNS as a secondary DNS as this will not gain you anything; let your server's DNS do the work.
LVL 2

Expert Comment

by:mkaustubh
ID: 21778015
Yes, you are right that it's a DNS issue.
I guess this would help answer most of your questions..

http://support.microsoft.com/kb/291382

Now, as per your network architecture, we need to make a small test.
Take a client machine and point it to the DC for the DNS settings in TCP/IP of the NIC properties.

Reason:
Your ISP does not have an answer to your zone and the client would look for your zone for the AD authentication, thus we need to point it to the local DNS server which in your case is your DC.

If this works then follow what "KUTYI" says in the FIRST response {06.12.2008 at 11:16PM PDT}

Cheers!!
LVL 58

Accepted Solution

by:tigermatt (earned 400 total points)
ID: 21779991
There's no need to do a small test. There's no reason why the ISP's DNS servers should be present on any of the servers or workstations in their TCP/IP properties, at all, whether the stations are a member of the domain or not. There's no exception to this rule - point all the servers and workstations towards the IP of one or more DNS servers (preferred and alternate DNS servers) and you cannot go wrong. Doing anything different will cause numerous problems - one of which includes timeouts and slow network & domain performance.

Once all workstations are configured to use the server for DNS lookups and the server ONLY, you could then configure forwarders in the DNS server properties to send on requests for external domain names to one or more nameservers at the ISP. This isn't necessary, but is recommended. See http://technet2.microsoft.com/windowsserver/en/library/EE992253-235E-4FD4-B4DA-7E57E70AD3821033.mspx. Forwarders are the ONLY place where ISP or any other non-server based DNS server IP is set, anywhere on the network.

-tigermatt
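As an added check that is not part of the thread, this Python script parses the output of ipconfig /all from a client and flags any resolver that is not a domain DNS server, which is the misconfiguration the accepted answer describes; it also reports which DHCP server handed out the lease, since that is where the fix goes. The sample output and the domain controller address (192.168.1.10) are constructed placeholders.

```python
import re

# Constructed sample of `ipconfig /all` output for a client that still
# receives the ISP's resolvers from the firewall's DHCP scope.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : corp.example.local
   IP Address. . . . . . . . . . . . : 192.168.1.50
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
"""

# Assumed address of the domain controller / DNS server (placeholder value).
DC_DNS = {"192.168.1.10"}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_dns_servers(text):
    """Return the resolver list from ipconfig /all output. Windows prints the
    first server on the 'DNS Servers' line and any further servers on
    continuation lines that carry only an address."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
        elif collecting and IPV4.fullmatch(line.strip()):
            servers.append(line.strip())
        else:
            collecting = False
    return servers


def parse_dhcp_server(text):
    """Return the DHCP server that issued the lease, or None if static."""
    m = re.search(r"DHCP Server[ .]*: (\S+)", text)
    return m.group(1) if m else None


def check_client(text, dc_dns=DC_DNS):
    """ok is True only when every configured resolver is a domain DNS server;
    foreign lists the others (e.g. ISP resolvers leaking in via DHCP)."""
    servers = parse_dns_servers(text)
    foreign = [s for s in servers if s not in dc_dns]
    return bool(servers) and not foreign, foreign, parse_dhcp_server(text)
```

Run check_client() over the saved output from each workstation; a non-empty foreign list means the DHCP scope (here the firewall's) is still handing out the wrong resolvers.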

Author Comment

by:schmad01
ID: 21780526
Yes, when I plug in the Domain Controller/DNS server's address in the client's preferred DNS settings, all is fine and fast. So, I am convinced that I do not need to turn off DHCP in my firewall, I just need to change the DNS settings. So, where do you do that in an ASA 5505? Is there more than one place with this setting in the firewall?
LVL 58

Expert Comment

by:tigermatt
ID: 21780547
There's no reason why you should run DHCP on the firewall. It gives you such a restricted range of scope options that you are unable to effectively manage your network. To correctly do this you want to completely turn off DHCP on the firewall, install it on the server and set the DNS server addresses through there.

Author Comment

by:schmad01
ID: 21780659
Ok, I agree with those reasons. I just want to make sure that I do it correctly with no loose ends. I can get into the firewall with Cisco's ASDM software. Now, how and where do I make these changes?
LVL 58

Expert Comment

by:tigermatt
ID: 21780766
I've got very little experience with Cisco equipment so I can't help there, I'm more the server/domain/DNS administrator. Perhaps there is something on the Cisco site which guides you through disabling DHCP?
LVL 14

Assisted Solution

by:Kutyi (earned 100 total points)
ID: 21780769
This is the command: hostname(config)# dhcpd dns xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is your server's IP).  You will need to get to the CLI to input this command OR browse the ASDM to find the appropriate spot.  You need to set up DHCP on your server and remove it from the firewall.

Author Closing Comment

by:schmad01
ID: 31466835
Thank you all very much.