  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 249

DNS Resolving Issues

I have been assigned to support a 50-user company currently running a workgroup. We have a cisco 2800 router connecting to our ISP. Connected between our internal network and the 2800 router is an ASA 5505 firewall. The firewall is issuing DHCP and I am not sure if it is providing DNS or if the ISP is providing DNS services (Any way to tell on this?). Anyway I promoted a standalone Windows 2003 SP2 server to a domain controller. This was an extra machine and there are no other domain controllers on the network. I implemented DNS on it and configured the DNS forwarding to point to the ISP's DNS servers. I tested a client machine and was able to join the domain no problem. But when I log into the domain, it takes over 10 minutes to log in! I'm pretty sure it's a dns issue but not sure where to begin. Any help asap would be appreciated. Maximum points assigned.

Oh, also, if do an IP CONFIG /ALL on the client machine the ISP DNS servers show up. I thought that the Domain Controller's address should show up since that is doing the forwarding. Is there some DNS setting in the ASA 5505 that may be overriding my Domain Controller's DNS? I don't know. Just thinking out loud.
Asked: schmad01

KutyiCommented:
Set up DHCP on the server and assign the server as the DNS server for your clients. Turn off the DHCP on the ASA5505. The only DNS the clients should get should be the server. The forwarders in DNS on the server should point to the ISP's DNS servers. If you do not want to set up DHCP on the server then ensure that the DNS settings handed out by the ASA5505 are only the IP of your Domain Controller.

Hope this helps!.....:)
schmad01Author Commented:
I will check this tomorrow.  Actually it is tomorrow. I will check in the morning.  Thanks.
tigermattCommented:
In an Active Directory environment, both the workstation and server MUST be configured so that their only preferred DNS server is the DNS server on the Domain Controller. DNS is a critical component of Active Directory - without it, you WILL see very slow logons and numerous other problems if you don't get this sorted soon.

When firewalls are handing out the DHCP addresses, they will usually just hand out the IP of the firewall. The firewall will then run in DNS proxy mode - it will simply forward all incoming DNS requests to one of the ISP's DNS servers. There's such a limited variety of scope options available that you're better off turning off DHCP on the firewall and using DHCP from the server. That way, you can configure the IP address being handed out to be the IP of the server, and nothing else.

-tigermatt
WimDLCommented:
DNS settings for client machines are provided as part of DHCP. Ipconfig /all will tell you the IP address of the machine that handles DHCP requests. Change the DNS settings in DHCP so that your internal DNS server is the primary DNS server. Your ISP's DNS servers are probably also providing DNS resolution (because they show up at the moment as DNS servers) so you can specify one of them as a secondary DNS server (for fault tolerance). If your internal DNS server is only forwarding DNS requests, you won't gain much to reduce your logon times because your internal DNS server still has to contact your ISP's DNS server. It would be better to create a zone on your internal DNS server that can host all internal DNS records (quicker resolution) and to forward any DNS resolution requests for external names to your ISP.
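A small script, added here and not part of the thread, that reads `ipconfig /all` output the way the answer above describes: it reports which device issued the DHCP lease (and therefore chose the DNS list) and flags any DNS server that is not the domain controller. The sample output, the DC address 192.168.1.10 and all other addresses are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /all` from a client in the situation in the
# question: the ASA (192.168.1.1) issues the lease and hands out ISP resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        Dhcp Enabled. . . . . . . . . . . : Yes
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.10
                                            203.0.113.11
        Lease Obtained. . . . . . . . . . : Friday, June 13, 2008 8:00:00 AM
"""

# "Label . . . . : value" lines; the label stops at the first run of dots/colon,
# so values that themselves contain colons (lease times) are kept whole.
_FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}; multi-line fields such as
    DNS Servers keep every continuation line as an extra list entry."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})  # adapter header
            last_field = None
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            last_field = m.group(1).strip()
            current.setdefault(last_field, []).append(m.group(2).strip())
        elif line.strip() and current is not None and last_field:
            current[last_field].append(line.strip())  # continuation line
    return adapters

def dns_findings(adapter, dc_ip):
    """Flag anything that violates 'domain members use only the DC for DNS'."""
    findings = []
    if adapter.get("Dhcp Enabled", ["No"])[0].lower() == "yes":
        findings.append("lease issued by " + adapter["DHCP Server"][0]
                        + "; that device controls the DNS list handed out")
    dns = adapter.get("DNS Servers", [])
    if not dns:
        findings.append("no DNS servers configured")
    findings += [f"DNS server {s} is not the domain controller {dc_ip}"
                 for s in dns if s != dc_ip]
    return findings
```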
KutyiCommented:
When you set up your DNS server, if you created it as an Active Directory Integrated Zone then you will have an internal zone already set up. This ensures that when your server gets a DNS request, any local requests are responded to immediately, whereas requests outside the zone will then be forwarded to your ISP's servers. Do not set up an external DNS as a secondary DNS as this will not gain you anything; let your server's DNS do the work.
mkaustubhCommented:
Yes, you are right that it's a DNS issue.
I guess this would help answer most of your questions:

http://support.microsoft.com/kb/291382

Now as per your network architecture we need to make a small test.
Take a client machine and point it to the DC for the DNS settings in TCP/IP of the NIC properties.

Reason:
Your ISP does not have an answer for your zone and the client would look to your zone for AD authentication, thus we need to point it to the local DNS server, which in your case is your DC.

If this works then follow what "KUTYI" says in the FIRST response {06.12.2008 at 11:16PM PDT}

Cheers!!
tigermattCommented:
There's no need to do a small test. There's no reason why the ISP's DNS servers should be present on any of the servers or workstations in their TCP/IP properties, at all, whether the stations are a member of the domain or not. There's no exception to this rule - point all the servers and workstations towards the IP of one or more DNS servers (preferred and alternate DNS servers) and you cannot go wrong. Doing anything different will cause numerous problems - one of which includes timeouts and slow network & domain performance.

Once all workstations are configured to use the server for DNS lookups and the server ONLY, you could then configure forwarders in the DNS server properties to send on requests for external domain names to one or more nameservers at the ISP. This isn't necessary, but is recommended. See http://technet2.microsoft.com/windowsserver/en/library/EE992253-235E-4FD4-B4DA-7E57E70AD3821033.mspx. Forwarders are the ONLY place where ISP or any other non-server based DNS server IP is set, anywhere on the network.

-tigermatt
schmad01Author Commented:
Yes, when I plug in the Domain Controller/DNS server's address in the client's preferred DNS settings, all is fine and fast. So, I am convinced that I do not need to turn off DHCP in my firewall, I just need to change the DNS settings. So, where do you do that in an ASA 5505? Is there more than one place with this setting in the firewall?
tigermattCommented:
There's no reason why you should run DHCP on the firewall. It gives you such a restricted range of scope options that you are unable to effectively manage your network. To correctly do this you want to completely turn off DHCP on the firewall, install it on the server and set the DNS server addresses through there.
schmad01Author Commented:
Ok, I agree with those reasons. I just want to make sure that I do it correctly with no loose ends. I can get into the firewall with Cisco's ASDM software. Now, how and where do I make these changes?
tigermattCommented:
I've got very little experience with Cisco equipment so I can't help there, I'm more the server/domain/DNS administrator. Perhaps there is something on the Cisco site which guides you through disabling DHCP?
KutyiCommented:
This is the command: hostname(config)# dhcpd dns xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is your server's IP). You will need to get to the CLI to input this command OR browse the ASDM to find the appropriate spot. You need to set up DHCP on your server and remove it from the firewall.
schmad01Author Commented:
Thank you all very much.