[Input Req]Redesigning My Network

25 replies to this topic

#1 pairughdocks

pairughdocks

    Neowinian

  • Joined: 06-June 09
  • Location: /bin/bash

Posted 05 January 2014 - 19:16

I am the Systems Administrator of an EMS organization and we employ approximately 50-60 members. A quick overview of the existing network:

 

  1. The router is a Linksys E900 SOHO Router that has been working out surprisingly well for the last year or two.
  2. The router then feeds to an unmanaged 3Com SuperStack Switch (sorry for the typo)
  3. The Wireless Access Point is a Linksys WAP4400N Level 2 AP
  4. The Windows 2008 R2 Server runs: Active Directory, DNS, DHCP, File Services, Print Services, and Network Services (VPN-PPTP)
  5. The client workstations (4) are all running Windows 7 Pro with a fairly restrictive GPO
  6. At any given time I may have up to 15 wireless devices connected (primarily: iPhones/iPads, android devices, and laptops Mac/Windows)

I just purchased a Dell PowerEdge 6850 with 24GB of RAM and 4x3.0GHz Dual Core Processors as an upgrade from our old PowerEdge SC440 with 4GB RAM and 1x2.8GHz Core2Duo Processor. I plan on using the old server as an Untangle Web Filter (which I have running on a MUCH older machine that isn't worth mentioning). On the new server I am looking to run as many items in VMs as possible without degrading the network. I want my VMs to back up weekly so we have a minimal chance of data loss and guaranteed "restore points" that I can rely on should something need migrating or catastrophically fail.

 

I guess what I'm asking is, realistically, how would you deploy this network? I would like to almost totally "redo" it; the only thing I am limited by is where the computers physically are. The reason is that some of the computers are logging on VERY slowly (5-10 minute logon times), while others are zipping right into the AD. So between that and the new hardware coming, it will give me some time to re-do some things.

 

Any insight/pro-tips would be incredibly helpful. Thanks!

 

Edit: Point of interest, I am debating "UniFi" as the wireless management solution, but I would like to use my existing access points. I'm not sure if that is even a possibility? I haven't done as much research as I should have since I have had limited time lately.



Best Answer: +BudMan, 06 January 2014 - 19:23

I wouldn't be so worried about printer stuff, but this points to something out of whack.

An Warning Event occurred. EventID: 0x00001695

Time Generated: 01/06/2014 13:40:52

Event String:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'eatvac.org.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).



#2 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 January 2014 - 19:42

"The reason is some of the computers are logging on VERY slow (5-10 minute) times"

What are your clients' DNS settings? You have something WRONG if it takes more than a few seconds to log in.

No, you cannot use UniFi with other APs.

Managed switch doing what? Do you have actual vlans, is your wireless isolated from your wired for example?

#3 OP pairughdocks

pairughdocks

    Neowinian

  • Joined: 06-June 09
  • Location: /bin/bash

Posted 05 January 2014 - 19:48

"The reason is some of the computers are logging on VERY slow (5-10 minute) times"

What are your clients' DNS settings? You have something WRONG if it takes more than a few seconds to log in.

No, you cannot use UniFi with other APs.

Managed switch doing what? Do you have actual vlans, is your wireless isolated from your wired for example?

 

  1. No, the DNS settings are all the same on each machine
  2. I guess that rules out UniFi for now
  3. No, I do not have actual VLANs (that was a typo, and I will fix that, it is UNmanaged)
  4. The wireless is on the same 192.168.1.x network - no separation.


#4 TPreston

TPreston

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 18-July 12
  • Location: Ireland
  • OS: Windows 8.1 Enterprise & Server 2012R2/08R2 Datacenter
  • Phone: Nokia Lumia 1520

Posted 05 January 2014 - 20:03

Some recommendations:
Get rid of the unmanaged junk if you can and replace it with some real Cisco gear, which can be found cheaply online.
Get 2 or 3 .NET cards from Smartcard Focus and implement smart card login; it's very simple.
Switch to SSTP for the VPN (TMG can do this).
Two servers + StarWind iSCSI = cheap failover clustering.
As for wireless, if you can get some Cisco gear go for WPA2 Enterprise PEAP with optional smart card login (instead of MSCHAPv2).
If you do plan on using VLANs, don't get it confused with trunking; just use static VLANs, i.e. switchport access vlan x.

Great project for learning.

#5 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 January 2014 - 20:12

"No the DNS settings are all the same on each machine"

Which is what? Members of AD should ONLY - and I mean ONLY - be pointing at your AD DNS. If they point to your router, for example, then that's the reason for your issue with slow login.

If you're looking to update your network then yeah, I would go with a managed switch and at a minimum isolate your wired from your wireless network.

#6 OP pairughdocks

pairughdocks

    Neowinian

  • Joined: 06-June 09
  • Location: /bin/bash

Posted 05 January 2014 - 21:38

"No the DNS settings are all the same on each machine"

Which is what? Members of AD should ONLY - and I mean ONLY - be pointing at your AD DNS. If they point to your router, for example, then that's the reason for your issue with slow login.

If you're looking to update your network then yeah, I would go with a managed switch and at a minimum isolate your wired from your wireless network.

 

 

The workstation computers are pointing to the AD server (192.168.1.2) as their only DNS server. nslookup resolves forward and reverse lookups appropriately.



#7 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 January 2014 - 23:13

Then it makes no sense that it should take 5 to 10 minutes to log in; you need to run dcdiag and find out what is taking so long - clearly something is wrong.

#8 +Nik L

Nik L

    Where's my pants?

  • Tech Issues Solved: 2
  • Joined: 14-January 03

Posted 05 January 2014 - 23:39

Then it makes no sense that it should take 5 to 10 minutes to log in; you need to run dcdiag and find out what is taking so long - clearly something is wrong.

 

I know toss all about networks, but I had this at work when someone's profile was pulling down each time with all his files.

 

Like I said, I know toss about it, and not my dept.



#9 OP pairughdocks

pairughdocks

    Neowinian

  • Joined: 06-June 09
  • Location: /bin/bash

Posted 06 January 2014 - 16:45

I've attached my DCDiag output, lots of passes - yet everything but one or two workstations log in fine, and everything resolves via Nslookup, and on the internet? Now I'm REALLY confused.

Attached Files



#10 TPreston

TPreston

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 18-July 12
  • Location: Ireland
  • OS: Windows 8.1 Enterprise & Server 2012R2/08R2 Datacenter
  • Phone: Nokia Lumia 1520

Posted 06 January 2014 - 17:10

......................... THOR failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\THOR
Skipping all tests, because server THOR is not responding to directory
service requests.

That's a bad thing, not diagnostics. I suspect you disabled a critical service on the DC when doing your hardening by linking the GPO to the domain, not an OU.

If this is the case, make some OUs like

CORPNET.LOCAL
---DOMAIN CONTROLLERS
---CORPNET COMPUTERS*
--------CLIENTS*
--------SERVERS*
---CORPNET USERS*
--------DOMAIN ADMINISTRATORS*
--------SERVICE ACCOUNTS*
--------LOCAL ADMINISTRATORS*

And link the GPOs where marked instead of to the entire domain.

#11 OP pairughdocks

pairughdocks

    Neowinian

  • Joined: 06-June 09
  • Location: /bin/bash

Posted 06 January 2014 - 17:25

......................... THOR failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\THOR
Skipping all tests, because server THOR is not responding to directory
service requests.

That's a bad thing, not diagnostics. I suspect you disabled a critical service on the DC when doing your hardening by linking the GPO to the domain, not an OU.

If this is the case, make some OUs like

CORPNET.LOCAL
---DOMAIN CONTROLLERS
---CORPNET COMPUTERS*
--------CLIENTS*
--------SERVERS*
---CORPNET USERS*
--------DOMAIN ADMINISTRATORS*
--------SERVICE ACCOUNTS*
--------LOCAL ADMINISTRATORS*

And link the GPOs where marked instead of to the entire domain.

 

I will absolutely look into that. Most of the restrictions, however, are basic ones such as "no run box" and "no task manager," nothing really involving services, but I will look into it. I've also been researching the "*._msdcs.eatvac.org could not be resolved to an IP address" error and seeing that a lot of other users have had a similar problem. Thank you for the prompt reply!

 

Edit: I've also attached my GPO

Attached Files



#12 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 January 2014 - 17:42

yeah clearly
"Skipping all tests, because server THOR is not responding to directory"

Is not a good sign ;)

Also, your AD domain resolves on the public net; not a FAN of doing this at all. It can cause all kinds of grief. I would normally suggest using an AD domain that is not a global TLD, something like .lan, .local or .adnet - something that is not an active TLD on the public net.

;; QUESTION SECTION:
;eatvac.org. IN A

;; ANSWER SECTION:
eatvac.org. 86400 IN A 74.208.159.244

What does your DC point to for DNS? It should be pointing to itself or another AD DNS server in your network. It should not be pointing to the ISP, a public resolver, the router, etc.

#13 OP pairughdocks

pairughdocks

    Neowinian

  • Joined: 06-June 09
  • Location: /bin/bash

Posted 06 January 2014 - 18:39

It has been set up with a botched TLD for a while now... at the time I wasn't aware that using eatvac.local would be the best practice; I got a good head smack for that one. The DC (thor) is pointing to 192.168.1.2 (proper IP) forward and reverse. Attached are both logs from DNS. Then, to circumvent the issue we were having with www.eatvac.org not being accessible internally, I just added a www host to point to our webserver IP.

Attached Files



#14 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 January 2014 - 18:51

what is this?
(same as parent folder) Host (A) 74.208.159.244 static

You have eatvac.org pointing to that public IP?

You need to address this
"Skipping all tests, because server THOR is not responding to directory"

That clearly is not good ;)

#15 OP pairughdocks

pairughdocks

    Neowinian

  • Joined: 06-June 09
  • Location: /bin/bash

Posted 06 January 2014 - 19:01

The "same as parent folder" record I replaced with 192.168.1.2 - that should not have been there; only "supply, support, test, internal, and www" should have pointed to our webhost IP. "Same as parent folder" is now 192.168.1.2 (HUGE OVERSIGHT, thanks for catching that, because I wouldn't have noticed it :(). I then released and renewed DHCP on my workstations, and for DNS I did a flush and register, and now logons seem to be improved tremendously. HOWEVER, this still does not resolve the "Skipping all tests..." error - which you would think would be causing more problems?

 

Edit: I believe I resolved it by making some slight changes here and there and now I pass. I am getting TONS of errors now though about a printer (that is currently offline, so maybe that's why?)

Attached Files
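A check for the two misconfigurations this thread turns up (AD members pointing at a DNS server other than the AD DNS, and the domain apex "same as parent folder" A record resolving to the public web host instead of the domain controller), plus the DC locator SRV record the dcdiag warning refers to. This is an added example, not code from the thread; it assumes the thread's values (domain eatvac.org, DC THOR at 192.168.1.2) and uses only WMI, System.Net.Dns and nslookup so it runs on Windows 7 / Server 2008 R2 PowerShell 2.0.

```powershell
# Added example: audit the DNS settings BudMan asks about in this thread.
# Assumed values taken from the thread; change them for your own domain / DC.
$Domain      = 'eatvac.org'
$AdDnsServer = '192.168.1.2'      # THOR, the only DNS server AD members should use
$DcHostName  = "thor.$Domain"

$problems = @()

# 1. Every IP-enabled adapter on this machine must use ONLY the AD DNS server.
#    WMI is used because Get-DnsClientServerAddress does not exist on PS 2.0.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    $configured = @($nic.DNSServerSearchOrder)
    $foreign    = @($configured | Where-Object { $_ -ne $AdDnsServer })
    if ($configured.Count -eq 0 -or $foreign.Count -gt 0) {
        $problems += "$($nic.Description): DNS servers are [$($configured -join ', ')], expected only $AdDnsServer"
    }
}

# 2. The domain apex (the "same as parent folder" A record) must resolve to
#    domain controllers only. A public web-host IP here sends clients' LDAP and
#    \\eatvac.org\SYSVOL lookups to the wrong box, which is what made logon crawl.
$apex = [System.Net.Dns]::GetHostAddresses($Domain) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |   # IPv4 only
    ForEach-Object { $_.IPAddressToString }
$wrongApex = @($apex | Where-Object { $_ -ne $AdDnsServer })
if ($wrongApex.Count -gt 0) {
    $problems += "$Domain resolves to [$($wrongApex -join ', ')]; only DC addresses ($AdDnsServer) belong on the apex A record"
}

# 3. The DC locator SRV record must exist on the AD DNS server and name the DC.
#    Its absence is what the 'Dynamic registration ... failed' warning means.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srvOut  = nslookup -type=SRV $srvName $AdDnsServer | Out-String
if ($srvOut -notmatch "svr hostname\s*=\s*$([regex]::Escape($DcHostName))") {
    $problems += "$srvName did not return $DcHostName from $AdDnsServer; DC DNS registration (netlogon) is broken"
}

if ($problems.Count -eq 0) {
    Write-Host "DNS checks passed: clients use $AdDnsServer only, $Domain -> DC, SRV record present"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it on a workstation to check item 1 against that client, and on the DC itself to confirm the DC points at its own DNS as BudMan asks.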