
I am the Systems Administrator of an EMS organization and we employ approximately 50-60 members. Some quick overview of the existing network:

 

  1. The router is a Linksys E900 SOHO Router that has been working out surprisingly well for the last year or two.
  2. The router then feeds to an unmanaged 3Com SuperStack Switch (sorry for the typo)
  3. The Wireless Access Point is a Linksys WAP4400N Level 2 AP
  4. The Windows 2008 R2 Server runs: Active Directory, DNS, DHCP, File Services, Print Services, and Network Services (VPN-PPTP)
  5. The client workstations (4) are all running Windows 7 Pro with a fairly restrictive GPO
  6. At any given time I may have up to 15 wireless devices connected (primarily: iPhones/iPads, android devices, and laptops Mac/Windows)

I just purchased a Dell PowerEdge 6850 with 24GB of RAM and 4x3.0GHz Dual Core Processors as an upgrade from our old PowerEdge SC440 with 4GB RAM and 1x2.8GHz Core2Duo Processor. I plan on using the old server as an Untangle Web Filter (which I have running on a MUCH older machine that isn't worth mentioning). On the new server I am looking to run as many items in VMs as possible without degrading the network. I want my VMs to back up weekly so we have a minimal chance of data loss and guaranteed "restore points" that I can rely on should something need to be migrated or catastrophically fail.

 

I guess what I'm asking is, realistically, how would you deploy this network? I would like to almost totally "redo" it; the only thing I am limited by is where the computers physically are. The reason is that some of the computers are logging on VERY slowly (5-10 minute logon times), while others are zipping right into AD. So between that and the new hardware coming, it will give me some time to redo some things.

 

Any insight/pro-tips would be incredibly helpful. Thanks!

 

Edit: Point of interest, I am debating "UniFi" as the wireless management solution, but I would like to use my existing access points. I'm not sure if that is even a possibility? I haven't done as much research as I should have since I have had limited time lately.

https://www.neowin.net/forum/topic/1195363-input-reqredesigning-my-network/

"The reason is some of the computers are logging on VERY slow (5-10 minute) times"

What are your clients' DNS settings? You have something WRONG if it takes more than a few seconds to log in.

No, you cannot use UniFi with other APs.

Managed switch doing what? Do you have actual vlans, is your wireless isolated from your wired for example?

Replying to BudMan (05/01/2014 at 19:42, quoted above):

 

  1. No, the DNS settings are all the same on each machine
  2. I guess that rules out UniFi for now
  3. No, I do not have actual VLANs (that was a typo, and I will fix that, it is UNmanaged)
  4. The wireless is on the same 192.168.1.x network - no separation.

Some recommendations

Get rid of the unmanaged junk if you can replace it with some real cisco gear which can be found cheaply online.

Get 2 or 3 .NET cards from Smartcard Focus and implement smart card login; it's very simple.

Switch to SSTP for the VPN (TMG can do this)

Two servers + Starwind ISCSI = cheap failover clustering

As for wireless if you can get some cisco gear go for WPA 2 enterprise PEAP with optional smart card login (instead of mschap 2)

If you do plan on using VLANs, don't get it confused with trunking; just use static VLANs, i.e. switchport access vlan x

Great project for learning.

"No the DNS settings are all the same on each machine"

Which is what? Members of AD should ONLY - and I mean ONLY - be pointing at your AD DNS. If they point to your router, for example, then that's the reason for your issue with slow login.

If you're looking to update your network then yeah, I would go with a managed switch and, at a minimum, isolate your wired from your wireless network.

Replying to BudMan (05/01/2014 at 20:12, quoted above):

 

 

The workstation computers are pointing to the AD server (192.168.1.2) as their only DNS server. nslookup resolves forward and reverse lookups appropriately.

Then it makes no sense that it should take 5 to 10 minutes to log in, you need to run dcdiag and find out what is taking so long - clearly something is wrong. 

 

I know toss all about networks, but I had this at work when someone's profile was pulling down each time with all his files.

 

Like I said, I know toss about it, and not my dept.

......................... THOR failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\THOR

Skipping all tests, because server THOR is not responding to directory

service requests.

That's a bad thing, not diagnostics. I suspect you disabled a critical service on the DC when doing your hardening by linking the GPO to the domain and not an OU.

If this is the case, make some OUs like

CORPNET.LOCAL

---DOMAIN CONTROLLERS

---CORPNET COMPUTERS*

--------CLIENTS*

--------SERVERS*

---CORPNET USERS*

--------DOMAIN ADMINISTRATORS*

--------SERVICE ACCOUNTS*

--------LOCAL ADMINISTRATORS*

And link the GPOs where marked instead of to the entire domain.
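The OU layout and relinking TPreston describes, as an added PowerShell example (not code from the thread or from TPreston): it builds the OUs, lists every GPO still linked at the domain root (which is what also applies them to the domain controller), and moves the restrictive workstation GPO to the CLIENTS OU. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the GPO name is a placeholder and the domain DN is read from the domain.

```powershell
# Added example: create the OU tree from the post and relink a restrictive GPO
# from the domain root to the CLIENTS OU only. Assumes RSAT modules are present.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn = (Get-ADDomain).DistinguishedName     # e.g. DC=corpnet,DC=local
$GpoName  = 'Workstation Restrictions'           # placeholder: your restrictive GPO

# OU name -> parent DN, in an order that creates parents before children.
# (The Domain Controllers OU already exists by default and is left alone.)
$Ous = [ordered]@{
    'CORPNET COMPUTERS'     = $DomainDn
    'CLIENTS'               = "OU=CORPNET COMPUTERS,$DomainDn"
    'SERVERS'               = "OU=CORPNET COMPUTERS,$DomainDn"
    'CORPNET USERS'         = $DomainDn
    'DOMAIN ADMINISTRATORS' = "OU=CORPNET USERS,$DomainDn"
    'SERVICE ACCOUNTS'      = "OU=CORPNET USERS,$DomainDn"
    'LOCAL ADMINISTRATORS'  = "OU=CORPNET USERS,$DomainDn"
}
foreach ($name in $Ous.Keys) {
    $dn = "OU=$name,$($Ous[$name])"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $name -Path $Ous[$name] -ProtectedFromAccidentalDeletion $true
    }
}

# Anything linked at the domain root also applies to the Domain Controllers OU
# (unless inheritance is blocked there), so list those links first.
Write-Host "GPOs linked at the domain root:"
(Get-GPInheritance -Target $DomainDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced | Format-Table -AutoSize

# Relink: drop the root link, link the GPO to CLIENTS only.
$clientsOu  = "OU=CLIENTS,OU=CORPNET COMPUTERS,$DomainDn"
$rootLinked = (Get-GPInheritance -Target $DomainDn).GpoLinks |
              Where-Object { $_.DisplayName -eq $GpoName }
if ($rootLinked) {
    Remove-GPLink -Name $GpoName -Target $DomainDn
}
$alreadyLinked = (Get-GPInheritance -Target $clientsOu).GpoLinks |
                 Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $clientsOu -LinkEnabled Yes
}

# The link only matters for objects inside the OU: move the workstations there.
Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' |
    Move-ADObject -TargetPath $clientsOu
```

Run it once with -WhatIf on the Remove-GPLink, New-GPLink and Move-ADObject calls first to see what would change; the GPO applies on the next group policy refresh or gpupdate /force on the clients.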

Replying to TPreston (06/01/2014 at 17:10, quoted above):

 

I will absolutely look into that; most of the restrictions, however, are basic ones such as "no run box," "no task manager," nothing really involving services or anything, but I will look into it. I've also been researching the "*._msdcs.eatvac.org could not be resolved to an IP address" error and seeing that a lot of other users have had a similar problem. Thank you for the prompt reply!

 

Edit: I've also attached my GPO

Attachment: East_Allen_EMS_GPO.zip

yeah clearly

"Skipping all tests, because server THOR is not responding to directory"

Is not a good sign ;)

Also your AD domain resolves on the public net, not a FAN of doing this at all.. Can cause all kinds of grief.. Would normally suggest use of AD domain that is not a global TLD, something like .lan or .local .adnet - something that is not active tld on the public net.

;; QUESTION SECTION:

;eatvac.org. IN A

;; ANSWER SECTION:

eatvac.org. 86400 IN A 74.208.159.244

What does your DC point to for dns?? Should be pointing to itself or another AD dns server in your network. Should not be pointing to isp or public or router, etc.

It has been set up with a botched TLD for a while now... at the time I wasn't aware that using eatvac.local would be a best practice; I got a good head smack for that one. The DC (thor) is pointing to 192.168.1.2 (proper IP) forward and reverse. Attached both logs from DNS. Then, to circumvent the issue we were having with www.eatvac.org not being accessible internally, I just added a www host to point to our webserver IP.

Attachment: Forward_Lookup_DNS.txt

Attachment: Reverse_Lookup_DNS.txt

what is this?

(same as parent folder) Host (A) 74.208.159.244 static

You have eatvac.org pointing to that public IP?

You need to address this

"Skipping all tests, because server THOR is not responding to directory"

That clearly is not good ;)
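The three DNS checks BudMan keeps coming back to (members must use only AD DNS, the DC locator records must resolve, and the zone apex "same as parent folder" record must not point at the public web host), as an added PowerShell audit script that is not part of the thread. It assumes the DnsClient module (Windows 8 / Server 2012 or later) and uses a placeholder domain name; the DC address 192.168.1.2 is the one from the thread.

```powershell
# Added example: audit a domain member for the DNS problems discussed above.
# Placeholders: $Domain is your AD DNS domain, $DcDnsIps your AD DNS servers.
$Domain   = 'corp.example'
$DcDnsIps = @('192.168.1.2')

function Test-IsPrivateIPv4 {
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 1. Every DNS server configured on this client must be an AD DNS server.
#    A router or ISP resolver cannot answer the _msdcs SRV queries used to
#    find a DC, which is the slow-logon symptom in this thread.
$clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             Select-Object -ExpandProperty ServerAddresses -Unique
$foreign = $clientDns | Where-Object { $DcDnsIps -notcontains $_ }
if ($foreign) {
    Write-Warning "Client uses non-AD DNS server(s): $($foreign -join ', ')"
} else {
    Write-Host "OK: client DNS servers are all AD DNS servers"
}

# 2. The DC locator SRV record must resolve through the AD DNS server.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
               -Server $DcDnsIps[0] -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    Write-Host "OK: DC locator record lists $($srv.NameTarget -join ', ')"
} catch {
    Write-Warning "_ldap._tcp.dc._msdcs.$Domain did not resolve: $($_.Exception.Message)"
}

# 3. The zone apex A record ('same as parent folder' in the DNS console) is
#    registered by the DCs themselves; if it points at a public web host,
#    members can end up trying to reach a DC at that address.
$apex = Resolve-DnsName -Name $Domain -Type A -Server $DcDnsIps[0] -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
if (-not $apex) {
    Write-Warning "$Domain has no A record on the AD DNS server"
}
foreach ($rec in $apex) {
    if (Test-IsPrivateIPv4 $rec.IPAddress) {
        Write-Host "OK: $Domain A record $($rec.IPAddress) is an internal address"
    } else {
        Write-Warning "$Domain A record $($rec.IPAddress) is a public address; fix the zone apex"
    }
}
```

Run the same script on the DC itself: check 1 then confirms the DC points only at itself or another AD DNS server, which is the other question raised above.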

The "same as parent folder" record I replaced with 192.168.1.2 - that should not have been there; only "supply, support, test, internal, and www" should have pointed to our webhost IP. "Same as parent folder" is now 192.168.1.2 (HUGE OVERSIGHT, thanks for catching that, because I wouldn't have noticed it :() - now I released and renewed DHCP on my workstations, and for DNS I did a flush and register, and now logons seem to be improved tremendously. HOWEVER, this still does not resolve the "Skipping all tests..." error - which you would think would be causing more problems?

 

Edit: I believe I resolved it by making some slight changes here and there and now I pass. I am getting TONS of errors now though about a printer (that is currently offline, so maybe that's why?)

Attachment: DCDIAG_01-06-14_RESOLVED.txt

I wouldn't be so worried about printer stuff, but this points to something out of whack.

An Warning Event occurred. EventID: 0x00001695

Time Generated: 01/06/2014 13:40:52

Event String:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'eatvac.org.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

No errors left :) everything seems to be good now. MUCH QUICKER (even than before) logons! BudMan, +2 to you! I guess now I just have to review some of the proposed network solutions for redesign. Unfortunately we can't do much with Cisco since our budget does not allow for such equipment.

Well there are plenty of budget managed/smart switches on the market that would allow for vlans. How many ports do you need? You could always go with a smaller ported managed/smart switch as your core and then just use dumb switches in the closets or to add port count.

You could go with something like a router distro - pfsense, m0n0wall, smoothwall, ipcop - on some old PC hardware to give you a decent firewall/router at your edge vs some SOHO wireless thing. An E900 is something you would run in your house if you ask me, not a place of business.

You would be amazed at what you can accomplish on a shoestring budget ;) Cheap PC hardware with a bit of RAM and you could run content filtering with squid, ntop for reporting, snort for IDS, etc. Could run a captive portal for your guest wireless, using WPA enterprise for your normal wireless, etc. etc.

The E900 was a serious quick fix when our original router took a dive. I'm looking at a NetGear FVS338 or FVS538 VPN/Firewall combo to allow for IPsec VPN as opposed to the PPTP via Server 2008 which we have right now. When the new server arrives it will be a virtual Server 2008 installation and the old server will be an Untangle server, more than likely running web filtering and reporting. I love that it integrates with AD, but I would like a free alternative so I can have users authenticate via their AD credentials and have their activity logged. I also would like to segment our WiFi and have a guest network so when we have "company" they don't have access to internal resources etc... basically popping up our internet terms of service upon connection. I will definitely look into some of the router distros you mentioned, as I have never heard of some of those and I'm sure you wouldn't mention them if they weren't worth looking into ;)

 

Edit: It looks like m0n0wall will be the winner for router distro :D

pfsense is a fork of m0n0wall - m0n0wall rocks it for router/firewall. Pfsense adds some bells and whistles is all.

It would be a fine choice to be sure.

If you ask me ipsec is dying as a road warrior solution to vpn access - I would look more to openvpn to be honest. It can run over 1 port (443 SSL for example) which is pretty much ALWAYS open no matter your location. Can even work over a proxy, for example to get ipsec vpn to work at a hotel quite often you have to request that type of connection.

OpenVPN has released clients for both Android and iOS devices that work great. My iPad for example - click, click and VPN'd into my home network from anywhere there is WiFi connectivity, since when do they block 443.. While IPsec VPNs use ESP protocol 50, 51 AH and ISAKMP.. It's a fairly complicated solution that is not always available. There are better solutions to be sure.

My only concern with OpenVPN is it can not run as a server on Windows (so it seems), but I do agree with the logic... lots to think about there.

 

Edit: I'm dumb... http://forums.openvpn.net/topic7806.html

 

Smh... I'm going insane with all of this ;)

Who told you that?

https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide

But I would not suggest running it on a "server" inside your network be it linux, bsd or windows or OS X. The VPN endpoint belongs on the edge of the network - not some box "inside" the network.

No, what I am saying is run it on the edge ;) With pfsense for example it's click, click and up and running - one of those bells and whistles I was saying that m0n0wall does not have ;)

(attached screenshot)

Whatever you pick for your router distro - it supporting the vpn server would be a nice bell or whistle ;)

You can run into problems with a VPN endpoint inside a NAT. For starters, that server inside your network is NOT the gateway of the other devices on your network. So you might need to NAT your VPN clients into your LAN network. Or create other routes, be it on your edge router or on the other hosts in your network. Or use a tap vs tun interface, where you bridge the remote clients into your network.. Now you're sending broadcast traffic over a WAN connection, etc. etc.

It's nothing that cannot be worked out - but it is much simpler if the VPN endpoint is at your network's edge/gateway anyway.

Ah, I see! Hmm, I was really liking m0n0wall, which would be an IPsec VPN on the edge, but pfsense does look like it will integrate the VPN much easier. My users are absolutely TERRIFIED of technology so OpenVPN would make their connecting in a bit easier. I hope you are getting paid for schooling me in Windows networking... if not, I'll send cookies or something. I learned more today than I have in classes.
