
Slow Internet on Server 2003


andyshriver (Technical User, US), Dec 25, 2004
My company recently purchased a Dell PE2900 loaded with Win2K3 Server. The machine has 2 NICs. The network is firewalled with a SonicWall configured as a DHCP server with NAT. I installed AD on the server and set up NAT through RRAS and configured the DHCP scope, all using the wizard. One NIC is the LAN and the other NIC is connected to the firewall. Once a client receives the new IP address from the new server, it can browse the internet but very, very slowly. I am willing to bet that, even though the server has quad procs and 4GB RAM, I am probably asking too much of it by having it be a DC, DNS server, DHCP server, NAT server and a file/data server, yes? The remote access is handled by a dedicated Citrix box, so that is not at issue here. Does anyone have a better idea as to how to configure this network to allow clients to authenticate to the network, taking full advantage of AD while being able to browse the internet with the speed to which our users are accustomed?

I thank you all in advance.

Andy
 
...firewalled with a SonicWall configured as a DHCP server with NAT...
I installed AD on the server and set up NAT...
You're NATting twice?


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
"I installed AD on the server and set up NAT through RRAS and Configured the DHCP scope, all using the wizard"
Why are you NATing through the OS? The SonicWall will do that.

Why are you using the second NIC? It will not provide you with any more security unless you have ISA (or equal), if the Sonic is set up correctly.

"I am willing to bet that, even though the server has quad procs and 4GB RAM, I am probably asking too much of it by having it be a DC, DNS, server, DHCP server, NAT server and a file/data server, yes?"
Excluding the OS NATing (never used it), this server can handle the rest of the services without breaking a sweat unless you have 1,000 users.

Run pathping from the server and from a workstation to an external IP or web page. Do you get packet losses? If so, note the interface the losses occur at.
As in: pathping yahoo.com

"The network is firewalled with a SonicWall configured as a DHCP server with NAT."
I assume by this, you do not have a static address and the Sonic is not providing DHCP for the network, but is managing the possibly changing public address?


........................................
Chernobyl disaster..a must see pictorial
 
even though the server has quad procs and 4GB RAM, I am probably asking too much of it by having it be a DC, DNS, server, DHCP server, NAT server and a file/data server, yes?

I still use a dual P3 server with 2GB of RAM doing all the above (except NAT) and the performance is fine (ISP link is 8MB). I used to do NAT on the server (ISA Proxy & Firewall/NAT), but since I was NATing on the Internet firewall/router I disabled it. Traffic to the Internet no longer flows through the server since it now only has one (active) NIC. ISA is still used for caching but it no longer performs NAT.

DHCP, DNS & AD shouldn't be too intensive for the server. I would ensure that no other DHCP or DNS servers exist on the network (SonicWall?) as it's likely they will conflict.

Andy
 
Awesome - those are great responses! I will clarify one thing, though. I am not NATing twice. Once I enabled NAT on the server, I disabled it on the firewall/router. I am not running ISA, though I sense I should be.

The trend that I am seeing is that NAT should be handled by the firewall, but I am supposing that the firewall doesn't have to be the DHCP server to be able to perform the translation, correct? As long as my DHCP scope points to the firewall as the default gateway and specifies DNS servers in this order - [IP address of my server], [ISP's DNS server IP #1], [ISP's DNS server IP #2] - name resolution should not be a problem, correct?

My conclusion is that, all of these factors being in the equation, I should have my server configured for AD, DNS & DHCP, in addition to the other mission-related tasks it needs to perform, correct? I will not use the 2nd NIC at all, as I understand that it will serve no useful purpose at this time.

I look forward to hearing input from any or all of you, and I thank you all for your responses.

Cheers,
Andy
 
You should only specify the server's IP address as the DNS server in the DHCP scope; the server will do recursive lookups for names it doesn't know about and then cache them (remember to remove the '.' zone if the server is configured as a DNS root server).


If your clients don't use your server for DNS then AD will not work correctly.

HTH

Andy
 
"The trend that I am seeing is that NAT should be handled by the firewall, but I am supposing that the firewall doesn't have to be the DHCP server to be able to perform the translation, correct?"
That is correct.

"those are great responses! I will clarify one thing, though. I am not NATing twice."
I did not figure you were doing it twice. I was wondering if you have a dynamic IP versus a static one; if dynamic, that would explain the need to have the firewall take care of the ISP's possibly changing IP.

Make sure your SonicWall is set up correctly; if you have doubts, call SonicWall tech support and have them go over the setup.

For a little added security, place your ISP's DNS servers' IPs in the forwarders. Place one or two other DNS servers' IPs in there too, from another ISP. This way, if your ISP plays with their DNS servers or changes their servers' IPs without notifying you, you will still have Internet access.
You do not want your server querying random DNS servers, as in recursive queries, as there are hijacked/bogus DNS servers out there.

"My conclusion is that, all of these factors being in the equation, I should have my server configured for AD, DNS & DHCP, in addition to the other mission-related tasks it needs to perform, correct?"
I have benchmarked a server, as a workgroup and as an Active Directory FSMO. The benchmark results are the same; AD adds minuscule overhead until you have many users. On a typical FSMO I have SQL, AV, backup software, databases, accounting software, anti-malware programs, DNS, DHCP, WINS etc., no issues. Just do not use it as a workstation, do not place unnecessary software on it such as demos, do not run unnecessary services or Windows components, do not cruise the Internet from it; keep it simple, do not trash it up.


 
Why bother with the ISP DNS servers? Use the pre-configured root-servers (root hints).

Andy
 
Because the root servers will allow the queries to ANY DNS server on the Internet, including DNS servers manned by hackers/malware distributors. Admittedly a low risk, but I am sure Andyshriver's ISP, or major ISPs, do not have this risk.


 
This server will not be doing anything other than housing data and files and authenticating users (no more than 100, at the most). The users will have profiles and their user directories housed on this machine as well. The IP from my ISP is static, but I think I have something configured incorrectly. All machines and the firewall can see each other, but none except the server can display web pages. The server's NIC is configured with the correct subnet, the IP for the firewall as the default gateway and the IPs of my ISP's DNS servers in the default DNS server fields. I wonder if I have misconfigured my DNS server service, DHCP or the server's NIC. I did nothing to the firewall except disable the DHCP feature in it. Any thoughts?
 
Run ipconfig /all at a workstation. Do you get a default gateway and DNS servers listed? If not, likely your DHCP does not have the scope options set properly for the 003 router (default gateway) and/or 006 DNS servers (set as your server's IP).

Run NetDiag.exe and DcDiag.exe in verbose mode.

 
Technome,
I am not running DHCP on my W2k3 server at this time. My SonicWall appliance is handing out leases and is doing NAT. The W2k3 server is running AD and DNS, is a file server and is the DC. Domain computers can authenticate to this machine (albeit slowly). I am not running RRAS. All computers, when logged onto the domain with Domain User accounts can access the Internet. Should I be doing something differently? Should I be running DHCP on my Win2K3 box instead of the SonicWall?

Thanks in advance.

Andy
 
I think you need to look at this at a more basic level first.

I.e., if the PC is slow to authenticate, then this needs to be addressed before looking at the speed of external web access.

It doesn't matter what runs the DHCP; it's a basic function, and as long as you configure the correct options on the service then it isn't going to matter.

The PC is getting its lease from the Sonic thing; the DNS I assume being dished out by this box is the IP address of the server. The server hosts the internal domain and the DNS server just has forwarders to ISP sites?
 
Terry - I apologize if I left out certain salient details. The problem with the PC being slow to authenticate had never been a problem prior to trying to join the PC to the domain. Essentially, prior to bringing the Win2K3 server into the mix, users on the LAN were authenticating to a Netware 3.12 server (as well as to local profiles on their W2Kpro or WinXPSP2pro workstations). From a TCP/IP perspective, the machines were peer-to-peer and getting their IP addresses from the SonicWall via DHCP. The external (registered) IP is static, along with the DNS servers at the ISP, so all of that info was (and still is) supplied by the DHCP scope in the SonicWall. The only current difference is that I have added the IP address of the W2K3 server to the ISP DNS addresses in the SonicWall DHCP scope. The DNS server portion of the W2K3 server has the ISP DNS addresses listed as forwarders. Could I be creating the potential for a bottleneck caused by too much traffic between DNS servers?
 
Did you disable the second NIC on the server? I know Microsoft does not like multi-homed AD servers. The NIC settings on the TCP/IP properties of the server should have its own IP address as the primary DNS server. Make sure you don't have your ISP DNS servers in that list.
 
Pgaliardo - that may be part of the problem. I do have ISP DNS addresses listed as secondary DNS servers. I have the IP for the one active NIC (I disabled the other as soon as I first started configuring the server) listed as the primary DNS. I will delete all other DNS servers from the DNS tab of the TCP/IP properties for that NIC. The server sits on a network that consists of only one subnet (no routers, just switches for different "segments"). Remote clients connect via Citrix MetaFrame running on a Win2K server w/Terminal Server. This machine is on the same network and is NOT multihomed. The SonicWall resides on the same segment as the servers and connects directly to the line from the ISP.
 
The only ref to the ISP's, to me, is a DNS forwarder.

The clients should only point to the windoze box.
 
OK - the DHCP scope on the SonicWall should provide no DNS information except the IP address of the AD server. The AD server must have the ISP's DNS IPs listed as forwarders, yes? If so, then this is all beginning to make sense.
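For readers who want to apply and verify the setup the thread converges on (the DC's NIC points only at itself for DNS, no '.' root zone, forwarders to the ISP, clients get only the DC as DNS from DHCP), here is an added Windows Server 2003 command-line script. It is not from any post in the thread; the interface name, addresses and domain are placeholders to substitute.

```batch
@echo off
rem Added example (not from the thread): DC-side DNS setup on Win2K3, run in an admin cmd prompt.
rem Placeholders - adjust to your network before running.
set NIC=Local Area Connection
set DC_IP=192.168.1.10
set GATEWAY=192.168.1.1
set FWD1=203.0.113.53
set FWD2=198.51.100.53
set ADDOMAIN=corp.example

rem 1. The DC's own TCP/IP DNS list contains only itself; no ISP resolvers on a DC (pgaliardo's point).
netsh interface ip set dns name="%NIC%" source=static addr=%DC_IP%

rem 2. If a "." zone exists the server believes it is a root server and never forwards - remove it.
rem    (An AD-integrated "." zone additionally needs the /DsDel switch.)
dnscmd /ZoneInfo . >nul 2>&1 && dnscmd /ZoneDelete . /f

rem 3. Unresolved names go to the ISP resolvers instead of arbitrary servers on the Internet.
dnscmd /ResetForwarders %FWD1% %FWD2% /TimeOut 5

rem 4. Verify: forwarders are set, the AD DC locator record resolves, an external name resolves via the DC.
dnscmd /Info /Forwarders
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ADDOMAIN% %DC_IP%
nslookup www.example.com %DC_IP%

rem 5. Only if the DC (rather than the SonicWall) serves DHCP: scope options 003 (router) and
rem    006 (DNS) so clients receive the gateway and only the DC as their DNS server.
rem netsh dhcp server scope 192.168.1.0 set optionvalue 003 IPADDRESS %GATEWAY%
rem netsh dhcp server scope 192.168.1.0 set optionvalue 006 IPADDRESS %DC_IP%
rem netsh dhcp server scope 192.168.1.0 show optionvalue
```

On a workstation, `ipconfig /all` should then list the SonicWall as the default gateway and the DC's address as the only DNS server; if the SRV lookup in step 4 fails, domain logons will be slow or fail regardless of Internet speed.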
 