[SOLVED] 2008 R2 losing connectivity

Mick

I have a situation with an SBS 2008 R2 which is stumping me. This server is a DC and has seven workstation clients attached, all running Win 7 Pro - all up to date and patched. Just one of these clients is losing connectivity to certain (but not all) websites on a regular basis (i.e. every two or three days). Typically, affected sites are those requiring log-ins, e.g. on-line banking services, so mostly they are HTTPS sites. The server itself also loses connectivity to these sites, so if I browse a site directly from the server, I get the same result. However, the other workstations are fine or, at least, have yet to report this as a problem.

I've cleared the situation by running a 'dnscmd /ClearCache' followed by 'dnscmd /StartScavenging' on the server and this does work....for a day or two, then we're back to square one. I've run BPA on the DNS server and all is clear. I've checked the settings on the affected client and it's getting its DNS direct from the server and nowhere else. I've used three different browsers - IE, FF and Opera. The whole rig is protected with Panda Endpoint, but I've also scanned with MBAM just in case...nothing found. I'm a bit stuck as to where to look next. The ClearCache routine does work, but it is obviously dealing with the effect rather than the cause. It's also a bit time-consuming. Any ideas/suggestions welcome.
 
Is DNS scavenging set on the server? Fire up DNSMGMT.MSC....right click and set the scavenging there...I do the default 7 day one.

Although I'll be honest...I don't think that's the problem here...the scavenging really helps internal resolution stay updated, and not get over bloated with stale records that cause a performance issue on a DC.

But let's check a few DNS related things first.
*In the server's TCP/IP properties, is it using itself for DNS..nothing else. Right?
*Client workstations..check to see that all are using the server for their DNS, nothing else. DHCP should be run from the server and should be handing out the LAN IP of the server for primary DNS. Secondary DNS should only be a second DC if the network is larger.
*DNS forwarding...in DNSMGMT.MSC on the server, right click the DNS server, properties..Forwarding tab..what are they set for? Typically the ISP's 2x DNS servers go here, although I prefer to use both OpenDNS servers instead...for added layer of security.

*What is running at the edge? (firewall)

*Does this client happen to be an accounting office or something where a lot of 'em are running that Trusteer Rapport browser plugin?
 
Thanks for the prompt response. I'll try and answer in sequence:

* Scavenging is set - to the 7 day default.

* TCP/IP Yes - server points solely to itself.

* DHCP is enabled on the server and running. All workstations are set to 'obtain automatically'. All have the DNS server IP set for DNS (and nothing else)

* There are no forwarders set. I was always told that 2008 could manage without, but maybe not...? I've used Google's DNS as a forwarder in some situations. Good idea?

* The firewall is handled by Panda Endpoint protection. Just to clarify, Panda (and all else) have all been working fine in this respect for many months - this (the problem) is a comparatively recent development, just happening over the past two or three weeks

* As it happens, the client that is affected is the accounts machine, although Rapport is not installed. I have a bit of a down on it!

Looking at the above, the forwarders stick out as a potential problem. Would you agree?
 
Only for response time.
What's the router? (edge device).
I just find it odd that httpS sites seem to be more affected?
What happens when you run ping tests to domains that you have an issue getting to?
What happens if you restart the DNS Server service?

Any double NAT setup by accident? Does the router for their network pull the public IP address? Or does it have another private IP address on its WAN interface from some funky setup or the ISP's "gateway" is running NAT too?
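
One way to capture the comparison these questions point at the next time the fault appears, as an added example that is not part of the original thread. It assumes PowerShell 2.0 on the server; the host names are placeholders, and 208.67.222.222 is one of the OpenDNS public resolvers.

```powershell
# Added example: record how each resolver answers for the failing sites.
# $names holds placeholders; replace them with the host names that stop loading.
$names     = @('bank.example', 'portal.example')
$resolvers = @{
    'SBS DNS (this server)' = '127.0.0.1'
    'OpenDNS (direct)'      = '208.67.222.222'
}
$logFile = Join-Path $env:TEMP ('dns-compare-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

$rows = foreach ($name in $names) {
    foreach ($label in $resolvers.Keys) {
        $server = $resolvers[$label]
        # cmd merges stderr into stdout, so timeout and "Server failed" text is captured too
        $out = (cmd /c "nslookup $name $server 2>&1" | Out-String)
        # Text before "Name:" describes the server queried; the answer follows it
        $parts  = $out -split 'Name:', 2
        $answer = if ($parts.Count -eq 2) { $parts[1] } else { '' }
        # Only IPv4 answers are collected; a name with AAAA records only shows as unresolved
        $ips = @([regex]::Matches($answer, '\b\d{1,3}(\.\d{1,3}){3}\b') |
                 ForEach-Object { $_.Value })
        New-Object PSObject -Property @{
            Time     = (Get-Date -Format s)
            Name     = $name
            Resolver = $label
            Resolved = ($ips.Count -gt 0)
            Answer   = ($ips -join ' ')
        }
    }
}

# Keep a timestamped record so runs taken before and after 'dnscmd /ClearCache' can be compared
$rows | Select-Object Time, Name, Resolver, Resolved, Answer |
    Export-Csv -Path $logFile -NoTypeInformation
$rows | Format-Table Name, Resolver, Resolved, Answer -AutoSize
```

If the server's own DNS fails for a name that the external resolver answers, the fault lies in the server's resolution path; if both resolve and the site still will not load, the cause is outside DNS.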
 
What type of internet connection? You might check the MTU setting... If it's just that one computer, then something is funky there. Reset the TCP/IP stack, maybe even try a new NIC?
 
The router is a standard BT Business hub (with VDSL). I don't see anything odd about the set up - no double NAT taking place as far as I can see. They have a static public IP, which is where the router points. It's a small set up, with no other devices or DCs etc involved. The HTTPS thing may be a red herring. As stated, this is the 'accounts machine', so almost all the sites they visit are HTTPS, so that may just be a coincidence; I have not had the opportunity yet to test this out. Right now, things are working OK, so I'll need to wait until it goes fruit salad again before I can try pinging anything (or restarting the DNS service). I have now set forwarders to OpenDNS as suggested, on the grounds that it can't hurt.

@HCHTech: MTU is set at 1492 - which is what I'd expect. It's a relatively new machine - about three months old - so I doubt if it's the NIC, but I'll try your suggestions if nothing else works - thanks for the input.
 
I know this sounds absolutely insane, but I have seen this before, and it only impacted a single computer, which was running identical hardware and drivers as others... Heck, I even imaged the computer. It turned out to be a problem with a ProCurve 5308XL years ago. Restarting the switch resolved it.

I am NOT saying this is the problem, only that I would try that, or flush the MAC address tables on the network, OR disconnect and reconnect the network cable to change the state to down/down then up/up on the switchport. I am NOT saying this will fix it, but it should take only 5 minutes to try all this.
 
Got to say, I don't get how the switch would cause this, but if it isn't the things it oughta be, then it must be something it didn't oughta be! So - yeah - thanks for the advice (which I would not have considered in a month of Sundays) - will try this if (when) all else has failed.
 
The easiest troubleshooting method on this is to move to a different port. I know it's crazy... but try it plz.
 
Well - been a week now since I set forwarders on the DNS and...so far...seems to have done the trick. You live and learn - thanks to all.
 
You may well be right, but if there is, I can't trace it so far. I am continuing to monitor the situation, so if it manifests again, time to take a closer look.
 