#51823
02/08/2013 3:08 PM
Joined: Aug 2012
Posts: 395
Member
OP
Hi,
I offloaded the DHCP role from our router to our SBS Essentials 2011 using Sandeep's video. It all seemed to go well. One machine is giving me some problems though. I should note that this machine was having issues before the DHCP role was switched to the server.
The machine is called "Antec1200". It is running Windows 7 Pro x64, and is hosting multiple VM's, all of which work flawlessly and can be pinged, etc. The problem is, I can't reach or ping the Antec1200 computer from the other computers on the network.
I looked at the Control Panel -> Network and Internet -> Network and Sharing Center. It shows it's connected to "Multiple networks" - 2 to be exact.
1. Gobruins.local (this seems right because it is our local domain).
2. Unidentified network (public network). And to the right of this entry, I see "VMware Network Adapter VMnet1" and "VMWare Network Adapter VMnet8". These adapters also show up in the Device Manager as well, and they also sport IP addresses that don't jibe with our network. They seem to use pools like 192.168.206 and 192.168.40, when all our PCs use the 192.168.1.xxx pool.
I think #2 is the source of the problem. Can anyone tell me what this network entry is/does? Is this something that's necessary to host the VM's? It seems unlikely because all the VM's use "bridged" mode. If these entries are not needed, how do I go about deleting them safely?
Thanks.
Gianni
Joined: Nov 2005
Posts: 2,366 Likes: 2
Member
VMWare creates its own virtual network adapters; these are the unidentified networks in 2.
You may have to search for the server as either \\server \\antec1200 OR \\192.168.1.x
Wendell Pediatrician in Chicago
The patient's expectation is that you have all the answers, sometimes they just don't like the answer you have for them
Joined: Sep 2003
Posts: 12,874 Likes: 34
Member
I don't see how the virtual NICs would block the actual NIC. You should just be able to disable them. What are you pinging? IP, computer name, FQDN?
If you want the answer fast and Sandeep isn't around, just go to www.experts-exchange.com. You can get a 30-day trial. If you ask the question and choose the following topic areas: OS --> VMWare, DNS, Misc Networking, you will likely get answers within 20 minutes.
Also, can you post your server and the bad computers' ipconfig /all
Bert Pediatrics Brewer, Maine
Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
Wendell and Bert are right. Those two NICs are from the two other networking types in VMWare. One is for the Internal Network and the other is NAT from VMWare's networking options. Bridged doesn't create a new NIC. Make sure the NIC is set to a Work or Home network.
Also make sure pinging is enabled in Windows Firewall: Control Panel > System and security > Windows Firewall > Advanced settings (Left) > Inbound rules > New rule > custom rule > Protocol and ports: Protocol: ICMPv4 > Choose Specific ICMP types > Check the box echo request
Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
Also, if you check DHCP on the SBS 2011 VM, can you see the Antec 1200 computer in the DHCP lease list?
Joined: Aug 2012
Posts: 395
Member
OP
> Also, if you check DHCP on the SBS 2011 VM, can you see the Antec 1200 computer in the DHCP lease list?
Yep, it's on the list as 192.168.1.110. Pinging \\Antec1200 or 192.18.1.110 gets timed out. Pinging any other computer from any other computer seems to work fine. For example, pinging the Server from Antec1200 seems to work.
Under the VM virtual adapter properties, static IP's are specified, instead of "Obtain IP address automatically". And these static addresses are 192.168.253.x and 192.168.43.x, rather than lying in the 192.168.1.x pool like the rest of our PC's. I dunno if this makes any difference.
I'll see if I can post a screenshot of the Ipconfig /all.
Gianni
Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
> Under the VM virtual adapter properties, static IP's are specified, instead of "Obtain IP address automatically". And these static addresses are 192.168.253.x and 192.168.43.x, rather than lying in the 192.168.1.x pool like the rest of our PC's. I dunno if this makes any difference.
It doesn't. Don't worry about those. Did you try adjusting the firewall settings?
Joined: Aug 2012
Posts: 395
Member
OP
Ok, I'm surmising that it has something to do with a PC hosting VM's. There is one more PC that we can't ping and have trouble accessing, and it too hosts VM's.
In the Server Manager console, I notice that both these troubled machines have multiple entries in the DNS Server->Forward Lookup Zones: One entry for the physical NIC, and two more for the VM virtual adapters.
EDIT: I don't think this is the issue. None of the PC's that host VM's here in my home lab are exhibiting this problem.
Gianni
Joined: Aug 2012
Posts: 395
Member
OP
> > Under the VM virtual adapter properties, static IP's are specified, instead of "Obtain IP address automatically". And these static addresses are 192.168.253.x and 192.168.43.x, rather than lying in the 192.168.1.x pool like the rest of our PC's. I dunno if this makes any difference.
> It doesn't. Don't worry about those. Did you try adjusting the firewall settings?
Sorry - that didn't seem to help. Antec1200 still can't be seen on the network, nor can it be pinged.
Gianni
Joined: Aug 2012
Posts: 395
Member
OP
> Wendell and Bert are right. Those two NICs are from the two other networking types in VMWare. One is for the Internal Network and the other is NAT from VMWare's networking options. Bridged doesn't create a new NIC. Make sure the NIC is set to a Work or Home network.
I did note that the VMWare virtual NIC's are bound to a "Public" network. This public network is greyed out, so I can't change it to Home or Work. I've tried changing it using this: http://support.microsoft.com/kb/2578723
It seems to change, but it doesn't stick. I'll plug away some more...
Gianni
Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
So you can't even ping the IP? Are you trying to ping Antec1200 or 192.168.x.x? If you can't even ping the IP, that's a firewall issue.
Joined: Aug 2012
Posts: 395
Member
OP
> So you can't even ping the IP? Are you trying to ping Antec1200 or 192.168.x.x? If you can't even ping the IP, that's a firewall issue.
Correct. The Antec1200's IP address is 192.168.1.110. Pinging "Antec1200" returns nothing. Pinging 192.168.1.110 returns nothing. I'll try turning the firewall off completely, just to see what develops.
Gianni
Joined: Aug 2012
Posts: 395
Member
OP
Well, you're right on the money as usual. Completely disabling the firewall for Domain Networks allowed access to the Antec1200 computer.
Gianni
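Added example, not part of any post in this thread: rather than leaving the firewall off for Domain networks, the ICMPv4 echo-request rule described in the earlier post can be created with netsh from an elevated PowerShell prompt on the Windows 7 machine, limited to the Domain profile and the local subnet. The rule name is an assumption chosen for this example.

```powershell
# Added example (not from the thread). Run elevated on the affected machine.
# The rule name below is an assumption; any unique name works.
$ruleName = 'ICMPv4-Echo-In-Domain'

# 1. Show the currently active firewall profile and whether it is on or off.
netsh advfirewall show currentprofile state

# 2. Add the inbound echo-request rule only if it does not exist yet.
#    icmpv4:8,any = ICMPv4 type 8 (echo request), any code.
#    profile=domain and remoteip=localsubnet keep the rule from applying on
#    Public/Private networks or to hosts outside the local subnet.
netsh advfirewall firewall show rule name="$ruleName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    netsh advfirewall firewall add rule name="$ruleName" `
        dir=in action=allow protocol=icmpv4:8,any `
        profile=domain remoteip=localsubnet
}

# 3. Turn the Domain profile firewall back on; the rule keeps ping working.
netsh advfirewall set domainprofile state on

# 4. Confirm the rule is present and the Domain profile is enabled.
netsh advfirewall firewall show rule name="$ruleName" verbose
netsh advfirewall show domainprofile state
```

Where firewall settings are enforced by group policy, a local rule may not take effect and the equivalent rule belongs in the policy.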
Joined: Sep 2003
Posts: 12,874 Likes: 34
Member
Good job, Sandeep. This, though, is where group policy which keeps your firewall on and blocks Domain Networks can be an issue. I suppose you can give the option to turn off the firewall or make it customizable from the server. I had this problem once.
Bert Pediatrics Brewer, Maine
Joined: Aug 2012
Posts: 395
Member
OP
Now here's an interesting question that popped up in my mind...
Let's say the server (and not the router) is handling the DHCP stuff. But, someone hops onto our wireless network casually but doesn't join the domain. Who hands out the IP address to this wireless client?
Gianni
Joined: Dec 2009
Posts: 1,197 Likes: 8
Member
Whatever device is handing out IP addresses is where the potential intruder gets their address from.
However, just getting an IP address means nothing.
JamesNT
Joined: Aug 2012
Posts: 395
Member
OP
So then the server will issue the IP address, even if the wireless client doesn't sign onto the domain?
Gianni
Joined: Dec 2009
Posts: 1,197 Likes: 8
Member
Joined: Aug 2012
Posts: 395
Member
OP
You know - I like you. I've read threads where people aren't enamored with your approach or whatever, but you seem like a shoot-from-the-hip kind of guy. And I appreciate that.
Gianni
Joined: Dec 2009
Posts: 1,197 Likes: 8
Member
Thanks, man. That means a lot.
People aren't enamored by my approach because they fail to realize, and fail horribly I might add, that there are three ruling forces to this universe that we will all obey sooner or later:
--Statistics
--Logistics
--Economics
Accept that fact and life is so much simpler. I know accepting that fact has worked wonders for me.
JamesNT
Joined: Sep 2003
Posts: 12,874 Likes: 34
Member
Gianni,
As James says, whatever is connected and giving out IPs is your DHCP. If you have a peer-to-peer network, the router could still give out IPs. A computer with a DHCP server could give out IPs.
A domain basically takes a network and usually centralizes the data at the server. A domain is for handling permissions, resources and policies making use of DNS. Single authentication. Two computers on a domain are more likely to have access to each other, while two computers joined to a private network but not on a domain will likely not have access to each other unless one PC goes out of its way to provide permissions as would happen in a P2P.
Think of Starbucks. Starbucks provides Wi-Fi access for its customers. It provides an IP address to wireless hardware and does not require a password, mainly because the wireless router is not connected to a network that would need to be protected. But, there is no domain there. Anyone else should not be able to access your device through the router unless the other person is 14 or under in which case, they could likely steal everything on your laptop in minutes.
Bert Pediatrics Brewer, Maine
Joined: Dec 2009
Posts: 1,197 Likes: 8
Member
> Anyone else should not be able to access your device through the router unless the other person is 14 or under in which case, they could likely steal everything on your laptop in minutes.
So, when connecting to a network at Starbucks or some such other place, be sure to click PUBLIC NETWORK when Windows 7 asks what kind of network you are connecting to.
JamesNT
Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
> So, when connecting to a network at Starbucks or some such other place, be sure to click PUBLIC NETWORK when Windows 7 asks what kind of network you are connecting to.
> JamesNT
Also, try to use a VPN if you have access to one. Switching to public won't protect you from packet sniffers, which is the most common way to steal logins. Or remote into the computer at the office/at home.
Joined: Dec 2009
Posts: 1,197 Likes: 8
Member
I doubt most people will have a VPN set up.
However, remote desktop is encrypted so try to do everything from there.
JamesNT
Joined: Jun 2009
Posts: 1,811
Member
At the risk of sounding like a broken record, if you use static IPs and turn off DHCP, you have now eliminated 98% of the folks who shouldn't be on your network. It also helps to run a non-default private network.
For those of us who travel with network analysis tools on our devices, this only makes us smile, because it is the first indication that there is intelligent life running the network. Not that I would then kick-off a network scan & probe, or anything like that - oh no.
For that 98%, wireless or even physical access is now useless to them; but then it is always that 2%.
Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
I prefer DHCP reservations and MAC address filtering over static IPs. Static IPs require configuring each client individually, which can be annoying to manage remotely or even onsite if the practice is large enough.
Also requires the person at the practice to know how to set up a static IP/what their subnet is/whether or not an address is taken.
Joined: Sep 2003
Posts: 12,874 Likes: 34
Member
I am with Sandeep. I basically use DHCP for my clients and for all other hardware, DHCP with reservations. Reservations allow machines to always have the same IP but allow you the luxury of DHCP supplying subnets, gateways and DNS. Plus, it shows up on your server.
Indy knows more than I, but I don't see how DHCP from your server makes your network any more vulnerable especially when it is limited to the private scope.
Bert Pediatrics Brewer, Maine