Setting Static IPs of Clients in a Windows Domain
phuschnickens
Beverly Hills, Michigan Member
Visited a new client a couple days ago with a Windows domain setup with about 15 workstations. They want to be able to remote desktop to all 15 workstations so their IT guy (who admittedly says he isn't an IT guy and has no idea what he's doing) set up each workstation with a static IP using the TCP/IP settings on each workstation. The reason they sought an IT guy is because they are having really poor network performance - mostly noticed when surfing the web. My instinct tells me that assigning static IPs in the manner he did is a horrible idea and that they should all be set up to "Obtain automatically" from the DHCP server (in this case the DC). Then in the DHCP server settings each workstation should be set up with a reservation tied to each NIC's MAC address.
Am I correct? Anybody think that his setup could be causing the network issues which are related to DNS lookup issues?
Sidenote: They have an Untangle box operating as a firewall which is port forwarding to each workstation.
Thanks in advance!
Comments
The things I'd check are making sure that those machines are using the right DNS settings because crappy DNS servers will slow their internet traffic down for sure. 4.2.2.1/4.2.2.2 or OpenDNS 208.67.220/208.67.222.222 probably being the best DNS servers in North America right now - far better than using their ISP's DNS servers.
The other possibility is that someone(s) on their network has a virus or malware that is just causing a lot of traffic overhead.
From there if they are using DSL for internet make sure that the gateway device (the router that the modem is connected to) has the MTU set to 1492.
Those would be the top things I would check. Probably start with MTU, then DNS, then DHCP/Static then malware. Not because of a priority thing but from easiest to hardest to check.
Check out http://www.dslreports.com/faq/5793 - this will show you how to check your MTU settings, and it could be you should actually have it lower than 1492 - but as I said - generally 1492 is what you want for DSL.
Is there any reason I should not change all workstation IP addresses to dynamic then do the IP reservation assigning on the server? Isn't that one of the reasons god invented servers -- central management?
Oh and I'll also check on their DNS servers. Set them up as forwarders in the DNS panel of the server, right?
What I used to do is leave all the computers dynamic and then when other network devices needed to be placed on the network or moved they were always assigned at the device with a static and we had reserved ranges on the DHCP server they went into. This made it easier for multiple people to manage and then you could consume a specific IP before the device arrived, as soon as it was ordered, and just need the MAC to put into the reservation then it can be deployed without any major issues.
Network slow for some people or wonky things going on with a computer and connections, DNS. If they are running their own DNS, gpupdate if all of the settings on the server are good. Otherwise start changing settings.
Also in a small environment if the computers have a naming scheme you don't need the IP and DHCP is fine. Set up printers/network devices with a static IP below the scope and then just let computers grab from DHCP. Then you can ping the computer name and not care about what IP it has at the time. Just use a logical name. Like 'bob_computer' or something to that effect.
"access.officedomain.com:3390" -- bob's pc
"access.officedomain.com:3391" -- mary's pc
"access.officedomain.com:3392" -- jack's pc
The ports to be set up on the firewall to forward:
3390 to 3389 on 192.168.1.101 (Bob)
3391 to 3389 on 192.168.1.102 (Mary)
3392 to 3389 on 192.168.1.103 (Jack)
So I'd much prefer a DHCP setup for the workstations but you can see why either a DHCP reservation or a static IP is likely needed. On my office's small network of 10ish devices all workstations are DHCP and the IP addresses pretty much never change so it's not an issue but I am here to update firewall rules if they do change. However, with the job we are discussing it's important that I can "set it and forget it" as they will not have an IT guy on site who can monitor and tweak settings in the event that an IP does renew with a different address.
I don't set up anything special and all of my devices (and VMs, even) get their same IPs back after reboots.
Oh, if you need to RDP into those machines then yes, you'd need to know what their IPs are. Mind you, a better way would be to set up a VPN tunnel to the router and then once that's established you could start the RDP session to the machine's name.
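
The MAC-based DHCP reservations discussed in this thread, sketched as an added example that is not part of any poster's message. It assumes the Windows Server `DhcpServer` PowerShell module and a scope of 192.168.1.0; the workstation names and MAC addresses are constructed placeholders, and only the IPs come from the port-forward list above.

```powershell
# Run in an elevated session on the DHCP server (the DC in this thread).
Import-Module DhcpServer

$ScopeId = '192.168.1.0'   # assumption: scope covering the 192.168.1.x hosts above

# Constructed sample data. IPs match the port-forward list in the thread;
# names and MAC addresses are placeholders to replace with real values.
$Workstations = @(
    [pscustomobject]@{ Name = 'bob-pc';  Mac = '00:11:22:33:44:01'; IP = '192.168.1.101' }
    [pscustomobject]@{ Name = 'mary-pc'; Mac = '00-11-22-33-44-02'; IP = '192.168.1.102' }
    [pscustomobject]@{ Name = 'jack-pc'; Mac = '0011.2233.4403';    IP = '192.168.1.103' }
)

# Snapshot existing reservations so reruns and conflicts are detected up front.
$existing = @(Get-DhcpServerv4Reservation -ScopeId $ScopeId -ErrorAction Stop)

foreach ($ws in $Workstations) {
    # Accept colon, dash or dot separated MACs and normalise to aa-bb-cc-dd-ee-ff.
    $hex = ($ws.Mac -replace '[:.\-]', '').ToLower()
    if ($hex -notmatch '^[0-9a-f]{12}$') {
        Write-Warning "Skipping $($ws.Name): '$($ws.Mac)' is not a 48-bit MAC"
        continue
    }
    $clientId = ($hex -split '(..)' -ne '') -join '-'

    # Refuse to touch an IP or MAC that already has a reservation.
    $clash = $existing | Where-Object {
        $_.IPAddress.ToString() -eq $ws.IP -or $_.ClientId -eq $clientId
    }
    if ($clash) {
        Write-Warning "Skipping $($ws.Name): $($ws.IP) or $clientId is already reserved"
        continue
    }

    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $ws.IP `
        -ClientId $clientId -Name $ws.Name -Description 'RDP port-forward target'
}

# Review the result before switching the workstations to "Obtain automatically".
Get-DhcpServerv4Reservation -ScopeId $ScopeId |
    Format-Table IPAddress, ClientId, Name, Description -AutoSize
```

A reservation only takes effect once the workstation's adapter is set back to "Obtain automatically" and it renews its lease, so the firewall forwards keep pointing at the same addresses after the change.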