Domain Controller Blocking Internet When Fortigate Is Installed. Has Internet When Fortigate Is Not Installed.

Sonny B 116 Reputation points
2023-08-10T04:57:56.5333333+00:00

Hi Everyone,

We have a Domain Controller that has Active Directory and serves as the DNS server. When this DC and all PC's are connected to a router, there's no issue with all PC's going online, as well as VOIP phones being on a separate router using a different subnet.

We wanted to add more security and installed a Fortigate 40F. The support team at Fortinet configured this for us and all PC's connected to a network switch and the switch going to the Fortigate 40F's LAN1 port. The VOIP's are connected to a separate switch with that switch going to the Fortigate's LAN2 port. LAN1 and LAN2 are on different subnets because we wanted to isolate the PC's from the VOIP's.

At first, all PC's and VOIP's had internet and then suddenly, they all lost internet. The Fortigate is configured correctly because there's no firewall policy in play so all traffic is allowed to go out.

Our DC has no policy to block internet.

The Fortigate's info is:

IP: (Default) 192.168.1.99

Sub: 255.255.255.0

Gateway: 192.168.1.99

DNS: 192.168.1.99

The Domain Controller's info is:

IP: 192.168.1.20

Sub: 255.255.255.0

Gateway: 192.168.1.99

DNS: 192.168.1.20/99

The hardware setup is

ISP's Modem > Fortigate 40F's WAN > Fortigate's LAN1 > Network Switch

Fortigate LAN2 > VOIP Network switch

Fortigate LAN3 > Netgear Router

Not sure if it's related; however, when we removed the Fortigate from the network to bring things back to just using the Netgear router, for some reason, the Netgear's router's IP changed to 10.0.0.1. We're not sure if this occurred after connecting the Netgear to the Fortigate's LAN3 port and letting it be on the same subnet as LAN1.

So we corrected it after removing the Fortigate from the network.

Also, both the Fortigate and Netgear have DHCP enabled. I read somewhere that the Fortigate's should have DHCP turned off and let the Netgear be the DHCP server; however, the Fortinet support person said leaving both DHCP is OK...

Any assistance is very much appreciated.

Thank you very much.


Accepted answer
  1. Anonymous
    2023-08-10T16:49:22.4633333+00:00

    Thank you very much. All PC's are using the DC's IP: 192.168.1.20 as their DNS. The secondary DNS we added was for the Fortigate's: 192.168.1.99. We did also add 8.8.8.8 and still no luck.

    This will not work. The router and public DNS servers know nothing of your domain. The domain controller and all members must use the static ip address of DC listed for DNS and no others such as router or public DNS.

    If you need more detailed assistance then please run;

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log (run on PDC emulator)
    repadmin /showrepl >C:\repl.txt (run on any domain controller)
    ipconfig /all > C:\%computername%.txt (run on EVERY domain controller)
    ipconfig /all > C:\problemworkstation.txt (run on problem pc)

    Also check the domain controller System and Replication (DFS or FRS) event logs for errors since last boot. Post the Event Source and Event IDs of any found. (no evtx files)

    Then put unzipped text files up on OneDrive and share a link.
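One way to check a member PC (or the DC itself) against the rule in this answer, as an added example that is not from the thread or its answerers. It assumes the addresses from the question: 192.168.1.20 is the DC's static IP and the only DNS server allowed, while 192.168.1.99 (the Fortigate) and 8.8.8.8 are the entries that must be removed.

```powershell
# Added example, not code from the thread: audit the DNS client settings of this machine
# against the "DC only" rule. Assumed values taken from the question above:
#   DC static IP (allowed DNS server) : 192.168.1.20
#   Router/public entries to flag      : 192.168.1.99, 8.8.8.8
# Run in an elevated PowerShell on each domain member and on the DC itself.

$DomainDns = @('192.168.1.20')   # every DC's static IP; nothing else belongs in this list

function Test-DomainDnsClient {
    param([string[]]$AllowedServers = $DomainDns)
    $problems = @()
    # Only IPv4 entries matter here; interfaces with no servers configured are skipped
    $configs = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($cfg in $configs) {
        # Any server that is not a DC (router, Fortigate, public resolver) is a problem
        $bad = @($cfg.ServerAddresses | Where-Object { $_ -notin $AllowedServers })
        if ($bad.Count -gt 0) {
            $problems += [pscustomobject]@{
                Interface  = $cfg.InterfaceAlias
                Configured = ($cfg.ServerAddresses -join ', ')
                NotAllowed = ($bad -join ', ')
            }
        }
    }
    return $problems
}

$found = Test-DomainDnsClient
if ($found) {
    Write-Warning "DNS client points at non-domain servers (router/public DNS):"
    $found | Format-Table -AutoSize
} else {
    Write-Host "OK: every interface uses only $($DomainDns -join ', ') for DNS"
}

# To correct an interface, replace its list with the DC address(es) only (uncomment to apply;
# 'Ethernet' is an assumed adapter name, use the Interface value reported above):
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DomainDns
# Then clear the cache and re-register so the change takes effect immediately:
# ipconfig /flushdns; ipconfig /registerdns
```

On the DC from the question, the audit flags the second entry in "DNS: 192.168.1.20/99"; on the PCs it flags 192.168.1.99 and 8.8.8.8.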


2 additional answers

  1. Anonymous
    2023-08-10T12:46:15.8733333+00:00

    A domain controller and all members must use the static ip address of DC listed for DNS and no others such as router or public DNS.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  2. Deleted

