Networking Fixes

DNS Issues

Clients not resolving internal DNS

  1. Check the client is pointed at the correct DNS server:
    ipconfig /all
    nslookup internal.host.domain.com
    
  2. Flush the DNS cache on the client:
    ipconfig /flushdns
    
  3. On the DNS server, verify the zone and record exist:
    Get-DnsServerZone
    Get-DnsServerResourceRecord -ZoneName "domain.com" -Name "internal.host"
    

DNS lookup slow / timeout

Check if the forwarder is responding:

nslookup google.com 8.8.8.8  # test forwarder directly
nslookup google.com           # test via local DNS

If local DNS is slow, check forwarder config on the DNS server:

Get-DnsServerForwarder
Set-DnsServerForwarder -IPAddress 1.1.1.1, 8.8.8.8

DHCP Issues

Clients getting APIPA (169.254.x.x)

  • Client not reaching DHCP server — check switch/VLAN connectivity
  • DHCP server service stopped: Get-Service DHCPServer
  • DHCP scope exhausted — check lease usage:
    Get-DhcpServerv4ScopeStatistics -ScopeId 10.0.0.0
    
  • IP helper / relay agent not configured on the router/switch for cross-subnet DHCP

Duplicate IP conflicts

# Find all leases for a given IP
Get-DhcpServerv4Lease -ScopeId 10.0.0.0 | Where-Object { $_.IPAddress -eq "10.0.0.55" }

# Check ARP for which MAC has the IP
arp -a 10.0.0.55

VPN

Split tunnel not routing corporate traffic

Verify the pushed routes are in the routing table after connection:

route print

If routes are missing, check the VPN profile or the routes pushed from the VPN server. For Always On VPN, check that the device tunnel is up:

Get-VpnConnection -AllUserConnection
Get-NetIPInterface | Where-Object { $_.InterfaceAlias -like "*VPN*" }

VPN connects but can't reach internal resources

  1. DNS not resolving internally — verify the VPN DNS server is being used:
    ipconfig /all
    nslookup internal.host.domain.com
    
  2. Firewall blocking VPN client subnet — check firewall rules on internal servers/DCs

Certificate Errors

Site showing untrusted certificate

# Check what cert is being served
openssl s_client -connect hostname:443 -servername hostname </dev/null 2>/dev/null | \
    openssl x509 -noout -dates -subject -issuer

Common causes:

  • Expired certificate — check -enddate
  • Wrong CN/SAN — subject must match the hostname
  • Missing intermediate CA — check issuer chain: openssl s_client -showcerts
  • Clock skew on client — w32tm /query /status

Renew an IIS certificate (Windows)

# List certs expiring in next 30 days
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Select-Object Subject, NotAfter, Thumbprint

Firewall Blocking Traffic

Identify what's being blocked (Windows)

Enable firewall logging then inspect:

# -LogBlocked turns on logging of dropped packets
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 4096 -LogBlocked True

Look for DROP entries in C:\Windows\System32\LogFiles\Firewall\pfirewall.log.
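
One way to summarise the DROP entries, as an added example that is not part of the original page. The function name Get-FirewallDrop is hypothetical and the sample log lines are constructed; column names are read from the log's own #Fields header.

```powershell
# Constructed sample in pfirewall.log layout (not real traffic).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 09:14:02 DROP TCP 10.0.0.55 10.0.0.10 50122 445 52 S 123456 0 64240 - - - RECEIVE
2024-05-01 09:14:03 ALLOW UDP 10.0.0.55 10.0.0.10 53211 53 0 - - - - - - - SEND
2024-05-01 09:14:05 DROP TCP 10.0.0.55 10.0.0.10 50123 445 52 S 123457 0 64240 - - - RECEIVE
2024-05-01 09:15:40 DROP UDP 10.0.0.77 10.0.0.10 137 137 78 - - - - - - - RECEIVE
'@

# Hypothetical helper: emits one object per DROP line.
function Get-FirewallDrop {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -match '^#Fields:\s*(.+)$') {
            # Take column names from the header so extra columns still parse.
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and anything before the header.
        if ($l -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }
        $v = $l.Trim() -split '\s+'
        if ($v.Count -lt $fields.Count) { continue }   # truncated line
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        if ($row['action'] -eq 'DROP') { [pscustomobject]$row }
    }
}

# For the live log, pass instead:
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$drops = Get-FirewallDrop -Line ($sample -split "`r?`n")

# Group repeated drops so the blocked flow (source, destination, port) stands out.
$drops | Group-Object protocol, 'src-ip', 'dst-ip', 'dst-port', path |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The grouped output shows which source, destination and port combination is being dropped most often, which is the rule to look for on the host.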

Quick test: disable firewall temporarily (for diagnosis only)

Set-NetFirewallProfile -Profile Domain -Enabled False
# ... test ...
Set-NetFirewallProfile -Profile Domain -Enabled True