Interesting Domain problem - browsing the Internet

[Kelvarr]

I have a problem that I can't quite figure out.

Fresh Windows 10 Pro install. When the PC is not joined to the domain, everything works fine. When the PC is joined to the domain, I cannot access ANY Google sites at all, but can access pretty much any other site I've tested. This affects all browsers.

Things I've tried

• Changing Gateway address
• Changing IP address
• Changing PC name
• Changing DNS to Google Public
• Disabling Firewall (there isn't any Anti-Virus or Anti-Malware installed currently)
• Unjoining/Re-joining domain
• Changing OU's on AD
• Clearing Chrome cache
• ipconfig /flushdns
• Enabled proxy
• Disabled proxy
• Setting SiteName key in Registry to try to force a different DC (Didn't work, as "DynameSiteName" key is present, applying to the IPaddress/16 space - forcing it to use the local DC)

I just don't know what else it could be. Here's the thing...the 4 other PCs that are right around it, at the same site, same address space, same gateway, same domain, etc.........they can ALL access Google sites without issues.

Anybody have any clues? I've been banging my head against this for far too long.

 

[Dead Parrot]

Do you have an edge device with logging? Be interesting to see what traffic comes from the trouble PC when you try a Google site. If your DNS is local, check those logs as well.

Is the image for the trouble PC the same as the ones that work?

Did the PC get updates before testing? Maybe one got botched.

What do the event logs on the PC show? Any weird messages about the PC in the DC?

Have you tried a reinstall of Win 10?

Is the trouble PC the same brand/model/feature set as the four that work?

 

[xx0xx]

I would be curious to see what happens when you try to traceroute or ping google.com from the affected PC. Also curious what happens if you ping/traceroute 8.8.8.8

Does the PC have multiple ways to connect (NIC, Wireless, etc), if so maybe try a different one of those and see if there's a difference.

Was any other software installed after the fresh Windows 10 install? Especially anything that could affect networking or mess with a hosts file?

 

[Kelvarr]

Do you have an edge device with logging? Be interesting to see what traffic comes from the trouble PC when you try a Google site. If your DNS is local, check those logs as well.

We have an edge device. I do not know what level of logging it has

Is the image for the trouble PC the same as the ones that work?

No. The trouble PC was installed from scratch off of a USB key

Did the PC get updates before testing? Maybe one got botched.

Possible, but the curious thing is that when I am not joined to the domain, one can successfully browse to Google sites

What do the event logs on the PC show? Any weird messages about the PC in the DC?

None that are obvious to me. If you know of anything specific I should be looking for or can run, I'm open for suggestions.

Have you tried a reinstall of Win 10?

No, but again, this machine was literally built from bare metal off a USB ISO a couple of hours before I noticed this happening.

Is the trouble PC the same brand/model/feature set as the four that work?

No it is not. The trouble PC is a Dell All-In-One 9010. The four that work are HP Pro 3500 Series

 

[Kelvarr]

I would be curious to see what happens when you try to traceroute or ping google.com from the affected PC. Also curious what happens if you ping/traceroute 8.8.8.8

Does the PC have multiple ways to connect (NIC, Wireless, etc), if so maybe try a different one of those and see if there's a difference.

Was any other software installed after the fresh Windows 10 install? Especially anything that could affect networking or mess with a hosts file?

The only thing that might affect networking/etc would be Windows Update. Assigning an IP and joining the domain was pretty much the first thing I did.
No multiple ways that I'm aware of. I don't believe it has wireless.

I believe tracert stopped at the first hop. Just not responding. Ping fails.

 

[dbwillis]

"Assigning an IP and joining the domain was pretty much the first thing I did"

Why did you have to assign an IP? (by assign I assume you mean static IP, not DHCP)

 

[Nicklebon]

I would be curious to see what happens when you try to traceroute or ping google.com from the affected PC. Also curious what happens if you ping/traceroute 8.8.8.8

You're getting way ahead. Start by getting local IP and route information using ipconfig. Make sure you have the IP address you expect to have. If so, ping default route. Then use netstat -rn to look at the route table. Check for multiple default routes. If that checks out ping your nameserver. If that works use nslookup and look up www.google.com. Does it resolve correctly? If you don't know how to do any of that post the output here.

 

[Kelvarr]

"Assigning an IP and joining the domain was pretty much the first thing I did"

Why did you have to assign an IP? (by assign I assume you mean static IP, not DHCP)

Correct. We use static IP's at the current moment (previous leadership was adamantly AGAINST use of DHCP).
We are in the middle of a network refresh, and one of the objectives is to remedy that.

 

[Kelvarr]

You're getting way ahead. Start by getting local IP and route information using ipconfig. Make sure you have the IP address you expect to have. If so, ping default route. Then use netstat -rn to look at the route table. Check for multiple default routes. If that checks out ping your nameserver. If that works use nslookup and look up www.google.com. Does it resolve correctly? If you don't know how to do any of that post the output here.

I could get to everthing local. I did ping and tracert 8.8.8.8, and it was successful. I did the same thing against www.google.com, and it timed out.
I thought about the routing after I eventually got this resolved (next post). I could ping the DNS.

 

[Kelvarr]

So I finally figured this out, sort-of. By "figured out", I mean I at least got it to work, which is good enough for now.

So we utilize a proxy server. However, the way it is set up, if we don't enter a proxy, we have full, unfiltered access to the internet (normally). Most/all PC's are configured to use the proxy.
In this case, I apparently forgot to configure the proxy on this machine (we currently don't have it set up by GPO, but it is on our list of things to do). Once I configured the proxy, everything started working as expected.

It was surprising to me though, because it should have been the other way around. Other machines (IT staff in particular) bypass the proxy all the time, and we don't have any issues accessing Google, so I don't know what is different about this particular setup.

We just had a change in management, and that previous management worked with the proxy (and didn't share info/responsibility) with the rest of IT...which means we have some investigating into our proxy and routing to do.

At any rate, I wanted to post that the issue is resolved.

 

[Dead Parrot]

Was typing when your post came up. Glad it is mostly fixed. Good luck with the management issues, those are rarely fun.

Might check the device manager for yellow !. Dell computers often need some obscure device driver.

 

[Cmustang87]

So I finally figured this out, sort-of. By "figured out", I mean I at least got it to work, which is good enough for now.

So we utilize a proxy server. However, the way it is set up, if we don't enter a proxy, we have full, unfiltered access to the internet (normally). Most/all PC's are configured to use the proxy.
In this case, I apparently forgot to configure the proxy on this machine (we currently don't have it set up by GPO, but it is on our list of things to do). Once I configured the proxy, everything started working as expected.

It was surprising to me though, because it should have been the other way around. Other machines (IT staff in particular) bypass the proxy all the time, and we don't have any issues accessing Google, so I don't know what is different about this particular setup.

We just had a change in management, and that previous management worked with the proxy (and didn't share info/responsibility) with the rest of IT...which means we have some investigating into our proxy and routing to do.

At any rate, I wanted to post that the issue is resolved.

If the web proxy is inline, it can still proxy traffic transparently. If you are putting a new machine on the network with an IP address it's possible the web proxy doesn't have an exception in place for it.