How do I create a GPO to apply DNS changes for all workstations in my environment?

I have two domain controllers that I use for DNS as primary and secondary. I've defined these two servers as DNS in my DHCP scope, from which users pick up DHCP/DNS settings. We've just implemented the OpenDNS Umbrella web filtering tool in our environment. To make the web filtering tool work, two virtual appliances have been deployed. These two appliances route local DNS queries and point to the cloud. I've now set these two virtual appliances as DNS servers in my DHCP scope. There is redundancy, to where if one appliance fails, the other appliance will stay up. However, my boss wants more redundancy. He wants me to create a GPO to where, if and when both virtual appliances fail, a GPO will switch all users' DNS settings back to my domain controllers. It will be great if this GPO can refresh users' workstations or reboot them, so they will roll back to the DCs if both the virtual appliances fail. By the way, these virtual appliances are Linux based.
jaedenone asked:

lruiz52 commented:
Why not keep using your DC/DNS controllers as primary and secondary and set the virtual appliances as forwarders?
0
jaedenone (Author) commented:
The appliance needs to be defined as DNS in the DHCP scope, as it routes DNS requests from the local DNS (primary and secondary DCs) to the cloud. In other words, for the web filter policy to apply, all users need to point to the appliance IP as their DNS servers.
0
David Johnson, CD, MVP (Owner) commented:
That is for OUTSIDE of your LAN: point the forwarders to the appliance and all WAN traffic will be filtered. Otherwise you will break DNS Active Directory integration.
0
Raj-GT (Systems Engineer) commented:
You can add your domain controllers as third and fourth DNS servers via DHCP. The clients will only use these if both appliances fail for any reason.
0
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
You must use your AD DNS servers as DNS servers on all client machines. This is to ensure AD DNS integration is correct and that all client registrations are there. You must create forwarders on your AD DNS server (currently they must be using root hints) to forward all requests to your virtual appliances. With this configuration, all unresolved entries will be sent to your virtual appliance(s) to resolve.

This is how it should work. If you deviate from this configuration, you will have issues in AD where servers will not be able to find DCs, failed logons, potential client/server trust relationship issues, etc.
0
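The forwarder design described above (clients keep the AD DNS servers, the DCs forward unresolved queries to the appliances) expressed as a short PowerShell session. This is an added example, not a command sequence from anyone in the thread or from the OpenDNS documentation. It assumes the DnsServer module (Windows Server 2012 or later; the dnscmd equivalent for 2008 is shown in a comment), that it is run elevated on a DC hosting AD-integrated DNS, and that the appliance and DC addresses are constructed placeholders.

```powershell
# Added example; addresses below are constructed placeholders, not the thread's.
$VirtualAppliances = @('10.0.0.50', '10.0.0.51')   # OpenDNS VA1, VA2 (placeholders)
$DomainControllers = @('10.0.0.1',  '10.0.0.2')    # AD DNS on DC1, DC2 (placeholders)

# 1. What the DC uses today. An empty forwarder list means it resolves external
#    names via root hints, i.e. the appliances never see those queries.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 2. Send every query the DC cannot answer from its own zones to the appliances,
#    in order. Clients still use the DCs, so SRV lookups, dynamic registration and
#    the DC locator keep working; only external resolution passes through the VAs.
Set-DnsServerForwarder -IPAddress $VirtualAppliances -UseRootHint $false
#    UseRootHint $false = fail closed: if both VAs are down, external names stop
#    resolving rather than silently bypassing the filter via root hints.
#    Use $true if you would rather fail open (unfiltered browsing during an outage).

# Windows Server 2008 equivalent (no DnsServer module); /Slave disables root-hint fallback:
#   dnscmd /ResetForwarders 10.0.0.50 10.0.0.51 /Slave

# 3. Verify from each DC: it must still answer the AD SRV record itself and must
#    resolve an external name through the forwarders.
foreach ($dc in $DomainControllers) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV `
                           -Server $dc -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue
    $ext = Resolve-DnsName -Name 'www.example.com' -Type A `
                           -Server $dc -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server     = $dc
        AdSrvOk    = [bool]$srv   # AD integration intact
        ExternalOk = [bool]$ext   # forwarding to the VAs works
    }
}
```

Run step 3 again with both appliances disconnected: AdSrvOk should stay true (logons and DC location are unaffected) while ExternalOk reports whatever fail-open or fail-closed choice you made in step 2.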
Raj-GT (Systems Engineer) commented:
The OpenDNS appliance will use an AD connector and forwarders to the local domain, so AD will not break. I know this for sure because I am typing this from a domain-joined Windows 7 machine (one of 3000), which uses a third-party appliance as its primary DNS server.
0
jaedenone (Author) commented:
To Raj-GT:

From your response, you seem to know a lot about the Umbrella product. We have 300 AD users in our organization. My boss feels that the load will be heavy and thought that in some cases both VAs can possibly fail, which will cause downtime for our users. He is just thinking of the worst-case scenario. As a result, he wants me to come up with more redundancy. The screenshot below shows our current DNS server IPs, which I will change to the VAs' IPs once we do the cutover to production. If I were to add both VAs' IPs and leave our current local DNS IPs (screenshot attached) defined in the DHCP scope, totaling 4 DNS servers, will that be a problem? Also, if there are four DNS servers defined (where I have the arrow pointed in the screenshot) and both VAs fail, will my users then pick up DNS from my local DNS servers (primary and secondary DCs) at that point? Will the web filtering policy still apply if I have 4 DNS servers defined in DHCP? If this can work, how can I put this scenario to the test?
Capture.JPG
0
Raj-GT (Systems Engineer) commented:
What you are describing (having all four DNS server entries) will work, providing you followed the OpenDNS AD integration guide to set up the forwarders and AD Connectors in the appliance.

Having said that, I don't think with 300 clients, you have anything to worry about in terms of overloading the AD DNS servers. A DNS query is minuscule compared to other network traffic and I have used a single DNS server to serve more than 600 AD clients without any issues.

If you are implementing the OpenDNS appliance because you want high availability and worry about overloading AD DNS servers, then I think you are overreacting. Like I said before, DNS queries are very light in terms of demands, and the clients have redundancy built in by way of secondary servers. If you are however using the appliance for its web filtering, then I think using it as a forwarder for AD DNS would be a better approach, like others have suggested, but you have to check with the vendor to see if they support that. I would personally prefer a proxy server or a transparent proxy at the firewall level for web filtering, but I suppose you have other constraints like budget, deadlines etc.
0

jaedenone (Author) commented:
Raj-GT,

I always thought that you can only define up to two DNS servers under the scope option. Here is my scenario in my test environment. I have IPs for both VAs, but have not included them yet in the DHCP scope, until we are ready to deploy to production. In testing, all I am doing is manually inputting the DNS settings in my computer to point to the VAs' IPs. When I do that, the web filtering policy by OpenDNS Umbrella takes effect and works beautifully. When I set the adapter settings back to "Obtain DNS server address automatically", then my computer picks back up DNS settings from DHCP. When we go into production and roll this product out, I want to push to all client workstations by defining the VAs' IPs in the DHCP scope, along with having my current DNS servers defined as well (totaling 4 DNS servers). Not sure how familiar you are with the Umbrella product, but if I define all four IPs as DNS servers in the scope, will the web filtering policy work? Also, as a test, if I were to take both VAs down, will my clients still be able to browse the internet because the other two local DNS servers are still up? My take is they will be able to browse; however, policy will not work because I took down both the VAs. What I am trying to accomplish here is redundancy. Even though I already have two VAs in place, my boss is insecure and wants it set up to where, if both VAs fail, we can still pick up DNS from our local DNS servers (primary and secondary DCs). I can't really test this scenario out because it will require me to modify the scope, and we cannot do that until we do the cut-over to production.
0
Raj-GT (Systems Engineer) commented:
As you can see from the attached, you can define more than 2 DNS servers in the DHCP scope. The clients will always try the servers in sequence - if the first one failed then the second, if that's not available then the 3rd, etc. It will not use them in a round-robin fashion. Providing you have tested and are happy with the AD authentication part when using the VAs as primary, everything should be fine. Obviously, the web filtering will only work when the client is using one of the VAs for DNS resolution.

For testing, I would suggest you manually add all 4 DNS entries to a client and see if it can resolve when the VAs are unavailable and disconnected from the network. If the test was successful, then you can modify the scope. You have to restart or 'release and renew the DHCP lease' from the client side for them to start using the new DNS entries. Perhaps you can also use this method for testing (modify the scope > restart some of the clients > test).

Hope this helps.
DHCP.png
0
jaedenone (Author) commented:
Raj-GT,

What you mentioned I put to the test, and it works like a charm for testing! I think I got the concept down. Thanks for that. My only question left is, when I do the cut-over to production, do I also define all 4 DNS servers' IPs in the proper order in 006 DNS Servers under "Server Options" as well? Or do I only need to define all 4 DNS servers under 006 DNS in "Scope Options" only? I plan to do the cut-over on a Friday evening, after business hours. Our DHCP lease time expires after 24 hours. So I'm sure when all users authenticate back Monday, and if they do an ipconfig /all, they will see all 4 DNS server IPs listed as DNS? Is it safe to say this will be the case?
Capture1.JPG
0
Raj-GT (Systems Engineer) commented:
The scope option takes precedence over server options, and since you have multiple scopes I say go with the scope.
Good luck.
0
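The DHCP side of the thread (four servers in scope option 006 in VA-first order, scope options overriding server options, clients needing a release/renew, and a way to confirm which server is actually answering) as one PowerShell walkthrough. This is an added example and not anyone's commands from the thread; it assumes the DhcpServer and DnsClient modules (Windows Server 2012 / Windows 8 or later), DHCP administrator rights, and constructed placeholder scope and server addresses.

```powershell
# Added example; scope and addresses are constructed placeholders, not the thread's.
$ScopeId  = '192.168.10.0'
$DnsOrder = @('10.0.0.50', '10.0.0.51', '10.0.0.1', '10.0.0.2')  # VA1, VA2, then DC1, DC2

# --- On the DHCP server -------------------------------------------------------
# Scope-level option 006 overrides the server-level 006 for this scope, so set it
# per scope. -Force skips the cmdlet's reachability check on each DNS address,
# which matters while the VAs are still offline in a lab.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DnsOrder -Force

# Confirm the stored order: clients walk this list top to bottom, not round-robin.
(Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6).Value

# The server-level 006 is what scopes WITHOUT their own 006 inherit; review it so
# a scope you forgot does not quietly hand out DC-only (unfiltered) DNS.
Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue

# --- On a test client (elevated) -----------------------------------------------
# Pick up the new list now instead of waiting for the 24-hour lease to expire.
ipconfig /release | Out-Null
ipconfig /renew   | Out-Null
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# Which server will the resolver really land on? Query each entry in DHCP order;
# the first one that answers is the one in use. If only the DCs answer, names
# still resolve but the web filter is NOT in effect for this client.
function Test-DnsFailover {
    param([string[]] $Servers, [string] $Name = 'www.example.com')
    foreach ($srv in $Servers) {
        $answer = Resolve-DnsName -Name $Name -Type A -Server $srv `
                                  -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue
        [pscustomobject]@{ DnsServer = $srv; Answered = [bool]$answer }
    }
}
Test-DnsFailover -Servers $DnsOrder
```

Run `Test-DnsFailover` once with the appliances up (VA rows should answer) and once with both disconnected (only the DC rows answer). One caveat worth planning for: after the Windows resolver fails over to a lower entry it does not jump straight back when the preferred server recovers; it retries the preferred server periodically, so a client can stay on the DCs, unfiltered, for a while after the VAs return.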
Windows Server 2008