
Microsoft DNS - different response based on AD site?

I am trying to create a CNAME record in DNS that points to our internal SMTP servers.  The purpose of this record is to give it to our app developers so they can use it to find an SMTP server when they need to send e-mail from one of their apps.  We have several offices and I always want the app to connect to the SMTP server in the same office that the app is running in.

So for example, assuming the CNAME record is smtp-out.company.com, if the app is running in Office 1, I would want the CNAME record to point to office1-smtp.company.com and if the app is running in Office 2, it should point to office2-smtp.company.com.

I do this both for performance and availability reasons.  Sometimes the link between offices might be temporarily unavailable, so in that case if an app in Office 1 tries to connect to the SMTP server in Office 2, it would fail.

Essentially what I want are DNS "views" where the response is determined by the IP address of the client.  It doesn't seem like MS DNS supports this, but I'm curious if there are any workarounds as I'm sure this is a fairly common use case.

Our Active Directory is segmented into different sites which align with our different offices, so I could determine responses either by IP address directly, or by associated AD site.
1 Solution
Cliff Galiher commented:
There is no good way to do this with Active Directory integrated DNS, and frankly doing so would go against several RFC standards as it is. BIND can do views, but the introduction of that feature was controversial and I land on the side of "don't use it." But that is all an aside, since MS DNS can't do it anyways.

Given the reasons you want to do this, the truly scalable way to do this is to have the app developers code the application to use the APIs in Exchange to find the appropriate Hub Transport server for their location. Exchange is very scalable in this regard and this also future-proofs the application. It allows for architectural changes, both in your network if you add another Exchange server, and in Exchange itself as Microsoft changes internal workings, such as the role changes in Exchange 2013.

I think pursuing anything less will prove fragile, if you can find a way to get it to work at all. ...maybe updating hosts files per PC...

I think the answer to your problem is too simple.
Just put the correct entry you want into the hosts files of your developers' computers for each site.

For Site1 put the following entry to your host file:
"IP_Address_1"    smtp-out.company.com  
e.g.          smtp-out.company.com    

For Site2:
"IP_Address_2"     smtp-out.company.com  
e.g.           smtp-out.company.com    

With Regards,
Does each site have at least one local DNS server? If so, there's a possible workaround. It's a little kludgy and requires a bit of manual configuration up front, but it should work.

Assuming the name of the CNAME record will be smtp-out.company.com, go to each site's local DNS server and create a new forward lookup zone with that name. Make it a standard primary (not AD-integrated) zone.

Within the zone, create a CNAME record. Leave the name of the record blank, and for the target FQDN, supply the FQDN of the local SMTP server for that site (office1-smtp.company.com, for example). Now whenever a machine in Office 1 tries to resolve smtp-out.company.com, it'll resolve to office1-smtp.company.com's IP address.

Do the same on the other sites' local DNS servers. If there are multiple local DNS servers at a site, you can configure zone transfers to replicate the new zone to the other servers in the site and nowhere else. This way, only machines in Office 1 will resolve the name to office1-smtp, machines in Office 2 will resolve to office2-smtp, and so on.
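The per-site zone described above, scripted with the Windows DnsServer PowerShell module. This is an added example, not code from the thread; the DNS server names in the site map are assumed placeholders, and the target-resolution and transfer-restriction checks are additions that keep a dangling alias or a cross-site zone transfer from going unnoticed.

```powershell
#Requires -Modules DnsServer
# Added example: one standard primary zone named smtp-out.company.com per site,
# with an apex CNAME pointing at that site's SMTP server. Server names are assumed.
$ZoneName = 'smtp-out.company.com'

# Constructed site map: the first server is the zone's primary, the rest are in-site secondaries.
$Sites = @(
    @{ Name = 'Office1'; Target = 'office1-smtp.company.com'
       Servers = @('office1-dns1.company.com', 'office1-dns2.company.com') },
    @{ Name = 'Office2'; Target = 'office2-smtp.company.com'
       Servers = @('office2-dns1.company.com') }
)

function Get-ARecordIP([string]$Name, [string]$Server) {
    (Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }).IPAddress
}

foreach ($site in $Sites) {
    $primary     = $site.Servers[0]
    $secondaries = @($site.Servers | Select-Object -Skip 1)

    # Refuse to publish an alias whose target does not resolve; a dangling CNAME fails silently later.
    try { $null = Get-ARecordIP -Name $site.Target -Server $primary }
    catch { Write-Warning "$($site.Name): $($site.Target) does not resolve on $primary, skipping"; continue }

    # File-backed primary zone, deliberately NOT AD-integrated so it never replicates to other sites.
    if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $primary -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -ComputerName $primary
    }

    # Apex CNAME: the record name '@' stands for the zone name itself.
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name '@' -HostNameAlias $site.Target -ComputerName $primary

    if ($secondaries.Count -gt 0) {
        # Allow zone transfers only to this site's own secondaries, never to another office.
        $secIPs = $secondaries | ForEach-Object { Get-ARecordIP -Name $_ -Server $primary }
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $primary `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $secIPs
        $masterIP = Get-ARecordIP -Name $primary -Server $primary
        foreach ($s in $secondaries) {
            Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -MasterServers $masterIP -ComputerName $s
        }
    } else {
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $primary -SecureSecondaries NoTransfer
    }

    # Verify from each of the site's servers that the alias now points at the local SMTP host.
    foreach ($s in $site.Servers) {
        $answer = (Resolve-DnsName -Name $ZoneName -Type CNAME -Server $s).NameHost
        Write-Host ("{0}: {1} -> {2} (via {3})" -f $site.Name, $ZoneName, $answer, $s)
    }
}
```

Run it once from an administrative PowerShell session that can reach every listed DNS server; the verification loop should show each site resolving smtp-out.company.com to its own office's SMTP host.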

FWeston (Author) commented:
Thanks DrDave, can't believe I didn't think of that myself.  I didn't realize MS DNS would allow you to create a CNAME record at the zone apex but since it does this should work for what I want to do.
Cliff Galiher commented:
I did mention host files at the end of my first comment. That is, of course, not at all scalable, and would only work if there are a handful of machines. It also makes performing any topology changes a nightmare.

Regarding local DNS servers, the downside to that approach is that domain-joined machines need to point to a DNS server that has the Active Directory zones and associated service records or things start working very poorly. So for non-integrated DNS servers, you end up configuring a dizzying number of zone transfers and AD replication becomes a real concern.

Both options are technically achievable, but as I had mentioned before, any workarounds are extremely fragile and in both instances I think the harm outweighs the benefit. Just wanted to follow up to provide a bit of perspective on the suggestions. Sometimes just because something *can* be done doesn't mean it should be. Ultimately though, it is a matter of weighing the pros and cons, and that isn't my decision to make I suppose.
FWeston (Author) commented:
cgaliher, I think you misunderstood DrDave's suggestion.  He was not suggesting using a non-AD integrated DNS server.  He was merely suggesting adding additional DNS zones to the already existing AD-integrated DNS servers.

The AD DNS would function exactly as before.

I've used this trick before where I needed a single DNS server to return a different value for a specific hostname but not be authoritative for the rest of that DNS zone and it works well.