DNS server question

Posted on 2013-12-13
Last Modified: 2013-12-15
I have a Microsoft DNS (AD Integrated) server which I synchronize with a third-party DNS server.

MS DNS server FQDN
Third Party DNS server FQDN

I want to point all my clients to the third-party DNS server.

What must I do so my third-party DNS server can resolve everything in the zone?

Please advise.
Question by:ciscosupp
LVL 12

Expert Comment

ID: 39716054
Better to mention the Third party as PREFERRED in your current DHCP server. Now I don't know if it is your router or the Windows server itself. Otherwise if you have fixed desktops and not mobile users (laptops) you can specify the DNS manually for each user.

Author Comment

ID: 39716064
I don't understand what you mean.
LVL 37

Expert Comment

ID: 39716091
You can have a DNS forwarder set on the AD-integrated DNS server pointing to the 3rd-party DNS server so that it can resolve internet queries for clients.

You should not point your clients to the 3rd-party DNS server; if you do so, Active Directory will not be able to authenticate them.

To set a DNS forwarder on an AD-integrated DNS server, check the article below.

Let me know if this is what you are looking for?


Author Comment

ID: 39716119
Thanks MaheshPM.
Basically my third-party DNS server is Infoblox, and all my domain controllers' (single forest, multiple domains) DNS zones are synchronized to it, so I want to use one centralized DNS server, which is my Infoblox, which should have the answer to all my queries/domains.

Expert Comment

ID: 39716334
Active Directory DNS uses sub-domains inside the main domain zone, like: as well as delegations.
Moreover, AD DNS is a multi-master model, meaning you can update any server and they will replicate within the whole domain or even forest.

If you're dealing with multiple domains, you do not want to lose this advantage.

I am afraid it will not be easy to replicate the trick using external DNS.
Especially if your goal is quick response from Infoblox directly.

Here's what you would do and why it'll fail:
1. Secondary zones on Infoblox. Hard to manage (manual), will not contain the sub-zones required for AD functionality, like clients finding a DC to talk to.
2. Delegations on Infoblox, to each domain. Infoblox will redirect clients to the NS records (DC), but only for the zones delegated, not subdomains like _MSDCS. Hence AD functions fail.
3. Forwarders to each domain. Infoblox will dynamically request each domain and return to the client. Less management than (3) but still manual management in case of a changed NS IP. Forwarders are also slower than (1).

What value do you expect to receive from using an external component here?

It will be less scalable and higher maintenance, that's for sure. Even if you make it work.
You could use Infoblox as a forwarder, in case AD clients are seeking non-AD components/entities. There go your UNIX machines, external realms where no trust exists, Internet etc. Anything that does not require the self-updating and multi-master-replicating miracle of AD DNS.
LVL 37

Expert Comment

ID: 39716444
Whatever you are trying to achieve tends to a single point of failure if the 3rd-party DNS server goes down.
Also, probably your DNS dynamic updates will also not work in that case.

The best practice is to have local AD-integrated DNS for AD authentication, since you have multiple domains, and then forward queries to a public DNS \ 3rd-party DNS server for internet name resolution.

It's just like unnecessarily pointing clients to another DNS server when their native DNS server is ready to service them directly and efficiently.
As per my understanding, you will not be benefited by separating DNS.


Author Comment

ID: 39716715
Thanks all. I also don't like this setup; unfortunately it's one of my clients. :-(

I changed my third-party DNS server to the same zone, so basically it's like a second DNS server. The DNS zone is synchronized between my MS DNS and third-party DNS.
My only problem is when I point my clients to the third-party DNS I cannot join the client to the domain. What record am I missing?
Please advise.
LVL 37

Expert Comment

ID: 39716735
If you have created a secondary zone of the AD-integrated zone of the DC on the 3rd-party DNS server, it will probably not allow you to join the machine to the domain because of the secondary zone.

What you can do, instead of creating a secondary zone, is just create a conditional forwarder on the 3rd-party DNS server pointing to each domain's DCs and then try to join workstations to the domain.

It should work, hopefully.


Author Comment

ID: 39717344
I tried creating a conditional forwarder but get this error:
The server forwarders cannot be updated.
The zone already exists.

As my third-party DNS server has the same zone.

Any advice on what else I can try?
LVL 37

Expert Comment

ID: 39718296
I told you to create a conditional forwarder instead of a secondary zone, which means you need to delete the secondary zone first; only then can you create the conditional forwarder.

Even after deletion of the secondary zone and creation of the conditional forwarder, if it does not work, then you can do the below:
Point the client machine to the AD-integrated DNS server, then join the machine to the domain, reboot, and then change the primary DNS server on the machine to the 3rd-party DNS server and the secondary to its own AD-integrated DNS server.

Lastly I suggest you please convince your client that it is not best practice to skip the AD-integrated DNS server.


Author Comment

ID: 39718322
Thanks, my last question. :-)

The third-party DNS does not have a secondary zone; it's an authoritative zone, as I can make changes on it and it is synced to my MS DNS, and the zone also has SOA and NS records for that IP. So basically my MS and third-party DNS servers have identically the same records/zone, but why can't I join a PC to the domain when pointing to the third-party DNS?

Assisted Solution

CubeOver earned 250 total points
ID: 39718347
If you insist on having secondary zones then create them all, starting from the top level and then everything below:

And then all child zones inside the above as well.
See why it's easier to set up forwarding?
All zones must be there on Infoblox. Not having write access to DNS will not impede client functionality.
LVL 37

Accepted Solution

Mahesh earned 250 total points
ID: 39718598
First of all, the zone created on the 3rd-party DNS server is just a standard primary zone and not an authoritative zone.

The authoritative zone is the one which is on the domain controllers in each domain.

This zone on the 3rd-party DNS server is not capable of doing dynamic updates and also does not have any rights in Active Directory. That is why you are not able to join computers to the domain when pointing to this DNS server. Active Directory changes cannot be replicated to this zone and vice versa.
Even if you create the zone structure as suggested by "CubeOver", still it's just a standard primary zone and will not make any difference.

That is why I suggested you check the conditional forwarder option, so that the request can be redirected to the AD \ DNS server, and then it might work.
Also try to create pre-staged computer accounts in AD and check if it works.

If none of the above works, then I don't see any option other than my previous comment, i.e. point the client machine to the AD-integrated DNS server, then join the machine to the domain, reboot, and then change the primary DNS server on the machine to the 3rd-party DNS server and the secondary to its own AD-integrated DNS server.
Again, this will most probably create DNS dynamic update issues if you are using DHCP servers in your network.
Lastly, you could go with the AD-integrated DNS option only, as per MS best practices.
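The accepted solution explains that a standalone copy of the zone lacks the _msdcs locator records and dynamic updates that a domain join depends on. As an added example (not from this thread or from Microsoft or Infoblox), the PowerShell below queries the SRV records a joining client needs from both DNS servers and reports which are missing, and wraps the suggested remediation for a Windows DNS server (drop the standalone zone, add a conditional forwarder). The domain name corp.example and the addresses 10.0.0.10 (AD-integrated DNS) and 10.0.0.20 (third-party DNS) are assumed placeholders; on Infoblox the forwarder is configured in its own UI instead.

```powershell
# Added example; assumed placeholder values, replace with your own.
param(
    [string]$Domain   = 'corp.example',   # AD domain (assumed)
    [string]$AdDns    = '10.0.0.10',      # AD-integrated DNS server (assumed)
    [string]$ThirdDns = '10.0.0.20'       # third-party DNS server (assumed)
)

# SRV records the DC locator asks for when a workstation joins or logs on.
# Most live under the _msdcs subdomain, which a separately created primary
# zone does not carry unless someone populated it by hand.
$script:RequiredSrv = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_ldap._tcp.$Domain"
)

# Query each record directly against one server (no local cache) and report.
function Test-DcLocatorRecords {
    param([Parameter(Mandatory)][string]$Server)
    foreach ($name in $script:RequiredSrv) {
        try {
            $rr = Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'SRV' }
            $status = if ($rr) { 'OK ({0} target(s))' -f @($rr).Count } else { 'MISSING' }
        } catch {
            $status = "MISSING ($($_.Exception.Message))"
        }
        [pscustomobject]@{ Server = $Server; Record = $name; Status = $status }
    }
}

# Remediation on a Windows DNS server (run on that server as a DNS admin):
# the thread's advice is to remove the standalone copy of the AD zone and
# forward the whole domain to the DCs instead. Not invoked automatically.
function Set-AdZoneForwarding {
    param([Parameter(Mandatory)][string]$ZoneName,
          [Parameter(Mandatory)][string[]]$DcAddresses)
    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        Remove-DnsServerZone -Name $ZoneName -Force
    }
    Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $DcAddresses
}

Test-DcLocatorRecords -Server $AdDns
Test-DcLocatorRecords -Server $ThirdDns | Format-Table -AutoSize
```

Rows marked MISSING on the third-party server but OK on the AD server are exactly the records the join is failing on; after forwarding is in place, rerun the check and they should match.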

