DNS server question

I have a Microsoft DNS (AD Integrated) server which I synchronize with a third party dns server.

MS DNS server FQDN dc.test.com
Third Party DNS server FQDN external.example.com

I want to point all my clients to the third party dns server.

What must I do so my third party DNS server can resolve everything in the test.com zone?

Please advise.
Mahesh (Architect) commented:
First of all, the zone created on the 3rd party DNS server is just a standard primary zone and not an authoritative zone.

The authoritative zone is the one which is on the domain controllers in each domain.

This zone on the 3rd party DNS server is not capable of dynamic updates and also does not have any rights in Active Directory. That is why you are not able to join computers to the domain when pointing to this DNS server. Active Directory changes cannot be replicated to this zone and vice versa.
Even if you create the zone structure as suggested by "CubeOver", it is still just a standard primary zone and will not make any difference.

That is why I suggested you check the conditional forwarder option, so that requests can be redirected to the AD \ DNS server; then it might work.
Also try to create prestaged computer accounts in AD and check if it works.

If none of the above works, then I don't see any option other than my previous comment, i.e. point the client machine to the AD integrated DNS server, then join the machine to the domain, reboot, and then change the primary DNS server on the machine to the 3rd party DNS server and the secondary to its own AD integrated DNS server.
Again, this will most probably create DNS dynamic update issues if you are using DHCP servers in your network.
Lastly, you could go with the AD integrated DNS option only, as per MS best practices.

ibrahim52 (Team Leader) commented:
Better to set the third party as PREFERRED in your current DHCP server. Now I don't know if it is your router or the Windows server itself. Otherwise, if you have fixed desktops and not mobile users (laptops), you can specify the DNS manually for each user.
ciscosupp (Author) commented:
I don't understand what you mean.
You can have a DNS forwarder set on the AD integrated DNS server pointing to the 3rd party DNS server, so that it can resolve internet queries for clients.

You should not point your clients to the 3rd party DNS server; if you do so, Active Directory will not be able to authenticate them.

To set a DNS forwarder on the AD integrated DNS server, check the article below.

Let me know if this is what you are looking for.
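As an added example (not code posted in the thread), this PowerShell script is run on the AD integrated DNS server and configures the forwarder setup described above: test.com stays authoritative on the DC, and only names outside it go to the third-party server. The address 192.0.2.20 is an assumed placeholder for external.example.com.

```powershell
# Added example (not from the thread): run on dc.test.com with the DnsServer module.
# Keeps test.com authoritative locally and forwards everything else to the third-party server.
$AdZone        = 'test.com'
$ThirdPartyDns = '192.0.2.20'   # assumed placeholder address for external.example.com

# 1. Sanity check: the local copy of the zone must be the AD-integrated one, not a
#    standard primary/secondary copy, otherwise client dynamic updates will still fail.
$zone = Get-DnsServerZone -Name $AdZone -ErrorAction Stop
if (-not $zone.IsDsIntegrated) {
    throw "$AdZone on this server is a $($zone.ZoneType) zone, not AD-integrated"
}

# 2. Add the third-party server as a forwarder. Forwarders are only consulted for names
#    this server is not authoritative for, so AD lookups never leave the DC.
if ((Get-DnsServerForwarder).IPAddress -notcontains $ThirdPartyDns) {
    Add-DnsServerForwarder -IPAddress $ThirdPartyDns -PassThru
}

# 3. Verify from the DC itself: an AD locator name answers from the local zone,
#    a name outside the zone is resolved through the forwarder.
$internal = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdZone" -Type SRV -Server 127.0.0.1 -DnsOnly
$external = Resolve-DnsName -Name 'www.example.com' -Type A -Server 127.0.0.1 -DnsOnly
"DC locator SRV records answered locally: $(@($internal | Where-Object Type -eq 'SRV').Count)"
"external name answered via forwarder:    $($external.IPAddress -join ', ')"
```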

ciscosupp (Author) commented:
Thanks MaheshPM
Basically my third party DNS server is Infoblox, and all my domain controllers' (single forest, multiple domains) DNS zones are synchronized to it, so I want to use one centralized DNS server, which is my Infoblox, which should have the answer to all my queries/domains.
Active Directory DNS uses sub-domains inside the main domain zone, like
_MSDCS.test.com, as well as delegations.
Moreover, AD DNS is a multi-master model, meaning you can update any server and they will replicate within the whole domain or even forest.

If you're dealing with multiple domains, you do not want to lose this advantage.

I am afraid it will not be easy to replicate the trick using an external DNS,
especially if your goal is a quick response from Infoblox directly.

Here's what you would do and why it'll fail:
1. Secondary zones on Infoblox. Hard to manage (manual), will not contain the sub-zones required for AD functionality, like clients finding a DC to talk to.
2. Delegations on Infoblox, to each domain. Infoblox will redirect clients to the NS records (DC), but only for the zones delegated, not sub-domains like _MSDCS. Hence AD functions fail.
3. Forwarders to each domain. Infoblox will dynamically request each domain and return to the client. Less management than (3) but still manual management in case of a changed NS IP. Forwarders are also slower than (1).

What value do you expect to receive from using an external component here?

It will be less scalable and higher maintenance, that's for sure, even if you make it work.
You could use Infoblox as a forwarder, in case AD clients are seeking non-AD components/entities. There go your UNIX machines, external realms where no trust exists, the Internet, etc. Anything that does not require the self-updating and multi-master-replicating miracle of AD DNS.
Whatever you are trying to achieve tends towards a single point of failure if the 3rd party DNS server goes down.
Also, your DNS dynamic updates will probably not work in that case.

The best practice is to have local AD integrated DNS for AD authentication, since you have multiple domains, and then forward queries to a public DNS \ 3rd party DNS server for internet name resolution.

It's just like unnecessarily pointing clients to another DNS server when their native DNS server is ready to service them directly and efficiently.
As per my understanding, you will not benefit from separating DNS.

ciscosupp (Author) commented:
Thanks all. I also don't like this setup; unfortunately it's one of my clients. :-(

I changed my third party DNS server to the same zone, so basically it's like a second DNS server. The DNS zone is synchronized between my MS DNS and the third party DNS.
My only problem is that when I point my clients to the third party DNS I cannot join the client to the domain. What record am I missing?
Please advise.
If you have created a secondary zone of the AD integrated zone of the DC on the 3rd party DNS server, it will probably not allow you to join the machine to the domain because of the secondary zone.

What you can do, instead of creating a secondary zone, is just create a conditional forwarder on the 3rd party DNS server pointing to each domain's DCs and then try to join workstations to the domain.

It should work hopefully.

ciscosupp (Author) commented:
I tried creating a conditional forwarder but get an error:
The server forwarders cannot be updated.
The zone already exists.

As my third party DNS server has the same zone.

Any advice on what else I can try?
I told you to create a conditional forwarder instead of the secondary zone, meaning you need to delete the secondary zone first; only then can you create the conditional forwarder.

Even after deletion of the secondary zone and creation of the conditional forwarder, if it does not work, then you can do the below:
Point the client machine to the AD integrated DNS server, then join the machine to the domain, reboot, and then change the primary DNS server on the machine to the 3rd party DNS server and the secondary to its own AD integrated DNS server.

Lastly, I suggest you please convince your client that it is not best practice to skip the AD integrated DNS server.

ciscosupp (Author) commented:
Thanks, my last question. :-)

The third party DNS does not have a secondary zone; it's an authoritative zone, as I can make changes on it, and it is synced to my MS DNS, and the zone also has SOA and NS records for that IP. So basically my MS and third party DNS servers have identically the same records/zone, but why can't I join a PC to the domain when pointing to the third party DNS?
CubeOver commented:
If you insist on having secondary zones, then create them all, starting from the top level and then everything below:

And then all child zones inside the above as well.
See why it's easier to set up forwarding?
All zones must be there on Infoblox.
Not having write access to DNS will not impede client functionality.
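As an added example (not code posted in the thread), this PowerShell script answers the author's "what record am I missing" question from a client's point of view: it queries the names a domain join relies on, which live in the _msdcs and _tcp sub-zones CubeOver describes, against both the AD integrated server and the third-party server and reports which ones the third-party server cannot answer. The server addresses and the Get-RecordTargets helper are this example's own; the 192.0.2.x addresses are placeholders.

```powershell
# Added example (not from the thread): compare the records a domain join needs as answered
# by the AD-integrated DNS server and by the third-party server. Runs from any Windows client.
$Domain        = 'test.com'
$DcDns         = '192.0.2.10'   # assumed placeholder: AD-integrated DNS (dc.test.com)
$ThirdPartyDns = '192.0.2.20'   # assumed placeholder: third-party DNS (external.example.com)

# Names a client resolves while locating a DC and joining. The SRV records live in the
# _msdcs / _tcp sub-zones, which a plain copy of the test.com zone may not carry.
$Checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' },
    @{ Name = "_ldap._tcp.pdc._msdcs.$Domain";    Type = 'SRV' },
    @{ Name = "_ldap._tcp.$Domain";               Type = 'SRV' },
    @{ Name = "_kerberos._tcp.$Domain";           Type = 'SRV' },
    @{ Name = "_kpasswd._tcp.$Domain";            Type = 'SRV' },
    @{ Name = "gc._msdcs.$Domain";                Type = 'A'   },
    @{ Name = $Domain;                            Type = 'A'   }
)

# Example's own helper: returns the sorted answer targets, or an empty list when the
# server gives NXDOMAIN, SERVFAIL or no answer of the requested type.
function Get-RecordTargets {
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        $targets = $answer | Where-Object { $_.Type -eq $Type } | ForEach-Object {
            if ($Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { "$($_.IPAddress)" }
        }
        return @($targets | Sort-Object)
    } catch {
        return @()
    }
}

foreach ($c in $Checks) {
    $fromDc    = Get-RecordTargets -Name $c.Name -Type $c.Type -Server $DcDns
    $fromThird = Get-RecordTargets -Name $c.Name -Type $c.Type -Server $ThirdPartyDns
    # Answers are sorted, so a joined string comparison is enough to detect a difference.
    $status = if ($fromDc.Count -eq 0)          { 'absent on both servers' }
              elseif ($fromThird.Count -eq 0)   { 'MISSING on third-party' }
              elseif (($fromDc -join ',') -ne ($fromThird -join ',')) { 'DIFFERS' }
              else                              { 'OK' }
    [pscustomobject]@{
        Record = $c.Name; Type = $c.Type; Status = $status
        DC = ($fromDc -join ', '); ThirdParty = ($fromThird -join ', ')
    }
}
```

Any row marked MISSING on the third-party server is a record the client needs for DC location or Kerberos that only the AD integrated zone is serving; a conditional forwarder for test.com (or the full sub-zone set CubeOver lists) on the third-party server is what fills the gap.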