Solved

DNS server question

Posted on 2013-12-13
978 Views
Last Modified: 2013-12-15
Hi
I have a Microsoft DNS (AD Integrated) server which I synchronize with a third party dns server.

MS DNS server FQDN dc.test.com 192.168.0.1
Third Party DNS server FQDN external.example.com 192.168.0.2

I want to point all my clients to the third party dns server.

What must I do so my third party DNS server can resolve everything in the test.com zone?

Please advise.
Question by:ciscosupp
13 Comments
 
LVL 12

Expert Comment

by:ibrahim52
ID: 39716054
It is better to set the third party server as PREFERRED in your current DHCP server. I don't know if that is your router or the Windows server itself. Otherwise, if you have fixed desktops and not mobile users (laptops), you can specify the DNS manually for each user.
 

Author Comment

by:ciscosupp
ID: 39716064
I don't understand what you mean.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39716091
You can set a DNS forwarder on the AD integrated DNS server pointing to the 3rd party DNS server so that it can resolve Internet queries for clients.

You should not point your clients to the 3rd party DNS server; if you do so, Active Directory will not be able to authenticate them.

To set a DNS forwarder on an AD integrated DNS server, check the article below:
http://technet.microsoft.com/en-us/library/cc754941.aspx

Let me know if this is what you are looking for.

Mahesh
 

Author Comment

by:ciscosupp
ID: 39716119
Thanks MaheshPM.
Basically my third party DNS server is Infoblox, and all my domain controllers' (single forest, multiple domains) DNS zones are synchronized to it, so I want to use one centralized DNS server, which is my Infoblox, which should have the answer to all my queries/domains.
 
LVL 2

Expert Comment

by:CubeOver
ID: 39716334
Active Directory DNS uses sub-domains inside the main domain zone, like _msdcs.test.com, as well as delegations.
Moreover, AD DNS is a multi-master model, meaning you can update any server and they will replicate within the whole domain or even forest.

If you're dealing with multiple domains, you do not want to lose this advantage.

I am afraid it will not be easy to replicate the trick using external DNS.
Especially if your goal is quick response from Infoblox directly.

Here's what you would do and why it'll fail:
1. Secondary zones on Infoblox. Hard to manage (manual); will not contain the sub-zones required for AD functionality, like clients finding a DC to talk to.
2. Delegations on Infoblox, to each domain. Infoblox will redirect clients to the NS records (DC), but only for the zones delegated, not sub-domains like _msdcs. Hence AD functions fail.
3. Forwarders to each domain. Infoblox will dynamically request each domain and return the answer to the client. Less management than (3), but still manual management in case of a changed NS IP. Forwarders are also slower than (1).

What value do you expect to receive from using an external component here?

It will be less scalable and higher maintenance, that's for sure, even if you make it work.
You could use Infoblox as a forwarder, in case AD clients are seeking non-AD components/entities: there go your UNIX machines, external realms where no trust exists, the Internet, etc. Anything that does not require the self-updating and multi-master-replicating miracle of AD DNS.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39716444
Whatever you are trying to achieve tends toward a single point of failure if the 3rd party DNS server goes down.
Also, your DNS dynamic updates will probably not work in that case.

The best practice is to have local AD integrated DNS for AD authentication, since you have multiple domains, and then forward queries to a public DNS / 3rd party DNS server for Internet name resolution.

It's just like unnecessarily pointing clients to another DNS server when their native DNS server is ready to service them directly and efficiently.
As per my understanding, you will not benefit from separating DNS.

Mahesh
 

Author Comment

by:ciscosupp
ID: 39716715
Thanks all. I also don't like this setup; unfortunately it's one of my clients. :-(

I changed my third party DNS server to the same zone, so basically it's like a second DNS server. The DNS zone is synchronized between my MS DNS and the third party DNS.
My only problem is that when I point my clients to the third party DNS, I cannot join a client to the domain. What record am I missing?
Please advise.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39716735
If you have created a secondary zone of the DC's AD integrated zone on the 3rd party DNS server, it will probably not allow you to join a machine to the domain because of the secondary zone.

What you can do, instead of creating a secondary zone, is just create a conditional forwarder on the 3rd party DNS server pointing to each domain's DCs and then try to join workstations to the domain.

It should work hopefully.

Mahesh
 

Author Comment

by:ciscosupp
ID: 39717344
I tried creating a conditional forwarder but get an error:
The server forwarders cannot be updated.
The zone already exists.

This is because my third party DNS server has the same zone.

Any advice on what else I can try?
 
LVL 35

Expert Comment

by:Mahesh
ID: 39718296
I told you to create a conditional forwarder instead of a secondary zone, meaning you need to delete the secondary zone first; only then can you create the conditional forwarder.

Even after deletion of the secondary zone and creation of the conditional forwarder, if it does not work, you can do the below:
Point the client machine to the AD integrated DNS server, then join the machine to the domain, reboot, and then change the primary DNS server on the machine to the 3rd party DNS server and the secondary to its own AD integrated DNS server.

Lastly, I suggest you please convince your client that it is not best practice to skip the AD integrated DNS server.

Mahesh
 

Author Comment

by:ciscosupp
ID: 39718322
Thanks, my last question. :-)

The third party DNS does not have a secondary zone; it's an authoritative zone, as I can make changes on it, and it is synced to my MS DNS, and the zone also has SOA and NS records for that IP. So basically my MS and third party DNS servers have identically the same records/zone, but why can't I join a PC to the domain when pointing to the third party DNS?
 
LVL 2

Assisted Solution

by:CubeOver
CubeOver earned 250 total points
ID: 39718347
If you insist on having secondary zones, then create them all, starting from the top level and then everything below.
First:
_sites.test.com
_msdcs.test.com
_tcp.test.com
_udp.test.com
DomainDnsZones.test.com
ForestDnsZones.test.com

And then all child zones inside the above as well.
See why it's easier to set up forwarding?
All zones must be there on Infoblox. Not having write access to DNS will not impede client functionality.
 
LVL 35

Accepted Solution

by:Mahesh
Mahesh earned 250 total points
ID: 39718598
First of all, the zone created on the 3rd party DNS server is just a standard primary zone and not the authoritative zone.

The authoritative zone is the one which is on the domain controllers in each domain.

This zone on the 3rd party DNS server is not capable of doing dynamic updates and also does not have any rights in Active Directory. That is why you are not able to join computers to the domain when pointing to this DNS server. Active Directory changes cannot be replicated to this zone, and vice versa.
Even if you create the zone structure as suggested by "CubeOver", it is still just a standard primary zone and will not make any difference.

That is why I suggested you check the conditional forwarder option, so that requests can be redirected to the AD / DNS server, and then it might work.
Also try pre-staging computer accounts in AD and check if it works.

If none of the above works, then I don't see any option other than my previous comment, i.e. point the client machine to the AD integrated DNS server, then join the machine to the domain, reboot, and then change the primary DNS server on the machine to the 3rd party DNS server and the secondary to its own AD integrated DNS server.
Again, this will most probably create DNS dynamic update issues if you are using DHCP servers in your network.
Lastly, you could go with the AD integrated DNS option only, as per MS best practices.

Mahesh
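The practical check behind both CubeOver's zone list and Mahesh's accepted answer is whether the third party server's copy of test.com actually carries the SRV records a joining client queries to find a domain controller. The script below is an added example (it is not code from the thread, from Infoblox or from Microsoft) that audits a zone dump for those records and mimics the client's first step of a domain join. It runs offline on constructed, in-memory zone data: the AD-integrated zone is built with every Netlogon-registered SRV name, and the "Infoblox copy" is the same zone with only the top-level records, which is the shape a sync of just test.com would produce. The domain test.com, the DC dc.test.com at 192.168.0.1 (from the question), the site name Default-First-Site-Name (AD's default) and the assumption that test.com is also the forest root are all assumptions for the example.

```python
"""Audit a DNS zone copy for the Active Directory DC locator records.

Added example, not from the thread. Zones are plain dicts keyed by
(owner name, record type) with a list of rdata strings, a shape that a zone
transfer or an Infoblox export can be loaded into. All data is constructed.
"""


def dc_locator_names(domain, forest=None, site="Default-First-Site-Name"):
    """SRV owner names the Netlogon service registers and clients query.

    'forest' defaults to the domain, i.e. the example assumes test.com is the
    forest root. The site name is AD's default and an assumption here.
    """
    forest = forest or domain
    return [
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.DomainDnsZones.{domain}",
        f"_gc._tcp.{forest}",
        f"_ldap._tcp.gc._msdcs.{forest}",
        f"_ldap._tcp.ForestDnsZones.{forest}",
    ]


def audit_zone(zone, domain, forest=None):
    """Return the DC locator SRV names that are absent from this zone copy."""
    return [n for n in dc_locator_names(domain, forest) if (n, "SRV") not in zone]


def locate_dc(zone, domain):
    """Mimic a joining client: look up _ldap._tcp.dc._msdcs.<domain>, then
    resolve the SRV target. Returns (ip, port) or None when the chain breaks."""
    srv = zone.get((f"_ldap._tcp.dc._msdcs.{domain}", "SRV"))
    if not srv:
        return None
    _priority, _weight, port, target = srv[0].split()
    addrs = zone.get((target.rstrip("."), "A"))
    if not addrs:
        return None
    return (addrs[0], int(port))


def _service_port(srv_name):
    """Port each locator record advertises (constructed, single-DC zone)."""
    if srv_name.startswith("_kerberos"):
        return 88
    if srv_name.startswith("_kpasswd"):
        return 464
    if srv_name.startswith("_gc"):
        return 3268
    return 389


def build_ad_zone(domain, dc_host, dc_ip, forest=None):
    """Constructed AD-integrated zone: apex records plus every Netlogon SRV."""
    zone = {
        (domain, "SOA"): [f"{dc_host}. hostmaster.{domain}. 1 900 600 86400 3600"],
        (domain, "NS"): [f"{dc_host}."],
        (domain, "A"): [dc_ip],  # Netlogon also registers the domain apex A record
        (dc_host, "A"): [dc_ip],
    }
    for name in dc_locator_names(domain, forest):
        zone[(name, "SRV")] = [f"0 100 {_service_port(name)} {dc_host}."]
    return zone


# Constructed data: the DC's zone and a third party copy that synced only the
# top-level names, i.e. everything under _msdcs, _sites, _tcp, _udp,
# DomainDnsZones and ForestDnsZones is missing.
AD_ZONE = build_ad_zone("test.com", "dc.test.com", "192.168.0.1")
THIRD_PARTY_ZONE = {k: v for k, v in AD_ZONE.items() if not k[0].startswith("_")}

if __name__ == "__main__":
    for label, zone in (("AD DNS 192.168.0.1", AD_ZONE), ("third party 192.168.0.2", THIRD_PARTY_ZONE)):
        missing = audit_zone(zone, "test.com")
        print(f"{label}: DC via _msdcs -> {locate_dc(zone, 'test.com')}, "
              f"{len(missing)} locator records missing")
        for name in missing:
            print("  missing SRV", name)
```

Against the real servers the equivalent spot check is `nslookup -type=SRV _ldap._tcp.dc._msdcs.test.com 192.168.0.2` compared with the same query sent to 192.168.0.1. An identical answer is necessary but, as Mahesh's answer points out, not sufficient: the joining client and the DCs' Netlogon service still need their secure dynamic updates to land in a writable AD-integrated zone, which a standard primary zone on the third party server cannot accept.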
