Replace Active Directory for DNS replacement

Posted on 2014-01-02
Medium Priority
Last Modified: 2014-01-03
I'm looking for recommendations.

I'm currently running a Microsoft Active Directory based internal network with the MS servers providing DNS resolution for both internal and Internet names. We use a split-DNS zone for the public domain name (e.g., ""), as well as a private DNS zone for AD (e.g., "mycompany.local").

I have 1 remote branch with a single Domain Controller - which is also the sole DNS entry for the local devices.  If that DC is offline, there is *no* DNS resolution for the branch, and "the Internet is down".

I can't add a public DNS to those users' configuration, because then they start having AD issues with the local/corporate network, as well as access to services like Exchange for email.

I think the best solution is a 2nd DC/DNS server at that location - it can be PC-class hardware for all I care; just something to add a 2nd DNS entry in case the primary DNS is unavailable.

Are there alternative configurations to this?

Get rid of Active Directory?  What are the alternatives in the non-MS realm?
Question by: snowdog_2112
LVL 35

Assisted Solution

by: Seth Simmons
Seth Simmons earned 1000 total points
ID: 39752322
It's always a best practice to have redundant domain controllers in each site for situations like this.

On the one hand, adding a cheap box with Linux configured with BIND to pull DNS from the domain controller solves most of the DNS part, but you will still experience logon failures and/or delays because of the domain controller being down at that site.

Better off with a second domain controller for complete redundancy.

Accepted Solution

Brad Held earned 1000 total points
ID: 39752342
I agree that a second DC would be best in this site, particularly if WAN traffic to the central office is undesirable.

Option 1: Add a secondary DC/DNS server at the site, and configure the clients to use the secondary DC as secondary DNS.

Option 2: Add a DC from another site as secondary DNS for clients.

One of the issues with using, say, BIND is the stickiness for the clients to hang on to the secondary once the secondary responds, which means the client won't automatically fail back to the primary.
LVL 79

Expert Comment

ID: 39752451
Adding to the above comments: does the remote location use the DHCP on the DC, or does the router/firewall allocate IPs?
Presumably there is a VPN between the two locations.

One option is to publish, via DHCP assignment, both the local and the remote DNS server.
The difficulty is that the DNS queries will be "load balanced" between the local and the remote DNS.

This way, if you lose the local DC on the remote site, the logins/etc. will be slower because the requests have to be sent through the VPN to the remaining DC.

Depending on your AD DC setup, you could require the remote branch systems to always query the local DC for data before sending requests to the HQ DC.
LVL 21

Expert Comment

by: Jeremy Weisinger
ID: 39752543
@Arnold "the difficulty deals with the DNS queries will be "load balanced" between the local and the remote DNS."

Maybe I'm misunderstanding you but the DNS client in Windows does not load balance queries. It will only use the secondary if the primary is unreachable. And it will only switch back to the primary (or continue down the list of DNS servers) if the secondary is unreachable or at DHCP refresh, NIC status change, or a reboot.
LVL 79

Expert Comment

ID: 39752566
Prior experts' comments addressed the preferred route of having redundancy via two DCs at each location.

My addition was to deal with the situation as is, where there is only one system available as a DC at the remote location, and how to mitigate the loss of said system while maintaining the functionality of the remote systems: login, access to the Internet, etc.

With the current setup which is all or none, the bandwidth cost of DNS queries going through the VPN will still provide some reasonable fall back position.

Possibly using/setting up a virtual VM DC (which must never be restored from snapshot/backup) on one of the "workstations" at the remote office could provide "additional" fault tolerance.

Author Comment

ID: 39754243
Great comments folks - thank you so much!

What would you all recommend if we were to GET RID of Active Directory at that location?

Assuming we are open to removing AD at the branch, and still have AD at the datacenter (yes, there is a tunnel between locations) for services like Exchange.

In terms of options, then:

1. Keep AD, and add redundancy to DNS at the branch (a 2nd DC or simple DNS with zone replication to the DC)

2. Get rid of AD and allow zone transfers from the datacenter DNS servers for internal DNS zones.

3. Something else altogether? Something completely non-Microsoft?

We can configure DNS zone transfers from the datacenter, but the question then becomes user authentication. There aren't really any local "shares" at that location - mostly PCs accessing resources at the Datacenter or Internet.
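As an added example (not from this thread or any of its posters), here is what the "cheap Linux box with BIND pulling DNS from the domain controller" that Seth suggests, and that options 1 and 2 above describe, looks like as a BIND 9 configuration. Assumed placeholder values: 192.0.2.10 is the branch DC, 192.0.2.0/24 the branch LAN, 198.51.100.53 an upstream resolver; the zone names follow the thread's "mycompany.local".

```conf
// Added example, not from the thread: /etc/named.conf for a branch-office
// BIND 9 secondary that holds read-only copies of the AD zones.
// 192.0.2.10 (DC), 192.0.2.0/24 (LAN) and 198.51.100.53 (upstream resolver)
// are placeholder values; substitute your own.
options {
    directory "/var/named";                   // "slaves/" below must be writable by named
    recursion yes;
    allow-query     { 192.0.2.0/24; localhost; };   // branch clients only, not the Internet
    allow-transfer  { none; };                      // nobody pulls zones from this box
    forwarders      { 198.51.100.53; };             // Internet names keep resolving if the DC is down
    forward first;                                  // try the forwarder, then recurse on our own
};

// AD zones copied from the DC by AXFR/IXFR. On the DC, zone transfers must be
// permitted to this box's IP only (DNS Manager > zone > Properties > Zone Transfers).
zone "mycompany.local" IN {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/mycompany.local.db";
};

// Since Windows 2003, _msdcs.<forest root> is normally a separate zone holding
// the SRV records clients use to find a DC; copy it too or DC location breaks.
zone "_msdcs.mycompany.local" IN {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/_msdcs.mycompany.local.db";
};
```

This box answers existing records (including the DC-locator SRV records) while the DC is down but does not accept the dynamic updates Windows clients send, and as Brad notes, clients that switch to it will not fail back on their own. Verify it after the first transfer with `dig @<bind-box> _ldap._tcp.dc._msdcs.mycompany.local SRV`.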
LVL 35

Expert Comment

by: Seth Simmons
ID: 39754294
You still need domain controller(s) for authentication, processing of group policies, etc.
Having none there, as I stated earlier, will cause problems when accessing resources.
Adding an additional domain controller at that location is the simplest way to go. If that tunnel between locations goes down, then you have a problem.

Author Comment

ID: 39754502
That is my feeling as well.

I am looking to justify the current situation (with an added AD/DNS server) essentially by proving every *other* solution is not viable, if that makes sense.

"We could do 'X', but these are the disadvantages.  We could do 'Y' but then we have these other disadvantages".


Author Closing Comment

ID: 39754571
There certainly is something to be said about Windows' reluctance to effectively use the two DNS servers in its own configuration; the lack of a choice (whether round-robin, failover/failback, or user-definable) is a concern.

Given that, it seems a second DC is the best solution - even with the added cost of the OS.  That cost will be saved in administration and productivity over time.

Thanks for all the thoughtful input!!
