Best practice for using backup external DNS servers in an Active Directory environment


We have our server infrastructure in an externally hosted IaaS environment and normally this works really well.

However, occasionally we have a problem with the dedicated data link to our IaaS which then completely cripples us.

The problem is that we have a number of external services (such as Office 365) which will continue to be accessible in this scenario (via a separate Internet breakout). Currently, however, this doesn't work: whenever we lose access to the DNS servers, we lose DNS entirely and therefore any ability to contact Office 365.

This wasn't a problem previously as we had a backup DNS server (also a DC) outside of the IaaS environment, however we want to decommission this server now and the ideal would be not to replace it.

I recently started to decommission this local server and thought I would mitigate this problem by adding a couple of Google DNS servers after the primary and secondary (the primary and secondary are IaaS DCs running DNS).

My understanding was that the Google DNS servers would only be queried if the primary and secondary addresses didn't respond. In practice, however, it doesn't seem to have worked like this, and there have been a number of problems that appear to be internal DNS name resolution issues.

I have now temporarily reverted to the old configuration, but am still keen to get rid of this on-site hardware.

What am I doing wrong? Am I misunderstanding how DNS works in this situation?

How can I mitigate for the situation where the link to IaaS goes down without needing local hardware and without losing access to our external systems that should still be accessible from the Internet breakout regardless of whether access to IaaS is available?

I hope this question is clear. Please ask for clarification if not!

FriendlyITInfrastructure Team asked:
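The failure the question describes can be reproduced from any domain-joined client. The Windows DNS client treats the server list as a reachability fallback, not as "which server knows which names": a public resolver that answers NXDOMAIN for an Active Directory zone name is accepted as a final answer, and the client does not retry the DCs. The following diagnostic is an added example, not code from the thread; the domain name, DC addresses and interface alias are assumptions (placeholders), while the Google resolvers are the ones the question mentions.

```powershell
# Added example (not from the thread). Placeholders are labelled as assumptions.
$Domain    = 'corp.example'                 # assumption: the internal AD DNS zone
$DcDns     = @('10.0.0.10', '10.0.0.11')    # assumption: the two IaaS DC/DNS servers
$PublicDns = @('8.8.8.8', '8.8.4.4')        # the Google resolvers added in the question

# Names that must resolve for each scenario to work:
#   the DC locator SRV record (logon, GPO, Kerberos) exists only on the DCs;
#   the Office 365 endpoint is public and any resolver can answer it.
$Probes = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' },
    @{ Name = 'outlook.office365.com';        Type = 'A'   }
)

function Test-NameAgainstServer {
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        # -DnsOnly skips LLMNR/NetBIOS so the answer really comes from $Server over DNS
        $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        $status = "OK ($(@($answer).Count) record(s))"
    } catch {
        # NXDOMAIN, SERVFAIL and timeouts all land here. A negative answer from a
        # public resolver is what the real client would accept without retrying the DCs.
        $status = "FAIL: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $Server; Type = $Type; Name = $Name; Status = $status }
}

# 1. Show what the client is actually configured with (list order matters).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Ask every server for every probe name. Expected: the DCs answer both;
#    the public resolvers answer only the Office 365 name and fail the _msdcs lookup,
#    which is why they cannot serve as a "backup" for an AD domain.
$results = foreach ($s in ($DcDns + $PublicDns)) {
    foreach ($p in $Probes) { Test-NameAgainstServer -Name $p.Name -Type $p.Type -Server $s }
}
$results | Format-Table -AutoSize

# 3. Remediation the thread arrives at: list only servers that can serve the AD zone
#    (a DC or RODC reachable when the IaaS link is down), never a public resolver.
#    Uncomment to apply to one interface (the alias 'Ethernet' is an assumption):
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DcDns
# Clear-DnsClientCache
```

Run it while the IaaS link is up to record the baseline; the rows for the public resolvers show exactly which internal lookups would start failing once the client moved on to them.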
David Johnson, CD, MVP (Owner) commented:
It is quite clear, and that is one of the problems with IaaS: it works great when the link is up, but when the link goes down it is like someone cut the cable to your (local) DNS server. I suggest you have a local RODC at minimum.

FriendlyITInfrastructure Team (Author) commented:
Why Read Only?
FriendlyITInfrastructure Team (Author) commented:
...also, is there no other way that avoids hardware on site?
David Johnson, CD, MVP (Owner) commented:
It can be a full DC and DNS. As I said, that is one of the pitfalls of IaaS: you have to always have connectivity with the host.
FriendlyITInfrastructure Team (Author) commented:
Are there no cloud services that we could use as backup given that we will still have a working Internet breakout in this scenario?
David Johnson, CD, MVP (Owner) commented:
But you won't be able to reach them, since the first thing that is going to happen is a DNS lookup, which in a domain looks for the IP addresses in the network adapter's DNS settings. If there is no response from the DNS server (which translates human-readable names into IP addresses), then you cannot connect to anything.
FriendlyITInfrastructure Team (Author) commented:
An excellent point. Thanks for the advice.