Solved

DNS resolution according to source ip

Posted on 2016-09-19
20
86 Views
Last Modified: 2016-10-07
Hello,

Our organisation has multiple DNS servers (Windows 2012 server) spread out across the globe. We also have multiple Exchange servers on two different continents (e.g. North America & Europe). European users have their email hosted on a server in Europe; North American users have their emails hosted on a server in North America.

If someone is in North America, we would like Exchange requests to go to the North American Exchange server. If someone is in the UK, we would like Exchange requests to go to the European server. The mail server DNS name is mail.company.com.

How can this be achieved? Currently all requests go to one server only, which then redirects the request to the appropriate server. In our case, if someone is in North America, the request gets routed through the European front-end Exchange server and then to the appropriate North American back-end mail server. Quite a long distance (and a slow response for someone who is physically in North America).

Any suggestions would be greatly appreciated.

Thanks in advance.
Question by:mbudman
20 Comments
 
LVL 20

Expert Comment

by:Daniel McAllister
Standard DNS servers cannot do what you ask (that is, change their response based on the client/requestor IP address).

Instead, what most companies will do is create duplicate DNS entries that can be used for testing and/or optimized use.

Say your Exchange frontend is at 10.0.0.1 and has a DNS entry of exchange.mydomain.com. Simply create a sub-domain (or alternative A record) that US users can use:
Either:
  us.exchange.mydomain.com
  -or-
  us-exchange.mydomain.com

(The former is a little harder, as you have to create the subdomain, the latter is just another DNS record in your existing zones). While you're at it, you might want to create the partner record for eu-exchange.mydomain.com as well...

It should then be reasonable for users in your US geographical area to use us-exchange, users on the other side of the pond to use eu-exchange, etc... Of course, when they're visiting the other side of the globe, their response times might be slower -- but that's already expected when you're travelling, isn't it! :)

I hope this helps.

Dan
IT4SOHO
0
 
LVL 35

Expert Comment

by:Mahesh
What version of MS Exchange are you using?

If it's Exchange 2010 / 2013, you could publish a separate URL for each location's CAS servers,
like
usmail.company.com
and
ukmail.company.com

You also need a new SAN certificate which adds the above two hostnames in addition to the current hostnames.

Point usmail.domain.com to CAS server public IP at US
and
Point ukmail.domain.com to CAS server public IP at UK

Also, for Outlook to connect to the local CAS correctly in both regions, you need to enter the above URLs in the CAS virtual directories on the respective location's CAS servers.
I believe you have two separate DAGs and separate sets of CAS servers for both regions.

Mahesh.
0
 
LVL 76

Expert Comment

by:arnold
The point of the request is to be transparent to the user.
Though the suggestion should be using a subdomain rather than an alternate host
that does not replicate among the DCs.

mail.myorganization.com is a subzone replicating/existing only on the dns servers of the local site.
that in US will contain
smtp IN A 10.0.0.5
autodiscover IN A 10.0.0.5

in the UK
SMTP IN A 10.15.0.5
autodiscover IN A 10.15.0.5

and your GPO will push out autodiscover.mail.myorganization.com
no matter the site you are on the above will resolve to the local ...

Do your exchanges replicate mailboxes amongs themselves?
0
 
LVL 25

Expert Comment

by:DrDave242
For what it's worth, this will be possible in Windows Server 2016 by using DNS policies, as long as that feature is still present in the general release. For now, though, I agree with arnold's recommendation.
0
 
LVL 76

Expert Comment

by:arnold
Using unix/linux DNS servers (ISC bind), these are called views where based on the requesting IP/range source of the request a view matching the criteria will be scanned for the answer.

Unfortunately, you are looking for SRV records that match the functionality of the AD/DC/GC lookups that then change based on sites .......

So your mailboxes do not replicate, but when user A has a planned trip from the home office to the other office, an admin "moves" their mailbox to the other office until they return? I.e. move the user from site A (UK) to site B (US) and the mailbox follows?
0
 
LVL 1

Author Comment

by:mbudman
Mailboxes are only replicated amongst servers in same continent.
0
 
LVL 76

Expert Comment

by:arnold
So if person A is in the UK and travels to the US, when will their mailbox get to the US? Or is the only functionality you want ported to the local site sending emails out, with the user connecting to the home office to retrieve their email from their mailbox?
0
 
LVL 1

Author Comment

by:mbudman
A couple of things:

This problem is for users connected to the private network (WAN) within the global organization.

We have each subnet defined in sites and services. DNS is set to round robin.

The scenario works fine when there is a physical machine attached to an ip address in a site's particular subnet.

However, if a site does not have a physical machine in their local subnet and it needs to go to another site, how can I force it to go to the correct site?

One solution I thought was defining a single ip address as a prefix in the particular site's valid subnet (/32), but you cannot define same prefix for multiple sites (AD-> sites and services).

A second solution would be to assign multiple ip addresses (in the same subnet) to a single server and then create a prefix in sites and services with /32 for the appropriate site.

Is it possible to perhaps create a DNS record on a Windows DNS server that does not replicate to other DNS servers (DCs)?
0
 
LVL 35

Expert Comment

by:Mahesh
You can create a standard primary zone on each DNS server (UK and US) for domain.com and have the same host (A) record pointing to a different IP on each server; this zone will not replicate between servers.
0
 
LVL 76

Expert Comment

by:arnold
When the person is on a wan, to what end or on what frequency will you have the user call, identify their ip. Is a remote connection to a restricted VPN or a remote server at the site an option?
0
 
LVL 1

Author Comment

by:mbudman
Arnold,

The situation is when a person is remote and connects to the WAN via a client-to-site VPN. There is no split tunneling, and the user is connected to the closest site to their physical location. There might not necessarily be a server in the site that they are connecting to.
0
 
LVL 1

Author Comment

by:mbudman
Mahesh,

Would you be able to explain in more detail how I can create a standard primary zone on each DNS server (UK and US) for domain.com and have the same host (A) record pointing to a different IP on each server (so this zone will not replicate between servers)?
0
 
LVL 35

Accepted Solution

by:Mahesh (earned 500 total points)
You are using Active Directory integrated DNS servers, right?

Suppose if you have two dns (DC) servers in US and two dns (DC) servers in UK

You need to create one standard primary zone on the UK 1st DNS server named mail.domain.com and create a blank host (A) record pointing to the UK mail server; ensure that you do not select "store this zone in Active Directory".
Then on the UK 2nd server create a secondary DNS zone for mail.domain.com pointing to the UK 1st server.
This will ensure that the zone is not replicated to the US DNS servers.

Follow the same steps for the US DNS (DC) servers.

Under the mail.domain.com zone, create a blank host (A) record which points to the respective location's mail servers.

Other option:
You may create two DNS custom / application partitions and enlist the US servers in one DNS partition and the UK DNS servers in the other partition. Now you can create an AD integrated DNS zone and set the replication scope for this zone to the custom DNS partition you made earlier; this will also ensure that the zone is replicated only among servers in the same location.
Ex:
DC1 - US
DC2 - US
DC3 - UK
DC4 - UK

Now from DC1, from an elevated command prompt, run the below commands:
dnscmd DC1 /CreateDirectoryPartition US.domain.com
dnscmd DC2 /EnlistDirectoryPartition US.domain.com

This will create a custom directory partition which replicates only between DC1 and DC2.
Now create a zone named mail.domain.com and set its replication scope to this partition; check the below links for screenshots and complete details.

https://support.microsoft.com/en-in/kb/884116
https://ittrainingday.com/2013/11/15/creating-application-directory-partitions/

Then do the same thing for the UK DNS servers as well.

This way you can keep mail.domain.com common and it will resolve to the respective Exchange servers.

Mahesh.
0
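The two options in the accepted answer, written out with the DnsServer PowerShell module as an added example (not code from the thread or from Microsoft's KB articles). Every name and address is an assumption carried over from earlier comments: DC1/DC2 are the US DNS servers, DC3/DC4 the UK ones, 10.0.0.5 and 10.15.0.5 the regional Exchange front ends, and the 10.x.x.10/11 addresses are made-up DC addresses. Run either option per site, not both, since each creates the same zone name on the same servers.

```powershell
# Added example, not from the thread. Requires the DnsServer module (RSAT / Windows
# Server 2012 R2 or later) and rights on each DC. All names and IPs are assumptions.
$Zone  = 'mail.domain.com'
$Sites = @(
    @{ Name='US'; Primary='DC1'; PrimaryIP='10.0.0.10';  Secondary='DC2'; SecondaryIP='10.0.0.11';  MailIP='10.0.0.5'  }
    @{ Name='UK'; Primary='DC3'; PrimaryIP='10.15.0.10'; Secondary='DC4'; SecondaryIP='10.15.0.11'; MailIP='10.15.0.5' }
)

# ---- Option 1: standard (file-backed) primary zone + secondary zone per site ----
# Using -ZoneFile instead of -ReplicationScope creates a file zone, i.e. the zone is
# NOT stored in Active Directory and therefore never replicates to the other continent.
function New-SiteMailZoneFile {
    param([hashtable]$Site)
    Add-DnsServerPrimaryZone -ComputerName $Site.Primary -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
    # Blank (apex) A record, so "mail.domain.com" itself resolves to this site's server
    Add-DnsServerResourceRecordA -ComputerName $Site.Primary -ZoneName $Zone -Name '@' -IPv4Address $Site.MailIP
    # Restrict zone transfers to the site's second DC, then create the secondary copy there
    Set-DnsServerPrimaryZone -ComputerName $Site.Primary -Name $Zone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $Site.SecondaryIP
    Add-DnsServerSecondaryZone -ComputerName $Site.Secondary -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $Site.PrimaryIP
}

# ---- Option 2: AD-integrated zone whose replication scope is a per-site partition ----
# PowerShell equivalent of "dnscmd /CreateDirectoryPartition" and "/EnlistDirectoryPartition":
# the zone stays AD-integrated, but only DCs enlisted in the partition receive it.
function New-SiteMailZonePartition {
    param([hashtable]$Site)
    $Partition = "$($Site.Name).domain.com"               # e.g. US.domain.com, UK.domain.com
    Add-DnsServerDirectoryPartition -ComputerName $Site.Primary -Name $Partition        # creates and enlists the first DC
    Register-DnsServerDirectoryPartition -ComputerName $Site.Secondary -Name $Partition # enlists the site's second DC
    Add-DnsServerPrimaryZone -ComputerName $Site.Primary -Name $Zone `
        -ReplicationScope Custom -DirectoryPartitionName $Partition -DynamicUpdate Secure
    Add-DnsServerResourceRecordA -ComputerName $Site.Primary -ZoneName $Zone -Name '@' -IPv4Address $Site.MailIP
}

# Pick ONE option and apply it to every site
foreach ($s in $Sites) { New-SiteMailZoneFile -Site $s }
# foreach ($s in $Sites) { New-SiteMailZonePartition -Site $s }
```

Either way, the site-local mail.domain.com zone is more specific than the replicated domain.com zone, so on the DCs that host it the local apex record wins over the replicated "mail" record in domain.com; DCs that do not host it keep answering from domain.com, which is why every DC in a site needs a copy.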
 
LVL 1

Author Comment

by:mbudman
Hello Mahesh,

In my test environment, for the 4 DCs that I have, I created a new primary zone. I then defined an A record without a name with the specific IP address for that particular zone.

I then went on to a computer in that subnet for each DNS server that is geographically allocated and did an nslookup and ping test.

It resolved the ip address that I would like returned as I want it.

Does this make sense? Do I really need to specify a secondary zone?

In addition, in the primary zone for domain.com, I also have an A record defined for mail.vasco.com (one single A record) which points to the Exchange server (2013) in the UK. This record of course is replicated.

Does the configuration as I described above make sense, and should it work?
0
 
LVL 76

Expert Comment

by:arnold
The secondary zone deals with replicating this information between/among DNS servers at the same location, or you would need to manually create this entry/entries on every DNS server in this site. I.e. if DC1 dies and you build/set up a replacement, unless you create this zone, it will be missing.

You would still have to keep track and add the other DCs to the replication group...

Though I think you can define an AD integrated zone, and under the advanced tab select/limit replication to the local dire versus to all name servers in the OU.
0
 
LVL 35

Expert Comment

by:Mahesh
If a location has more than one DC, you need to either create a standard primary zone on all those DCs and point the host (A) record to the required Exchange server, OR create one standard primary zone on one DC and then create a secondary zone on the other DCs in the same location.

If you don't do so, name resolution will likely fail intermittently because not all servers in the given location have that record.

> In addition, in the primary zone for domain.com, I also have an A record defined for mail.vasco.com (one single A record) which points to the Exchange server (2013) in the UK. This record of course is replicated.

You are talking about the already replicated AD integrated zone across all locations?

Mahesh.
0
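A check for the failure mode Mahesh describes (a DC in the site that never received the zone, so it keeps answering from the replicated domain.com zone), added here as an example and not taken from the thread. It asks every DC directly and reports which ones are missing the zone or return another site's address. Server names and expected addresses are assumptions reused from the earlier comments.

```powershell
# Added example, not from the thread. Queries each DC directly (bypassing the client's
# resolver order) and compares the answer with the address that site should return.
# Server names and IPs are assumptions: DC1/DC2 = US site, DC3/DC4 = UK site.
$Zone     = 'mail.domain.com'
$Expected = [ordered]@{
    'DC1' = '10.0.0.5';  'DC2' = '10.0.0.5'     # US site -> US Exchange front end
    'DC3' = '10.15.0.5'; 'DC4' = '10.15.0.5'    # UK site -> UK Exchange front end
}

function Test-SiteMailZone {
    param([string]$ZoneName, [System.Collections.IDictionary]$ExpectedByServer)
    foreach ($dc in $ExpectedByServer.Keys) {
        # Does this server host the zone at all (file primary, secondary or AD-integrated)?
        $zoneInfo = Get-DnsServerZone -ComputerName $dc -Name $ZoneName -ErrorAction SilentlyContinue
        # What does this server actually answer for the apex A record?
        $answer = Resolve-DnsName -Name $ZoneName -Type A -Server $dc -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
        $answer = @($answer)
        $status = if (-not $zoneInfo) { 'MISSING ZONE' }                 # will answer from domain.com (replicated record)
                  elseif ($answer.Count -eq 1 -and $answer[0] -eq $ExpectedByServer[$dc]) { 'OK' }
                  else { 'WRONG ANSWER' }                                # wrong site, round robin, or no answer
        [pscustomobject]@{
            Server   = $dc
            ZoneType = if ($zoneInfo) { $zoneInfo.ZoneType } else { '-' }
            Answer   = ($answer -join ',')
            Expected = $ExpectedByServer[$dc]
            Status   = $status
        }
    }
}

Test-SiteMailZone -ZoneName $Zone -ExpectedByServer $Expected | Format-Table -AutoSize
```

A server reported as MISSING ZONE may still return a plausible address, because it falls back to the replicated "mail" record in domain.com; that is exactly the cross-continent redirect the question set out to avoid, so the zone check matters as much as the answer check.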
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
another way around this is to have a proxy based upon geoip location.  i.e. haproxy http://www.haproxy.com/

internet - proxy -  NA mailbox store
                             - EU mailbox store

request comes from internet - haproxy check input ip address - does table lookup - user in US - redirected to NA mailbox store
0
 
LVL 1

Author Comment

by:mbudman
Mahesh,

I followed your instructions and have encountered a problem.

When using OWA, even though I start out on the server I want (in the appropriate geographical locale), I am redirected to the remote server on the other continent. I am able to determine this because the local server is Exchange 2013 and one of the remote servers is Exchange 2010. The OWA interface is 2010. Bear in mind that the email data is only hosted on the local Exchange 2013 server.

I tried the suggestions listed in KB article:

https://support.microsoft.com/en-us/kb/2931385

but this does not resolve issue.

Any suggestions?

Thanks,

Mark
0
 
LVL 35

Expert Comment

by:Mahesh
Not sure how you tested this. If the request goes to the local DNS server and it has only mail.domain.com pointing to the local Exchange server, how can it go to the other location's Exchange server unless Exchange-level redirection is happening?

When you say that the OWA interface is Exchange 2010 but your mailbox is on an Exchange 2013 server, this cannot happen.
The Exchange 2010 OWA URL cannot access an Exchange 2013 mailbox.
If you are accessing Exchange 2013 OWA, but your mailbox is on Exchange 2010, then Exchange 2013 will automatically proxy the request to Exchange 2010.

Somewhere there is a misunderstanding.
If the local DNS server has only one DNS record for mail.domain.com (the local Exchange server), then it won't automatically redirect to a record which is unknown to it.

You need to check where your mailbox is located and on which platform (Exchange 2010 or 2013); then you will know.
Let me know if there are DNS records on the local server pointing to both locations' Exchange servers; then it can go to the remote Exchange as well.

Mahesh.
0
 
LVL 1

Author Closing Comment

by:mbudman
Excellent information on how to resolve the issue at hand.

Thank you!
0