DNS resolution according to source ip

Hello,

Our organisation has multiple DNS servers (Windows 2012 Server) spread out across the globe. We also have multiple Exchange servers on two different continents (e.g. North America and Europe). European users have their email hosted on a server in Europe; North American users have their email hosted on a server in North America.

If someone is in North America, we would like Exchange requests to go to the North American Exchange server. If someone is in the UK, we would like Exchange requests to go to the European server. The mail server DNS name is mail.company.com.

How can this be achieved? Currently all requests go to one server only, which then redirects the request to the appropriate server. In our case, if someone is in North America, the request gets routed through the European front-end Exchange server and then to the appropriate North American back-end mail server. Quite a long distance (and a slow response for someone who is physically in North America).

Any suggestions would be greatly appreciated.

Thanks in advance.
Asked by mbudman

1 Solution
Daniel McAllister (President, IT4SOHO, LLC) commented:
Standard DNS servers cannot do what you ask (that is, change their response based on the client/requestor IP address).

Instead, what most companies will do is create duplicate DNS entries that can be used for testing and/or optimized use.

Say your Exchange frontend is at 10.0.0.1 and has a DNS entry of exchange.mydomain.com. Simply create a sub-domain (or alternative A record) that US users can use:
Either:
  us.exchange.mydomain.com
  -or-
  us-exchange.mydomain.com

(The former is a little harder, as you have to create the subdomain, the latter is just another DNS record in your existing zones). While you're at it, you might want to create the partner record for eu-exchange.mydomain.com as well...

It should then be reasonable for users in your US geographical area to use us-exchange, users on the other side of the pond to use eu-exchange, etc... Of course, when they're visiting the other side of the globe, their response times might be slower -- but that's already expected when you're travelling, isn't it! :)

I hope this helps.

Dan
IT4SOHO
Mahesh (Architect) commented:
What version of MS Exchange are you using?

If it's Exchange 2010 / 2013, you could publish a separate URL for each location's CAS servers,
like
usmail.company.com
and
ukmail.company.com

You also need a new SAN certificate which will add the above two hostnames in addition to the current hostnames.

Point usmail.domain.com to the CAS server public IP in the US
and
Point ukmail.domain.com to the CAS server public IP in the UK.

Also, for Outlook to connect to the local CAS correctly in both regions, you need to enter the above URLs in the CAS virtual directories on the respective location's CAS servers.
I believe you have two separate DAGs and separate sets of CAS servers for both regions.

Mahesh.
arnold commented:
The point of the request is to be transparent to the user.
Though the suggestion should be using a subdomain rather than an alternate host,
one that does not replicate among the DCs.

mail.myorganization.com is a subzone replicating/existing only on the dns servers of the local site.
that in US will contain
smtp IN A 10.0.0.5
autodiscover IN A 10.0.0.5

in the UK
SMTP IN A 10.15.0.5
autodiscover IN A 10.15.0.5

and your GPO will push out autodiscover.mail.myorganization.com
no matter the site you are on the above will resolve to the local ...

Do your Exchange servers replicate mailboxes amongst themselves?
DrDave242 commented:
For what it's worth, this will be possible in Windows Server 2016 by using DNS policies, as long as that feature is still present in the general release. For now, though, I agree with arnold's recommendation.
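The DNS policy feature DrDave242 refers to, as an added example that is not from the thread: the Windows Server 2016 DnsServer cmdlets below make mail.domain.com resolve to a different address depending on the querying client's subnet. The subnets 10.0.0.0/16 (US) and 10.15.0.0/16 (UK) and the mail server addresses 10.0.0.5 / 10.15.0.5 are constructed values for illustration.

```powershell
# Added example (not from the thread): Windows Server 2016 DNS policy that
# answers mail.domain.com per client subnet. Subnets and server IPs below are
# constructed values. Run in an elevated PowerShell on the server hosting domain.com.
$Zone = 'domain.com'

# 1. Define the client subnets the policies will match on.
Add-DnsServerClientSubnet -Name 'US-Clients' -IPv4Subnet '10.0.0.0/16'
Add-DnsServerClientSubnet -Name 'UK-Clients' -IPv4Subnet '10.15.0.0/16'

# 2. One zone scope per region. The default scope keeps the existing record,
#    which is what any client outside the two subnets continues to receive.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'US-Scope'
Add-DnsServerZoneScope -ZoneName $Zone -Name 'UK-Scope'

# 3. Same name, different answer in each scope.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'mail' -IPv4Address '10.0.0.5'  -ZoneScope 'US-Scope'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'mail' -IPv4Address '10.15.0.5' -ZoneScope 'UK-Scope'

# 4. Policies: a query whose source address is in a subnet is answered from
#    that subnet's scope. Unmatched sources (e.g. a VPN pool not listed here)
#    fall through to the default scope, so list the VPN pools too.
Add-DnsServerQueryResolutionPolicy -Name 'US-Policy' -Action ALLOW -ZoneName $Zone `
    -ClientSubnet 'EQ,US-Clients' -ZoneScope 'US-Scope,1'
Add-DnsServerQueryResolutionPolicy -Name 'UK-Policy' -Action ALLOW -ZoneName $Zone `
    -ClientSubnet 'EQ,UK-Clients' -ZoneScope 'UK-Scope,1'

# 5. Review what is in place; this list is the first thing to audit when a
#    client gets an unexpected answer.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone
Get-DnsServerClientSubnet
```

Client subnets and policies are per-server configuration rather than zone data, so they have to be created on every DNS server the clients query, and a stale subnet definition silently sends a whole region to the wrong answer.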
arnold commented:
Using Unix/Linux DNS servers (ISC BIND), these are called views, where based on the requesting IP/range source of the request a view matching the criteria will be scanned for the answer.

Unfortunately, you are looking for SRV records that match the functionality of the AD/DC/GC lookups that then change based on sites...

So your mailboxes do not replicate, but when user A has a planned trip from the home office to the other office, an admin "moves" their mailbox to the other office until they return? I.e. move the user from site A (UK) to site B (US) and the mailbox follows?
mbudman (Author) commented:
Mailboxes are only replicated amongst servers in same continent.
arnold commented:
So if person A is in the UK and travels to the US, when will their mailbox get to the US? Or is the only functionality you want ported to the local site to send emails out, with the user connecting to the home office to retrieve their email from their mailbox?
mbudman (Author) commented:
A couple of things:

This problem is for users connected to the private network (WAN) within the global organization.

We have each subnet defined in sites and services. DNS is set to round robin.

The scenario works fine when there is a physical machine attached to an ip address in a site's particular subnet.

However, if a site does not have a physical machine in their local subnet and it needs to go to another site, how can I force it to go to the correct site?

One solution I thought was defining a single ip address as a prefix in the particular site's valid subnet (/32), but you cannot define same prefix for multiple sites (AD-> sites and services).

A second solution would be to assign multiple ip addresses (in the same subnet) to a single server and then create a prefix in sites and services with /32 for the appropriate site.

Is it possible to perhaps create a DNS record on a Windows DNS server that does not replicate to other DNS servers (DCs)?
Mahesh (Architect) commented:
You can create a standard primary zone on each DNS server (UK and US) pointing to domain.com and have the same host (A) record pointing to a different IP on each server; this zone will not replicate between servers.
arnold commented:
When the person is on a WAN, to what end or at what frequency will you have the user call and identify their IP? Is a remote connection to a restricted VPN or a remote server at the site an option?
mbudman (Author) commented:
Arnold,

The situation is when a person is remote and connects to the WAN via a client-to-site VPN. There is no split tunneling, and the user is connected to the closest site to their physical location. The server might not necessarily be in the site that they are connecting to.
mbudman (Author) commented:
Mahesh,

would you be able to explain in more detail how I can create a standard primary zone on each dns server (UK and US) pointing to domain.com and can have same host(A) record pointing to different IP in each server (so this zone will not replicate between servers)?
Mahesh (Architect) commented:
You are using Active Directory integrated DNS servers, right?

Suppose you have two DNS (DC) servers in the US and two DNS (DC) servers in the UK.

You need to create one standard primary zone on the UK 1st DNS server as mail.domain.com and create a blank host (A) record pointing to the UK mail server; ensure that you do not select "store this zone in active directory".
Then on the UK 2nd server create a secondary DNS zone for mail.domain.com pointing to the UK 1st server.
This will ensure that the zone will not replicate to the US DNS servers.

Follow the same way for the US DNS (DC) servers.

Under the mail.domain.com zone, create a blank Host (A) record which will point to the respective location's mail servers.

Other option:
You may create two DNS custom / application partitions and enlist US servers in one DNS partition and UK DNS servers in the other partition; now you can create an AD integrated DNS zone and keep the replication scope for this zone to the custom DNS partition you made earlier. This will also ensure that the zone replicates only among servers in the same location.
Ex:
DC1 - US
DC2 - US
DC3 - UK
DC4 - UK

Now from DC1, from an elevated command prompt, run the below commands:
dnscmd DC1 /CreateDirectoryPartition US.domain.com
dnscmd DC2 /EnlistDirectoryPartition US.domain.com

This will create a custom directory partition which can replicate only between DC1 and DC2.
Now, while creating the zone named mail.domain.com, set its replication scope to this partition; check the below links for screenshots and complete details:

https://support.microsoft.com/en-in/kb/884116
https://ittrainingday.com/2013/11/15/creating-application-directory-partitions/

Then do the same thing for the UK DNS servers as well.

This way you can keep mail.domain.com common and it will resolve to the respective Exchange servers.

Mahesh.
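The custom application partition approach from Mahesh's post, as an added PowerShell example that is not from the thread: it uses the DnsServer module cmdlets equivalent to the dnscmd commands above and then checks every DC to confirm the zone exists only where intended. DC names and the US.domain.com partition follow the post; the 10.0.0.5 mail server address is arnold's US example value.

```powershell
# Added example (not from the thread): create a per-region application
# directory partition and an AD-integrated zone that replicates only into it.
# Run in an elevated PowerShell on DC1 (US). DC names and the partition name
# come from the thread; 10.0.0.5 is an assumed US mail server address.
$Partition = 'US.domain.com'
$Zone      = 'mail.domain.com'
$LocalMail = '10.0.0.5'

# 1. Create the partition on DC1 and enlist DC2, so it replicates only between them.
Add-DnsServerDirectoryPartition      -Name $Partition -ComputerName 'DC1'
Register-DnsServerDirectoryPartition -Name $Partition -ComputerName 'DC2'

# 2. Create the zone with a Custom replication scope bound to that partition.
#    Dynamic updates are disabled: only admins should change a routing record.
Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Custom `
    -DirectoryPartitionName $Partition -DynamicUpdate None -ComputerName 'DC1'

# 3. The "blank" host record: '@' is the zone apex, so mail.domain.com itself resolves.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $LocalMail `
    -TimeToLive (New-TimeSpan -Minutes 5) -ComputerName 'DC1'

# 4. Verify: the zone must be hosted on the US DCs and absent from the UK DCs,
#    and each DC should answer with its own region's address.
foreach ($dc in 'DC1', 'DC2', 'DC3', 'DC4') {
    $hosted = Get-DnsServerZone -Name $Zone -ComputerName $dc -ErrorAction SilentlyContinue
    $answer = (Resolve-DnsName -Name $Zone -Type A -Server $dc -ErrorAction SilentlyContinue).IPAddress
    '{0,-4} hosts zone: {1,-5} answers: {2}' -f $dc, [bool]$hosted, ($answer -join ', ')
}
```

A DC that hosts mail.domain.com as its own zone answers from that zone and ignores the mail record in the replicated domain.com zone, while DCs that do not host it fall back to that replicated record; that is why the check queries every DC rather than only the one you configured.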
mbudman (Author) commented:
Hello Mahesh,

In my test environment, for the 4 DCs that I have, I created a new primary zone. I then defined an A record without a name with the specific IP address for that particular zone.

I then went on to a computer in that subnet for each DNS server that is geographically allocated and did an nslookup and ping test.

It resolved the ip address that I would like returned as I want it.

Does this make sense? Do I really need to specify a secondary zone?

In addition, in the primary zone for domain.com, I also have an A record defined for mail.vasco.com (one single A record) which points to the Exchange server (2013) in the UK. This record of course is replicated.

Does the configuration as I described above make sense, and should it work?
arnold commented:
The secondary zone deals with replicating this information between/among DNS servers at the same location; otherwise you would need to manually create this entry/entries on every DNS server in this site. I.e. if DC1 dies and you build/set up a replacement, unless you create this zone, it will be missing.

You would still have to keep track and add the other DCs to the replication group...

Though I think you can define an AD integrated zone, and under the advanced tab select/limit replication to the local directory versus to all name servers in the OU.
Mahesh (Architect) commented:
If a location has more than one DC, you need to either create a standard primary zone on all those DCs and point the host (A) record to the required Exchange server, OR create one standard primary zone on one DC and then create a secondary zone on the other DCs in the same location.

If you don't do so, name resolution will likely fail in between, because not all servers in a given location have that record.

> In addition, in the primary zone for domain.com, I also have an A record defined for mail.vasco.com (one single A record) which points to the Exchange server (2013) in the UK. This record of course is replicated.

You are talking about the AD integrated zone already replicated across all locations?

Mahesh.
David Johnson, CD, MVP (Owner) commented:
Another way around this is to have a proxy based upon GeoIP location, i.e. HAProxy http://www.haproxy.com/

internet - proxy - NA mailbox store
                 - EU mailbox store

Request comes from the internet - HAProxy checks the input IP address - does a table lookup - user in US - redirected to the NA mailbox store.
mbudman (Author) commented:
Mahesh,

I followed your instructions and have encountered a problem.

When using OWA, even though I start out on the server I want (in the appropriate geographical locale), I am redirected to the remote server on the other continent. I am able to determine this because the local server is Exchange 2013 and one of the remote servers is Exchange 2010. The OWA interface is 2010. Bear in mind that the email data is only hosted on the local Exchange 2013 server.

I tried the suggestions listed in KB article:

https://support.microsoft.com/en-us/kb/2931385

but this does not resolve issue.

Any suggestions?

Thanks,

Mark
Mahesh (Architect) commented:
Not sure how you tested this; if the request goes to the local DNS server and it has only mail.domain.com pointing to the local Exchange server, how can it go to the other location's Exchange server unless Exchange-level redirection is happening?

When you are saying that the OWA interface is Exchange 2010 but your mailbox is on an Exchange 2013 server, this cannot happen.
An Exchange 2010 OWA URL cannot access an Exchange 2013 mailbox.
If you are accessing Exchange 2013 OWA, but your mailbox is on Exchange 2010, then Exchange 2013 will automatically proxy the request to Exchange 2010.

Somewhere there is a misunderstanding.
If the local DNS server has only one DNS record for mail.domain.com (pointing to the local Exchange server), then it won't automatically redirect to a record which is unknown to it.

You need to check where your mailbox is located and on which platform (Exchange 2010 or 2013); then you will come to know.
Let me know if there are both DNS records on the local server pointing to both locations' Exchange servers; then it can go to the remote Exchange as well.

Mahesh.
mbudman (Author) commented:
Excellent information on how to resolve the issue at hand.

Thank you!