Andrew Hamilton

asked on

Need DNS to prefer IP's on my site

I have multiple sites on my internal network, all connected with IPSec tunnels. Each site has a Windows domain controller. In addition to the domain controller, each site also has a NAS which serves as a file server. My issue is this. I want to publish a specific DNS name within one of the internal zones, and assign each site a version of this name that points to the local NAS device. I have all the IP information defined in Sites and Services. When I have the DNS name something like I want the systems to return the IP of the local device. What I'm seeing is, from corporate, when I reference the device I'm getting random responses from across all of the offices.

Is there a way to make DNS prefer IPs on the site I sit on instead of round-robin looking through the list of available servers?
masnrock

No. Your problem is that you literally have DNS entries that you don't want to replicate, which isn't possible.
If this is just your machine, put the IP to Name relationship in your local HOSTS file, save and restart. That works.
Andrew Hamilton

I need for this to work on a more global perspective. In total we have 27 international locations. This name is intended to be a shared resource that is initially replicated from corporate to their local NAS, i.e. videos and other corporate content. The preference is to have the data served locally from the device on their site instead of pulling it in every time from corporate.
Then I think what masnrock said is correct here.
I've already explained why it won't work from a DNS perspective: You literally cannot do it.

If you were going to try host files (Windows does check host files BEFORE DNS servers), you'd have to deploy a different host file to each site (presumably via GPO). That's going to get messy very fast, especially for either troubleshooting or systems that move across sites.
noci

This can be easily solved when using BIND.

Besides just DNS zones, BIND can also handle so-called views.
And views can be selected based on the source address of the system that does the DNS queries.

So in your case make a zone, e.g. (and optionally use a CNAME to the real system),
and put it in a view, where one view would be selected by addresses from site A, another view for addresses from site B, etc.
This whole setup can be done so that all sites have the same configuration.

(Or deploy an OpenVMS cluster with a DNS on board, which has exactly this functionality built in to choose the nearest surviving members from the cluster after a disaster.)
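As an added illustration of the view-based approach described above (this is example configuration written for this thread, not noci's or anyone else's production config), here is a BIND 9 `named.conf` fragment. The zone names, subnets, addresses and file paths are all assumptions: the shared zone `corp.example.com` is defined once and shared into the other views with `in-view`, while only the small per-site zone `local.corp.example.com` differs between views, so every site can ship the same `named.conf`.

```conf
// Added example, not from the original thread. All names and addresses are assumed.
// Each ACL describes the query source addresses of one site.
acl "site-a" { 10.1.0.0/16; };
acl "site-b" { 10.2.0.0/16; };

view "site-a" {
    match-clients { "site-a"; };
    // The shared corporate zone lives here and is reused by the other views.
    // It contains:  media  IN CNAME nas.local.corp.example.com.
    zone "corp.example.com" {
        type master;
        file "/etc/bind/zones/corp.example.com.db";
    };
    // Per-site zone; this copy says:  nas  IN A 10.1.0.50  (site A's NAS, assumed)
    zone "local.corp.example.com" {
        type master;
        file "/etc/bind/zones/local.site-a.db";
    };
};

view "site-b" {
    match-clients { "site-b"; };
    // Same zone object as in view "site-a" (BIND 9.10+), not a second copy.
    zone "corp.example.com" { in-view "site-a"; };
    // This copy says:  nas  IN A 10.2.0.50  (site B's NAS, assumed)
    zone "local.corp.example.com" {
        type master;
        file "/etc/bind/zones/local.site-b.db";
    };
};

view "default" {
    // Anything that matched no site ACL (VPN users, unknown ranges) gets corporate's NAS.
    match-clients { any; };
    zone "corp.example.com" { in-view "site-a"; };
    zone "local.corp.example.com" {
        type master;
        file "/etc/bind/zones/local.corp.db";
    };
};
```

Two caveats worth checking before relying on this: `match-clients` sees the source address of the query as it arrives at this server, so clients that query through a forwarder or another resolver are classified by the forwarder's address, not their own; and `named-checkconf` only validates syntax, so test from a client in each subnet with `dig @<server> media.corp.example.com` and confirm the answer is that site's NAS. Views give the answer that matches the querier's address, so the network (ACLs, anti-spoofing on the tunnels) is what keeps a host in site A from being served site B's view.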
You can probably accomplish this with DFS Namespace server. It is site aware and can direct each site to the local NAS.
You can only use DFS if the compute part is done by Windows. This means the NAS needs to be a Windows box or you need to attach the NAS storage to a Windows box (map, junction, storage spaces, VHDX etc.)

Is this the case/is this an option?

You can have multiple Host files, one per site, stored on DC DFS. You can then via GPOs assign a network host file. The GPOs can be linked to your AD sites.
I was under the impression that the namespace server and DFS folder hierarchy needs to be on windows and the folder targets can be any UNC path. Kinda old documentation but here's a snippet:
Link targets are typically shared folders or folders within shared folders. Link targets can be served by any network file system that is accessible by a UNC path, such as Server Message Block (SMB), NetWare Core Protocol (NCP) for NetWare, or Network File System (NFS) for UNIX. (The client computers must have the appropriate redirector installed to access link targets.) The UNC path can lead to shared folders in any workgroup, shared folders within the same domain as the namespace, shared folders in trusted domains, and shared folders in trusted forests.

Shared folders that are specified as link targets have no special settings that indicate that they are part of a DFS namespace. All existing shared folder permissions and NTFS permissions on the shared folder still apply when users access the shared folder through the namespace.

A link target can also be a DFS path in another namespace. For example, the Software link in \\\Public\Software might have a link target of \\Software\Public, which is a root within a stand-alone namespace. When using DFS paths as link targets, it is important to ensure that client failover works correctly. For more information, see “Linking to Different DFS Namespaces” later in this section.
It's possible that this has changed in the newer versions of Windows.
When you open the DFS namespace wizard you have to type in a server name. You can only provide a server that has DFS namespace installed so you cannot simply enter the NAS UNC path.


I'm not familiar with DNS views. Is this something supported with Microsoft DNS?
Shaun Vermaak

(This solution is only available to Experts Exchange members.)
This is a bit outside of the box, but rather than using DNS, have you considered using anycast addresses for the NAS units? Each unit would have a primary IP address that is unique to each site, but would also have a secondary address that is common to all and is advertised into the routing table. With this approach, you can advertise the common IP address across the organization and have each site automatically route to the closest unit. This approach also provides rudimentary failover. In the event that the local NAS is unavailable, the next closest unit will be used.
With there being 27 different sites, transitioning from W2K12R2 to W2K16 is a fairly heavy lift. Definitely not something I can do short term to address this need. I appreciate the heads up, however, that the feature exists. This knowledge and awareness will help drive the priority to get transitioned to W2K16 more quickly.


I'm not familiar with anycast or how to set it up. I'll research it and see if this is a fit.

No problem. If I may ask, what kind of NAS units are you using and what routing protocol? I may be able to offer a bit more clarity if I have that information.
Since you asked if you can make DNS prefer IPs in the same site, subnet prioritization (a.k.a. netmask ordering) may work for you. If you're using anything other than class C networks at each site, you'll have to adjust the LocalNetPriorityNetMask registry value (under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters registry key) on each DNS server to match your netmask, otherwise you won't get the expected results.

A couple links for reference:

We are using Synology NAS units.

I will review getting all of the DCs upgraded to W2K16 and implement DNS policies to do what I need. While it's a big lift given the number of DCs in the field, I think that long term it checks most if not all of the boxes I need for functionality.

Thanks all for your advice.
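Since the thread ends with two Microsoft-DNS options, netmask ordering on the existing Windows Server 2012 R2 DNS servers and DNS policies after the move to Windows Server 2016, here is an added PowerShell example of both (written for this thread; not the asker's script and not Microsoft's reference material). The zone name `corp.example.com`, the record name `media`, the site subnets and the NAS addresses are all constructed values; swap in your own.

```powershell
# Added example, not from the original thread. Zone, record, subnets and NAS
# addresses below are assumptions. Requires the DnsServer module; run elevated
# on each DNS server (DNS policies and client subnets are server-local, not
# replicated by Active Directory, so every DC that serves DNS needs this).

$Zone   = 'corp.example.com'
$Record = 'media'
$Sites  = @(
    @{ Name = 'SiteA'; Subnet = '10.1.0.0/16'; Nas = '10.1.0.50' },
    @{ Name = 'SiteB'; Subnet = '10.2.0.0/16'; Nas = '10.2.0.50' },
    @{ Name = 'Corp';  Subnet = '10.0.0.0/16'; Nas = '10.0.0.50' }
)

# ---- Option 1: Windows Server 2016+ DNS policies (one answer per client subnet) ----
foreach ($s in $Sites) {
    # 1. Tell the DNS server which source addresses belong to this site.
    Add-DnsServerClientSubnet -Name $s.Name -IPv4Subnet $s.Subnet

    # 2. Create a zone scope that holds this site's copy of the record.
    $scope = "$($s.Name)Scope"
    Add-DnsServerZoneScope -ZoneName $Zone -Name $scope
    Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $scope `
        -A -Name $Record -IPv4Address $s.Nas

    # 3. Queries whose source address is in the site's subnet are answered from that scope.
    Add-DnsServerQueryResolutionPolicy -Name "$($s.Name)-$Record" -Action ALLOW `
        -ClientSubnet "eq,$($s.Name)" -ZoneScope "$scope,1" -ZoneName $Zone
}

# Clients that match no policy (VPN users, an unlisted subnet) fall through to the
# default scope, so give it a record too; here corporate's NAS.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name $Record -IPv4Address '10.0.0.50'

# Review what is in place on this server.
Get-DnsServerClientSubnet
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone

# ---- Option 2: netmask ordering on 2012 R2 (one shared name, several A records) ----
# Netmask ordering puts the A record that shares the querier's network first. By
# default only the client's /24 counts as "local"; for /16 sites, as assumed above,
# set the inverted mask 0x0000FFFF. Omit this block if Option 1 is in use.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
Set-ItemProperty -Path $params -Name 'LocalNetPriority'        -Value 1          -Type DWord
Set-ItemProperty -Path $params -Name 'LocalNetPriorityNetMask' -Value 0x0000FFFF -Type DWord
Restart-Service -Name DNS

# Verify from a client at each site: the first address returned should be that site's NAS.
Resolve-DnsName -Name "$Record.$Zone" -Type A
```

The check that matters is the last line, run from a workstation in each site against its local DC, because both options key on the source address of the query as the DNS server sees it: a client that resolves through a forwarder, or a site whose real subnet differs from what was registered, is silently matched to the wrong site. Keep the client subnet list in step with AD Sites and Services, and audit `Get-DnsServerQueryResolutionPolicy` on each server after changes, since an unreplicated policy is easy to miss on one of 27 DCs.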