Need access to a domain controller without using normal DHCP and DNS.

w_marquardt
Hi, I have a client (school) where we have DNS running through OpenDNS to provide content filtering. It works great for that. We have all of the social media and more blocked. The problem is that I have a few users (teachers, administrators) who need access to social media and other blocked sites. This is on a domain, so DNS requests go first to the domain controller and are forwarded to the gateway.

In the past, on Windows 7 boxes, I was able to set the local computer to a fixed IP address and change the DNS to point to one of the outside servers like 1.1.1.1 or 8.8.8.8. I would set the hosts file to point to the server and the lmhosts file to identify the domain. (At least I think that's how it worked.)

On Windows 10 Pro, this doesn't seem to work. I have configured it the same way, but in this configuration it's not seeing the domain controller, so it won't authenticate the username/password and access to server resources is not available. Is there a better configuration scheme that I can use to accomplish seeing the domain controller for authentication and resources, as well as setting access to bypass the OpenDNS in the router?

Thanks in advance for the assist with this.

Regards,

Bill
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
DNS is a vital part of AD.  It's how resources are found - file shares, printers, group policies, etc. - and pointing to even one non-AD DNS server can result in slow logins and other odd errors that are intermittent.  If you want a reliable workstation, its DNS must be set to the DNS of the AD DC(s).  You CANNOT have things point to external DNS servers and have RELIABLE connectivity.

If you need to allow select users to access sites, I would suggest you have the wrong solution in place (if it doesn't have a specific way to allow exceptions).  I would either: set up a pair of DNS servers with a DIFFERENT forwarder that provides accurate AD lookups and, when accessing external sites, uses a different DNS forwarder (this likely means FOUR internal DNS servers; 2 that forward to OpenDNS for most people, which blocks social media, and 2 that use a different forwarding provider like Quad9), OR I'd use a router/UTM-based web filter - Untangle has a great one that should integrate with Active Directory and allow selected users to bypass the filter when configured properly.
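The four-server layout described above, worked through in PowerShell. This is an added example, not code from the thread or from any of its participants. It assumes a placeholder AD domain `school.example`, two internal DNS servers (10.0.0.10/10.0.0.11) that forward to OpenDNS and two (10.0.0.20/10.0.0.21) that forward to Quad9, and that the DnsServer RSAT module is installed; the OpenDNS and Quad9 resolver addresses are the providers' published ones. All AD-integrated zones are hosted on every internal server, so AD lookups are answered locally and only non-AD names reach the forwarder.

```powershell
# Added example, not from the original thread.
# Assumptions: AD domain 'school.example' (placeholder), four internal Windows
# DNS servers all hosting the AD-integrated zones:
#   DNS-FILTERED-1 / DNS-FILTERED-2 (10.0.0.10, 10.0.0.11) forward to OpenDNS
#   DNS-OPEN-1     / DNS-OPEN-2     (10.0.0.20, 10.0.0.21) forward to Quad9
# Run as a Domain Admin on a host with the DnsServer RSAT module.

$Domain = 'school.example'   # placeholder; replace with the real AD domain name

# Published resolver addresses for each provider
$OpenDns = '208.67.222.222', '208.67.220.220'   # OpenDNS (content-filtered)
$Quad9   = '9.9.9.9', '149.112.112.112'         # Quad9 (no social-media filtering)

# 1. Each internal DNS server gets a different upstream forwarder.
#    AD zones are authoritative locally, so only external names are forwarded.
foreach ($s in 'DNS-FILTERED-1', 'DNS-FILTERED-2') {
    Set-DnsServerForwarder -ComputerName $s -IPAddress $OpenDns -UseRootHint $false
}
foreach ($s in 'DNS-OPEN-1', 'DNS-OPEN-2') {
    Set-DnsServerForwarder -ComputerName $s -IPAddress $Quad9 -UseRootHint $false
}

# 2. On a teacher/administrator workstation that should bypass the filter,
#    DNS still points at INTERNAL servers, just the pair that forwards to Quad9.
#    Never mix a filtered and an unfiltered server on one client: the resolver
#    does not round-robin predictably, so filtering would become intermittent.
$Adapter = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses '10.0.0.20', '10.0.0.21'

# 3. Verify the DC locator SRV record resolves through the chosen server.
#    This is the lookup the Windows logon process depends on.
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server '10.0.0.20' -ErrorAction Stop
$Srv | Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port

# 4. Show why the original approach (client DNS = 1.1.1.1) breaks AD:
#    a public resolver has no answer for the domain's _msdcs SRV records.
try {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server '1.1.1.1' -ErrorAction Stop
} catch {
    Write-Warning "Public resolver cannot locate a DC for ${Domain}: $($_.Exception.Message)"
}

# 5. Confirm the workstation can actually find a DC with the new settings.
nltest /dsgetdc:$Domain
```

Step 4 is the check that explains the Windows 10 symptom in the question: with the client's DNS set to a public resolver, `_ldap._tcp.dc._msdcs.<domain>` never resolves, so the DC locator fails and domain authentication cannot proceed regardless of hosts or lmhosts entries.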
kevinhsieh, Network Engineer

Commented:
Contact OpenDNS support, because you're not doing it right. OpenDNS fully supports AD environments.

I believe they use a virtual appliance as an internal DNS proxy. Requests for AD resources go to your domain, and internet queries go to OpenDNS. This allows tracking and filtering based on internal IP, AD username, etc.
Commented:
The client didn't want to pay the additional for the AD support for just one client. I have brute forced the issue on that one computer so the problem is resolved.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
Can you be more specific?  What do you mean by "brute forced?"