Domain Name System
m2_viktor, 2015-12-17 03:13:19

How to correctly set up a DNS client on a network with Active Directory?

The organization has two branches. In the first, AD and DNS are set up. The second branch does not have its own AD and DNS.
There is a VPN between the branches. All machines in the second branch are members of the first branch's domain. The administrator of the second branch specified in the DNS client settings: primary DNS - the corporate server, secondary DNS - 8.8.8.8. Forwarding is also configured on the corporate DNS. I am not strong in theory, but I know that such a configuration entails serious problems. I even found an article on the MS site https://technet.microsoft.com/en-us/library/cc7545... where it is described that this can become a problem. But the administrator of the second branch justifies this configuration by the fact that if the channel between the branches goes down, the clients will still be able to resolve the addresses of external resources thanks to the secondary DNS - 8.8.8.8 in the DNS client settings.
As a correct answer to the question, I want to see a detailed description of why an external server cannot act as secondary DNS, and a link to the MS article that confirms this, to support this point of view with an official source.

6 answers
m2_viktor, 2015-12-17
@m2_viktor

Set up Server 2008 and 2 machines with Windows XP on virtual machines. Added the clients to the domain. In the DNS client settings, I specified primary - the IP of Server 2008, secondary - 8.8.8.8. At the same time I disabled NetBIOS over TCP/IP, so that names are not resolved that way.
1. Next, using the SMB protocol, I connected from winxpvm1 to winxpvm2, successfully.
2. Disconnected Server 2008 from the network, ran ipconfig /flushdns on winxpvm1, and ping winxpvm2 no longer resolved.
3. It was still possible to connect via SMB, but after restarting winxpvm1, I tried \\winxpvm2 from winxpvm1 and got: "windows cannot find winxp2".
4. Returned Server 2008 to the network, waited 10 minutes.
5. Result in the screenshot: as you can see, the DNS client no longer wants to access the primary DNS, but only accesses the secondary, despite the fact that the primary is closer by metric and available.
6. After another 5-10 minutes, winxpvm2 resolved from winxpvm1.
In general, ylebedev, SyavaSyava, Maksim, you did not write anything of what was asked, but perhaps this will be useful to you.

Sergey, 2015-12-18
@Yestestvenno

m2_viktor @m2_viktor
I agree with MS on this issue https://technet.microsoft.com/ru-ru/library/cc7545...
m2_viktor:
Quote:
Do not configure clients to use both AD DS-integrated DNS servers and the DNS servers of your ISP. Instead, configure clients to use only AD DS-integrated DNS servers, and in turn configure those DNS servers to forward queries to the ISP's DNS servers.
In fact, you have already found the answer to your question; the only problem is that you are arguing with the admin about using an external DNS as a backup DNS that knows nothing about your internal services. I agree with you that using the solution the admin suggests causes problems when the connection with your DNS breaks.
I will now say something that you will not like at all: you are wrong and the admin is wrong (I may be wrong too). You will not find anything on MS that says your admin is wrong! Just read with common sense and you will understand https://technet.microsoft.com/en-us/library/cc7727...
https://technet.microsoft.com/en-us/library/cc7769...
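The two arrangements discussed in the question and in the MS quote above (clients pointed at the corporate DNS plus 8.8.8.8, versus clients pointed only at AD DNS with the AD DNS server forwarding to the ISP), as an added PowerShell example that is not from the thread or from Microsoft: it audits a member machine's DNS client servers, resets any interface that lists a non-AD server, and sets the forwarder on the AD DNS server. It assumes Windows 8/Server 2012 or later (DnsClient and DnsServer modules) and assumed addresses 192.168.0.10 and 192.168.0.11 for the AD DS-integrated DNS servers.

```powershell
# Added example (not from the thread). Assumed values: the AD DS DNS server
# addresses and the ISP/public resolvers used as forwarders.

# --- Client side: run elevated on each domain member ----------------------
$AdDnsServers = @('192.168.0.10', '192.168.0.11')   # assumed AD DS DNS servers

# Every IPv4 interface that currently has DNS servers configured
$ifaces = Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($if in $ifaces) {
    # Any server not in the AD list (e.g. 8.8.8.8) can answer "no such name"
    # for internal records once the client fails over to it.
    $foreign = $if.ServerAddresses | Where-Object { $_ -notin $AdDnsServers }
    if ($foreign) {
        Write-Warning ("Interface {0}: non-AD DNS server(s) {1}; resetting to AD DNS only" -f
                       $if.InterfaceAlias, ($foreign -join ', '))
        Set-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex `
                                   -ServerAddresses $AdDnsServers
    }
}

# Drop negative answers that may already be cached for internal names
Clear-DnsClientCache

# --- Server side: run once on the AD DNS server --------------------------
# Names outside the AD zones are forwarded by the server itself, so clients
# never need a public resolver in their own settings.
$Forwarders = @('8.8.8.8', '8.8.4.4')                 # assumed ISP/public resolvers
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
```

Set-DnsServerForwarder replaces the server's whole forwarder list, so include every upstream resolver you want to keep.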

ylebedev, 2015-12-17
@ylebedev

You are trying to climb the Christmas tree without scratching your a...
The admin's theory is essentially correct. Stop skimping and put a duplicate AD in the branch.
(even a virtual machine, Windows or Linux, it doesn't matter.)
Or do everything through 1 DNS, but then the VPN must be either redundant or rock solid.
In addition, I do not see, neither in the article nor in my practice, that the problems were super global and could not be solved by restarting the machine.
It can, when there is a hitch with the answer, jump to DNS2 and, of course, find nothing there. And end up with the Windows problems of having no connection to AD and everything else.
And purely my old admin's IMHO: I have not put in AD for a long time.
There are no tasks that it solves without lagging when solving them.
Third-party programs can be used for passwords and access to servers.
(also 99% of users sit at their own computers, as regards passwords)
As soon as AD appears, troubles begin with accounts, DNS, file access, replication.

Dmitry, 2015-12-17
@Tabletko

The only DNS server in an AD environment is always a problem when it is unavailable.

Maksim, 2015-12-17
@chumayu

Why fuck with your own brain and the admin's?
Primary (in your case) is needed first of all for the internal network to function, and to pass requests further if it does not know the answer to them.
Your head should not hurt about that; it should hurt about whether the VPN channel will last forever, and you should think about reserving the DNS role in the second branch.
You are worried that the second, external DNS server is registered; if the VPN goes down, your second branch will not know that buhgalterbigass.localdomain.su is 192.168.0.200, you need to understand this.

Yumado, 2015-12-17
@Yumado

As a correct answer to the question, I want to see a detailed description of why an external server cannot act as secondary dns, and a link to the MS article that confirms this, to support this point of view with an official source.

Adjust the answer to the question))) In the spirit of "family" lawyers.
The second NS may be an external server.
It is correct when the second server is authorized on the first.
Bring up a second NS server and specify the first one for synchronization.
