
I'm very new to the world of Active Directory, Windows Server etc., so I apologise if some of the questions I ask are a bit stupid, but I'll try and explain exactly what I want to do below, and my current setup.

I'm running Ubuntu Server on a Raspberry Pi, using Kerberos and other software detailed in this video to use it as an AD DC for my four clients that connect to it. At the moment this is really a test network on my Pi 2, before I launch on my Pi 4. The Raspberry Pi is only just powerful enough to run the network and authenticate user logons and manage group policy etc., but DNS resolutions are extremely slow.

From the client perspective, the network is operating completely fine with logons and policy etc. EXCEPT what they have noticed is the time it takes to make a quick google search has increased dramatically and sometimes the search even fails.

Now, here's the question... is there a way to operate my AD DC server setup to manage group policy, users, groups, logon etc. without sending external DNS requests (e.g. bbc.co.uk or google.com) via the AD DC? I want them to be processed as they would have been before the server came along (by the router??), simply because it can't handle them, and the setup before the server was perfectly fine at handling them.

The Windows clients are configured in DNS settings to use the AD DC as their preferred DNS server (if I change this, then they lose connection to the domain and can't find it...) and use 8.8.8.8, Google's DNS server, as their secondary one, but whether I enter this in or not doesn't really seem to have an effect.

And if the AD DC server is down, ALL external DNS requests across the entire network fail. It's like the backup isn't even there. You can't get onto Google from a client when the DC is down.

Any info I'm happy to provide.

Secondary bonus question: wondering why Samba network transfer speed is dramatically slower using AD on this Raspberry Pi rather than just installing Samba and having it as a network share. Gone from 30 Mbps to 2 Mbps.

1 Answer

Yes, but...

is there a way to operate my AD-DC server setup to manage group policy, users, groups, logon etc. without sending external DNS requests e.g. bbc.co.uk or google.com via the AD-DC. I want them to be processed as they would have before the server came along (by the router??) simply because it can't handle them, and the setup before the server was perfectly fine at handling them

Yes, you can treat AD DNS exactly like a normal DNS domain. The main requirement is simply that the entire AD domain (including subdomains, of course) must be resolvable by clients – but it doesn't necessarily need to be direct; it could be via typical DNS NS delegations, or it could be through a 'forward' or 'stub' zone in your existing Dnsmasq/Unbound/whatever setup – as long as nslookup or dig still returns the correct results.

> nslookup -q=SOA ad.example.com
> nslookup -q=SRV _kerberos._udp.ad.example.com

(So if you already had e.g. a local dnsmasq setup that all DNS requests are routed to – it should do the job, with --server=/ad.example.com/192.168.0.5. or something similar.)

But keep in mind that clients must still have the ability to directly talk to the DNS service at AD DCs, i.e. port 53 must not be firewalled away. That's because dynamic DNS registration updates are sent directly to the authoritative server (i.e. whichever DC is in the "primary name server" field of the SOA record).


That being said, I'm surprised that DNS is too much for a Pi to handle... yes, things like serving GPO via SMB will require some resources, but that's not a long-running task – as soon as the hosts are done loading GPOs, the Pi should be very nearly idle, and even a complete potato PC should be able to handle DNS queries for a total of four machines.

So before you go through with your plan, I'd recommend investigating once more where the problem actually is. Is it really the Pi2 unable to keep up with the load (is it at 100% CPU), or is it actually some network issue (packets not going where they should & machines waiting for time-out)?

Footnote: Samba AD DC also supports using BIND9 in place of Samba's built-in DNS service (using a special DLZ module to load zones directly from AD) – this might improve performance a little bit, as BIND might be better-optimized.
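The split-forwarding setup the answer describes, written out as a worked example. This is added example code, not the answerer's own script and not part of Samba: it emits a dnsmasq fragment that sends only the AD zone (and the LAN's reverse zone) to the DC and everything else to the router, and it checks the records a domain-joined client must be able to resolve (the SOA and the Kerberos/LDAP SRV records, including the `_msdcs` subdomain). The domain `ad.example.com`, the DC at `192.168.0.5`, the LAN `192.168.0.0/24` and the router resolver `192.168.0.1` are assumptions, not values from the post; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): dnsmasq split DNS for a Samba AD DC.
# Assumed values: AD domain ad.example.com, DC 192.168.0.5, LAN 192.168.0.0/24,
# upstream/router resolver 192.168.0.1. Requires only POSIX sh and awk; the
# check function additionally needs `dig`.

# ad_dnsmasq_conf DOMAIN DC_IP LAN_PREFIX UPSTREAM
#   DOMAIN      AD DNS domain; dnsmasq's server=/domain/ also matches every subdomain,
#               so _msdcs.DOMAIN, _sites.DOMAIN etc. are covered by the same line
#   DC_IP       address of the Samba AD DC
#   LAN_PREFIX  first three octets of the clients' /24, e.g. 192.168.0
#   UPSTREAM    resolver for everything else (router, ISP, 8.8.8.8, ...)
ad_dnsmasq_conf() {
    domain="$1"; dc="$2"; prefix="$3"; upstream="$4"
    # in-addr.arpa names list the octets in reverse: 192.168.0 -> 0.168.192
    rev=$(printf '%s' "$prefix" | awk -F. '{ print $3 "." $2 "." $1 }')
    cat <<EOF
# Forward the AD zone (and every subdomain of it) to the DC only.
server=/$domain/$dc
# Forward the LAN reverse zone to the DC so PTR lookups for domain members work.
server=/$rev.in-addr.arpa/$dc
# Everything else (bbc.co.uk, google.com, ...) goes upstream, never to the DC.
server=$upstream
# Ignore /etc/resolv.conf; the server= lines above are the complete policy.
no-resolv
EOF
}

# ad_dns_check DOMAIN RESOLVER
# Asks RESOLVER for the records a Windows client needs to locate the domain.
# Prints one line per record and returns non-zero if any of them is missing.
ad_dns_check() {
    domain="$1"; resolver="$2"; rc=0
    for q in \
        "SOA $domain" \
        "SRV _kerberos._udp.$domain" \
        "SRV _ldap._tcp.$domain" \
        "SRV _ldap._tcp.dc._msdcs.$domain"
    do
        set -- $q   # $1 = record type, $2 = name
        ans=$(dig +short +time=2 +tries=1 @"$resolver" "$2" "$1" 2>/dev/null)
        if [ -n "$ans" ]; then
            printf 'OK       %-4s %s -> %s\n' "$1" "$2" "$(printf '%s\n' "$ans" | head -n 1)"
        else
            printf 'MISSING  %-4s %s\n' "$1" "$2"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (the dnsmasq host is assumed to be 192.168.0.20):
#   sh ad-dns.sh conf  ad.example.com 192.168.0.5 192.168.0 192.168.0.1 > /etc/dnsmasq.d/ad.conf
#   sh ad-dns.sh check ad.example.com 192.168.0.20
case "${1:-}" in
    conf)  shift; ad_dnsmasq_conf "$@" ;;
    check) shift; ad_dns_check "$@" ;;
esac
```

After installing the fragment, the clients' preferred DNS server becomes the dnsmasq host rather than the DC. The `check` subcommand is the same test as the two `nslookup` lines above, run against the forwarder rather than the DC, so a MISSING line means the forward zone is wrong, not that AD is broken. As the answer notes, the clients still need a direct path to port 53 on the DC: the forwarder only answers queries, while dynamic DNS updates from the clients go straight to the primary name server named in the zone's SOA.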
