
We have a new Windows 2008 R2 installation running as a domain controller with DNS. We also have external public IPs which NAT to internal resources on our network. An external DNS has been configured with these external public IPs to resolve the internal resources under our company domain name.

These same DNS records have also been configured on the internal Windows 2008 DNS to map to the internal private IPs (where the A record is for a resource not part of AD, e.g. a custom company website URL).

Our problem is that even though internal clients and other member servers have their primary DNS set up as the Windows 2008 DNS server (and the router set as the secondary DNS), the DNS query would intermittently resolve to the external public IP (which won't work, as the Cisco router blocks it). Even when you do an nslookup on the resource, it shows the Windows DNS as the primary DNS and returns the correct internal IP. But still, when you ping the resource or try to access it via a browser (as it is a website), it would then resolve to the external public IP.

Why on earth would it do this?

3 Answers


This behavior is expected given your configuration. You shouldn't have the router's IP set as the secondary DNS for PCs and member servers, or they'll sometimes go there, which you don't want. They should only have domain controllers as their DNS so all of their DNS traffic routes through the domain controller. You can then either configure your domain controller to forward to an upstream DNS server for domains it can't resolve (usually this would be your ISP) or just leave it alone and it will use the root hint servers to resolve external queries.

Typically you would want two DNS servers on the PCs and member servers, and you would get that by having a second domain controller, so DNS (and Active Directory) continue to function if the primary goes down.

  • +1. In an AD/DNS environment, never use a secondary external DNS for clients, even if you only have 1 AD/DNS server internally. This seems like a safe bet, but it just isn't going to work.
    – MadBoy
    Apr 11, 2011 at 15:32
  • Thanks, all the comments provided my answer. I removed the router as the secondary DNS and set up external forwarders on the Windows DNS.
    – user77994
    Apr 13, 2011 at 9:09
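As an added example (not part of this thread; the DC address, forwarder addresses, hostname and expected private IP are assumptions), the fix described in this answer and confirmed in the comments, scripted for a Windows Server 2008 R2 member server or DC in PowerShell 2.0: strip every non-DC address from the clients' DNS server lists, set ISP forwarders on the DC with dnscmd (2008 R2 has no DnsServer module), then check the name through the OS resolver rather than nslookup, because nslookup talks directly to the first listed server while ping and the browser go through the Windows resolver, which is what was silently falling back to the router.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell 2.0+ session.
# Assumed values (hypothetical): the only DNS servers clients may use are the DCs,
# the DC forwards to two ISP resolvers in the 203.0.113.0/24 documentation range,
# and www.example.corp is a split-horizon name whose internal A record is 10.0.0.50.
$DomainDns       = @('10.0.0.10')                       # add a second DC here when you have one
$Forwarders      = @('203.0.113.53', '203.0.113.54')
$CheckName       = 'www.example.corp'
$ExpectedPrivate = '10.0.0.50'

# 1. Audit every IP-enabled adapter; anything not in $DomainDns (the router, an ISP
#    resolver, a public resolver) is removed so the resolver can never fall back to it.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $adapters) {
    $current = @($nic.DNSServerSearchOrder)
    $foreign = @($current | Where-Object { $DomainDns -notcontains $_ })
    if ($foreign.Count -gt 0) {
        Write-Host ("{0}: removing non-DC DNS server(s) {1}" -f $nic.Description, ($foreign -join ', '))
        # Caveat: on a DHCP client this makes the DNS list static. For DHCP clients fix
        # scope option 006 on the DHCP server instead of running this step.
        $result = $nic.SetDNSServerSearchOrder($DomainDns)
        if ($result.ReturnValue -ne 0) {
            Write-Warning ("SetDNSServerSearchOrder failed on {0}: return code {1}" -f $nic.Description, $result.ReturnValue)
        }
    }
}
ipconfig /flushdns | Out-Null   # drop any cached answer that came from the router

# 2. On the DC/DNS server itself: send queries for zones it does not host to the ISP.
#    dnscmd is the 2008 R2 tool; "." means the local server. Array elements expand to
#    separate arguments, i.e. dnscmd . /ResetForwarders 203.0.113.53 203.0.113.54
if (Get-Service -Name DNS -ErrorAction SilentlyContinue) {
    dnscmd . /ResetForwarders $Forwarders
    dnscmd . /Info | Select-String -Pattern 'Forwarders'
}

# 3. Check with the same resolver path the browser and ping use. If this still returns
#    the public IP, the client is not using the DC for that name (or the DC's record is wrong).
$answers = [System.Net.Dns]::GetHostAddresses($CheckName) | ForEach-Object { $_.IPAddressToString }
if ($answers -contains $ExpectedPrivate) {
    Write-Host ("OK: {0} -> {1} via the OS resolver" -f $CheckName, ($answers -join ', '))
} else {
    Write-Warning ("{0} resolved to {1}, expected {2}; check the DNS server list and the internal A record" -f $CheckName, ($answers -join ', '), $ExpectedPrivate)
}
```

Step 1 is the part that actually stops the intermittent public answers; step 2 keeps external resolution working once the router is gone. Step 3 deliberately avoids nslookup: in the question nslookup already returned the right answer because it queried the DC directly, so nslookup is not a test of what the applications see.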

The first thing I would do is to remove the router's IP address from the DNS configuration on the clients (servers included). All AD/DNS clients should use your AD/DNS server for DNS only. I see no valid reason to use any other DNS server, and I can see that causing intermittent, flaky name resolution problems such as what you're experiencing.


icky3000 hit the nail on the head. Your fallback proxy DNS servers are providing a different view of the DNS namespace from your principal proxy DNS server, and things are going wrong as a result. Don't do that.
