Best practice for Active Directory (AD)

#1

Hello,

I run Active Directory (AD) at home. The AD Windows domain consists of two Domain Controllers which also run DNS (DC1 & DC2). All clients in my house receive their DNS servers via DHCP. The DNS servers issued out via DHCP are my DCs (e.g. Primary = DC1, Secondary = DC2). I have both my DCs set up to forward their requests to the Pi-hole. DNS requests flow as follows.

clients -> DCs -> Pi-hole -> 8.8.8.8

This seems to work perfectly as my clients find all their needed AD SRV records and have redundancy across my two DCs. The DCs forward to the Pi-hole for anything they are not authoritative for.

The issue with this setup is that I lose visibility into what DNS requests are coming from which clients. As far as Pi-hole is concerned, it is servicing two clients (e.g. DC1 & DC2).

I have considered pointing all my clients to the Pi-hole then using a conditional forwarder in Pi-hole to forward all requests for my internal domain. For example, myInternalDomain.com -> the IP of one of my DCs (e.g. DC1).

clients -> Pi-hole -> 8.8.8.8
        └ myInternalDomain -> DC1

The issue with this is that if DC1 goes down then I lose name resolution for myInternalDomain.com. This is because Pi-hole only allows a single IP for conditional forwarders. Another issue with this is that if Pi-hole goes down I also lose name resolution for my internal domain.

I realize I may just have to pick my preferred issue (client request granularity vs. high availability of internal domain resolution).

Thoughts on this?

Thanks!

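As an added example (not the original poster's configuration and not Pi-hole's own documentation), this is how the second layout, clients -> Pi-hole with the internal zone handed to the DCs, can be written as a dnsmasq fragment that Pi-hole's FTL reads from /etc/dnsmasq.d/. The file name, the domain and the 192.0.2.x addresses are placeholders. dnsmasq accepts the same server=/domain/ line more than once, which gives the zone a second upstream that the single-IP conditional-forwarder field in the web UI does not; it does nothing for the case where Pi-hole itself is down.

```ini
# /etc/dnsmasq.d/05-ad-forward.conf  (placeholder name; added example, not from the thread)
# Forward the AD zone to both domain controllers.
# 192.0.2.10 / 192.0.2.11 stand in for DC1 / DC2.
server=/myInternalDomain.com/192.0.2.10
server=/myInternalDomain.com/192.0.2.11
# Reverse lookups for the 192.0.2.0/24 LAN (placeholder range) go the same way,
# so PTR answers for AD members still come from the DCs.
server=/2.0.192.in-addr.arpa/192.0.2.10
server=/2.0.192.in-addr.arpa/192.0.2.11
```

After `pihole restartdns`, a lookup such as `dig @<pihole-ip> _ldap._tcp.dc._msdcs.myInternalDomain.com SRV` should be answered by whichever DC dnsmasq currently prefers, and when one DC stops answering dnsmasq moves on to the other listed server. Because every client now talks to Pi-hole directly, the query log shows the real client addresses instead of only DC1 and DC2.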

#2

While the Pi-hole instances will only show the DC as a client, isn’t there a DNS service that shows the requests and what device requested them?

Perhaps something like this https://www.adamcouch.co.uk/active-directory-dns-logging/ may give you a good place to start.


#3

@technicalpyro Yes, absolutely there are ways in Windows to log/audit that. However, the Pi-hole interface is really nice. Again, I realize I am being picky and will probably just have to decide on which issue I prefer. Thanks!


#4

I wish there was a better way. The only thing I can think of is if you disable the DNS portion of the DC and have it use the Pi-hole based on DHCP.


#5

I’m having the exact same issue as you…

This is how DNS works, but for our scenario it obviously isn’t ideal.

My idea to solve this is that the first DNS server my DHCP clients get is the Pi-hole. And I’m gonna set two custom DNS servers: the first one will be an external one (Google for example) and the second will be a domain controller. This means external queries will be fast (in my scenario ideal) and secondary internal queries might take a bit more.

There is a second option (but I have to test). In my DHCP server (and router), pfSense can create a load balancing IP. I would create one, add all my DCs to it and done. Set that as my internal DNS server.


#6

Read this bit I posted yesterday:


#7

This is INCORRECT. Excluding cache scenarios, hosts file, etc., the Windows DNS client always hits its primary DNS server first and if it fails, then tries its alternative DNS servers.


#8

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb457118(v=technet.10)

The resolver also keeps track of which servers answer queries more quickly, and it might move servers up or down on the list based on how quickly they reply to queries.


#9

https://social.technet.microsoft.com/Forums/Lync/en-US/5b5467b2-dc96-4d93-bd19-ee038ec4155c/dns-queries-failing-when-primary-server-is-being-rebooted?forum=winserverNIS

If the DNS server does not respond, which we call a NULL response (when the DNS is down and can’t respond), it will go to subsequent DNS entries in the order entered in the NIC after a time out period.


#10

If you don’t want to believe me and prefer another forum post over the official MS doc, that’s fine with me.
But don’t come asking here where those ads come from!


#11

Are you kidding me? There are multiple links explaining how the Windows DNS client works. It’s not just a post.

If you want to nitpick, your article is about Windows XP. Since it’s from Windows XP, it doesn’t apply…

Also:

Your own (deleted) article does state there is a primary and then alternative servers…


#12

Both are occurring, don’t you understand?
If a system runs long enough, the list can get mixed up.
:tongue:

EDIT: example for an enterprise with 100+ clients and two DNS servers.
Do you want all your clients to only do lookups against the primary DNS server?
No, you want them to spread the load depending on usage.


#13

Why are you trying to steer off topic? Have you noticed that you messed up?

A client will always attempt a primary DNS server first. If it can’t, then it goes to alternative ones.

It’s pretty simple. Who is talking about enterprises and load balancing and other off-topic stuff?


#17

I couldn’t resist :smiley:
What do you mean by steering off topic?
The 100+ clients bit?
This topic is about AD.
Do you have AD running at home?
Most home users don’t, but most enterprises do.

Why can’t you accept what’s in the official doc?
Initially at boot, the primary, secondary order is applied to create a list and the top (preferred/primary) one will be queried.
But after a while, the other logic comes into play, scrambling the order of the list and rearranging who comes on top of the list to be queried, depending on which DNS server is quickest to respond.

In an enterprise, a Windows XP client could connect to the network and if it does, your setup scheme fails.
Some home users still run XP, maybe virtualized, for game compatibility.
And some technology/code logic doesn’t change that much over the years.
I bet the code logic hardly changed with the newer Windows versions.
The XP MS doc was just the first hit when I googled/duckducked :wink:


#18

What part exactly of this don’t you get:

Windows XP Professional allows multiple DNS servers to be specified. The first DNS server specified, known as the preferred DNS server, can be followed by an unlimited number of alternate DNS servers.

1. The resolver sends the query to the first server on the preferred adapter’s search list and waits one second for a response.
2. If the resolver does not receive a response from the first server within the allotted time, it sends the query to the first DNS server on the search list of each adapter still under consideration. The resolver waits two seconds for a response.
3. If the resolver does not receive a response from any server within this allotted time, the resolver sends the query to all DNS servers on all adapters still under consideration and waits another two seconds for a response.

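The three-step search order quoted in this post is precise enough to model. The following is an added example, not code from the thread or from Microsoft: a virtual-time simulation that applies the quoted 1 s / 2 s / 2 s waits to a constructed list of servers, so the cost of a dead preferred server, and the effect of the "move the faster server up the list" behaviour quoted earlier in the thread, can be read off directly. It assumes each server is either "answers after N seconds" or "down"; caching, retransmits, the hosts file and any other client-side policy are left out.

```python
# Added example (not from the thread): virtual-time model of the quoted
# Windows resolver search order. Server names, latencies and the scenarios
# below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DnsServer:
    name: str
    latency: Optional[float]  # seconds until it answers; None means it is down


# The three waits listed in the quoted doc: 1 s, then 2 s, then 2 s.
STEP_TIMEOUTS = (1.0, 2.0, 2.0)


def _first_reply(servers: List[DnsServer], timeout: float) -> Optional[DnsServer]:
    """Of the servers queried in parallel, return the one whose answer
    arrives first within the timeout, or None if none answers in time."""
    alive = [s for s in servers if s.latency is not None and s.latency <= timeout]
    return min(alive, key=lambda s: s.latency) if alive else None


def resolve(adapters: List[List[DnsServer]]) -> Tuple[Optional[str], float]:
    """Walk the quoted three-step search order.

    adapters[0] is the preferred adapter's search list; each inner list is
    in preferred -> alternate order. Returns (name of the answering server or
    None, virtual seconds elapsed until the answer or the final timeout).
    """
    rounds = [
        adapters[0][:1],                    # step 1: first server, preferred adapter
        [a[0] for a in adapters if a],      # step 2: first server of every adapter
        [s for a in adapters for s in a],   # step 3: every server on every adapter
    ]
    elapsed = 0.0
    for servers, timeout in zip(rounds, STEP_TIMEOUTS):
        hit = _first_reply(servers, timeout)
        if hit is not None:
            return hit.name, elapsed + hit.latency
        elapsed += timeout
    return None, elapsed


def promote(search_list: List[DnsServer], name: str) -> List[DnsServer]:
    """The reordering quoted from the XP doc: the server that answered
    moves to the top of the list for the next query."""
    winner = [s for s in search_list if s.name == name]
    rest = [s for s in search_list if s.name != name]
    return winner + rest


def scenario_primary_down() -> Tuple[Optional[str], float]:
    # One adapter, DC1 (preferred) is down, Pi-hole is the alternate.
    # Steps 1 and 2 both ask only DC1, so the alternate is reached in step 3.
    adapters = [[DnsServer("DC1", None), DnsServer("Pi-hole", 0.02)]]
    return resolve(adapters)


def scenario_second_adapter() -> Tuple[Optional[str], float]:
    # A VPN adapter's server answers in step 2, before the preferred
    # adapter's own alternate (DC2) is ever asked.
    adapters = [
        [DnsServer("DC1", None), DnsServer("DC2", 0.01)],
        [DnsServer("VPN-DNS", 0.05)],
    ]
    return resolve(adapters)


def scenario_after_promotion() -> Tuple[Optional[str], float]:
    # Same single-adapter list, but Pi-hole was promoted because it answered
    # last time: the dead DC1 no longer costs three seconds per lookup.
    search = promote([DnsServer("DC1", None), DnsServer("Pi-hole", 0.02)], "Pi-hole")
    return resolve([search])


if __name__ == "__main__":
    for fn in (scenario_primary_down, scenario_second_adapter, scenario_after_promotion):
        print(f"{fn.__name__}: {fn()}")
```

The second scenario is the one worth noticing for the setup discussed in this thread: with a second adapter present (a VPN, Hyper-V switch or Docker bridge), the alternate server on the primary adapter is not the next thing tried after the preferred one fails, so which server answers, and therefore which server's logs the query lands in, depends on adapter layout as much as on the primary/secondary order.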

#20

I get all three parts.

EDIT:
Google for “Microsoft Smart Multi-Homed Name Resolution”


#21

I had a hard time finding any docs on Windows, so I decided to manually configure a Win7 setup with the primary being Pi-hole and the secondary my router DNS (with no Pi-hole upstream).
nslookup was persistently hitting the primary DNS, but as soon as I browsed to my favorite local news site, ads appeared all over the place that I usually never see when Pi-hole is doing its job.
There are many implementations, depending on OS, release or app, of how the resolver operates.
And as you can’t be sure what kind of devices are connecting, assuming that the primary DNS will always get all queries is no guarantee.
