Best practice for Active Directory (AD)

Hello,

I run Active Directory (AD) at home. The AD Windows domain consists of two Domain Controllers which also run DNS (DC1 & DC2). All clients in my house receive their DNS servers via DHCP. The DNS servers issued out via DHCP are my DCs (e.g. Primary = DC1, Secondary = DC2). I have both my DCs setup to forward their requests to the Pi-hole. DNS requests flow as follows.

clients -> DCs -> Pi-hole -> 8.8.8.8

This seems to work perfectly as my clients find all their needed AD SRV records and have redundancy across my two DCs. The DCs forward to the Pi-hole for anything they are not authoritative for.

The issue with this setup is that I lose visibility into what DNS requests are coming from which clients. As far as Pi-hole is concerned, it is servicing two clients (e.g. DC1 & DC2).

I have considered pointing all my clients to the Pi-hole then using a conditional forwarder in Pi-hole to forward all requests to my internal domain. For example, myInternalDomain.com -> the IP of one of my DCs (e.g DC1).

clients -> Pi-hole -> 8.8.8.8
_________└ myInternalDomain -> DC1

The issue with this is that if DC1 goes down then I lose name resolution for myInternalDomain.com. This is because Pi-hole only allows a single IP for conditional forwarders. Another issue with this is that if Pi-hole goes down I also lose name resolution for my internal domain.

I realize I may just have to pick my preferred issue (client request granularity vs. high availability of internal domain resolution).

Thoughts on this?

Thanks!

While the Pi-hole instances will only show the DC as a client, isn’t there a DNS service that shows the requests and what device requested them?

Perhaps something like this https://www.adamcouch.co.uk/active-directory-dns-logging/ may give you a good place to start.

@technicalpyro Yes, absolutely there are ways in Windows to log\audit that. However, the Pi-hole interface is really nice. Again, I realize I am being picky and will probably just have to decide on which issue I prefer. Thanks!

I wish there was a better way. The only thing I can think of is if you disable the DNS portion of the DC and have it use the Pi-hole based on DHCP.

I’m having the exact same issue as you…

This is how DNS works, but for our scenario it obviously isn’t ideal.

My idea to solve this is that the first DNS server my DHCP clients get is the Pi-hole. And I’m gonna set two custom DNS servers: the first one will be an external one (Google for example) and the second will be a domain controller. This means external queries will be fast (in my scenario ideal) and secondary internal queries might take a bit more.

There is a second option (but I have to test). In my DHCP server (and router), pfSense can create a load balancing IP. I would create one, add all my DCs to it and done. Set that as my internal DNS server.

Read this bit I posted yesterday:

This is INCORRECT. Excluding cache scenarios, hosts file, etc., the Windows DNS client always hits its primary DNS server first and if it fails, then tries its alternative DNS servers.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb457118(v=technet.10)

The resolver also keeps track of which servers answer queries more quickly, and it might move servers up or down on the list based on how quickly they reply to queries.

https://social.technet.microsoft.com/Forums/Lync/en-US/5b5467b2-dc96-4d93-bd19-ee038ec4155c/dns-queries-failing-when-primary-server-is-being-rebooted?forum=winserverNIS

If the DNS server does not respond, which we call a NULL response (when the DNS is down and can’t respond), it will go to subsequent DNS entries in the order entered in the NIC after a time out period

If you don’t want to believe me and prefer another forum post over the official MS doc, that’s fine with me.
But don’t come asking here where those ads come from!

Are you kidding me? There are multiple links explaining how the Windows DNS client works. It’s not just a post.

If you want to nitpick, your article is about Windows XP. Since it’s from Windows XP, it doesn’t apply…

Also:

Your own (deleted) article does state there is a primary and then alternative servers…


Both are occurring, don’t you understand?
If a system runs long enough, the list can get mixed up.
:tongue:

EDIT: example for an enterprise with 100+ clients and two DNS servers.
Do you want all your clients to only do lookups against the primary DNS server?
No, you want them to spread the load depending on usage.

Why are you trying to steer off topic? Have you noticed that you messed up?

A client will always attempt a primary DNS server. If it can’t, then it goes to alternative ones.

It’s pretty simple. Who is talking about enterprises and load balancing and other off-topic stuff?

I couldn’t resist :smiley:
What do you mean by steering off topic?
The 100+ clients bit?
This topic is about AD.
Do you have AD running at home?
Most home users don’t, but most enterprises do.

Why can’t you accept what’s in the official doc?
Initially at boot, the primary/secondary order is applied to create a list and the top (preferred/primary) one will be queried.
But after a while, the other logic comes into play, scrambling the order of the list and rearranging who comes on top of the list to be queried depending on which DNS server is quickest to respond.

In an enterprise, a Windows XP client could connect to the network and if it does, your setup scheme fails.
Some home users still run XP, maybe virtualized, for game compatibility.
And some technology/code logic doesn’t change that much over the years.
I bet the code logic hardly changed with the newer Windows versions.
The XP MS doc was just the first hit when I googled/duckducked :wink:

What part exactly of this don’t you get:

Windows XP Professional allows multiple DNS servers to be specified. The first DNS server specified, known as the preferred DNS server, can be followed by an unlimited number of alternate DNS servers.

1. The resolver sends the query to the first server on the preferred adapter’s search list and waits one second for a response.
2. If the resolver does not receive a response from the first server within the allotted time, it sends the query to the first DNS server on the search list of each adapter still under consideration. The resolver waits two seconds for a response.
3. If the resolver does not receive a response from any server within this allotted time, the resolver sends the query to all DNS servers on all adapters still under consideration and waits another two seconds for a response.

I get all three parts.

EDIT:
Google for “Microsoft Smart Multi-Homed Name Resolution”

I had a hard time finding any docs on Windows, so I decided to manually configure a Win7 setup with the primary being Pi-hole and the secondary my router DNS (with no Pi-hole upstream).
nslookup was persistently hitting the primary DNS, but as soon as I browsed to my favorite local news site, ads appeared all over the place that I usually never see when Pi-hole is doing its job.
There are many implementations, depending on OS, release or app, of how the resolver operates.
And as you can’t be sure what kind of devices are connecting, assuming that the primary DNS will always get all queries is no guarantee.

I’m in the same situation…
I run an AD at home with two DCs.
Would it be a solution to set up two Pi-hole servers and set a conditional forwarder for Pi-hole 1 to DC1 and Pi-hole 2 to DC2?
And then set the DHCP server to serve the Pi-hole servers as DNS servers.
That way I guess I would get an answer as long as both Pi-hole 1 and DC1 are up and running, or Pi-hole 2 and DC2 are running. I will run into problems if, for example, Pi-hole 1 and DC2 are down. But then again I guess I have some more problems :slight_smile:

Am I right?

///Peter!

I think the question here, going back to the OP, is either these two scenarios:

Client <–> DC/DNS <–> Pi-Hole <–> Router

Or

Client <–> Pi-Hole <–> DC/DNS <–> Router

In the first scenario, one Pi-hole is needed and you can have as many DCs as you want. However, it seems the logging of clients becomes an issue since Pi-hole only sees the DCs.

In the second scenario, you have to have a Pi-hole per DC in order to have DNS redundancy with the DCs. This way you can see the logging of the clients, but it uses more resources with more Pi-holes running.

Not sure that more than one Pi-hole instance is required for redundancy of DCs. Pi-hole does support multiple conditional forwarders/endpoints, but not in the interface; you can simply edit your dnsmasq config file as discussed here though;
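As an added example (not code from the thread or from the Pi-hole project), this shell script generates the kind of dnsmasq drop-in the last reply refers to: one `server=/domain/IP` line per DC, plus a `rev-server=` line per DC for the LAN's reverse zone, so resolution of the AD domain survives a single DC outage. The domain, DC addresses and subnet are constructed placeholders.

```bash
#!/bin/sh
# Added example: build a Pi-hole dnsmasq drop-in that conditionally forwards an
# AD domain (and the LAN reverse zone) to several DCs instead of the single IP
# the web UI accepts. Values below are constructed, not from the thread.

# One "server=/<domain>/<dc>" line per DC. dnsmasq sends a query to one of the
# listed servers and fails over to the others when it stops responding.
ad_forwarders() {
    domain=$1; shift
    for dc in "$@"; do
        printf 'server=/%s/%s\n' "$domain" "$dc"
    done
}

# One "rev-server=<subnet>,<dc>" line per DC so PTR lookups for the LAN are
# also answered by the DCs (AD tooling such as nslookup relies on these).
ad_reverse() {
    subnet=$1; shift
    for dc in "$@"; do
        printf 'rev-server=%s,%s\n' "$subnet" "$dc"
    done
}

# Write the complete drop-in. Pi-hole loads /etc/dnsmasq.d/*.conf; a name
# sorting after Pi-hole's own 01-pihole.conf keeps the files from clashing.
write_dropin() {
    outfile=$1; domain=$2; subnet=$3; shift 3
    {
        echo "# Conditional forwarding for $domain to all DCs (generated)"
        ad_forwarders "$domain" "$@"
        ad_reverse "$subnet" "$@"
    } > "$outfile"
}

# Usage with constructed values; apply with "pihole restartdns" afterwards:
# write_dropin /etc/dnsmasq.d/02-ad-forwarders.conf \
#     myInternalDomain.com 192.0.2.0/24 192.0.2.10 192.0.2.11
```

Clients keep pointing only at the Pi-hole (so the query log shows every device), while the Pi-hole itself has a fallback DC for the internal zone; the Pi-hole remains a single point of failure unless you run a second instance with the same drop-in.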