Router DNS for internet queries instead of AD DNS

Tomass Pētersons 336 Reputation points
2022-08-19T01:35:15.24+00:00

Hi,

One of the clients has the following situation - only one AD server located in another data center, outside the client's office. There is a router in the office with DHCP and DNS enabled. An IPsec tunnel is established from the router to the data center where AD is located.

Currently, domain joined computers receive their IP address from the router's DHCP server. The router's DHCP gives the AD IP address as the primary DNS server, followed by two external DNS servers. At the same time, the AD DNS server has the same two external DNS servers listed as forwarders.
[attached image: 232645-paintschema.png (network diagram)]

Question - is this ok? I don't want the router's DHCP to give the domain joined computers only one DNS server that would be the AD IP, because if the IPsec tunnel goes down, which has happened a couple of times (but not very often), then the computers will no longer have internet.
Is there a possibility that AD DNS is not processing internet queries at all, but only internal queries - the ones that AD needs to?

btw Windows Server DNS is not my strong point. :/

Thanks!

Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing

2 answers

  1. Anonymous
    2022-08-19T13:18:48.553+00:00

    The domain controller and all members must use the static IP address of the DC for DNS and no others, such as the router or public DNS. Having the router handle DHCP isn't a problem, but do not hand out public DNS. The better option is to add a domain controller at the site.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
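    As an added illustration of the advice above (example code, not from this thread), the following PowerShell audit, run on a domain-joined client, flags any resolver that is not the AD DNS server and confirms the DC locator SRV record answers through it, which is the lookup that breaks when the tunnel is down. The DC address is an assumed placeholder.

```powershell
# Added example, not from the thread. Run on a domain-joined Windows client.
# $DcAddress is a placeholder; replace with the real AD DNS server address.
$DcAddress = '10.0.0.10'
$Domain    = (Get-CimInstance Win32_ComputerSystem).Domain

# 1. Any adapter handing out a resolver other than the DC (router, public DNS)
#    means the client can resolve internal names inconsistently.
$adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($adapter in $adapters) {
    $extra = $adapter.ServerAddresses | Where-Object { $_ -ne $DcAddress }
    if ($extra) {
        Write-Warning ("{0}: non-AD resolvers configured: {1}" -f `
            $adapter.InterfaceAlias, ($extra -join ', '))
    } else {
        "{0}: OK, only AD DNS ({1})" -f $adapter.InterfaceAlias, $DcAddress
    }
}

# 2. Confirm the DC locator record resolves via the AD DNS server itself.
#    If this fails, domain logons and GPO processing will fail regardless of
#    whether internet names still resolve through the other servers.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
        -Server $DcAddress -ErrorAction Stop
    $targets = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
    "DC locator SRV via ${DcAddress}: $targets"
} catch {
    Write-Warning "AD DNS at $DcAddress did not answer the DC locator query: $($_.Exception.Message)"
}
```

    On the AD DNS server itself, Get-DnsServerForwarder shows the forwarders that handle internet names on behalf of clients, so those public servers never need to appear in the DHCP scope.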


  2. Tomass Pētersons 336 Reputation points
    2022-08-20T16:55:06.237+00:00

    Yes, having a domain controller at the site would be the best option. However, the customer is a government entity and has the ability to keep AD in a secure data center at low cost. And with the client's office space being as big as it is, they don't want to keep a separate server just to run AD because of DNS.

    I understand that DNS is basically the basis for AD to work at all, but I think it's kinda stupid that keeping all DNS records on it is a requirement given the various situations. :/

