One of the domain controllers is on an isolated network. How to exclude requests from a user's PC to a DNS server located in an isolated network.
Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,
Generally, don't let the DHCP server hand out that address. Also, if the isolation is intended to be permanent, you can perform some cleanup to remove it from the directory.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi,
Welcome to ask here!
It will be helpful if you can confirm the following questions.
How many DCs do you have in your domain?
Was the DC a good one that is working, or a problematic DC?
Did you put the DC in an isolated network for security reasons or for another purpose?
If you cut off the DC's network on purpose, then I think there may be no way to perform DNS resolution, because the user cannot find the DNS server.
If this DC became isolated due to a failure, we need to let the client maintain a smooth network connection with the DC.
Please let me know if I misunderstood you.
Best Regards,
Imagine 5 controllers, one in each of 5 cities; the networks are isolated from each other by VLAN. The user does not have access to a controller from another city. The domains themselves are available to each other over the network.
But if you run the command nslookup yourdomain.local, you will see a list of all of them, randomly selected by the computer.
Ok, thanks for the detail; that technically isn't isolated. The DC locator should sort this out for the member.
https://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi,
Based on my understanding, the result of the command nslookup yourdomain.local will list all the DCs that have DNS records on the DNS server the client is contacting.
For example, site A has client 1 and DC 1. DC 1 acts as the DNS server at the same time.
When the command is run on client 1, the client will query the records from DC 1. DC 1 will send back all the IP addresses of the DCs it has, whether or not the client can contact the other DCs.
The result doesn't mean that the client will use all the DCs for DNS resolution.
If you want to know the DNS servers of the clients, you can use the command: ipconfig /all.
Best Regards,
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
I applied the DC locator policy to my computer; it did not help. As before, the domain name is pinged randomly to all domain controllers.
ipconfig /all

ping my domain
nslookup my domain
Weights and priorities are set.
Maybe somewhere else I need to configure?

If possible, would you please share a screenshot of the DNS server settings on the clients?
I did not understand your question, I have already given the dns settings on my computer above.
You might also check that the sites and subnets topology is correct.
https://www.rebeladmin.com/2015/02/why-active-directory-sites-and-subnets/
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi,
Let's make the questions clearer.
1. nslookup domainname will list all the DCs that have DNS records.
This is expected behavior.
When you run this command, the client will query the DNS server it can contact (in its local site).
The DNS server has the records for all the DCs.
The DNS server will respond with all the IP addresses it has, whether or not the client can contact them.
So, the result of the command nslookup domainname doesn't mean the client uses all of them as DNS servers.
It is suggested to capture network packets to find out which DNS server the client used.
Feel free to let me know if I misunderstood you.
Best Regards,
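The two checks the replies above keep coming back to (which DNS server the client is really configured to use, and that nslookup on the bare domain name returns every DC's A record rather than the DC the locator picks) can be run from one PowerShell session on the member computer. The following script is an added example written for this thread, not code from any of the posters or from Microsoft; it assumes the domain name yourdomain.local from the question and uses the built-in Resolve-DnsName, Get-DnsClientServerAddress and nltest commands, plus the standard site-specific SRV record name that the DC locator queries.

```powershell
# Added diagnostic example for this thread (not the posters' code).
# Assumes the domain from the question; replace with your own name.
$Domain = 'yourdomain.local'

# 1. Which DNS servers is this client actually configured to use?
#    This is the PowerShell equivalent of the "ipconfig /all" check.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. nslookup <domain> returns the A records registered under the domain
#    name itself: one per DC. Seeing every DC here is expected and says
#    nothing about which DC the client will authenticate to.
Resolve-DnsName -Name $Domain -Type A | Select-Object Name, IPAddress

# 3. The DC locator does not use those A records. It first works out the
#    site the client belongs to from the sites-and-subnets configuration.
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
"Client site: $site"

# 4. It then queries the site-specific SRV records, whose Priority and
#    Weight values are the ones set on the DCs' records.
Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Priority, Weight, Port

# 5. Finally, ask the locator which DC it selects right now. /force
#    bypasses the cached result so the answer reflects the current
#    site and DNS data.
nltest /dsgetdc:$Domain /force
```

If step 3 prints an empty or unexpected site, the client's subnet is not mapped to a site in Active Directory Sites and Services, which is the sites-and-subnets problem raised earlier in the thread; if step 4 lists DCs from other cities, those DCs are registering into this site's SRV records and the site topology, not the DNS server list, is what needs correcting.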
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--