question

StarkeevichSergey-9329 asked FanFan-MSFT commented

One of the domain controllers is on an isolated network. How can I exclude requests from a user's PC to a DNS server located in the isolated network?

windows-dhcp-dns

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

DSPatrick answered

Generally, don't let the DHCP server hand out that address. Also, if the isolation is intended to be permanent, you can perform some cleanup to remove it from the directory.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

--please don't forget to upvote and Accept as answer if the reply is helpful--


FanFan-MSFT answered

Hi,
Welcome to ask here!
It would be helpful if you could confirm the following questions.
How many DCs do you have in your domain?
Was the DC a good one which is working, or a problematic DC?

Did you set the DC in an isolated network for security reasons or for another purpose?
If you cut off the DC's network purposefully, then I think there may be no way to perform DNS resolution, because the user cannot find the DNS server.

If this DC has become isolated from the network due to a failure, we need to let the client maintain a smooth network connection with the DC.
Please let me know if I misunderstood you.

Best Regards,

StarkeevichSergey-9329 answered

Imagine 5 controllers, one in each of 5 cities; the networks are isolated from each other by VLANs. The user does not have access to a controller from another city. The domains themselves are available to each other over the network.
But if you run the command nslookup yourdomain.local, you will see a list of all domains, randomly selected by the computer.

DSPatrick answered

Ok, thanks for the detail; that technically isn't isolated. The DC locator should sort this out for the member.
https://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx

--please don't forget to upvote and Accept as answer if the reply is helpful--


FanFan-MSFT answered FanFan-MSFT edited

Hi,
Based on my understanding, the result of the command nslookup yourdomain.local will list all the DCs that have DNS records on the DNS server the client is contacting.
For example, site A has client 1 and DC 1. DC 1 acts as a DNS server at the same time.
When the command is run on client 1, the client will query the records from DC 1. DC 1 will send back all the IP addresses of the DCs it has, no matter whether the client can contact the other DCs or not.
[screenshot: 754.jpg]

The result doesn't mean that the clients will use all the DCs for DNS resolution.
If you want to know the DNS servers of the clients, you can use the command: ipconfig /all.

Best Regards,


DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



StarkeevichSergey-9329 answered StarkeevichSergey-9329 commented

Applying the DS locator policy to my computer did not help. As before, the domain name is pinged randomly to all domain controllers.
ipconfig /all
[screenshot]

ping my domain
[screenshot]

nslookup my domain
[screenshot]

Weights and priorities are set.
Maybe I need to configure something somewhere else?

[screenshot]




If possible, would you please share a screenshot of the DNS server settings on the clients?


I did not understand your question; I have already given the DNS settings on my computer above.
Duplicate:
[screenshot]


DSPatrick answered

Might also check the sites and subnets topology is correct.
https://www.rebeladmin.com/2015/02/why-active-directory-sites-and-subnets/

--please don't forget to upvote and Accept as answer if the reply is helpful--



FanFan-MSFT answered FanFan-MSFT edited

Hi,
Let's make the questions clearer.
1. nslookup domainname will list all the DCs that have DNS records.
This is expected behavior.
When you run this command, the client will query the DNS server it can contact (in its local site).
The DNS server has the records for all the DCs.
The DNS server will respond to the client with all the IP addresses it has, no matter whether the client can contact them or not.
So, the result of the command nslookup domainname doesn't mean the clients use all of them as DNS servers.

It is suggested to capture network packets to find out which DNS server the client used.

Feel free to let me know if I misunderstood you.

Best Regards,
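Added diagnostic example, not from any reply in this thread. It shows, on a Windows client, the difference the replies above describe: the DNS servers the client is really configured to use, the domain A record that nslookup and ping resolve (one address per DC, regardless of reachability), the site-scoped SRV records with the priority and weight values the asker mentions, the DC that the DC locator actually selects, and which of the listed DC addresses are reachable on LDAP from this VLAN. The domain name yourdomain.local is the placeholder used in the thread; substitute the real one. Everything else is standard Windows tooling (DnsClient and NetTCPIP cmdlets, nltest).

```powershell
# Added diagnostic script (not from any reply in this thread).
# 'yourdomain.local' is the placeholder used in the thread; replace it with the real domain.
# Run from a PowerShell prompt on the client whose behaviour is in question.
$domain = 'yourdomain.local'   # placeholder

# 1. Which DNS servers is this client actually configured to query?
#    This is the same data ipconfig /all shows; no DC outside the client's VLAN should appear here.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. What "nslookup yourdomain.local" and "ping yourdomain.local" resolve: the A record of the
#    domain name itself. Every DC registers its address under it, so all DCs are listed and the
#    resolver picks one at random. This record is not what clients use to choose a DC.
Resolve-DnsName -Name $domain -Type A |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress

# 3. The site-scoped SRV records the DC locator uses instead. Priority and weight (the values
#    the asker configured) apply to these records, not to the plain A record above.
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
"Client site reported by the DC locator: $site"
Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port

# 4. The DC the locator actually selects for this client (this is what logon and LDAP use).
#    /force bypasses the cached result so the current site/subnet mapping is exercised.
nltest "/dsgetdc:$domain" /force

# 5. Reachability of each address in the domain A record on the LDAP port. With correct sites and
#    subnets, only the local-site DC(s) need to be reachable; the others being listed is harmless.
Resolve-DnsName -Name $domain -Type A |
    Where-Object { $_.Type -eq 'A' } |
    ForEach-Object {
        $reachable = Test-NetConnection -ComputerName $_.IPAddress -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $_.IPAddress; LdapReachable = $reachable }
    }
```

If step 4 returns a DC from another city, or step 3 reports a site that does not match the client's subnet, the sites and subnets mapping is the thing to fix; random ordering in step 2 alone is expected and does not indicate that the client is using a remote DC.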

DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--


