Question asked by Ravi-4578 (0 votes)

External DNS queries on AD Domain controller failing

I have a Windows domain with a single AD domain controller (Server 2019) and a bunch of Windows 10 clients. I also have a firewall (192.168.1.3). I am unable to resolve external sites on my server but all the clients are fine. The server is getting its IP from the firewall DHCP (the IP is reserved for the server). How do I fix this so I am able to resolve external hostnames on the server?

ipconfig on the server is shown below

 Default Gateway . . . . . . . . . : 192.168.1.3
 DHCP Server . . . . . . . . . . . : 192.168.1.3
 DHCPv6 IAID . . . . . . . . . . . : 143933641
 DHCPv6 Client DUID  . . . . : 00-01-00-01-25-92-C5-E1-94-45-e4-11-20-VB
 DNS Servers . . . . . . . . . . . :  ::1
                                              192.168.1.3
 NetBIOS over Tcpip. . . . . . . . : Enabled

On all the clients (all are part of the domain), I am able to resolve fine.

     Default Gateway . . . . . . . . . : 192.168.1.3
     DHCP Server . . . . . . . . . . . : 192.168.1.3
     DNS Servers . . . . . . . . . . . : 192.168.1.134
                                         192.168.1.3
     NetBIOS over Tcpip. . . . . . . . : Enabled
     Connection-specific DNS Suffix Search List :
                                         ark.local


Tags: windows-server-2016, windows-dhcp-dns

Answer by DSPatrick (0 votes)

Domain controller and all members must use domain DNS only, so you should remove the router address on clients and add the domain controller's own address listed for DNS. Domain controller should always have a static IP address. On domain controller remove the router address listed for DNS and add the DC's own static IP address. Domain members use domain DNS to find and log on to the domain. Internet queries are forwarded and resolved in a top level down fashion by default to the 13 root hint servers. You can optionally add ISP or other public DNS as forwarders.

--please don't forget to upvote and Accept as answer if the reply is helpful--
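The steps in this answer, written out as a PowerShell script for the domain controller. This is an added example, not code from the thread or from Microsoft; the adapter alias, the /24 prefix and the test hostname are assumptions, and the addresses come from the ipconfig output in the question (the DC is assumed to keep its reserved 192.168.1.134 as its static address).

```powershell
# Added example: apply the DNS fix from the answer above on the domain controller.
# Run in an elevated PowerShell session on the DC itself.

$Interface  = 'Ethernet'        # assumption: the DC's adapter alias (check Get-NetAdapter)
$DcAddress  = '192.168.1.134'   # the DC's reserved address, from the client ipconfig in the question
$Gateway    = '192.168.1.3'     # the firewall, which is the default gateway
$PrefixLen  = 24                # assumption: the LAN is a /24
$Forwarders = @('192.168.1.3')  # try the firewall first; replace with 8.8.8.8 if it does not answer
$Domain     = 'ark.local'       # the AD domain, from the client suffix search list

# 1. A DC should not be a DHCP client: turn the reserved lease into a static address.
Set-NetIPInterface -InterfaceAlias $Interface -AddressFamily IPv4 -Dhcp Disabled
$haveAddress = Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
               Where-Object IPAddress -eq $DcAddress
if (-not $haveAddress) {
    # Only pass -DefaultGateway when no default route exists yet, otherwise the cmdlet errors.
    $haveRoute = Get-NetRoute -InterfaceAlias $Interface -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if ($haveRoute) {
        New-NetIPAddress -InterfaceAlias $Interface -IPAddress $DcAddress -PrefixLength $PrefixLen | Out-Null
    } else {
        New-NetIPAddress -InterfaceAlias $Interface -IPAddress $DcAddress -PrefixLength $PrefixLen -DefaultGateway $Gateway | Out-Null
    }
}

# 2. The DC's own DNS client must point only at domain DNS, i.e. at itself.
#    This replaces the ::1 / 192.168.1.3 pair shown in the question.
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DcAddress

# 3. Internet names: send them to a forwarder, and fall back to root hints if the forwarder is down.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true

# 4. Re-register the DC's own host and service records now that its addressing is final.
Register-DnsClient
nltest /dsregdns | Out-Null

# 5. Verify: client settings, forwarders, an external name, and the DC locator SRV record.
Get-DnsClientServerAddress -InterfaceAlias $Interface -AddressFamily IPv4
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server $DcAddress -DnsOnly     # assumption: any public name
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcAddress -DnsOnly
```

For the clients, the same answer says to drop the router from their DNS list. Because they receive DNS from the firewall's DHCP, the durable fix is to change the DNS server option (DHCP option 6) on the firewall's scope to hand out only 192.168.1.134; a per-machine `Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.1.134` achieves the same thing but has to be repeated on every client.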



DSPatrick commented: Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



Answer by Ravi-4578 (0 votes)

@DSPatrick Thank you for your response. Sorry, I was sick and unable to get to my server remotely. I was able to finally go into the office.

What I see is the following for the root hints section. All rows point to something that is not my IPv4 address.



In my Forwarders tab, I just see my local firewall address. When I added 8.8.8.8, it starts working.

I was thinking all the external DNS address resolutions will be performed by my firewall. All my clients are able to resolve external IP addresses by using the firewall.


Answer by DSPatrick (0 votes)

> What I see is the following for the root hints section. All rows point to something that is not my IPv4 address.

Root hints are a list of top level DNS servers on the Internet that your DNS servers can use to resolve queries for names that it does not know.

When forwarders are configured then the root hints don't really matter, but the domain controller and all members must use domain DNS only, so you should remove the router address on clients and add the domain controller's own address listed for DNS. Domain members use domain DNS to find and log on to the domain. Domain controller should also always have a static IP address.

--please don't forget to upvote and Accept as answer if the reply is helpful--




DSPatrick commented: Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



Ravi-4578 commented: Got it. Thank you. Will change the server to have a fixed IP address and clients will have just the server's fixed address as DNS Servers.

Just one question. In the past (before I created a domain), the DNS server used by all my PCs had the router as the DNS server. Having the router as the DNS forwarder on the Windows DC is not helping with resolving external IP addresses. Why do I need to add 8.8.8.8 instead of the DC using my firewall and the firewall using the ISP-provided DNS server to resolve external IP addresses?

Answer by DSPatrick (1 vote)

The domain members should not have the router or public DNS on connection properties. This causes great confusion for active directory. Domain members use domain DNS to find and logon to domain. Internet queries are forwarded to public DNS via configured forwarders or if none were configured then to the 13 root hint servers.

You could probably use the firewall appliance as the configured forwarder. If 8.8.8.8 as forwarder works but firewall appliance address doesn't then it seems some problem in the firewall appliance configuration.
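The answer above leaves open whether the firewall will actually answer recursive queries coming from the DC. The following diagnostic, an added example that is not from the thread, asks each candidate forwarder directly from the DC (bypassing the DC's own DNS service and cache) and then checks that the root hints are reachable, which is the fallback the earlier answers describe. The test hostname is an assumption; the two candidate addresses are the firewall and the public resolver named in the thread.

```powershell
# Added diagnostic example: run on the DC to see which forwarder candidates answer it.
$Candidates = @('192.168.1.3', '8.8.8.8')   # firewall from the question, and the resolver the poster tried
$TestName   = 'www.microsoft.com'           # assumption: any public A record will do

function Test-Forwarder {
    param([string]$Server, [string]$Name)
    # Port reachability first, so a silent drop is distinguished from a refused or empty answer.
    $tcp = Test-NetConnection -ComputerName $Server -Port 53 -WarningAction SilentlyContinue
    try {
        # -DnsOnly skips LLMNR/NetBIOS, -NoHostsFile skips the hosts file: only this server's answer counts.
        $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
        $ips = ($answer | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ', '
        [pscustomobject]@{ Server = $Server; Tcp53 = $tcp.TcpTestSucceeded; Result = "OK: $ips" }
    } catch {
        [pscustomobject]@{ Server = $Server; Tcp53 = $tcp.TcpTestSucceeded; Result = "FAILED: $($_.Exception.Message)" }
    }
}

"--- Forwarder candidates, queried directly from the DC ---"
$Candidates | ForEach-Object { Test-Forwarder -Server $_ -Name $TestName } | Format-Table -AutoSize

# Root hints only matter when no forwarder answers; confirm a few of them are reachable.
# Root servers answer an NS query for "." without recursion, so this is a clean reachability test.
"--- Root hint reachability (first 3) ---"
Get-DnsServerRootHint | Select-Object -First 3 | ForEach-Object {
    $ip = $_.IPAddress | ForEach-Object { $_.RecordData.IPv4Address } | Where-Object { $_ } | Select-Object -First 1
    if (-not $ip) { return }
    try {
        $null = Resolve-DnsName -Name '.' -Type NS -Server $ip.IPAddressToString -DnsOnly -ErrorAction Stop
        "{0,-20} {1,-16} reachable" -f $_.NameServer.RecordData.NameServer, $ip
    } catch {
        "{0,-20} {1,-16} NO ANSWER" -f $_.NameServer.RecordData.NameServer, $ip
    }
}
```

Reading the output: if 8.8.8.8 answers but 192.168.1.3 shows `Tcp53 = False` or a timeout, the firewall's DNS proxy is not serving the DC (for example, it is bound only to the client side or an ACL excludes the server's address), which matches the answer's conclusion that the problem is on the firewall rather than on the DC. If both forwarders fail and the root hints are also unreachable, outbound port 53 from the DC is being blocked somewhere between it and the Internet.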
