Active directory server set up DNS resolution failure or VERY SLOW, can I route external DNS requests the traditional way, before the server existed?
I’m very new to the world of Active Directory, Windows Server etc., so I apologise if some of the questions I ask are a bit stupid, but I’ll try and explain exactly what I want to do below, and my current setup.
I’m running Ubuntu Server on a Raspberry Pi, using Kerberos and other software detailed in this video to use it as an AD-DC for my four clients that connect to it. At the moment this is really a test network on my Pi 2, before I launch on my Pi 4. The Raspberry Pi is only just powerful enough to run the network and authenticate user logons and manage group policy etc., but DNS resolution is extremely slow.
From the client perspective, the network is operating completely fine with logons and policy etc. EXCEPT what they have noticed is the time it takes to make a quick google search has increased dramatically and sometimes the search even fails.
Now, here’s the question… is there a way to operate my AD-DC server setup to manage group policy, users, groups, logon etc. without sending external DNS requests (e.g. bbc.co.uk or google.com) via the AD-DC? I want them to be processed as they would have been before the server came along (by the router??), simply because it can’t handle them, and the setup before the server was perfectly fine at handling them.
The windows clients are configured in dns settings to use the ADDC as their preferred dns server (if I change this, then they lose connection to the domain and can’t find it…) and use 184.108.40.206 google’s dns server as their secondary one, but whether I enter this in or not doesn’t really seem to have an effect.
And if the ADDC server is down, ALL external dns requests across the entire network fail. It’s like the backup isn’t even there. You can’t get onto google from a client when the DC is down.
Any info I’m happy to provide.
Secondary bonus question: wondering why Samba network transfer speed is dramatically slower using AD on this Raspberry Pi rather than just installing Samba and having it as a network share. Gone from 30Mb/s to 2Mb/s.
> The windows clients are configured in dns settings to use the ADDC as their preferred dns server (if I change this, then they lose connection to the domain and can’t find it…) and use 220.127.116.11 google’s dns server as their secondary one
That’s an invalid configuration, prone to unexpected errors in the Active Directory context. In an AD environment your (Windows) clients must not use a DNS server that doesn’t know about your internal AD setup.
> Is there a way to operate my AD-DC server setup to manage group policy, users, groups, logon etc. without sending external DNS requests e.g. bbc.co.uk or google.com via the AD-DC
The Domain Controller for Active Directory must be canonical for your DNS domain. If you’re asking whether you can have clients that don’t use the DC for external DNS requests, then the answer is a qualified yes.
- All DNS requests for your AD-controlled DNS domain must go to a DC
- DNS requests for somewhere else may be resolved by any suitably responsive DNS server
- You must not send DNS requests for your internal AD-controlled domain to an external server because its "NXDOMAIN" response will cause breakage
In the case of #2, for Linux-based or other UNIX system clients you can use either systemd-resolved or dnsmasq to implement the stateful selection. (I’ve done both in various cases previously.)
/etc/systemd/network/20-local.network, setting the DNS server to be your AD DC, and your local domain as appropriate, remembering the leading ~:

```ini
# Network interface name (*=any)
[Match]
Name=*

# Specific DNS server(s) to use for this domain
[Network]
DNS=10.0.0.1
Domains=~contoso.com
```
/etc/systemd/resolved.conf.d/20-local.conf, setting the default external DNS servers as appropriate:

```ini
[Resolve]
DNS=18.104.22.168 22.214.171.124
```
Reload the network and check the resolver:

```sh
systemctl restart systemd-networkd
resolvectl status
```
You should see that queries for your AD-controlled domain go to your Domain Controller, and everything else goes to 126.96.36.199 and/or 188.8.131.52.
/etc/dnsmasq.conf, setting the following values appropriately:

```text
# Global nameservers
server=184.108.40.206
server=220.127.116.11

# Domain-specific nameserver (forward and reverse)
server=/contoso.com/10.0.0.1
server=/18.104.22.168.in-addr.arpa/10.0.0.1
```
Potentially useful references:
- How to configure the network interfaces from Dave Embedded Systems
- Configure systemd-resolved to use a specific DNS nameserver for a given domain from Gist (Github)
- Need to set different DNS configurations for home and work from Ask Fedora
- domain-based routing with systemd-resolved from SuperUser
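The following is an added example, not part of the answer above or of systemd or dnsmasq themselves. It models the one rule both configurations in the answer implement: a query for a name under a domain that has a specific server goes to that server, and everything else goes to the global servers. It parses both config styles (the systemd-networkd/resolved INI drop-ins and dnsmasq `server=/domain/ip` lines), predicts where a given query is sent, and flags the configuration the answer calls invalid, where a server that does not hold the AD zone would be asked about it and answer NXDOMAIN. The domain contoso.com and the DC address 10.0.0.1 are the answer's sample values; the public resolver addresses 192.0.2.53/192.0.2.54, the reverse zone 0.0.10.in-addr.arpa and the query names are constructed placeholders.

```python
"""Predict split-DNS query routing from systemd-resolved or dnsmasq config.

Added example (not the original answer's code). Sample data is constructed:
192.0.2.x are documentation addresses standing in for public resolvers.
"""
import configparser
from typing import Dict, List, Tuple

Routes = Dict[str, List[str]]  # routing domain -> servers that hold it

# Constructed sample: the two systemd drop-ins shown in the answer
NETWORK_FILE = """
[Match]
Name=*

[Network]
DNS=10.0.0.1
Domains=~contoso.com
"""

RESOLVED_FILE = """
[Resolve]
DNS=192.0.2.53 192.0.2.54
"""

# Constructed sample dnsmasq.conf in the same shape as the answer's
DNSMASQ_FILE = """
# Global nameservers
server=192.0.2.53
server=192.0.2.54
# Domain-specific nameserver (forward and reverse, 10.0.0.0/24 assumed)
server=/contoso.com/10.0.0.1
server=/0.0.10.in-addr.arpa/10.0.0.1
"""


def parse_systemd(network_text: str, resolved_text: str) -> Tuple[List[str], Routes]:
    """Read a .network drop-in and resolved.conf; return (global DNS, routes)."""
    net = configparser.ConfigParser()
    net.read_string(network_text)
    link_dns = net["Network"]["DNS"].split()
    routes: Routes = {}
    for dom in net["Network"].get("Domains", "").split():
        # A leading '~' makes the entry a routing-only domain: names under it
        # are sent to this link's DNS, but it is not appended as a search suffix.
        routes[dom.lstrip("~").lower()] = link_dns
    res = configparser.ConfigParser()
    res.read_string(resolved_text)
    global_dns = res["Resolve"]["DNS"].split()
    return global_dns, routes


def parse_dnsmasq(text: str) -> Tuple[List[str], Routes]:
    """Read dnsmasq server= lines; return (global DNS, routes)."""
    global_dns: List[str] = []
    routes: Routes = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):                  # server=/domain/ip form
            _, domain, server = value.split("/", 2)
            routes.setdefault(domain.lower(), []).append(server)
        else:                                      # plain global server
            global_dns.append(value)
    return global_dns, routes


def resolve_target(name: str, global_dns: List[str], routes: Routes) -> List[str]:
    """Servers a query for `name` is sent to: longest matching routing
    domain wins, otherwise the global servers."""
    name = name.rstrip(".").lower()
    best = None
    for domain in routes:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return routes[best] if best is not None else global_dns


def find_nxdomain_risk(global_dns: List[str], routes: Routes,
                       ad_domain: str, dc_servers: List[str]) -> List[str]:
    """Servers that would be asked about the AD zone but do not hold it.
    Any entry here is the 'invalid configuration' the answer warns about."""
    asked = resolve_target(ad_domain, global_dns, routes)
    return [s for s in asked if s not in dc_servers]


if __name__ == "__main__":
    g, r = parse_systemd(NETWORK_FILE, RESOLVED_FILE)
    for q in ("dc1.contoso.com", "www.bbc.co.uk"):
        print(f"{q:20} -> {resolve_target(q, g, r)}")
    # A flat Windows-style list (DC first, public resolver second) has no
    # routing at all, so the public server may be asked about the AD zone.
    print("risk:", find_nxdomain_risk(["10.0.0.1", "192.0.2.53"], {},
                                      "contoso.com", ["10.0.0.1"]))
```

The last print reproduces the questioner's client configuration: with no per-domain routing, the secondary server is a legitimate answerer for contoso.com, and the resulting NXDOMAIN is what breaks domain lookups when the DC is slow or down.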