Active Directory server setup: DNS resolution failure or VERY SLOW. Can I route external DNS requests the traditional way, as before the server existed?

I’m very new to the world of Active Directory, Windows Server etc., so I apologise if some of the questions I ask are a bit stupid, but I’ll try and explain exactly what I want to do below, and my current setup.

I’m running Ubuntu Server on a Raspberry Pi, using Kerberos and other software detailed in this video to use it as an AD-DC for my four clients that connect to it. At the moment this is really a test network on my Pi 2, before I launch on my Pi 4. The Raspberry Pi is only just powerful enough to run the network and authenticate user logons and manage group policy etc., but DNS resolutions are extremely slow.

From the client perspective, the network is operating completely fine with logons and policy etc. EXCEPT what they have noticed is that the time it takes to make a quick Google search has increased dramatically, and sometimes the search even fails.

Now, here’s the question… is there a way to operate my AD-DC server setup to manage group policy, users, groups, logon etc. without sending external DNS requests (e.g. bbc.co.uk or google.com) via the AD-DC? I want them to be processed as they would have been before the server came along (by the router??), simply because it can’t handle them, and the setup before the server was perfectly fine at handling them.

The Windows clients are configured in DNS settings to use the AD-DC as their preferred DNS server (if I change this, then they lose connection to the domain and can’t find it…) and use 8.8.8.8, Google’s DNS server, as their secondary one, but whether I enter this in or not doesn’t really seem to have an effect.

And if the AD-DC server is down, ALL external DNS requests across the entire network fail. It’s like the backup isn’t even there. You can’t get onto Google from a client when the DC is down.

Any info I’m happy to provide.

Secondary bonus question: wondering why Samba network transfer speed is dramatically slower using AD on this Raspberry Pi rather than just installing Samba and having it as a network share. Gone from 30Mb/s to 2Mb/s.

Asked By: Oliver Ricketts


The Windows clients are configured in DNS settings to use the AD-DC as their preferred DNS server (if I change this, then they lose connection to the domain and can’t find it…) and use 8.8.8.8, Google’s DNS server, as their secondary one

That’s an invalid configuration, prone to unexpected errors in the Active Directory context. In an AD environment your (Windows) clients must not use a DNS server that doesn’t know about your internal AD setup.

Is there a way to operate my AD-DC server setup to manage group policy, users, groups, logon etc. without sending external DNS requests (e.g. bbc.co.uk or google.com) via the AD-DC?

The Domain Controller for Active Directory must be canonical for your DNS domain. If you’re asking whether you can have clients that don’t use the DC for external DNS requests, then the answer is a qualified yes.

  1. All DNS requests for your AD-controlled DNS domain must go to a DC
  2. DNS requests for somewhere else may be resolved by any suitably responsive DNS server
  3. You must not send DNS requests for your internal AD-controlled domain to an external server because its "NXDOMAIN" response will cause breakage

In the case of #2, for Linux-based or other UNIX system clients you can use either systemd or dnsmasq to implement the stateful selection. (I’ve done both in various cases previously.)

  • systemd

    Create /etc/systemd/network/20-local.network, setting the DNS server to be your AD DC, and your local domain as appropriate, remembering the leading ~:

    # Network interface name (*=any)
    [Match]
    Name=*
    
    # Specific DNS server(s) to use for this domain
    [Network]
    DNS=10.0.0.1
    Domains=~contoso.com
    

    Create /etc/systemd/resolved.conf.d/20-local.conf, setting the default external DNS servers as appropriate:

    [Resolve]
    DNS=1.1.1.1 9.9.9.9
    

    Reload the network and check the resolver

    systemctl restart systemd-networkd
    # also restart systemd-resolved so the resolved.conf.d change takes effect
    systemctl restart systemd-resolved
    resolvectl status
    

    You should see that queries for your AD-controlled domain go to your Domain Controller, and everything else goes to 1.1.1.1 and/or 9.9.9.9.

  • dnsmasq.conf

    Edit /etc/dnsmasq.conf setting the following values appropriately:

    # Global nameservers
    server=1.1.1.1
    server=9.9.9.9
    
    # Domain-specific nameserver (forward and reverse)
    server=/contoso.com/10.0.0.1
    # Reverse zone for the DC's whole 10.0.0.0/24 subnet
    # (1.0.0.10.in-addr.arpa would match only the single address 10.0.0.1)
    server=/0.0.10.in-addr.arpa/10.0.0.1
    

    Restart dnsmasq

Answered By: Chris Davies
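As an added example (not part of the answer or of dnsmasq itself), here is a small Python script that parses dnsmasq server= lines like those above and reports which upstream a given name would be sent to, following dnsmasq's longest-suffix rule; audit() flags the three misconfigurations the answer warns about (the AD domain going to external resolvers, the DC doubling as a global resolver so it also carries external traffic, and reverse lookups leaking). The sample configuration, contoso.com and 10.0.0.1 are constructed placeholder values.

```python
import ipaddress

SAMPLE_DNSMASQ_CONF = """
# Constructed sample: the dnsmasq lines from the answer above
server=1.1.1.1
server=9.9.9.9
server=/contoso.com/10.0.0.1
server=/0.0.10.in-addr.arpa/10.0.0.1
"""

def parse_dnsmasq_servers(text):
    """Parse server= lines into (global_servers, {domain: [servers]})."""
    globals_, per_domain = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("server="):      # skips comments and blanks
            continue
        value = line[len("server="):]
        if not value.startswith("/"):
            globals_.append(value)              # plain upstream for everything
            continue
        *domains, server = value.split("/")[1:]  # server=/dom1/dom2/ip
        for dom in domains:
            per_domain.setdefault(dom.lower().rstrip("."), []).append(server)
    return globals_, per_domain

def upstream_for(name, globals_, per_domain):
    """Choose upstreams as dnsmasq does: the longest configured domain suffix
    wins ('#' as the server means 'use the globals'); no match -> globals."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        servers = per_domain.get(".".join(labels[i:]))
        if servers is not None:
            return list(globals_) if servers == ["#"] else list(servers)
    return list(globals_)

def audit(ad_domain, dc_ip, globals_, per_domain):
    """List the misconfigurations the answer warns about; [] means sane."""
    problems = []
    if dc_ip not in upstream_for(ad_domain, globals_, per_domain):
        problems.append(f"{ad_domain} goes to external servers: expect NXDOMAIN")
    if dc_ip in globals_:
        problems.append(f"{dc_ip} is a global server: it also gets external queries")
    rev = ipaddress.ip_address(dc_ip).reverse_pointer   # 1.0.0.10.in-addr.arpa
    if dc_ip not in upstream_for(rev, globals_, per_domain):
        problems.append(f"reverse lookups for {dc_ip} go to external servers")
    return problems

if __name__ == "__main__":
    g, p = parse_dnsmasq_servers(SAMPLE_DNSMASQ_CONF)
    for q in ("dc1.contoso.com", "www.bbc.co.uk", "1.0.0.10.in-addr.arpa"):
        print(q, "->", upstream_for(q, g, p))
    print("audit:", audit("contoso.com", "10.0.0.1", g, p))
```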