
The problem:
LAN client computers ping remote.mydomain.com and it resolves to our static WAN IP address. It should resolve to our server's local LAN IP address.

The Details: We have a total of one server which is running SBS 2008 on some pretty fast hardware (can describe it if necessary). I've entered some local DNS zone A records so that users can use Outlook Web Access seamlessly whether they are on the LAN or outside the LAN. These DNS records include remote.mydomain.com and outlook.mydomain.com. Two domains is not necessary but the latter is easier for users to remember when accessing OWA.

I've also configured our SBS 2008 DHCP Server so that client computers get three DNS server IP Addresses as follows:

192.168.1.10 (our SBS server)
208.67.222.222 (OpenDNS)
208.67.220.200 (OpenDNS)

The reason I have it configured this way is so that clients will still be able to access the Internet in the rare event that our server is not operational.

I think the problem is that SBS 2008 doesn't respond quite fast enough to DNS queries, so the clients go on to query OpenDNS instead, which hands back an address that is only correct if they are outside the LAN.

FYI, we are using a SonicWall TZ-210 router.

I'm looking for any suggestions on how I might ensure that LAN client computers can access OWA on our LAN without having to disable the "backup" DNS server addresses that I've configured via DHCP.

HK1

3 Answers


The "backup" DNS server addresses aren't a good idea and are the root of your problem. You could play games with a packet-filtering firewall to attempt to "work around" but you'd be better off only using the domain controller as the DNS server for your clients.

In general, you shouldn't ever specify DNS servers on Active Directory clients that aren't capable of resolving the AD domain's DNS records. You're going to get non-deterministic performance of logons, Group Policy, and/or Domain DFS roots in some cases with that kind of configuration. The clients rely heavily on DNS to make the "right decisions" re: working with Active Directory.

Specify only the AD DNS server for your clients and all will be well. If you're concerned about DNS being "down" then bring up a secondary domain controller and install the DNS Server role on it. (Having a second DC is a cheap insurance policy, anyway, and not a bad thing to have. In my experience, though, having the SBS server's DNS "down" probably means that you're having a lot larger problems than clients being able to browse web sites.)

Evan Anderson

Since you're using outside DNS servers in addition to internal ones, clients might decide to cycle DNS queries to all configured servers. When you try to resolve mydomain.com, these outside DNS servers provide your WAN link as a response. Then these local machines cache the response.

I think it's a nice idea to have outside DNS servers just in case the server goes down, but realistically, if the server is down you've got bigger issues than whether or not everyone can get to the internet.

Timothy
  • Well, yes, I agree but in the past I found that users wrung their hands even more if they couldn't at least access the web, especially since it wasn't technically down. Our server has been rock solid for almost a year now (that's when we purchased and installed it) so I guess I really don't anticipate anything in the near future but I do like to mitigate the possibility for excess user frustration when possible. – HK1 Aug 15 '11 at 18:17
  • I'm not too clear on the abilities of the SonicWall router, but you might be able to have that act as a backup DNS / DHCP server. Then, if the box goes down you could have everyone pull settings from that. Remember to keep DHCP on the SonicWall disabled till you need it though -- two active DHCP servers on the same network will fight each other to the death. – Timothy Aug 15 '11 at 18:20
  • Getting a little off the topic but you can actually run two DHCP servers on the same network at the same time. You just have to make sure they hand out addresses in different ranges. This is MS's recommended configuration for having two Windows DHCP servers on the same network. I've actually tried it and it does work quite well. The fastest machine just ends up handling all of the DHCP requests unless it's offline of course. – HK1 Aug 15 '11 at 18:45

From my testing with my Windows 7 box, if the preferred name server doesn't return a response in 1 second, it moves on to the next one in line. It won't retry the one it didn't get a response from, sticking to the one it got a response from. So, having this split DNS as you have it will only cause problems because if your LAN systems ever fail over to the public DNS servers, you'll have a hard time getting them back to the LAN DNS. Get another box to do DNS internally if you're really concerned about having a single point of failure. This could easily be done with a cheap linux box running BIND as a slave.

DandyPandy
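The following is an added model of the failure mode the three answers describe; it is not code from the question or from any answer. The resolver class encodes the client behaviour DandyPandy reports from testing (wait about one second for the preferred server, move on to the next one, then keep using the server that answered) together with the answer caching Timothy mentions. That behaviour is taken from the thread, not from a Windows specification. Server latencies, TTLs and the WAN address 203.0.113.10 (a documentation range) are constructed for the example; the function `servers_answering_public` is the check a LAN admin would run over the DHCP-issued DNS list: for a split-horizon name such as remote.mydomain.com it should come back empty.

```python
"""Model of split-DNS fallback on a client with mixed internal/public resolvers."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FakeDnsServer:
    """A DNS server with a fixed answer latency and static A records (constructed)."""
    address: str
    latency_s: float
    records: Dict[str, Tuple[str, int]]  # name -> (A record, TTL in seconds)

    def query(self, name: str) -> Optional[Tuple[str, int]]:
        return self.records.get(name.lower())


class StickyResolver:
    """Client resolver as described in the thread (an assumption, not a spec):
    - ask the currently preferred server; if it exceeds TIMEOUT_S, try the next one;
    - whichever server answers becomes the preferred server for later queries;
    - positive answers are cached until their TTL expires.
    """
    TIMEOUT_S = 1.0

    def __init__(self, servers: List[FakeDnsServer]):
        self.servers = servers
        self.preferred = 0
        # name -> (ip, expiry time, server that answered)
        self.cache: Dict[str, Tuple[str, float, str]] = {}

    def resolve(self, name: str, now: float) -> Tuple[str, str]:
        """Return (ip, source) where source is 'cache' or the answering server."""
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], "cache"
        order = list(range(self.preferred, len(self.servers))) + list(range(0, self.preferred))
        for idx in order:
            srv = self.servers[idx]
            if srv.latency_s > self.TIMEOUT_S:
                continue  # timed out: fall through to the next configured server
            answer = srv.query(name)
            if answer is None:
                continue
            ip, ttl = answer
            self.cache[name] = (ip, now + ttl, srv.address)
            self.preferred = idx  # stick with the server that answered
            return ip, srv.address
        raise LookupError(f"no configured server answered for {name}")


def servers_answering_public(servers: List[FakeDnsServer], name: str) -> List[str]:
    """Addresses of configured servers whose A record for `name` is not RFC 1918.
    For a split-horizon name handed to LAN clients this list should be empty."""
    bad = []
    for srv in servers:
        ans = srv.query(name)
        if ans and not any(ipaddress.ip_address(ans[0]) in n for n in PRIVATE_NETS):
            bad.append(srv.address)
    return bad


def demo() -> List[Tuple[float, str, str]]:
    """Timeline of (time, ip, source) for the configuration in the question."""
    name = "remote.mydomain.com"
    sbs = FakeDnsServer("192.168.1.10", latency_s=1.5,       # slow SBS box (constructed)
                        records={name: ("192.168.1.10", 3600)})
    opendns = FakeDnsServer("208.67.222.222", latency_s=0.03,
                            records={name: ("203.0.113.10", 3600)})  # WAN address
    client = StickyResolver([sbs, opendns])
    timeline = []
    # t=0: SBS exceeds the timeout, client falls through to OpenDNS, learns the WAN IP
    timeline.append((0.0,) + client.resolve(name, now=0.0))
    # t=5: SBS is fast again, but the WAN answer is still cached
    sbs.latency_s = 0.02
    timeline.append((5.0,) + client.resolve(name, now=5.0))
    # t=3601: cache expired; the client still asks the server that last answered
    timeline.append((3601.0,) + client.resolve(name, now=3601.0))
    return timeline


if __name__ == "__main__":
    for t, ip, source in demo():
        print(f"t={t:>7.1f}s  {ip:<15} from {source}")
    print("servers returning a public address:",
          servers_answering_public(demo.__globals__ and [], "remote.mydomain.com"))
```

The timeline shows why removing the public servers from DHCP is the fix rather than tuning anything on the firewall: one slow response from the SBS box is enough for a client to learn the WAN address, cache it, and keep preferring the server that gave it even after the SBS box recovers.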