Trying to join servers (on remote VPNed network) to Active Directory without forwarding all DNS queries over the tunnel

Question

At our company, we have a coloc at a local datacenter (where we host our public Web Servers) and a Site-to-Site VPN set up between the coloc and our office. We would like to join the servers at the datacenter to our Active Directory.

If I understand correctly, domain joining relies heavily on DNS. I would not like to have the servers at the datacenter resolve their DNS queries across the tunnel to our internal DNS server as this would decrease DNS query performance (and also in cases where the tunnel is down).

Is it possible to have the servers resolve all DNS queries using public DNS servers (Google's, ISP's, etc…) except the ones that are internal to our company? Instead these would be forwarded across the tunnel to our internal DNS Server? Would I need to host a DNS server at the coloc to achieve this functionality? Or is there a simpler way to do this?

After all, is this the correct solution of how I should join our coloc network to our Active Directory?

What is the reason for you to want to join these servers to AD Domain? — iPath, Apr 09 '15 at 15:40
Centralizing user authentication to the server and also we need to set up SQL AlwaysOn which apparently needs the servers to be domain joined — Christopher Demicoli, Apr 10 '15 at 10:18

Daniel · Answer 1 · 2015-04-08T07:24:45.847

I do not recommend to join your productive web servers located in the data center to your site-local Active Directory Domain! If the link is down or the connection to your office is bad, you risk losing access to those servers!

You could configure DNS forwarding on your data center’s DNS server for your site-local Active Directory domain.

For example, let’s say your Active Directory domain is named example.local and the site-local Active Directory DNS server has the IP address 192.168.0.10. Go to your data center’s DNS server and configure a DNS forwarder for example.local to 192.168.0.10.

Whenever you address a computer in the example.local domain, your data center’s DNS server will forward the DNS request to your site-local Active Directory DNS server.

Now you will be able to join the domain. You might need to configure a domain suffix, if you’d like to omit the domain name and work only by using the host names. That means, that you need to ping server1.example.local, client1.example.com and also join example.local and not only ping server1 and server2 and join example.

score 0 · Answer 2 · answered Apr 08 '15 at 19:40

This is the kind of situation that Read-Only Domain Controllers are intended for. Since it's read-only, you would have to depend on your site-local DC to join the domain, but after that the RODC could handle logins for your colo servers. It would also handle read-only DNS, even when the tunnel goes down.

This feature requires Server 2008 or higher, with a domain functional level of 2003 or higher. (Hopefully that's not an issue, considering that Server 2003 is out of support in July.)

Trying to join servers (on remote VPNed network) to Active Directory without forwarding all DNS queries over the tunnel

2 Answers2