I have read Can I create a DC without a DNS Server?. But my question is a bit different.

I have one client in a completely different subnet from the DC. That client does not have access to the appropriate DNS structure for the domain, but can otherwise connect to the DC. I would like to tell that client "the DC for domain example.net is at dc1.site2.example.com". I have seen that this sort of thing is possible for Kerberos using `ksetup /addkdc`. Is there something like this for generic AD?

Elrond
    If your client machine doesn't have access to DNS, how do you expect it to resolve `dc1.site2.example.com` into an IP address? – HopelessN00b Jan 07 '15 at 19:41
    Can you create a forwarder for your AD domain on the DNS server at the remote site? For example, sitedomain.com redirects all requests for realdomain.com to the IP of the realdomain.com DC? – Linuxx Jan 07 '15 at 20:11
  • @HopelessN00b: It's a strange setup, I don't like it. But DNS for hostnames works from that client, just not the domain related stuff. Mostly because of stupid dns decisions. – Elrond Jan 07 '15 at 21:34
  • @Linuxx: I probably could do some tricky dns tunneling and stuff, yes. But I would prefer a client-local solution. – Elrond Jan 07 '15 at 21:36
  • Use a hosts file entry for the domain controller(s) it needs to know about? – HopelessN00b Jan 07 '15 at 21:40
  • There is no tunneling or trick involved. It's simply telling the DNS server at the remote site how to resolve names for the target/desired domain. I use forwarders all the time, and they are native to Windows DNS. I would assume there is IP connectivity from the remote site to the desired site. Perhaps your question is too vague? Is there a site-to-site VPN? Is the client using VPN software locally to connect to the desired site? Perhaps you have the VPN software/concentrator mis-configured. – Linuxx Jan 07 '15 at 21:43
  • Active Directory bundles DNS, LDAP and Kerberos together - if you could get the host authenticated I'm not sure what issues you'll run into if the client can't resolve the domain's DNS. You could try adding the DC's IP address to %systemroot%\system32\drivers\etc\hosts and using a Kerberos command to get authorization, but Windows expects SRV DNS records to function and I don't expect the setup to be functional in that state. – Andy Jan 07 '15 at 21:56
  • You can use the #PRE and #DOM tags in the LMHOSTS file on the client to preload the NetBIOS name of the DC in the NetBIOS name cache of the client. I'm not aware of a similar method for use with the Hosts file. – joeqwerty Jan 07 '15 at 21:57
  • @Linuxx: This is a stupid setup, yes. I can either try to workaround locally on the client, or use hours and hours to convince admins on the main site to fix dns. Or implement my own faked dns that provides the needed entries to that one client. I had the hope to avoid any of that. – Elrond Jan 07 '15 at 22:31
  • @joeqwerty: Right, one would need something to preload a few srv records. – Elrond Jan 07 '15 at 22:32
  • It seems like you are shopping for a specific answer. Without a better idea of what the domain structure is, and ip connectivity, there is no way to give you a better answer. From all the information you have provided, it seems like forwarders at the remote site would work. "It's a weird setup" doesn't give enough info. – Linuxx Jan 07 '15 at 22:55
  • @Linuxx: It's using a broken split horizon setup. I have no idea, why and what. I am shopping for something a la lmhosts/#DOM/#PRE just for AD. But that shopping item does not seem to exist, it seems. So I am likely going for a lengthy fix-that-dns-crappiness. – Elrond Jan 07 '15 at 23:11

1 Answer

Split horizon, or dual DNS zones, still leaves a large amount of ambiguity. If you have Microsoft DNS servers on both sides, each hosting their own AD (or one side hosting AD, and the remote branch with a Windows DNS server), you can specify conditional DNS forwarders in the remote branch DNS server. It will forward all requests (A, AAAA, SRV, PTR, etc.) for said domain example.net to the DNS server at the specified IP.

Think of conditional forwarders as "overrides" for DNS domains.

From this video, think of the 192.168.2.2 DNS server as your remote site DNS server, and the ISP DNS as your example.net DNS server. It will forward all requests for said domain.

Linuxx
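The conditional forwarder the answer describes, as an added example that is not part of the original answer. It configures the forwarder on the remote site's Windows DNS server and then checks that the AD locator SRV records (the ones the DC locator needs, per the comments above) actually resolve through it. The domain name example.net comes from the question; the forwarder target addresses 10.10.0.10 and 10.10.0.11 are hypothetical and stand in for the DNS servers that are authoritative for example.net on the main site.

```powershell
# Added example, not from the original answer.
# Assumptions: this runs in an elevated PowerShell on the remote site's Windows DNS
# server (DnsServer module present), the AD domain is example.net, and the main-site
# DNS servers authoritative for it are reachable at 10.10.0.10 / 10.10.0.11
# (hypothetical addresses) over the site-to-site link on UDP/TCP 53.

$AdDomain     = 'example.net'
$AdDnsServers = @('10.10.0.10', '10.10.0.11')   # hypothetical: DNS servers for example.net

# 1. Create the conditional forwarder. Every query whose name falls under example.net
#    (A, AAAA, SRV, PTR, ...) is sent to these servers instead of the normal forwarders
#    or root hints, which is the "override" the answer describes.
if (-not (Get-DnsServerZone -Name $AdDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $AdDomain `
                                          -MasterServers $AdDnsServers `
                                          -ForwarderTimeout 5
    "Conditional forwarder for $AdDomain -> $($AdDnsServers -join ', ') created."
} else {
    "A zone or forwarder for $AdDomain already exists on this server; not touching it."
}

# 2. Verify on the DNS server itself that the AD locator records now resolve.
#    These are the SRV names the Windows DC locator queries; if they fail here, the
#    client will fail too no matter what it has in hosts/LMHOSTS.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$AdDomain",        # DC locator (LDAP)
    "_kerberos._tcp.dc._msdcs.$AdDomain",    # KDC locator
    "_gc._tcp.$AdDomain"                     # global catalog
)
foreach ($name in $srvNames) {
    $recs = Resolve-DnsName -Name $name -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
    if ($recs) {
        "$name -> " + (($recs | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ')
    } else {
        "$name -> NOT RESOLVED: check the forwarder targets and that port 53 is open to them"
    }
}

# 3. On the client that uses this DNS server, confirm the DC locator is happy.
#    Flush the client cache first so an earlier negative answer does not mask the fix:
#      Clear-DnsClientCache
#      nltest /dsgetdc:example.net /force
#    Expected: a DC name for example.net with flags such as DS, LDAP and KDC in the output.
```

Two things worth keeping in mind with this approach. The forwarder target is plain DNS from the client's point of view, and it decides which hosts the client will send Kerberos and LDAP traffic to, so only point it at servers you control and reach them over the private link, not across the Internet. And the forwarder only helps if the remote DNS server really is the one the client queries; if the client's resolver settings point elsewhere, the SRV lookups in step 2 will succeed on the server while the client still cannot find a DC.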