Configure DC & Firewall/ Router such that clients can use Internet even if DC is down?

Question

How do Windows domain clients behave if the DC is offline?

Read this and am getting some symptoms. Curious about the answer for this scenario.

When my Windows Server 2012 R2 Essentials is down, clients can't go on the internet. Is there a way that they could?

Read this but its for 2012 and talks about having a Windows server. Is this not possible to do in CONJUNCTION with a dedicated Firewall/ Router box.

Always a path to the internet even in Windows SBS is off

This link says its not a good idea, but.. Is there anyway to do a SEPARATION of CONCERNS? Let external requests be routed out and internal requests go to the DC?
Wondering if there's some part of this we can leverage:
Moving the DHCP/DNS services from a Windows server (Active Directory) to a Linux machine
Prevent / Throttle LAN clients using domain controller as gateway

SBS 2008/ Server 2008 DC Environment.

Originally DHCP was managed by DC, but now its been disabled.

We figured that if DHCP was handed off from the DC, domain clients could still carry on with their usual Internet/ Email activity via ISP connectivity.

But, for some reason when the DC is down, clients lose Net Access.

A dedicated Router/ Firewall box handles DHCP now. Let's say it uses 2 DNS entries:
ISP DNS 1 or Google DNS 1
ISP DNS 2 or Google DNS 2

Now, these Internet DNS will not understand or handle LAN / Local Domain DNS needs that the DC understands.

How should we configure the DC so that it works well (to service local domain DNSes) in co operation with the ISP / Google DNSes for external.

So, that even if the DCs are shut down clients can still access the Internet.

Could we configure them both such that External Internet requests continue forward via Router/ Firewall and ISP DNS (even if DC is down) while Internal Domain requests go to / via the DC.

Thoughts? Maybe use some kind of DNSMasq/ forward/ redirection from router/ firewall to the DC?

score 8 · Answer 1 · answered Jul 23 '16 at 00:01

8

You solve this by having more than one domain controller running DNS in your environment. A domain-joined client should use only domain controllers for DNS.

answered Jul 23 '16 at 00:01

MDMarra

100,183
32
195
326

We wish to not be dependent on DCs or Network level issues (DHCP/ DNS/ ISP) as the only purpose they serve is Occasional application of Updates & some policies. We wish to drive & control a lot of Network Level stuff from the Dedicated Firewall/ Router box which has lot of features. Can you share a Non DC related Alternative way? – ProBonoVolunteerAdmin Jul 23 '16 at 06:04
7

@ProBonoVolunteerAdmin You don't know what you're doing. And that's okay, but the answer you received here is kindly giving you the _best practice_ for this type of setup. Ignore at your peril. – ewwhite Jul 23 '16 at 12:58
2

`We wish to not be dependent on DCs or Network level issues (DHCP/ DNS/ ISP)` - Then get rid of your DC's, DHCP, DNS and ISP. – joeqwerty Jul 23 '16 at 19:16

score 4 · Answer 2 · answered Jul 23 '16 at 12:49

4

From your router (or whatever is handling DNS resolution), you can delegate queries for ad-related names, say all Those for the ad.example.com domain, to your domain controllers.

This would allow non-ad related names to still be resolved even if the domain controllers are down.

answered Jul 23 '16 at 12:49

EEAA

108,414
18
172
242

Interesting. Care to link/ detail on how one could do that? Some links & steps would help. – Alex S Jul 24 '16 at 12:27

score -1 · Answer 3 · answered Aug 19 '17 at 18:33

-1

If you're not using the features of the DC then get rid. DNS (if you don't fully understand it) is a nightmare and all of the 'pretty' boxes in the world won't help if you still have the DC online.

answered Aug 19 '17 at 18:33

PooterBloke

9

Configure DC & Firewall/ Router such that clients can use Internet even if DC is down?

3 Answers3