
Active Directory Domain Services - Reverse Lookup Zone

NTDaws

Hi.

 

Is it possible to connect to a domain without using a forward and reverse DNS lookup zone?

In general, not use DNS at all?

Thanks.

The geek himself.


If I understand your question correctly then yes. You get the IP address of the website and it skips the DNS lookup. Theoretically it'd eliminate the need for a DNS server, but it's common for website addresses to change, so often DDNS services are used to associate a domain with a constantly changing IP. If I recall correctly you can get the current IPv4 of a website via CMD with the nslookup function.


3 minutes ago, Windows7ge said:

If I understand your question correctly then yes. You get the IP address of the website and it skips the DNS lookup. Theoretically it'd eliminate the need for a DNS server, but it's common for website addresses to change, so often DDNS services are used to associate a domain with a constantly changing IP. If I recall correctly you can get the current IPv4 of a website via CMD with the nslookup function.

Let me rephrase. Active Directory Domain.

The geek himself.


2 minutes ago, Being Delirious said:

Let me rephrase. Active Directory Domain.

Ah, Active Directory. Cannot help. I have no experience with it.

@leadeater might be able to answer that.


1 hour ago, Being Delirious said:

Hi.

 

Is it possible to connect to a domain without using a forward and reverse DNS lookup zone?

In general, not use DNS at all?

Thanks.

 

1 hour ago, Being Delirious said:

Let me rephrase. Active Directory Domain.

Not for Active Directory, no; it requires DNS to work, as it uses special SRV records for key functionality. You only need a forward lookup zone, though.


As Leadeater just pointed out... in order to run AD you need a DNS server, as it serves as the location mechanism for the domain controllers. So without it the machines on the domain would be unable to obtain the IP addresses needed to function.


26 minutes ago, leadeater said:

 

Not for Active Directory, no; it requires DNS to work, as it uses special SRV records for key functionality. You only need a forward lookup zone, though.

Is there any reason why my computers won't connect even though I have DNS and a forward lookup zone set up? The computers are connected to the DNS.

The geek himself.


17 minutes ago, Being Delirious said:

Is there any reason why my computers won't connect even though I have DNS and a forward lookup zone set up? The computers are connected to the DNS.

The AD service auto-configures a DNS server for you. Did you put your AD IP as your primary DNS on your computers? Are your AD and computer(s) on different subnets?


Are you trying to connect to the domain controller or are you trying to put in the DNS? Sounds like you are putting the DNS in, then again it has been a hell of a day so I might be reading it wrong.


40 minutes ago, Mikensan said:

The AD service auto-configures a DNS server for you. Did you put your AD IP as your primary DNS on your computers? Are your AD and computer(s) on different subnets?

I put the end in, then I try to connect to the AD

The geek himself.


44 minutes ago, Being Delirious said:

I put the end in, then I try to connect to the AD

I don't quite understand what you mean "put the end in."


5 minutes ago, Mikensan said:

I don't quite understand what you mean "put the end in."

DNS

The geek himself.


3 hours ago, Being Delirious said:

DNS

Can you post a screenshot of the DNS console?


1 hour ago, Windspeed36 said:

Can you post a screenshot of the DNS console?

I am upgrading Windows Server so I can't at the moment.

The geek himself.


A Windows client using an AD DC / DNS server as its DNS server will successfully resolve everything on that domain. If they're on the same subnet with no firewall blocking, then you'll have zero problems connecting.

A quick test to do (which is not conclusive) is to simply run the following on the client:

"nslookup domain.local"

and check you are returned the IPs of the domain controllers.


18 hours ago, Being Delirious said:

DNS

Put the end of an IP, the end of a domain name, the end of a type of record, in the IPv4 settings or hosts file, or edited a DNS entry? I mean, I don't know what you did with "DNS" or on which computer/server. There are a lot of things you can edit or do related to DNS.


AFAIK you always need some form of DNS server, as @leadeater said; SRV records aren't that special, but they describe the AD servers which serve your local "search domain" with additional services like basic LDAP, Kerberos etc. DNS on Windows Server has one advantage: as you add more machines to the domain, they are automatically added to DNS with records corresponding to their names, but the same thing can be done with the DHCP DDNS update function without anything related to AD.

 

If you can't or don't want to let your AD DNS server send DNS record update "notifications" to your other (non-AD) DNS server, you can grab all of the required DNS records from the %systemroot%\System32\config\netlogon.dns file and it will work without AD DNS being the main DNS for your network (it can even be disabled or blocked by a firewall or so...)

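The two posts above describe the same thing from two sides: kcmahon's "nslookup domain.local" check only proves the domain's A records resolve, while the records that actually let a client find a domain controller are the SRV records Netlogon writes to netlogon.dns. The script below is an added example for this thread, not code from any of the posters. It parses a constructed sample in the zone-file line format netlogon.dns uses (the domain corp.example, the DC names and the IPs are made up, and host A records for the DCs are included so the lookup can be followed end to end), reports which of a minimal set of locator SRV names are missing, and picks a DC the way RFC 2782 says to (lowest priority, then weighted choice). The list of "required" SRV names is my own minimum for a client joining a single domain, not a Microsoft-published list, and the weight selection is a simplified version of the RFC algorithm.

```python
"""Parse a netlogon.dns-style record dump and check the SRV records an AD client needs.

Added example for this thread, not any poster's code. The sample records are constructed:
corp.example, dc1/dc2 and the 10.0.0.x addresses are made up.
"""
import random
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample in the one-record-per-line zone-file style netlogon.dns uses. The host
# A records for dc1/dc2 are added here so the SRV target can be resolved offline.
SAMPLE_NETLOGON_DNS = """\
corp.example. 600 IN A 10.0.0.10
corp.example. 600 IN A 10.0.0.11
dc1.corp.example. 1200 IN A 10.0.0.10
dc2.corp.example. 1200 IN A 10.0.0.11
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 100 389 dc2.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kerberos._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kpasswd._tcp.corp.example. 600 IN SRV 0 100 464 dc1.corp.example.
_gc._tcp.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
"""


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA|SRV)\s+(?P<rdata>.+)$")


def parse_netlogon_dns(text):
    """Return {(owner_name, rtype): [rdata, ...]}; names are lower-cased, trailing dot kept."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record line: {line!r}")
        name, rtype, rdata = m["name"].lower(), m["type"], m["rdata"].split()
        if rtype == "SRV":
            prio, weight, port, target = rdata
            records[(name, rtype)].append(SrvRecord(int(prio), int(weight), int(port), target.lower()))
        else:
            records[(name, rtype)].append(rdata[0])
    return dict(records)


def required_srv_names(domain):
    """Assumed minimum set of locator SRV names a client needs to join and authenticate."""
    d = domain.rstrip(".").lower() + "."
    return [
        f"_ldap._tcp.dc._msdcs.{d}",      # DC locator: writable DCs for this domain
        f"_kerberos._tcp.dc._msdcs.{d}",  # KDCs on those DCs
        f"_ldap._tcp.{d}",
        f"_kerberos._tcp.{d}",
        f"_kpasswd._tcp.{d}",             # password changes
    ]


def missing_srv_records(records, domain):
    return [n for n in required_srv_names(domain) if (n, "SRV") not in records]


def select_srv_target(srv_records, rnd=None):
    """Simplified RFC 2782 pick: lowest priority wins, then a weighted random choice."""
    if not srv_records:
        raise LookupError("no SRV records")
    rnd = random.random if rnd is None else rnd      # injectable for deterministic tests
    best = min(r.priority for r in srv_records)
    pool = [r for r in srv_records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return pool[0]
    threshold = rnd() * total                        # rnd() in [0, 1) -> [0, total)
    running = 0
    for r in pool:
        running += r.weight
        if threshold < running:
            return r
    return pool[-1]


def locate_dc(records, domain, rnd=None):
    """Return (hostname, port, [ip, ...]) for a writable DC reachable over LDAP."""
    name = f"_ldap._tcp.dc._msdcs.{domain.rstrip('.').lower()}."
    srv = records.get((name, "SRV"))
    if not srv:
        raise LookupError(f"{name} not found: the client cannot locate a DC")
    chosen = select_srv_target(srv, rnd)
    return chosen.target, chosen.port, records.get((chosen.target, "A"), [])


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    print("missing locator records:", missing_srv_records(recs, "corp.example") or "none")
    print("chosen DC:", locate_dc(recs, "corp.example"))
```

Feeding the real file from a DC into parse_netlogon_dns is the quickest way to see what a non-AD DNS server has to carry; if missing_srv_records comes back non-empty for the client's domain, a join will fail no matter how cleanly "nslookup domain.local" answers.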

41 minutes ago, iJarda said:

If you can't or don't want to let your AD DNS server send DNS record update "notifications" to your other (non-AD) DNS server, you can grab all of the required DNS records from the %systemroot%\System32\config\netlogon.dns file and it will work without AD DNS being the main DNS for your network (it can even be disabled or blocked by a firewall or so...)

Yea, we actually use Linux servers for DNS even though we are a heavily Microsoft server place; same with DHCP.


8 minutes ago, leadeater said:

Yea, we actually use Linux servers for DNS even though we are a heavily Microsoft server place; same with DHCP.

:D me (at home) and us (at work) too (mostly Linux, and AD just because end users want Windows...). AFAIK MS DHCP and DNS cannot be easily used with any kind of API or something like that.


4 minutes ago, iJarda said:

AFAIK MS DHCP and DNS cannot be easily used with any kind of API or something like that.

Current versions can, well, with PowerShell, but we've been running the Linux DNS/DHCP setup since the 90s and there's no big reason to change really. There are annoying things like MS clustering services that really, really want to be using an MS DNS server and to push DNS updates themselves, but you can make BIND work with that, it's just a bit of a pain.

 

I also do like the newer MS DHCP split-scope feature.

 

Personally, in a mostly all-Windows environment now I would put in MS DNS/DHCP just to keep all the MS tie-in stuff happy and easier.


4 minutes ago, leadeater said:

Current versions can, well, with PowerShell, but we've been running the Linux DNS/DHCP setup since the 90s and there's no big reason to change really. There are annoying things like MS clustering services that really, really want to be using an MS DNS server and to push DNS updates themselves, but you can make BIND work with that, it's just a bit of a pain.

 

I also do like the newer MS DHCP split-scope feature.

 

Personally, in a mostly all-Windows environment now I would put in MS DNS/DHCP just to keep all the MS tie-in stuff happy and easier.

Yea, MS DHCP and ISC DHCPD are currently the only DHCP servers which have properly implemented failover as it is described in the RFC. Our network was, and partially still is, based on Linux firewalls which have been there for ages... and until a few years ago they did the ISC DHCP and BIND DNS authoritative/recursive combo as well. Then we moved the internal routing part and the DHCP and DNS forwarding/recursive part to Mikrotik routers - we heavily use their API for DHCP registrations in our custom web app (!! DISCLAIMER: you don't want it, Mikrotik is not reliable as DHCP, DNS, NTP etc... PM if anyone wants an explanation !!). We will be moving to Cisco L3 switches with stack redundancy and we are preparing and evaluating using ISC Kea DHCP - I really like it as it has native database backend support, which means it can be scaled to more than 2 DHCP servers and use anycast with DHCP relays and a clustered database backend (as Facebook uses it in their datacenters).


3 minutes ago, iJarda said:

DISCLAIMER you don't want it, Mikrotik is not reliable as DHCP, DNS, NTP

xD, I've always been rather dubious of lower-tier brands like them, even though they do actually make excellent products. Been burned by Ubnt EdgeRouters and a lack of, or badly implemented, high-end features, but to be fair they are cheap. I'd rather pay a higher price for something that works.


4 minutes ago, leadeater said:

xD, I've always been rather dubious of lower-tier brands like them, even though they do actually make excellent products. Been burned by Ubnt EdgeRouters and a lack of, or badly implemented, high-end features, but to be fair they are cheap. I'd rather pay a higher price for something that works.

Yes, they make excellent SOHO and WISP products, and even their CAPsMAN is great, but not for big deployments which require reliability. I don't know how much better the EdgeRouters are (they are just an even cleaner Linux based on Debian, just with a more "friendly" GUI), but as I have long experience with their UniFi products, it is one big piece of sh.. They have made excellent WISP products for a long time, then they decided to join the "enterprise" market by creating UniFi... we have been growing since 2013 from 40 APs to now almost 90 APs and I really wish to get rid of it... it is just like standalone OpenWRT SOHO APs with orchestration like Ansible/Puppet written in Java and central collecting of statistics with multiple minutes of delay :D so... also not recommended for big deployments. (Can also explain -> PM.) One thing that justifies that crap is that Robert Pera (Ubiquiti founder and CEO) says UniFi is an "enterprise-like" system. I wish their marketing department thought so.
