AD with mikrotik

Hi, everyone.
Got a little issue and would want help.
Is there a possibility to redirect clients' DNS queries to a Zentyal server domain in the same network,
so clients can log in a session or even join that domain?
Just the client having the MikroTik IP in the DNS field as its DNS.

Thanks!

We have 3 subnets

192.168.0.0/24 Domain server and MikroTik are here
192.168.1.0/24
192.168.2.0/24

I would want any PC from any subnet to be able to join the server domain and log in domain users.
Client AD DNS query redirection using MikroTik: is it possible?
Like I said, the client DNS field has only the MikroTik IP.

You must redirect them?
The easy way is just to provide the AD DNS in the DHCP server (which can be on M$ or MikroTik).
In the existing DHCP server you can add DHCP option 6 and provide other DNS servers for known users (static entry).

Are you speaking about NAT forwarding? dst-nat.
I saw some explanations about marking AD DNS packets and redirecting them to the domain server.
But not really a success.

??
Give clear information:

  • Who does the DHCP server in your network? MikroTik router or Windows.
  • Are those 3x subnets on the same Layer 2 (one DHCP server) or on different VLANs, where each can have its own separate DHCP server?
  • Why do you think about redirecting DNS and not just try using the DHCP server or option 6 for a static entry?
  1. MikroTik does the DHCP server

  2. The 3 subnets are configured as:

eth1 = subnet 1, MikroTik: 192.168.0.100 gateway and DNS in client entry, 192.168.0.101: domain server
eth2 = subnet 2, MikroTik: 192.168.1.100 gateway and DNS in client entry
eth3 = subnet 3, MikroTik: 192.168.2.100 gateway and DNS in client entry
Each with its own DHCP server, so 3.

So, on each subnet, any PC can join the domain and log in domain users.

So, on each subnet, any PC can join the domain and log in domain users.

This is because in the three DHCP servers you provide the same AD DNS server = 192.168.0.101, and even a user from eth3 with 192.168.2.x uses 192.168.0.101 as their main DNS?

Next is your main question I think, this one:

Is there a possibility to redirect clients' DNS queries to a Zentyal server domain in the same network,
so clients can log in a session or even join that domain?

This means you have got TWO DNS systems in the same subnet and are trying "to redirect clients' DNS queries"?

You see, you did not describe your situation properly, and that's why I must guess what you are trying to do and in what situation.

The best way is to use DNS=192.168.0.101 inside all three subnets. PCs can still join the AD domain.
Next you can use the DNS on the AD domain host and provide other/next DNS servers through the feature known as "DNS forwarders", where you can enter the Zentyal / PiHole / external DNS.
I think this is the proper answer for you. Users always ask your AD DNS, which is like a proxy: if it does not know a DNS entry it asks the DNS forwarders and gives the answer to the user, who uses only one DNS.

If my answer is wrong then please explain why and provide more information.

Okay,

PC1 subnet1
ip:192.168.0.2
mask:255.255.255.0
gateway:192.168.0.100(mikrotik ip) eth1
dns : 192.168.0.100(mikrotik IP) eth1 (internet )

PC1 subnet2
ip:192.168.1.2
mask:255.255.255.0
gateway:192.168.1.100(mikrotik ip) eth2
dns : 192.168.1.100(mikrotik IP) eth2 (internet )

PC1 subnet3
ip:192.168.2.2
mask:255.255.255.0
gateway:192.168.2.100(mikrotik ip) eth3
dns : 192.168.2.100(mikrotik IP) eth3 (internet )

They're all in different networks.
Each PC has to be able to join the server domain (the domain server IP is not in the client entry), which is not possible right now, and to log in domain users.
That is the issue.

OK, so in each DHCP server you provide the DNS on MikroTik instead of 192.168.0.101.
Then all subnets ask MikroTik, as their DNS server, to resolve any name.

Solution 1: set up in each DHCP server \ Network \ DNS Server: 192.168.0.101
Solution 2: enable DNS on MikroTik and tell it to ask 192.168.0.101 about all entries, AND block asking from the WAN.

/ip dns set allow-remote-requests=yes servers=192.168.0.101
/ip firewall filter add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp comment="no DNS from WAN (udp)"
/ip firewall filter add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp comment="no DNS from WAN (tcp); without this the router is still an open resolver over TCP"

Solution 3: stupid and very stupid. Just do DNAT in the firewall of all incoming 53/udp to MikroTik and redirect it to 192.168.0.101, but this is so stupid and I don't know why you think about this way.

/ip firewall nat add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp to-addresses=192.168.0.101 comment="Stupid DNAT DNS"

I just need only the DNS queries from clients concerning AD to go to the domain server 192.168.0.101; the others go to MikroTik (internet DNS resolution).
Packet matching with layer7 protocol: is it possible to do so?

@mktkRB
If those clients are Windows 10 machines you can use Name Resolution Policy (https://docs.microsoft.com/en-us/powershell/module/dnsclient/set-dnsclientnrptrule?view=win10-ps) to make clients use different DNS server(s) for different namespaces (subdomains).
It can also be done with Group Policy.

Why can't you set all users to the AD DNS, which will have a DNS forwarder? This is the normal way to do this.
When you divide your users between TWO different AD DNS servers then you must use static DHCP leases with their own DNS for each user (DHCP option 6).

Using L7 to send some queries to a different server is possible too:

http://forum.mikrotik.com/t/feature-request-per-domain-forwarding-in-dns/22672/3

It’s very far from perfect, but sometimes it’s possible to live with it.
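The split that the last two posts (and the earlier "only AD queries to 192.168.0.101" question) are after can be seen concretely in a small conditional DNS forwarder. This is an added example, not code from the thread, from MikroTik or from Microsoft; it assumes an AD domain name of `corp.example` and that the router's own resolver is reachable at 192.168.0.100 (neither is stated in the thread; 192.168.0.101 as the AD DNS is). It also shows the wire form of a query name, which is what any layer7 regex on the router actually sees: a join or logon needs SRV records such as `_ldap._tcp.dc._msdcs.corp.example`, so matching on the label-encoded zone suffix `\x04corp\x07example\x00` catches them, while matching on the dotted string `corp.example` would not.

```python
"""Conditional DNS forwarder (UDP only): AD names -> AD DNS, the rest -> router resolver.

Added example. Assumptions not taken from the thread: AD zone 'corp.example',
router resolver at 192.168.0.100. 192.168.0.101 is the AD DNS named in the thread.
"""
import socket
import struct

AD_DNS = ("192.168.0.101", 53)        # domain controller / AD DNS (from the thread)
INTERNET_DNS = ("192.168.0.100", 53)  # router's own resolver (assumption)
AD_ZONES = ("corp.example",)          # assumed AD DNS domain name(s)


def encode_qname(name):
    """Encode a dotted name as DNS wire-format labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query (qtype 1 = A, 33 = SRV)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_qname(packet):
    """Return the lowercase question name of a DNS query, or None if malformed."""
    if len(packet) < 12 or packet[2] & 0x80:  # too short, or QR bit set (a response)
        return None
    if struct.unpack("!H", packet[4:6])[0] != 1:  # exactly one question expected
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            return None
        if pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):  # QTYPE + QCLASS must follow
        return None
    return ".".join(labels)


def choose_upstream(qname):
    """AD zone itself and anything under it (incl. _msdcs SRV records) -> AD DNS."""
    for zone in AD_ZONES:
        if qname == zone or qname.endswith("." + zone):
            return AD_DNS
    return INTERNET_DNS


def relay(packet, timeout=2.0):
    """Forward one query to the chosen upstream and return the raw response."""
    qname = parse_qname(packet)
    if qname is None:
        return None  # drop junk rather than forward it anywhere
    upstream = choose_upstream(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, upstream)
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def serve(listen=("192.168.0.100", 53)):
    """Listen on a LAN address only; binding 0.0.0.0 would make this an open resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            packet, client = srv.recvfrom(4096)
            reply = relay(packet)
            if reply is not None:
                srv.sendto(reply, client)


if __name__ == "__main__":
    print(encode_qname("_ldap._tcp.dc._msdcs.corp.example"))
    serve()
```

The same caveat as with Solution 2 above applies: whatever does the forwarding must only accept queries from the LAN interfaces, and the router rules in the thread only cover UDP, so TCP 53 needs its own rule if the resolver also answers on TCP.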