DNS failed when joining a host to the AD DC

Hello.
I configured an RB4011 DNS server using the Google DNS servers 8.8.8.8 & 8.8.4.4, and I have in my network a server configured as an Active Directory domain with a DNS server. The RB and the server are in the same subnet.
I joined a host to the domain by adding the IP address of the server as the primary DNS, but the host lost its connection to the internet. To get around this I set the server's IP as DNS while joining the host, then switched DNS back to automatic to reach the internet. I know this isn’t a suitable solution, especially since I need to create roaming profiles in the near future. So what should I do to resolve this problem in the proper way?

Normally your AD server's DNS service should forward requests to the RB4011 or to public (8.8.8.8) DNS servers.

Both paths are possible with forwarders defined:
AD DNS → RB4011 → public DNS
RB4011 → AD DNS → public DNS (though an AD DNS server with a direct link to the internet is a risk)

The problem is that the DNS client normally does not scan multiple DNS servers to find the answer. The first DNS server that is responsive (even with a “not found” answer) will be the only DNS server used.
You could give a list of multiple DNS servers via DHCP (AD server, RB4011, 8.8.8.8), but it might not help.
With a full-function DNS server at the internet gateway, one could “delegate” all requests for the own domain to the AD DNS server (or have a secondary zone for that domain on the gateway).
Not possible with MT DNS (AFAIK).

EDIT: learned further in this thread (@sob) that “delegate” is done with the FWD entry. So that is possible.

Thanks for your reply.

I went deeply through this error on the AD DC side and found that the server FQDN is unable to resolve. Any suggestion in this case?

It seems something is wrong with your AD configuration. Fix that first.
First, it is recommended to use the Windows DHCP server in a Windows AD network. If you are using a third-party DHCP server, such as MikroTik, you should hand out internal DNS servers to clients, not MikroTik or another third-party DNS. A commonly seen mistake is to use Google or other external DNS servers as fallback DNS.
Second, on the internal Windows DNS servers, configure forwarding to external DNS servers (ISP, Google, your MikroTik router, as you wish), as @bpwl already said.
Also, the network config on AD DCs should point DNS to internal DNS servers only; no third-party DNS there.

Before anything, thank you @bpwl & @karlisi for your effective replies.

I solved my issue based on your replies with the following:
1- Add the RB IP address as the primary DNS server, then the Google DNS addresses, like this: (192.168.xx.254, 8.8.8.8, 8.8.4.4).
2- Check the (Allow Remote Requests) checkbox.

After ensuring these 2 points the AD gets replies from the RB and vice versa.

Be careful with mixing public and private resolvers; it may seem to work, but it doesn’t. Sooner or later a query for an internal name will be sent to a public resolver, which of course can’t resolve it, and worse, it will say that it doesn’t exist at all, so the client won’t ask anywhere else. If you do the mixing on the host, it will result in temporary failure for that one host. If you do it on the cache, it will affect all clients.

You have two options:

a) If you depend on the AD domain a lot, all clients should get only AD servers as DNS resolvers.
b) If you mainly need internet access and can live without the AD domain temporarily, you can give clients the router as resolver and include the AD domain using a FWD record in the router’s static records.
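As an added example (not posted by anyone in this thread), here is what karlisi's advice on DHCP-assigned DNS and sob's two options look like as RouterOS 7 commands, with the mixed-resolver setup the thread warns against shown for contrast. Assumed: the AD domain is `corp.example` (placeholder), the AD DNS is 192.168.88.243 and the router is 192.168.88.254 as given later in the thread, and the WAN interface is in an interface list named `WAN`.

```routeros
# Added example, not from the thread. Assumes AD domain "corp.example" (placeholder),
# AD DNS at 192.168.88.243, router at 192.168.88.254, WAN interfaces in list "WAN".

# --- What NOT to do: clients get a mixed list (AD, router, public). Whichever
# resolver answers first wins; a corp.example lookup that lands on 8.8.8.8 returns
# NXDOMAIN and the client treats that as final instead of trying the AD server.
# /ip dhcp-server network set [find address=192.168.88.0/24] \
#     dns-server=192.168.88.243,192.168.88.254,8.8.8.8

# --- Option a) clients receive only the AD DNS; the router does not resolve for them.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.243

# --- Option b) clients receive the router; the router forwards only the AD zones to the DC
# and everything else to public resolvers.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.254
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
# Forward the AD domain and all its subdomains (the _msdcs/_ldap SRV names live there).
/ip dns static add type=FWD name=corp.example match-subdomain=yes forward-to=192.168.88.243
# Reverse lookups for the LAN subnet should also be answered by the DC.
/ip dns static add type=FWD name=88.168.192.in-addr.arpa match-subdomain=yes \
    forward-to=192.168.88.243

# allow-remote-requests=yes makes the router answer DNS on every interface, so drop
# DNS arriving from the WAN side (place these before any rule that accepts WAN input).
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop

# Check from the router: an internal name must resolve via the router, not return NXDOMAIN.
# (dc1.corp.example is a placeholder host name.)
:put [:resolve dc1.corp.example server=192.168.88.254]
```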

Did you mean that I should uncheck (Allow Remote Requests)?
If yes, do you suggest that I use a secure open DNS like Cisco Umbrella… or drop this kind of idea entirely and work with the old configuration? That means the host joins the AD domain using the AD DNS, then after joining goes back to obtaining DNS automatically to reach the internet (that’s my old configuration).
Logically, is that right?

Client PC → AD DNS → RB4011 → public DNS

is OK.

The client always uses AD DNS, AD DNS asks the RB4011, and the RB4011 asks public DNS.

But: a client having AD DNS, RB4011 DNS and public DNS in its DNS list will give unpredictable outcomes.

Be careful with mixing public and private resolvers, it may seem to work, but it doesn’t. Sooner or later a query for internal name will be sent to public resolver,

I understand these points, but honestly I have been distracted by all the replies.
I will summarize my current configuration for host, AD, and RB.

  • MikroTik RB
    /ip dns> set servers=192.168.88.254,8.8.8.8,8.8.4.4 allow-remote-requests=yes

  • Active Directory Domain Controller DNS
    DNS Forwarders: add server 192.168.88.254

  • Host
    1- Obtain IP address automatically
    2- Primary DNS Server 192.168.88.254

The host joined the domain successfully and reaches the internet without any problem.

Now, is there still anything confusing or lacking in this configuration that I should take into consideration?
Best Regards.

Who uses 192.168.88.254 as IP address? The RB or the AD server???

Sorry, it’s a mistake; the server is 192.168.88.243.

The host uses primary DNS 192.168.88.243.

Sorry again :)

Then all is OK.

Client PC 88.xx → AD DNS 88.243 → RB4011 88.254 → public DNS 8.8.8.8

But if 88.254 is the RB4011 with the DNS server, it should not point to itself (possibly to the ISP modem if it has DNS, or to the ISP DNS servers, but those will come with DHCP from the ISP).

  • MikroTik RB
    /ip dns> set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

Very well, thanks a lot.