
Using RV120W DNS with Active Directory

davidnusbaum
Level 1

I'm inserting a RV120W into an environment with an Active Directory server. In the past the Active Directory server was also the DHCP and DNS server, but this essentially shuts down the entire network when the Windows server isn't available. I would like to fully leverage the DHCP and DNS Proxy capabilities of the RV120W, but the general nature of the documentation makes it hard for me to decide how to do this.

If there is a recommendation on how to do this, I'll start with that and the rest of these questions won't matter.

I think the best scenario would be to have the RV120W DNS Proxy accept and cache the updates from local clients, and essentially act as a non-configurable local DNS. But if the DNS Proxy forwards local DNS updates this isn't possible.

If this isn't possible, do I try to leverage the DNS Proxy in front of the Windows DNS server or between the Windows DNS Server and the name servers provided by the ISP?

If I turn off the DNS Proxy on the LAN Configuration Page, does it disable the Proxy or does it just not return the address of the router to DHCP clients? If so, I could have the DHCP server return the address of the Windows Active Directory/DNS server as the primary name server and the address of the router as the secondary name server.

10 Replies

rmanthey
Level 4

What are you using for your DHCP server? The DNS Proxy does two things. First, it can be used to set the WAN DNS server information for the QVPN users. Second, it can be used to set the router to respond to DNS queries, with the WAN DNS servers set as forwarders. When DNS Proxy is disabled, the DHCP clients of the router will receive the WAN DNS settings.

If you are using the router for the DHCP server I would suggest using an internal DNS server from your Active Directory in the DHCP scope. Then set up forwarders on the Windows DNS server to query the ISP's DNS servers. LAN Proxy will need to be enabled.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

What he wants to do is have a backup configuration in case the DC goes down. Currently (from my understanding) he has one server, the Domain Controller, which is running DHCP along with the default DNS.

One thing to understand about most small business and home routers is that their main function is to route and nothing else. Other features like DNS proxy are just that, a proxy, and they are usually not configurable. The router will not cache any information; it will merely forward the query to the WAN or ISP DNS servers.

My recommendation would be this:

Get an old box or another server that is being used for other purposes and either install a Server OS and then configure it as a member server and/or install DNS and make sure the zone(s) are replicating from the Primary. Another option would be to install Linux and run BIND as your secondary DNS server. If you are not familiar with Linux you can find plenty of help online, and you can also use Webmin to manage the server graphically.

...but wait there is one more!!!

Most people configure the domain as '.local' and if you only have one subnet (which is what I am betting on) then you can install "Bonjour for Windows" (on all Windows hosts in the network) to allow you to resolve the '.local' domain. How? By using DNSresponder, which is how Bonjour discovers local printers. All we need is the service, so do not worry about anything having to do with printers (unless you need it, of course). Once installed you will be able to ping any local host by its name, depending on how your DNS server option is configured, but at worst you would connect like this: https://myemailserver.local

Like with anything there are some catches, but as a backup solution it's really not bad and the only configuration would be to install the software. This is taking into consideration that all hosts are joined to your Active Directory domain and its suffix is '.local'.

Alejandro,

I think you understand my challenge pretty well. I would be quite content setting up a Linux server with BIND for my own personal purposes, but I'm helping out a non-profit and trying to help them through a pretty bad network situation. I'm working to build a network that is very simple to manage but still meets their needs. There is only one subnet to worry about and only one Windows server.

I'm going to have to dig into the ".local", but I think you are on the right track. The domain is currently using a subdomain, office.domain_name.org, and ping requests are going to the name server for the root domain.

Unfortunately, I think the Active Directory domain was set up as office.domain_name.org. I'm sure this was done when they were using Exchange for email, but we moved the organization to Google for email and are just using Windows Server as a file server now.

Would the Bonjour solution work for the QVPN clients as well?

On the RV120W there is an area on the LAN page for DNS servers, but only if you enable DHCP. To use the QVPN's remote DNS, you set the WAN ISP's Primary DNS to the internal DNS server's IP. As for the previous post, I would then set your DHCP scope to use a public address like 4.2.2.2 or something like that as the second DNS server.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Thank you for sticking with me through this!

There are 4 VLANs set up on the router, but only one needs access to the local DNS. The other three are isolated networks that only need access to the WAN.

I've read both of your posts carefully, but I'm not sure if the last post is suggesting that I leave DHCP on the router in order to make QVPN clients see the local network?

With Windows as DHCP and DNS Servers

For VLAN 1: Let the Active Directory server handle DHCP and DNS. On the Windows Server, set the DHCP server to return the Windows Server as the Primary DNS and the Router as the Secondary DNS. If the Windows Server is down, the clients will keep using their currently assigned addresses and DNS will fail over to the secondary DNS that had been returned previously. I think DHCP laptops off the network for more than 7 days will not work until the DHCP server is back up.

With Router as DHCP Server

For VLAN 1: In the LAN settings, set my Windows Server as the Primary DNS server and the router as my Secondary DNS Server. The DNS forwarder on the Windows server can point right back to the router, and the DNS Proxy will handle the Primary and Secondary for the WAN. If I turn on the DNS Proxy, will it override my primary and insert the router as primary as well as secondary? Will this scenario get the local DNS server to the QVPN client?

I'm sorry for the confusion on my part. I might be reading too much between the lines. Thanks for all the help.

Randy,

The DHCP Server and DNS Server were both running on the Windows server, but this prevented the entire location from accessing the Internet if the Windows server was down. I have moved the DHCP Server to the RV120W and that seems to be working well. I also turned on the DNS Proxy and left the Name Server entries on the LAN configuration blank, which I assume means they are getting the DNS addresses from the WAN. I expect this to make the local Windows network inaccessible because there is no local DNS, but at some point in the past somebody actually configured an A record for the domain in question and pointed it to the internal network address of the domain controller. Anyway.... I was trying to understand if the local DNS Proxy on the router could be used as a primitive local DNS.

After reading your update I'm a bit worried, because if my QVPN clients get the WAN DNS settings, they are not going to see the local domain names.

I got somewhat twisted up when I looked at the Available LAN Hosts page on the router. All of the hosts I need, and their IP addresses are right there. If the router would simply respond to DNS requests against those names (local or VPN attached) my most basic local needs would be covered.

Thanks for the quick reply,

Dave

If you only have one VLAN I would use the Windows Server with Active Directory to do DHCP and DNS; that way the devices will auto-update the forward and reverse lookup zones. The Primary DNS server should be the Windows server; the second DNS server can be a public DNS server or the router with DNS Proxy enabled or disabled. If enabled, it uses the WAN DNS to query, but the router is the responder to the DNS queries from the clients.

Example:

Windows AD server 10.1.1.15

RV120W  10.1.1.1

WAN ISP DNS 4.2.2.2

You could set the DHCP scope to:

Primary DNS 10.1.1.15

Secondary DNS 10.1.1.1 or 4.2.2.2

Set the lease time to a minimum of 24 hours, or longer, like 7 days. This would prevent the clients from renewing their IP when there are short outages of the AD server. If the AD server goes down, the second DNS will be queried. If the AD server is up but either responds to the DNS query with a bad address or no address, the query will never go to the second DNS server; that is why a DNS forwarder is needed and why you need to make sure the Windows DNS server is healthy. If you use the router as the second DNS server, then you have to ensure that the router is querying a public DNS instead of the local DNS. There are many different ways to do this. But to keep AD healthy it should remain the DNS and DHCP server when possible. If you need to use multiple VLANs then the configuration can have problems, especially with the small business line. There are ways to get it to work but it will take some modifications.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security
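The failover behaviour Randy describes above (a client only moves to its second DNS server when the first does not answer at all; a negative answer from a healthy AD server is final; and the router must forward to a public resolver rather than back to the AD server) is modelled in the added example below. This is illustrative code written for this page, not code from the original thread or from Cisco. The addresses are the ones used in the thread (10.1.1.15 for AD/DNS, 10.1.1.1 for the RV120W, 4.2.2.2 for public DNS); the hostnames, the 203.0.113.10 public record and the forwarding-depth guard are constructed for the example.

```python
"""Toy model of stub-resolver and forwarder behaviour for the setup in this thread.

Added example, not from the original post or from Cisco. Addresses follow the
thread (10.1.1.15 AD/DNS, 10.1.1.1 RV120W, 4.2.2.2 public DNS); hostnames and
the public record 203.0.113.10 are constructed sample data.
"""


class Timeout(Exception):
    """The server did not answer at all (it is down, or no forwarder answered)."""


class Server:
    """A DNS server: authoritative for the zones it hosts, forwards everything else."""

    MAX_FORWARD_DEPTH = 4  # constructed guard; a real forwarding loop just times out

    def __init__(self, name, zones=None, forwarders=(), up=True):
        self.name = name
        self.zones = zones or {}        # zone suffix -> {fqdn: ip}; "" is a catch-all
        self.forwarders = list(forwarders)
        self.up = up
        self.hits = 0                   # number of queries that reached this server

    @staticmethod
    def _authoritative_for(zone, qname):
        return zone == "" or qname == zone or qname.endswith("." + zone)

    def query(self, qname, depth=0):
        """Return an IP, or None for an authoritative negative answer (NXDOMAIN)."""
        self.hits += 1
        if not self.up:
            raise Timeout(self.name)
        if depth > self.MAX_FORWARD_DEPTH:
            raise Timeout(f"{self.name}: forwarding loop")
        for zone, records in self.zones.items():
            if self._authoritative_for(zone, qname):
                return records.get(qname)   # None == NXDOMAIN: final, never forwarded
        for fwd in self.forwarders:
            try:
                return fwd.query(qname, depth + 1)
            except Timeout:
                continue                    # next forwarder only when this one is silent
        raise Timeout(f"{self.name}: no forwarder answered")


def resolve(servers, qname):
    """Stub resolver: walk the DNS list in order, moving to the next server only
    when the current one does not respond. Any answer, NXDOMAIN included, ends
    the lookup. Returns (answering server name, ip-or-None)."""
    for srv in servers:
        try:
            return srv.name, srv.query(qname)
        except Timeout:
            continue
    return None, None


def build(ad_up=True, router_forwards_to_ad=False):
    """The thread's layout: AD DNS forwards to the RV120W DNS proxy, which should
    forward to the public resolver. router_forwards_to_ad=True creates the loop
    Randy warns about (router pointed back at the local DNS)."""
    isp = Server("4.2.2.2", zones={"": {"www.domain_name.org": "203.0.113.10"}})
    ad = Server("10.1.1.15", up=ad_up, zones={
        "office.domain_name.org": {"fileserver.office.domain_name.org": "10.1.1.20"},
    })
    router = Server("10.1.1.1", forwarders=[ad] if router_forwards_to_ad else [isp])
    ad.forwarders = [router]
    return ad, router


def lookup(qname, ad_up=True, router_forwards_to_ad=False):
    """Resolve with the DHCP scope order Primary 10.1.1.15, Secondary 10.1.1.1.
    Returns (answering server, result, number of queries that reached the router)."""
    ad, router = build(ad_up, router_forwards_to_ad)
    who, rr = resolve([ad, router], qname)
    return who, rr, router.hits


if __name__ == "__main__":
    cases = [
        ("AD up, local name", "fileserver.office.domain_name.org", {}),
        ("AD up, public name", "www.domain_name.org", {}),
        ("AD down, public name", "www.domain_name.org", {"ad_up": False}),
        ("AD down, local name", "fileserver.office.domain_name.org", {"ad_up": False}),
        ("AD up, record missing", "missing.office.domain_name.org", {}),
        ("router forwards to AD", "www.domain_name.org", {"router_forwards_to_ad": True}),
    ]
    for label, qname, kw in cases:
        print(f"{label:24} {qname:36} -> {lookup(qname, **kw)}")
```

Two results are the ones worth noticing: with the AD server up but the record missing, the router is never asked (hit count 0), so a secondary DNS entry does not paper over a broken zone; and when the router forwards back to the AD server, a public name never resolves at all because the two servers hand the query to each other until it times out.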

Just wondering if the two scenarios I mentioned earlier were accurate and usable? I was trying to piece together multiple responses, but I ended up putting my response in the middle of the thread rather than at the end.

Thanks again for the help!

Dave

Bottom line is this; you will not be able to use the router as DNS back-up to resolve local hostnames, period. If you need to be able to resolve local hostnames all the time your only option (aside from hostfiles) is to have a backup DNS server. I would caution using the router as the DHCP server as it will not register DNS changes with lease updates to your DC. Only an authorized DHCP server or user will be able to make these updates. In other words, it would be likely that a duplicate DNS record exists for a single host.

Since you have a "real" FQDN I would really push the second physical DNS server option. I would not worry too much about the DHCP server as already stated setting the lease to 7 days (too long for me) would give plenty of time to correct the issue. Lastly, since you are using google apps for your domain mail now, maybe you really don't need a domain anymore. Going to a workgroup environment may actually be the best option, or maybe not since you did mention multiple subnets. Anyway, if you are running all your computers on AD do not try to rig some random DNS solution. It is not worth the effort you will have when DNS gets messed or permissions get broken due to malformed DNS zones. My rule is, Active Directory IS DNS and DNS is very special.

Linux is starting to sound better and better. 

Thank you again Alejandro,

I read your response last night, just before bed, and spent the next several hours staring at the ceiling and wondering where to head next with this project. Adding a second DNS server just isn't practical for this environment. Leaving one Windows server to provide DHCP, DNS, AD and File Sharing services isn't practical either, because any problems with the server bring the entire environment to its knees. But now you have me thinking... if email is on the Internet (cannot even say cloud after those MS commercials) and the only local service the organization needs is File Sharing, then AD seems to be overkill. I did a brief search and found many references to Bonjour and Zeroconf. I have a lot to research, like the implications of using .local, but there seems to be a lot of potential for an organization that can no longer afford to pay thousands of dollars to have local vendors "fix" their existing solution.
