
Domain Controller without DNS Server

Status
Not open for further replies.

fredmartinmaine

IS-IT--Management
Mar 23, 2015
We had a pair of Domain Controllers that offered AD Authentication, DNS and DHCP. Dynamic DNS actually.
A decision has been made to move DHCP and DNS to another device, a firewall. I moved DHCP a while ago, and other than not having Dynamic DNS, it's worked well.

However, when I start up DNS on the firewall, and stop the DNS Server service on the Domain Controller, server shares start asking users to authenticate to browse to a share, and eventually logging in to a domain PC fails because it can't find a domain controller.

I've read in a handful of places that domain controllers don't need to be DNS servers but they don't offer any information on how that's properly set up.

Does anyone know what I'm missing here?
 
Did you integrate the Active Directory namespace into the firewall's DNS service?

You might want to try reading this
 
I did not. I'll read the article, thanks. I didn't see anything in the firewall GUI config that applies, but I know this firewall sometimes needs CLI setup for advanced features. Hopefully it's able to accommodate. It's a Fortigate 60F.
 
What's the reasoning for moving DNS to the fortigate? If it's some filtering based on DNS (Cisco Umbrella?) then just use forwarders on the Windows DNS servers and disable root lookups.
I don't think I'd be keen on moving the DNS functionality for a Windows AD setup to a fortigate box.
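The failure described in the opening post (shares prompting for credentials, then logons failing because no domain controller can be found) is what happens when the DNS server clients are pointed at cannot answer the SRV locator lookups that the DC locator issues. The script below is an added example, not something posted in this thread, that queries those records against a candidate DNS server so you can tell before cutting over whether the firewall's DNS actually carries the Active Directory namespace as the replies above suggest. The domain name corp.example and the server address 192.0.2.1 are placeholders; replace them with your own.

```powershell
# Added example (not from this thread): check whether a given DNS server can answer
# the SRV lookups that domain members use to locate a domain controller.
# Assumptions (placeholders): the AD DNS domain is corp.example and the candidate
# DNS server (e.g. the firewall) listens on 192.0.2.1. Replace both before use.
param(
    [string]$Domain    = 'corp.example',
    [string]$DnsServer = '192.0.2.1'
)

# Locator records a client asks for (via DsGetDcName) when it logs on or
# authenticates to a share. If the DNS server cannot answer these, the client
# behaves exactly as described in the opening post.
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)

$missing = @()
foreach ($name in $records) {
    try {
        # -DnsOnly skips LLMNR/NetBIOS so the answer really comes from $DnsServer.
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { throw 'no SRV answer' }
        foreach ($r in $srv) {
            # The SRV target (the DC's host name) must also resolve on the same server,
            # otherwise the client finds a name but still cannot reach the DC.
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
            $addr = if ($a) { (($a | Where-Object { $_.Type -eq 'A' }).IPAddress) -join ',' } else { 'NO A RECORD' }
            '{0,-45} -> {1}:{2} ({3})' -f $name, $r.NameTarget, $r.Port, $addr
        }
    } catch {
        $missing += $name
        '{0,-45} -> MISSING ({1})' -f $name, $_.Exception.Message
    }
}

if ($missing.Count -eq 0) {
    "All locator records answered by $DnsServer; domain clients can find a DC through it."
} else {
    "$($missing.Count) locator record(s) missing on $DnsServer. Until they exist there, keep clients on the DC's DNS (or add forwarders on the DC instead of moving the zone)."
}

# Cross-check with the OS locator itself: prints the DC this machine would pick
# using whatever DNS servers its own NIC is configured with.
nltest "/dsgetdc:$Domain" /force
```

Run it from a domain-joined workstation with the firewall's address as `-DnsServer` before switching DHCP to hand out that address. If the SRV records are missing, the fix is either to carry the `_msdcs` and domain zones on the firewall's DNS (the "integrate the namespace" suggestion above) or, as the second reply recommends, to leave DNS on the Windows servers and add forwarders for everything else.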
 
We're retiring the domain. Company made the decision to move everything to the cloud. Data is already there. We've already got some of the workstations authenticating through Google with GCPW, they're not even on the domain. This is a step. In the end, DNS and DHCP will be served from the firewall, authentication through Google, and VPN access to the inside will be no more. I suspect, if we can't get authentication from AD to work in concert with DNS on the firewall, we'll skip that step and just move all the workstations off the domain sooner than planned.
 