This discussion has been inactive for longer than 30 days, and is thus closed.
    vgrana (Sep 4th 2009):
    Hello,

    I have recently switched our school over to OpenDNS. We have a Win2003 server running as our domain controller and DNS.

    To make the switch, I changed the DNS forwarder on our server from my ISP's DNS to OpenDNS. As soon as I did that, I could not join new machines to the domain unless I changed the DNS on the new machine to my ISP's address.

    It seems Active Directory is still working. After joining the machine to the domain and changing it back to OpenDNS, I am able to log onto the machine as a domain user and all policies are still in effect.

    I have checked the Event Log for errors, and have found no discrepancies.

    Any help would be appreciated.
    Thanks,
    Vince
    rotblitz (Sep 4th 2009):
    Here's your (not so good) solution: http://www.opendns.com/support/article/148
    An even better solution is to fix your configuration, i.e. to make your forwarder rules more restrictive so that no internal lookups are sent externally. It will increase the internal speed significantly, because you get rid of unnecessary external lookups.
    hilofish (Sep 5th 2009, edited):
    Set your forwarders on your DNS server (the Windows 2003/8/whatever server configured to be your primary DNS server) to the OpenDNS server addresses and set all your PCs (via DHCP or manually) to use the MS DNS server.

    Example:
    We have 2003 servers at 192.168.0.2 and 192.168.0.3.
    The 0.2 server is the primary DNS and the other is the backup DNS.
    Our firewall/gateway has a DHCP server (it could also be on an MS server; it doesn't really matter), and there the DNS servers will be the MS servers at 0.2 and 0.3. Internal DNS queries (for private addresses) will be resolved internally, and WAN (internet) queries will be directed to the forwarders (as configured per OpenDNS's instructions: http://www.opendns.com/support/article/78).

    Now Active Directory can see all the PCs and resolve them normally.
    vgrana (Sep 5th 2009):
    Thanks for all your suggestions.

    Hilofish, I do have my DHCP server to give out both my internal DNS IPs.

    Rotblitz, I also followed the directions from the site and have my DNS server set not to forward any internal queries.

    I have tried several other things, like creating a totally different DNS server.

    It has been a few months now since I switched to OpenDNS. For now I have been manually setting the machines to my ISP's addresses and then back to OpenDNS, but I would like to make everything work the right way.
    Reply (author and date not shown in the archive):
    Make sure you configure your DC/DNS to point to itself for DNS. Then on the DNS server point the forwarders to OpenDNS. Make sure that DHCP is giving out only internal addresses. Your workstations/computers DO NOT need your ISP DNS or OpenDNS.

    Example: DC/DNS server. (using a 172.16.1.1/16 network)

    IP: 172.16.1.1/16
    DNS: 172.16.1.1
    Gateway: 172.16.254.1 <-- Your internet router

    Configure your DNS forwarders to 208.67.222.222 and 208.67.220.220. Now at the server open a web page (e.g. microsoft.com, typically not blocked by the server). If that is all working, go to your DHCP server and make sure it is giving out IP and DNS settings.

    Let's say an IP range of 172.16.100.1 - 17.16.100.254/16.
    Make sure the DNS is 172.16.1.1/16.

    Go to a workstation/computer and reboot; make sure that it has a good IP address and that DNS is 172.16.1.1. You can check this from the command prompt with 'ipconfig /all'. Now your DC will see the workstations/computers and you can add and remove computers to the domain.

    Recap:

    DC/DNS Server:

    172.16.1.1
    255.255.0.0
    172.16.254.1 <--- Your router to the internet

    DNS
    172.16.1.1

    Workstations/Computers
    172.16.100.1
    255.255.0.0
    172.16.254.1

    DNS
    172.16.1.1

    Check 'ipconfig /all' (the example assumes your DHCP is also your DNS server):

    Ethernet adapter Local Area Connection 1:

    Connection-specific DNS Suffix . : yourdomain.local
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Cont
    Physical Address. . . . . . . . . : 00-00-00-00-00-00
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 172.16.100.1
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 172.16.254.1
    DHCP Server . . . . . . . . . . . : 172.16.1.1
    DNS Servers . . . . . . . . . . . : 172.16.1.1

    Lease Obtained. . . . . . . . . . : Friday, Sept 04, 2009 7:42:24 PM
    Lease Expires . . . . . . . . . . : Saturday, Sept 05, 2009 7:42:24 PM

    I hope this helps.
    liamhanee (Sep 5th 2009):
    That's great. This page has more information related to DNS:

    http://www.goarticles.com/cgi-bin/showa.cgi?C=1839461
    vgrana (Sep 8th 2009):
    My IP scheme is all correct. The DC/DNS is pointed to itself, the DNS is set to forward to OpenDNS, and my DHCP server is giving out my internal DNS, not external.

    Active Directory seems to be working, because changes to group policies propagate to the domain. The only problem I have is that newly built machines cannot join the domain with the DNS forwarded to OpenDNS. New machines will join the domain when the DNS is set to anything other than OpenDNS.
    rotblitz (Sep 8th 2009):
    That's really weird. If nobody else here has an idea, I would like to propose opening a support ticket at http://www.opendns.com/support/contact/
    diacon (Sep 8th 2009):
    Have you looked at your DNS on your server to see if all forward and reverse zones have been created properly? Sounds like it isn't, and that's why it is forwarding requests on, causing everything to fail. When you switch back to your ISP's DNS, DNS resolution fails and NetBIOS takes over in order to find the domain controller. OpenDNS always responds and never fails, causing NetBIOS to never fire up and resolve the DC.
    vgrana (Sep 8th 2009):
    Thanks everyone for the help.

    Diacon, I have looked at all zones and everything looks correct.

    I will have to take rotblitz's advice and open a support ticket.

    Thanks again for the help guys.
    local_lad (Sep 9th 2009):
    Silly question, but seeing as I'm running a Server 2k8 AD domain and I'm only using OpenDNS as my forwarder, with no issues or problems, I'd have to say your DNS is incorrectly configured! Can you check you have got all of the correct Windows DNS services running? (i.e. in the DNS primary zone you should have a whole host of service folders like _gc and _domainname, most with subfolders and entries.) If not, then that's the cause of why machines cannot join the Windows domain.
    Lemme know please?
    Thanks
    Reply (author and date not shown in the archive):
    Make sure the forwarders are set to all other DNS domains.
    diacon (Sep 9th 2009):
    I still think it is your internal DNS. You should do an nslookup of your domain controller from a workstation that isn't part of the domain yet and see what you get back for results. If it is forwarding the request, your internal DNS isn't set up right.
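    An added check, not code from any poster in this thread, that automates the two things the replies above tell the workstation owner to verify: that 'ipconfig /all' lists only an internal DNS server (the DC), not the OpenDNS or ISP resolvers, and which SRV names the domain join must be able to resolve through that server (the nslookup suggested above). It assumes a stand-alone Python script fed the saved ipconfig output; the sample output embedded below is constructed from the one posted earlier in the thread.

```python
import ipaddress
import re
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}  # public resolvers named in the thread

# Constructed sample, trimmed from the 'ipconfig /all' output shown earlier in the thread.
GOOD_IPCONFIG = """Ethernet adapter Local Area Connection 1:
   Connection-specific DNS Suffix . : yourdomain.local
   IP Address. . . . . . . . . . . . : 172.16.100.1
   DHCP Server . . . . . . . . . . . : 172.16.1.1
   DNS Servers . . . . . . . . . . . : 172.16.1.1
"""

def parse_ipconfig(text):
    """Return (DNS suffix, [DNS servers]) from 'ipconfig /all' text."""
    suffix, servers, in_dns = "", [], False
    for line in text.splitlines():
        m = re.match(r"\s*(.*?)[ .]*: ?(.*)$", line)
        if m:  # a "Field . . . : value" line
            key, value = m.group(1).strip(), m.group(2).strip()
            in_dns = key == "DNS Servers"
            if key == "Connection-specific DNS Suffix":
                suffix = value
            elif in_dns and value:
                servers.append(value)
        elif in_dns and line.strip():  # extra DNS servers appear on continuation lines
            servers.append(line.strip())
    return suffix, servers

def check_client_dns(text, ad_domain):
    """Flag client resolver settings that break domain join, per the advice in this thread."""
    suffix, servers = parse_ipconfig(text)
    problems = []
    for srv in servers:
        try:
            private = ipaddress.ip_address(srv).is_private
        except ValueError:
            problems.append(f"{srv} is not a valid IP address")
            continue
        if srv in OPENDNS_RESOLVERS:
            problems.append(f"{srv} is a public OpenDNS resolver; clients must use the DC")
        elif not private:
            problems.append(f"{srv} is not a private address (ISP resolver?)")
    if suffix.lower() != ad_domain.lower():
        problems.append(f"DNS suffix {suffix!r} is not the AD domain {ad_domain!r}")
    return problems

def join_srv_queries(ad_domain):
    """SRV names a workstation must resolve to locate a DC (check with nslookup -type=SRV)."""
    return [f"{p}.{ad_domain}" for p in ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs", "_ldap._tcp")]
```

    Run the names from join_srv_queries through nslookup on the workstation; if the answer does not come from the DC's own address, the query is being forwarded externally, which is the misconfiguration diacon describes.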
    ravid (Administrator, Aug 6th 2012):
    Though this thread is old, we do have a relevant update: OpenDNS now offers official Active Directory integration. OpenDNS Insights (http://www.opendns.com/insights) offers the same malware and botnet protection as OpenDNS Enterprise, but with the ability to connect to Active Directory for granular per-user filtering and reporting.

    If you're using OpenDNS for Web filtering, you can set up Web filtering policies by user, group or machine. If you're using OpenDNS for malware and botnet protection, you now have additional insight into which specific machines are infected.

    More information at: http://www.opendns.com/insights.

    Thanks for using OpenDNS!

    - Ravi Dehar
    OpenDNS
