This discussion has been inactive for longer than 30 days, and is thus closed.
    • CommentAuthorvgrana
    • CommentTimeSep 4th 2009

    I have recently switched our school over to OpenDNS. We have a Win2003 server running as our domain controller and DNS.

    To make the switch, I changed the DNS forwarder on our server from my ISP's DNS to OpenDNS. As soon as I did that, I could not join new machines to the domain unless I changed the DNS on the new machine to my ISP's address.

    It seems Active Directory is still working. After joining the machine to the domain and changing it back to OpenDNS, I am able to log on to the machine as a domain user and all policies are still in effect.

    I have checked the Event Log for errors, and have found no discrepancies.

    Any help would be appreciated.
    • CommentAuthorrotblitz
    • CommentTimeSep 4th 2009
    Here's your (not so good) solution:
    An even better solution is to fix your configuration, i.e. to make your forwarder rules more restrictive so that no internal lookups are sent externally. It will increase internal speed significantly, because you get rid of unnecessary external lookups.
    • CommentAuthorhilofish
    • CommentTimeSep 5th 2009 edited
    Set your forwarders on your DNS server (the Windows 2003/8/whatever server configured to be your primary DNS server) to the OpenDNS server addresses, and set all your PCs (via DHCP or manually) to use the MS DNS server.

    We have a 2003 server @ and
    The 0.2 server is the primary DNS and the other is the backup DNS.
    Our firewall/gateway has a DHCP server (it could also be on a MS server - it doesn't really matter), and there the DNS servers will be the MS servers @ 0.2 and 0.3. Internal DNS queries (for private addresses) will be resolved internally, and WAN (internet) queries will be directed to the forwarders (as configured per OpenDNS's instructions).

    Now Active Directory can see all the PCs and resolve them normally.
    • CommentAuthorvgrana
    • CommentTimeSep 5th 2009
    Thanks for all your suggestions.

    Hilofish, I do have my DHCP server to give out both my internal DNS IPs.

    Rotblitz, I also followed the directions from the site and do have my DNS server set not to forward any internal queries.

    I have tried several other things, like creating a totally different DNS server.

    It has been a few months now since I switched to OpenDNS. For now I have been manually setting the machines to my ISP's addresses and then back to OpenDNS, but I would like to make everything work the right way.
    Make sure you configure your DC/DNS to point to itself for DNS. Then on the DNS server point the forwarders to OpenDNS. Make sure that DHCP is giving out only internal addresses. Your workstations/computers DO NOT need your ISP DNS or OpenDNS.

    Example: DC/DNS server. (using a network)

    Gateway: <-- Your internet router

    Configure your DNS forwarders to: and . Now, at the server, open a web page (i.e. one typically not blocked by the server). If that is all working, go to your DHCP server and make sure it is giving out IP, and DNS settings.

    Let's say an IP range of: -
    Make sure the DNS is

    Go to a workstation/computer and reboot; make sure that it has a good IP address and DNS is ; you can check this from the command prompt with 'ipconfig /all'. Now your DC will see the workstations/computers and you can add and remove computers to the domain.


    DC/DNS Server: <--- Your router to the internet

    Check 'ipconfig /all' (the example assumes your DHCP is also your DNS server):

    Ethernet adapter Local Area Connection 1:

    Connection-specific DNS Suffix . : yourdomain.local
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Cont
    Physical Address. . . . . . . . . : 00-00-00-00-00-00
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DHCP Server . . . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

    Lease Obtained. . . . . . . . . . : Friday, Sept 04, 2009 7:42:24 PM
    Lease Expires . . . . . . . . . . : Saturday, Sept 05, 2009 7:42:24 PM

    I hope this helps.
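    The layout the post above describes (DC pointing at itself, forwarders set to OpenDNS, DHCP handing out only internal DNS servers, the _msdcs SRV records present in the zone) can be audited in one pass from the DC. The script below is an added example, not code from this thread or from OpenDNS. The zone name yourdomain.local and the internal server addresses 10.0.0.2 and 10.0.0.3 are hypothetical; 208.67.222.222 and 208.67.220.220 are OpenDNS's published resolver addresses. It uses the DnsServer, DnsClient and DhcpServer PowerShell modules, so it needs Server 2012 or later rather than the 2003 box in the thread, and it only reads configuration, it changes nothing.

```powershell
# Added example (not from the thread). Audits the DC/DNS/DHCP layout described above.
# Assumed (hypothetical) values: AD zone 'yourdomain.local', internal DNS servers
# 10.0.0.2 and 10.0.0.3. Forwarders are OpenDNS's published resolvers.
# Run elevated on the DC; needs the DnsServer, DnsClient and DhcpServer modules (Server 2012+).
param(
    [string]   $Zone        = 'yourdomain.local',
    [string[]] $InternalDns = @('10.0.0.2', '10.0.0.3'),
    [string[]] $Forwarders  = @('208.67.222.222', '208.67.220.220')
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. The DC's own NIC must use an internal DNS server (itself or a partner DC), never the ISP or OpenDNS.
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object ServerAddresses).ServerAddresses | Select-Object -Unique
foreach ($ip in $clientDns) {
    if ($ip -notin $InternalDns -and $ip -ne '127.0.0.1') {
        $problems.Add("DC NIC points at non-internal DNS server $ip")
    }
}

# 2. Forwarders must be the external resolvers only. A conditional forwarder for the AD zone
#    would ship internal lookups outside, the misconfiguration rotblitz warns about.
$fwd = Get-DnsServerForwarder
foreach ($ip in $fwd.IPAddress) {
    if ("$ip" -notin $Forwarders) { $problems.Add("Unexpected forwarder $ip") }
}
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' -and $_.ZoneName -like "*$Zone" } |
    ForEach-Object { $problems.Add("Conditional forwarder configured for internal zone $($_.ZoneName)") }

# 3. The AD zone must be a local primary and carry the _msdcs SRV records a domain join uses to find a DC.
$z = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
if (-not $z -or $z.ZoneType -ne 'Primary') {
    $problems.Add("Zone $Zone is missing or is not a primary zone on this server")
} else {
    $srv = Get-DnsServerResourceRecord -ZoneName $Zone -RRType Srv -Name '_ldap._tcp.dc._msdcs' -ErrorAction SilentlyContinue
    if (-not $srv) {
        $problems.Add("No _ldap._tcp.dc._msdcs SRV records in $Zone (restart the Netlogon service on the DC to re-register them)")
    }
}

# 4. Every DHCP scope must hand out only the internal servers as option 006.
foreach ($scope in Get-DhcpServerv4Scope) {
    $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if (-not $opt) { $problems.Add("Scope $($scope.ScopeId) sets no DNS servers (option 006)"); continue }
    foreach ($ip in $opt.Value) {
        if ($ip -notin $InternalDns) { $problems.Add("Scope $($scope.ScopeId) hands out external DNS server $ip") }
    }
}

if ($problems.Count -eq 0) { 'DNS/DHCP configuration matches the expected layout.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

    Any PROBLEM line maps directly onto one of the steps in the post: step 1 is the DC pointing at itself, step 2 the forwarders, step 3 the zone and its service records, step 4 what DHCP gives the workstations. If the scope-level option 006 is empty but a server-level option exists, call Get-DhcpServerv4OptionValue without -ScopeId to check that instead.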
    • CommentAuthorliamhanee
    • CommentTimeSep 5th 2009
    That's great, this page has more information related to DNS.
    • CommentAuthorrotblitz
    • CommentTimeSep 5th 2009
    • CommentAuthorvgrana
    • CommentTimeSep 8th 2009
    My IP scheme is all correct. The DC/DNS is pointed to itself, the DNS is set to forward to OpenDNS, and my DHCP server is giving out my internal DNS, not external.

    Active Directory seems to be working, because changes to group policies propagate to the domain. The only problem I have is that newly built machines cannot join the domain with the DNS forwarded to OpenDNS. New machines will join the domain when the DNS is set to anything other than OpenDNS.
    • CommentAuthorrotblitz
    • CommentTimeSep 8th 2009
    That's really weird. If nobody else here has an idea, I would like to propose opening a support ticket at
    • CommentAuthordiacon
    • CommentTimeSep 8th 2009
    Have you looked at the DNS on your server to see if all forward and reverse zones have been created properly? Sounds like they haven't, and that's why it is forwarding requests on, causing everything to fail. When you switch back to your ISP's DNS, DNS resolution fails and NetBIOS takes over in order to find the domain controller. OpenDNS always responds and never fails, so NetBIOS never fires up to resolve the DC.
    • CommentAuthorvgrana
    • CommentTimeSep 8th 2009
    Thanks everyone for the help.

    Diacon, I have looked at all zones and everything looks correct.

    I will have to take rotblitzs' advice and open a support ticket.

    Thanks again for the help guys.
    • CommentAuthorlocal_lad
    • CommentTimeSep 9th 2009
    Silly question, but seeing as I'm running a Server 2k8 AD domain and I'm only using OpenDNS as my forwarder, with no issues or problems, I'd have to say your DNS is incorrectly configured! Can you check you have got all of the correct Windows DNS services running? (i.e. in the DNS primary zone you should have a whole host of service folders like _gc and _domainname, most with subfolders and entries...) If not, then that's the cause of why machines cannot join the Windows domain...
    Lemme know please?
    Make sure the forwarders are set to all other DNS domains.
    • CommentAuthordiacon
    • CommentTimeSep 9th 2009
    I still think it is your internal DNS. You should do an nslookup of your domain controller from a workstation that isn't part of the domain yet and see what you get back for results. If it is forwarding the request, your internal DNS isn't set up right.
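    Diacon's lookup test, as an added example that is not part of the thread, done in PowerShell from a workstation that is not yet joined. It asks each internal server directly, with -DnsOnly so that NetBIOS or LLMNR fallback cannot hide a DNS failure (the masking effect diacon describes), for the DC locator SRV record and the DC's A record, and then for a random name under the AD zone, which an authoritative internal server must answer with NXDOMAIN; an A record for that probe means the query was answered by a forwarder or a wildcard rather than the internal zone. The domain yourdomain.local, DC name dc1 and the addresses 10.0.0.2 and 10.0.0.3 are hypothetical. Resolve-DnsName needs Windows 8 / Server 2012 or later; on older clients the same three queries can be typed into nslookup (set type=SRV, then the names below).

```powershell
# Added example (not from the thread). Run on a workstation that is NOT yet joined to the domain.
# Assumed (hypothetical) values: AD domain 'yourdomain.local', DC host 'dc1', internal DNS 10.0.0.2/10.0.0.3.
# -DnsOnly restricts Resolve-DnsName to the DNS protocol (no hosts file, LLMNR or NetBIOS fallback).
param(
    [string]   $Domain      = 'yourdomain.local',
    [string]   $DcHost      = 'dc1',
    [string[]] $InternalDns = @('10.0.0.2', '10.0.0.3')
)

# What DHCP (or a manual setting) gave this workstation. Anything outside the internal set is wrong.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object ServerAddresses).ServerAddresses | Select-Object -Unique
"Workstation DNS servers: $($dnsServers -join ', ')"
$dnsServers | Where-Object { $_ -notin $InternalDns } |
    ForEach-Object { "WARNING: $_ is not an internal DNS server; the domain join will not find a DC via DNS" }

function Test-Lookup {
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        # Resolve-DnsName may return SOA/CNAME rows alongside the answer; keep the requested type only.
        return @($r | Where-Object { $_.Type -eq $Type })
    } catch {
        return @()   # NXDOMAIN, SERVFAIL or timeout: treated as "no answer"
    }
}

foreach ($server in $InternalDns) {
    "--- Testing against $server ---"

    # 1. DC locator SRV record: this is the record a domain join actually asks for.
    $srv = Test-Lookup "_ldap._tcp.dc._msdcs.$Domain" 'SRV' $server
    if ($srv) { $srv | ForEach-Object { "OK   SRV -> $($_.NameTarget):$($_.Port)" } }
    else      { "FAIL no _ldap._tcp.dc._msdcs SRV record; the join cannot locate a DC via DNS" }

    # 2. The DC's own A record must come back from the internal server with its internal address.
    $a = Test-Lookup "$DcHost.$Domain" 'A' $server
    if ($a) { $a | ForEach-Object { "OK   $DcHost.$Domain -> $($_.IPAddress)" } }
    else    { "FAIL $DcHost.$Domain did not resolve" }

    # 3. A name that cannot exist in the AD zone must get NXDOMAIN from an authoritative server.
    #    An A record here means the answer came from a forwarder or a wildcard, not the internal zone.
    $bogus = "nxdomain-probe-$(Get-Random)." + $Domain
    $x = Test-Lookup $bogus 'A' $server
    if ($x) { "FAIL $bogus resolved to $($x[0].IPAddress); lookups in the AD zone are being forwarded or rewritten" }
    else    { "OK   $bogus -> NXDOMAIN (internal zone answered authoritatively)" }
}
```

    A healthy setup prints three OK lines per server. FAIL on the SRV line with OK on the A line is the classic symptom of a zone that exists but lacks the _msdcs records (local_lad's point above); FAIL on the probe line is the symptom diacon describes, where the internal zone is not answering for its own names and the forwarder is.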
    • CommentTimeAug 6th 2012
    Though this thread is old, we do have a relevant update: OpenDNS now offers official Active Directory integration. OpenDNS Insights ( offers the same malware and botnet protection as OpenDNS Enterprise, but with the ability to connect to Active Directory for granular per-user filtering and reporting.

    If you're using OpenDNS for Web filtering, you can set up Web filtering policies by user, group or machine. If you're using OpenDNS for malware and botnet protection, you now have additional insight into which specific machines are infected.

    More information at: .

    Thanks for using OpenDNS!

    - Ravi Dehar
