DNS Traffic Control to forward Windows users to Domain Controllers

Hello,

We are building this scenario for our customer. It's simplified, but our goal is just to forward SRV records for DCs to clients based on their source IP.
I have the topology working, but I'm struggling with LBDN patterns and the responses I get. I'm not sure if I'm doing something wrong or just don't understand the concept.

Here is the topology.


I have now configured the domain according to the topology picture, and it's working: the client can sign in to the domain through the DC, and all DNS zones exist only on Infoblox. But the DTC behavior is strange.

This is my LBDN topology: based on the source subnet, clients receive the DNS records.


For testing purposes I started with one zone for the pattern.


And I have created these SRV records for load balancing.


But the thing is, if I ask for any type of record, I always get all the SRV records with the prefix I asked for in dig. This is also populated into the client DNS cache, as I tested. For example, the SRV record for ldap.

And basically, whatever kind of nonsense I ask for, I always get all the records with the prefix I put in dig.

The same behavior occurs in the LBDN test.

Can you please tell me what I'm doing wrong?
My goal is simply to get only the records for _kerberos._tcp.test.com when I dig kerberos.
But now I'm getting all the records created on server DC01, and even the name is changed from the one I used in dig.

Thank you in advance

Stanislav


Best Answer

  • RossGibson (Infoblox Technical Expert)
    edited September 4 · Answer ✓

    Don is correct, the use case needs to be considered carefully, and this isn't a great forum for something so nuanced. As far as why you are getting multiple answers, that could be for different reasons. For example, are you using the "all available" load balancing method within the pool that is being selected? Or, perhaps you are falling back to regular DNS and have the list of records there. As I mentioned above, this requires a much deeper discussion that your SA should coordinate.

Answers

  • I see that the LBDN picture was not added. The same behavior as dig on the client PC.

  • RossGibson (Infoblox Technical Expert)

    In NIOS LBDN patterns, you should never use a wildcard in the left-most position, because it answers for everything in the zone, including answering over any normal DNS records that exist (DTC processes before normal DNS). The purpose of the wildcard in a pattern is to let you apply the same hostname across multiple different zones (think www.*.com could be used to apply to example.com, example1.com, etc.). If you need multiple different hostnames or service names (e.g., _kerberos, _ldap, etc.), add an additional pattern under the LBDN for each hostname/service name.

    I also see you are using topology rulesets stacked upon one another, which is very unusual if you are trying to be deterministic about your answers, which I am assuming you are. Generally, the pool LB algorithm would be Global Availability, which functions as an ordered list, thus it would return the first in the list only as long as that server is passing the health checks.

    However, this is a multi-level problem; you probably should be talking with your Solutions Architect for help, who can pull in SME resources if necessary.
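The following is an added example, not code from the original thread, from Infoblox, or from RossGibson. It models the two points made in this answer and in the accepted answer above: why a left-most wildcard pattern such as *.test.com claims every name in the zone (and so answers over the ordinary _kerberos and _ldap SRV records, since DTC runs before normal DNS), why explicit per-service patterns do not, and how the Global Availability algorithm (ordered list, first healthy server) differs from an "all available" selection that returns every healthy server. The pattern semantics are an assumption for this model (left-most `*` matches one or more labels, any other `*` matches exactly one label); NIOS's real matcher is not documented on this page. The zone names and server names are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data (not from the original post): the SRV and host
# names that exist as ordinary records in the test.com zone.
ZONE_RECORDS = [
    "_kerberos._tcp.test.com",
    "_ldap._tcp.test.com",
    "_kpasswd._tcp.test.com",
    "dc01.test.com",
    "www.test.com",
]


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Compile an LBDN-style pattern into a regex over fully-qualified names.

    Simplified model (an assumption for this example, not NIOS's documented
    matcher): a '*' in the left-most position matches one or more labels, so
    '*.test.com' covers every name in the zone; a '*' in any other position
    matches exactly one label, the 'www.*.com' style used to apply one
    hostname across several zones.
    """
    labels = pattern.lower().strip(".").split(".")
    parts = []
    for i, label in enumerate(labels):
        if label == "*":
            parts.append(r"(?:[^.]+\.)*[^.]+" if i == 0 else r"[^.]+")
        else:
            parts.append(re.escape(label))
    return re.compile(r"^" + r"\.".join(parts) + r"$")


def matches(pattern: str, name: str) -> bool:
    """True if the LBDN pattern would claim the query name (case-insensitive)."""
    return pattern_to_regex(pattern).match(name.lower().strip(".")) is not None


def shadowed_records(patterns: List[str], records: List[str]) -> Dict[str, List[str]]:
    """For each pattern, list the ordinary zone records it would answer over.

    DTC evaluates LBDN patterns before normal DNS, so every record listed
    here is effectively hidden behind the DTC answer.
    """
    return {p: [r for r in records if matches(p, r)] for p in patterns}


def risky_patterns(patterns: List[str]) -> List[str]:
    """Patterns with a left-most wildcard: these answer for the whole zone."""
    return [p for p in patterns if p.strip(".").split(".")[0] == "*"]


def pick_global_availability(servers: List[str], healthy: Dict[str, bool]) -> Optional[str]:
    """Global Availability as described in the answer: an ordered list where
    the first server passing health checks is returned; None if none are up."""
    for server in servers:
        if healthy.get(server, False):
            return server
    return None


def pick_all_available(servers: List[str], healthy: Dict[str, bool]) -> List[str]:
    """'All available': every healthy server is returned, which is one reason
    a client can see several answers for a single query."""
    return [s for s in servers if healthy.get(s, False)]


if __name__ == "__main__":
    wildcard = ["*.test.com"]
    explicit = ["_kerberos._tcp.test.com", "_ldap._tcp.test.com"]
    print("left-most wildcards:", risky_patterns(wildcard + explicit))
    print("wildcard shadows:", shadowed_records(wildcard, ZONE_RECORDS))
    print("explicit shadows:", shadowed_records(explicit, ZONE_RECORDS))
    # Constructed health-check state for two sample DCs.
    health = {"dc01.test.com": True, "dc02.test.com": True}
    pool = ["dc01.test.com", "dc02.test.com"]
    print("Global Availability returns:", pick_global_availability(pool, health))
    print("All available returns:", pick_all_available(pool, health))
```

Running the script shows `*.test.com` shadowing all five sample records while the two explicit patterns each claim only their own SRV name, and shows the same two-server pool yielding one answer under Global Availability but two under "all available", which matches the two explanations given for seeing multiple answers.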

  • Hello,

    Just after editing the pattern, I'm not getting the "edited" records anymore. But I'm still getting all the SRVs that exist in DTC, such as ldap, kerberos, etc.

    So the patterns and SRV records for load balancing are still a bit of a mystery, but I'll check with my SA.

    Anyway, thanks for the answers.

    S.

  • I didn't see what the desired outcome is and the reason why. If the customer is properly leveraging Sites and Site Links in AD, the best results for the client to get to an appropriate AD server would be resolved correctly.

    What's the goal in attempting to alter or break the AD KCC to determine which destination clients should go to for specific services?

  • Hello,

    Sure, I'm already in touch with our SA.

    Anyway, thanks for the answers.

    Regards
    S