External Internet Access when Domain Controller is offline [closed]

We have a single Windows Server 2019 Domain controller. We do not have a backup domain controller.

The Windows Server 2019 Domain Controller is also our DHCP server, and our DNS server.

When the Domain Controller is offline, all the devices on our network are unable to access the external internet. Of course, this is because our Domain Controller is offline, which means our DNS lookups cannot go through it.

When the domain controller is offline, that also means the DHCP server is offline, which means newly booted devices cannot get assigned IP addresses. I know the IP addresses on online devices are fine, until they need to renew their lease.

We would like to migrate the DHCP server to our Sonicwall firewall. This way, if the domain controller does go offline, our Sonicwall can still distribute IP addresses, and our network devices can still obtain IP addresses. I'll be configuring it with the same range, and make sure the proper reservations are in place. I will not enable it until the domain controller's DNS server is disabled.

Since the DHCP server will now reside in the Sonicwall, I will have the ability there to specify DNS settings. I plan to keep the Domain Controller as the primary DNS server, but am thinking of using either the Sonicwall or Google (8.8.8.8) as the secondary DNS server.

Is there any issue or concern with doing this?

The reason why we want to do this is to make sure everyone still has external access to the internet if the domain controller (primary DNS server) is offline. I know that the internal name resolutions will fail (//machine1/folder share) and break.

If that is not the correct way to provide external internet access to our network, in the case our primary DNS server is not available (which again is our domain controller), then can you recommend a better way to accomplish this?


The correct way to solve this is to add a secondary domain controller. Adding an external DNS server as a secondary DNS in the DHCP options on the firewall isn't really a great idea, since DNS failover is spotty at best. You might run into any of the following issues:

  • Clients take a long time to fail over to 8.8.8.8, so your clients might still experience an outage
  • After your clients have failed over to 8.8.8.8, they won't switch back to the primary DNS server until 8.8.8.8 stops answering or they're rebooted.
  • Clients might randomly elect to use 8.8.8.8 even if the DC is available.

Furthermore, it's beneficial to have a Microsoft DHCP/DNS server or a DC with these components installed serve DHCP requests on your network, as this will also allow you to dynamically create DNS records for your client machines, as well as reverse lookup records that are very useful when diagnosing issues.
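
The following audit script is an added example, not part of the question or the answer above: run on a domain-joined client, it lists every DNS server the client has been handed and checks whether each one can return the SRV record that domain members use to locate a domain controller. The domain name `corp.example.com` is a placeholder assumption; substitute your own AD DNS domain.

```powershell
# Added example: find configured DNS servers that cannot answer for the AD domain.
# Assumption: the default domain below is a placeholder, not taken from the post.
param(
    [string]$Domain = 'corp.example.com'
)

# SRV record that domain members query to locate a domain controller.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"

# IPv4 DNS servers per interface, whether assigned by DHCP or set statically.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

$results = foreach ($nic in $configured) {
    $order = 0
    foreach ($server in $nic.ServerAddresses) {
        $order++
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # Query this one server directly, bypassing the client's own selection.
            $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $server `
                -DnsOnly -ErrorAction Stop
            $canLocateDc = [bool]($answer | Where-Object { $_.Type -eq 'SRV' })
            $status = 'answered'
        } catch {
            # Timeout (server offline) or NXDOMAIN (server does not know the domain).
            $canLocateDc = $false
            $status = $_.Exception.Message
        }
        $timer.Stop()
        [pscustomobject]@{
            Interface   = $nic.InterfaceAlias
            Order       = $order
            DnsServer   = $server
            CanLocateDc = $canLocateDc
            ElapsedMs   = $timer.ElapsedMilliseconds
            Status      = $status
        }
    }
}

$results | Format-Table -AutoSize

# Any server flagged here may be used by the client but cannot resolve the domain.
$results | Where-Object { -not $_.CanLocateDc } | ForEach-Object {
    Write-Warning "$($_.DnsServer) on $($_.Interface) cannot resolve $srvName"
}
```

A server that shows `CanLocateDc = False` while the domain controller is online is one that clients can end up querying for internal names without getting an answer.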