Authoritative Screening
I have GTMs set up for authoritative screening for internal DNS queries. Clients have the primary and secondary DNS settings pointing to GTM listeners.
The problem encountered is when a client tries to join the AD domain: it cannot. If I change the client DNS to the AD DNS servers, the client can join the domain without issue.
The zone exists on the GTM. Trying to determine if an SRV record needs to be created.
Am I missing a step here?
- Cory_50405 (Noctilucent)
In your GTM pool config, are your members the actual AD servers or virtual servers on an LTM that load balances across your AD servers?
When you say the zone exists on the GTM, does that mean you created the zone within ZoneRunner? Or created a DNSSEC zone for it? Or both?
- steve_88008 (Nimbostratus)
Yes, there is a pool to LB the DNS queries that aren't matched by a WIP.
Yes, in ZoneRunner the zone exists. Not using DNSSEC.
- Cory_50405 (Noctilucent)
You may not need the pool at all. If the zone that you define within ZoneRunner is a forward zone, and you specify the two AD server IP addresses as the forwarders, then any non-wide IP queries for that zone should be forwarded to the AD servers.
- steve_88008 (Nimbostratus)
When the WIP is created, it creates the zone as master. I would have to delete and re-create the zone as a forwarder. However, per the deployment guide for screening, a pool to LB non-WIP queries is created and assigned to the listener, so I have to think this is best practice....
The stats indicate queries are getting sent to the servers.
- Cory_50405 (Noctilucent)
I'd recommend running a tcpdump on your GTM to help isolate what the problem may be. If the setup is working properly, you'll see GTM sending DNS queries to your pool members. Could be that responses aren't coming back for whatever reason.
- steve_88008 (Nimbostratus)
A couple of zones didn't exist.... The other zones are working just fine.
Thanks for the response, Cory.
- Cory_50405 (Noctilucent)
Sounds like an easy fix. Glad you got it figured out.
- steve_88008 (Nimbostratus)
This is unfamiliar territory for me. So the zones that are missing are sub-zones.
Example: zone returning SRV records: abc123.local. Zone not returning SRV records: test.abc123.local.
All SOA and NS records are identical in both zones...
- steve_88008 (Nimbostratus)
I am getting an unspecified error when I run this against the GTM:
nslookup -> set type=all -> _ldap._tcp.dc._msdcs.test.abc123.local
This one returns SRV records:
nslookup -> set type=all -> _ldap._tcp.dc._msdcs.abc123.local
However, this query against the DNS server returns SRV records:
nslookup -> set type=all -> _ldap._tcp.dc._msdcs.test.abc123.local
- steve_88008 (Nimbostratus)
Set debug and discovered "read failed: result too large". Looks like this can go on for a while; better buckle in...
- Cory_50405 (Noctilucent)
When querying for the SRV record you mention from an outside client, does the GTM return a response to the query? What do you see when using tcpdump?
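An added example, not from this thread or from F5, to make the comparison Cory asks for without relying on nslookup's error text: a stdlib-only Python client that sends one SRV query for the _ldap._tcp.dc._msdcs name to a given server, parses the reply's rcode and TC (truncated) bit, and can repeat the query over TCP. Server addresses are whatever GTM listener and AD DNS server you point it at; the record names come from the thread and the query id is an arbitrary constant.

```python
import socket, struct
SRV = 33  # record type; AD clients locate DCs via _ldap._tcp.dc._msdcs.<zone> and similar names

def encode_name(name):  # dotted name -> DNS label wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
def build_query(name, qid=0x1234):  # header with RD=1 and one question: <name> SRV IN
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", SRV, 1)

def read_name(msg, off):  # decode a possibly compressed name -> (name, offset after it)
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte pointer to a name earlier in the message
            labels.append(read_name(msg, struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_response(msg):  # -> rcode, TC (truncated) bit and every SRV tuple in the answer section
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    info = {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "srv": []}
    off = 12
    for _ in range(qd):  # skip the echoed question
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            info["srv"].append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return info

def query(server, name, tcp=False, timeout=3.0):
    # UDP by default; TCP is the retry a resolver makes after a truncated (TC=1) UDP reply
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # server: a GTM listener or an AD DNS server address (your own values)
        if tcp:
            s.sendall(struct.pack(">H", len(q)) + q)  # TCP frames the message with a 2-byte length
            f = s.makefile("rb")
            data = f.read(struct.unpack(">H", f.read(2))[0])
        else:
            s.send(q)
            data = s.recv(4096)
    return parse_response(data)
```

Run query(gtm_listener, "_ldap._tcp.dc._msdcs.test.abc123.local") and the same call against an AD DNS server and compare the two dicts: an empty srv list with rcode 3 means the name is not in that zone, while truncated=True means the answer did not fit in UDP and should be re-run with tcp=True before drawing conclusions.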