i have GTMs set up for authoritative screening for internal DNS queries. clients have the pri and sec dns settings pointing to GTM listeners. Problem encountered is when a client joins the AD domain. It can not. If I change client dns to ad\dns servers, client can join domain without issue. the zone exists on the GTM. trying to determine if a srv record needs to be created. am i missing a step here?

In your GTM pool config, are your members the actual AD servers or virtual servers on an LTM that load balances across your AD servers? When you say the zone exists on the GTM, does that mean you created the zone within ZoneRunner? Or created a DNSSEC zone for it? Or both?

yes there is a pool to LB the dns queries that aren't matched by a WIP. yes in zonerunner the zone exists. not using dnssec.

You may not need the pool at all. If the zone that you define within ZoneRunner is a forward zone, and you specify the two AD server IP addresses as the forwarders, then any non-wide IP queries for that zone should be forwarded to the AD servers.

when the WIP is created it creates the zone as master. I would have to delete and re-create the zone as a forwarder. However per the deployment guide for screening the creation of a pool to LB non WIP queries is created and assigned to the listener. So I have to think this is best practice.... the stats indicate queries are getting to sent to the servers.

I'd recommend running a tcpdump on your GTM to help isolate what the problem may be. If the setup is working properly, you'll see GTM sending DNS queries to your pool members. Could be that responses aren't coming back for whatever reason.

Authoritative Screening

steve_88008
Nimbostratus
Sep 08, 2014
i see a response from the GTM back to the client with the SRV records.
Cory_50405
Noctilucent
Sep 08, 2014
But the client isn't receiving the response? This could be due to some device in between performing DNS packet inspection and dropping the response if the packet size exceeds a certain value, or not allowing certain query types. Any firewalls in the data path between your GTM and the client?
steve_88008
Nimbostratus
Sep 08, 2014
i thought that at first as well. I fired up wireshark and reviewed. wireshark showed the response being returned to the client as well.

the odd thing is if I back up one level SRV records are returned. its only with there is sub domain.

returns SRV records nslookup ->set type=all ->_ldap._tcp.dc._msdcs.abc123.local

returns no srv records, nslookup ->set type=all ->_ldap._tcp.dc._msdcs.test.abc123.local
- Cory_50405
  Noctilucent
  Sep 08, 2014
  But these test.abc123.local queries directly against AD are working? When looking at a tcpdump on the GTM, do you notice any difference between responses returned to the client for _ldap._tcp.dc._msdcs.abc123.local vs. _ldap._tcp.dc._msdcs.test.abc123.local?
steve_88008
Nimbostratus
Sep 08, 2014
yes against AD they work. no difference in captures between domains via the GTM...
Cory_50405
Noctilucent
Sep 08, 2014
If you run a Wireshark capture on the client, do you notice any difference in the queries there?
steve_88008
Nimbostratus
Sep 08, 2014
nope.
Cory_50405
Noctilucent
Sep 08, 2014
So the communications appear to be working as intended (client to GTM, GTM to AD) as far I can tell. The unspecified error is being presented by which application?
steve_88008
Nimbostratus
Sep 08, 2014
this was discovered when joining a host to the domain. nslookup was used to discover srv were not being returned...
steve_88008
Nimbostratus
Sep 11, 2014
so... two things..

someone changed the dns profile i had assigned to the listeners
source address was not enabled on the dns TCP VIP
steve_88008
Nimbostratus
Sep 11, 2014
its resolved..

Forum Discussion

Authoritative Screening

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

dns transparent cache as authoritative?

GTM as Authoritative DNS

Directed DDoS Attacks as Screens

Windows APM 7.2.2 - blue screens?

BIG-IP DNS - Response to SRV request in Authoritative screening mode?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS