Forum Discussion

mark_goldstein_
Jan 20, 2015

GTM with AD integration for internal use

Hi everyone, we've been working on implementing a few GTM boxes for internal DR purposes -- e.g. always return one LTM VS IP address unless we tell it to return a different one -- and we are pretty close to completion. We have everything GTM-related working well, but we are having some AD-DNS integration issues.

We understand how records are delegated to GTM and have a few in place, including some test Wide IPs that we can play with. The issue comes with making the "delegation records," as I'm calling it, available globally.

For this scenario, we have ~100 Windows domain controllers running DNS. All workstations and servers themselves are under the zone lan.company.com... the domain "company.com" is reserved mostly for static "A" records and the like, to make URLs a little prettier.

We have a separate domain set up, internally and externally, to delegate to: companydyn.com. Internally under that zone, we have two NS records in place, pointing to the GTM listeners. Additionally, under lan.company.com, we have two "A" records listed for the names listed as the NS servers for companydyn.com.

So far, on a test basis, everything works fine. With the above base config in place, and then by setting up "test.company.com" as a CNAME to "test.companydyn.com", and with the Wide IP configured, the GTM properly responds to "test.company.com" when a client does a DNS query against one AD DNS server.

Now, under the above scenario, with the zone companydyn.com being a standalone on that one DNS server, a client pointing to a different DNS server would not know how to reach it... it would see the CNAME entry under lan.company.com but then not know how to reach companydyn.com (or worse, it would recursively look to the internet for it, yielding no results). So, we made the zone companydyn.com AD-integrated so it appears on all AD DNS servers. This populated the zone with not only the two NS records for the GTM listeners, but an NS record for each and every DNS server in the AD forest. Yes, by AD design, but this now causes our queries to that zone to appear to fail: whatever mechanism AD uses to choose the NS to reply to the user's request doesn't have the "A" records to reply. Those are all on the GTM box. I imagine that if it's random or round-robin, the request would eventually hit the GTM and I would receive a proper reply.

Bottom line... we would like someone trying to reach the URL "abc.lan.company.com" or sometimes "abc.company.com" to do a DNS lookup to an AD-DNS server, receive the CNAME abc.companydyn.com, then know how to properly reach the GTM boxes (authoritative for companydyn.com) for resolution. We would like the zone companydyn.com to show up on all DCs (which I believe is necessary so the DC knows how to reach its NSs) but only show two NS records inside: the GTM boxes.

I realize that this is really an AD issue, but I figure that there must be some people out there with the exact same scenario that they have worked through.

On a positive note, GTM works great externally. We have the domain companydyn.com set up with NS and "A" glue records, and lookups to, for example, xyz.company.com work great.

Thanks everyone. -mark g

1 Reply

  • You will want to create a "Stub zone" in the Microsoft DNS Manager. This should create a zone with only the SOA and NS records for the domain you are creating, and not the AD DNS server info.
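One way to carry out the stub-zone suggestion above, as an added PowerShell example that is not part of the thread; the DC name and the GTM listener addresses are placeholders, and the cmdlets come from the Windows DnsServer module:

```powershell
# Added example (not from the thread): replace the AD-integrated primary copy of
# companydyn.com with an AD-replicated stub zone whose masters are the two GTM
# listeners, so every DC learns only those two NS records, then verify the result.
Import-Module DnsServer

$Dc           = 'dc01.lan.company.com'       # assumed: any DC running the DNS role
$GtmListeners = @('10.0.0.53', '10.0.1.53')  # assumed: IPs of the GTM listeners (NS for companydyn.com)

# A server cannot hold a primary and a stub zone of the same name, so the
# AD-integrated primary created in the question has to go first.
Remove-DnsServerZone -ComputerName $Dc -Name 'companydyn.com' -Force

# Stub zone: holds only the SOA, NS and glue A records pulled from the masters,
# and replicates forest-wide so all ~100 DCs see the same two name servers.
Add-DnsServerStubZone -ComputerName $Dc `
    -Name 'companydyn.com' `
    -MasterServers $GtmListeners `
    -ReplicationScope 'Forest'

# Check 1: the NS set should list only the GTM listeners, not every DC in the forest.
Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName 'companydyn.com' -RRType NS |
    Select-Object -ExpandProperty RecordData |
    Select-Object -ExpandProperty NameServer

# Check 2: a query against this DC should follow the CNAME into companydyn.com and
# come back with whatever address the GTM Wide IP currently hands out.
Resolve-DnsName -Name 'test.company.com' -Type A -Server $Dc
```

Run the two checks against a second DC once AD replication has completed; if the NS list there still shows domain controllers, the old AD-integrated zone has not been removed from every replication partner yet.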