Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CGoodwin
New Contributor

FortiGate as remote site DNS for Domain Clients

Hello all,

So we are testing using FortiGates as DNS servers for remote sites. Our test site is as follows.

A Windows Domain Server Hosted in Azure 192.168.1.10 (HQ Server)

Site to Site VPN

FortiGate 60D in the remote site 192.168.10.254


The DNS server on the domain controller is configured to use the FortiGate as a second name server. Zone transfer is set to use the name servers of the zone, and so is Notify.


DNS Database is turned on on the 60D.

A slave database is configured in the DNS Server settings below:

Type: slave

View: Shadow

DNS Zone: company.local

Domain: company.local

IP of Master: 192.168.1.10

Authoritative: Enabled


Interface Services configured for the internal interface

I also set source-ip to the internal interface and set the forwarder to the HQ DC.


But users could not log on and were getting "no name servers found". I then also configured the _msdcs zone:


Type: slave

View: Shadow

DNS Zone: _msdcs.company.local

Domain: _msdcs.company.local <-- I had to do this as it will not allow me to have company.local as the above database is using it

IP of Master: 192.168.1.10

Authoritative: Enabled


But still no sign-ons. Anyone any thoughts?

CLI config:

config system dns-database
    edit "company.local"
        set domain "company.local"
        set type slave
        set forwarder "192.168.1.10"
        set source-ip 192.168.10.254
        set ip-master 192.168.1.10
    next
    edit "_msdcs.company.local"
        set domain "_msdcs.company.local"
        set type slave
        set forwarder "192.168.1.10"
        set source-ip 192.168.10.254
        set ip-master 192.168.1.10
    next
end

FCNSA, FCNSP (NSE4), NSE5
1 Solution
sc_bperry
New Contributor

Wow, no one's answered you in almost two years! I had this same issue today and was looking for a solution. I eventually resolved it by marking the FortiGate DNS database as not authoritative. This makes sense because it should query the Windows DNS server if it's not found in the FortiGate database.
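A check for the setup in this thread, added here and not part of either post: it asks the HQ DC and the remote FortiGate for the SRV records a Windows client looks up when locating a domain controller, and reports every name where the two answers differ, which is the condition behind the "no name servers found" logon failure. It assumes dig is installed on the machine running it; the IPs and zone are the ones from the question.

```shell
#!/bin/sh
# Added check (not from the original thread). Assumes dig is available;
# server IPs and zone are taken from the question above.
DC=192.168.1.10       # HQ domain controller (ip-master / forwarder)
FGT=192.168.10.254    # remote FortiGate 60D acting as site DNS
ZONE=company.local

# SRV names a Windows client queries during DC location and logon.
dc_locator_names() {
    d=$1
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$d" \
        "_kerberos._tcp.dc._msdcs.$d" \
        "_ldap._tcp.pdc._msdcs.$d" \
        "_ldap._tcp.$d" \
        "_kerberos._tcp.$d" \
        "_kpasswd._tcp.$d" \
        "_gc._tcp.$d"
}

# Query one SRV name at one server; print sorted "prio weight port target" lines.
srv_answers() {
    dig +short +time=2 +tries=1 -t SRV "$1" "@$2" 2>/dev/null | sort
}

# Compare both resolvers for every locator name; returns 0 only if all match.
compare_resolvers() {
    rc=0
    for n in $(dc_locator_names "$ZONE"); do
        a=$(srv_answers "$n" "$DC")
        b=$(srv_answers "$n" "$FGT")
        if [ -z "$a" ]; then
            echo "WARN  $n: no SRV answer from DC $DC (check the zone on the DC)"
        elif [ "$a" = "$b" ]; then
            echo "OK    $n"
        else
            echo "FAIL  $n: FortiGate answer differs from DC"
            echo "      DC : ${a:-<none>}"
            echo "      FGT: ${b:-<none>}"
            rc=1
        fi
    done
    return $rc
}

# Only query the network when run explicitly: ./dnscheck.sh --run
if [ "${1:-}" = "--run" ]; then compare_resolvers; fi
```

Run it from a client on the remote LAN so the FortiGate is reached over the same path the domain members use; a FAIL line whose FGT answer is empty is the authoritative-zone behaviour the accepted answer fixes.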
