
This article assumes that you are already familiar with configuring DHCP, DNS, and static DNS entries on your MikroTik router. If you have not yet familiarized yourself with that subject, please read the fine manual, then come back here for the nitty-gritty.

DISCLAIMER:

Running Active Directory DNS on a router (or anywhere other than a Windows DNS server) is not advised. If you use DNSSEC, dynamic DNS record updates from DHCP, or domain controller replication, or if your Active Directory forest has more than one domain, stop reading now: as far as I know MikroTik cannot handle any of that.

If, on the other hand, you have a simple domain with one domain controller, and you want DNS for your home network devices to stay available even while the domain controller is down installing Windows Updates, without dedicating another Windows PC as a DNS server, then this article may help. The commands below that create the DNS records are based on Microsoft's TechNet article SRV Records Registered by Net Logon and were completed by analyzing a live test domain.

So without further ado, here is the script:

# RouterOS 7 static DNS records for a single-DC domain. Record types are given
# explicitly (type=NS, type=CNAME, type=SRV); an entry without type= is an A record.
# Host and name-server records
/ip dns static add name=ns.example.com address=DNSIP
/ip dns static add name=dc.example.com address=DCIP
/ip dns static add name=example.com address=DCIP
/ip dns static add name=example.com type=NS ns=ns.example.com
# Site-specific service records (global catalog, Kerberos, LDAP)
/ip dns static add name=_gc._tcp.Default-First-Site-Name._sites.example.com type=SRV srv-port=3268 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_kerberos._tcp.Default-First-Site-Name._sites.example.com type=SRV srv-port=88 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.Default-First-Site-Name._sites.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
# Domain-wide service records
/ip dns static add name=_gc._tcp.example.com type=SRV srv-port=3268 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_kerberos._tcp.example.com type=SRV srv-port=88 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_kpasswd._tcp.example.com type=SRV srv-port=464 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_kerberos._udp.example.com type=SRV srv-port=88 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_kpasswd._udp.example.com type=SRV srv-port=464 srv-target=dc.example.com srv-weight=100
# Application directory partitions (DomainDnsZones, ForestDnsZones)
/ip dns static add name=DomainDnsZones.example.com address=DCIP
/ip dns static add name=_ldap._tcp.DomainDnsZones.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=ForestDnsZones.example.com address=DCIP
/ip dns static add name=_ldap._tcp.ForestDnsZones.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
# _msdcs subdomain: DSA GUID alias, DC, domain, GC and PDC locator records
/ip dns static add name=_msdcs.example.com type=NS ns=ns.example.com
/ip dns static add name=DsaGUID._msdcs.example.com type=CNAME cname=dc.example.com
/ip dns static add name=_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com type=SRV srv-port=88 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_kerberos._tcp.dc._msdcs.example.com type=SRV srv-port=88 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.dc._msdcs.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.DomainGUID.domains._msdcs.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.gc._msdcs.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100
/ip dns static add name=_ldap._tcp.pdc._msdcs.example.com type=SRV srv-port=389 srv-target=dc.example.com srv-weight=100

Before you upload and run the above script on your MikroTik router, substitute the placeholder values first:

DNSIP                   - IP address of your MikroTik router (the address clients will use as their DNS server)
DCIP                    - IP address of your domain controller
example.com             - FQDN of your Active Directory domain (this should not be the same as your public internet domain, because the router would then answer for that name too)
dc.example.com          - FQDN of your domain controller (replace "dc" with the domain controller's actual computer name)
Default-First-Site-Name - Replace with your actual Active Directory site name if you renamed it
DsaGUID, DomainGUID     - Copy from the DNS Manager console on your domain controller: the CNAME record directly under _msdcs is named after the DsaGUID, and the folder under _msdcs -> domains is named after the DomainGUID

After replacing those values you can upload the script to your MikroTik router and run it using the following command:

/import filename

Where filename is the name of the uploaded file.
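As an added example (not part of the original article), the following PowerShell script does the placeholder substitution for you: it reads the A, CNAME and SRV records the domain controller registered in its own zones and writes them out in the RouterOS 7 form used above, and it prints the DsaGUID and DomainGUID so you can check them against the names in the zone. It assumes the RSAT ActiveDirectory and DnsServer modules are installed, a single-DC domain as in the disclaimer, and that the output file name (ad-dns.rsc) and parameter names are my own choices. Because it copies whatever the DC registered, it may emit a record or two beyond the hand-written list, such as the gc._msdcs host record.

```powershell
# Added example, not from the original article: generate the MikroTik static DNS
# script from the records the DC actually registered, instead of editing placeholders.
# Assumes RSAT (ActiveDirectory + DnsServer modules), a single-DC domain, RouterOS 7
# syntax, and that you supply the router's IP in -RouterIp. File name is an assumption.
param(
    [Parameter(Mandatory)][string]$RouterIp,
    [string]$OutFile = "ad-dns.rsc"
)
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)
if ($dcs.Count -ne 1) {
    throw "Found $($dcs.Count) domain controllers; this approach only fits a single-DC domain."
}
$dc      = $dcs[0]
$zone    = $domain.DNSRoot.ToLower()                 # e.g. example.com
$dcFqdn  = $dc.HostName.ToLower()                    # e.g. dc.example.com
$dcIp    = $dc.IPv4Address
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID.Guid
$domGuid = $domain.ObjectGUID.Guid

# Relative record name plus zone name -> FQDN used in the RouterOS "name=" field.
function Get-Fqdn([object]$rec, [string]$zoneName) {
    if ($rec.HostName -eq '@') { return $zoneName }
    return "$($rec.HostName).$zoneName".ToLower()
}

$out = New-Object System.Collections.Generic.List[string]
$out.Add("# generated $(Get-Date -Format s) from $dcFqdn for zone $zone")
# The router names itself as authoritative, so the DC's own NS records are not copied.
$out.Add("/ip dns static add name=ns.$zone address=$RouterIp")
$out.Add("/ip dns static add name=$zone type=NS ns=ns.$zone")
$out.Add("/ip dns static add name=_msdcs.$zone type=NS ns=ns.$zone")

# _msdcs is normally a separate, delegated zone on the DC, so both zones are read.
foreach ($z in @($zone, "_msdcs.$zone")) {
    Get-DnsServerResourceRecord -ComputerName $dcFqdn -ZoneName $z -RRType A |
        Where-Object { $_.RecordData.IPv4Address.ToString() -eq $dcIp } |
        ForEach-Object { $out.Add("/ip dns static add name=$(Get-Fqdn $_ $z) address=$dcIp") }

    Get-DnsServerResourceRecord -ComputerName $dcFqdn -ZoneName $z -RRType CName |
        Where-Object { $_.RecordData.HostNameAlias.TrimEnd('.').ToLower() -eq $dcFqdn } |
        ForEach-Object { $out.Add("/ip dns static add name=$(Get-Fqdn $_ $z) type=CNAME cname=$dcFqdn") }

    Get-DnsServerResourceRecord -ComputerName $dcFqdn -ZoneName $z -RRType Srv |
        Where-Object { $_.RecordData.DomainName.TrimEnd('.').ToLower() -eq $dcFqdn } |
        ForEach-Object {
            $d = $_.RecordData
            $out.Add("/ip dns static add name=$(Get-Fqdn $_ $z) type=SRV srv-priority=$($d.Priority) srv-weight=$($d.Weight) srv-port=$($d.Port) srv-target=$dcFqdn")
        }
}

$out | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "Wrote $($out.Count) lines to $OutFile"
Write-Host "DsaGUID=$dsaGuid DomainGUID=$domGuid Site=$($dc.Site)"
```

Run it on the domain controller as a domain administrator (`.\Export-AdDns.ps1 -RouterIp 192.168.88.1`, with the script name and address being your own choice), then upload ad-dns.rsc and import it exactly as described above. Lines beginning with # are comments in RouterOS script files and are ignored by /import.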

After verifying in the WinBox GUI (IP -> DNS -> Static) that the records are in place, test whether everything works: log in to your domain controller, change the DNS server address in the network adapter's properties to your router's IP address, and run the following commands in a command prompt:

ipconfig /flushdns
dcdiag /test:dns

The first command purges any cached DNS entries so the test really goes to the router; the second runs the DNS tests, which should pass. If the only complaints concern dynamic update or record registration, that is expected given the disclaimer above, since the router cannot accept dynamic updates.

After making sure the DNS configuration is OK, log in to any domain-joined PC, temporarily change its DNS server IP address to the router, and run the following commands in a command prompt:

ipconfig /flushdns
gpupdate /force

As in the previous test, the first command purges the DNS cache so we are actually testing the new DNS server, and the second checks whether the domain-joined PC can still locate the domain controller and fetch group policy from it.

If both tests pass without errors then congratulations are in order: you can now change your DHCP server's DNS option to point at your MikroTik router, point the domain controller's own adapter at the router as well, and remove the DNS role from the domain controller.
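As an added example (not part of the original article), the following PowerShell script is a more thorough check to run before switching DHCP: it reads the .rsc script above, asks both the domain controller and the router for every record in it, and reports any answer that differs. It assumes the one-line `/ip dns static add name=...` form used above, and the parameter names are my own. NS records and the router's own ns host record are skipped because they differ from the DC by design (the router names itself as name server).

```powershell
# Added example, not from the original article: compare the DC's and the router's
# answers for every record in the MikroTik script before pointing DHCP at the router.
# Assumes the "/ip dns static add name=..." one-line form; -DcIp/-RouterIp are yours.
param(
    [Parameter(Mandatory)][string]$ScriptPath,
    [Parameter(Mandatory)][string]$DcIp,
    [Parameter(Mandatory)][string]$RouterIp
)

# Turn one RouterOS line into (name, type). When no explicit type= is present the
# type follows from which field the line carries, as in the hand-written script.
function Get-RecordSpec([string]$line) {
    if ($line -notmatch 'name=(\S+)') { return $null }
    $name = $Matches[1]
    $type = if     ($line -match 'type=(\S+)')  { $Matches[1].ToUpper() }
            elseif ($line -match 'srv-target=') { 'SRV' }
            elseif ($line -match 'cname=')      { 'CNAME' }
            elseif ($line -match '\bns=')       { 'NS' }
            else                                { 'A' }
    [pscustomobject]@{ Name = $name; Type = $type }
}

# Query one server and normalise the answer to sorted strings so record order
# and letter case do not produce false differences.
function Get-Answer([string]$name, [string]$type, [string]$server) {
    try {
        $rr = Resolve-DnsName -Name $name -Type $type -Server $server -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq $type }
    } catch {
        return @("<no answer: $($_.Exception.Message)>")
    }
    $rr | ForEach-Object {
        switch ($type) {
            'SRV'   { "$($_.Priority) $($_.Weight) $($_.Port) $($_.NameTarget)".ToLower() }
            'A'     { $_.IPAddress }
            'CNAME' { $_.NameHost.ToLower() }
            'NS'    { $_.NameHost.ToLower() }
        }
    } | Sort-Object
}

$routerHostPattern = "address=$([regex]::Escape($RouterIp))(\s|$)"
$failed = 0
Get-Content $ScriptPath | ForEach-Object {
    $spec = Get-RecordSpec $_
    if (-not $spec) { return }                       # comment or blank line
    if ($spec.Type -eq 'NS' -or $_ -match $routerHostPattern) {
        Write-Host ("SKIP  {0} {1} (router-only by design)" -f $spec.Type, $spec.Name)
        return
    }
    $fromDc     = @(Get-Answer $spec.Name $spec.Type $DcIp)
    $fromRouter = @(Get-Answer $spec.Name $spec.Type $RouterIp)
    if (($fromDc -join '|') -eq ($fromRouter -join '|')) {
        Write-Host ("OK    {0} {1}" -f $spec.Type, $spec.Name)
    } else {
        $failed++
        Write-Warning ("DIFF  {0} {1}`n   DC:     {2}`n   router: {3}" -f
            $spec.Type, $spec.Name, ($fromDc -join ', '), ($fromRouter -join ', '))
    }
}
if ($failed) { Write-Error "$failed record(s) differ; do not switch DHCP yet."; exit 1 }
Write-Host "All compared records match."
```

Run it from any domain-joined machine while the DC still serves DNS, for example `.\Compare-AdDns.ps1 -ScriptPath .\ad-dns.rsc -DcIp 192.168.88.10 -RouterIp 192.168.88.1` (script name and addresses are placeholders). A DIFF on an SRV record usually means a typo in a name or a wrong port, and a "no answer" from the router means the record was never imported.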