DNS for AD Group

[karldenton]

Hi,
Is there a way to have a certain AD group use 1 set of DNS and the rest use another.

Basically I have blocked facebook.com via an A Record in DNS to a dead IP address. I want to block dailymotion for 1 group of users but allow it for everyone else. I don't have ISA

Thanks

[RageRiot]

I think the best option might be to setup a proxy.
do you only have the one server?
and I'm assuming you dont have a cache box(proxy)

Depending on the current load or roles your server has then it might be worth installing squid proxy using AD authentication, I've never done this but based on the fact our school is using a Cache pilot from equinet it uses Ad auth and runs Squid. it allows you to block or allow access to certain sites depending on the AD group they belong to. as well as it's primary function to serve as a web cache.

[bio]

I would do this with a proxy/firewall. But i guess you could do this the hard way by creating a loginscript that copies a modified hostname (that points facebook.com to dead ip) based on AD groups to the local machine.

bio..

[januttall]

I have set up a ubuntu server box with squid, and dansguardian, webmin and the dansguardian plugin for webmin. we have difrent lists for difrent sets of users staff students admin. and it authenitcates via ident which we have deployed through GPO. there is also a script wich i think is on the dansguardian homepage to copy a list of specific users, we copy admin and staff as students are in the lower group so if some one brings anything in and connects they are automaticly filterd as students. and it can be set up transparently so no setings in each machine have to be specifyed if you so wished.

[Michael]

DNS is set per domain/network rather than per OU or Security Group. I don't think it'd ever be possible with how Active Directory currently works. I agree a proxy would be the best way.