DNS replication - operating as a synced domain backup
With the current Sophos feature set, in a company network with domain-joined PCs you can only use the DC/DNS server as the DNS address on your clients if GPOs, shares and the domain itself are to work.
(1. Default Setup)
When the DC server reboots or fails, clients cannot browse or work.
(2. Scenario no *****)
A solution for internet browsing would be to add the Sophos IP as the secondary DNS. When the DC fails, the secondary DNS kicks in and browsing works.
When the DC server is back online, Windows will not automatically switch back to the primary DNS server, so this causes issues with GPOs and the entire internal network.
The solution would be a DNS feature on the Sophos: a sync between the DC and the Sophos would replicate the DNS records.
(3. Sophos DNS)
Scenario with the Sophos DNS feature:
The DC fails and no longer responds to DNS requests. Windows switches to its secondary DNS address, the Sophos firewall, which handles DNS requests for both the internal (office.local) and the external network.
When the DC is live again, it does not matter whether DNS requests flow to the DC or to the Sophos: both reply, and there is no issue with GPOs, shares, etc.
(4. Scenario Sophos)
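To make the difference between scenario 2 (Sophos as a plain forwarder) and scenario 3 (Sophos holding a synced copy of the zone) concrete, here is a small model of the failover behaviour described above. It is an added example, not Sophos or Windows code: the server names, the office.local records, the public answer and the "stick to the last server that answered" rule are constructed assumptions.

```python
# Constructed model of a client with a primary (DC) and secondary (Sophos) DNS server.
from dataclasses import dataclass

# Constructed sample data: one internal zone and one "internet" name.
INTERNAL = {"office.local": {"dc1.office.local": "10.0.0.5", "fs1.office.local": "10.0.0.6"}}
PUBLIC = {"www.example.com": "203.0.113.10"}

@dataclass
class DnsServer:
    name: str
    zones: dict          # zone suffix -> {fqdn: ip}; empty for a pure forwarder
    up: bool = True

    def resolve(self, fqdn):
        """Return an IP, None for NXDOMAIN, or raise TimeoutError if the server is down."""
        if not self.up:
            raise TimeoutError(self.name)
        for zone, records in self.zones.items():
            if fqdn.endswith("." + zone):
                return records.get(fqdn)        # authoritative: no record means NXDOMAIN
        return PUBLIC.get(fqdn)                 # otherwise forward to the internet

@dataclass
class Client:
    servers: list        # primary first, secondary second
    preferred: int = 0   # index of the server the client currently sticks to

    def lookup(self, fqdn):
        order = [self.preferred] + [i for i in range(len(self.servers)) if i != self.preferred]
        for i in order:
            try:
                answer = self.servers[i].resolve(fqdn)
            except TimeoutError:
                continue                        # try the next configured server
            self.preferred = i                  # keep using the server that answered (assumption)
            return answer
        raise TimeoutError("no DNS server reachable")

def run_scenario(sophos_has_zone):
    """Walk through DC up -> DC down -> DC back and record what the client resolves."""
    dc = DnsServer("dc", INTERNAL)
    sophos = DnsServer("sophos", INTERNAL if sophos_has_zone else {})
    client = Client([dc, sophos])
    results = {"before": client.lookup("fs1.office.local")}
    dc.up = False
    results["dc_down_internet"] = client.lookup("www.example.com")
    results["dc_down_internal"] = client.lookup("fs1.office.local")
    dc.up = True
    results["dc_back_internal"] = client.lookup("fs1.office.local")
    return results
```

`run_scenario(False)` shows internal names still failing after the DC is back, because the client stays on the Sophos; `run_scenario(True)` resolves office.local throughout.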
Illustrations explaining the scenarios: https://www.lucidchart.com/documents/view/3385757a-100e-4cce-aafe-5d9bacf9bb97