My current Windows workplace network needs some users to have restricted access to the internet and some users to have full access to the internet.
So I used OpenDNS, as it turned out to be the simplest and yet most cost-effective option (as in free!). So I gave those users limited accounts, restricted groups of sites like file and video sharing, social networking, adult sites, etc. in the OpenDNS control panel, and pointed those users' DNS settings to OpenDNS.
Now I have decided to upgrade this network to a Windows Server 2008 R2 environment, obviously for better management and to make use of centralized file storage and access restrictions on the file server, and I'm stuck again because I want to have some computers use the OpenDNS servers to continue the restrictions, as that seems to be the easiest way to do so. But adding all computers on the network to the domain would also mean that these users would have to use the server's DNS, which in turn would give them full access to the internet. Also, in this new environment some users are not to be given internet access at all (at least for the time being). Can someone help me here?
Yeah sure, for simple internet access control DNS can be used in a very primitive form, for people who don't know how DNS works and don't know how to get around your configuration... but for comprehensive control you need a comprehensive solution. DNS wasn't meant for the use you intend it for, and as such isn't a very robust, scalable, reliable or fool-proof solution for your needs.
My suggestion would be to look at a solution from Microsoft, or any one of the blue zillion vendors who have products that do what you need.
DNS isn't meant for Internet access control, you should use a firewall or a proxy server for that.
If you're going to set up a domain environment, there is a very definite need for all domain computers to use the domain DNS server(s) (usually the domain controller(s)); "very definite need" meaning "do this, or everything will start behaving strangely and/or not working at all".
You could have your domain DNS server(s) use OpenDNS as a forwarder, instead of using your ISP's ones or looking up external names themselves; but this way, all DNS queries would come to OpenDNS from the DC(s), and it wouldn't be able to filter anything. The reverse also wouldn't work: you could have your users use OpenDNS and then have it forward queries for your internal AD domain to your domain controller(s) and resolve Internet queries itself... but Windows clients need to talk directly to domain DNS server(s), not only for name resolution, but also to register themselves in your internal DNS zone.
You should definitely look into a proxy or firewall solution; DNS just wasn't created for this.
DNS really is not going to work for access control. As soon as a user finds out that it's possible to access sites (including proxy sites) by IP address, it's all over.
If you are looking for a free community web filtering platform, you might consider Untangle.
Domain machines will only use your domain's DNS servers if you haven't configured them otherwise with group policy. Group the computers in various OUs according to whatever policy you have. Then create group policy objects for each OU that explicitly set the DNS settings. You can find them here:
But like joeqwerty mentioned, this is not going to stop technically savvy people from getting where they need to go.
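The per-OU group policy approach from the answer above, written out as an added example (this is not code from the thread or from any of its posters). It assumes a domain named corp.example.com, a domain controller at 192.0.2.10, the two public OpenDNS resolvers, hypothetical OU, GPO and computer names, and the ActiveDirectory and GroupPolicy PowerShell modules that ship with the Server 2008 R2 RSAT tools; run it as a domain admin on the DC. The registry key it writes is the one behind Computer Configuration > Administrative Templates > Network > DNS Client > DNS Servers. The catch the other answers raise still applies: a domain-joined machine in the filtered OU is pinned to OpenDNS and no longer resolves the domain's own records.

```powershell
# Added example, not from the original thread. Assumptions: domain corp.example.com,
# DC at 192.0.2.10, OpenDNS resolvers 208.67.222.222 / 208.67.220.220, RSAT modules present.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=corp,DC=example,DC=com'
$DcDns    = '192.0.2.10'                      # assumption: the domain controller's address
$OpenDns  = '208.67.222.222 208.67.220.220'   # the "DNS Servers" policy takes a space-separated list

# Registry location the "DNS Servers" computer policy writes to on the client.
$DnsPolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# One OU per access level, each with its own GPO that pins the client's resolver list.
# OU and GPO names are hypothetical.
$Plan = @(
    @{ Ou = 'Filtered Workstations';   Gpo = 'DNS - Filtered (OpenDNS)'; Servers = $OpenDns }
    @{ Ou = 'Unfiltered Workstations'; Gpo = 'DNS - Domain only';        Servers = $DcDns }
)

foreach ($entry in $Plan) {
    $ouDn = "OU=$($entry.Ou),$DomainDN"

    # Create the OU if it does not exist yet.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$($entry.Ou)'" -SearchBase $DomainDN)) {
        New-ADOrganizationalUnit -Name $entry.Ou -Path $DomainDN
    }

    # Create the GPO if it does not exist yet (Get-GPO throws on a missing name).
    if (-not (Get-GPO -Name $entry.Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $entry.Gpo | Out-Null
    }

    # Write the policy value, then link the GPO to the OU (an existing link is left alone).
    Set-GPRegistryValue -Name $entry.Gpo -Key $DnsPolicyKey -ValueName 'NameServer' `
        -Type String -Value $entry.Servers | Out-Null
    New-GPLink -Name $entry.Gpo -Target $ouDn -ErrorAction SilentlyContinue | Out-Null
}

# Move a computer into the filtered OU (hypothetical machine name).
Get-ADComputer 'WS-RECEPTION01' | Move-ADObject -TargetPath "OU=Filtered Workstations,$DomainDN"

# Check, run on the client after 'gpupdate /force': returns the resolver list the policy
# imposed, which overrides whatever is set on the NIC ('ipconfig /all' shows the same list).
function Get-PolicyDnsServers {
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    if ($props -and $props.NameServer) { return $props.NameServer -split ' ' }
    return @()   # empty: no DNS policy applied, the NIC's own settings are in effect
}
Get-PolicyDnsServers
```

Note that the policy value wins over the adapter's static or DHCP-assigned DNS list, so a user with local admin rights cannot simply change the NIC settings back; as the other answers point out, this still does nothing against connecting by IP address or to a resolver of the user's own choosing.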