Basic concept of AD and DNS

Discussion in 'Active Directory' started by mactable, Nov 18, 2005.

  1. mactable

    mactable Guest

    Hello, I am just a newbie learning AD and DNS. First of all, I am sorry
    for my poor English, but I hope you can understand.

    My environment is:
    internet --- router --- internal network (192.168.0.0/24)
    Win2003 AD and DNS (192.168.0.10)
    www server (192.168.0.11)
    mail server (192.168.0.12)
    users A, B, C... N (get IPs from DHCP, 192.168.0.100~200)

    The router has 2 NICs:
    one connects to the internet with 8 external IPs (202.xx.yy.2 - 202.xx.yy.9),
    the other connects to the internal network (192.168.0.0/24).

    I have registered my own domain (e.g. abc.com).

    My case is:
    recently I have set up a new Win2003 server (192.168.0.10) with AD and DNS
    installed. All internal users get IPs from DHCP, and their DNS is pointed
    to this Win2003 DNS, 192.168.0.10.

    All users on the internal network can join the Win2003 domain (192.168.0.10),
    but when users would like to join the domain from the external network, they
    cannot, because the Win2003 DNS registers abc.com's IP as 192.168.0.10, which
    cannot be accessed from the outside network.

    If I modify the Win2003 DNS record and change abc.com's IP to the real IP,
    202.xx.yy.2 (of course I have set up NAT and port mapping in the router as
    well), outside users can join this Win2003 domain, but internal users cannot
    join the domain. (I know that internal users on 192.168.0.0/24 cannot connect
    to 202.xx.yy.2 because this is a restriction of TCP/IP.)

    I just think my concept of AD and DNS may be a misunderstanding. For my case,
    could you please advise me how to do it the correct way, and let the
    Win2003 AD and DNS (which is behind the router) serve both external and
    internal users?

    Thanks very much in advance.
     
    mactable, Nov 18, 2005
    #1

  2. Looks like you know what you are doing. I would like to say that there is
    nothing wrong with your English - I didn't have any difficulties reading
    your post.

    Anyway, external users should not be able to join the domain as is. They
    need to VPN into your network, and then join the domain and access
    resources, etc.

    A nice way of doing this is with an ISA server. With a VPN setup you leave
    things as they are, and just work on getting the external users into your
    network and using your resources.

    If you need certain systems resolved externally, for example web pages, ftp,
    etc., then you need to implement what is known as split brain DNS. In your
    case though the ISP will host the external DNS, and you only need to worry
    about internal users resolving external names (you'll have to add things
    like www to the internal zone).

    Hope that makes sense.
     
    Paul Williams [MVP], Nov 18, 2005
    #2

  3. mactable

    mactable Guest

    Thanks very much, Paul.

    Yes, I force my router to do NAT and let my users join the domain from the
    external network; I suspect that it is not a reasonable way. As per your
    suggestion, should I build a VPN service on my Win2003 AD server, or could
    I use my router instead of Win2003 to accept VPN connections? (My router
    supports VPN.)
    I am afraid I misunderstand your meaning: you mean that if external users
    can join my internal network via VPN, external users can access my
    internal resources just as if they were sitting on the local LAN?
    Since I registered my own domain abc.com and the base DNS is pointing to this
    Win2003 AD and DNS (all domains and subdomains are managed by this Win2003
    machine), in case I have built a record like:

    www host (A) 202.xx.yy.2

    my internal users on 192.168.0.0/24 cannot access the web server. Is there
    any way to make the Win2003 DNS respond with the correct IP address?
    E.g. a query from the outside network for www.abc.com will be translated to
    202.xx.yy.2, but translated to 192.168.0.10 if the query is from the internal
    network?

    Is this something related to your suggestion "add things to the internal
    zone"? Would you please tell me more about this?

    At last, I am sorry that my question may be a little bit off topic for this
    group. Thanks in advance for making this clearer for me.
     
    mactable, Nov 18, 2005
    #3
  4. yes, i force my router to do nat and let my users join domain in external
    Ideally you would use your router or another server - you don't want to use
    the DC for this type of stuff.

    Yes. With a VPN tunnel established, it would be a kind of extension of your
    LAN.

    win2003 AD and DNS (all domains and subdomains are managed by this win2003
    machine), in case i have built a record like: www host (A) 202.xx.yy.2
    my internal users on 192.168.0.0/24 cannot access the web server, is there
    any way to make win2003 dns respond with the correct IP address? e.g. a query
    from the outside network for www.abc.com will be translated to
    202.xx.yy.2, but translated to 192.168.0.10 if the query is from the internal
    network?

    Generally, all you need to do is add a www address into the internal domain.
    The www address should be the external address of the web server. If you've
    done this already, and the IP address is correct, you might have a routing
    problem. Can you contact the web server via IP address? Can you telnet
    onto the web server's IP address using port 80?
     
    Paul Williams [MVP], Nov 18, 2005
    #4
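The split-brain arrangement Paul describes in #2 and #4 (an internal zone for the LAN, a public zone at the ISP, and a www record in the internal zone) can be modelled as a small answer selector. This is an added illustration, not code from the thread or from Windows DNS; 203.0.113.2 and 203.0.113.3 (RFC 5737 documentation addresses) are constructed stand-ins for the poster's 202.xx.yy.x public addresses, and the internal www record is pointed at the web server's LAN address so that LAN clients do not depend on the router hairpinning NAT.

```python
"""Split-horizon ("split brain") DNS answer selection for the layout in this
thread. Added illustration, not code from the thread or from Windows DNS.

Constructed values: 203.0.113.2 (RFC 5737 documentation range) stands in for
the poster's public address 202.xx.yy.2; 203.0.113.3 is a made-up public
address for mail. abc.com, 192.168.0.0/24 and the LAN hosts are the poster's."""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")

# Internal view: the zone the DC's DNS (192.168.0.10) serves to LAN clients.
INTERNAL_ZONE = {
    "abc.com.": "192.168.0.10",      # the DC; LAN clients need this to join the domain
    "www.abc.com.": "192.168.0.11",  # LAN address of the web server
    "mail.abc.com.": "192.168.0.12",
}

# External view: the public zone hosted at the ISP. The DC is not published.
EXTERNAL_ZONE = {
    "www.abc.com.": "203.0.113.2",   # NAT'd public address (constructed)
    "mail.abc.com.": "203.0.113.3",  # constructed
}


def resolve(qname, client_ip, internal=INTERNAL_ZONE, external=EXTERNAL_ZONE):
    """Return the A record a split-horizon setup hands to this client, or None.

    The view is chosen by the source address of the query: LAN clients get
    the internal zone, everyone else the public one."""
    name = qname.lower().rstrip(".") + "."
    view = internal if ipaddress.ip_address(client_ip) in LAN else external
    return view.get(name)


def audit_internal_zone(zone=INTERNAL_ZONE):
    """Names whose internal answer is not on the LAN.

    A LAN client handed a public address must go out through the router and
    back in (NAT hairpinning), which is the failure seen in the thread when
    www was pointed at 202.xx.yy.2 internally."""
    return sorted(n for n, ip in zone.items()
                  if ipaddress.ip_address(ip) not in LAN)


if __name__ == "__main__":
    print("LAN client  :", resolve("www.abc.com", "192.168.0.150"))  # 192.168.0.11
    print("remote user :", resolve("www.abc.com", "198.51.100.7"))   # 203.0.113.2
    print("DC from WAN :", resolve("abc.com", "198.51.100.7"))       # None
    print("bad internal:", audit_internal_zone({"www.abc.com.": "203.0.113.2"}))
```

The audit function reproduces the poster's failed experiment: any internal record that answers with a public address is flagged, because LAN clients cannot reach it without hairpin NAT on the router.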
  5. mactable

    mactable Guest

    I can only telnet to www.abc.com port 80 from outside, but it fails from the
    internal network, so maybe it is a routing problem. Should I set up another
    DNS which is only for internal users? Or is there any better way to do it?
    I do not want to use the hosts file to override it, because it will cause
    some of my mobile users to be unable to access my web when they are outside.

    Thanks very much, Paul.
     
    mactable, Nov 18, 2005
    #5
  6. You need to check how things are being routed outside. You should already
    have a different zone for internal users - the one that AD is using - you
    don't need to have any more unless your ISP isn't managing your website's
    DNS, in which case you also need an external zone.
     
    Paul Williams [MVP], Nov 19, 2005
    #6