How do I get our internal domain DNS to point to a different IP than outside DNS

Discussion in 'DNS Server' started by Saucer Man, Sep 12, 2008.

  1. Saucer Man

    Saucer Man Guest

    We have a public ip address assigned to a Terminal Server. Outside our
    domain, there is a DNS entry that directs clients to our public IP. We have
    a name assigned such as TS1.Domain.com

    Within our network, we cannot use that same public address. I would like our
    internal DNS to direct internal clients to our internal IP when using
    TS1.Domain.com. How can I do this?
     
    Saucer Man, Sep 12, 2008
    #1

  2. Saucer,
    It's not quite clear what you mean. I assume the server has an internal
    address, but that it has NAT to a static external address.
    You need to create a fake zone for domain.com on your internal DNS and
    populate it with the internal host records you want internal clients to
    find.
    Anthony,
    http://www.airdesk.com
     
    Anthony [MVP], Sep 12, 2008
    #2

  3. Saucer Man

    Saucer Man Guest

    Sorry if I wasn't clear. Basically, I am trying to get ts1.domain to
    resolve with an internal IP within the network. From the internet, I want
    it to resolve to its external IP. Will your instructions accomplish that?
    Thanks.

     
    Saucer Man, Sep 15, 2008
    #3
  4. Saucer Man

    Saucer Man Guest

    I also want to to add that the server (ts1.domain.com) is located on our
    network...not on the internet.

     
    Saucer Man, Sep 15, 2008
    #4
  5. Do a Google for "Split-DNS".
    The *context* would be when the Internal Domain and the Public Domain are
    not spelled the same way. This is not the same as when the Internal and
    Public Domain Names are spelled the same way. Split-DNS is used with both
    but is not done the same way with each type.

    When you read that material it will say you need two DNS Servers (hence the
    "split" concept). You do not,...the ISP's DNS *is* the "other" DNS,..some
    material does not make that clear. So you only have to worry about the one
    on "your side".

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------


     
    Phillip Windell, Sep 15, 2008
    #5
  6. Saucer Man

    Saucer Man Guest

    So I would create a new primary forward lookup zone called Domain.com that
    is NOT AD integrated. I would then create a HOST record called
    ts1.domain.com and point it to the internal address of the server. Is this
    correct?

    Our mail server is called mail.domain.com. Clients that are inside the
    network resolve to its Internet address as well as external clients. If I
    implement the split-dns, will it prevent internal clients from resolving
    mail.domain.com?
     
    Saucer Man, Sep 15, 2008
    #6
  7. Well, they shouldn't have been going to it via the External Address to begin
    with. So the Split-DNS having them use the private IP# will be correcting
    your former mistake. But with Split-DNS you can make it use whatever IP#
    you want,..that is the whole point of it,...they will use whatever IP you
    assign to the "mail" CNAME in the new Zone. Remember Zones are related to
    Names, not IP#s,..IP#s are irrelevant,..you can assign any IP# to a Record
    if the IP# is valid and works.

    Once a Zone is created it will become the "authoritative" DNS for that Zone
    with respect to the users who use that DNS. Therefore once you add Records
    for that Zone you will have to add *All* of the Records because any queries
    live and die at that DNS, they will not be forwarded anywhere else.
    Basically you will duplicate the Records your ISP uses except that you will
    use whatever IP# are relevant to your LAN (or just use a CNAME that points
    to the Record in your AD Zone),..but there is no need for an MX Record and
    you most likely will not need a Reverse Lookup zone.

    --
    Phillip Windell
    www.wandtv.com

     
    Phillip Windell, Sep 15, 2008
    #7
  8. Little correction. If it is a CNAME then it simply points to an existing A
    Record (any Zone). If it uses an IP# it will be an A Record. I personally
    prefer CNAMEs, but either will work.

    --
    Phillip Windell
    www.wandtv.com

     
    Phillip Windell, Sep 15, 2008
    #8
  9. Saucer Man

    Saucer Man Guest

    Ok..Thanks. Just so you know, our email server lives outside our domain and
    does not have an internal address. That's why our internal clients use the
    public address. So I will create two records under the new domain. The
    first one "ts1" (A record) which will point to the terminal server (internal
    address) and the second one "mail" (A record as we don't have an existing A
    record) will point to the external address on the email server.
     
    Saucer Man, Sep 15, 2008
    #9
  10. Yes.
    The concept you need is Authoritative. The external DNS server is
    authoritative for domain.com. That means that any DNS in the world will
    start looking at .com and find the server that is authoritative for
    domain.com. This will point to the external address of ts1.domain.com.
    Internal clients will ask the internal DNS first, which will only forward
    queries it cannot resolve. So you can "cheat" by having a non-authoritative
    version of the zone. Since it can only be queried by internal clients, it
    won't cause any conflict with the authoritative external server. This one
    will point to the internal address. Because the internal DNS server can now
    answer the query, it will not forward that query to the external DNS where
    it would get a different answer.
    Once you set up an internal non-authoritative zone, you need to add any and
    all entries for that zone manually, including the ones you DO want to go to
    an external address. This is because the DNS server now has that zone. If a
    query comes in for a record that does not exist on the internal zone, the
    reply will be "does not exist". It will not go out to ask if it exists on an
    external copy of the zone.
    Hope that helps,
    Anthony
    http://www.airdesk.com


     
    Anthony [MVP], Sep 20, 2008
    #10
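    As an added illustration of Anthony's answer (not code from the thread or from any of its posters): the internal copy of abc.com built with the DnsServer PowerShell module (Windows Server 2012 or later; the thread's servers are older and would use dnscmd.exe or the snap-in instead), plus a check for the failure mode he describes, where any public name left out of the internal zone becomes NXDOMAIN for internal clients. The zone name and the abc-domain.local host name come from the thread; the IP addresses and the ftp name are constructed placeholders.

```powershell
# Added example, not from the thread. Requires the DnsServer module on a
# Windows DNS server; run in an elevated session on the DC/DNS host.
Import-Module DnsServer

$Zone       = 'abc.com'                 # public name duplicated internally
$InternalTS = 'ts1.abc-domain.local'    # existing AD A record of the terminal server
$MailPublic = '203.0.113.25'            # constructed: mail server's DMZ/public IP
$WebPublic  = '203.0.113.80'            # constructed: externally hosted web site

# File-backed primary zone, as the amset.info steps in the thread describe.
# Use -ReplicationScope 'Domain' instead of -ZoneFile to make it AD-integrated
# (Ace's advice), so the second DC/DNS receives it without a secondary zone.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns"
}

# ts1 as a CNAME to the AD record (Phillip's preference) so the address is
# maintained in one place; mail and www copied from the public zone, since
# the internal server will no longer forward anything under abc.com.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'ts1'  -HostNameAlias $InternalTS
Add-DnsServerResourceRecordA     -ZoneName $Zone -Name 'mail' -IPv4Address $MailPublic
Add-DnsServerResourceRecordA     -ZoneName $Zone -Name 'www'  -IPv4Address $WebPublic

# Anthony's caveat made testable: compare each public host name against the
# internal server and an outside resolver, flagging names that exist publicly
# but get "does not exist" internally because they were never duplicated.
function Find-SplitZoneGaps {
    param(
        [string[]]$Names,          # public host names to check
        [string]$InternalServer,   # internal DNS server address
        [string]$PublicServer      # any resolver outside the LAN
    )
    foreach ($n in $Names) {
        $int = Resolve-DnsName -Name $n -Server $InternalServer -Type A -ErrorAction SilentlyContinue
        $ext = Resolve-DnsName -Name $n -Server $PublicServer   -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name     = $n
            Internal = (($int | Where-Object Type -eq 'A').IPAddress -join ',')
            External = (($ext | Where-Object Type -eq 'A').IPAddress -join ',')
            Missing  = [bool]($ext -and -not $int)   # public answer, internal NXDOMAIN
        }
    }
}

# ftp.abc.com is a constructed name to show what a forgotten record looks like.
Find-SplitZoneGaps -Names 'ts1.abc.com','mail.abc.com','www.abc.com','ftp.abc.com' `
                   -InternalServer '192.168.168.100' -PublicServer '8.8.8.8' |
    Format-Table -AutoSize
```

    Any row with Missing = True is a record the public zone serves that internal clients can no longer reach, which is exactly the mail.abc.com worry raised earlier in the thread.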
  11. Saucer Man

    Saucer Man Guest

    Yes that helps. Thanks.

     
    Saucer Man, Sep 22, 2008
    #11
  12. Great, you are welcome,
    Anthony

     
    Anthony [MVP], Sep 22, 2008
    #12
  13. Saucer Man

    Saucer Man Guest

    This is a really old thread but I am just getting around to implement this
    so I would appreciate some clarification.

    Currently, our DNS structure looks like this in the snap in...

    - Server
    + Event Viewer
    + Cached Lookups
    - Forward Lookup Zones
    ABC-Domain
    + abc-domain.local
    + Reverse Lookup Zone


    - I create a new PRIMARY zone called abc.com and I UNCHECK "Store the zone
    in Active Directory"
    - Select "To all DNS servers in the Active Directory "domain" (We only have
    one domain)
    - Add a CNAME record to point ts1.abc.com to the internal server's A record
    - Add an A record to point mail to the IP address of our mail server (it's
    in a DMZ and not in the domain)
    - We have a website hosted externally at www.abc.com, what kind of record do
    I add so internal clients can still get to the site?


    1) Are the above steps correct?
    2) Do I right-click on "Server" and select New Zone... or do I right-click
    on "Forward Lookup Zones" and select New Zone... ?
    3) Do I need to Disable recursion and remove Root Hints in the new zones
    properties?
    4) If for some reason things don't work right, can I just right-click and
    remove the zone I created to get things back to normal?

    Thanks!

    Rich
     
    Saucer Man, Mar 18, 2010
    #13
  14. Grant Taylor

    Grant Taylor Guest

    Please clarify what you are wanting to do. Are you wanting to override
    external DNS for specific host names?
    You can create www as either an A record pointing to the web servers IP,
    or as a CNAME record pointing to the web servers FQDN.
    I do not get the prompt "To all DNS servers in the Active Directory
    domain" if I uncheck "Store the zone in Active Directory".

    Other than that, I think what you are asking will work.
    Either should work. If you right-click on "server", the New Zone Wizard
    will ask you if you are creating a forward or reverse lookup zone.
    Whereas if you right-click on "Forward Lookup Zones", the New Zone
    Wizard will assume that you are creating a forward lookup zone.
    Those are server properties, not zone properties.
    As far as the zone is concerned, yes. If you make changes to the server
    itself (recursion / root hints) you will need to undo them too.

    Another (in my opinion) simpler option if you are only wanting to change
    the IP addresses for the "ts1.abc.com" and "mail.abc.com" would be to
    create a couple zones by those names. I.e. if you wanted to re-define
    "ts1.abc.com" this way, you would do the following:

    1) Create a new forward lookup zone named "ts1.abc.com". (I
    personally don't care if it's stored in AD or not.)
    2) Create a new CNAME or A record in the "ts1.abc.com" zone with a
    blank name. (Will show up "(same as parent folder)" once it is created.)

    This simple trick will allow you to override the host name "ts1.abc.com"
    on your local DNS server without needing to worry about any of the
    other records that are in the "abc.com" zone. The only drawback that I
    can see to this method is that you will have to have a new zone for each
    host record that you want to override. However this is much better than
    duplicating records from the real zone and then forgetting to make a
    change at some point down the road.



    Grant. . . .
     
    Grant Taylor, Mar 19, 2010
    #14
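    Grant's per-host override, written out as an added example (not his code or the thread's) with the DnsServer PowerShell module (Windows Server 2012 or later). Each overridden FQDN becomes its own small zone holding only an apex record, so abc.com itself is never created and every other abc.com name keeps resolving through the server's forwarders or root hints. The host names are from the thread; the internal addresses are constructed.

```powershell
# Added example, not from the thread. Requires the DnsServer module on a
# Windows DNS server; run in an elevated session on the DC/DNS host.
Import-Module DnsServer

function Set-HostOverride {
    param(
        [Parameter(Mandatory)][string]$Fqdn,        # e.g. ts1.abc.com
        [Parameter(Mandatory)][string]$IPv4Address  # internal address to hand out
    )
    # A zone named after the host itself; AD-integrated so the replica DC/DNS
    # receives it without any secondary-zone setup.
    if (-not (Get-DnsServerZone -Name $Fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope Domain
    }
    # The blank-name record Grant describes is the zone apex, '@' in the
    # cmdlets. Replace any earlier apex A record so re-runs converge.
    Get-DnsServerResourceRecord -ZoneName $Fqdn -Name '@' -RRType A -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ZoneName $Fqdn -Force
    Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $IPv4Address -TimeToLive 00:05:00
}

function Remove-HostOverride {
    param([Parameter(Mandatory)][string]$Fqdn)
    # Rollback: deleting the zone returns the name to normal recursion.
    Remove-DnsServerZone -Name $Fqdn -Force
}

# Only the two hosts the thread wants redirected; addresses are constructed.
Set-HostOverride -Fqdn 'ts1.abc.com'  -IPv4Address '192.168.168.50'
Set-HostOverride -Fqdn 'mail.abc.com' -IPv4Address '192.168.168.25'

# Check: the overridden names answer from the local zones, while www.abc.com
# still resolves externally because no abc.com zone exists on this server.
foreach ($n in 'ts1.abc.com','mail.abc.com','www.abc.com') {
    $r = Resolve-DnsName -Name $n -Server 192.168.168.100 -Type A -ErrorAction SilentlyContinue
    '{0,-14} {1}' -f $n, (($r | Where-Object Type -eq 'A').IPAddress -join ',')
}
```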

  15. What exactly are you trying to accomplish? Is your AD DNS domain name the same as the external name?

    Also, that "ABC-Domain" zone you mentioned under the Forward Lookup Zone is an illegal domain name. It's single label, meaning it has no hierarchy ("domain" vs the correct minimal format of 'domain.com'). Single label names are extremely problematic to the point that XP SP2 and newer have problems resolving single label names, not to mention the extraneous network traffic to the internet Root servers it creates trying to resolve it. I can further explain, but I am thinking at this point that what you posted is a misprint (hopefully).

    Now if your current AD domain name is single label, you will have much more on your hands to fix than what you are trying to accomplish. However, to verify all of this, it will help if you can elaborate your intentions, as well as whether this is truly a single label name or not.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Mar 19, 2010
    #15
  16. Saucer Man

    Saucer Man Guest

    I'm sorry. This is a very old thread and I didn't realise that everyone
    else wouldn't have the rest of it.

    Basically, we have a public ip address assigned to a terminal server and our
    mail server. Our hosting provider has DNS entries that direct clients to our
    public IPs of these servers. I would like to create a split dns to direct
    internal clients to our internal IPs when using ts1.abc.com and
    mail.abc.com. Currently, internal clients using mail.abc.com are actually
    going out to the internet to resolve the name and are getting re-directed
    back here. We also have a website that is hosted with the provider. It is
    www.abc.com. This name is NOT the same as our internal domain. Our
    internal AD domain is abc-domain.

    As far as the illegal domain name (ABC-Domain), I don't know when it was
    created. It just has three records in it...two NS records pointing to our
    domain controllers and one SOA record. The other zone (abc-domain.local) has
    the exact same three records along with everything else. Is it safe to
    delete the illegal domain name from the forward lookup zone? We do NOT
    have a zone called abc-domain.com. Thanks.

     
    Saucer Man, Mar 19, 2010
    #16
  17. I see, so you have a split zone scenario. Just create the external zone name abc-domain.com internally, make it AD integrated, create the necessary records, such as ts1 under it, and give it the internal IP address. That's it. Provided all internal clients are ONLY using the internal DNS servers, you are fine.

    As for the single label name and the abc-domain.local, that depends on which one really exists whether to delete or keep one or the other. When you open ADUC, in the top left, what is the domain name?

    Also, post an ipconfig /all of the DC. I would like to see the DNS configs, see if it is multihomed, and see what the Primary DNS suffix is.

    Thanks,
    Ace
     
    Ace Fekay [MVP-DS, MCT], Mar 19, 2010
    #17
  18. Saucer Man

    Saucer Man Guest

    In ADUC, it says abc-domain.local. Here is the ipconfig...

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : abc-dc-1
    Primary Dns Suffix . . . . . . . : abc-domain.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : abc-domain.local

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-23-73-3D-1F-6C
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.168.100
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.168.254
    DNS Servers . . . . . . . . . . . : 192.168.168.101
    192.168.168.100

    I was told that the zone name I need to create would be abc.com, not
    abc-domain.com. Our terminal server and mail server dns names are
    ts1.abc.com and mail.abc.com. Also, the website is abc.com. The
    abc-domain.local is only the internal AD domain. Also I was told that it
    should NOT be AD integrated.

    Where do I create the new zone...under the server level or under the Forward
    Lookup Zones level?

    We have a BDC also so I would like the records to propagate.

    Thanks.

     
    Saucer Man, Mar 19, 2010
    #18
  19. If the external domain name is abc.com, then that is what needs to be created. I was going by what you posted, based on your obfuscating the domain name. Basically, it's whatever the external name is.

    As for that abc-domain zone that exists (without the ".local"), it is not needed and should be deleted. I don't even know why it's there, because based on your ipconfig (which looks fine), and the ADUC name and Primary DNS Suffix matching the ADUC name, it tells me your AD DNS domain name is abc-domain.local.

    How many DCs do you have? I noticed that you have two listed in the ipconfig, .100 and .101. I assume .101 is a DC. And a suggestion, the preferred method is to point to itself first in DNS (.100), and make the replica DC (.101) the second entry.

    Who told you that the abc.com zone should not be AD integrated? Did the person provide a reason? AD integrated just says to store the zone in the physical AD database and not as a simple, hackable text file in the system32\dns folder. That's all it means, nothing else. Storing it in AD actually increases security on the zone where you can't simply modify the text file with anything you want to put in it. Not that it will ever happen, but it's a possibility. Plus, making it AD integrated, you only create it once, and it automatically replicates to the other DC/DNS servers without any further action on your part. If you don't make it AD integrated, you will need to create a secondary zone on the other DC/DNS for it and specify the other as the Master. AD integration follows the RFCs regarding SOA and other DNS zone implementation guidelines with a big benefit of having a multi-master feature. This means if you need to update something in the zone, you can do it from either DC and it automatically replicates to the other.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Mar 20, 2010
    #19
  20. Saucer Man

    Saucer Man Guest


    It's becoming clearer...but where do I create the new zone? I see I can do
    it under the server level or under the Forward Lookup Zones level.

    I read here... http://www.amset.info/netadmin/split-dns.asp and it states
    under the configuration instructions in step 3 to create a new zone that is
    NOT AD integrated. I then posted my steps in this thread a lonnnnng time
    ago about NOT making it AD integrated and it was confirmed as "Exactly"....

    Interesting you mention the "reversal" of the IP addresses between my
    primary DC and my backup DC. I had a thread once where the discussion
    showed that some people believe the DCs should first point to the other
    server and others believed they should first point to themselves.

    In reference to deleting that abc-domain zone, I think I should mention that
    the servers and pcs were joined to abc-domain (not abc-domain.local). Even
    though our true AD Domain name is abc-domain.local, the Windows logon box of
    everything shows abc-domain (not abc-domain.local). If I delete abc-domain,
    will my devices no longer be able to connect? Thanks.
     
    Saucer Man, Mar 22, 2010
    #20