Active Directory internal domain DNS working fine but all external names on my mail/web server resolve to the same IP Address with NSLOOKUP

Posted on 2004-11-08
Medium Priority
Last Modified: 2010-04-19
Believe it or not, I have only just got around to migrating from NT 4 server to AD. I have six master domains worldwide, and 20 resource domains. I am now working my way west from Asia to finish up with the US by January (hopefully).

I decided to go for different internal and external namespaces (domains) since I use my UK ISP (PSInet) for the DNS of the public presence domain (company.com). I decided to use a company.net domain for the internal namespace. Just to be safe, I registered it with nameroute, though I don’t plan to use it on the outside. I’m setting up a single domain directory for Asia to cover Hong Kong, Singapore, Tokyo, Beijing and Shanghai. I decided to call this asia.company.net.

I’m still running Exchange 5.5 and Proxy 2.0 for the time being (waiting for a select contract to be signed) and everything is working ok apart from the fact that DNS keeps resolving all external addresses to the IP of the hosting company that are authoritative for the company.net domain. Somehow the IMC and Proxy are able to communicate properly with the Internet but nslookup is behaving strangely. Thank God that Proxy 2.0 and Exchange don't rely on nslookup working.

The mail/web server has two network cards, one trusted and one untrusted. The trusted has a 10.x.x.x address, gateways to my Private WAN router and DNS to the AD DNS server(s). The untrusted has a 192.168.x.x address, gateways to my firewall (which NATs incoming SMTP to the server), and has the DNS provided by the ISP.

If I do an nslookup of www.bbc.com, it always resolves it as follows:

C:\Documents and Settings\sysadmin>NSLOOKUP WWW.BBC.COM
Server:  dnscache2.singnet.com.sg

Non-authoritative answer:
Name:    WWW.BBC.COM.company.bdroma.net

Note: this is the hosting site for company.net which is a simple placeholder. I originally got very concerned that our DNS had been hijacked but when I discovered that the IP that it always resolves to is one that I am vaguely familiar with I stopped worrying about this possibility.

The bindings order does not seem to matter, though at the moment I have the untrusted higher than the trusted so that it queries external DNS first (for Internet performance reasons). My DNS (which I allowed DCPROMO to set up) contains just the domain asia.company.net and _msdcs.asia.company.net.

I began to wonder if the problem stems from the fact that the root zone for the company.net domain is not set up in my internal DNS, only asia.company.net. I am planning to have europe.company.net, us.company.net, lebanon.company.net etc. as separate domains/forests since my WAN is not reliable enough to support a single global domain. I am beginning to realise how important it is that the operations master server is visible at all times to DCs in the domain.

Can anyone think of a knowledge base article or technet document that might help me with this? I’d really appreciate any advice that you can offer, even if it means I have to go back up to Hong Kong (hub site) and change things. Ideally I could make any changes from here using terminal services.
Question by: kevinshepherd

Accepted Solution

harleyjd earned 2000 total points
ID: 12531235
I think your second last paragraph hits the nail on the head. Any request to server.company.com will be forced to go to the forwarder DNS servers. Have you set a root domain as "." - this would stop all external lookups, including to company.com, as it would see asia.company.com as the be all and end all.

I think you should stay where you are, and send me to Hong Kong to help out. I'm only 8 hours away in Oz. :)


Expert Comment

ID: 12534159
I agree with harley. Your company.com lookups are resolving externally, and you want them resolved internally so they will resolve to your private IPs.

Expert Comment

ID: 12534385
The real problem lies in that company.net is a registered Internet domain name. Even though it is a placeholder it still resolves to an Internet IP.
Generally this is not recommended because of the exact problem you are describing. It is recommended that you go with something like company.local for your internal DNS. This way DNS will never get "confused" as to what is external and what is internal.
If you can't change that, there are a couple of things you can do. company.net will need to be the name of your root domain. From there you can create child domains of asia, europe, etc. But you do need company.net to exist somewhere on your internal network.



Expert Comment

ID: 12538058
antknee - if the internal DNS namespace is Authoritative for company.com then no requests will go outside for that domain, so it doesn't matter if it's registered or not. I agree with the .local recommendation - I always do that myself, but using an external, live domain name is ok in 2 situations:

1. You are Authoritative for the namespace, and your DNS servers are the registered nameservers for the domain and are accessible to anonymous internet-borne requests

2. You are Authoritative for the internal domain namespace and don't give a tinker's cuss if you are able to access the live internet domain (which is this case)

In the second case you always have the option of manually adding hosts to the DNS server to allow access to certain parts of the external domain.
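As an added illustration (not code from the thread or from Windows), the following Python toy model reproduces the symptom in the question and the fix antknee and harleyjd describe: an unqualified name picks up the machine's DNS suffix, the suffixed query leaks to the public resolver, and the registered placeholder domain answers it, whereas making the internal server authoritative for company.net (or querying a fully qualified name with a trailing dot) stops the leak. All names and addresses are constructed; the placeholder's wildcard answer and the order in which suffixes are tried are assumptions made for the model.

```python
# Added toy model for this thread (not code from the thread or from any product).
# It reproduces the symptom on the dual-homed mail server: an unqualified name
# gets the machine's DNS suffix appended, the suffixed query reaches the public
# resolver, and the publicly registered placeholder domain answers it with its
# own address. All names and addresses are constructed; the wildcard answer from
# the placeholder host and the order in which suffixes are tried are assumptions.

PUBLIC_ZONES = {
    "bbc.com": {"www": "203.0.113.10"},        # constructed public record
    "company.net": {"*": "198.51.100.5"},      # placeholder host answers any subdomain
}


def public_lookup(fqdn):
    """Mimic the ISP resolver: exact record first, then the zone's wildcard (simplified)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        zone, host = ".".join(labels[i:]), ".".join(labels[:i])
        if zone in PUBLIC_ZONES:
            records = PUBLIC_ZONES[zone]
            return records.get(host) or records.get("*")
    return None


def resolve(name, suffixes, internal_zones=()):
    """Return (address, name actually answered) for a name typed at nslookup.

    - A trailing dot marks the name as fully qualified: no suffix is appended.
    - Otherwise each suffix in the search list is appended in turn (assumed order).
    - Any candidate under a zone the internal DNS is authoritative for is
      answered internally (NXDOMAIN here, since no such host exists) and is
      never forwarded, which is the fix proposed in the thread.
    """
    if name.endswith("."):
        return public_lookup(name), name
    for suffix in suffixes:
        candidate = f"{name}.{suffix}"
        if any(candidate.endswith("." + z) for z in internal_zones):
            continue
        answer = public_lookup(candidate)
        if answer:
            return answer, candidate
    return public_lookup(name), name


if __name__ == "__main__":
    search = ["asia.company.net", "company.net"]   # constructed suffix search list
    print(resolve("www.bbc.com", search))          # leaks to the placeholder host
    print(resolve("www.bbc.com.", search))         # trailing dot: real answer
    print(resolve("www.bbc.com", search, internal_zones=("company.net",)))
```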


Expert Comment

ID: 12538104
You have a split DNS setup, which is perfectly acceptable and works great with proper DNS setup. There is no need to change to .local. That will just confuse your users; you can keep the .net for both internal and external access if DNS is set up properly.

Your internal clients need to point to an internal DNS server to resolve to your private IPs.

Your external clients need to point to an external DNS server to resolve to your public IPs; it's that simple.

Author Comment

ID: 12541130
Thanks guys! What a great site, I have a feeling that this will become a home from home for me.

I reckon it would be asking for trouble to go changing the DNS on the last day before flying home so I'll try to reproduce the problem when I get back to London and then add the '.' (or company.net) zones to make sure that the problem goes away. I would only be a little worried that if I create a '.' root the ISP DNS would stop working. Maybe a company.net would be better. Should I have set this up first and added asia.company.net later as a sub-domain? Perhaps then I would keep the primary zone in a well connected location and just secondaries in the other branches?

My internal clients are ok, as they only access the outside via a proxy. The only host/server that has a problem is the one running with two network cards. Obviously this guy needs to resolve to the internal and external (ISP) DNS servers. How does Server 2000 decide where to go first? I assume it's the bindings which I would change using the advanced tab of network connections.

Expert Comment

ID: 12541675
No, don't add a "." if you plan on using your DNS server as forwarders - I was actually worried you had a dot...

"Should I have set this up first and added asia.company.net later as a sub-domain? Perhaps then I would keep the primary zone in a well connected location and just secondaries in the other branches?"

In short, yeah, that's the way I woulda done it, but asia.company.com is a domain in its own right, so perhaps just adding company.net to one server, and offering it as secondaries to all other servers will do the job... Then you could add the asia. usa. europe. domains in there, with the name servers pointing to the actual AD integrated server at each site. That should keep all *.company.net requests off the public network, without adding everything to a forest. You'd still need to add trusts, but that should be cool if the network is reliable enough to host your NT 4.0 domains...
