Active Directory internal domain DNS working fine but all external names on my mail/web server resolve to the same IP Address with NSLOOKUP

Posted on 2004-11-08
Last Modified: 2010-04-19
Believe it or not, I have only just got around to migrating from NT 4 server to AD. I have six master domains worldwide, and 20 resource domains. I am now working my way west from Asia to finish up with the US by January (hopefully).

I decided to go for different internal and external namespaces (domains) since I use my UK ISP (PSInet) for the DNS of the public presence domain ( I decided to use a domain for the internal namespace. Just to be safe, I registered it with nameroute, though I don’t plan to use it on the outside. I’m setting up a single domain directory for Asia to cover Hong Kong, Singapore, Tokyo, Beijing and Shanghai. I decided to call this

I’m still running Exchange 5.5 and Proxy 2.0 for the time being (waiting for a select contract to be signed) and everything is working ok apart from the fact that DNS keeps resolving all external addresses to the IP of the hosting company that are authoritative for the domain. Somehow the IMC and Proxy are able to communicate properly with the Internet but nslookup is behaving strangely. Thank God that Proxy 2.0 and Exchange don't rely on nslookup working.

The mail/web server has two network cards, one trusted and one untrusted. The trusted has a 10.x.x.x address, gateways to my Private WAN router and DNS to the AD DNS server(s). The untrusted has a 192.168.x.x address, gateways to my firewall (which NATs incoming SMTP to the server), and has the DNS provided by the ISP.

If I do an nslookup of , it always resolves it as follows:

C:\Documents and Settings\sysadmin>NSLOOKUP WWW.BBC.COM

Non-authoritative answer:


Note: this is the hosting site for which is a simple placeholder. I originally got very concerned that our DNS had been hijacked but when I discovered that the IP that it always resolves to is one that I am vaguely familiar with I stopped worrying about this possibility.

The bindings order does not seem to matter, though at the moment I have the untrusted higher than the trusted so that it queries external DNS first (for Internet performance reasons). My DNS (which I allowed DCPROMO to set up) contains just the domain and

I began to wonder if the problem stems from the fact that the root zone for domain is not set up in my internal DNS, only I am planning to have,, etc. as separate domains/forests since my WAN is not reliable enough to support a single global domain. I am beginning to realise how important it is that the operations master server is visible at all times to DCs in the domain.

Can anyone think of a knowledge base article or technet document that might help me with this? I’d really appreciate any advice that you can offer, even if it means I have to go back up to Hong Kong (hub site) and change things. Ideally I could make any changes from here using terminal services.

Question by: kevinshepherd
    LVL 15

    Accepted Solution

    I think your second last paragraph hits the nail on the head. Any request to will be forced to go to the forwarder DNS servers. Have you set a root domain as "."? This would stop all external lookups, including to, as it would see as the be-all and end-all.

    I think you should stay where you are, and send me to Hong Kong to help out. I'm only 8 hours away in Oz. :)

    LVL 25

    Expert Comment

    I agree with harley; your lookups are resolving externally, and you want them resolved internally so they will resolve to your private IPs.

    LVL 3

    Expert Comment

    The real problem lies in that is a registered Internet domain name. Even though it is a placeholder it still resolves to an Internet IP.
    Generally this is not recommended because of the exact problem you are describing. It is recommended that you go with something like company.local for your internal DNS. This way DNS will never get "confused" as to what is external and what is internal.
    If you can't change that, there are a couple of things you can do. will need to be the name of your root domain. From there you can create child domains of asia, europe, etc. But you do need to exist somewhere on your internal network.

    LVL 15

    Expert Comment

    antknee - if the internal DNS namespace is Authoritative for then no requests will go outside for that domain, so it doesn't matter if it's registered or not. I agree with the .local recommendation - I always do that myself, but using an external, live domain name is ok in 2 situations:

    You are Authoritative for the namespace, and your DNS servers are the registered nameservers for the domain and are accessible to anonymous internet borne requests

    You are Authoritative for the internal domain namespace and don't give a tinker's cuss if you are able to access the live internet domain (which is this case)

    In the second case you always have the option of manually adding hosts to the DNS server to allow access to certain parts of the external domain.

    LVL 25

    Expert Comment

    You have a split DNS setup, which is perfectly acceptable and works great with proper DNS setup. There is no need to change to .local; that will just confuse your users. You can keep the .net for both internal and external access if DNS is set up properly.

    Your internal clients need to point to an internal DNS server to resolve to your private IPs.

    Your external clients need to point to an external DNS server to resolve to your public IPs. It's that simple.

    Author Comment

    Thanks guys! What a great site, I have a feeling that this will become a home from home for me.

    I reckon it would be asking for trouble to go changing the DNS on the last day before flying home so I'll try to reproduce the problem when I get back to London and then add the '.' (or zones to make sure that the problem goes away. I would only be a little worried that if I create a '.' root that the ISP DNS would stop working. Maybe a would be better. Should I have set this up first and added later as a sub-domain? Perhaps then I would keep the primary zone in a well connected location and just secondaries in the other branches?

    My internal clients are ok, as they only access the outside via a proxy. The only host/server that has a problem is the one running with two network cards. Obviously this guy needs to resolve to the internal and external (ISP) DNS servers. How does Server 2000 decide where to go first? I assume it's the bindings which I would change using the advanced tab of network connections.

    LVL 15

    Expert Comment

    No, don't add a "." if you plan on using your DNS server as forwarders - I was actually worried you had a dot...

    "Should I have set this up first and added later as a sub-domain? Perhaps then I would keep the primary zone in a well connected location and just secondaries in the other branches?"

    In short, yeah, that's the way I woulda done it, but is a domain in its own right, so perhaps just adding to one server, and offering it as secondaries to all other servers will do the job... Then you could add the asia. usa. europe. domains in there, with the name servers pointing to the actual AD integrated server at each site. That should keep all * requests off the public network, without adding everything to a forest. You'd still need to add trusts, but that should be cool if the network is reliable enough to host your nt4.0 domains...
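
The three cases argued over in this thread (the internal server is authoritative for a zone and never goes outside for it; a "." root zone kills every external lookup; an unhosted parent name falls through to the forwarders) can be seen side by side in a small model. The following is an added example written for this page, not code from the thread, from Microsoft, or from any real DNS server; the zone names, the 10.x/192.0.2.x/198.51.100.x/203.0.113.x addresses and the PUBLIC_DNS table are all constructed, and the Windows behaviour it imitates is only the part the experts above describe. The last function checks for the symptom in the question: several unrelated external names all answering with the same address.

```python
# Added example (not code from the thread or from Microsoft): a toy model of
# how an internal DNS server decides where a query goes, covering the cases
# debated above: the server is authoritative for a hosted zone, it hosts a
# "." root zone, or it hands the query to a forwarder. All zone names,
# addresses and the "public DNS" table below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for what public DNS would answer.
PUBLIC_DNS: Dict[str, str] = {
    "www.bbc.com": "203.0.113.10",
    "www.example.org": "203.0.113.20",
    # The hosting company's placeholder page for the registered internal name.
    "corp.example.net": "198.51.100.5",
    "www.corp.example.net": "198.51.100.5",
}


@dataclass
class InternalDnsServer:
    """Hosted zones (zone -> {fqdn -> ip}), optional root zone, forwarder list."""
    zones: Dict[str, Dict[str, str]]
    forwarders: List[str] = field(default_factory=list)
    hosts_root_zone: bool = False  # True if a "." zone is loaded on the server

    def authoritative_zone(self, fqdn: str) -> Optional[str]:
        """Longest hosted zone the name falls under, or None."""
        labels = fqdn.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name: str) -> Tuple[str, Optional[str]]:
        """Return (how the answer was produced, ip); ip is None for a negative answer."""
        fqdn = name.lower().rstrip(".")
        zone = self.authoritative_zone(fqdn)
        if zone is not None:
            # Authoritative: answer only from zone data; the query never leaves the LAN.
            return ("authoritative:" + zone, self.zones[zone].get(fqdn))
        if self.hosts_root_zone:
            # With a "." zone the server believes it owns the whole namespace:
            # anything it does not host is simply non-existent.
            return ("nxdomain:root-zone", None)
        if self.forwarders:
            # No local zone matches: the query goes out to the forwarder.
            return ("forwarded:" + self.forwarders[0], PUBLIC_DNS.get(fqdn))
        return ("root-hints", PUBLIC_DNS.get(fqdn))


def collapsed_answers(answers: Dict[str, Optional[str]]) -> Optional[str]:
    """Flag the symptom in the question: distinct names that all resolve to one IP."""
    if len(answers) < 2 or any(ip is None for ip in answers.values()):
        return None
    ips = set(answers.values())
    return ips.pop() if len(ips) == 1 else None


def scenario_child_zone_only() -> Dict[str, Tuple[str, Optional[str]]]:
    """Only the Asia child zone is hosted; the parent name is not (the asker's setup)."""
    srv = InternalDnsServer(
        zones={"asia.corp.example.net": {"dc1.asia.corp.example.net": "10.1.0.5"}},
        forwarders=["192.0.2.53"],
    )
    names = ["dc1.asia.corp.example.net", "www.corp.example.net", "www.bbc.com"]
    return {n: srv.resolve(n) for n in names}


def scenario_root_zone() -> Tuple[str, Optional[str]]:
    """Same server, but with a "." zone added: every external lookup now fails."""
    srv = InternalDnsServer(
        zones={"asia.corp.example.net": {}}, forwarders=["192.0.2.53"], hosts_root_zone=True
    )
    return srv.resolve("www.bbc.com")


def scenario_parent_zone_hosted() -> Dict[str, Tuple[str, Optional[str]]]:
    """Parent zone hosted internally, with one manually added host for the public site."""
    srv = InternalDnsServer(
        zones={
            "corp.example.net": {"www.corp.example.net": "10.9.0.80"},
            "asia.corp.example.net": {"dc1.asia.corp.example.net": "10.1.0.5"},
        },
        forwarders=["192.0.2.53"],
    )
    names = ["www.corp.example.net", "mail.corp.example.net", "www.bbc.com"]
    return {n: srv.resolve(n) for n in names}


def symptom_check() -> Optional[str]:
    """Constructed nslookup results showing the pattern reported in the question."""
    observed = {
        "www.bbc.com": "198.51.100.5",
        "www.example.org": "198.51.100.5",
        "www.example.com": "198.51.100.5",
    }
    return collapsed_answers(observed)
```

In the first scenario the lookup for the parent name is forwarded and comes back with the hosting company's placeholder address, because nothing internal is authoritative for it; in the third, once the parent zone is hosted, names under it are answered from zone data only (a name with no record gets a negative answer, never an outside lookup), while unrelated names still go to the forwarder. The root-zone scenario shows why harleyjd warned against adding ".": every name outside the hosted zones becomes a negative answer.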
