Active Directory internal domain DNS working fine but all external names on my mail/web server resolve to the same IP Address with NSLOOKUP

Believe it or not, I have only just got around to migrating from NT 4 server to AD. I have six master domains worldwide, and 20 resource domains. I am now working my way west from Asia to finish up with the US by January (hopefully).

I decided to go for different internal and external namespaces (domains) since I use my UK ISP (PSInet) for the DNS of the public presence domain ( I decided to use a domain for the internal namespace. Just to be safe, I registered it with nameroute, though I don’t plan to use it on the outside. I’m setting up a single domain directory for Asia to cover Hong Kong, Singapore, Tokyo, Beijing and Shanghai. I decided to call this

I’m still running Exchange 5.5 and Proxy 2.0 for the time being (waiting for a select contract to be signed) and everything is working ok apart from the fact that DNS keeps resolving all external addresses to the IP of the hosting company that are authoritative for the domain. Somehow the IMC and Proxy are able to communicate properly with the Internet but nslookup is behaving strangely. Thank God that Proxy 2.0 and Exchange don't rely on nslookup working.

The mail/web server has two network cards, one trusted and one untrusted. The trusted has a 10.x.x.x address, gateways to my Private WAN router and DNS to the AD DNS server(s). The untrusted has a 192.168.x.x address, gateways to my firewall (which NATs incoming SMTP to the server), and has the DNS provided by the ISP.

If I do an nslookup of , it always resolves it as follows:

C:\Documents and Settings\sysadmin>NSLOOKUP WWW.BBC.COM

Non-authoritative answer:


Note: this is the hosting site for which is a simple placeholder. I originally got very concerned that our DNS had been hijacked but when I discovered that the IP that it always resolves to is one that I am vaguely familiar with I stopped worrying about this possibility.

The bindings order does not seem to matter, though at the moment I have the untrusted higher than the trusted so that it queries external DNS first (for Internet performance reasons). My DNS (which I allowed DCPROMO to set up) contains just the domain and

I began to wonder if the problem stems from the fact that the root zone for domain is not setup in my internal DNS, only I am planning to have,, etc. as separate domains/forests since my WAN is not reliable enough to support a single global domain. I am beginning to realise how important it is that the operations master server is visible at all times to DCs in the domain.

Can anyone think of a knowledge base article or technet document that might help me with this? I’d really appreciate any advice that you can offer, even if it means I have to go back up to Hong Kong (hub site) and change things. Ideally I could make any changes from here using terminal services.

I think your second last paragraph hits the nail on the head. Any request to will be forced to go to the forwarder DNS servers. Have you set a root domain as "." - this would stop all external lookups, including to, as it would see as the be all and end all.

I think you should stay where you are, and send me to Hong Kong to help out. I'm only 8 hours away in Oz. :)


I agree with harley. Your lookups are resolving externally, and you want them resolved internally so they will resolve to your private IPs.
The real problem lies in that is a registered Internet domain name. Even though it is a placeholder it still resolves to an Internet IP.
Generally this is not recommended because of the exact problem you are describing. It is recommended that you go with something like company.local for your internal DNS. This way DNS will never get "confused" as to what is external and what is internal.
If you can't change that, there are a couple of things you can do. will need to be the name of your root domain. From there you can create child domains of asia, europe, etc. But you do need to exist somewhere on your internal network.


antknee - if the internal DNS namespace is Authoritative for then no requests will go outside for that domain, so it doesn't matter if it's registered or not. I agree with the .local recommendation - I always do that myself, but using an external, live domain name is ok in 2 situations:

You are Authoritative for the namespace, and your DNS servers are the registered nameservers for the domain and are accessible to anonymous internet-borne requests

You are Authoritative for the internal domain namespace and don't give a tinker's cuss if you are able to access the live internet domain (which is the case here)

In the second case you always have the option of manually adding hosts to the DNS server to allow access to certain parts of the external domain.

You have a split DNS setup, which is perfectly acceptable and works great with proper DNS setup. There is no need to change to .local. That will just confuse your users; you can keep the .net for both internal and external access if DNS is set up properly.

Your internal clients need to point to an internal DNS server to resolve to your private IPs.

Your external clients need to point to an external DNS server to resolve to your public IPs; it's that simple.
kevinshepherd (Author) commented:
Thanks guys! What a great site, I have a feeling that this will become a home from home for me.

I reckon it would be asking for trouble to go changing the DNS on the last day before flying home so I'll try to reproduce the problem when I get back to London and then add the '.' (or zones to make sure that the problem goes away. I would only be a little worried that if I create a '.' root that the ISP DNS would stop working. Maybe a would be better. Should I have set this up first and added later as a sub-domain? Perhaps then I would keep the primary zone in a well connected location and just secondaries in the other branches?

My internal clients are ok, as they only access the outside via a proxy. The only host/server that has a problem is the one running with two network cards. Obviously this guy needs to resolve to the internal and external (ISP) DNS servers. How does Server 2000 decide where to go first? I assume it's the bindings which I would change using the advanced tab of network connections.
No, don't add a "." if you plan on using your DNS server as forwarders - I was actually worried you had a dot...

"Should I have set this up first and added later as a sub-domain? Perhaps then I would keep the primary zone in a well connected location and just secondaries in the other branches?"

in short, yeah, that's the way I woulda done it, but is a domain in its own right, so perhaps just adding to one server, and offering it as secondaries to all other server will do the job... Then you could add the asia. usa. europe. domains in there, with the name servers pointing to the actual AD integrated server at each site. That should keep all * requests off the public network, without adding everything to a forest. You'd still need to add trusts, but that should be cool if the network is reliable enough to host your nt4.0 domains...
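The thread's diagnostic problem (nslookup on the dual-homed server answering every external name with the one placeholder address) and the split-DNS advice (compare what the internal and the external resolver say for the same name) both come down to querying a specific server directly rather than whatever the OS search order picks. The following stand-alone script is an added example, not code from the thread or from any Experts Exchange participant: it builds a raw DNS A query, sends it to a resolver of your choosing over UDP port 53, parses the answer, and flags the "every name maps to the same address" symptom. The resolver addresses, host names and the embedded sample response are constructed for illustration; no real zone data is assumed.

```python
"""Split-DNS sanity check (added example; stdlib only).

Queries a chosen resolver directly for A records and flags the symptom
from the question: several unrelated external names all answered with
one identical address (a wildcard/placeholder record being hit instead
of the real Internet answer)."""
import socket
import struct


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def parse_a_answers(msg: bytes):
    """Return (rcode, [IPv4 addresses]) from the answer section of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a DNS response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        offset = _skip_name(msg, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return rcode, addresses


def resolve_a(server: str, name: str, timeout: float = 2.0):
    """Ask one specific resolver, bypassing the OS binding/search order entirely."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_answers(data)[1]


def shared_answer(results):
    """Return the single address every name resolved to, or None.

    results maps name -> list of addresses. Two or more distinct names all
    answered with the same lone address is the placeholder symptom."""
    if len(results) < 2:
        return None
    distinct = {tuple(sorted(addrs)) for addrs in results.values()}
    if len(distinct) == 1:
        (only,) = distinct
        if len(only) == 1:
            return only[0]
    return None


def _constructed_response(name: str, address: str, txid: int = 0x1234) -> bytes:
    """Constructed test data shaped like a real response: QR/RD/RA flags set,
    one answer whose owner name is a compression pointer (0xC00C) to the question."""
    query = build_a_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(address)
    return header + query[12:] + answer


# Constructed results mirroring the nslookup behaviour in the question:
# unrelated external names all coming back as one placeholder address.
SAMPLE_RESULTS = {
    "www.bbc.com": ["192.0.2.10"],
    "www.example.net": ["192.0.2.10"],
    "mail.example.org": ["192.0.2.10"],
}

if __name__ == "__main__":
    # Resolver addresses are assumptions; substitute the internal AD DNS
    # server and the ISP resolver to compare the two horizons side by side.
    for server in ("10.0.0.53", "192.168.1.53"):
        try:
            live = {n: resolve_a(server, n) for n in SAMPLE_RESULTS}
        except OSError as exc:
            print(f"{server}: no answer ({exc})")
            continue
        print(server, live, "placeholder symptom:", shared_answer(live))
    print("sample data placeholder symptom:", shared_answer(SAMPLE_RESULTS))
```

Run it once against the internal AD DNS server and once against the ISP resolver: a healthy split-DNS setup returns private addresses for the internal zone from the first and genuine Internet answers from the second, and shared_answer returns None for both. A value from shared_answer on the resolver that the dual-homed host is actually using is the signal that lookups are being pulled into the wrong horizon.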
