Poudrecomputer
Create record above your AD domain?

All,
I inherited a network at a client which is set up as sub.domain.com for AD, and they own domain.com publicly. However, we now host services inside, so the clients are being redirected outside and right back in, which causes them not to be processed by the firewall rules. I need to create records at the domain.com level. However, Windows DNS will not let me. Has anyone been through this? I don't want to remove DNS and try to get it working again with AD.

The example is: mail.domain.com externally points to our public IP. Since our AD/DNS domain internally is sub.domain.com, I cannot create a mail.domain.com record to point internally for when the staff is here.
mikeleebrla

OK, if your AD domain is sub.domain.com then they have to have the parent domain of domain.com, since this had to be created before sub.domain.com was created. All of your clients should be pointed to INTERNAL DNS servers which only have internal private DNS records. If this was the case they would never be redirected out by a public IP.

I'm a little confused though. You say that "clients are being redirected outside and right back in which causes them not to be processed by the firewall rules"... if the clients are going out and coming back in, then they ARE going through the firewall when they come back in, right? This is what is confusing me.

But the root cause of your problem is that your clients are getting public DNS records for, say, mail.domain.com when they should be getting your private addresses, right? What makes you say you can't create a zone for domain.com?
Bottom line: internal users should be pointed to internal DNS servers, and external users should be pointed to external DNS servers. This will resolve your problem.
Poudrecomputer
ASKER
Mike,
Actually, if you create the domain for AD/DNS in Win2k it will create it as sub.domain.com. It DOES NOT create the proper DNS tree of parent/child.

So listed in DNS under Forward Lookup Zones is my first zone of sub.domain.com; it is NOT listed as domain.com with a subdomain of "sub". Since I can't go to domain.com internally to create the records, it won't work. Also, I cannot create a domain called domain.com since I would end up with two authoritative domains for sub.domain.com.

The firewall is a fun one. What happens is the address is resolved to an external address (mail.domain.com), so since the request is going out of the network and then being redirected back in, it's not being handled by the firewall rules and stops at the firewall. Example: if a user goes to the webmail for Exchange, which has a site for public and a different path for internal, the user types mail.domain.com (external); it goes out and back in, gets stuck at the firewall, and shows the user the login page for the firewall appliance.

I guess my question/need is: I need to delete the DNS forward lookup zone I have so I can create domain.com and then create the child. Then I need to reassociate AD with that child domain.
mikeleebrla

Do you have an AD domain called domain.com, or did you somehow create sub.domain.com initially?
If you created sub.domain.com initially, then it did create the proper DNS tree, since in that case you don't have a domain named domain.com but rather a domain called sub.domain.com. Since you happen to have a "real" public domain called domain.com (split DNS), you have to manually create a domain.com zone and the A records for it.

Have you tried creating a DNS zone for domain.com and seeing what happens? I think you are confusing things more than they need to be. A domain can't be authoritative for another domain (or subdomain); the "authoritative DNS server" is just the DNS SERVER that is authoritative for a particular domain. A DNS server can be authoritative for any number of domains. Think about your ISP's DNS server: it is authoritative for hundreds or thousands of domains. In either case this is an internal DNS server, so it doesn't have to abide by RFC rules anyway.
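The split-DNS setup described in the reply above (an internal domain.com zone holding only the records that must resolve differently inside, next to the untouched AD zone sub.domain.com), written out as an added example that is not from the original thread. It uses the DnsServer PowerShell module, which exists on Windows Server 2012 and later; the thread's Windows 2000/2003 servers would need the same steps done in the DNS MMC console. The server name dc1.sub.domain.com, the internal address 10.0.1.25 and the public web address 203.0.113.10 are placeholders. The check at the end confirms that the DC locator SRV records under the AD zone still resolve, which is the first thing to break if the new parent zone overlaps the AD zone.

```powershell
# Added example (not the thread's own configuration). Assumes the DnsServer module
# (Windows Server 2012+ DNS role). All host names and addresses are placeholders.

$DnsServer  = 'dc1.sub.domain.com'   # hypothetical DC that also runs DNS
$ParentZone = 'domain.com'           # public domain, to get an internal (split) copy
$AdZone     = 'sub.domain.com'       # existing AD-integrated zone; not modified
$InternalIp = '10.0.1.25'            # hypothetical inside address of the mail server
$PublicWeb  = '203.0.113.10'         # hypothetical public web address (documentation range)

# 1. Create the internal zone for the parent domain. Only internal clients use this
#    server, so the public domain.com zone at the registrar/ISP is unaffected.
if (-not (Get-DnsServerZone -Name $ParentZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ParentZone -ReplicationScope 'Forest' -ComputerName $DnsServer
}

# 2. Add the record that must resolve to the inside address. Do NOT add a "sub"
#    delegation or any sub.domain.com records here: sub.domain.com is already its
#    own zone on this server and the more specific zone answers for it.
Add-DnsServerResourceRecordA -ZoneName $ParentZone -Name 'mail' -IPv4Address $InternalIp -ComputerName $DnsServer

# Caveat: the internal server is now authoritative for domain.com and will not
# forward misses to the public zone, so every public name clients still need
# (here, the bare domain for the website) must be copied in too. '@' is the apex.
Add-DnsServerResourceRecordA -ZoneName $ParentZone -Name '@' -IPv4Address $PublicWeb -ComputerName $DnsServer

# 3a. Check: an internal client now gets the private address for mail.domain.com.
Resolve-DnsName -Name "mail.$ParentZone" -Server $DnsServer -Type A

# 3b. Check: the DC locator SRV records under the AD zone still resolve.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdZone" -Server $DnsServer -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { throw "DC locator SRV records under $AdZone do not resolve; check for an overlapping zone or delegation" }
$srv | Select-Object NameTarget, Port, Priority, Weight

# 3c. Check: the AD zone is still answered by its own SOA, not by the new parent zone.
Resolve-DnsName -Name $AdZone -Server $DnsServer -Type SOA
```

Run the checks from a domain-joined client as well as on the server, since the client resolver caches: an `ipconfig /flushdns` on the client is needed before the new mail.domain.com answer is visible there.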
Poudrecomputer

They have an AD domain for sub.domain.com, and since there's no parent listed for domain.com, I can't create anything above it. What I found is that if I create a domain called domain.com and create some records in it, it DOES work; however, when people go to log in there are two trees: the domain.com with the "sub." child and a domain.com with A records in it. So while just creating a forward zone called domain.com works for this, it ends up ruining the AD lookup feature for domain controllers, as it becomes hit or miss which domain it works through, or at least that's what the testing has shown. It's amazing how someone else's grand idea makes things much harder.
mikeleebrla

Yeah, whoever set up sub.domain.com didn't know how to properly set up split DNS for domain.com, so they created sub.domain.com and screwed everything up. What exactly do you mean when you say "however when people go to login theres two trees the domain.com with the sub. child and a domain.com with a records in it"? Do you mean the USER sees two trees somehow?

Which AD domain lookup feature are you referring to? When you say "it becomes hit or miss on which domain it works through" I'm confused... you still only have one AD domain (sub.domain.com); you just created a DNS zone for domain.com, not an actual domain called domain.com.
Poudrecomputer

Yah, it was one of those "ehh, we'll live with it" things, and now it's the bane of my existence. Anyway, when you go to log in you use the AD service to log in, and it uses DNS to look up the service records for the DCs. If I create a forward lookup zone of just domain.com, the client either gets a failed lookup (if it goes through the domain.com DNS zone) or it lets them in (if it goes through the sub.domain.com zone). I verified this with Ethereal.

Correct, I just created the DNS zone for domain.com and not an actual domain, but due to the integration of AD and DNS it's a mess now. I mean, I'd really like to just remove their sub.domain.com domain from DNS, then create domain.com and create the child domain "sub". While I've worked with AD for 5 years in enterprise environments, I've never had to split the two and sew them back together, and I'm not sure it can even be done too well.

The only other option, since it's a Win2k3 domain, is to rename the domain. I'm not thrilled with this idea, as Microsoft "made it work" in Win2k3.

Mike, I do appreciate you helping me out with this.
ASKER CERTIFIED SOLUTION
mikeleebrla