Create record above your AD domain?

Posted on 2005-03-30
Medium Priority
Last Modified: 2011-09-20
I inherited a network at a client who is set up as sub.domain.com for AD, and they own domain.com publicly. However, we now host services inside, so the clients are being redirected outside and right back in, which causes them not to be processed by the firewall rules. I need to create records at the domain.com level. However, Windows DNS will not let me. Has anyone been through this? I don't want to remove DNS and try to get it working again with AD.

The example is mail.domain.com, which externally points to our public IP. Since our AD/DNS domain internally is sub.domain.com, I cannot create a mail.domain.com record to point internally for when the staff is here.
Question by: Poudrecomputer
LVL 25

Expert Comment

ID: 13665666
OK, if your AD domain is sub.domain.com then they have to have the parent domain of domain.com, since this had to be created before sub.domain.com was created. All of your clients should be pointed to INTERNAL DNS servers which only have internal private DNS records. If this was the case they would never be redirected out by a public IP.

I'm a little confused though. You say that "clients are being redirected outside and right back in which causes them not to be processed by the firewall rules"... if the clients are going out and coming back in, then they ARE going through the firewall when they come back in, right? This is what is confusing me.

But the root cause of your problem is that your clients are getting public DNS records for, say, mail.domain.com when they should be getting your private addresses, right? What makes you say you can't create a zone for domain.com?
Bottom line: internal users should be pointed to internal DNS servers, and external users should be pointed to external DNS servers. This will resolve your problem.

Author Comment

ID: 13665723
Actually, if you create the domain for AD/DNS in win2k it will create it as sub.domain.com. It DOES NOT create the proper DNS tree of parent and child.

So listed in DNS under forward lookup zones is my first zone of sub.domain.com; it is NOT listed as domain.com with a subdomain of "sub". Since I can't go to domain.com internally to create the records, it won't work. Also, I cannot create a domain called domain.com since I would end up with two authoritative domains for sub.domain.com.

The firewall is a fun one. What happens is the address is resolved to an external address (mail.domain.com), so since the request is going out of the network and then being redirected back in, it's not being handled by the firewall rules and stops at the firewall. Example: a user goes to the webmail for Exchange, which has a site for public and a different path for internal. The user types mail.domain.com (external), it goes out and back in, gets stuck at the firewall, and shows the user the login page for the firewall appliance.

I guess my question/need is: I need to delete the DNS forward lookup zone I have so I can create domain.com and then create the child. Then I need to reassociate AD with that child domain.
LVL 25

Expert Comment

ID: 13666004
Do you have an AD domain called domain.com, or did you somehow create sub.domain.com initially?
If you created sub.domain.com initially then it did create the proper DNS tree, since in that case you don't have a domain named domain.com, but rather a domain called sub.domain.com. Since you happen to have a "real" public domain called domain.com (split DNS), you have to manually create a domain.com zone and the A records for it.

Have you tried creating a DNS zone for domain.com and seeing what happens? I think you are confusing things more than they need to be. A domain can't be authoritative for another domain (or subdomain); the "authoritative DNS server" is just the DNS SERVER that is authoritative for a particular domain. A DNS server can be authoritative for any number of domains. Think about your ISP's DNS server: it is authoritative for 100s or 1000s of domains. In either case this is an internal DNS server, so it doesn't have to abide by RFC rules anyway.
Author Comment

ID: 13666085
They have an AD domain for sub.domain.com, which, since there's no parent listed for domain.com, I can't create anything above. What I found is that if I create a domain called domain.com and create some records in it, it DOES work; however, when people go to log in there are two trees: the domain.com with the sub. child, and a domain.com with A records in it. So while just creating a forward zone called domain.com works for this, it ends up ruining the AD lookup feature for domain controllers, as it becomes hit or miss on which domain it works through. Or at least that's what the testing has shown. It's amazing how someone else's grand idea makes things much harder.
LVL 25

Expert Comment

ID: 13666233
Yeah, whoever set up sub.domain.com didn't know how to properly set up split DNS for domain.com, so they created sub.domain.com and screwed everything up. What exactly do you mean when you say "however when people go to login theres two trees the domain.com with the sub. child and a domain.com with a records in it"? Do you mean the USER sees two trees somehow?

Which AD domain lookup feature are you referring to? When you say "it becomes hit or miss on which domain it works through" I'm confused... you still only have one AD domain (sub.domain.com). You just created a DNS zone for domain.com, not an actual domain called domain.com.

Author Comment

ID: 13666291
Yeah, it was one of those things that "ehh, we'll live with", and now it's the bane of my existence. Anyway, when you go to log in you use the AD service to log in, and it uses DNS to look up the service records for the DCs. If I create a forward lookup zone of just domain.com, the records the client receives either get a failed lookup (if it goes through the domain.com DNS zone) or it lets them in if it goes through the sub.domain.com zone. I verified this with Ethereal.

Correct, I just created the DNS zone for domain.com and not an actual domain. But due to the integration of AD and DNS it's a mess now. I mean, I'd really like to just remove their sub.domain.com domain from DNS and then create domain.com and create the child domain of "sub.". While I've worked with AD for 5 years in enterprise environments, I've never had to split the two and sew them back together, and I'm not sure it can even be done too well.

The only other option, since it's a win2k3 domain, is to rename the domain. Not thrilled with this idea, as Microsoft "made it work" in win2k3.

Mike, I do appreciate you helping me out with this.
LVL 25

Accepted Solution

mikeleebrla earned 1000 total points
ID: 13671521
Shoot, for some reason I thought this was a 2000 domain. If I had realized this was a 2003 domain I would have suggested renaming the domain to domain.com, since you can do that with 2003. I would do that if I were you. That way you would end up with a nice clean split DNS setup where domain.com is both your public and private (AD) domain.
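As an added example that is not part of the thread, the split DNS setup mikeleebrla recommends (an internal domain.com zone beside the untouched sub.domain.com AD zone, with a private A record for mail) followed by the DC-locator SRV check the author did by hand with Ethereal. It assumes a modern DNS server with the PowerShell DnsServer module (Windows Server 2012 or later, rather than the 2003-era dnscmd), is run as an administrator on a DC, and uses placeholder names and constructed addresses throughout.

```powershell
# Added example, not code from the thread. Assumes the DnsServer module (Server 2012+).
$PublicZone = 'domain.com'          # public domain the company owns (placeholder)
$AdZone     = 'sub.domain.com'      # existing AD-integrated zone; left untouched (placeholder)
$MailInside = '10.0.0.25'           # private address of the Exchange/OWA server (constructed)
$DnsServers = @{                    # every internal DNS server and its address (constructed)
    'dc1.sub.domain.com' = '10.0.0.10'
    'dc2.sub.domain.com' = '10.0.0.11'
}

# 1. Internal copy of the public zone, AD-integrated so every DC serves the same answers.
#    It holds only names that must resolve to private addresses. Any other domain.com
#    name clients still use must also be added here, or it stops resolving internally.
if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'mail' -IPv4Address $MailInside

# 2. Delegate "sub" from domain.com to the servers hosting the AD zone, so a resolver that
#    lands in the domain.com zone is referred onward instead of being told NXDOMAIN.
#    Assumption: the failed DC lookups in the thread came from a server that hosts
#    domain.com without sub.domain.com; a server hosting both answers from the child zone.
foreach ($ns in $DnsServers.GetEnumerator()) {
    Add-DnsServerZoneDelegation -Name $PublicZone -ChildZoneName 'sub' `
        -NameServer $ns.Key -IPAddress $ns.Value
}

# 3. Verify from the client's point of view against every internal DNS server:
#    mail.domain.com must return the private address, and the DC-locator SRV record
#    that the logon process queries must still resolve.
$dcLocator = "_ldap._tcp.dc._msdcs.$AdZone"
foreach ($server in $DnsServers.Keys) {
    $mail = Resolve-DnsName -Name "mail.$PublicZone" -Type A -Server $server -ErrorAction SilentlyContinue
    $srv  = Resolve-DnsName -Name $dcLocator -Type SRV -Server $server -ErrorAction SilentlyContinue
    $mailOk = ($mail | Where-Object Type -eq 'A').IPAddress -contains $MailInside
    $srvOk  = ($srv  | Where-Object Type -eq 'SRV').Count -gt 0
    '{0}: mail.{1} -> {2}; DC locator SRV -> {3}' -f $server, $PublicZone,
        $(if ($mailOk) { 'internal address' } else { 'WRONG OR MISSING' }),
        $(if ($srvOk)  { 'ok' } else { 'FAILED' })
}
```

Any server that reports the SRV lookup as FAILED is one whose zone set differs from the others, which is the "hit or miss" the author saw; step 3 is also worth re-running after a domain rename, which the accepted answer suggests instead.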
