
DNS active directory problem.

rfinaly asked
Medium Priority
Last Modified: 2009-02-06
Hello Experts,

A week ago we created a DMZ within our network.
Since then, when we create user accounts, the user record is created on the internal DNS server (private address) but not on the external DNS.
How can I synchronize the DNS in the private network with the DNS of the DMZ?
Please include step-by-step instructions if possible.

When I access the users in Active Directory on the DNS of the private network I see the users, and when I access the DMZ DNS I do not see the users.
Thank you,

Irwin Santos, Computer Integration Specialist

You need to add a DNS forwarder to the internal DNS server -->>>>external DNS server

Provide the SERVER OS information


Thank you for the response; the server OS is Windows 2000 Server.
Irwin Santos, Computer Integration Specialist

Go to DNS manager

Right-click on your SERVER (host), choose Properties, then click on the FORWARDERS tab. Enter the IP address of the machine that you need to feed your DNS information.


Thanks again. Quick question: will that move the accounts I created over the last week to the DNS for the DMZ, or do I need to create the accounts again?
Thank you very much for your help.
I apologize for my question, but probably you mean DC (Domain Controller), not DNS?



Yes, I do mean Domain Controller, sorry about that.
I created the forwarding that you told me about; will the users move to the second DC?

Irwin Santos, Computer Integration Specialist

Oh wow... ok... misdirection... thinking...


Are both DNS servers Active Directory integrated?

If so, make sure the external DNS server can talk to Active Directory.

If not, then I'd suggest making the external DNS server a secondary and point it to the primary (internal) DNS server.

Hope this helps,
I apologize again, but I have another simple question: what is the reason to put a Domain Controller in the DMZ?

The DMZ is considered a less secure zone and I would like to understand the reason for such a configuration.


NetoMeter is correct to question this. Even if we are talking about a DNS server instead of a Domain Controller, what is the point in setting up an external-facing DNS server with internal user and machine info on it? If the internal network has private addresses then external users are not going to be able to legitimately access the internal machines anyway, and someone attempting to break in is going to have information about what to try to get to. Understanding where you are going will help in offering advice.



Let me try to explain the problem in more detail.
When we create a user account the user is created on the domain controller of the private network (not the DMZ). Now, in the DMZ I have servers that host secure web sites. Our users can log in to those web sites using their network login information.
Just a reminder that we configured the DMZ last week.
All users that were created this week cannot access a web site, but old users can.
So I checked and I see that the new users are on the domain controller of the internal network, but they are not on the domain controller of the DMZ network.

Now, why do we have two domain controllers, one for the internal network and one for the DMZ? Before I added the DMZ configuration I had two domain controllers; I converted one to be the DNS server for the DMZ network, and the second one is for the internal network as always.

Maybe now it is clearer what the issue is, and maybe you guys can help solve my problem.

Thank you in advance,
IT Consultancy
Your DCs aren't communicating; have you checked the event logs? You are going to need to open up some holes in the firewall between the DMZ and the private network, which is not really a good idea.


Yancey Landrum, Technical Team Lead
This is an extraordinarily bad idea. The whole reason for a DMZ is to insulate your network from your public-facing servers (and since most attacks are application-layer attacks nowadays rather than port-based attacks, even a DMZ is not as secure as it used to be). By putting a DC for your domain in the DMZ you are basically opening up your network to the bad guys. You are also giving them potential access to all your user accounts, as well as your private IP information, server names, confidential data, etc.

If you must have your own DNS server, then it needs to NOT be a domain controller! Run dcpromo to demote it to a member server, then set up a separate DNS zone that is NOT AD-integrated. Your "secure" web sites are anything but. They should have their own authentication, not Windows-integrated.

Are these web sites accessible from the internet by non-employees? If not, there is no reason for them to be in a DMZ. Bring them back inside and cut off access at the firewall. If they do need to be accessed by non-employees via the internet, how are they authenticating? Are you giving non-employees login accounts on your domain? Another extraordinarily bad idea. If these sites are only accessed by employees, but they need to access them via the internet, you'd be MUCH better off security-wise to set up a VPN solution and get them out of the DMZ.

Would you mind posting the public IP address of your DC, as well as your admin login name and password? If you don't want to do that (and you shouldn't), GET THAT DC OUT OF THE DMZ!!!

I hope you can blame this setup on a consultant because if you did it, you should be fired immediately. Get your company to sign you up for some IT security courses ASAP (CompTIA Security+ is a good place to start).

Sorry if this seems harsh, but you must understand how serious it is.
Steve Knight, IT Consultancy

Makes my "not really a good idea" comment seem soft now. 100% agree: don't expose anything related to internal stuff to the internet in any way...



Well, it is a consultant that started the job and now I need to fix all the problems that do not work.
I will remove the DC right now; hopefully other things will not get broken on the way. I do have to give my clients network logins, this is the type of business we are in, and we have to allow them to access applications from the internet, so I guess my question is how can I allow an application that a DMZ server hosts to authenticate against the DC?

Thanks for the advice.
After asking these two simple questions:
1. Whether you mean DC (Domain Controller) instead of DNS server
2. What is the reason to have a DC in the DMZ
for which I apologize again, I think I have a better understanding of your problem.

Now I am going to ask a couple more specific questions:
1. Is it correct to assume that your clients need to access a web server and have to be authenticated before they get the corresponding level of access?
2. Do they need to be Active Directory users?

If the answer to both questions is positive then you have to change your current configuration a little bit.
The suggested changes would be:
1. Open the necessary ports in the firewall (I will provide you with the list of the ports and, if necessary, more info about the firewall configuration) in order to restore the normal communication between DC2 (I will name the Domain Controller in the DMZ DC2 and the internal one DC1) and DC1.
2. Force replication between them, check the result and make sure that it is successful.
3. Demote DC2, make sure that it is removed from the Domain Controllers container in ADUC (Active Directory Users and Computers) and clean the AD-integrated zone if it is still listed as DC, GC etc. there.
4. Delete the AD-integrated DNS zone on DC2 and create a primary DNS zone containing the records necessary for the external (internet) users. This configuration is called split DNS.

If you have successfully completed the above steps your Internet users will be able to access the web applications and authenticate against AD.

In addition I would recommend constantly monitoring the traffic to that server using an IDS (Intrusion Detection System).
The easiest way to do this is to install Snort in the DMZ. If you want to get serious you can configure Snort in front of your WEB server so it will automatically drop suspicious connections.

I hope that my comment was helpful.

Yancey Landrum, Technical Team Lead

Yes, I understand you have to take care of your customers. Completely redoing the security of your web servers will be a time-consuming process that will involve lots of downtime. Considering how it is set up, removing the DC will almost certainly break your web sites. The two DCs are not talking right now so that is good; you can leave the DMZ domain controller where it is for now and consider them two different domains but for heaven's sake do not open up anything in the firewall. Here's what you can do to secure your internal network:

On the firewall:
Make sure you are only allowing the minimum traffic, and only to your web servers (port 443 for SSL; port 80 only if there are any unsecure sections of the websites).
For DNS, you'd be better off getting your ISP to host your DNS records for you (usually they will do it for no charge if you have a T1 or better). The DMZ domain controller should not be reachable from the internet (only the web servers need it to authenticate). If you really need your own DNS, allow port 53 (tcp and udp) to the domain controller.

On the DMZ domain controller:
Remove all internal (non-web server) machine accounts from the DMZ domain.
Remove all DNS records that reference any internal machines.
Remove any internal users who do not need to access the websites.
Change the usernames and passwords for the existing users so they are different from your internal domain.

Then, at your earliest opportunity, rename the DMZ domain. Renaming the domain in Windows 2000 is possible if it is in mixed mode but it's pretty involved (Microsoft has instructions but Daniel Petri condensed them into a high-level overview here: http://www.petri.co.il/w2k_domain_rename.htm). You'd have better luck upgrading to Windows server 2003 and using the domain rename tool.

You will have to manage the two domains separately; new users will have to be added to both domains (assuming they need access to both domains) using the separate naming conventions for each. External customers need only be added to the DMZ domain.

Dang consultants. You should get your money back, or at the very least warn all your friends that those guys don't know jack about security.
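As an added example (not part of this thread or any poster's own tooling), a Python check for the cleanup both answers describe: the zone served from the DMZ must not carry RFC 1918 addresses, Active Directory locator (SRV) records for DCs and GCs, or aliases that point back at internal names. The zone records and the `.local` / `.internal` suffix list are constructed assumptions for the demonstration.

```python
import ipaddress

# RFC 1918 ranges: the internal network in the thread uses private addresses,
# so any A record with one of these has leaked from the internal zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Service-locator labels an AD-integrated zone publishes for DCs and GCs; after
# DC2 is demoted and the zone rebuilt as a plain primary zone none should remain.
AD_LOCATOR_LABELS = ("_ldap", "_kerberos", "_kpasswd", "_gc", "_msdcs")

# Name suffixes treated as internal-only (assumption for this example).
INTERNAL_SUFFIXES = (".local.", ".internal.")

# Constructed sample of a DMZ zone export in "name type data" form; a real audit
# would read the zone exported from the DMZ DNS server instead.
SAMPLE_ZONE = """\
; external zone for example.com (constructed sample)
www          A      203.0.113.10
mail         A      203.0.113.25
fileserver   A      10.0.1.15
dc1          A      192.168.1.5
_ldap._tcp.dc._msdcs   SRV   0 100 389 dc1.example.com.
_kerberos._tcp         SRV   0 100 88  dc1.example.com.
intranet     CNAME  fileserver.corp.example.local.
"""

def parse_zone(text):
    """Yield (name, type, data) tuples, skipping comments and blank lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        yield parts[0], parts[1].upper(), " ".join(parts[2:])

def audit_external_zone(text):
    """Return (name, type, reason) for every record that must not be public."""
    findings = []
    for name, rtype, data in parse_zone(text):
        if rtype == "A":
            addr = ipaddress.ip_address(data)
            if addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918):
                findings.append((name, rtype, f"private address {addr}"))
        elif rtype == "SRV" and any(lbl in name.lower().split(".") for lbl in AD_LOCATOR_LABELS):
            findings.append((name, rtype, "Active Directory locator record"))
        elif rtype in ("CNAME", "MX", "NS") and data.lower().endswith(INTERNAL_SUFFIXES):
            findings.append((name, rtype, f"target {data} is an internal name"))
    return findings

if __name__ == "__main__":
    for name, rtype, reason in audit_external_zone(SAMPLE_ZONE):
        print(f"{name:24} {rtype:6} {reason}")
```

The two TEST-NET addresses for `www` and `mail` pass; the five remaining records are exactly the ones the thread says to remove before the DMZ server is reachable from the internet.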
One more comment:
Having a Web server in the DMZ which authenticates against Active Directory is a very common configuration.
A good example is the OWA (Outlook Web Access) in the DMZ. Actually that is the way Microsoft recommends configuring OWA – installing a Front-end Exchange server in the DMZ. In that configuration we have exactly a WEB server and an Application server in the DMZ which authenticate against AD.



Thank you very much for the responses. I am working now to get things a bit more secure. I already removed all internal machine accounts from the DMZ, also the DNS records, and I will keep working over the weekend on more configurations.
I have a quick question for NetoMeter: how do you configure OWA that is located in the DMZ to authenticate against AD that is now located internally?
Thanks again,
Yancey Landrum, Technical Team Lead


Just because it is very common doesn't mean it is a good idea. Microsoft may recommend OWA on a front-end server in the DMZ, but I don't, and neither do a lot of security professionals. You have to open WAY too many holes between the DMZ and the inside (since the front-end server must be a domain member, you have to open ports for ldap, ds, is, kerberos, dc, gc, lsa, ipsec if you are using it, etc), as well as statically set certain ports that should be dynamic. The end result is a configuration that is LESS secure; once you open all the holes in the firewall and statically set your ports, your OWA server is basically on the inside.

It is actually more secure to keep the front-end server on the inside and just allow port 443 to it.
I respect your opinion, ylandrum, and it is true that opening ports in a firewall leads to a less secure configuration.
Using a Front-end server (WEB, Application, etc.) in the DMZ is the normal approach. In fact, even when you check your bank account you are connecting to a Front-end server which communicates through a firewall to Back-end server(s) authenticating your request. Maybe you should send your concerns to your bank.

Anyway, my personal opinion is that Rfinaly should be fine if he demotes DC2, configures split DNS and configures the WEB server to authenticate against the DC.
I think that configuring and maintaining two separate domains, one inside and a second in the DMZ, is not a better idea and I would not prefer that approach.
As a matter of fact, I've never seen such a configuration.


PS: I would rather invest resources and time in implementing an IDS system than maintaining two Domains.