
Active Directory-Integrated DNS Question

We have two servers (one local and one at a remote location) that are set up for replication of DNS (set up as Active Directory-Integrated). Our workstations at the local office should access the website via the private IP address, but I would like the workstations at the remote office to use the public IP address of the website. The problem is any changes made in DNS to either server replicate back to the other. How do I prevent the DNS entry for the website on the remote server from replicating back to the local server (or being overwritten, for that matter)? Or how do I bypass the DNS setting?
Lee W, MVP (Technology and Business Process Advisor) commented:
Well, not clear why you don't want DNS to handle this for both sites... did you name the AD Domain after your registered DNS domain?

In any case, you can just create local hosts files on a workstation and use that to override DNS.
chipsexpert (Author) commented:
That might be okay for 5 or 10 users, but not acceptable for 500+ users. How would the DNS handle it for both sides then, as you mentioned? (Because that's what I am looking for. I want mywebsite.com to resolve to one IP at "local" and another IP at "remote", but there is a single entry in DNS for mywebsite.com that gets replicated.)
Lee W, MVP (Technology and Business Process Advisor) commented:
You didn't specify how many users until your comment.  Why is it not acceptable?  You script the change - it'll take 10 minutes.

Again, why must the two sites work differently?  The logic is not making sense to me.

chipsexpert (Author) commented:
The logic is we don't want the traffic to our website from the remote location to bog down the connection across the internal network (i.e. VPN). That's all. Our website is constantly accessed by our employees.
WpgComputerGuy commented:
I'm going to assume that you don't want remote users to access the Web site via the VPN that is supporting replication of AD info. Not that it really matters.

AD-integrated domains will replicate among all of your DNS servers (that are domain controllers) by default. The only way to stop this is to change your zone types from AD-integrated to Primary. However, if both zones are Primary, then there is no replication between the servers and you'll have to manually update both locations.

If your AD is 2003 native mode then there's some funky stuff you can do with application partitions to control DNS replication between servers, but in your situation I don't think it will help.

There is no method that I'm aware of to stop the replication of a single DNS record.

As LeeW mentioned, you could configure a hosts file for workstations at the remote location. You could copy the file out as part of the logon script, but inevitably there will be hiccups with a hosts based solution.
Lee W, MVP (Technology and Business Process Advisor) commented:
The only potential hiccup with a hosts file is when you change the IP of the server. But this is easily fixable with a script.
WpgComputerGuy commented:
By hiccups I mean problems ensuring that the host file is up to date on all the workstations. Do you copy the file just once? Do you copy the file during each login?

In my experience the copying process always seems to get messed up somewhere along the way. With 500+ workstations, it just increases the odds of a problem on some of the workstations.

Have you considered creating a different DNS record that uses the external address? For example, www2.xxxxxx.com could resolve to the external address. Then direct the users to access that site, or if it's their home page, push it out with group policy.

Still not perfect, but I'd take it over managing hosts files on workstations.

Lee W, MVP (Technology and Business Process Advisor) commented:
The problem here is we still don't know the asker's environment. A PROPER Active Directory domain setup should end in a non-routable domain name, typically .local. But we don't know this. I still cannot see a logical reason for accessing the web site from different addresses.

As for the hosts file issue, a logon script won't cut it because standard users won't have access to the hosts folder/file. You run a script against each machine with an admin account. It should take a couple of minutes. A proper script will generate a log of successes and failures, and you run it until all systems have been applied. Typically, it takes 3-5 passes for that many machines (I used to run a network with about 600 workstations running Windows).
feptias commented:
Try this - it should work:

Create a new forward lookup zone called xyz.local on each DNS server. Type is primary, not AD-integrated, no replication.

At the remote office, add a host record to this new zone called webserver and assign it the external IP address of your web site. At your local office, add a host record to the xyz.local zone called webserver and assign it the internal IP address of your web server.

In your main forward lookup zone, the one that is AD-integrated, delete the existing www host record and replace it with a CNAME record called www. Set the 'target host' of the CNAME record to webserver.xyz.local.

The CNAME record will be identical at both sites, but the target host record it points to will resolve to a different IP address depending which site you are at.

(You might need to add webserver.xyz.local to the list of host headers on the web server, but I don't think that will be necessary).
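The zone layout feptias describes, written out as an added example (not code from the thread) using the DnsServer PowerShell module that ships with Windows Server 2012 and later. Zone and host names follow the thread (mywebsite.com, xyz.local, webserver, www); the addresses 10.0.0.5 (internal) and 203.0.113.10 (public) are placeholders, and the script is assumed to be run once on each site's DNS server with -Site set accordingly.

```powershell
# Added example: per-site answer for www via a non-replicated zone plus a replicated CNAME.
# Run on each DNS server: -Site local on the office server, -Site remote on the remote one.
param(
    [Parameter(Mandatory)][ValidateSet('local', 'remote')][string]$Site
)

$AdZone   = 'mywebsite.com'   # AD-integrated zone, replicated to both servers
$SiteZone = 'xyz.local'       # file-backed primary zone, deliberately NOT replicated
$SiteIp   = if ($Site -eq 'local') { '10.0.0.5' } else { '203.0.113.10' }  # placeholders

# 1. Per-site zone: a standard (file-backed) primary zone stays out of AD replication,
#    so each server keeps its own copy and can give its own answer.
if (-not (Get-DnsServerZone -Name $SiteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $SiteZone -ZoneFile "$SiteZone.dns" -DynamicUpdate None
}

# 2. The site-specific A record for the web server (replace any earlier value).
Get-DnsServerResourceRecord -ZoneName $SiteZone -Name 'webserver' -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $SiteZone -Force
Add-DnsServerResourceRecordA -ZoneName $SiteZone -Name 'webserver' -IPv4Address $SiteIp -TimeToLive 00:05:00

# 3. In the replicated zone, www becomes a CNAME to the per-site name. This record does
#    replicate, which is fine: it is identical at both sites, only its target differs.
Get-DnsServerResourceRecord -ZoneName $AdZone -Name 'www' -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $AdZone -Force
if (-not (Get-DnsServerResourceRecord -ZoneName $AdZone -Name 'www' -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $AdZone -Name 'www' -HostNameAlias "webserver.$SiteZone"
}

# 4. Verify against THIS server. The design only works if each site's clients query their
#    own site's DNS; a client that falls back to the other site's server gets that site's IP.
Resolve-DnsName -Name "www.$AdZone" -Type A -Server 'localhost' |
    Where-Object { $_.Type -in 'CNAME', 'A' } |
    Format-Table Name, Type, NameHost, IPAddress -AutoSize
```

Browsers still request www.mywebsite.com, so the Host header sent to the web server and the name checked against its certificate are unchanged by the CNAME target.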
WpgComputerGuy commented:
I think feptias has the most simple and graceful solution. I wish I had thought of it.
rm250motox commented:
How would this method work in the case of a site with an SSL cert that's keyed to the domain which is also the name of the primary AD-integrated zone?