DNS Forwarding to IIS in another Domain

Posted on 2006-11-11
Last Modified: 2008-02-01
Environment: Windows 2003 Ent. Two Domains. 1 router, 1 firewall handling both domains on one RJ45 socket i.e. the second domain shares the same DMZ cable and backend switch as the first domain. (Both of these domains are set up on the DMZ)

I have DNS servers on one domain and I need to point traffic to an IIS server on the other domain. Will a normal HOST (A) record and WWW record DNS entry be sufficient? i.e. Can I put 2 host records of the IIS server in one DNS entry of a domain pointing to the IP address of the IIS server in the other domain?

I have set up a 2-way transitive trust between the domains.
Question by: PWyatt1

Expert Comment

ID: 17929087
The internal DNS servers must contain Host (A) records for the servers on the LAN defining their actual computer name and internal IP address. Provided you do not have a server called www, you can create a CNAME (alias) record for www and point it to any server that has a Host (A) record. CNAME records point to FQDN's, not to IP addresses. CNAME records in one domain can point to Host records in another domain so you could have a CNAME for www.domain1.local pointing to an IIS server PC with the FQDN mywebserver.domain2.local. This would be the best solution if you are referring to local intranet web site access only.

If, however, your web sites are being accessed from the Internet then the routing to the IIS server will be determined by the external IP address on the router and the port forwarding rules set in the router. Public DNS servers will contain records that determine the IP address to be used for, say, and this will need to be an address that corresponds to a static IP address on the WAN side of the router. The router rules will then determine what happens to http requests arriving on its WAN port. If you want different web sites to be hosted on different IIS servers, then the easiest solution is to have a different static IP address on the WAN port of the router for each IIS server, then use port forwarding or one-to-one NAT to direct the requests to the right server.

Hope this helps.

Author Comment

ID: 17931897
H-m-m-m-m. Sorry feptias, didn't quite understand. The router on the WAN (Cisco1720) is connected to the Internet and has the two subnets in its ARP and passes through queries to my firewall. The 2 subnets share the same DMZ port on my firewall as the firewall is set up to handle queries to both subnets. All my servers have static IP addresses and are connected to a switch that in turn is connected to the DMZ port on the firewall. The first subnet has been up and running for years.

The router and the firewall are not germane to this question. They are set up and working. I just need a little direction on what entries to put into a zone on the second subnet (Domain 2) to talk to the first subnet (Domain 1). Example: For a DMZ zone on, say Subnet2 (, what are the records needed to pass queries to an IIS server called say, IISserver1 with IP address on Subnet1 (Domain1)? I have assumed that all I need are 2 host records:

(same as parent folder)  HOST (A)
www                            HOST (A)

The questions I have are:
1. Are these all the entries I need? If not, what do I need to add/delete/change?
2. Do I need to keep/set up a transitive trust between the domains?

Expert Comment

ID: 17934270
I believe your question may not be valid. You appear to be asking how to configure the DNS records to make DNS do something that it cannot do. A DNS server resolves names to IP addresses. It does not forward or re-direct IP traffic. I have read that ISA server can redirect http traffic based on the host header, so maybe you should look at that.

Author Comment

ID: 17934926
Thanks feptias.

In my situation, the name has already been resolved by my DNS resolution to the zone in the first domain. I don't want a redirect per se (i.e. redirect from one zone to another). I just want to pass over requests from a DNS server in one domain to a website on an IIS server in another domain. The two host records that I posted in the prior post are what I have set up to forward to the IIS server. Both domains happen to reside on the same physical network, but with different subnet masks.

So, netting everything out, you are saying that these two host record entries will not get me over to the IIS server on the other subnet/domain?

Expert Comment

ID: 17936761
I am not clear what you mean at the moment. We need to get some clarity on a few basics.
1. The two domains you mentioned - are they Windows AD domains, Internet domains (i.e. used for web and e-mail addresses) or both?
2. Are the web sites hosted on your web servers accessed from workstations on the LAN, from Jo Public on the Internet or both?
3. What device handles the routing from one subnet to the other? Can you already ping servers on one subnet from PC's on the other?
4. You describe the firewall as "set up to handle queries to both subnets", so the firewall is doing some routing. What sort of rules can you configure in this firewall that would determine if an http request coming from the Internet is going to be sent to subnet 1 or subnet 2?
5. Are you using NAT and, if so, how many static IP addresses do you have on the Internet port? (This question is not relevant if the answer to 2 is that Jo Public does not access your web sites)
6. Are you trying to get some web sites hosted on an IIS server in one domain/subnet while other web sites are hosted on a different IIS server in the other domain/subnet? (The alternative possibility would be that you are moving a single IIS server from one domain to the other).
7. Are you referring to internal DNS servers that are an integral part of the Windows AD setup or to external public DNS servers that are used to resolve name requests on the Internet? If the latter, are you hosting your own public DNS servers inside the DMZ or is it based on an external hosting service such as

An IIS server running on one PC can host web sites for a great number of different Internet domains. You could be hosting sites for, and on a server that is a member of the Windows domain or (better) mycompany.local. The routing of web traffic to that server is done by IP address. In the case of public web sites, your router or firewall would be configured to forward all http traffic to a particular IP address - the address of the IIS server. DNS would only be used by the browser to find the public port on your router. The Windows domain or even the destination subnet are of no significance provided the router can send the traffic to the IP address of the server. In the case of internal intranet web sites the IP address of the server would be found by resolving the URL of the web site on a local (internal) DNS server. A common problem in this situation is that your Windows AD domain name is identical to the domain name you want to use for your web site - e.g. web site is and Windows AD domain name is This makes it impossible to use the URL because the DNS records for that name are fixed by the requirements of AD. However, it would still be possible to add a DNS record (Host A) for www that points to the IP address of the IIS server PC thus allowing you to use If the web server allows anonymous access then the fact that the web server is a member of another Windows domain is not relevant. All that is relevant is that the PC doing the browsing is able to send IP traffic to the web server - if the web server is on a different subnet then that traffic will have to go via some kind of router.

Author Comment

ID: 17937086
Thanks feptias:
1. They are Internet domains, and as I said before, all of the DNS servers and IIS servers are on the same DMZ. In Subnet1 (Domain1), there are 2 DNS servers (primary and secondary), 1 domain controller, and 1 IIS server, all AD integrated. On the second subnet (Domain2), there are 2 DNS servers and a domain controller with AD integrated DNS. I want the queries coming into Domain 2 to be sent over to the IIS server on Domain 1. The domains are completely separate as far as the Internet root directories are concerned.
2. Servers are accessible to Jo Public from the WAN to the DMZ. All the servers sit on the DMZ.
3. No NAT, just transparent mode.
4. The firewall has been configured to do the routing to the 2 different subnets, and I can ping between one and the other. Don't worry about the configuration and the routing of the firewall. That has been tested, debugged and is up and running.

I appreciate all the detailed information you are giving me, but I am a simple man with a simple question. How do I route website requests from one domain to an IIS server in a different domain? Exactly what records do I need to put into the zone of the DNS server to route to the IIS server in the other domain.

Thanks for the help.

Accepted Solution

feptias earned 125 total points
ID: 17937250
Perhaps I am looking for complexity and problems when there are none. I just assumed that you must be having some kind of problem with the DNS not behaving as you expected. Almost every web site in the World has the DNS server on a different subnet to the web server so it seemed strange that you mentioned this fact if it was causing no specific problems.

If you were to add the following 2 host records to the forward lookup zone for, and the DNS server on which you do it is the authoritative server for the Internet domain then Jo Public will be able to enter into his web browser and his browser will send its requests directly to

(same as parent folder)  HOST (A)
www                            HOST (A)

An alternative, and possibly superior, method would be like this:
Suppose the web server is a member of the Internet domain and its FQDN is This means that you already have a Host (A) record in the forward lookup zone for like this:
websvr1                     HOST (A) 

So now you could add CNAME records to the forward lookup zone for like this:
(same as parent folder)   Alias (CNAME)
www                             Alias (CNAME)

The reason this second method is superior is because it gives you the option to change the IP address of the web server in a single place at some future date. Even if it is hosting the web sites for many different Internet domains, provided each of those is using a CNAME to point to it then you only need to change the Host (A) for websvr1 and that change will work for all the web sites.

I assume you already know about using host headers on the IIS server.

I really hope this is now the answer you were looking for.
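
The alias arrangement discussed in this answer, as an added example that is not part of the original thread: a small Python model of two zones that follows a CNAME in one zone to the Host (A) record in the other, so one address change reaches every alias. It also audits for two conditions worth checking with cross-zone aliases: a CNAME sharing a node with other records (the DNS standards do not allow that, and a zone root always carries SOA and NS) and a CNAME whose target no longer exists. Zone names and addresses are constructed placeholders.

```python
# Constructed sample zones: names (RFC 2606) and addresses (RFC 5737) are
# placeholders, not values from the thread.
ZONES = {
    "domain1.example.": {
        "@": [("SOA", "ns1.domain1.example."), ("NS", "ns1.domain1.example.")],
        "ns1": [("A", "192.0.2.53")],
        "websvr1": [("A", "192.0.2.10")],
    },
    "domain2.example.": {
        "@": [("SOA", "ns1.domain1.example."), ("NS", "ns1.domain1.example."),
              ("CNAME", "websvr1.domain1.example.")],      # alias at the zone root
        "www": [("CNAME", "websvr1.domain1.example.")],    # alias into the other zone
        "old": [("CNAME", "retired.domain1.example.")],    # target has been deleted
    },
}

def records(fqdn):
    """Return the records stored at an FQDN by whichever zone contains it."""
    for zone, nodes in ZONES.items():
        if fqdn == zone:
            return nodes.get("@", [])
        if fqdn.endswith("." + zone):
            return nodes.get(fqdn[:-len(zone) - 1], [])
    return []

def resolve(fqdn, depth=0):
    """Follow CNAMEs across zones to A records; [] means nothing answers."""
    if depth > 8:                       # guard against alias loops
        return []
    rrs = records(fqdn)
    addrs = [value for rtype, value in rrs if rtype == "A"]
    if addrs:
        return addrs
    targets = [value for rtype, value in rrs if rtype == "CNAME"]
    return resolve(targets[0], depth + 1) if targets else []

def audit():
    """Flag CNAMEs that share a node with other data or point at nothing."""
    findings = []
    for zone, nodes in ZONES.items():
        for label, rrs in nodes.items():
            fqdn = zone if label == "@" else f"{label}.{zone}"
            others = [rtype for rtype, _ in rrs if rtype != "CNAME"]
            if len(others) == len(rrs):
                continue                # no CNAME at this node
            if others:
                findings.append((fqdn, "CNAME coexists with " + "/".join(others)))
            if not resolve(fqdn):
                findings.append((fqdn, "dangling CNAME"))
    return findings
```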

Author Comment

ID: 17938913
Thanks for the help and the options.
You get a gold star :)

Question has a verified solution.
