Solved

DNS Forwarding to IIS in another Domain

Posted on 2006-11-11
Last Modified: 2008-02-01
Environment: Windows 2003 Ent. Two Domains. 1 router, 1 firewall handling both domains on one RJ45 socket i.e. the second domain shares the same DMZ cable and backend switch as the first domain. (Both of these domains are set up on the DMZ)

I have DNS servers on one domain and I need to point traffic to an IIS server on the other domain. Will a normal HOST (A) record and WWW record DNS entry be sufficient? i.e. Can I put 2 host records of the IIS server in one DNS entry of a domain pointing to the IP address of the IIS server in the other domain?

I have set up a 2-way transitive trust between the domains.
Question by:PWyatt1
 

Expert Comment

by:feptias
ID: 17929087
The internal DNS servers must contain Host (A) records for the servers on the LAN defining their actual computer name and internal IP address. Provided you do not have a server called www, you can create a CNAME (alias) record for www and point it to any server that has a Host (A) record. CNAME records point to FQDNs, not to IP addresses. CNAME records in one domain can point to Host records in another domain so you could have a CNAME for www.domain1.local pointing to an IIS server PC with the FQDN mywebserver.domain2.local. This would be the best solution if you are referring to local intranet web site access only.

If, however, your web sites are being accessed from the Internet then the routing to the IIS server will be determined by the external IP address on the router and the port forwarding rules set in the router. Public DNS servers will contain records that determine the IP address to be used for, say, www.domain1.com and this will need to be an address that corresponds to a static IP address on the WAN side of the router. The router rules will then determine what happens to http requests arriving on its WAN port. If you want different web sites to be hosted on different IIS servers, then the easiest solution is to have a different static IP address on the WAN port of the router for each IIS server, then use port forwarding or one-to-one NAT to direct the requests to the right server.

Hope this helps.

Author Comment

by:PWyatt1
ID: 17931897
H-m-m-m-m. Sorry feptias, didn't quite understand. The router on the WAN (Cisco1720) is connected to the Internet and has the two subnets in its ARP and passes through queries to my firewall. The 2 subnets share the same DMZ port on my firewall as the firewall is set up to handle queries to both subnets. All my servers have static IP addresses and are connected to a switch that in turn is connected to the DMZ port on the firewall. The first subnet has been up and running for years.

The router and the firewall are not germane to this question. They are set up and working. I just need a little direction on what entries to put into a zone on the second subnet (Domain 2) to talk to the first subnet (Domain 1). Example: For a DMZ zone on, say, Subnet2 (Domain2.com), what are the records needed to pass queries to an IIS server called, say, IISserver1 with IP address 67.95.76.244 on Subnet1 (Domain1)? I have assumed that all I need are 2 host records:

(same as parent folder)  HOST (A)       67.95.76.244
www                            HOST (A)        67.95.76.244

The questions I have are:
1. Are these all the entries I need? If not, what do I need to add/delete/change?
2. Do I need to keep/set up a transitive trust between the domains?

Thanks

Expert Comment

by:feptias
ID: 17934270
I believe your question may not be valid. You appear to be asking how to configure the DNS records to make DNS do something that it cannot do. A DNS server resolves names to IP addresses. It does not forward or re-direct IP traffic. I have read that ISA server can redirect http traffic based on the host header, so maybe you should look at that.

Author Comment

by:PWyatt1
ID: 17934926
Thanks feptias.

In my situation, the name has already been resolved by my DNS resolution to the zone in the first domain. I don't want a redirect per se (i.e. redirect from one zone to another). I just want to pass over requests from a DNS server in one domain to a website on an IIS server in another domain. The two host records that I posted in the prior post are what I have set up to forward to the IIS server. Both domains happen to reside on the same physical network, but with different subnet masks.

So, netting everything out, you are saying that these two host record entries will not get me over to the IIS server on the other subnet/domain?

Thanks

Expert Comment

by:feptias
ID: 17936761
I am not clear what you mean at the moment. We need to get some clarity on a few basics.
1. The two domains you mentioned - are they Windows AD domains, Internet domains (i.e. used for web and e-mail addresses) or both?
2. Are the web sites hosted on your web servers accessed from workstations on the LAN, from Jo Public on the Internet or both?
3. What device handles the routing from one subnet to the other? Can you already ping servers on one subnet from PCs on the other?
4. You describe the firewall as "set up to handle queries to both subnets", so the firewall is doing some routing. What sort of rules can you configure in this firewall that would determine if an http request coming from the Internet is going to be sent to subnet 1 or subnet 2?
5. Are you using NAT and, if so, how many static IP addresses do you have on the Internet port? (This question is not relevant if the answer to 2 is that Jo Public does not access your web sites)
6. Are you trying to get some web sites hosted on an IIS server in one domain/subnet while other web sites are hosted on a different IIS server in the other domain/subnet? (The alternative possibility would be that you are moving a single IIS server from one domain to the other).
7. Are you referring to internal DNS servers that are an integral part of the Windows AD setup or to external public DNS servers that are used to resolve name requests on the Internet? If the latter, are you hosting your own public DNS servers inside the DMZ or is it based on an external hosting service such as GoDaddy.com?

An IIS server running on one PC can host web sites for a great number of different Internet domains. You could be hosting sites for www.abcfish.com, www.xyzcats.com and www.wibble.co.uk on a server that is a member of the Windows domain mycompany.com or (better) mycompany.local. The routing of web traffic to that server is done by IP address. In the case of public web sites, your router or firewall would be configured to forward all http traffic to a particular IP address - the address of the IIS server. DNS would only be used by the browser to find the public port on your router. The Windows domain or even the destination subnet are of no significance provided the router can send the traffic to the IP address of the server. In the case of internal intranet web sites the IP address of the server would be found by resolving the URL of the web site on a local (internal) DNS server. A common problem in this situation is that your Windows AD domain name is identical to the domain name you want to use for your web site - e.g. web site is www.mycompany.com and Windows AD domain name is mycompany.com. This makes it impossible to use the URL http://mycompany.com because the DNS records for that name are fixed by the requirements of AD. However, it would still be possible to add a DNS record (Host A) for www that points to the IP address of the IIS server PC thus allowing you to use http://www.mycompany.com. If the web server allows anonymous access then the fact that the web server is a member of another Windows domain is not relevant. All that is relevant is that the PC doing the browsing is able to send IP traffic to the web server - if the web server is on a different subnet then that traffic will have to go via some kind of router.

Author Comment

by:PWyatt1
ID: 17937086
Thanks feptias:
1. They are Internet domains, and as I said before, all of the DNS servers and IIS servers are on the same DMZ. In Subnet1 (Domain1), there are 2 DNS servers (primary and secondary), 1 domain controller, and 1 IIS server, all AD integrated. On the second subnet (Domain2), there are 2 DNS servers and a domain controller with AD integrated DNS. I want the queries coming into Domain 2 to be sent over to the IIS server on Domain 1. The domains are completely separate as far as the Internet root directories are concerned.
2. Servers are accessible to Jo Public from the WAN to the DMZ. All the servers sit on the DMZ.
3. No NAT, just transparent mode.
4. The firewall has been configured to do the routing to the 2 different subnets, and I can ping between one and the other. Don't worry about the configuration and the routing of the firewall. That has been tested, debugged and is up and running.

I appreciate all the detailed information you are giving me, but I am a simple man with a simple question. How do I route website requests from one domain to an IIS server in a different domain? Exactly what records do I need to put into the zone of the DNS server to route to the IIS server in the other domain.

Thanks for the help.

Accepted Solution

by:
feptias earned 125 total points
ID: 17937250
Perhaps I am looking for complexity and problems when there are none. I just assumed that you must be having some kind of problem with the DNS not behaving as you expected. Almost every web site in the world has the DNS server on a different subnet to the web server so it seemed strange that you mentioned this fact if it was causing no specific problems.

If you were to add the following 2 host records to the forward lookup zone for abcfish.com, and the DNS server on which you do it is the authoritative server for the Internet domain abcfish.com then Jo Public will be able to enter http://www.abcfish.com into his web browser and his browser will send its requests directly to 67.95.76.244:

(same as parent folder)  HOST (A)       67.95.76.244
www                            HOST (A)        67.95.76.244

An alternative, and possibly superior, method would be like this:
Suppose the web server is a member of the Internet domain wibble.com and its FQDN is websvr1.wibble.com. This means that you already have a Host (A) record in the forward lookup zone for wibble.com like this:
websvr1                     HOST (A)           67.95.76.244

So now you could add CNAME records to the forward lookup zone for abcfish.com like this:
(same as parent folder)   Alias (CNAME)          websvr1.wibble.com
www                             Alias (CNAME)          websvr1.wibble.com

The reason this second method is superior is because it gives you the option to change the IP address of the web server in a single place at some future date. Even if it is hosting the web sites for many different Internet domains, provided each of those is using a CNAME to point to it then you only need to change the Host (A) for websvr1 and that change will work for all the web sites.

I assume you already know about using host headers on the IIS server.

I really hope this is now the answer you were looking for.
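The two record layouts from the accepted answer, modelled as an added example (not code from the thread; the zone data is constructed): a resolver chases the CNAME for www.abcfish.com into the wibble.com zone, and changing the single Host (A) for websvr1 moves every CNAME-based site. One check a practitioner wants is enforced as well: in standard DNS (RFC 1034 section 3.6.2) a CNAME cannot share an owner name with other records, so the zone apex, which always holds SOA and NS records, keeps a Host (A) record rather than the Alias shown above.

```python
# Added example, not code from the thread: a miniature model of the two record
# layouts in the accepted answer. Zone data is constructed; "@" stands for the
# zone apex ("(same as parent folder)" in the Windows DNS console).
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]                      # (type, data)
ZONES: Dict[str, Dict[str, List[Record]]] = {
    "wibble.com": {
        "@": [("SOA", "ns1.wibble.com."), ("NS", "ns1.wibble.com.")],
        "websvr1": [("A", "67.95.76.244")],   # the single Host (A) to maintain
    },
    "abcfish.com": {
        # Apex already holds SOA and NS, so it gets an A record, not a CNAME.
        "@": [("SOA", "ns1.wibble.com."), ("NS", "ns1.wibble.com."),
              ("A", "67.95.76.244")],
        "www": [("CNAME", "websvr1.wibble.com")],
    },
}

def add_record(zone: str, owner: str, rtype: str, data: str) -> None:
    """Add a record, enforcing RFC 1034 s3.6.2: a CNAME owner holds no other data."""
    node = ZONES[zone].setdefault(owner, [])
    if node and (rtype == "CNAME" or node[0][0] == "CNAME"):
        raise ValueError(f"{owner}.{zone}: CNAME cannot coexist with other records")
    node.append((rtype, data))

def lookup(fqdn: str) -> List[Record]:
    """Find the zone that contains fqdn and return the records at that owner name."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in ZONES:
            return ZONES[zone].get(".".join(labels[:i]) or "@", [])
    return []

def resolve_a(fqdn: str, max_hops: int = 8) -> Optional[str]:
    """Return the IPv4 address for fqdn, chasing CNAMEs across zones (bounded to stop loops)."""
    for _ in range(max_hops):
        records = lookup(fqdn)
        targets = [d for t, d in records if t == "CNAME"]
        if targets:
            fqdn = targets[0]             # follow the alias, possibly into another zone
            continue
        return next((d for t, d in records if t == "A"), None)
    return None                           # CNAME chain too long or looped

if __name__ == "__main__":
    print(resolve_a("www.abcfish.com"))   # 67.95.76.244 via websvr1.wibble.com
```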

Author Comment

by:PWyatt1
ID: 17938913
Bingo!
Thanks for the help and the options.
You get a gold star :)