maderosia (United States of America) asked:
Remote site DNS setup with internal & external sites

More DNS problems. This is my third post in a week about DNS.

Corp:
- 3 DCs that are also DNS servers (zone transfers between them for some domains)
- 1 DNS server in the DMZ to host external DNS (100 domain zones, 1 for each location + some for corp)

53 remote sites:
- 1 DC that is DNS at each

Internal domain name xyz.com is Active Directory Integrated and on all DCs.
20 or so other names are set up on 3 DCs as primary\secondary.

Last night, I set up secondary DNS with our ISP, only changing the DMZ DNS. For some reason, because of my change, this morning about 20 locations were unable to connect to internal sites on domain abc.com. Here is what we did to fix it, but I am unsure if it is right. I went into the DNS console on each DC and added the DC from corp as the forwarding address where it was blank before. The sites would then resolve to the internal site. The idea was that the DNS server did not know site abc.com, so it asked the root servers and got no response, because the host records are set up internally and not externally. It appears to be working now, but I do not know if that is best practice.

The domain abc.com is our company website, but we use it as an Intranet site as well. Is it an OK setup to do this, or is it common? We are using it as an internal site and an external site. How do clients know whether to look outside or internal for this setup? test.abc.com should go internal, but abc.com is also an external website.

Is pointing all remote sites' DCs to forward to the DC at corp the best way to fix this, or is it best to make abc.com an Active Directory Integrated zone so that it propagates to all DCs? Really unsure of best practices. We only have the one Active Directory Integrated zone, which is our DCs' domain name that everything is a member of.

I am guessing that if you know DNS you will know what I am asking. I am new to DNS, so I am unsure if I am asking the right questions. I will post any questions asked by the Experts.

Netman66 (Canada):

If you put abc.com on any server, you become Authoritative for that domain and all queries for it will stop at your server - regardless of a hit or not.

I don't think you want ANY AD Namespace zones exposed to the DMZ - that's asking for trouble.

You can use Conditional Forwarding or Stub Zones (only on 2003 DNS) to send queries for certain domains to the correct DNS server. This is how it's normally done.

If you only have one site that is both internally and externally resolved then it may be best to use a HOSTS file so just that one site is picked up correctly without hosting the root domain name and therefore being locked into managing it all.
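To make the resolution order concrete, the Python model below (an added illustration, not code from either participant or from the Windows DNS service) walks a query through the chain described in the question: a remote-site DC, the corp DC and the public DNS. It implements the rule stated above, that a server hosting a zone answers from that zone or returns NXDOMAIN and never forwards the query on, and compares three remote-DC configurations: no forwarder, a general forwarder to corp, and a conditional forwarder for abc.com only. Every host name, address and zone record in it is constructed for the example; only the zone names xyz.com and abc.com come from the thread.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

NXDOMAIN = "NXDOMAIN"


def longest_match(qname: str, zones) -> Optional[str]:
    """Return the most specific zone (longest suffix) that contains qname, or None."""
    best = None
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


@dataclass
class DnsServer:
    """Minimal model of one DNS server's decision order (constructed, not a real resolver)."""
    name: str
    zones: dict = field(default_factory=dict)        # zone name -> {fqdn: address}
    conditional: dict = field(default_factory=dict)  # zone name -> server to forward to
    forwarder: Optional[DnsServer] = None            # general forwarder, if configured
    roots: Optional[DnsServer] = None                # stand-in for the public DNS tree

    def resolve(self, qname: str, trace: list) -> str:
        trace.append(self.name)
        zone = longest_match(qname, self.zones)
        if zone is not None:
            # Authoritative: answer from the zone or say NXDOMAIN. The query
            # stops here whether or not the record exists.
            return self.zones[zone].get(qname, NXDOMAIN)
        czone = longest_match(qname, self.conditional)
        if czone is not None:
            return self.conditional[czone].resolve(qname, trace)
        if self.forwarder is not None:
            return self.forwarder.resolve(qname, trace)
        if self.roots is not None:
            return self.roots.resolve(qname, trace)
        return NXDOMAIN


def build_lab(general_forwarder: bool, conditional_forwarder: bool) -> dict:
    """Constructed topology: public DNS, the corp DC and one remote-site DC."""
    public = DnsServer("public-dns", zones={"abc.com": {
        "abc.com": "203.0.113.10", "www.abc.com": "203.0.113.10",
        "mail.abc.com": "203.0.113.25", "test.abc.com": "203.0.113.20"}})
    corp = DnsServer("corp-dc", zones={
        "xyz.com": {"dc1.xyz.com": "10.0.0.10"},
        # Internal copy of abc.com: intranet names plus a copy of the web site records.
        "abc.com": {"my.abc.com": "10.0.1.20", "projects.abc.com": "10.0.1.21",
                    "abc.com": "203.0.113.10", "www.abc.com": "203.0.113.10"},
    }, forwarder=public)                              # corp forwards to the ISP
    remote = DnsServer("remote-dc",
                       zones={"xyz.com": {"dc1.xyz.com": "10.0.0.10"}},  # AD zone replica
                       roots=public)
    if general_forwarder:
        remote.forwarder = corp
    if conditional_forwarder:
        remote.conditional["abc.com"] = corp
    return {"public": public, "corp": corp, "remote": remote}


def query(server: DnsServer, qname: str) -> tuple[str, list]:
    """Resolve qname from server; return (answer, list of servers consulted)."""
    trace: list = []
    return server.resolve(qname, trace), trace


if __name__ == "__main__":
    cases = [(False, False, "remote DC with no forwarder (the morning outage)"),
             (True, False, "remote DC forwarding everything to corp"),
             (False, True, "remote DC with a conditional forwarder for abc.com")]
    for gf, cf, label in cases:
        lab = build_lab(gf, cf)
        print(label)
        for qname in ("my.abc.com", "mail.abc.com", "example.net"):
            answer, trace = query(lab["remote"], qname)
            print(f"  {qname:14} -> {answer:14} via {' > '.join(trace)}")
    # Closing the split-horizon gap: copy the external record into the internal zone.
    lab = build_lab(True, False)
    lab["corp"].zones["abc.com"]["mail.abc.com"] = "203.0.113.25"
    print("after adding mail.abc.com to corp's internal zone:",
          query(lab["remote"], "mail.abc.com"))
```

Running it shows the outage (with no forwarder, my.abc.com goes to the public servers, which have no such record, so the answer is NXDOMAIN), the side effect of the general forwarder (mail.abc.com now dies at the corp DC, because corp is authoritative for abc.com and its internal copy lacks that record, so every externally published abc.com record has to be duplicated into the internal zone), and the conditional-forwarder variant, where only abc.com queries go to corp and everything else still resolves through the remote DC's normal path.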

maderosia (asker):

Our internal domain is not listed in the DMZ. I realize that would be bad. The DMZ DNS hosts our external domain names only. We have one domain, abc.com, that we use internally for our Intranet for things like my.abc.com or projects.abc.com, and it is also a domain name used externally for our web site and other things like test.abc.com, mail.abc.com, or spam.abc.com. I didn't know if there were any problems in doing this, because before I added the corp DC as a forwarder on a remote DC, it resolved the external address and the internal. Also, I just wanted to make sure that my remote setup is correct, with every remote DC looking at itself and then forwarding to the corp DC if it cannot resolve. The corp DC will then forward to outside DNS servers if needed. The more I read, the more I am sure I am correct. Should abc.com be an Active Directory Integrated zone internally and a primary\secondary zone externally? The two should be completely separate if my thinking is correct.
I have inherited this problem and I have learned more about DNS in the last week than I have in the last 5 years. I want to make sure I am working towards the correct setup and not just patching a bad one.

Thanks
What is the AD Namespace for the Forest?

Is it the same as the publicly registered name?

No it is not. We own the domain name but it is not listed or hosted on any external DNS. The AD domain name is completely internal.
ASKER CERTIFIED SOLUTION
Netman66 (Canada)