  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2401

We have the same internal domain name as our external domain name; what changes in DNS do I need to make to allow this?

Hey Yall,

Ok have another issue....

We have the same internal domain name (abcdefg.com) as our external domain name (abcdefg.com). What changes would I need to make in DNS to allow internal users to access their external webpage (www.abcdefg.com)?

I'm a bit confused!

Thanks,

Nathan
Asked by: HannasIT

10 Solutions

A2the6th Commented:
I put an "A" record in our internal DNS: www, with the IP address of our webhosting company.

So if users want the internal web site they type domain.com into their address line

If they want the external site they type www.domain.com.

Cheers
0
 
MSE-dwells Commented:
The issue you're experiencing is quite common and is due to a DNS server's concept of authority.  When a name server receives a query for a name it cannot resolve itself, because no local zone is named suitably to house a possible answer, the name server uses the process of recursion (through forwarding, or by iterating through multiple queries beginning at the worldwide root servers) to arrive at an answer, cache it and send it on to the requesting client.  In the past, I imagine this worked fine since your public presence is likely housed outside of your intranet.  Since you've now created a zone with the same name as the public domain, your DNS server has claimed authority over that namespace and anything subordinate to it.  

In short, no automated solution is available in Windows for dealing with this scenario, it is simply a matter of manually adding (and keeping in step) all records from the public zone to the private zone.

As an FYI (though it would seem a little on the late side ;0) - naming your AD after your public presence is something most (including me) would recommend against doing.
0
 
HannasIT (Author) Commented:
A2the6th,

What do you mean put an "A" record in our internal DNS?

Thanks
0
 
MSE-dwells Commented:
He means adding a HOST record (A record) named www that points to your company's web site.
0
 
arrkerr1024 Commented:
One thing to point out - they'll always have to use the www in front of abcdefg.com.  You can't change the A record for just abcdefg.com to point to your web server because Active Directory needs it to point to AD servers.

That's why it's a bad idea to use a public domain for AD.  I always use abcdefg.local for Active Directory for this reason.

If you can (2k3 only), rename your AD.
0
 
MSE-dwells Commented:
Bear in mind that the ".local" suffix is also used by mDNS and, as such, should ideally be avoided due to the unknown potential for adoption of mDNS (that said, you'll note I've used it myself ... sadly, that was before the mDNS drafts proposed its usage, and renaming a domain is cumbersome at best, deadly at worst).
0
 
JohnDemerjian Commented:
MSE-dwells

You raise an interesting point "... naming your AD after your public presence is something most (including me) would recommend against doing."

Apart from a hacker knowing the internal DNS name, what harm can this really cause?  I've never really heard a convincing argument but am always willing to learn something new.

Cheers
0
 
MSE-dwells Commented:
It's exclusively related to any number of resulting name resolution headaches, some of which we've already discussed.  To my mind, security has no bearing ... it's simply a painful process to manage the almost daily occurrence of some kind of name resolution-related oddity or inability.

A more commonplace naming convention is the 'corp' prefix, i.e. corp.abcdef.com - this permits name resolution to function in the manner it was intended and allows us to glue the parent and child together should we choose to do so (not that I'm necessarily recommending that we create a delegation in the public zone to the subordinate AD namespace).
0
 
JohnDemerjian Commented:
MSE-dwells

Thanks for the reply.  So this is interesting, but I'm still not clear.  If internal machines use internal DNS to resolve internal names and unknown name requests are forwarded to the Internet, where do the name resolution headaches come into play?  I haven't managed a large DNS deployment, so I'm not doubting there can be problems, I'd just like to know once and for all what specifically these problems look like.  I've never gotten a specific.  

Honestly, the "headaches" above don't sound like headaches at all.  Adding a host record for "www" is pretty easy and is a one time thing.  Renaming the AD because you need to type www.abcdefg.com instead of abcdefg.com is (respectfully) making a mountain out of a mole hill.  Actually, you only really need to type "www" to reach your web site after the host record is added.  
0
 
MSE-dwells Commented:
Don't misunderstand me, it's certainly doable ... I've had to live with it myself ... but it isn't something I would ever design without a very strong motivator (for which I can think of none right now).

Q = How do you resolve your public presence?
A = We manually keep the two in step which can become painful depending upon complexity and volatility.  Delegation compounds that no end.

Q = If users normally browse to the web site using http://company.com, how can they do that now internally?
A = They can't, unless you deploy the public web site on every DC along with IIS.

Q = It's very rarely only a WWW record in larger orgs?  What about the MX records or delegations or CNAMEs that many companies utilize?

For the smaller organizations, I'd agree, tedious problems are tedious in a small way ... but the statement holds true for larger enterprises.

NOTE - I didn't suggest renaming, nor would I -

>> MSE-dwells: .. renaming a domain is cumbersome at best, deadly at worst ...
0
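The two mechanics discussed above (the internal server answering authoritatively for abcdefg.com instead of forwarding, and the need to copy every public record inward by hand except the apex A record that AD keeps pointed at the domain controllers) can be modelled in a few lines. The following is an added example, not code from the thread or from any Microsoft tool; the zone contents are constructed, and in practice the public set would be exported from the hosting provider and the internal set from the AD-integrated zone.

```python
"""Split-brain DNS drift check for a zone whose AD name equals its public name.

Added example with constructed data. It shows (1) why the internal server gives a
negative answer for www once it is authoritative, and (2) which public records
must be copied inward, which are stale, and which must never be copied because
Active Directory owns them.
"""
from dataclasses import dataclass

ZONE = "abcdefg.com"


@dataclass(frozen=True)
class Record:
    name: str    # owner name relative to the zone; "@" is the apex
    rtype: str   # A, AAAA, CNAME, MX, ...
    data: str


# Constructed sample: what the public (hosting provider) zone serves.
PUBLIC = {
    Record("@", "A", "203.0.113.10"),          # apex points at the web host
    Record("www", "A", "203.0.113.10"),
    Record("ftp", "CNAME", "www.abcdefg.com."),
    Record("@", "MX", "10 mail.abcdefg.com."),
    Record("mail", "A", "203.0.113.25"),
}

# Constructed sample: what the AD-integrated internal zone serves.
INTERNAL = {
    Record("@", "A", "10.0.0.5"),              # registered by the DCs; must stay
    Record("@", "A", "10.0.0.6"),
    Record("dc1", "A", "10.0.0.5"),
    Record("www", "A", "198.51.100.7"),        # left over from the previous web host
    Record("mail", "A", "203.0.113.25"),
}

# (owner, type) pairs that AD keeps pointed at domain controllers. Copying the
# public apex A record over these would break LDAP/Kerberos locator lookups.
AD_OWNED = {("@", "A"), ("@", "AAAA")}


def fqdn(name: str) -> str:
    """Expand a relative owner name to its fully qualified form."""
    return ZONE if name == "@" else f"{name}.{ZONE}"


def answer(zone: set, qname: str, rtype: str) -> list:
    """What an authoritative server answers from its own zone data.

    Because the server is authoritative for ZONE it never forwards a query
    under ZONE: a name absent from the zone gets an empty (negative) answer
    rather than the public value.
    """
    qname = qname.lower().rstrip(".")
    return sorted(r.data for r in zone
                  if fqdn(r.name).lower() == qname and r.rtype == rtype)


def _ordered(records) -> list:
    return sorted(records, key=lambda r: (r.name, r.rtype, r.data))


def drift(public: set, internal: set, ad_owned=AD_OWNED):
    """Compare the two copies of the zone.

    Returns three sorted lists:
      to_add    public records the internal zone lacks (copy them in),
      stale     internal records for a public (owner, type) that no longer match,
      conflicts public records that would overwrite AD-owned names (skip them).
    """
    to_add, stale, conflicts = [], [], []
    for r in public:
        if (r.name, r.rtype) in ad_owned:
            conflicts.append(r)
        elif r not in internal:
            to_add.append(r)
    public_keys = {(r.name, r.rtype) for r in public}
    for r in internal:
        key = (r.name, r.rtype)
        if key in public_keys and key not in ad_owned and r not in public:
            stale.append(r)
    return _ordered(to_add), _ordered(stale), _ordered(conflicts)


def reconcile(public: set, internal: set, ad_owned=AD_OWNED) -> set:
    """Internal zone after dropping stale copies and adding missing public records."""
    to_add, stale, _ = drift(public, internal, ad_owned)
    return (internal - set(stale)) | set(to_add)


if __name__ == "__main__":
    print("before:", answer(INTERNAL, "www.abcdefg.com", "A"))
    to_add, stale, conflicts = drift(PUBLIC, INTERNAL)
    print("add:", to_add)
    print("stale:", stale)
    print("AD-owned, do not copy:", conflicts)
    fixed = reconcile(PUBLIC, INTERNAL)
    print("after:", answer(fixed, "www.abcdefg.com", "A"),
          answer(fixed, "abcdefg.com", "A"))
```

Running the script against the constructed data reports www, ftp and the MX record as missing internally, flags the old www address as stale (A2the6th's "changed web host" gotcha), and lists the public apex A record as a conflict that must not be copied, which is exactly why the apex keeps resolving to the DCs after reconciliation while www starts resolving to the web host.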
 
JohnDemerjian Commented:
MSE-dwells

Good enough, I agree with your statements.  For a large organization with a hundred public names, administration would double at least.  In smaller organizations with www, ftp and maybe another, I feel the point is moot.  I know it was not you who suggested renaming the domain, that was just added for effect ;)  It's a good day when I gain clarity on anything at all...

Cheers
0
 
MSE-dwells Commented:
Nod, agreed with the smaller installs ... glad that helped.
0
 
A2the6th Commented:
Gents, this has been a fine discussion on DNS.  I agree with pretty much everything on here.  Given the option beforehand, one should never line up internal and external domain names.  Given a relatively simple 2003 AD rename.  

In instances when you have perhaps inherited a domain, or maybe migrated from NT 4.0 to 2k and didn't know any better at the time, or didn't plan to have a public presence, whatever the case may be, I would still suggest my host record (thanks for the clarification on my behalf, MSE) as a simple and direct solution.  The only gotcha for me has been that changing web hosts broke our external site for an hour until I remembered what I had done.  

Cheers
0