Active Directory/DNS and Domain Name

Posted on 2009-07-08
Last Modified: 2012-06-27
I have a network that is controlled by a Windows 2003 AD. The network domain was set up as somedomain.com. (somedomain.com is also our website address.) The AD servers are set external to our network. This means that our machine names are exposed to the internet. Yes, I know. Very dangerous, but the firewall blocks any traffic. The AD DNS contains records for computers on the network as well as our web sites we host. We are trying to correct this problem as well as a few others. I do have one question I am not sure of. Our AD domain is somedomain.com. When I type that into the web browser it doesn't resolve anywhere. (If I type www.somedomain.com it works fine.) When I do an NSLookup it returns all of our AD servers. I need this domain to point to our webserver/website. How do we resolve this even after we have split our DNS and set things up correctly?
0
Comment
Question by:ronayers
7 Comments
 
LVL 11

Accepted Solution

by:
willettmeister earned 400 total points
ID: 24805141
I don't think that you are going to be able to resolve somedomain.com on the web until you clean up DNS. The entries that are in DNS currently are required for proper AD functionality. If you modify them you will likely cause yourself problems. If you are planning on making a new domain and then migrating the existing machines to a new domain like somedomain.local, then you could eventually point somedomain.com to the webserver, but there is a lot of cleanup that is necessary first.
0
 
LVL 1

Assisted Solution

by:Wildone63
Wildone63 earned 400 total points
ID: 24805206
This can be quite confusing, but if you follow a few simple rules of thumb you should be OK.

First you would create the "Internal DNS" that will support your Active Directory. Your internal domain should be called something like somedomain.local. Then, on the same DNS server, create a second DNS zone for external addresses that you control, such as your web site, and set up forwarders for all other requests. The external domain will be somedomain.com. You need to configure your PCs that are internal to use the .local DNS suffix. So your DNS server will resolve all local addresses and forward external DNS requests to your ISP's DNS servers.

Hope this helps.
0
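The zone layout Wildone63 describes above (an AD-integrated somedomain.local zone, an internal copy of the public somedomain.com zone on the same server, forwarders for everything else), written out as dnscmd commands for a Windows Server 2003 DNS server. This is an added example, not part of the original thread or any poster's configuration. It assumes dnscmd is available (on Server 2003 it ships with the Support Tools) and uses constructed addresses from the documentation ranges: 203.0.113.10 for the web server and 198.51.100.53 for the ISP resolver; replace them with your own.

```batch
:: Added example of the split-DNS layout discussed in this thread.
:: Constructed values: 203.0.113.10 = web server, 198.51.100.53 = ISP resolver.

:: 1. Internal, AD-integrated zone. The domain controllers register their own
::    records here (including the zone apex), which is exactly why the apex of an
::    AD domain named somedomain.com cannot be pointed at a web server.
dnscmd /ZoneAdd somedomain.local /DsPrimary

:: 2. Internal copy of the public zone. Internal clients never see the public copy,
::    so every public name (www, mail, ...) must be duplicated in this zone.
::    The apex record is free here and can point at the web server. If the firewall
::    does not hairpin, use the web server's internal address instead.
dnscmd /ZoneAdd somedomain.com /Primary /file somedomain.com.dns
dnscmd /RecordAdd somedomain.com @   A 203.0.113.10
dnscmd /RecordAdd somedomain.com www A 203.0.113.10

:: 3. Do not let anyone pull a copy of the internal zones (they list internal hosts).
dnscmd /ZoneResetSecondaries somedomain.local /NoXfr
dnscmd /ZoneResetSecondaries somedomain.com   /NoXfr

:: 4. Forward everything this server is not authoritative for to the ISP resolvers
::    rather than recursing to the Internet root servers directly.
dnscmd /ResetForwarders 198.51.100.53 /TimeOut 5

:: 5. Clients get the .local suffix from DHCP (option 015, DNS Domain Name) or from
::    the TCP/IP advanced DNS settings; the public copy of somedomain.com lives on a
::    separate, non-DC server outside the network, as a later answer advises.

:: 6. Verification from an internal client: the apex now returns the web server,
::    and the domain controllers are found via the .local zone, not via somedomain.com.
nslookup somedomain.com
nslookup -type=SRV _ldap._tcp.dc._msdcs.somedomain.local
```

The internal copy of somedomain.com is the part that usually goes wrong later: any record added to the public zone (a new MX, a vendor's CNAME) has to be added to the internal copy by hand, or internal users will not resolve it while the rest of the world does.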
 
LVL 10

Assisted Solution

by:Alan_White
Alan_White earned 400 total points
ID: 24805222
I concur.
You are in a whole lot of trouble. I believe you would be best buying in some consultancy to get you back on track. If this was a test site, go ahead and try stuff, but don't mess with DNS in a live environment unless you are 100% sure what you are doing.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 400 total points
ID: 24805357
What you should probably do is create a new AD domain, either with somedomain.local or just newdomain.somedomain.com. See the debate on which one to use here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23446306.html
I personally prefer the second one as a new root domain. This means the "newdomain" is not a child domain of "somedomain.com". It is a completely separate domain from "somedomain.com" and it has and runs on its own DNS. Once that's set up, you can create a trust between "somedomain.com" and "newdomain.somedomain.com" and migrate all the internal servers from "somedomain.com" to "newdomain.somedomain.com", and leave the systems in somedomain.com such as the external web or DNS servers etc. Then for your internal domain "newdomain.somedomain.com", configure your DNS to forward unresolved queries to the external DNS in "somedomain.com". You can also eliminate the established trust or just leave a one-way trust from the external to the internal domain; this way you in the internal domain can access the external resources but not the other way around.
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 400 total points
ID: 24806723

> How do we resolve this even after we have split our DNS and set things up correctly?

For the rest of the world you'll be able to deal with that if you split the public DNS service out. I strongly advise you find somewhere to host it. In my opinion public DNS services have no place on Domain Controllers.

However, unless you rename the AD domain, or rebuild it entirely, you will not be able to use "http://domain.com" within your own network. AD must keep that name; it's essential to the operation of your domain.

I would also go with "newdomain.somedomain.com"; an example of that would be corp.contoso.com. But unless there's a desperate need to rebuild the domain, I would just have everyone inside use "www.somedomain.com" rather than make yourself a lot of work. Putting aside this limitation, there's no real reason you can't use "somedomain.com" for AD.

Chris
0
 
LVL 18

Expert Comment

by:Americom
ID: 24984732
I suggest points be split.
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 25018164
Americom,
can you post the comments you would recommend for the split in the form:
  http://#a<comment id>

thanks
0

Question has a verified solution.
