tfsaccount

asked on

Local website working outside but not in our network

Hello, we have a web server here. It works on my cell phone but does not work here in the network. What and where do I have to put a DNS record?
Thanks.
setasoujiro

On your local DNS server.
If this is a Windows server:
Administrative Tools --> DNS --> New Forward Lookup Zone --> Primary zone --> yourdomainname.com -->
then under this zone --> New "A" record --> FQDN: www.yourwebsite.com - IP of your server
and another one for "yoursite.com" - IP of server

And make sure internal clients use the internal DNS.
Rich Weissler

Making some assumptions here... (that your internal DNS server thinks it's authoritative for the domain in which the website resides, and from the point of view of the outside, it isn't.)

Assuming my assumptions are correct:

On your internal Windows 2003 DNS server, in the forward zone which the DNS server thinks it's authoritative for, add a static entry ('A record') for the web server name, pointed to the IP address of the website.
tfsaccount (ASKER)

After I choose new primary zone, do I choose the first, second or third option?
It works, but not right. When I made the Host (A) record for the FQDN it put my domain at the end of the string, so now the site works internally if we go to the whole FQDN, not just www.tfsi1.com.
Why is that?
Okay, I'll spell out other parts of my assumptions:
1. Internal clients are able to access other, external websites.
2. Your website is using a second-level domain that you are also using for your internal Windows domain... and the internal machines therefore believe that your DNS server is authoritative for the domain.  They aren't GOING outside to resolve the address... unlike your cell phone, because the cell phone doesn't use your Windows DNS server to resolve.

If those assumptions are true -- you don't need to create a new forward lookup zone.  Your internal clients aren't resolving the address correctly because you already have the zone that indicates it's authoritative.  You also don't want to make that zone disappear, because you are using it internally for your Windows domain.  In that case, ONLY create the new A record.
Yes, that is the case. Your assumptions are all right.
The only websites that internal users can't get to are ours. How do I make a record to point hrtraining.tfsi1.com to 172.17.7.69?

Also, the only other site they can not get to is our www.tfsi1.com, but it is not hosted here. Do I have to create a record for that too? As you can see, I tried from the image above but that didn't work.
How do I create a record for internal users to get to the www.tfsi1.com external IP address 12.40.84.40?
Okay... it looks like my previous assumptions were not valid.
If you do not have a separate forward lookup zone for tfsi1.com on your DNS servers... then that server does not believe it's authoritative.  Rather than attempt to determine how to get the local DNS server to resolve the address locally, maybe troubleshoot why that server isn't responding with the correct address?

Assuming this website was a recent change, let's ensure a bad address isn't in the cache.  In the DNS management console, select 'View', 'Advanced', and you should now see 'Cached Lookups'.  Drill down into that tree, and see if you can find the bad address.  You should be able to delete the entry directly from the cache that way... (without clearing all of the server cache.)
> How do i make a record to point hrtraining.tfsi1.com to 172.17.7.69

In the forward lookup zone for tfsi1.com, (at the very top of that part of the zone... not in one of the 'subdirectories') add an A record for hrtraining, with a value of 172.17.7.69.

What you have in the attached screen shots is a 'fsgdmn.local' zone.  If you put something under the root of that it would be 'something.fsgdmn.local'... if you put it in the com subdomain under that... it would be 'something.com.fsgdmn.local'... and if you put it in the tfsi1 subdomain you get what you have above.

Do you have a forward lookup zone for tfsi1.com that doesn't appear in the screen shot above?
No, I do not have a tfsi1.com forward lookup zone. Should I make one like setasoujiro first said?

Thank you again for sticking with me on this...
But I think it has to be a secondary zone, not primary.
Oh... one additional thing... which may confuse when you start hitting addresses from the browser.
In some cases... what you have above might work for workstations in your domain, but let me explain what may also be happening.

If your Windows domain is using fsgdmn.local as its domain... when you attempt to resolve an address... if Windows can't resolve... it will attempt to append your domain name to the address it is attempting to resolve.  So... if you type in www.tfsi1.com, and Windows isn't able to resolve... it may try www.tfsi1.com.fsgdmn.local... which it might be able to resolve.  I assume that is why you have an 'intranet' entry in there as well.

You can test this from your workstation... assuming 'intranet.tfsi1.com' works for you.  Visit that site from your workstation (which I assume will direct you to 172.17.7.229).  From the CMD prompt on that machine, type 'ipconfig /displaydns', and look for the address... which, under the record name, shows you the FQDN.
If you don't have a tfsi1.com forward lookup zone, and you aren't prepared to work with the folks who have the DNS server to do zone transfers to receive a secondary zone from them -- I would strongly advise against creating a new secondary zone just to add this address.  You will end up in a bad place as far as attempting to resolve correct addresses for that zone going forward.  (That is, unless you find the reason addresses in that domain aren't being resolved correctly, and it is for a very good reason...)
For hrtraining.tfsi1.com, which is an internal website we can't get to:
Browse to it via IP address (works).
Did an ipconfig /displaydns

for hrtraining.tfsi1.com
Name does not exist

OK, I won't create a secondary zone... but I still can't figure out how to get 172.17.7.69 to point to hrtraining.tfsi1.com (internal server).
Currently it is pointed to hrtraining.tfsi1.com.fsgdmn.local and that works for the site on the web server 172.17.7.69.

Is this set up wrong? How do I get the local domain out of here?
Just add an A record for that under the right zone in DNS.
ASKER CERTIFIED SOLUTION
setasoujiro
NOT under .local
@setasoujiro didn't Razmus just say they would strongly recommend not doing that?
Okay... one more thing to try before we get into tracing down where things are broken:

Within the DNS console, right click the server name, select Properties, and check the Forwarders tab.  Make certain you don't have a specific entry for the DNS domain tfsi1.com already.  And if there IS an entry, make certain it doesn't point to a broken DNS server.  (Well... I guess make certain it's there...)  But if it isn't... one sec, and we'll trace this down.
her *they
@setasoujiro -- _I_ can resolve hrtraining.tfsi1.com to 63.174.109.163.
If tfsaccount sets up a new zone for tfsi1.com... and isn't REALLY prepared to keep the entries up to date... he's asking for trouble down the line.
Why shouldn't he?
OK then....
What if hrtraining.tfsi1.com to 63.174.109.163 never changes?
Then please follow the things I said...
If you add the zone 'tfsi1.com'... and hrtraining never changes... then that address would work.
But if the administrator for the zone adds 'newfunctionwebsite'.tfsi1.com... you won't be able to resolve that address.
I'd encourage you to determine why tfsi1.com addresses aren't resolving... troubleshooting procedure next...
Here is what the Forwarders tab looks like. It only has our ISP DNS addresses in there.
The first entry is for Sprint's DNS... I assume you aren't otherwise having a resolution problem.

Rather than creating a new zone -- under Forwarders, try adding a new forwarder for tfsi1.com.
Under that entry, try the IP addresses 205.178.190.52 and 205.178.188.52.

Those are the NS for srsplus.com, which report that they ARE authoritative for the tfsi1.com domain.
I think I am having a resolution problem. Even some emails are not working, but that could be a whole different issue on its own.
So now hrtraining.tfsi1.com is working on the DNS server but not on my computer.
I did a flush DNS and still nothing.
It tells me it could not find host.
This is why I don't recommend creating zones without coordination, and having DNS servers report they are authoritative when they aren't.

The first entry on your DNS list is 206.228.179.10.
It reports:
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20693
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tfsi1.com. IN A
;; ANSWER SECTION:
www.tfsi1.com.       86400       IN       A 12.40.84.40      
;hrresources.tfsi1.com. IN MX
;; AUTHORITY SECTION:
tfsi1.com.       86400       IN       NS ns1-auth.sprintlink.net.      
tfsi1.com.       86400       IN       NS ns2-auth.sprintlink.net.      
tfsi1.com.       86400       IN       NS ns3-auth.sprintlink.net.

tfsi1.com.       86400       IN       MX 10 mail.global.frontbridge.com.
tfsi1.com.       7200       IN       SOA ns1-auth.sprintlink.net. dns-admin.sprint.net. 2004072301 43200 3600 2419200 7200

So -- it would seem to be saying that the sprintlink.net name servers are authoritative.
------
InterNIC reports:
   Domain Name: TFSI1.COM
   Registrar: TLDS, LLC DBA SRSPLUS
   Whois Server: whois.srsplus.com
   Referral URL: http://www.srsplus.com
   Name Server: NS1-HOSTS.SRSPLUS.COM
   Name Server: NS2-HOSTS.SRSPLUS.COM
(And be aware... the expiration on that domain is    Expiration Date: 29-may-2011 !!! Just a couple of weeks.)

-----
The SRSPLUS.COM name servers report:
;; ANSWER SECTION:
www.tfsi1.com.       3600       IN       A 65.162.244.77      
;; AUTHORITY SECTION:
tfsi1.com.       172800       IN       NS ns1-hosts.srsplus.com.      
tfsi1.com.       172800       IN       NS ns2-hosts.srsplus.com.
tfsi1.com.       3600       IN       SOA ns1-hosts.srsplus.com. hostmaster.srsplus.com. 1268676666 10800 3600 604800 86400
tfsi1.com.       3600       IN       MX 10 mail.global.sprint.com.
----

Once again... this is specifically why I don't recommend creating zones when you aren't really authoritative... it causes troubleshooting hell.

The 'quick fix' is to add the forwarder specifically for tfsi1.com as I recommended above.  If you are responsible for the domain, there may be some coordinating of cleanup...
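The mismatch the dig and whois output above reveals (a forwarder answering with the `aa` flag while the registrar delegates the zone to different name servers) can be checked mechanically. This is an added example, not code from the thread; its sample inputs are constructed from the output quoted above, and `check_delegation` returns a dict rather than printing so it can be reused in a script.

```python
import re

# Constructed sample, trimmed from the dig output quoted in the thread.
FORWARDER_DIG = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; ANSWER SECTION:
www.tfsi1.com.       86400       IN       A 12.40.84.40
;; AUTHORITY SECTION:
tfsi1.com.       86400       IN       NS ns1-auth.sprintlink.net.
tfsi1.com.       86400       IN       NS ns2-auth.sprintlink.net.
tfsi1.com.       86400       IN       NS ns3-auth.sprintlink.net.
"""

# Constructed sample: the registrar delegation as printed by whois.
REGISTRAR_WHOIS = """\
   Domain Name: TFSI1.COM
   Name Server: NS1-HOSTS.SRSPLUS.COM
   Name Server: NS2-HOSTS.SRSPLUS.COM
"""

# owner  TTL  IN  type  rdata  (one resource record per line)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Return (aa_flag, {rrtype: [rdata, ...]}) from dig-style output."""
    aa, records = False, {}
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = line.split("flags:")[1].split(";")[0].split()
            aa = "aa" in flags  # the server claims to be authoritative
            continue
        m = RR_RE.match(line.strip())
        if m:
            rdata = m.group(3).strip().lower().rstrip(".")
            records.setdefault(m.group(2), []).append(rdata)
    return aa, records

def parse_whois_ns(text):
    """Set of delegated name servers from 'Name Server:' whois lines."""
    return {l.split(":", 1)[1].strip().lower()
            for l in text.splitlines() if l.strip().startswith("Name Server:")}

def check_delegation(dig_text, whois_text):
    """Flag a resolver that answers with 'aa' set but whose NS set shares no
    server with the registrar delegation (the stale forwarder seen above)."""
    aa, records = parse_dig(dig_text)
    claimed = set(records.get("NS", []))
    delegated = parse_whois_ns(whois_text)
    return {"aa": aa, "claimed_ns": claimed, "delegated_ns": delegated,
            "stale_authority": aa and not (claimed & delegated)}
```

A `stale_authority` result of True is the signal to stop trusting that forwarder for the zone and, as suggested above, forward tfsi1.com queries to the delegated servers instead.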
I assume the ping screenshot is from the DNS server.  It's resolving hrtraining.tfsi1.com as hrtraining.tfsi1.com.fsgdmn.local.

(which srsplus says should be:
hrtraining.tfsi1.com.       3600       IN       A 63.174.109.163
And sprintnet reports it doesn't have an entry for... but it says it's authoritative.)
Right. The ping resolving the hrtraining.tfsi1.com.fsgdmn.local is from the DNS server.
But it's not doing that on my computer, and I have manually put in the DNS server address in my NIC card settings.
If it's not working from your workstation, it's not walking through your domain suffix.  (There is a specific term, that is escaping me at the moment.)

If your workstation is joined to the fsgdmn.local domain -- double check in your TCP/IP DNS settings that you have the option selected to append the parent suffixes.

But going back to: why your phone is able to resolve the address and folks inside your domain are not -- it's that first DNS server that your local DNS server uses as a forwarder.  Did you try putting in a separate forwarder specifically for tfsi1.com?
Not sure if this is the BEST way to fix this issue, but it did work after flushing the DNS on the server and computer.
This is what I did. Thank you guys for your help!
No prob, as I said this would be the easiest way, just remember to add/update information in DNS when you change things for that domain name.