

Windows 2003 DNS

Posted on 2011-10-03
Medium Priority
Last Modified: 2012-05-12
Hi folks, wondering if you can help me. OK, the layout:

Firstly, it's a split brain, as our domain name for our site is named the same as our Active Directory FQDN, i.e. web: domain.com, AD: domain.com (this was implemented before I joined, so not the best solution).

Internal DNS on Windows 2003, with external DNS servers outside the DMZ.
Windows 2003 internal: Active Directory integrated.
DNS external: just standard DNS servers in the DMZ.

The issue I am having is in relation to DNS for an externally hosted website, http://www.domain.com. On the internal only; external works fine...

We have A records for both http://www.domain.com and http://domain.com on both internal and external DNS servers.

However, when it comes to http://domain.com, the external server has an A record to resolve this and all works fine.

When it comes to the internal DNS servers, they have the same A record for http://domain.com as the external, but it doesn't resolve internally.

For some reason all the DC servers seem to have A records there also, and I am told this is a part of Active Directory integrated zones.

If I do an nslookup for domain.com I get the website address as I should from the A record, but for some reason I also get all the domain controllers listed under the nslookup.

And when I check the DNS records themselves I can see A records for the server name and, under them, one for each as parent folder. For example:

Server 1: A record and IP
Also as parent folder: A record and IP address (under the first A record)

Server 2: A record and IP
Also as parent folder: A record and IP address

Any ideas how I can fix the internal DNS lookup for this record? On 1 server in the internal network someone has IIS installed, with the WWW service, and when you go to http://domain.com it seems to only see this A record for this WWW server (I am getting another sysadmin to remove the WWW service from this internal server) and not the outside http://domain.com A record.

Any way to fix this? Or make it see the A record for http://domain.com?
I have tried removing the server A records, but they return, as they should.

Help :)
Question by: dark_jedi_ire
LVL 15

Expert Comment

ID: 36904524
If you have IIS installed on the domain controllers, try setting redirection to www.domain.com.

Author Comment

ID: 36905050
Thanks. Only 1 IIS server with WWW is currently installed; this is being removed and all will only be FTP.
Don't know if this will have any effect on the rogue DC A records I keep seeing. From tomorrow that will be the case anyway: 3 DCs with IIS only using FTP.

As this might work, and I will test it, I am really looking more for a DNS resolution for this issue or a DNS workaround to fix it.

But thanks; if all else fails, I might fall back on this.


Expert Comment

ID: 36905168
This is a classic issue with having your internal and external domains the same. Internally, domain.com must resolve to your domain controllers so that your domain member computers can find the domain when they boot, etc. Outside of renaming your internal domain (potentially VERY painful), the easiest way to work around this issue is to have your internal users go to www.domain.com when they want the organization's public website.

LVL 71

Expert Comment

by:Chris Dent
ID: 36905528
achaldave and lwalcher are right; nothing short of a domain rename will actually fix this. All you can do is work around it, as everyone has already described.


Expert Comment

ID: 36909802
A complete split, aka internal domain rename, would be the ultimate fix; however, there are some workarounds you can implement if a domain rename is out of the question.

Create additional internal DNS zones with extension .INT or .INTRANET to direct web-based services rendered by internal servers, and for external services create a zone with extension .EXT or .INTERNET; then your internal users can use these zones to address any particular internal or external network services. (DO NOT create these zones on your public DNS servers.)
www.domain.int or www.domain.intranet for internal website(s)
and www.domain.ext or www.domain.internet for external website(s)

Your internal users can now flip between the intranet or public websites with an easy URL change.

Author Comment

ID: 36909893

Thanks, but this is only an externally hosted website, and basically we have A records for both www.domain.com and http://domain.com internally and on the external DNS servers. Outside our internal network all works perfectly; only on our internal network do we have problems with http://domain.com.

The internal users flipping is not possible, and we have no intranet. This is just our company site, hosted externally.


Accepted Solution

lwalcher earned 2000 total points
ID: 36913657
Here is the setup for IIS required on each and every domain controller if you want to go that route:

From http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx

"As for resolving the domain name with http://domain.com/ (without the www in front of it), is a little more complex. Normally if you are not using Active Directory internally, you would simply create a new Host record (as in step#1), but without typing anything in for the hostname, and simply type in the IP address. This is called a blank domain name, which allows the name to resolve without the 'www' in front of it. However, if you are using Active Directory, this 'blank' domain name is actually used by the domain controllers in the domain. It's a unique record that each domain controller registers into DNS with an IP address, without a hostname, which appears under your internal zone name as:

(same as parent)   A   x.x.x.x

"This record that the DCs register, is actually called the "LdapIpAddress." Each DC registers one for itself. AD uses these records for a number of things, such as DC to DC replication, Sysvol replication, GPOs and DFS. Don't mess with it please or expect problems. The DCs will re-register this record anyway if you delete it and thwart your attempt. If you create a blank record for your website, it will get cause problems with AD.

"To get around that, you can use a workaround. The workaround is, on EACH DC, install IIS. Then open Internet Information Services console. In the default website properties, Directory tab, select redirect, and redirect it to http://www.domain.com/. This way when any one of your users type in http//domain.com, it will resolve to the www record you've created in Step#1 or #2 above. But this procedure must be performed on each DC."
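
A check for the workaround above, added here and not part of the thread or the linked article: it models one DC's default site (redirecting, or left unconfigured) with a local stand-in, then probes each address for the expected Location header, which is how you would confirm the redirect really is in place on every DC. domain.com and www.domain.com are the thread's placeholder names; in practice you would feed audit() every address an internal nslookup of the apex returns.

```python
import http.server
import threading
import urllib.error
import urllib.request

# domain.com / www.domain.com are the thread's placeholder names (assumption).
WWW_TARGET = "http://www.domain.com/"   # where every DC's default site must send browsers

def make_handler(redirect_to):
    """Local stand-in for one DC's web service; redirect_to=None models a DC
    whose default site was never configured."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if redirect_to:
                self.send_response(302)
                self.send_header("Location", redirect_to)
            else:
                self.send_response(200)   # serves content instead of redirecting
            self.end_headers()
        def log_message(self, *args):     # silence request logging
            pass
    return Handler

def start_stub(redirect_to=WWW_TARGET):
    """Start a stub on a free loopback port and return that port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), make_handler(redirect_to))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of following it."""
    def redirect_request(self, *args, **kwargs):
        return None

def probe(host, port, timeout=2.0):
    """Return the Location header the endpoint redirects to, or None."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        opener.open(f"http://{host}:{port}/", timeout=timeout)
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None
    except OSError:                       # refused, timed out, unreachable
        return None
    return None                           # 2xx: content, not a redirect

def audit(endpoints):
    """endpoints: (host, port) for every address an internal lookup of the apex
    returns. False for any entry means that DC breaks http://domain.com."""
    return {f"{h}:{p}": probe(h, p) == WWW_TARGET for h, p in endpoints}
```

Any DC reported False is one that clients round-robined onto the apex will hit and get a blank or wrong page from, which is exactly the intermittent failure the per-DC requirement exists to prevent.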


Expert Comment

ID: 36923820

The solution from lwalcher can work; however, I feel obliged to state categorically that IIS on a DC is never a good idea.

AD security is always a concern: not only will it increase your support burden and the attack surface on your DCs for exploits on these crucial domain systems within your network; it also impacts your AD/IIS performance, since these servers do have heavy workloads or can be taxed heavily depending on their design.
This can also break things or have some unintended negative results compromising your infrastructure.

Personally I would totally refrain from doing this, so be very, very cautious if you do decide to implement this.

For review/further reading...

Expert Comment

ID: 36924261
Agreed! BTS-Techie is on the money as far as the security risks involved. This is definitely NOT a recommended "solution" that I would feel comfortable with either. The link I sent calls it a workaround, and a better solution would be to just have your internal folks type the "www" in front of the domain "when they want the World Wide Web site" (as opposed to "the Intranet site" or other internal resources) for the organization.

Author Comment

ID: 36924360
Thanks guys, I am well aware of the security risks of this; I spent 5 years as an IIS web server admin for an ISP :) I have locked it down to our internal LAN IP range and the usual IIS Lockdown Tool and URLScan etc. As this came from head management, they wanted to have this working and I have to do it.


Expert Comment

ID: 36931023
No problem... I know the pressure when management usurps the tech decisions without proper consultation.

Your AD would stay at higher risk for as long as this is done, and believe me that management will conveniently forget about this decision when AD crashes around them.

If they remain adamant, do the better of a bad choice and install a standalone web service like Tomcat or TinyWeb or any other web service to do a simple redirection of port 80 traffic that would reach your DCs.
IIS' requirement of using local accounts, which are disabled/removed on DCs, would then be a non-issue, since these web services provide built-in account management by themselves.

Author Comment

ID: 36932320
Do you mean install a web service on any other machine except the DC? i.e. have a 2008 server built standalone with a web service only running locally? This then would reroute the traffic with the www redirect. Or remove IIS from the DC and use Tomcat etc. instead?

I have space on an ESXi host; I can build a 2008 member server and install IIS 7 and do it that way...

Thanks guys. Really appreciate all this :)


Expert Comment

ID: 36948867
Remove IIS from the DC and use Tomcat etc. instead on the DC as the provider of web services.

To get http://domain.com to work, a web service on all the domain controllers is required.
LVL 15

Expert Comment

ID: 36949387
If you have your DCs properly secured and not accessible from outside your network, I don't think there will be any problem using IIS on DCs, and there will not be a performance impact on the DC, as IIS is only going to do redirection. The other option is to work with network engineers and configure the router/firewall to redirect port 80 requests sent to DCs to the web server.

Expert Comment

ID: 36949537

That is not the real issue here; see my previous comment at 10/06/11 05:02 AM.

IIS and AD are not designed to co-exist on the same server system; they each use two opposing account architectures.

If you use a 3rd-party product like Tomcat to provide web services and NOT IIS, then you can negate that constraint and provide a web service on port 80 and place a URL redirect page on Tomcat to access your external company website.

>>>The other option is to work with network engineers and configure router/firewall to redirect port 80 requests sent to DCs to web server.
For this option to work you will need to install a firewall between each DC and its internal network NIC to allow redirection of port 80 traffic before it gets to your DC's NIC.
LVL 15

Expert Comment

ID: 36950462
Yes, IIS and AD are not designed to co-exist, but they still can. IIS is preferred in this situation as it is a built-in feature on the server, and since no .NET or anonymous account is needed for just redirecting the default website to a different URL, I think it is a better choice over installing a third-party application on a domain controller, which needs to be maintained with security updates separately from Windows Update.
