Windows 2003 DNS

Hi folks, wondering if you can help me. OK, the layout:

Firstly, it's a split brain, as our domain name for our site is named the same as our Active Directory FQDN, i.e. web: AD: (this was implemented before I joined, so not the best solution).

Internal DNS on Windows 2003, with external DNS servers outside the DMZ.
Windows 2003 internal: Active Directory integrated.
DNS external: just standard DNS servers in the DMZ.

The issue I am having is in relation to DNS for an externally hosted website, on the internal side only; external works fine...

We have A records for both and
on both internal and external DNS servers.

However, when it comes to the external server, it has an A record to resolve this and all works fine.

When it comes to the internal DNS servers, they have the same A record for as the external, but it doesn't resolve internally.

For some reason all the DC servers seem to have A records there also, and I am told this is a part of Active Directory integrated zones.

If I do an nslookup for I get the website address as I should from the A record, but for some reason I also get all the domain controllers listed under the nslookup.

And when I check the DNS records themselves I can see A records for the server name and one for each under them for the parent folder.
For example:
Server 1 A record and IP

Also as parent folder A record and IP address (under the first A record)
Server 2 A record and IP

Also as parent folder A record and IP address

Any ideas how I can fix the internal DNS lookup for this record? One server in the internal network has IIS installed on it, with the WWW service, and when you go to it seems to only see this A record for this WWW server (I am getting another sysadmin to remove the WWW service from this internal server) and not the outside A record.

Any way to fix this? Or make it see the A record for
I have tried removing the server A records, but they return, as they should.

Help :)

If you have IIS installed on the domain controllers, try setting redirection to
dark_jedi_ire (Author) commented:
Thanks. Only 1 IIS server with WWW currently installed; this is being removed and all will only be FTP.
Don't know if this will have any effect on the rogue DC A records I keep seeing. From tomorrow that will be the case anyway: 3 DCs with IIS only using FTP.

As this might work, and I will test it, I am really looking more for a DNS resolution for this issue or a DNS workaround to fix it.

But thanks; if all else fails, I might fall back on this.

This is a classic issue with having your internal and external domains the same. Internally, must resolve to your domain controllers so that your domain member computers can find the domain when they boot, etc. Outside of renaming your internal domain (potentially VERY painful), the easiest way to work around this issue is to have your internal users go to when they want the organization's public website.

Chris Dent (PowerShell Developer) commented:
achaldave and lwalcher are right; nothing short of a domain rename will actually fix this. All you can do is work around it, as everyone has already described.

A complete split, aka internal domain rename, would be the ultimate fix; however, there are some workarounds you can implement if a domain rename is out of the question.

Create additional internal DNS zones with extension .INT or .INTRANET to direct web-based services rendered by internal servers, and for external services create a zone with extension .EXT or .INTERNET; then your internal users can use these zones to address any particular internal or external network services. (DO NOT create these zones on your public DNS servers.)
e.g. or www.domain.intranet for internal website(s)
and www.domain.ext or www.domain.internet for external website(s)

Your internal users can now flip between the intranet or public websites with an easy URL change.
dark_jedi_ire (Author) commented:

Thanks, but this is only an externally hosted website, and basically we have A records for both and http:/ on internal and on external DNS servers. Outside our internal network all works perfectly; only on our internal network do we have problems with

The internal users flipping is not possible, and we have no intranet. This is just our company site, hosted externally.

Here is the setup for IIS required on each and every domain controller if you want to go that route:


"As for resolving the domain name with (without the www in front of it), that is a little more complex. Normally, if you are not using Active Directory internally, you would simply create a new Host record (as in step #1), but without typing anything in for the hostname, and simply type in the IP address. This is called a blank domain name, which allows the name to resolve without the 'www' in front of it. However, if you are using Active Directory, this 'blank' domain name is actually used by the domain controllers in the domain. It's a unique record that each domain controller registers into DNS with an IP address, without a hostname, which appears under your internal zone name as:

(same as parent)   A   x.x.x.x

"This record that the DCs register is actually called the "LdapIpAddress." Each DC registers one for itself. AD uses these records for a number of things, such as DC-to-DC replication, Sysvol replication, GPOs and DFS. Don't mess with it please, or expect problems. The DCs will re-register this record anyway if you delete it and thwart your attempt. If you create a blank record for your website, it will cause problems with AD.

"To get around that, you can use a workaround. The workaround is, on EACH DC, install IIS. Then open the Internet Information Services console. In the default website properties, Directory tab, select redirect, and redirect it to This way, when any one of your users types in http//, it will resolve to the www record you've created in Step #1 or #2 above. But this procedure must be performed on each DC."
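The asker sees the website's address and every domain controller come back for a bare-domain lookup, and the quoted text explains why: each DC registers a "(same as parent)" LdapIpAddress A record at the zone apex. The script below is an added example, not from the thread or from Microsoft; it takes a constructed dump of an AD-integrated zone (hypothetical zone, RFC 1918 addresses for DCs, a TEST-NET-3 address for the hosted site, and "@" standing for "(same as parent)") and separates the apex records that belong to the website from the ones AD owns, so an admin can tell which entries deleting will not fix and whether "www" already lands on the public host.

```python
"""Classify apex ("same as parent") A records in a split-brain AD zone.

Added example; the zone contents are constructed, not real data.
"""
from collections import defaultdict

# Constructed sample zone dump in 'name  type  address' form.
# 10.0.0.x are domain controllers; 203.0.113.10 is the externally
# hosted website. '@' represents the '(same as parent)' entries.
SAMPLE_ZONE = """\
@       A   203.0.113.10
@       A   10.0.0.11
@       A   10.0.0.12
@       A   10.0.0.13
www     A   203.0.113.10
dc1     A   10.0.0.11
dc2     A   10.0.0.12
dc3     A   10.0.0.13
ftp     A   203.0.113.11
"""


def parse_zone(text):
    """Return {name: [address, ...]} for the A records in a simple zone dump."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "A":
            continue  # skip blank lines and non-A records
        name, _, address = parts
        records[name.lower()].append(address)
    return dict(records)


def classify_apex(records, dc_hosts):
    """Split the apex A records into website records and DC LdapIpAddress records.

    dc_hosts: hostnames of the domain controllers, e.g. ['dc1', 'dc2'].
    Any apex address that matches a DC's own host record is the record
    AD registers for that DC; it will be re-registered if deleted.
    Returns (web_addresses, dc_addresses), each in zone order.
    """
    dc_addresses = {a for h in dc_hosts for a in records.get(h.lower(), [])}
    apex = records.get("@", [])
    web = [a for a in apex if a not in dc_addresses]
    dcs = [a for a in apex if a in dc_addresses]
    return web, dcs


def www_matches_web(records, web_addresses):
    """True when 'www' resolves only to the non-DC apex addresses, i.e. the
    'tell users to type www' workaround really lands on the public site."""
    www = set(records.get("www", []))
    return bool(www) and www <= set(web_addresses)


def report(text, dc_hosts):
    """Human-readable findings for the zone; returned as a list of lines."""
    records = parse_zone(text)
    web, dcs = classify_apex(records, dc_hosts)
    lines = [f"apex -> {a}: website record" for a in web]
    lines += [f"apex -> {a}: LdapIpAddress of a DC (AD re-registers it; leave it)"
              for a in dcs]
    if dcs:
        lines.append("bare domain name resolves to DCs internally; "
                     "users must use www, or each DC must redirect port 80")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ZONE, ["dc1", "dc2", "dc3"]):
        print(line)
```

On a real server the input would come from a zone export (for example the output of `dnscmd /zoneexport`), but the classification logic is the same: anything at the apex that coincides with a DC's own A record is AD's, and only the remaining apex entries are the website's.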



The solution from lwalcher can work; however, I feel obliged to state categorically that IIS on a DC is never a good idea.

AD security is always a concern: not only will it increase your support and attack surface on your DCs for exploits on these crucial domain systems within your network, it also impacts your AD/IIS performance, since these servers do have heavy workloads or can be taxed heavily depending on their design.
This can also break, or have some unintended negative results, compromising your infrastructure.

Personally I would totally refrain from doing this, so be very, very cautious if you do decide to implement this.

For review/further reading: ;en-us;308160
Agreed! BTS-Techie is on the money as far as the security risks involved. This is definitely NOT a recommended "solution" that I would feel comfortable with either. The link I sent calls it a workaround, and a better solution would be to just have your internal folks type the "www" in front of the domain "when they want the World Wide Web site" (as opposed to "the Intranet site" or other internal resources) for the organization.
dark_jedi_ire (Author) commented:
Thanks guys, I am well aware of the security risks of this; I spent 5 years as an IIS web server admin for an ISP. :) I have locked it down to our internal LAN IP range and the usual IIS Lockdown tool and URLScan, etc. As this came from head management, they wanted to have this working and I have to do it.

No problem... I know the pressure when management usurps the tech decisions without proper consultation.

Your AD would stay at higher risk for as long as this is done, and believe me, management will conveniently forget about this decision when AD crashes around them.

If they remain adamant, do the better of a bad choice and install a standalone web service like Tomcat or TinyWeb or any other web service to do a simple redirection of port 80 traffic that would reach your DCs.
IIS's requirement of using local accounts, which are disabled/removed on DCs, would then be a non-issue, since these web services provide built-in account management by themselves.
dark_jedi_ire (Author) commented:
Do you mean install a web service on any other machine except the DC? i.e. have a standalone 2008 server build with a web service only running locally? This then would reroute the traffic with the www redirect. Or remove IIS from the DC and use Tomcat etc. instead?

I have space on an ESXi host; I can build a 2008 member server and install IIS 7 and do it that way...

Thanks guys. Really appreciate all this :)

Remove IIS from the DC and use Tomcat etc instead on the DC as the provider of web services.

To get the to work, a web service on all the domain controllers is required.
If you have your DCs properly secured and not accessible from outside your network, I don't think there will be any problem using IIS on DCs, and there will not be a performance impact on the DC, as IIS is only going to do redirection. The other option is to work with network engineers and configure the router/firewall to redirect port 80 requests sent to DCs to the web server.

That is not the real issue here; see my previous comment at 10/06/11 05:02 AM.

IIS and AD are not designed to co-exist on the same server system; they each use two opposing account architectures.

If you use a 3rd-party product like Tomcat to provide web services and NOT IIS, then you can negate that constraint and provide a web service on port 80 and place a URL redirect page on Tomcat to access your external company website.

>>>The other option is to work with network engineers and configure router/firewall to redirect port 80 requests sent to DCs to web server.
For this option to work you will need to install a firewall between each DC and its internal network NIC to allow redirection of port 80 traffic before it gets to your DC's NIC.
Yes, IIS and AD are not designed to co-exist, but they still can. IIS is preferred in this situation as it is a built-in feature on the server, and since no .NET or anonymous account is needed for just redirecting the default website to a different URL, I think it is a better choice over installing a third-party application on a domain controller which needs to be maintained with security updates separately from Windows Update.