Active Directory DNS: single entry for external domain?

Posted on 2011-10-05
Last Modified: 2012-05-12
Sorry for the convoluted title.

I have the following situation:

A web server that lives in our company intranet has an address in a private range in the domain mycorp.localdomain. Certain license restrictions prevent us from changing this address. Port 443 is made public using port-forwarding over a public address on our gateway. So far so good.

Externally, we use a hosted Linux server with Bind9 as the authoritative name server for the mycorp.com domain. This server resolves our web server fqdn to the external, public address, so:

superwebsite.mycorp.com -> (apologies to google)

Internally, we use a W2k3 Active Directory server as a DNS server. This server is authoritative for our intranet domain and resolves the internal fqdn of our server to the private address, so:

superwebsite.mycorp.localdomain ->

We have recently purchased a commercial SSL certificate for superwebsite.mycorp.com, so we need our internal AD Server to resolve the public fqdn to the private address, so:

superwebsite.mycorp.com ->

We also would like to serve Subversion repositories from this server, so it is important that the external URL be the same as the internal, otherwise developers will have trouble with their workspaces...

How can I tell Active Directory to resolve this one specific fqdn to the private address? Obviously I can't create the zone superwebsite.mycorp.com inside the intranet: this would cause the AD DNS server to consider itself authoritative and ignore the real authoritative server outside of the intranet.

Question by:alpha-lemming

Expert Comment

ID: 36920789
I would do what you suggested: create a zone on your Windows DNS server. It means managing the same zone twice; depending on numbers, though, you could create an entry in the users' hosts files.

Accepted Solution

Bruno PACI earned 2000 total points
ID: 36923941

What you can do to solve your problem is:

1) On your internal DNS server create a new DNS zone named "superwebsite.mycorp.com" (a DNS zone with the full fqdn of the web server). Like that, your DNS server is authoritative for the zone "superwebsite.mycorp.com" but not for "mycorp.com".
2) In the new DNS zone create a DNS A record with no name, pointing to the internal IP address of the web server. A DNS record with no name will be shown in the list as "same as parent", meaning that requests to "superwebsite.mycorp.com" will be resolved as a host name.
3) You may also have to configure IE exclusions depending on how your internal clients reach the internet. If they are configured to use a proxy server then DNS resolution is not made by the internet browser but is done by the proxy server. So if you want your internal users to reach the extranet web server on the internal IP address and resolve the name using the new DNS zone on the internal DNS server, you must make things so that internet browsers don't use the proxy for this URL. You can do that by adding the "superwebsite.mycorp.com" name to the IE proxy exclusions.

Have a good day.

Expert Comment

ID: 36930187
Hi alpha-lemming,

You have two viable options, as touched upon by the guys above:

Hosts file entries to override DNS.
You can add the entry to the hosts file on internal clients so they are forced to use the internal address for the external FQDN.
This depends on how many clients you have, as it could be a pain. It's also a bit of a naughty solution, but it is perfectly valid.

New zone.
Your existing DNS server can host the external DNS zone without a problem. It does mean you'll have to manually store entries for anything your clients may access from inside, but it works fine in many systems.
If you have a lot of DNS entries this may be a bit more admin than you'd like, but it is otherwise the safest option.
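The single-host zone described in the accepted solution (steps 1 and 2) and again in the "new zone" option above, written out as an added example that is not part of this thread. It uses the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); the thread is about W2k3, so the equivalent dnscmd commands are given in comments. The zone name comes from the thread; the internal IP and the DNS server name are constructed placeholders.

```powershell
# Added example, not from the original thread.
# Requires the DnsServer module (Server 2012+ / RSAT); dnscmd equivalents in comments.

$PublicFqdn = 'superwebsite.mycorp.com'    # name from the thread
$InternalIp = '10.0.0.25'                   # constructed RFC 1918 placeholder, not from the thread
$DnsServer  = 'dc01.mycorp.localdomain'     # hypothetical internal AD DNS server

# Step 1: a zone whose name is the full host FQDN. The server becomes
# authoritative for exactly that label, not for mycorp.com, so every other
# mycorp.com name still resolves through the external authoritative server.
Add-DnsServerPrimaryZone -Name $PublicFqdn -ReplicationScope 'Domain' -ComputerName $DnsServer
# dnscmd equivalent:  dnscmd $DnsServer /ZoneAdd $PublicFqdn /DsPrimary

# Step 2: an A record at the zone apex. "@" is the empty-name record that the
# DNS console lists as "(same as parent folder)".
Add-DnsServerResourceRecordA -ZoneName $PublicFqdn -Name '@' -IPv4Address $InternalIp -ComputerName $DnsServer
# dnscmd equivalent:  dnscmd $DnsServer /RecordAdd $PublicFqdn @ A $InternalIp

# Check 1: the pinned host now answers with the private address internally.
Resolve-DnsName -Name $PublicFqdn -Server $DnsServer -Type A

# Check 2: a sibling name in mycorp.com must still come from the external
# authority; if this fails, the zone was created at the wrong level.
Resolve-DnsName -Name 'www.mycorp.com' -Server $DnsServer -Type A

# The hosts-file alternative from the other comments is a single line per client:
#   10.0.0.25  superwebsite.mycorp.com
# (same constructed address; on Windows the file is %SystemRoot%\System32\drivers\etc\hosts)
```

One caveat worth knowing before choosing this route: because the internal server is now authoritative for the label superwebsite.mycorp.com, any name beneath it (for example a future child label under that host name) would be answered by the internal server rather than forwarded out, so only the exact host should ever be expected to resolve through this zone.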
