Solved

Can't access our external web site from 1 of our locations

Posted on 2013-01-14
Last Modified: 2013-01-15
We have 3 separate locations not linked in any way.  From our LA office we were unable to access our own web site: spcala.com and secure.spcala.com.  The IP address for both is 208.94.246.30.  
I had a DNS support person help me figure out why.  We never did figure out why, but he did solve the issue.  
He added a Host (A) record for both entries to the DNS server.  After that we could access the sites.  
The difference in DNS between the 3 locations is in the attachment.  I don't know why LA has the two additional forward lookup zones.  They were created by a company I fired.

Any ideas what is wrong?
DNS-LA.jpg
Question by:jrsitman
 
LVL 7

Accepted Solution

by:
JohnThePro earned 500 total points
ID: 38776486
Are you hosting the website or ANYTHING related to those domain names on that server?

If you are 100% COMPLETELY POSITIVE, then you can delete those zones.

I can't tell you why they created them, but I can tell you what they're there for.

When you create a forward lookup zone in a Windows DNS Server, it will, by default, act 'authoritative' for that zone. What this means is that server will act as the primary DNS server for that zone. If the IP addresses/DNS records for that zone are obsolete, you'll see problems like what you've experienced.

In general, you should only have zones defined that you are actually operating services on.

If you need more detail or explanation, let me know and I'll be happy to break it down further for you.
 
LVL 7

Expert Comment

by:JohnThePro
ID: 38776501
I also noticed, looking at a few of your entries, that you have exchange and owa defined. It also appears as though those IP addresses are internal to your network, is that correct?

If so, the reason that those zones exist is so that name resolution for exchange.spcala.com works inside your network. Normally for a split-DNS network like you have (I can tell by the .corp) the Exchange server is configured to use its internal DNS name when a client connects to it.

External resolution names should be defined outside of a network (usually through a domain provider like GoDaddy) - and the appropriate firewall holes should be opened to route those services securely into your network.

Just something else I noticed. :)
 

Author Comment

by:jrsitman
ID: 38776609
I do recall something about them trying to access the owa from within.  I'll make a screen shot of the two zones and delete them.  Then I can add them back if necessary.  Sound ok?
 
LVL 7

Expert Comment

by:JohnThePro
ID: 38776610
Sounds good. Just be prepared to hear users complain about their Outlook losing connection to Exchange! :)

If something does break, we can definitely put the zones back in and fix the issue for the time being, but we're going to want to make a plan about how you can resolve your DNS routing issues permanently.
 

Author Comment

by:jrsitman
ID: 38776618
Now I'm concerned.  Does one of those zones give us access to our internal Exchange server?  If it's internal why would we need this?
 

Author Comment

by:jrsitman
ID: 38776976
What I'm asking is why would we need the other zones?
 
LVL 7

Assisted Solution

by:JohnThePro
JohnThePro earned 500 total points
ID: 38777103
Okay, as simply as I can put it...

You don't need the other zones. That's not necessary for your configuration, had it been set up correctly. Your internal users should be accessing the Exchange server with its internal name *.corp. I can't tell you whether or not this is how your environment is set up. The reason I warned you is because if they're using the external name internally as it appears they might be, you might experience an interruption to your users.

The only reason you would need those external *.com zones defined is if your DNS servers were acting authoritatively for those zones (i.e. - your DNS servers were acting as the primary resolving servers for that zone for the entire internet) OR if you were doing some kind of DNS spoofing for your internal users (making records resolve for users internally while appearing as though it is internet traffic by its name - most users don't know the difference).
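
Added example (not from the thread or any poster): a small Python model of the behaviour described in the answers above, where a DNS server that hosts a zone answers authoritatively and never forwards names missing from it. The single spcala.com zone layout and the 10.0.0.25 addresses are constructed assumptions; only 208.94.246.30 comes from the question.

```python
# Constructed model of a DNS server that hosts a zone it should not own.
# Zone contents and internal IPs are sample data, not the poster's records.

PUBLIC_DNS = {  # what the internet's authoritative servers return (from the question)
    "spcala.com": "208.94.246.30",
    "secure.spcala.com": "208.94.246.30",
}

def make_la_zones():
    """LA server: a local spcala.com zone holding only internal mail records."""
    return {"spcala.com": {"exchange.spcala.com": "10.0.0.25",   # constructed IP
                           "owa.spcala.com": "10.0.0.25"}}       # constructed IP

def resolve(name, local_zones, public=PUBLIC_DNS):
    """Return (answer, source). A locally hosted zone is authoritative, so a
    name missing from it gets NXDOMAIN and is never forwarded upstream."""
    labels = name.lower().rstrip(".").split(".")
    fqdn = ".".join(labels)
    # Longest-suffix match: find the most specific local zone covering the name.
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in local_zones:
            ip = local_zones[zone].get(fqdn)
            if ip:
                return (ip, "local zone " + zone)
            return (None, "NXDOMAIN from local zone " + zone)
    ip = public.get(fqdn)
    return (ip, "forwarded") if ip else (None, "NXDOMAIN upstream")

def audit(local_zones, public=PUBLIC_DNS):
    """List public names that a local zone hides or answers differently."""
    findings = []
    for name, public_ip in sorted(public.items()):
        ip, source = resolve(name, local_zones)
        if source != "forwarded" and ip != public_ip:
            findings.append((name, ip, public_ip, source))
    return findings

if __name__ == "__main__":
    print("before:", audit(make_la_zones()))
    # Fix 1 (the DNS support person's): add A records to the local zone.
    patched = make_la_zones()
    patched["spcala.com"].update(PUBLIC_DNS)
    print("A records added:", audit(patched))
    # Fix 2 (the accepted answer's): delete the zone so queries are forwarded.
    print("zone deleted:", audit({}), resolve("exchange.spcala.com", {}))
```

In this model, deleting the zone also makes exchange.spcala.com stop resolving, which is the Outlook interruption the expert warned about if clients use the external name internally.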
 

Author Comment

by:jrsitman
ID: 38780948
I deleted the two zones before the users got to work and "zero" problems.  So you were correct.
 
LVL 7

Expert Comment

by:JohnThePro
ID: 38780953
Glad I could help!
 

Author Closing Comment

by:jrsitman
ID: 38780956
Thanks