Solved

Can't access our external web site from 1 of our locations

Posted on 2013-01-14
Last Modified: 2013-01-15
We have 3 separate locations not linked in any way.  From our LA office we were unable to access our own web site, spcala.com and secure.spcala.com.  The IP address for both is 208.94.246.30.
I had a DNS support person help me figure out why.  We never did figure out why, but he did solve the issue.  
He added a Host (A) record for both entries to the DNS server.  After that we could access the sites.  
The difference in DNS between the 3 locations is in the attachment.  I don't know why LA has the two additional forward lookup zones.  They were created by a company I fired.

Any ideas what is wrong?
DNS-LA.jpg
0
Question by:J.R. Sitman
10 Comments
 
LVL 7

Accepted Solution

by:
John Jennings earned 2000 total points
ID: 38776486
Are you hosting the website or ANYTHING related to those domain names on that server?

If you are 100% COMPLETELY POSITIVE, then you can delete those zones.

I can't tell you why they created them, but I can tell you what they're there for.

When you create a forward lookup zone in a Windows DNS Server, it will, by default, act 'authoritative' for that zone. What this means is that server will act as the primary DNS server for that zone. If the IP addresses/DNS records for that zone are obsolete, you'll see problems like what you've experienced.

In general, you should only have zones defined that you are actually operating services on.

If you need more detail or explanation, let me know and I'll be happy to break it down further for you.
0
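Added example, not part of the original thread: a PowerShell check for the failure described in the answer above, where a local primary zone captures a public name and answers it from missing or obsolete records instead of forwarding the query. It assumes it is run on the internal Windows DNS server with the DnsServer module installed, and that 8.8.8.8 is reachable as the public reference resolver; the default names are the two hosts from the question.

```powershell
# Added example: compare what the local DNS server answers with what a public
# resolver answers, for names that fall inside a locally hosted primary zone.
param(
    [string]   $PublicResolver = '8.8.8.8',   # assumption: public reference resolver
    [string[]] $MustResolve    = @('spcala.com', 'secure.spcala.com')
)

function Get-ARecordSet([string]$Name, [string]$Server) {
    # Sorted IPv4 answers from one specific server; empty if the name does not resolve.
    $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    @($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)
}

# Primary forward zones: the server is authoritative for these and never forwards them.
$zones = Get-DnsServerZone | Where-Object {
    -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' -and
    $_.ZoneName -ne 'TrustAnchors' -and $_.ZoneName -notlike '_msdcs.*'
}

$findings = foreach ($name in $MustResolve) {
    # Most specific local zone that would capture this name, if any.
    $zone = $zones |
        Where-Object { $name -eq $_.ZoneName -or $name -like "*.$($_.ZoneName)" } |
        Sort-Object { $_.ZoneName.Length } -Descending |
        Select-Object -First 1
    if (-not $zone) { continue }   # no local zone: the query is forwarded as usual

    $local  = @(Get-ARecordSet $name '127.0.0.1')
    $public = @(Get-ARecordSet $name $PublicResolver)

    # MissingLocally = the symptom in the question (zone exists, record does not).
    # Differs        = stale record, or an intentional internal-only override.
    $status = if (-not $local -and $public) { 'MissingLocally' }
              elseif (($local -join ',') -ne ($public -join ',')) { 'Differs' }
              else { 'Match' }

    [pscustomobject]@{
        Name      = $name
        LocalZone = $zone.ZoneName
        Local     = $local  -join ','
        Public    = $public -join ','
        Status    = $status
    }
}

$findings | Format-Table -AutoSize
```

A `Differs` row is not automatically a fault: an internal address for a host such as a mail server may be deliberate, so review each row before deleting a zone or record.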
 
LVL 7

Expert Comment

by:John Jennings
ID: 38776501
I also noticed, looking at a few of your entries, that you have exchange and owa defined. It also appears as though those IP addresses are internal to your network, is that correct?

If so, the reason that those zones exist is so that name resolution for exchange.spcala.com works inside your network. Normally for a split-DNS network like you have (I can tell by the .corp) the Exchange server is configured to use its internal DNS name when a client connects to it.

External resolution names should be defined outside of a network (usually through a domain provider like GoDaddy) - and the appropriate firewall holes should be opened to route those services securely into your network.

Just something else I noticed. :)
0
 

Author Comment

by:J.R. Sitman
ID: 38776609
I do recall something about them trying to access the owa from within.  I'll make a screen shot of the two zones and delete them.  Then I can add them back if necessary.  Sound ok?
0
 
LVL 7

Expert Comment

by:John Jennings
ID: 38776610
Sounds good. Just be prepared to hear users complain about their Outlook losing connection to Exchange! :)

If something does break, we can definitely put the zones back in and fix the issue for the time being, but we're going to want to make a plan about how you can resolve your DNS routing issues permanently.
0
 

Author Comment

by:J.R. Sitman
ID: 38776618
Now I'm concerned.  Does one of those zones give us access to our internal Exchange server?  If it's internal why would we need this?
0
 

Author Comment

by:J.R. Sitman
ID: 38776976
What I'm asking is why would we need the other zones?
0
 
LVL 7

Assisted Solution

by:John Jennings
John Jennings earned 2000 total points
ID: 38777103
Okay, as simply as I can put it...

You don't need the other zones. That's not necessary for your configuration, had it been set up correctly. Your internal users should be accessing the Exchange server with its internal name *.corp. I can't tell you whether or not this is how your environment is set up. The reason I warned you is because if they're using the external name internally as it appears they might be, you might experience an interruption to your users.

The only reason you would need those external *.com zones defined is if your DNS servers were acting authoritatively for those zones (i.e. - your DNS servers were acting as the primary resolving servers for that zone for the entire internet) OR if you were doing some kind of DNS spoofing for your internal users (making records resolve for users internally while appearing as though it is internet traffic by its name - most users don't know the difference).
0
 

Author Comment

by:J.R. Sitman
ID: 38780948
I deleted the two zones before the users got to work and "zero" problems.  So you were correct.
0
 
LVL 7

Expert Comment

by:John Jennings
ID: 38780953
Glad I could help!
0
 

Author Closing Comment

by:J.R. Sitman
ID: 38780956
Thanks
0

Question has a verified solution.