Solved

DNS issue

Posted on 2016-07-21
Last Modified: 2016-07-28
Hi EE,

Please provide assistance for following issue.

I have created a new Active Directory infrastructure domain called ABC.com; it has Active Directory local DNS, and all Active Directory member servers and clients use it. I also have a website hosted with a third-party hosting service under the same name, ABC.com. However, users are now complaining that they cannot access the website (ABC.com) from their computers. I have an in-house Microsoft environment as well.

Please list possible solutions. All NAT configuration was already done.

Thank you
Question by: Jey_P

24 Comments
LVL 1

Expert Comment

by:XcelogiX
ID: 41723167
You have created a "split brain" DNS infrastructure, meaning you now have completely separate internal and external DNS namespaces for ABC.com. You will need to put all of the same records that are in your external DNS zone in your internal one.

It is usually recommended to set up the AD namespace as a delegation of your external namespace (e.g., internal.abc.com) to avoid this problem.
0
 

Author Comment

by:Jey_P
ID: 41723200
Thank you. Could you please provide a walkthrough of what configuration needs to be included in the split-brain DNS setup? Do I need to make changes on the hosting side? Also, please include some references to get a better understanding. I am from a junior networking background and not very familiar with AD and DNS.

Thanks,
0
 
LVL 9

Accepted Solution

by:
dipersp earned 500 total points
ID: 41723657
On your domain controller, go to the DNS console.  Create a new zone and call it www.abc.com.  In that zone, create a new A record.  The parent record should be blank, and the IP address should point to your external web site's IP address.

You will never be able to resolve your website by going to abc.com internally; since you used that internally, you're stuck with only accessing it at www.abc.com.
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41723851
You won't need a new zone if your internal domain matches your external domain name, i.e., both are abc.com; you will just need to create a new 'A' record in your existing DNS zone for abc.com called 'www'.

Go into DNS > View > Advanced.

Now, expand Forward Lookup Zones and select your zone 'abc.com'.

In the main panel on the right-hand side, right-click on a blank area and click on 'New Host (A or AAAA)...'

Name = www
IP Address = the Webserver's Internal IP
Create Associated Pointer Record = Tick if not already done
Timestamp = All 0's

It's important the timestamp is all 0's, this will make it a static entry so it will never be accidentally scavenged (if configured).
0
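The two variants above (a dedicated www.abc.com zone from the accepted answer, or a www A record inside the existing abc.com zone) done from PowerShell, as an added example that is not code from the thread. It goes one step further than the single www record: it mirrors a list of public hostnames into the internal zone, reading each answer from an outside resolver so the internal copy matches what the hosting provider actually publishes, which is the "put the same records in your internal zone" point from the first reply. It requires the DnsServer module (a Windows Server 2012 or later DC, or RSAT). The zone name, the resolver 8.8.8.8 and the 'mail' label are assumptions; the public address is the right target only when the web server really is outside your network, as with the third-party hosting in the question, otherwise use the server's LAN address as the closing comments explain.

```powershell
# Added example, not from the thread. Mirror selected public hostnames of abc.com
# into the AD-integrated internal zone of the same name. Run as a DNS admin on a DC
# (or on a workstation with the DnsServer RSAT module, adding -ComputerName).
#Requires -Modules DnsServer

$Zone      = 'abc.com'         # AD zone that shadows the public zone (assumption)
$PublicDns = '8.8.8.8'         # any resolver OUTSIDE the split-brain view (assumption)
$Hostnames = @('www', 'mail')  # labels that exist in the public zone (assumption)

function Sync-PublicRecord {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][string]$PublicDns
    )
    $fqdn = "$Label.$Zone"

    # 1. What does the outside world get? Ask a public resolver, not the DC,
    #    otherwise we only read our own (incomplete) zone back.
    $public = @(Resolve-DnsName -Name $fqdn -Type A -Server $PublicDns -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    if ($public.Count -eq 0) { throw "No public A record for $fqdn; nothing to mirror." }

    # 2. What does the internal zone currently answer for this label?
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Label -RRType A -ErrorAction SilentlyContinue
    $current  = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

    # 3. Drop internal answers the public zone no longer has, then add the missing ones.
    foreach ($ip in ($current | Where-Object { $_ -notin $public })) {
        Remove-DnsServerResourceRecord -ZoneName $Zone -Name $Label -RRType A -RecordData $ip -Force
        Write-Host "removed $fqdn -> $ip (not in public zone)"
    }
    foreach ($ip in ($public | Where-Object { $_ -notin $current })) {
        # Records created this way are static (no timestamp), so scavenging cannot
        # remove them; that is the "timestamp all 0's" point in the GUI procedure.
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Label -IPv4Address $ip -TimeToLive 01:00:00
        Write-Host "added   $fqdn -> $ip"
    }
}

foreach ($h in $Hostnames) { Sync-PublicRecord -Zone $Zone -Label $h -PublicDns $PublicDns }

# Alternative from the accepted answer: a separate zone named www.abc.com whose
# apex ("@", shown as "(same as parent folder)" in the console) carries the A record.
# Either approach works; the single record in the existing zone is less to maintain.
# Add-DnsServerPrimaryZone -Name "www.$Zone" -ReplicationScope Domain
# Add-DnsServerResourceRecordA -ZoneName "www.$Zone" -Name '@' -IPv4Address $public[0]

# 4. Verify from the DC's own point of view; it is authoritative for abc.com.
Resolve-DnsName -Name "www.$Zone" -Type A -Server 127.0.0.1 | Format-Table Name, Type, IPAddress

# Caveat from the accepted answer: the apex of abc.com must keep pointing at the
# domain controllers, so the bare name cannot be redirected to the web host.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A | Format-Table HostName, RecordData
```

Run it again whenever the hosting provider changes an address; it only touches the labels in `$Hostnames`, never the apex records that AD depends on.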
 
LVL 9

Expert Comment

by:dipersp
ID: 41723877
Correct - you don't need the new zone. Habit of mine. If your domain zone didn't match your web site domain you would want an additional zone.
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41723893
It would still work though, I'm just toeing the MS line 'least administrative effort'. :)
0
 

Author Comment

by:Jey_P
ID: 41723996
Thank you for your comments. Still not working. I don't see a PTR record created. Is that causing the issue? Please assist.
0
 
LVL 9

Expert Comment

by:dipersp
ID: 41724012
What response do you get if you ping www.abc.com?  Does it resolve your website's IP address?
0
 

Author Comment

by:Jey_P
ID: 41724016
I am getting a timeout.
0
 

Author Comment

by:Jey_P
ID: 41724017
I am getting a timeout when I ping www.abc.com. However, when I do nslookup it resolves the name and/or IP.
0
 
LVL 9

Expert Comment

by:dipersp
ID: 41724019
Are you doing the ping from the server or workstation?  What is the DNS server that is set on the NIC of the machine?
0
 

Author Comment

by:Jey_P
ID: 41724021
I am pinging from one of the AD member servers. The server NIC is set to my local DNS, which is our Active Directory DNS server IP.
0
 
LVL 9

Expert Comment

by:dipersp
ID: 41724023
Without seeing it, hard to say. If you want to send a screenshot, mask as little as possible. It would be nice to see what you set in the DNS server.
0
 

Author Comment

by:Jey_P
ID: 41724552
Thank you. Please check the screenshot. I entered the public IP address in the IP address section and the FQDN is abc.com. Also, I created a new reverse lookup zone, and the PTR record is created automatically in the reverse zone.
DNS-Updates.PNG
0
 
LVL 9

Expert Comment

by:dipersp
ID: 41724609
Thanks for the screenshot, though it's not very helpful since everything is masked. Here's an example of what mine would look like if I were in your shoes.

Also, a timeout when pinging is fine, IF the IP is resolving. See attached. Many hosts don't have ping turned on, so a timeout is normal, but it must resolve to the correct IP.
Ping.jpg
DNS.jpg
1
 

Author Comment

by:Jey_P
ID: 41724703
Thank you for your comment. I did exactly the same as you configured in the screenshot. The only difference is that I selected (check-marked) the PTR record.

I understand ping is turned off on some hosts. For your information, I am able to resolve it using NSLOOKUP.

Do I need to uncheck the PTR record?
0
 
LVL 9

Expert Comment

by:dipersp
ID: 41724704
No, PTR is fine. So the IP resolves. I'm assuming you're still not able to get to your site from within your network with a browser?
0
 

Author Comment

by:Jey_P
ID: 41724719
Correct. I am able to resolve the IP using NSLOOKUP, but I cannot browse it from within my network.
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41724720
Flush the DNS cache on the servers and a test client: ipconfig /flushdns from a command prompt window. Then try accessing it again.
0
 
LVL 9

Expert Comment

by:dipersp
ID: 41724723
If the IP is resolving correctly, it sounds like all is fine on the DNS side. If you ping your website from outside your network, does it ping successfully there? You're sure the IP is correct? (Verify against the ping from the outside world.)
0
 

Author Comment

by:Jey_P
ID: 41725410
I can resolve the IP from my domain controller using NSLOOKUP. I am unable to ping it from outside my network as well. The IP address is correct; I verified it.
0
 
LVL 9

Expert Comment

by:dipersp
ID: 41725431
Sorry, out of ideas. If the IP is resolving the same internally as externally, then something else is at play, such as web filtering. Could be any number of issues: firewall, web filtering, proxy...
0
 
LVL 1

Expert Comment

by:XcelogiX
ID: 41725550
Is the web server in your own network? If so, the traffic from your internal clients is being routed to the outside and then back in to that server, which then sends it back out again. This might not work if there is a router or firewall seeing traffic taking a route like that. If that is your case, and the server has an internal IP that is routable by the internal clients, try connecting to it using the internal IP.
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41725763
Well picked up. I just read that you used the external/public IP address in your internal DNS zone; use the internal address, otherwise you need to configure NAT loopback on your firewall.
0
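A diagnostic that walks the checks the thread went through (does the internal answer match the public one, is the resolved address actually reachable on the web port rather than by ping, and if not, is hairpin NAT the likely cause), as an added example written for this page rather than code posted by anyone in the thread. It runs on any domain-joined Windows client or server with the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 and later). The hostname www.abc.com, the resolver 8.8.8.8 and port 443 are assumptions; the verdict text only summarises what the replies above concluded.

```powershell
# Added example, not from the thread. Diagnose "nslookup resolves but the site
# does not load" for a split-brain name. Ping timeouts prove nothing because
# most web hosts drop ICMP, so the check uses TCP on the port the site serves.

function Test-SplitBrainSite {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$PublicDns = '8.8.8.8',   # resolver outside the AD view (assumption)
        [int]$Port = 443                  # port the site listens on (assumption)
    )
    # Resolve A records only, bypassing the local cache (-DnsOnly) so a stale
    # entry cannot hide the server's current answer.
    $resolve = {
        param($server)
        $p = @{ Name = $Fqdn; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($server) { $p.Server = $server }
        @(Resolve-DnsName @p | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    }
    $inside  = & $resolve $null        # what the AD DNS server tells this client
    $outside = & $resolve $PublicDns   # what the rest of the internet is told

    $report = [ordered]@{
        Fqdn      = $Fqdn
        InternalA = ($inside  -join ', ')
        PublicA   = ($outside -join ', ')
    }

    if ($inside.Count -eq 0) {
        # The AD zone shadows the public zone, so a missing record here is the
        # split-brain gap from the start of the thread.
        $report.Verdict = 'No internal A record: add the record to the AD zone.'
        return [pscustomobject]$report
    }

    # TCP reachability of every internally resolved address on the web port.
    $tcpOk = [ordered]@{}
    foreach ($ip in $inside) {
        $tcpOk[$ip] = Test-NetConnection -ComputerName $ip -Port $Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    $report.TcpReachable = ($tcpOk.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '

    if ($tcpOk.Values -contains $true) {
        $report.Verdict = "DNS and TCP $Port are fine from here; look at the browser, proxy or web filter."
    } elseif ($inside | Where-Object { $_ -in $outside }) {
        # Same answer as the public zone, yet unreachable from the LAN: the pattern
        # the last two replies describe.
        $report.Verdict = "Resolution matches the public zone but port $Port is unreachable from inside. " +
                          "If the web server sits on your own network, point the internal record at its LAN " +
                          "address or enable NAT loopback (hairpin) on the firewall; if it is hosted externally, " +
                          "check the firewall, proxy or web filter."
    } else {
        $report.Verdict = 'Internal answer differs from the public one and is unreachable: fix the internal record.'
    }
    [pscustomobject]$report
}

# Run from a workstation or member server that uses the AD DNS server as its resolver.
Test-SplitBrainSite -Fqdn 'www.abc.com' | Format-List
```

Run it once from inside the network and once from a machine outside it (or with a hotspot); if the addresses agree and only the inside TCP test fails, DNS is not the problem and the firewall path is where to look next, exactly as the closing replies conclude.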
