DNS issue

Hi EE,

Please provide assistance for following issue.

I have created a new Active Directory infrastructure domain called ABC.com; it has Active Directory local DNS, which all Active Directory member servers and clients use. I also have a website hosted with a third-party hosting service under the same name, ABC.com. However, users are now complaining that they cannot access the website (ABC.com) from their computers. I have an in-house Microsoft environment as well.

Please list possible solutions. All NAT configuration was made already.

Thank you
Jey_PIT Security Eng Asked:
 
diperspCommented:
On your domain controller, go to the DNS console. Create a new zone and call it www.abc.com. In that zone, create a new A record. The parent record should be blank, and the IP address should point to your external website's IP address.

You will never be able to resolve your website by going to abc.com internally; since you used that internally, you're stuck with only accessing it at www.abc.com.
0
 
XcelogiXCommented:
You have created a "split-brain" DNS infrastructure, meaning you now have completely separate internal and external DNS namespaces for ABC.com. You will need to put all of the same records that are in your external DNS zone in your internal one.

It is usually recommended to set up the AD namespace as a delegation of your external namespace (e.g., internal.abc.com) to avoid this problem.
0
 
Jey_PIT Security Eng Author Commented:
Thank you. Could you please provide a walkthrough of what configuration needs to be included in the split-brain DNS setup? Do I need to make some changes on the hosting side? Also, please include some sort of reference to get more understanding. I come from a junior networking background and am not very familiar with AD or DNS.

Thanks,
0
 
MdlinnettCommented:
You won't need a new zone if your internal domain matches your external domain name, i.e., both are abc.com; you will just need to create a new 'A' record called 'www' in your existing DNS zone for abc.com.

Go into DNS > View > Advanced.

Now, expand Forward Lookup Zones and select your zone 'abc.com'.

In the main panel on the right-hand side, right-click on a blank area and click on 'New Host (A or AAAA)...'

Name = www
IP Address = the Webserver's Internal IP
Create Associated Pointer Record = Tick if not already done
Timestamp = All 0's

It's important that the timestamp is all 0's; this makes it a static entry, so it will never be accidentally scavenged (if scavenging is configured).
0
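The same record creation done from PowerShell with the DnsServer module, as an added example that is not part of the thread. It assumes it runs on a domain controller or DNS server that already holds the abc.com zone; 192.0.2.10 is a placeholder for the web server's internal address, and the record is created without `-AgeRecord`, which is what the "timestamp all 0's" instruction above achieves in the console.

```powershell
# Added example, not from the thread: create the static 'www' A record in the
# existing abc.com zone and verify that it is not subject to aging/scavenging.
# Assumptions: DnsServer module present, zone 'abc.com' exists, run with DNS admin rights.
Import-Module DnsServer

$ZoneName = 'abc.com'
$HostName = 'www'
$WebIp    = '192.0.2.10'   # placeholder: the web server's INTERNAL IP address

# Do not create a duplicate: look for an existing 'www' A record first.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A -ErrorAction SilentlyContinue
if ($existing) {
    "Record already exists: {0}.{1} -> {2}" -f $HostName, $ZoneName, ($existing.RecordData.IPv4Address -join ', ')
} else {
    # Without -AgeRecord the record is static (timestamp 0) and scavenging never removes it.
    # -CreatePtr writes the matching PTR if a reverse lookup zone for the subnet exists.
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostName -IPv4Address $WebIp -CreatePtr
}

# Verify the record: a static record reports no Timestamp.
$rec = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A
[pscustomobject]@{
    Name   = "$($rec.HostName).$ZoneName"
    IPv4   = ($rec.RecordData.IPv4Address | ForEach-Object { $_.IPAddressToString }) -join ', '
    Static = ($null -eq $rec.Timestamp)   # True means timestamp 0, i.e. never scavenged
}

# The local resolver cache on this machine may still hold a negative answer; flush it.
Clear-DnsClientCache
```

Run it once; the final object should show `Static : True`. Member servers and workstations that already cached the failed lookup need their own cache flushed (`ipconfig /flushdns` or `Clear-DnsClientCache`) before they see the new record.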
 
diperspCommented:
Correct, you don't need the new zone. Habit of mine. If your domain zone didn't match your website's domain, you would want an additional zone.
0
 
MdlinnettCommented:
It would still work though, I'm just toeing the MS line 'least administrative effort'. :)
0
 
Jey_PIT Security Eng Author Commented:
Thank you for your comments. Still not working. I don't see a PTR record created. Is that causing the issue? Please assist.
0
 
diperspCommented:
What response do you get if you ping www.abc.com? Does it resolve to your website's IP address?
0
 
Jey_PIT Security Eng Author Commented:
I am getting a time out.
0
 
Jey_PIT Security Eng Author Commented:
I am getting a time out when I ping www.abc.com. However, when I do nslookup it resolves the name and/or IP.
0
 
diperspCommented:
Are you doing the ping from the server or a workstation? What DNS server is set on the NIC of the machine?
0
 
Jey_PIT Security Eng Author Commented:
I am pinging from one of the AD member servers. The server NIC is set to my local DNS, which is our Active Directory DNS server IP.
0
 
diperspCommented:
Without seeing it, it's hard to say. If you want to send a screenshot, mask as little as possible... It would be nice to see what you set in the DNS server.
0
 
Jey_PIT Security Eng Author Commented:
Thank you, please check the screenshot. I did enter the public IP address in the IP address section, and the FQDN is abc.com. Also, I created a new reverse lookup zone, and the PTR record will be created automatically in the reverse zone.
DNS-Updates.PNG
0
 
diperspCommented:
Thanks for the screenshot, though it's not very helpful since everything is masked. Here's an example of what mine would look like if I were in your shoes.

Also, a timeout when pinging is fine, IF the IP is resolving. See attached. Many hosts don't have ping turned on, so a timeout is normal, but it must resolve to the correct IP.
Ping.jpg
DNS.jpg
1
 
Jey_PIT Security Eng Author Commented:
Thank you for your comment. I did exactly the same as you configured in the screenshot. The only difference is that I selected (check-marked) the PTR record.

I understand that ping is turned off on some hosts. For your information, I am able to resolve it using NSLOOKUP.

Do I need to uncheck the PTR record?
0
 
diperspCommented:
No, PTR is fine. So the IP resolves. I'm assuming you're still not able to get to your site from within your network via a browser?
0
 
Jey_PIT Security Eng Author Commented:
Correct. I am able to resolve the IP using NSLOOKUP, but I cannot browse it from within my network.
0
 
MdlinnettCommented:
Flush the DNS cache on the servers and a test client: ipconfig /flushdns from a command prompt window. Then try accessing it again.
0
 
diperspCommented:
If the IP is resolving correctly, it sounds like all is fine on the DNS side. If you ping your website from outside your network, does it ping successfully there? Are you sure the IP is correct? (Verify against the ping from the outside world.)
0
 
Jey_PIT Security Eng Author Commented:
I could resolve the IP from my domain controller using NSLOOKUP. I am unable to ping it from outside my network as well. The IP address is correct; I did verify it.
0
 
diperspCommented:
Sorry, out of ideas. If the IP is resolving the same internally as externally, then something else is at play, such as web filtering. Could be any number of issues: firewall, web filtering, proxy...
0
 
XcelogiXCommented:
Is the web server in your own network? If so, the traffic from your internal clients is being routed to the outside and then back in to that server, which then sends it back out again. This might not work if there is a router or firewall seeing traffic take a route like that. If that is your case, and the server has an internal IP that is routable by the internal clients, try connecting to it using the internal IP.
0
 
MdlinnettCommented:
Well picked up. I just read that you used the external/public IP address for your internal DNS zone; use the internal address, otherwise you need to configure NAT loopback on your firewall.
0
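A check script that walks the diagnosis the thread arrived at, as an added example that is not part of the thread: it flushes the client cache (the `ipconfig /flushdns` step), compares what the internal AD DNS and an outside resolver answer for www.abc.com, tests the web ports by TCP rather than ICMP (since ping is often blocked), and, when the server actually sits on the LAN, checks whether it answers on its internal address while failing via the public one, which is the hairpin-NAT symptom described in the last two comments. `$ExternalResolver` and `$InternalWebIp` are placeholders you replace; it assumes a Windows domain member with the DnsClient and NetTCPIP modules available.

```powershell
# Added example, not from the thread: compare internal vs external DNS answers for the
# site, test TCP reachability, and flag the hairpin-NAT case.
# Assumptions (placeholders): $ExternalResolver is a recursive resolver outside your
# network; $InternalWebIp is the web server's LAN address if hosted on-site, else $null.
$Fqdn             = 'www.abc.com'
$ExternalResolver = '203.0.113.53'   # placeholder: an outside recursive resolver
$InternalWebIp    = $null            # placeholder, e.g. '192.0.2.10' if the server is on your LAN

# Same effect as 'ipconfig /flushdns': drop any cached negative answer from earlier attempts.
Clear-DnsClientCache

# 1. Answer from the DNS server configured on this NIC (the AD DNS server).
$internal = @(Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
              Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
# 2. Answer the outside world sees for the same name.
$external = @(Resolve-DnsName -Name $Fqdn -Type A -Server $ExternalResolver -ErrorAction Stop |
              Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)

"Internal DNS answer : $($internal -join ', ')"
"External DNS answer : $($external -join ', ')"
if (-not (Compare-Object $internal $external)) {
    "Internal and external DNS agree; the split-brain record matches the public one."
} else {
    "Internal and external DNS differ; expected only if you deliberately point internal clients at a LAN address."
}

# 3. Resolution is not reachability: test the web ports over TCP instead of pinging.
$publicOk = $false
foreach ($port in 80, 443) {
    $t = Test-NetConnection -ComputerName $Fqdn -Port $port -WarningAction SilentlyContinue
    "{0}:{1} via {2} -> TcpTestSucceeded={3}" -f $Fqdn, $port, $t.RemoteAddress, $t.TcpTestSucceeded
    if ($t.TcpTestSucceeded) { $publicOk = $true }
}

# 4. Hairpin-NAT check: the name resolves to the public IP, the server is on the LAN,
#    and the public path fails while the LAN address answers directly.
if ($InternalWebIp -and -not $publicOk) {
    $direct = Test-NetConnection -ComputerName $InternalWebIp -Port 80 -WarningAction SilentlyContinue
    if ($direct.TcpTestSucceeded) {
        "Server answers on its LAN address $InternalWebIp but not via the public IP $($internal -join ', ')."
        "Point the internal 'www' A record at $InternalWebIp, or enable NAT loopback (hairpin NAT) on the edge firewall."
    } else {
        "Server does not answer on $InternalWebIp either; look at the web server, host firewall or filtering."
    }
}
```

Run it from a member server and then from a workstation; if step 3 fails on both while the DNS answers agree, the problem is on the path (firewall, proxy, web filtering, or the hairpin case in step 4), not in DNS.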
Question has a verified solution.