DMZ Setup Quandary

Brian Roberson

We are having issues with our DMZ AD setup. Let me set my situation and see
if anyone has any good suggestions:


We have a DMZ setup for providing our DMZ machines to be members of an
outside AD domain.

The DMZ houses two important computers, NS and NS1. They are both AD DCs.
Their IPs (the outside ones are not real):

Host   DMZ IP          Outside IP
NS     192.168.128.4   197.3.128.4
NS1    192.168.128.5   197.3.128.5

They are working great, providing DNS resolution for outside clients to
resolve our domain name and many hosts.

DNS is set up with a standard primary on our AD domain. We did this because
DDNS was switching NS & NS1's DNS records back to "192.168.128.4" and
"192.168.128.5" -- which was breaking DNS for the outside name resolution.

Fine, we made it so NS was a standard primary, and NS1 was a standard
secondary. With dynamic DNS shut off, the name server records never changed
or auto-updated themselves.

All is working fine, till I noticed the two DCs (NS and NS1) cannot
replicate. They are trying to resolve each other to their outside
IP addresses (the 197 IP). I tried using a hosts file to fool them into
seeing each other as 192. I don't think that ever worked. I created unique
static WINS addresses with their names and DMZ IP addresses - no change.

The only way I see to make them replicate is to change their "A" records
back to "192" DMZ IPs so they can resolve each other. This will break
external name resolution on the internet for our zones.

We obviously need to fix the AD replication issue - but are unsure which
avenue to go down. We've thought about changing the names of the machines
from NS and NS1 to something else. Then keeping NS & NS1's A records "197"
and then creating A records for the DMZ hosts as "192" addresses. This
might work - but will it create other issues? Will this break reverse DNS
lookups? (or invalidate them)

I might have missed some information here - so feel free to ask questions...


Brian
 
Kevin D. Goodknecht [MVP]

In
Brian Roberson said:
> We are having issues with our DMZ AD setup. Let me set my situation
> and see if anyone has any good suggestions:
>
> We have a DMZ setup for providing our DMZ machines to be members of an
> outside AD domain.
>
> The DMZ houses two important computers, NS and NS1. They are both
> AD DCs. Their IPs (the outside ones are not real):
>
> Host   DMZ IP          Outside IP
> NS     192.168.128.4   197.3.128.4
> NS1    192.168.128.5   197.3.128.5
>
> They are working great, providing DNS resolution for outside clients
> to resolve our domain name and many hosts.
>
> DNS is set up with a standard primary on our AD domain. We did this
> because DDNS was switching NS & NS1's DNS records back to
> "192.168.128.4" and "192.168.128.5" -- which was breaking DNS for the
> outside name resolution.
>
> Fine, we made it so NS was a standard primary, and NS1 was a standard
> secondary. With dynamic DNS shut off, the name server records never
> changed or auto-updated themselves.
>
> All is working fine, till I noticed the two DCs (NS and NS1) cannot
> replicate. They are trying to resolve each other to their outside
> IP addresses (the 197 IP). I tried using a hosts file to fool them
> into seeing each other as 192. I don't think that ever worked. I
> created unique static WINS addresses with their names and DMZ IP
> addresses - no change.
>
> The only way I see to make them replicate is to change their "A"
> records back to "192" DMZ IPs so they can resolve each other. This
> will break external name resolution on the internet for our zones.
>
> We obviously need to fix the AD replication issue - but are unsure
> which avenue to go down. We've thought about changing the names of
> the machines from NS and NS1 to something else. Then keeping NS &
> NS1's A records "197" and then creating A records for the DMZ hosts
> as "192" addresses. This might work - but will it create other
> issues? Will this break reverse DNS lookups? (or invalidate them)
>
> I might have missed some information here - so feel free to ask
> questions...
>
> Brian

The reason these two DCs cannot replicate is because you have configured DNS
for external resolution. So DNS resolution works fine from the outside, but
you are dealing with two DCs that are behind NAT and cannot communicate with
each other by the public addresses because of NAT.
Move the public DNS to another DNS server and let these two communicate with
the private addresses. Or set up another DNS server and point these two DCs
to it for DNS so they can register their private addresses and communicate.
So far as what you did with the hosts file, well, that might work for the
machine, but did you create the LDAP IP addresses, which are the addresses
that are used for DFS shares and replication? The LDAP IP address is what your
domain name resolves to. Does the domain name resolve to all IP addresses on
the domain controllers?
 
Brian Roberson

Thanks for the input. Wow, that's a good idea: creating a DNS server to
reference each other's internal IPs. That will probably be my ticket to
success.

I never have manually created "LDAP IP addresses" - I don't know what that
is. Doesn't AD set this up automatically? There are no DFS roots or shares
set up in the AD DMZ - probably overkill. Should I consider setting them up?

I believe the domain name resolves correctly to all IP addresses. But
again, it's probably resolving to the wrong ones!!

Brian
 
Kevin D. Goodknecht [MVP]

In
Brian Roberson said:
> Thanks for the input. Wow, that's a good idea: creating a DNS server
> to reference each other's internal IPs. That will probably be my
> ticket to success.

Yes, it is. You can do this on a member server. I just have one big point to
keep in mind: all internal machines must ONLY point to this internal DNS.
You can forward the internal DNS to the two external DNS servers you have
set up.
> I never have manually created "LDAP IP addresses" - I don't know what
> that is. Doesn't AD set this up automatically?
The LDAP IP address is what the domain name resolves to; the "(same as parent
folder)" host record is the one used for LDAP.

> There are no DFS roots or shares set up in the AD DMZ - probably
> overkill. Should I consider setting them up?

Domain Controllers automatically set up one DFS share, the SYSVOL share.
Member machines get their group policies from this share at
\\domain.com\SYSVOL\domain.com\policies. This share is replicated to all DCs
and is why the domain name must resolve to all IP addresses on domain
controllers that have file sharing.
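The split that Kevin describes across both of his replies (an internal DNS server that the DCs register their private addresses with, forwarding to the two public servers, and the domain name resolving to every DC) can be set up and then checked from PowerShell. The script below is an added example, not code from the thread or from either poster; it uses the Windows DnsServer and DnsClient modules, which post-date this discussion (the same steps are done in the DNS MMC or with dnscmd on older servers). It assumes the internal DNS role runs on a DMZ member server at 192.168.128.10 (a made-up address), that the AD domain is domain.com as in Kevin's SYSVOL path, that NS and NS1 are reached from inside the DMZ by the 192.168.128.x addresses Brian listed, and that the DMZ NIC is called 'Ethernet'.

```powershell
# Added example (not from the thread): internal DNS for the DMZ DCs, with
# forwarding to the public servers, followed by the checks Kevin asks for.

$Zone        = 'domain.com'                      # AD domain, from the SYSVOL path
$InternalDns = '192.168.128.10'                  # assumed: DMZ member server running DNS
$PublicDns   = @('192.168.128.4', '192.168.128.5')  # NS / NS1, reached by their DMZ-side addresses
$DcPrivate   = @('192.168.128.4', '192.168.128.5')  # addresses the DCs must resolve each other to

# --- On the member server (internal DNS) -----------------------------------
# 1. A standard primary zone that only DMZ-internal clients will ever query.
#    Dynamic updates stay on here so the DCs can register their own A and SRV
#    records; a non-AD-integrated zone cannot do secure updates, so restrict
#    who can reach this server on 53/tcp+udp at the firewall.
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate NonsecureAndSecure

# 2. Names the internal zone is not authoritative for go to the two public servers.
Add-DnsServerForwarder -IPAddress $PublicDns

# --- On NS, NS1 and every other internal machine ----------------------------
# 3. Point the resolver ONLY at the internal server (Kevin's "one big point").
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $InternalDns

# 4. Re-register: the host A record, the "(same as parent folder)" A record that
#    the domain name resolves to (the LDAP IP address), and the DC locator SRVs.
ipconfig /registerdns
nltest /dsregdns

# --- Verification, from any internal machine ---------------------------------
# 5. domain.com must answer with every DC's private address and nothing from the
#    197.x NAT range; a 197.x answer means that client still uses the public DNS.
function Test-InternalView {
    param([string]$Domain, [string[]]$Expected, [string]$Server)
    $answers = @((Resolve-DnsName -Name $Domain -Type A -Server $Server).IPAddress)
    [pscustomobject]@{
        Answers = $answers
        Missing = @($Expected | Where-Object { $_ -notin $answers })   # DCs not registered yet
        Leaked  = @($answers  | Where-Object { $_ -like '197.*' })     # public addresses in the internal view
    }
}
Test-InternalView -Domain $Zone -Expected $DcPrivate -Server $InternalDns

# 6. DC locator records and replication health once both DCs resolve privately.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server $InternalDns
dcdiag /test:DNS
repadmin /showrepl
```

The point of keeping two views is that the public zone on NS/NS1 keeps answering 197.x for the internet, while every DMZ-internal machine sees only 192.168.128.x; an empty `Missing` and an empty `Leaked` from `Test-InternalView` is the condition Kevin's last question ("does the domain name resolve to all IP addresses on the domain controllers?") is asking about.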
 
