DNS Issues On Win 2003 DC Home Domain


bryan.travis

Hey Guys,


To explain a bit about my situation, I have a home network that I have
configured for studying purposes; I own my own business. I have a
registered domain that has an active site up and running through my
registrar.


Anyway, I have been configuring my home network, and I think I have been
having DNS problems without realizing it. I have come to the
conclusion that my home domain has interfered with my domain at the
registrar and has brought down my site; this is quite a serious issue.
I have figured this out by powering off my DC.
Anyway, on my provider's site I am able to locate A records and name
server addresses. Is there any way for me to configure my home domain
so that it is fully functional and still be able to host my site
through my registrar? I have tried modifying my A records and
forwarders in Group Policy, but I am unsure of the correct procedure.
Also I would like to be able to maintain Internet connectivity on these
machines as well.


Is there anyone who may be able to help me out with this and give me
the proper steps and things I should be editing within my home DNS?


Thanks


Bryan
 
Hey Guys,
To explain a bit about my situation, I have a home network that I have
configured for studying purposes; I own my own business. I have a
registered domain that has an active site up and running through my
registrar.


Anyway, I have been configuring my home network, and I think I have been
having DNS problems without realizing it. I have come to the
conclusion that my home domain has interfered with my domain at the
registrar and has brought down my site; this is quite a serious issue.

Unlikely but easy to fix.

First (do this now because it may take time for the registrar to
reset it -- 12-24 hours):

Go to the registrar and check your DNS (NS) records to ENSURE
that ONLY your public DNS server(s) show up as NS records for
the public domain. Remove ANY NS record that points to a non-
public DNS server or to one that doesn't have precisely the correct
records.

From what you have said, it should ONLY show the REGISTRAR
DNS server set.
I have figured this out by powering off my DC.
Anyway, on my provider's site I am able to locate A records and name
server addresses. Is there any way for me to configure my home domain
so that it is fully functional and still be able to host my site
through my registrar?

Yes. And you should start with the above to get your public
DNS correct.
I have tried modifying my A records and
forwarders in Group Policy,

None of that is going to help directly.
but I am unsure of the correct procedure.
Also I would like to be able to maintain Internet connectivity on these
machines as well.

Easily doable but the solution isn't obvious if you have never done
this.

IF your home domain uses the SAME zone name as your public
domain you must set up a "Shadow DNS" (aka "Split DNS")
configuration.

This just means you have TWO INDEPENDENT Primaries (or
Master DNS servers) -- one at the Registrar with ONLY the
public addresses, and the other on your INTERNAL DNS
with public PLUS private addresses.

Since two Primaries will never replicate this is REALLY the
equivalent of two DNS zones with the same name. We purposely
BREAK replication between the two (versions of) the zone to
keep the private records private and the public records limited
to just the public resource machines.
Is there anyone who may be able to help me out with this and give me
the proper steps and things I should be editing within my home DNS?

Once you have the two zones, you must make all PUBLIC record
changes to BOTH zones -- and do this manually. So if you change
your public WWW site IP you must change it on both DNS zone
versions.

It sounds bad, but since you likely only have a handful of resource
records publicly and they will seldom change it isn't too bad.
(www, ftp, smtp, etc.)

On the inside you will have your Internal DNS zone with all of
those public records but also with every internal, private record
listed.

Your internal clients -- which includes DCs and the internal DNS
server(s) themselves -- just use STRICTLY the internal DNS server
(set) on their NIC->IP Properties.

Your internal DNS server will forward (in most cases) to either
your "firewall caching only DNS" or perhaps to your ISP for doing
the REST of the Internet resolution. (It can do recursion directly
but this is a poor idea.)

Notice that there will be NO relationship between YOUR internal
and external DNS except that you will keep the external records
manually synchronized on each (separately.)

Your internal DNS servers will resolve their own zone from a
private zone database and everything else EXCEPT that zone from
the Internet through either forwarding or recursion.



Here are some standard troubleshooting tips to help with
DNS for AD:

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
 
Hi Herb,

I have checked my NS records on my registrar's site; everything seems
fine, they point to the public domain. I have checked my DNS settings
on my NIC, and on my DC the DNS is the same as the IP, which is good,
and on my one client machine the DNS is set to that of the DC or DNS. I
am able to get out to the Internet just fine. The problem still lies
with when I power on my machine or keep it on: my www.itdzign.com is
unavailable due to DNS errors, which I am sure is caused by my machine
and not by the registrar.

I am a little unsure of part of your reply which is below

*****IF your home domain uses the SAME zone name as your public
domain you must set up a "Shadow DNS" (aka "Split DNS")
configuration.


This just means you have TWO INDEPENDENT Primaries (or
Master DNS servers) -- one at the Registrar with ONLY the
public addresses, and the other on your INTERNAL DNS
with public PLUS private addresses.


Since two Primaries will never replicate this is REALLY the
equivalent of two DNS zones with the same name. We purposely
BREAK replication between the two (versions of) the zone to
keep the private records private and the public records limited
to just the public resource machines.


Is there anyone who may be able to help me out with this and give me
the proper steps and things I should be editing within my home DNS?


Once you have the two zones, you must make all PUBLIC record
changes to BOTH zones -- and do this manually. So if you change
your public WWW site IP you must change it on both DNS zone
versions. *****

I have not touched DNS in about 2 years, since I finished college, and I
am unsure as to how to accomplish the above successfully. Would it be
possible for you to give me a more step-by-step explanation?

Here is a bit more information:
My domain/website host is 1and1.com, my ISP is 3web.
the NS for 1and1.com are
ns30.1and1.com
ns29.1and1.com
my DNS for 3web is
216.58.97.21
216.58.97.20

If you could help me with this it would be greatly appreciated.

Thanks

Bryan
 
Hi Herb,

I have checked my NS records on my registrar's site; everything seems
fine, they point to the public domain. I have checked my DNS settings
on my NIC, and on my DC the DNS is the same as the IP, which is good,
and on my one client machine the DNS is set to that of the DC or DNS. I
am able to get out to the Internet just fine. The problem still lies
with when I power on my machine or keep it on: my www.itdzign.com is
unavailable due to DNS errors, which I am sure is caused by my machine
and not by the registrar.

I am a little unsure of part of your reply which is below

*****IF your home domain uses the SAME zone name as your public
domain you must set up a "Shadow DNS" (aka "Split DNS")
configuration.

The point Herb is trying to make is, if you named your AD (internal) domain
itdzign.com, you will need to add records to the internal DNS server for
names you need that don't exist, for example "www", and the record needs to
give the IP of the website, because your internal DNS is not aware of names
in your external DNS and will not forward any name in itdzign.com.
Additionally, I assume, since it works when you power off your DC, you must
have your external DNS in the TCP/IP properties of your internal machines; this
is incorrect and should not be done. All AD domain members must use only the
DC for DNS. This is required regardless of how small or large your local
network is.
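A small model of the split DNS arrangement Herb describes and Kevin restates, as an added example that is not code from the thread: the internal server is authoritative for itdzign.com, so a name it lacks comes back NXDOMAIN instead of being forwarded, and the fix is to copy the public records into the internal zone and check they stay in sync. Host names other than www.itdzign.com and every IP are constructed placeholders.

```python
# Model of the split ("shadow") DNS setup discussed in the thread. Added example,
# not code from the thread. All IPs are constructed placeholders.
NXDOMAIN = "NXDOMAIN"
ZONE = "itdzign.com"

# Zone at the registrar: ONLY the public hosts (constructed sample records).
PUBLIC_ZONE = {"www.itdzign.com": "203.0.113.10", "mail.itdzign.com": "203.0.113.25"}

# Internal AD zone as described in the thread: private hosts, no copy of "www".
INTERNAL_ZONE_BROKEN = {"dc1.itdzign.com": "192.168.1.10", "client1.itdzign.com": "192.168.1.50"}

# What the ISP/forwarder resolver knows (constructed): the rest of the Internet.
INTERNET_VIEW = {**PUBLIC_ZONE, "www.example.net": "198.51.100.7"}


def resolve(name, zone, forwarder=None, zone_name=ZONE):
    """Resolve a name the way a server that is primary for zone_name does:
    names inside the zone are answered only from the local zone data (an
    authoritative server never forwards them); every other name goes to the
    forwarder, modelled here as a dict."""
    name = name.rstrip(".").lower()
    if name == zone_name or name.endswith("." + zone_name):
        return zone.get(name, NXDOMAIN)
    return forwarder.get(name, NXDOMAIN) if forwarder else NXDOMAIN


def build_internal_zone(private_records, public_zone):
    """Internal zone = every private record PLUS a copy of each public record.
    Private records win on a name clash so internal clients reach the LAN host."""
    merged = dict(public_zone)
    merged.update(private_records)
    return merged


def public_record_drift(public_zone, internal_zone):
    """Public records the internal copy lacks or holds with a different IP.
    This is the manual sync check to run after any change at the registrar."""
    return {n: ip for n, ip in public_zone.items() if internal_zone.get(n) != ip}


INTERNAL_ZONE_FIXED = build_internal_zone(INTERNAL_ZONE_BROKEN, PUBLIC_ZONE)

if __name__ == "__main__":
    # Broken: the forwarder knows www, but the internal server never asks it.
    print(resolve("www.itdzign.com", INTERNAL_ZONE_BROKEN, INTERNET_VIEW))  # NXDOMAIN
    print(resolve("www.itdzign.com", INTERNAL_ZONE_FIXED, INTERNET_VIEW))   # 203.0.113.10
    print(public_record_drift(PUBLIC_ZONE, INTERNAL_ZONE_BROKEN))  # www and mail missing
    print(resolve("dc1.itdzign.com", PUBLIC_ZONE))  # NXDOMAIN: private names stay private
```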
 
Kevin said:
The point Herb is trying to make is, if you named your AD (internal) domain
itdzign.com, you will need to add records to the internal DNS server for
names you need that don't exist, for example "www", and the record needs to
give the IP of the website, because your internal DNS is not aware of names
in your external DNS and will not forward any name in itdzign.com.
Additionally, I assume, since it works when you power off your DC, you must
have your external DNS in the TCP/IP properties of your internal machines; this
is incorrect and should not be done. All AD domain members must use only the
DC for DNS. This is required regardless of how small or large your local
network is.

Hi Kevin,
Thanks for your reply. I have checked my machines to make sure that
they do not have the external DNS in the TCP/IP properties, and they do
not. Both my DC and one user machine have only that of the DC as the DNS.

Do I create this record at the Domain level of itdzign.com within DNS?

Thanks
Bryan
 
Thanks to both of you for the help. I finally have this working
correctly. Thanks again,

Bryan
 