DNS resolution issue


Kevin Melton

Hello

I am having an internal DNS issue that is as follows. My
company FQDN is www.boarsheadinn.com, at adx 66.223.46.238.

If an nslookup is performed from outside my private
network, I get the correct adx displayed above when I
query for either www.boarsheadinn.com, or for
boarsheadinn.com (no www). This is correct.

Inside I have another issue. I have users who like to
type boarsheadinn.com vs. www.boarsheadinn.com. This
worked ok until a few weeks ago. Now when the users type
in boarsheadinn.com, they get a page cannot be displayed.

This is happening (sniffer revealed this) because when the
users are typing in boarsheadinn.com, DNS gives them
records resolving back to the inside addresses of our 2 domain
controllers, because our DNS Forward Lookup
zone is called "boarsheadinn.com". So I guess the DNS box
thinks that these clients are querying for the domain.

What can I do to make it so that when my inside users
use "boarsheadinn.com", they resolve to the 66.223.46.238
public address???

thanks in advance...
 
Kevin,
Unfortunately, due to the design you have chosen for the active directory, there isn't a way around this. Since AD is named after boarsheadinn.com, the DCs
will register host records as boarsheadinn.com. This allows clients to easily find DCs. A workaround would be to use an ISA server or proxy server to
redirect requests from clients to boarsheadinn.com to the correct IP address of the web server.

Our recommended solution would have been to configure AD as something like corp.boarsheadinn.com. This way the DCs register in corp and not at the
parent. This would allow the parent zone to contain whichever records are necessary for the website removing the conflict.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
 

No problem here Kevin. I like the split horizon method and have instituted
it in many sites. Jonathan's link mentions how to get around it.
Here's something more specific on how to get this to work for you:

===============================
This is good especially if you have a Split Horizon environment where the
internal and external domain names are the same and the users need to get to
their external name by http://theirdomain.com but their DC/DNS server
responds and not the actual external website.

This one is done on the netlogon service parameters in the registry. This
will stop netlogon registering the blank FQDN with the internal private IP.

Here are two steps to clean that up. First you stop the netlogon service from
registering that "Blank Domain FQDN" IP address. Those IPs are actually
called the LdapIpAddress. Then you create your own Blank Domain FQDN IP
(your own LdapIpAddress) that corresponds to your actual external website.
Here you go:
==========================================
Disabling the Same As Parent LdapIpAddress blank FQDN and auto Publishing a
Blank Domain FQDN IP:
[Taken from http://support.microsoft.com/?id=295328]

To disable only the registration of the local IP addresses, set the
following registry value, then reboot the machine for it to take effect:

1) Add the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Value: LdapIpAddress

2) Do this on all DCs and restart netlogon or restart machine.
This will prevent the DC from adding the domain A records from netlogon.
And you can add multiple Blank Domain A records as you need.

After you set this value, you must manually create your publicly available
IP addresses for your domain to appear as:
Same as parent folder Host "publicIP"

To do so, right-click your domain name, New Host, leave the name field blank,
and enter the actual external IP address.

You're done.

====================================



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
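The two steps Ace lists (the Netlogon registry value on every DC, then the blank-name host record pointing at the public address), scripted as an added example that is not part of the thread. It assumes a current Windows Server with the DnsServer PowerShell module, the zone and public IP from Kevin's post, and two domain controllers whose names (DC1, DC2) are assumed; the closing check queries the zone apex and reports any DC address that is still being returned.

```powershell
# Added example: apply the DnsAvoidRegisterRecords workaround and verify the apex.
# Assumes the DnsServer module, domain-joined admin session, and assumed DC names.
#Requires -RunAsAdministrator
$ZoneName = 'boarsheadinn.com'      # zone named the same as the AD domain
$PublicIp = '66.223.46.238'         # public web address from the thread
$DcNames  = @('DC1', 'DC2')         # assumed names of the two domain controllers

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Step 1: on each DC, stop Netlogon from registering the blank-name (apex)
# A records, which are the LdapIpAddress entries, then restart Netlogon.
foreach ($dc in $DcNames) {
    Invoke-Command -ComputerName $dc -ArgumentList $NetlogonParams -ScriptBlock {
        param($Path)
        New-ItemProperty -Path $Path -Name 'DnsAvoidRegisterRecords' `
            -PropertyType MultiString -Value @('LdapIpAddress') -Force | Out-Null
        Restart-Service -Name Netlogon -Force
    }
}

# Step 2: publish the public IP as a "same as parent folder" host record.
$apex = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType A `
            -ErrorAction SilentlyContinue
$existing = @($apex.RecordData.IPv4Address.IPAddressToString)
if ($existing -notcontains $PublicIp) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' -IPv4Address $PublicIp
}

# Check: the apex should answer with the public IP and none of the DC addresses.
$dcAddrs = foreach ($dc in $DcNames) {
    (Resolve-DnsName -Name "$dc.$ZoneName" -Type A).IPAddress
}
$answer = (Resolve-DnsName -Name $ZoneName -Type A).IPAddress
$leaks  = @($answer | Where-Object { $_ -in $dcAddrs })
if ($leaks.Count -gt 0) {
    Write-Warning ("Apex of $ZoneName still returns DC address(es): " +
        ($leaks -join ', ') + ". Remove those A records from the zone.")
} else {
    Write-Output "Apex of $ZoneName resolves to: $($answer -join ', ')"
}
```

The registry value only stops future registrations; apex A records the DCs already created remain until removed, which is why the final check reports them instead of assuming the restart cleared them.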
 