External query resolves internal IP address

[Ryan Faricy]

So everyone, I've spent hours scouring the net and haven't really come up
with a definitive answer.

I have:
- a static IP from a local ISP
- DSL through local telco, with router
- Two boxes: 1) Win2K box, IP=10.0.0.2, w/ IIS, DNS, AD, and it's a PDC ...
2) is a mail server (Win2003 server), member of domain FARICY.NET, which is
on box 1.

Everything works GREAT. I only have one problem.

I set up DNS on box 1 with primary zone FARICY.NET which is AD integrated
and allows dynamic updates. Router forwards all traffic from 53 to box 1 for
resolution.

FARICY.NET contains all proper information needed to run my web services and
works great. EXCEPT ... AD insists on updating the zone with
(same as parent folder) HOST 10.0.0.2 ............. *in addition* to what I
REALLY want (to be the default at least) is:
(same as parent folder) HOST my.public.ip.address

They are both there, so I have two entries for FARICY.NET...
@ IN A 10.0.0.2
@ IN A my.public.ip.address

Whenever I run an nslookup, it always returns two results:
Non-authoritative answer:
Name: faricy.net
Addresses: my.public.ip.address, 10.0.0.2

Unfortunately, when I try to ping or visit faricy.net via local DNS or after
it propogates to my ISP, etc,, it tries to resolve 10.0.0.2.

Is there ANY way I can stop AD from messing with just this particular
entry?? Or any recommended solution?

I would be very grateful!!! Thank you so much.

 

[Ryan Faricy]

Aha! I might have found something... Will this work??

____________________________________________________________________
This is good especially if you have a Split Horizon environment where the
internal and external domain names are the same and the users need to get to
their external name by http://theirdomain.com but their DC/DNS server
responds and not the actual external website.

This one is done on the netlogon service parameters in the registry. This
will stop netlogon registering the blank FQDN with the internal private IP.

This stops the netlogon service from registering that "Blank Domain FQDN" IP
address. Those IPs are actually called the LdapIPAddress. Then you manually
create a blank FQDN with the IP that you do want, whether a local private IP
or some public IP, any or mutliple IPs, if you want.

If your ISP rotates or changes the website IP, then this will not work.
Usually we can delegate the www zone to the SOA of your external domain, but
this can;t be done with the blank domain record.

===========================================
Disabling the Same As Parent LdapIpAddress blank FQDN
[Taken from http://support.microsoft.com/?id=295328]

You do this by adding a registry entry to the DC(s) and rebooting:
1) Add the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry Value: DnsAvoidRegisterRecords and add the "LdapIpAddress"
Mnemonic.
2) Do this on all DCs and restart netlogon or restart machine.
This will prevent the DC from adding the domain A records from netlogon.
And you can add multiple Blank Domain A records as you need.
====================================

====================================
If you want to create mutliples, you can do it manually as I mentioned
above, or use this method to force the system to do it for you. I would
rather create them manually but here;s the instructions if you feel up to
it....

Now you can also publish the IP you want instead of having to put it in
manually for the blank FQDN. Do this on the DNS service in the registry.
[Taken from http://support.microsoft.com/?id=275554]

Configure the DNS service to publish a specific IP addresses to the DNS
zone.
To do so, make the following registry modification:
PublishAddresses
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Data type: REG_SZ
Range: IP address [IP address]
Default value: blank

This modification specifies the IP addresses that you want to publish for
the computer. The DNS server creates A records only for the addresses in
this list. If this entry does not appear in the registry, or if its value is
blank, the DNS server creates an A record for each of the computer's IP
addresses.

This entry is for computers that have multiple IP addresses, only a subset
of which you want to publish. Typically, this prevents the DNS server from
returning a private network address in response to a query when the computer
has a corporate network address.
____________________________________________________________________

 

[Ryan Faricy]

I found exactly what I needed ...

http://support.microsoft.com/?id=295328

For anyone else who needs it!

 

[Kevin D. Goodknecht Sr. [MVP]]

I found exactly what I needed ...

http://support.microsoft.com/?id=295328

Unfortunately, this is not the intended purpose of this article. Oh it will
stop the registration of the record but you're going to break replication
and Group Policies, using this in your situation.
The zone for the AD domain is for Active Directory communication and should
not be used as a public zone, especially for a web site.
You need to move the Public zone off the Domain controller to a DNS server
that does not resolve internal domains. I'm not saying you should not host
your own zone and preach to you about leaving the public zone with your
registrar. Who you get to host you public zone is your choice, just don't
use the same zone for both public and private resolution. Keep them separate
on different servers.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

[Ryan Faricy]

It's a tiny domain with no need for GP etc... But I just had an idea too...

I keep my AD zones on box 1 (well I have to, it's the PDC), put my public
zones on box 2 (mail server) and route all router traffic on port 53 to the
mail server. That should work fine, the network won't care if there are 2
primary nameservers that aren't mirrored if only one is being referenced
(box 1) by the domain clients, and the other one is public-only.

Yeah ... Windows wouldn't be overwriting my zones with its own stuff to keep
the domain happy... And all domain computers will still function normally,
and I could delete the regkey I added and all will live happily ever
after...

I'd just create a standard primary zone on the DNS server on box 2, route 53
tcp/udp to it and I don't think anything will even blink once I have it set
up correctly.

It's been such a long day, I don't know why I didn't think of this
yesterday. Public shame!! haha.

If you have any further recommendations or input, feel free to let me know.
Any potential security issues with this even with dynupdates off, etc?
Thanks a bunch btw!

 

[Ryan Faricy]

Yep I moved all public DNS over to box 2 and everything is just dandy now.
Thanks again!!

 

[Kevin D. Goodknecht Sr. [MVP]]

It's a tiny domain with no need for GP etc... But I just had an idea
too...

Your deduction that the domain is tiny and has no need for GP is flawed, the
are default group policies in all Active Directory domains, the policies are
accessed in the \\ADDNSDomainName\SYSVOL DFS share, which is why the AD DNS
Domain name must resolve only to Domain Controllers, and only to the IPs on
the DCs that have file sharing enabled. If the AD DNS Domain name resolves
to a web server (that in not a DC) then member clients will search the web
server for group policies; and logon scripts which are located in the
\\ADDNADomainName\NETLOGON DFS share.

I keep my AD zones on box 1 (well I have to, it's the PDC), put my
public zones on box 2 (mail server) and route all router traffic on
port 53 to the mail server. That should work fine, the network won't
care if there are 2 primary nameservers that aren't mirrored if only
one is being referenced (box 1) by the domain clients, and the other
one is public-only.

Yeah ... Windows wouldn't be overwriting my zones with its own stuff
to keep the domain happy... And all domain computers will still
function normally, and I could delete the regkey I added and all will
live happily ever after...

I'd just create a standard primary zone on the DNS server on box 2,
route 53 tcp/udp to it and I don't think anything will even blink
once I have it set up correctly.

If you keep your public zone on a DC, you will have to use standard primary
zones on all, you cannot make the zone ADI on one DC and Standard Primary on
another. This creates another problem by removing the secure updates from
the zone.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

[Ryan Faricy]

box 2 is not a DC...

Your deduction that the domain is tiny and has no need for GP is flawed,
the
are default group policies in all Active Directory domains, the policies
are
accessed in the \\ADDNSDomainName\SYSVOL DFS share, which is why the AD
DNS
Domain name must resolve only to Domain Controllers, and only to the IPs
on
the DCs that have file sharing enabled. If the AD DNS Domain name resolves
to a web server (that in not a DC) then member clients will search the web
server for group policies; and logon scripts which are located in the
\\ADDNADomainName\NETLOGON DFS share.


If you keep your public zone on a DC, you will have to use standard
primary
zones on all, you cannot make the zone ADI on one DC and Standard Primary
on
another. This creates another problem by removing the secure updates from
the zone.