forward lookup - (semi)unique case?

Our internal domain is "abc-xyz.com" - it just so happens we also have an
Internet-registered domain name of the same thing. Our email is hosted
externally, so whenever someone checks their email via Outlook on
mail.abc-xyz.com, it mistakenly looks for the host named "mail" on our
internal network. Only by manually specifying our ISP's DNS server as a
secondary name server ON EACH PC (our internal W2K DNS server is primary) is
it able to then look out onto the Internet for the correct record. I thought
I'd correctly set the server to use forward lookups so that requests for mail
would all hit the W2K server and forward out to the Internet, but it hasn't
worked. What am I missing? Do I need to mess with Reverse Lookups or PTR
too? I also tried setting those records to point directly to the external
mail server's IP, but that failed too. Do I need to restart the DNS service?
Sorry, I'm obviously pretty new to DNS.
 
mikeindo said:
Our internal domain is "abc-xyz.com" - it just so happens we also have an
Internet-registered domain name of the same thing. Our email is hosted
externally, so whenever someone checks their email via Outlook on
mail.abc-xyz.com, it mistakenly looks for the host named "mail" on our
internal network. Only by manually specifying our ISP's DNS server as a
secondary name server ON EACH PC (our internal W2K DNS server is primary) is
it able to then look out onto the Internet for the correct record. I
thought

Do NOT do this. It will give unpredictable results even
if it SEEMS to work (sometimes.)
I'd correctly set the server to use forward lookups so that requests for mail
would all hit the W2K server and forward out to the Internet, but it hasn't
worked. What am I missing? Do I need to mess with Reverse Lookups or PTR
too?
NO.

I also tried setting those records to point directly to the external
mail server's IP, but that failed too. Do I need to restart the DNS
service?

Not for this.
Sorry, I'm obviously pretty new to DNS.

You need to run (almost are running) what is termed a "Shadow DNS"
(aka "Split DNS") where you have separate DNS servers for both the
external view of your DNS names and for the internal view of the
resources.

On the internal version YOU must MANUALLY enter all (useful)
external names.

The external DNS server will ONLY list external resources while
the internal version will list both internal resources AND any external
resources you wish your users to contact.

Your clients MUST specify STRICTLY the internal DNS server (set)
on their NIC properties (and remember, internal servers are internal
DNS clients too!)
 
sorry, again, being new, not sure how to set that up on the server! is there
a link with a tutorial (so you don't have to explain it all - unless you want
to ;)). fyi, there are no resources internally that must be accessed
externally. it's all outbound requests from the inside.
 
mikeindo said:
sorry, again, being new, not sure how to set that up on the server! is there
a link with a tutorial (so you don't have to explain it all - unless you want
to ;)). fyi, there are no resources internally that must be accessed
externally. it's all outbound requests from the inside.

Likely such documentation will suffer from trying to be too
complete or including too many "choices".

Try the simple DNS for AD guide below, whether you have
AD or not, practically everything in it (EXCEPT "dynamic
DNS") applies to internal versus external DNS servers.

If you need the blow by blow or step by step for any particular
task we can help with that too. For instance, the forwarder is
set (on internal DNS servers) by right-clicking the DNS server
in the MMC and choosing -> Properties -> Forwarders tab.

You likely know how to set your clients NIC->IP properties for
DNS or using DHCP (if you already use DHCP). So set all
internal machines to the INTERNAL DNS ONLY.

Let the internal DNS forward to the ISP or firewall/DMZ DNS server OR
have it do the lookup itself (Forwarding to your own Firewall/DMZ
DNS server is likely the best -- if you have or can create one of those.)

DNS for AD (without AD, just ignore the DYNAMIC references):

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
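As an added illustration (not code from this thread), the toy model below shows why the forwarder described above does not help for mail.abc-xyz.com under the split/shadow DNS layout: the internal server is authoritative for abc-xyz.com, so it answers every name in that zone itself (record or NXDOMAIN) and only forwards names outside the zone, which is why the external names must be entered manually. Resolver names and IP addresses are constructed placeholders.

```python
# Toy split/shadow DNS model (added example). An authoritative zone is answered
# locally and never sent to the forwarder; only names outside every local zone
# are forwarded. All zone data and addresses are constructed for the lab.
from typing import Dict, Optional, Tuple


class Resolver:
    def __init__(self, zones: Dict[str, Dict[str, str]],
                 forwarder: Optional["Resolver"] = None) -> None:
        self.zones = {z.lower(): {n.lower(): ip for n, ip in recs.items()}
                      for z, recs in zones.items()}
        self.forwarder = forwarder

    def resolve(self, name: str) -> Tuple[str, Optional[str]]:
        """Return (how_answered, ip); ip is None for NXDOMAIN / no answer."""
        name = name.lower().rstrip(".")
        # Longest-suffix match: is this server authoritative for the name's zone?
        for zone in sorted(self.zones, key=len, reverse=True):
            if name == zone or name.endswith("." + zone):
                # Authoritative answer: the forwarder is NOT consulted here.
                return ("AUTH", self.zones[zone].get(name))
        if self.forwarder is not None:
            return ("FWD", self.forwarder.resolve(name)[1])
        return ("NONE", None)


def build_lab() -> Tuple[Resolver, Resolver]:
    """Constructed lab: ISP holds the public view, W2K server the internal one."""
    isp = Resolver({"abc-xyz.com": {"mail.abc-xyz.com": "203.0.113.25"},
                    "example.net": {"www.example.net": "198.51.100.7"}})
    w2k = Resolver({"abc-xyz.com": {"dc1.abc-xyz.com": "10.0.0.5"}},
                   forwarder=isp)
    return w2k, isp


def lookup_before_fix() -> Tuple[str, Optional[str]]:
    w2k, _ = build_lab()
    return w2k.resolve("mail.abc-xyz.com")   # ("AUTH", None): NXDOMAIN despite forwarder


def lookup_after_fix() -> Tuple[str, Optional[str]]:
    w2k, isp = build_lab()
    # The manual entry the reply calls for: copy the public record into the internal zone.
    w2k.zones["abc-xyz.com"]["mail.abc-xyz.com"] = isp.resolve("mail.abc-xyz.com")[1]
    return w2k.resolve("mail.abc-xyz.com")   # ("AUTH", "203.0.113.25")


def lookup_outside_zone() -> Tuple[str, Optional[str]]:
    w2k, _ = build_lab()
    return w2k.resolve("www.example.net")    # ("FWD", "198.51.100.7"): forwarding works here
```

Running the three lookups shows the failure mode from the first post, the effect of adding the record by hand, and that the forwarder is still doing its job for names outside the internal zone.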
 
If you need the blow by blow or step by step for any particular task we
can help with that too.

unfortunately, we are rapidly approaching that point!
For instance, the forwarder is set (on internal DNS servers) by right-clicking the DNS server in the MMC and choosing -> Properties -> Forwarders tab.

we'd already had that one set up, but thanks.
So set all internal machines to the INTERNAL DNS ONLY.
check

Let the internal DNS forward to the ISP or firewall/DMZ DNS server OR
have it do the lookup itself (Forwarding to your own Firewall/DMZ
DNS server is likely the best -- if you have or can create one of those.)

is this referring to the first thing above? if so, yes, the forwarder is
set to our ISP's DNS servers. our firewall appliance has a setting to
specify DNS (primary set to our internal W2K and secondary to ISP's), but
that shouldn't play a part, should it?
3) DCs and even DNS servers are DNS clients too
check

4) If you have more than one Domain,

only one domain
netdiag /fix... dcdiag /fix

did both. didn't work. even flushed client DNS
nltest /dsregdns /server:DC-ServerNameGoesHere

apparently the /dsregdns option doesn't exist on W2K...
Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

it's the only internal DNS server
Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

only test failed was SERVICES: "RPCLOCATOR not running"

is it possible that any or all of these steps require refreshing of
different things from both the server and client side? been trying to do
that, but may have missed somewhere...

thanks again for your help! looking around Google, it seems that all
resolutions come back to your posts, wherever they might be located!
 