Same internal and external domain name, split-brain configuration


Joseph

We have a split-brain DNS configuration. I'm looking for a way to have
http://www.mycompany.com and http://mycompany.com properly display our
website on internal clients when using the same domain name for AD as our
corporate site. Our corporate web site is hosted externally. Everything is
set up properly for www.mycompany.com to work, but I still haven't been able
to find a way for http://mycompany.com to work internally.

I've read quite a bit and have tried several configurations in a lab, but
haven't seen anything 100% clear as to how to accomplish this. Outside of
AD DNS I would just add a (same as parent folder) entry for the root of the
domain that points to the external IP, but I'm concerned this could affect
AD operations since every domain controller has the same type of entry (we
have DNS on all domain controllers). I've read up on SRV records, but
haven't seen anything that clearly addresses this issue. In a lab, when
adding a blank (same as parent folder) "A" record that points to the
external address it seems to work, but intermittently and there is a delay
on resolution when it does work. The SRV record approach has not worked at
all up to this point.

Has anyone seen a documented solution or have a configuration that is
currently working in their environment?

Thanks,

Joseph
 
There have been several discussions about this issue in this NG. I think
there was one recently (a week or 2 ago). Search the archive and you will
find the "solution". Or, wait for one of the other guys to wake up and point
it out for you :)

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
The lazy admin answer (which is also mine, <cough>) is just to tell people
to use www. It's three identical letters. Not hard to remember, not hard to
type. Heck, I think most people assume www is an absolute requirement for
navigating to web sites anyway ;-)

However, I'm also curious, so I'll watch this thread for more info.
 
"Lanwench [MVP - Exchange]" said:
The lazy admin answer (which is also mine, <cough>) is just to tell people
to use www. It's three identical letters. Not hard to remember, not hard to
type. Heck, I think most people assume www is an absolute requirement for
navigating to web sites anyway ;-)


And with Internet Explorer, you just type MYCOMPANY and hit Ctrl-Enter
anyway.

Ctrl-Enter adds the http://www. (and the) .com
 
The method I have recommended is this: since this requires a blank host
record, and since domain controllers will create a blank host for each IP on
them, install IIS on the DCs and use website redirection to redirect to
http://www.mydomain.com on the Home Directory tab.
The blank host is required and must point to the DCs for group policies to
be applied; group policies are in the SYSVOL share
(\\domain.com\SYSVOL\domain.com\policies). If you change the blank host to
point to a web server, then members will look to the web server for the
SYSVOL share.
 
Here's one of my many previous posts with a how-to on this subject. But I do
recommend NOT using the same name (Split Horizon) internally and externally
due to the administrative overhead. I especially want to point out what Kevin
mentioned about the SYSVOL connection that GPOs use. Keep in mind, the
LdapIpAddress reg alteration must be done on ALL your DCs.

=======================================

This is good especially if you have a Split Horizon environment where the
internal and external domain names are the same and the users need to get to
their external name by http://theirdomain.com but their DC/DNS server
responds and not the actual external website.

This one is done on the netlogon service parameters in the registry. This
will stop netlogon registering the blank FQDN with the internal private IP.

This stops the netlogon service from registering that "Blank Domain FQDN" IP
address. Those IPs are actually called the LdapIpAddress. Then you manually
create a blank FQDN with the IP that you do want, whether a local private IP
or some public IP, any or multiple IPs, if you want.

If your ISP rotates or changes the website IP, then this will not work.
Usually we can delegate the www zone to the SOA of your external domain, but
this can't be done with the blank domain record.


===========================================
Disabling the Same As Parent LdapIpAddress blank FQDN
[Taken from http://support.microsoft.com/?id=295328]

You do this by adding a registry entry to the DC(s) and rebooting:
1) Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
   add the registry value DnsAvoidRegisterRecords and give it the
   "LdapIpAddress" mnemonic.
2) Do this on all DCs and restart netlogon or restart the machine.
This will prevent the DC from adding the domain A records from netlogon,
and you can add multiple Blank Domain A records as you need.
====================================

====================================
If you want to create multiples, you can do it manually as I mentioned
above, or use this method to force the system to do it for you. I would
rather create them manually, but here's the instructions if you feel up to
it....


Now you can also publish the IP you want instead of having to put it in
manually for the blank FQDN. Do this on the DNS service in the registry.
[Taken from http://support.microsoft.com/?id=275554]

Configure the DNS service to publish specific IP addresses to the DNS
zone.
To do so, make the following registry modification:
Value name: PublishAddresses
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Data type: REG_SZ
Range: IP address [IP address]
Default value: blank

This modification specifies the IP addresses that you want to publish for
the computer. The DNS server creates A records only for the addresses in
this list. If this entry does not appear in the registry, or if its value is
blank, the DNS server creates an A record for each of the computer's IP
addresses.

This entry is for computers that have multiple IP addresses, only a subset
of which you want to publish. Typically, this prevents the DNS server from
returning a private network address in response to a query when the computer
has a corporate network address.
====================================

See These Links for more info on it (the first one, IMO, is the best on this
subject):
Problems with Many DCs and Integrated DNS Zones [Q267855]
http://support.microsoft.com/?id=267855
Private Network Interfaces on a DC Are Registered in DNS [Q295328]
http://support.microsoft.com/?id=295328
Optimizing the Location of DC/GC That's Outside of Client's Site [Q306602]
http://support.microsoft.com/?id=306602


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
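Ace's two registry changes and the manual apex record, followed by a check for Kevin's SYSVOL caveat, as an added PowerShell example that is not from the thread or from Microsoft's articles. It assumes the DnsServer cmdlets of Windows Server 2012 or later; the zone name, external web IP and DC IP are constructed values.

```powershell
# Added example, not from the thread: apply the two registry changes Ace
# quotes from KB 295328 and KB 275554 on the local DC, replace the apex
# ("same as parent folder") A record, and verify. Run elevated on every DC.
# Assumptions (constructed, not from the thread): zone 'mycompany.com',
# external web IP 203.0.113.10, this DC's IP 10.0.0.10, and the DnsServer
# cmdlets of Windows Server 2012 or later.
$Zone  = 'mycompany.com'
$WebIp = '203.0.113.10'   # constructed: the externally hosted website
$DcIp  = '10.0.0.10'      # constructed: the only address this DC should publish

# 1) Netlogon: stop registering the blank-FQDN (LdapIpAddress) record.
#    DnsAvoidRegisterRecords is REG_MULTI_SZ; 'LdapIpAddress' is the mnemonic.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $netlogon -Name DnsAvoidRegisterRecords `
    -PropertyType MultiString -Value @('LdapIpAddress') -Force | Out-Null

# 2) DNS service: publish only $DcIp for this host (REG_SZ, space-separated IPs).
$dnsSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
New-ItemProperty -Path $dnsSvc -Name PublishAddresses `
    -PropertyType String -Value $DcIp -Force | Out-Null

Restart-Service -Name Netlogon
Restart-Service -Name DNS

# 3) Drop apex A records that still point at DC addresses, then add the web IP.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $WebIp } |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $WebIp
}

# 4) Verify the apex now answers with the web IP...
Clear-DnsClientCache
$answers = (Resolve-DnsName -Name $Zone -Type A -Server 127.0.0.1).IPAddress
"$Zone -> $($answers -join ', ')"

# ...and surface Kevin's caveat: clients fetch GPOs from \\<domain>\SYSVOL, so an
# apex that no longer points at a DC breaks Group Policy processing.
if (-not (Test-Path -Path "\\$Zone\SYSVOL")) {
    Write-Warning "\\$Zone\SYSVOL is unreachable with the apex at $WebIp; Group Policy will fail."
}
```

The warning in step 4 is the expected outcome when the apex points only at the external web IP; Kevin's IIS redirect on the DCs is the alternative that keeps SYSVOL reachable.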
 
Ayuh. ;-)

 
Very clever, Kevin!!!

Thanks,

Joseph

 