Split Brain DNS setup

Thread starter: Adam Marx

Adam Marx

I have 2 DNS servers running, my first is "DNS1.Hostname.com" and is public
containing my WWW, FTP, etc. My second DNS server "Local.Hostname.com" it is
a domain controller and is a fresh install.

I'm not sure what records I need to enter in the "Local.hostname.com" DNS.
From what I've read I need to enter a copy of my "Hostname.com" zone but I'm
not sure why and what records would I then need to add after that, WWW, FTP,
etc.? would they point to my DNS1.Hostname.com DNS server or to the
internet?

Thanks for any help you can give.

AJM,
 
In
Adam Marx said:
I have 2 DNS servers running, my first is "DNS1.Hostname.com" and is
public containing my WWW, FTP, etc. My second DNS server
"Local.Hostname.com" it is a domain controller and is a fresh install.

I'm not sure what records I need to enter in the "Local.hostname.com"
DNS. From what I've read I need to enter a copy of my "Hostname.com"
zone but I'm not sure why and what records would I then need to add
after that, WWW, FTP, etc.? would they point to my DNS1.Hostname.com
DNS server or to the internet?

Thanks for any help you can give.

AJM,


That's all you really need, www and ftp. If mail is hosted externally, then
you need a mail record, whatever your mail server name is. If mail is hosted
internally, then no mail record is needed.

More info
Split zone or split horizon
http://www.winnetmag.com/Windows/Article/ArticleID/39771/39771.html
http://www.microsoft.com/serviceproviders/whitepapers/split_dns.asp
http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html#SeparateContentServers


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
So, the WWW and FTP record should point to the internal IP to prevent a loop
back issue correct? What about any other zones that are hosted by the
external DNS server should they also be recreated in the Local DNS server
and like wise pointing to the internal IP of the DNS server?

Thanks,


"Ace Fekay [MVP]"
 
In
Adam Marx said:
So, the WWW and FTP record should point to the internal IP to prevent
a loop
back issue correct?

Not a "loop back issue" but rather the fact that a NAT device will not port
remap a request from the internal interface to the external interface and
back again internally. More like a port remap loop issue.
What about any other zones that are hosted by the
external DNS server should they also be recreated in the Local DNS
server
and like wise pointing to the internal IP of the DNS server?

Yes, if you have any others, they should be stipulated as well.


--
Regards,
Ace
 
Ace,

Is there a way to replicate the External DNS to the
Internal DNS without manually keying all the information
again?

Thanks.

AJM,
 
In
Adam Marx said:
Ace,

Is there a way to replicate the External DNS to the
Internal DNS without manually keying all the information
again?

Thanks.

AJM,

From your external DNS? Not feasible, because the external zone is a Primary
and the internal is a Primary (even if AD Integrated, it's acting as a
"Primary"). If you make the internal a Secondary zone, then you would need
the external to allow updates, and then 2 things happen: 1. you will now be
exposing your whole internal structure to the outside world, and 2. the data
from the internal network are your private IPs, and you cannot mix private
and public IPs on the outside.

It's not really that hard to make a couple of entries internally with the
private IPs.



--
Regards,
Ace
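As an added illustration (not code from the thread), the rule Ace states, "you cannot mix private and public IPs on the outside", can be checked mechanically against the two copies of a zone. The sample zone contents below are constructed for webajm.com and use the 203.0.113.0/24 documentation range in place of a real public address:

```python
"""Audit a split-horizon zone pair for the "don't mix private and public IPs" rule.

Constructed sample data for webajm.com, not records from the thread.
"""
import ipaddress

# RFC 1918 ranges: what the thread calls "private IPs" behind the NAT router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: the public-facing DNS1 box's copy of webajm.com.
# 203.0.113.x is a documentation range standing in for the real public address.
EXTERNAL_ZONE = {
    "webajm.com.": "203.0.113.10",
    "www.webajm.com.": "203.0.113.10",
    "ftp.webajm.com.": "203.0.113.10",
    "mail.webajm.com.": "203.0.113.20",
    "intranet.webajm.com.": "192.168.1.50",   # leak: private address published outside
}

# Constructed: the internal DC's copy of webajm.com as the thread describes it.
INTERNAL_ZONE = {
    "webajm.com.": "192.168.1.100",          # LdapIpAddress registered by netlogon
    "www.webajm.com.": "203.0.113.10",       # public IP inside: NAT will not remap it back in
    "local.webajm.com.": "192.168.1.100",
}


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_split_zones(external: dict, internal: dict) -> dict:
    """Return the three findings the thread warns about, each as a sorted list of names.

    private_in_external: internal structure/addresses exposed to the outside world.
    public_in_internal:  a name inside clients would reach via the NAT's outside
                         interface, which the router will not port-remap back in.
    missing_internally:  names the external zone serves that were never keyed into
                         the internal copy; the internal server is authoritative, so
                         clients get NXDOMAIN for them instead of a forwarded answer.
    """
    findings = {"private_in_external": [], "public_in_internal": [], "missing_internally": []}
    for name, ip in external.items():
        if is_rfc1918(ip):
            findings["private_in_external"].append(name)
        if name not in internal:
            findings["missing_internally"].append(name)
    for name, ip in internal.items():
        if not is_rfc1918(ip):
            findings["public_in_internal"].append(name)
    return {kind: sorted(names) for kind, names in findings.items()}


if __name__ == "__main__":
    for kind, names in audit_split_zones(EXTERNAL_ZONE, INTERNAL_ZONE).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```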
 
I kind of thought it would be self defeating to have the
records automatically update because you have to change
the IP's from public to private.

I'm having a setup problem with this Internal DNS server,
I created the new zone on the internal DNS server the same
as my zone on my external DNS and it now points to my
internal DNS servers private IP instead of my public IP.
Now when I go to pull the site except from the external
DNS server all I get is a DNS error where the site can't
be found so I'm pretty sure I set this up wrong?

When I nslookup the domain name on my internal DNS server
it resolves to the private IP of the DNS server, shouldn't
it resolve to the public IP or at least the IP of the
external DNS server?

My AD name is the same as my external zone that I added so
I assume the FQDN of my internal DNS is
Local.domainname.com.

???????
 
In
Adam Marx said:
I kind of thought it would be self defeating to have the
records automatically update because you have to change
the IP's from public to private.

I'm having a setup problem with this Internal DNS server,
I created the new zone on the internal DNS server the same
as my zone on my external DNS and it now points to my
internal DNS servers private IP instead of my public IP.
Now when I go to pull the site except from the external
DNS server all I get is a DNS error where the site can't
be found so I'm pretty sure I set this up wrong?

When I nslookup the domain name on my internal DNS server
it resolves to the private IP of the DNS server, shouldn't
it resolve to the public IP or at least the IP of the
external DNS server?

My AD name is the same as my external zone that I added so
I assume the FQDN of my internal DNS is
Local.domainname.com.

???????
Like I said, you need 2 separate physical servers to do what you're doing.
And if they are the same zone name inside and out, you can't create two
zones of the same name on the one machine, as it appears you were trying to
do, unless I'm misunderstanding what you're trying to accomplish. The
internal zone on the internal DNS is for AD. You can't mix priv and public
data.


--
Regards,
Ace
 
I am running 2 separate DNS servers, so I must not be
explaining myself clearly.

I have 2 boxes, one external, one internal. The external
houses all my public IPs and is working fine. The FQDN of
the box is "DNS1.Domainname.com.".

My Internal server at the moment only has 1 zone,
webajm.com, and that zone is also a zone on my external
DNS. The FQDN of the internal DNS server
is "Local.webajm.com." and it is a DC and is running AD. I
have 2 clients attached to this server which cannot
resolve webajm.com?

I hope I made it a little clearer?

Thanks,
 
In
Adam Marx said:
I am running 2 separate DNS servers, so I must not be
explaining myself clearly.

I have 2 boxes, one external, one internal. The external
houses all my public IPs and is working fine. The FQDN of
the box is "DNS1.Domainname.com.".

My Internal server at the moment only has 1 zone,
webajm.com, and that zone is also a zone on my external
DNS. The FQDN of the internal DNS server
is "Local.webajm.com." and it is a DC and is running AD. I
have 2 clients attached to this server which cannot
resolve webajm.com?

I hope I made it a little clearer?

I think so. So your AD zone name is called webajm.com. Correct?
Your external zone also has webajm.com, correct?
From the outside world, and assuming you're talking about http connectivity,
you can connect to http://webajm.com and display your web, correct?
From the inside however, you cannot connect to http://webajm.com and you
wind up getting the DC's default website, correct?

Well, if this is the case, that will be somewhat difficult because that
record is called the LdapIpAddress. It's registered by the DC's netlogon
service and is used by a few things, namely GPO application:
\\webajm.com\sysvol\webajm.com\policies\{LongGuidPolicyNumber..etc}
and DFS:
\\webajm.com\corporateDFSroot

You can overcome this with a registry setting to kill the LdapIpAddress, and
you can manually create or publish the IP you want, but it will affect
domain communication.

That's up to you. I can post you the registry steps to kill this, but I would
not recommend this. It's one of the drawbacks of designing AD using the same
name internally and externally.



--
Regards,
Ace
 
In
Adam Marx said:
I am running 2 separate DNS servers, so I must not be
explaining myself clearly.

I have 2 boxes, one external, one internal. The external
houses all my public IPs and is working fine. The FQDN of
the box is "DNS1.Domainname.com.".

My Internal server at the moment only has 1 zone,
webajm.com, and that zone is also a zone on my external
DNS. The FQDN of the internal DNS server
is "Local.webajm.com." and it is a DC and is running AD. I
have 2 clients attached to this server which cannot
resolve webajm.com?

I hope I made it a little clearer?

If any of the sites from the public DNS server are hosted locally, you would
need those sites on your internal DNS server, and they will need to resolve
to the IP of the server they are on.

e.g. the external DNS has a zone for domain.com, and all the records have
public IPs so people on the internet can access these sites.
However, if any of the domain.com sites are hosted locally behind your router, you
would have to use the private IP from behind your router. The way I would
handle the situation is that, say you only host www.domain.com locally and
all the others are hosted elsewhere, on your internal DNS create a zone
named www.domain.com and create a new host leaving the name field blank, and
give it the local IP of your webserver hosting the site. (Click OK to create
the record anyway when it barks at you saying it's not a valid host name.)
Doing it this way you only have to create the local records; all the others
are forwarded to your external DNS to be given public IPs.
 
So your AD zone name is called webajm.com. Correct? Yes.
From the outside world, and assuming you're talking about http connectivity,
you can connect to http://webajm.com and display your web, correct? Yes.
From the inside however, you cannot connect to http://webajm.com and you
wind up getting the DC's default website, correct? Yes, I get a DNS error
but it could be that I've stopped the internal website?
You can overcome this with a registry setting to kill the LdapIpAddress and
you can manually create or publish the IP you want, but it will effect
domain communication.

Do you think I really should modify the registry to get this to work?

My interpretation of how Internal/External DNS was to work is that the
External DNS was to hold all the public IPs visible from the web and no
private IPs should be listed. My Internal DNS is in charge of the internal
function of the domain and wasn't supposed to hold any public IPs, only
private IPs. My clients should all point to the internal DNS, and any DNS
requests it couldn't resolve it would forward on to the External DNS for
resolution.

My External DNS is behind a router and is on 192.168.2.99; it holds the
public IPs of webajm.com and is not a DC or running AD; it also has a second
NIC, 192.168.1.99. My internal DNS is on 192.168.1.100 and currently I've
demoted it from AD and DC. It currently holds the zone webajm.com and the
server is named "Local". I added an A record in the zone webajm.com that
pointed to the external DNS server "192.168.1.99" and I added an A record
for the WWW.

So, I thought I should be able to resolve webajm.com and www.webajm.com
after adding the records and it does resolve to the IP's I gave it (private
IP's) but it won't open the site? I changed both records to reflect the
public IP's for webajm.com on the Internal DNS and the site came right up.

Shouldn't the Internal DNS server be forwarding on the request instead of
resolving it?


Kevin,

"If any of the sites from the public DNS server are hosted locally you would
need those sites on your internal DNS server, and they will need to resolve
to the IP of the server they are on."

Are you referring to running my webserver on a box other than the external
DNS? If so, then they are both on the same box, DNS and Webserver that is.

"Doing it this way you only have to create the local records all the others
are forwarded to your external DNS to be given Public IPs."

I think it might be the forwarding piece that's not working; it appears to
be resolving the domain webajm.com to 192.168.1.99 instead of to the public
IP?

AJM,


"Ace Fekay [MVP]"
 
In
Adam Marx said:
but it could be that I've stopped the internal website?


Do you think I really should modify the registry to get this to work?

My interpretation of how Internal/External DNS was to work is
that the External DNS was to hold all the public IPs visible from
the web and no private IPs should be listed. My Internal DNS is in
charge of the internal function of the domain and wasn't supposed to
hold any public IPs, only private IPs. My clients should all point
to the internal DNS, and any DNS requests it couldn't resolve it would
forward on to the External DNS for resolution.

My External DNS is behind a router and is on 192.168.2.99; it holds the
public IPs of webajm.com and is not a DC or running AD; it also has a
second NIC, 192.168.1.99. My internal DNS is on 192.168.1.100 and
currently I've demoted it from AD and DC. It currently holds the zone
webajm.com and the server is named "Local". I added an A record in
the zone webajm.com that pointed to the external DNS server
"192.168.1.99" and I added an A record for the WWW.

So, I thought I should be able to resolve webajm.com and
www.webajm.com after adding the records and it does resolve to the
IP's I gave it (private IP's) but it won't open the site? I changed
both records to reflect the public IP's for webajm.com on the
Internal DNS and the site came right up.

Shouldn't the Internal DNS server be forwarding on the request
instead of resolving it?


Kevin,

"If any of the sites from the public DNS server are hosted locally
you would need those sites on your internal DNS server, and they will
need to resolve to the IP of the server they are on."

Are you referring to running my webserver on a box other than the
external DNS? If so, then they are both on the same box, DNS and
Webserver that is.

"Doing it this way you only have to create the local records all the
others are forwarded to your external DNS to be given Public IPs."

I think it might be the forwarding piece that's not working; it
appears to be resolving the domain webajm.com to 192.168.1.99 instead
of to the public IP?

AJM,


Now we have a better and more accurate picture of your configuration, we can
suggest a resolution. I should have asked for a more accurate description in
the beginning.

No, you do not want to make those registry changes. It's not recommended
since it alters necessary domain communication and functionality. The best
thing is to live with just connecting with the www record, unless you can
change the AD DNS domain name.

On the internal DNS, if you stick with your current same name design, then
you have to manually create whatever records your internal users need to get
to on the "external" website. If the website's IP is Forwarding does NOT
work in this scenario. Why? Because forwarding will forward whatever names
it is NOT aware of. Since the internal DNS holds that name, then it believes
it has all the answers for that name. If it doesn't have the answer you
want, then it will not forward it, since it believes it is authoritative for
the zone.

Since you say that 192.168.2.99 is running your 'external' DNS and your
website, then create the www record on your 'internal' DNS with that IP
address. Not suggested to alter the LdapIpAddress (as I explained earlier)
to this address, or else GPOs will ask that server for its group policies,
but it does not have them, your DCs do.



--
Regards,
Ace
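The forwarding rule Ace describes (a server that holds a zone answers names under it from its own data, or with NXDOMAIN, and never forwards them; only names outside its zones go to the forwarder) is easy to get wrong, so here is an added model of it, written for this page rather than taken from the thread or from Windows DNS. The server chain, record data and the 203.0.113.x / 198.51.100.x documentation addresses are all constructed:

```python
"""Model of the forwarding rule Ace describes: a name under a zone the server holds
is answered from that zone (or NXDOMAIN) and is never forwarded; anything else goes
to the forwarder. Constructed example, not Windows DNS code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NXDOMAIN = "NXDOMAIN"


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


@dataclass
class DnsServer:
    label: str
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)  # zone -> {fqdn: ip}
    forwarder: Optional["DnsServer"] = None

    def authoritative_zone(self, name: str) -> Optional[str]:
        # Longest-suffix match: the server "owns" the name if any held zone contains it.
        held = [z for z in self.zones if in_zone(name, z)]
        return max(held, key=len) if held else None

    def resolve(self, name: str, trace: Optional[List[str]] = None) -> Tuple[str, List[str]]:
        """Return (answer, list of servers consulted in order)."""
        trace = [] if trace is None else trace
        trace.append(self.label)
        zone = self.authoritative_zone(name)
        if zone is not None:
            # Authoritative: answer from local data only. A missing record is NXDOMAIN,
            # even though the forwarder could have answered it.
            return self.zones[zone].get(name, NXDOMAIN), trace
        if self.forwarder is None:
            return NXDOMAIN, trace
        return self.forwarder.resolve(name, trace)


def build_lab(internal_www: Optional[str] = None) -> DnsServer:
    """Internal DC (192.168.1.100) -> external DNS1 (192.168.1.99) -> ISP; constructed data.

    Pass the private address of the web server to add the manually keyed www record.
    """
    isp = DnsServer("isp", {"example.org": {"www.example.org": "198.51.100.7"}})
    external = DnsServer("external", {"webajm.com": {
        "webajm.com": "203.0.113.10", "www.webajm.com": "203.0.113.10"}}, isp)
    internal_zone = {"webajm.com": "192.168.1.100"}     # LdapIpAddress from netlogon
    if internal_www:
        internal_zone["www.webajm.com"] = internal_www    # the record Ace says to create
    return DnsServer("internal", {"webajm.com": internal_zone}, external)


if __name__ == "__main__":
    print(build_lab().resolve("www.webajm.com"))                # NXDOMAIN, never forwarded
    print(build_lab("192.168.2.99").resolve("www.webajm.com"))  # answered locally
    print(build_lab().resolve("www.example.org"))               # forwarded via DNS1 to the ISP
```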
 
Sorry, I wasn't being very clear before.
The best thing is to live with just connecting with the www record, unless you can
change the AD DNS domain name.

My mail client expects me to log in using my domain name or
"(e-mail address removed)" so by only having a www record I think that's going to
cause some issues? However it is a possibility for me to change the Internal
DNS name does it matter what I change it to, I mean does it have to be a
registered domain?

"...Why? Because forwarding will forward whatever names it is NOT aware of."

I think you hit it on the head; the internal believes it is authoritative for
the domain webajm.com and therefore has no need to forward it on to the
external DNS.
Since you say that 192.168.2.99 is running your 'external' DNS and your
website, then create the www record on your 'internal' DNS with that IP
address.

So, essentially the internal DNS would forward it on to the external DNS
and hence resolve the name?




"Ace Fekay [MVP]"
 
In
Adam Marx said:
Sorry, I wasn't being very clear before.


My mail client expects me to log in using my domain name or
"(e-mail address removed)" so by only having a www record I think that's going
to cause some issues? However it is a possibility for me to change
the Internal DNS name does it matter what I change it to, I mean does
it have to be a registered domain?

Sorry, I'm not sure what you mean here. What sort of mail client are you
using? How is the mail client connecting? MAPI, IMAP4, OWA, or POP3 client?

Or maybe you're talking about the UPN?
"...Why? Because forwarding will forward whatever names it is NOT
aware of."

I think you hit it on the head; the internal believes it is
authoritative for the domain webajm.com and therefore has no need to
forward it on to the external DNS.

Well, you can still forward to it and from the 'external' machine forward to
the ISP. It will still resolve everything else.
So, essentially the internal DNS would forward it on to the external
DNs and hence resolve the name?

No. When you create the www record under the webajm.com zone on the
'internal' DNS, it will resolve it directly.

--
Regards,
Ace
 
Sorry, I'm not sure what you mean here. What sort of mail client are you
using? How is the mail client connecting? MAPI, IMAP4, OWA, or POP3 client?

I use Outlook Express and POP3, when logging in to retrieve my mail I must
use "(e-mail address removed)" so that record webajm.com needs to resolve to my
external IP.
No. When you create the www record under the webajm.com zone on the
'internal' DNS, it will resolve it directly.

So, when entering the record www, what address will it have? My public IP or
my External DNS IP (192.168.1.99)?
However it is a possibility for me to change the Internal DNS name does it
matter what I change it to, I mean does it have to be a registered domain?

What do you think about this?

AJM,



"Ace Fekay [MVP]"
 
In
Adam Marx said:
using? How is the mail client connecting? MAPI, IMAP4, OWA, or POP3
client?

I use Outlook Express and POP3, when logging in to retrieve my mail I
must use "(e-mail address removed)" so that record webajm.com needs to resolve
to my external IP.


Can't you just use the username without the @webajm.com?

Unfortunately that will cause problems with AD if you change that
internally. But yes, it can be changed. First you need to disable LdapIpAddress
registration, then manually create the record with the IP you want. I can
provide the registry info to alter this if you like.
'internal' DNS, it will resolve it directly.

So, when entering the record www what address will it have? my public
IP or my External DNS IP (192.168.1.99)?

Set it to your web server's private IP address.
matter what I change it to, I mean does it have to be a registered
domain?

No, any name will be fine. You can change it to webajm.internal,
webajm.corp, webajm.net. It doesn't have to be, and it's recommended that
it's not a registered name so no conflicts arise, as you've seen.
What do you think about this?

It will work.
AJM,



"Ace Fekay [MVP]"



--
Regards,
Ace
 