
Internal/External DNS question


summoner (Technical User)
Sep 28, 2002
We are planning a new Windows 2000 domain and would like to use "xyz.com" for our domain server address. A small problem is our company website, also "xyz.com". We'd like office users to access the website (outside hosted), but when the domain controller and DNS server are installed, it will direct our users internally, not externally, to our website. Is there any way to make this work?
 
Summoner,
This setup can cause some headaches and it is recommended that you don't set up that way. There is a workaround for those of us, myself included, who find this out the hard way. You can always add a host record to your DNS that has your website's IP for the address. Though this will work, I still recommend choosing a different naming convention if possible.
 
Just the externally hosted web site is not the only problem! DO NOT use "anything.com" for your internal domain --> use "anything.local" and save yourself from DNS, DHCP, AD, printer, and other inexplicable errors that cause Win2k Admins to wake up screaming in the night.

Or go ahead and do it, but first contribute to Tek-Tips and maybe install a dedicated connection to this server...you will be here often and for a long time searching past threads in the forums...

Alex
 
Thanks for the responses so far. Alex, I'm curious as to what type of problems you may have encountered using a .com ending. It seems that all the MCSE courses and MS literature stress the .com endings for all domains, whether internal or external. Could you please elaborate? We are halfway through building our new domain. Better to change things now than on a production server.
 
I have run into:

Web server - the standard issue you know of...who is

DNS - Who will be the authoritative DNS server for mydomain.com... my AD server or the ISP name server?

DNS - Subdomain of WHOSE authoritative domain?

DHCP - My internal clients are registering their DNS names with which server?

AD/Printers - I get my printers to register in the Directory, but I also have whose?

Let me give an example (this was just when 2k arrived:)

I set up a company "our.example.com"; they have an ISDN router that I set up beforehand and it's working great. Everyone knows you must have the server connected to a hub (at least) or the install fails (because the network card isn't enabled). The first AD server installs fine, no errors, DNS is there and running... it's not even thinking it's a root server, so I add the forwarder and get started on some others which are easy. Clients drop in no sweat as they are DHCP from the AD machine. Beautiful day, only about 6 hours on the servers and the clients are no sweat. Couple more days and the network is done! Someone calls... there is a problem. I drive over... and there are 1000+ clients in the DHCP, more printers than you have ever seen, and DNS records for most of the western world. Now the server complains about the domain being not found, no authoritative DNS, and being a pain in my bum.

I reinstall as our.company.local, and there are all these questions I never saw on the first install about authoritative DNS, active DHCP scope; this time it thinks it's a root server. Why didn't this happen before?

The first time, the AD server never gave any DNS messages because it bounced out to "example.com" and joined their domain, became a slave to their DNS including caching, and started participating in serving our clients with their DHCP scope. Any DNS info we had went upstream in the dynamic DNS updates. "Example.com" got this stuff appearing and secured their firewall, and my install became a child domain without a parent, worked for a while, then stopped and screamed!

I have seen something not as bad when the AD DNS server becomes a child of the ISP (because the ISP is authoritative for the domain name before the server is installed).

The reasons all the books talk of .com is they expect you are starting the whole company from scratch, will host everything yourself, never need any security from the outside world, have unlimited hardware resources...

Use the .local for your private-internal network!
 
Hey guys...
I just set up AD last weekend and made the same mistake of using my domain name, and I'm going to correct it, but when you say you have to reinstall, is that a full server reinstall???
Thanks
 
DCPROMO twice should do it. Once to demote, once to promote. Good luck all.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us


 
"Use the .local for your private-internal network!"

Alex (or anyone else who can comment),

I am setting up a small office LAN for ~20 computers. DNS server is configured properly with port 53 opened on the router. I followed Alex's advice and installed Active Directory using mycompany.local, and on the DNS server I have mycompany.com as well as mycompany.local as zones. Running checkdns.net on my domain, I get this -

NS list mismatch: registration authority reports that domain is hosted on following servers: 'ns1.mycompany.com', but DNS server ns1.mycompany.com reports domain to be hosted on 'svr1.mycompany.local; ns1.mycompany.com'. Please make sure that you configure the same DNS servers in registrar database and on your DNS server.

Any ideas?
 
You can use .local, and/or what I have had running for years now:

Basically, add an extension to your domain name to specify your internal domain, i.e.

my domain website is xyz.com; my AD internal is boston.xyz.com.

Keep the two DNSes separate... the DNS server that handles xyz.com never communicates with my internal DNS server. They should never, because you would be leaking info about your internal network to your outside server and then exposing it to the Internet.

If you host yourself, put the external DNS in the DMZ and don't open port 53 to the internal net....

Install the external Microsoft or BIND DNS as a basic primary, with all externally available IPs and names.

Install the 2K DNS as Active Directory integrated, zone name same as the domain (boston.xyz.com), configure it for forwarders (usually your ISP has 2 available), and that should be it. You will, however, need to manually enter all external website or available IPs from the external DNS into the internal one, but that's easy and shouldn't change much.
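The script below is an added example written for this thread, not code from any poster. It takes the layout described in the post above together with two earlier points in the thread (the host-record workaround for the outside-hosted website, and the checkdns.net "NS list mismatch" report) and checks them offline: it parses a public mycompany.com zone and the internal copy kept on the AD DNS server, compares the public apex NS set with the registrar's delegation and flags .local names in it, reports RFC 1918 addresses that have leaked into the public zone, and lists the public records the internal copy still lacks. The zone text, host names, addresses and the registrar list are constructed; the private-suffix list and the minimal zone-file parser are my assumptions.

```python
"""Split-horizon DNS sanity checks (added example; all zone data below is constructed)."""
import ipaddress

# Assumption: these suffixes are private namespaces that must never appear in a public delegation.
PRIVATE_SUFFIXES = (".local.", ".internal.", ".lan.", ".corp.", ".home.")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed public zone as served by the DMZ / registrar-listed name server.
PUBLIC_ZONE = """
$ORIGIN mycompany.com.
@     IN SOA ns1.mycompany.com. hostmaster.mycompany.com. 2002092801 3600 900 604800 86400
@     IN NS  ns1.mycompany.com.
@     IN NS  svr1.mycompany.local.   ; the AD DNS server crept into the public NS set
ns1   IN A   203.0.113.2
www   IN A   203.0.113.10
@     IN MX  10 mail.mycompany.com.
mail  IN A   203.0.113.20
svr1  IN A   192.168.1.5             ; internal address leaked into the public zone
"""

# Constructed copy of the same zone on the internal AD-integrated DNS server.
INTERNAL_COPY = """
$ORIGIN mycompany.com.
@     IN SOA svr1.mycompany.local. hostmaster.mycompany.com. 1 3600 900 604800 86400
@     IN NS  svr1.mycompany.local.
www   IN A   192.168.50.10           ; DMZ web server by its pre-NAT address
"""

REGISTRAR_NS = ["ns1.mycompany.com"]   # what the registrar database says the delegation is

def absolute(name, origin):
    """Turn a zone-file owner or target into a lowercase absolute name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Minimal parser for 'owner [ttl] [IN] type rdata' lines -> list of (owner, type, rdata)."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        parts = line.split()
        owner = absolute(parts.pop(0), origin)
        if parts[0].isdigit():                        # optional TTL
            parts.pop(0)
        if parts[0].upper() == "IN":                  # optional class
            parts.pop(0)
        rtype = parts.pop(0).upper()
        if rtype in ("NS", "CNAME"):
            rdata = absolute(parts[0], origin)
        elif rtype == "MX":
            rdata = f"{parts[0]} {absolute(parts[1], origin)}"
        else:
            rdata = " ".join(parts)
        records.append((owner, rtype, rdata))
    return records

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def delegation_check(public_records, apex, registrar_ns):
    """Compare the apex NS set with the registrar's delegation (the checkdns.net complaint)."""
    apex = apex.lower().rstrip(".") + "."
    zone_ns = {r for o, t, r in public_records if o == apex and t == "NS"}
    registrar = {n.lower().rstrip(".") + "." for n in registrar_ns}
    return {"missing_in_zone": sorted(registrar - zone_ns),
            "not_at_registrar": sorted(zone_ns - registrar),
            "private_names": sorted(n for n in zone_ns if n.endswith(PRIVATE_SUFFIXES))}

def leaked_private_addresses(public_records):
    """RFC 1918 addresses in the public zone: internal data exposed to the Internet."""
    return [(o, r) for o, t, r in public_records if t == "A" and is_rfc1918(r)]

def missing_internal_copies(public_records, internal_records):
    """Public records (by owner and type) that the internal copy lacks. Only presence is
    compared: internal rdata may differ, e.g. a DMZ host reached by its pre-NAT address."""
    have = {(o, t) for o, t, _ in internal_records}
    return [(o, t, r) for o, t, r in public_records
            if t not in ("SOA", "NS")                 # delegation data stays external
            and not (t == "A" and is_rfc1918(r))      # a leak to remove, not to mirror
            and (o, t) not in have]

def run_checks():
    public, internal = parse_zone(PUBLIC_ZONE), parse_zone(INTERNAL_COPY)
    return {"delegation": delegation_check(public, "mycompany.com", REGISTRAR_NS),
            "leaks": leaked_private_addresses(public),
            "missing_internal": missing_internal_copies(public, internal)}

if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

On the constructed data this reports exactly the situation from the checkdns.net post (svr1.mycompany.local is in the zone's NS set but not at the registrar), the svr1 address leak, and three records (ns1, the MX, mail) that office clients could not resolve through the internal server. The fixes follow from the output: remove the .local name server from the public NS set, drop the RFC 1918 record from the public zone, and add the missing records to the internal copy by hand, which on Windows DNS means the management console or dnscmd from the Support Tools.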
 
Hi,

I have a question on this topic. I am currently looking at planning a DNS implementation. In my Windows 2000 study book they talk about 4 methods of planning for DNS namespace, and not one of them includes naming the internal domain domain.local. Is the only reason to name the internal domain domain.local so that your company can eventually communicate and find other Windows 2000/2003 AD domains and join their forests?

I am curious because we are currently looking at using our domain.com for the root AD name. We currently have an ISP hosting our domain.com name (not sure if they use Windows 2000/2003 AD or not). We'd like to have the possibility of later taking over another company by either joining forests or establishing trusts. We also currently have an existing NT4 DNS server on the internal network forwarding to our ISP's DNS for lookups. We also have a DMZ with a web server and we are using one-to-one NAT for it, and dynamic NAT for clients connecting out through our firewall.

Here are the proposed ideas which I'd like some comments on:

1) Name our root AD domain corp.domain.com for internal and let our ISP hold records for domain.com and forward all requests from internal clients for domain.com to the ISP (via forwarders on our internal DNS).

2) Name our root AD domain.local (does this now limit the possibility of using DNS to find another forest to connect to?) for internal namespace and like method 1 use the ISP's DNS for external.

3) Use domain.com for internal as well as the ISP holding our domain.com entries and manually configure the internal domain.com DNS server to point to our entry. (this currently what we do on our NT4 DNS set up.)

I'd be really interested in hearing what other companies do in this case

Thanks

Kevin
 
I can offer what happened to one of my first AD installs... see, I was putting in the new domain for internal.mycorp.com. Because this was before much of the now required security was installed (multiple firewalls, DNS daemons, SMTP AV gateways, etc.), I was deliriously happy and just hooked up the server to the switch and booted from the CD. (The switch was connected to a router at the time...)

Following the prompts until I got to the part about the FQDN (it clearly states in the install to use .LOCAL unless you are hosting your own Internet presence), I chose internal.mycorp.com and it installed. Later I found out that a BUNCH of questions never popped up (like they should). But hey, it's M$, maybe they changed that portion post-beta. Customer is happy, WTF.

About 2 months later the customer calls and the whole domain is down. Why? Because when installing AD, even choosing "New Server in New Domain", it STILL checks for authoritative DNS servers (before installing its own). What happened was the install FOUND a DNS server that was "authoritative" for MYCORP.COM on the outside world and attached to that. So when the other company's people got to checking, they had all my client's internal DNS records etc. appearing on their server (somewhere in the UK, I believe). They took the ONLY DNS server down to find out why, and then AD couldn't find its DNS and later crashed.

Now of course this cannot happen; you run two NATs plus an SPI firewall with a DNS daemon, maybe also port-filtering AV and an SMTP gateway, and you keep the whole network locked down tight...

Use .local, keep your FQDN systematized as office.site.region.country.planet.LOCAL, and understand: if you can keep your internal DNS separate from your (or perhaps someone else's) external DNS - DO IT.

Alex
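Alex's story above comes down to one lookup the installer made on its own: is anyone on the outside already authoritative for the name the new forest is about to take? The check below is an added example, not code from the thread or from Microsoft; it makes that lookup explicit before dcpromo by walking from the proposed name up to the TLD, asking for an SOA at each level, and saying what the closest answer means for the install. The SOA lookup is injected so the check runs offline against a constructed answer table; the table, the server names and the private-suffix list are assumptions, and in real use you would replace the table with SOA queries sent through the resolver the new server will actually use (for example dns.resolver.resolve(zone, "SOA") from dnspython).

```python
"""Pre-dcpromo namespace check (added example; the SOA answer table is constructed)."""

# Assumption: names under these suffixes are private and not expected in the public DNS tree.
PRIVATE_SUFFIXES = ("local", "internal", "lan", "corp", "home")

# Constructed stand-in for live SOA queries: zone -> primary (MNAME) server.
SOA_TABLE = {
    "com.": "a.gtld-servers.net.",
    "mycorp.com.": "ns.hosting.example.",      # someone else already runs mycorp.com
    "domain.com.": "ns1.isp.example.",         # our ISP hosts domain.com for us
}

def enclosing_zones(name):
    """'internal.mycorp.com' -> ['internal.mycorp.com.', 'mycorp.com.', 'com.']"""
    labels = name.lower().strip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def check_namespace(name, soa_lookup, our_servers):
    """Decide whether the proposed AD DNS name would land inside someone else's zone.

    Returns (verdict, zone, primary): the closest enclosing zone that answers an SOA
    query, its primary server, and a verdict on what that means for the install.
    """
    zones = enclosing_zones(name)
    if zones[-1].rstrip(".") in PRIVATE_SUFFIXES:
        return ("private_suffix", None, None)
    ours = {s.lower().rstrip(".") + "." for s in our_servers}
    for zone in zones:
        primary = soa_lookup(zone)
        if primary is None:
            continue
        primary = primary.lower().rstrip(".") + "."
        if zone.count(".") == 1:              # only the TLD answers: nobody holds the name yet
            return ("unregistered", zone, primary)
        kind = "name" if zone == zones[0] else "parent"
        who = "by_us" if primary in ours else "elsewhere"
        return (f"{kind}_served_{who}", zone, primary)
    return ("no_authority", None, None)

def explain(verdict):
    return {
        "private_suffix": "private namespace outside the public DNS tree",
        "unregistered": "nobody holds this domain; register it before building AD on it or a third party can",
        "name_served_elsewhere": "another server is already authoritative for this exact name; do not install here",
        "parent_served_elsewhere": "the parent zone belongs to someone else; the new domain would become their child",
        "name_served_by_us": "we already serve this zone; the DC's DNS must become its primary or a delegated child",
        "parent_served_by_us": "the parent zone is ours; delegate the AD subdomain to the new DC's DNS server",
        "no_authority": "no SOA found at any level; check the resolver path before trusting this result",
    }[verdict]

if __name__ == "__main__":
    for candidate in ("internal.mycorp.com", "corp.domain.com", "mycompany.local", "newname.com"):
        verdict, zone, primary = check_namespace(candidate, SOA_TABLE.get, ["ns1.isp.example"])
        print(f"{candidate}: {verdict} ({zone} via {primary}) - {explain(verdict)}")
```

On the constructed table, internal.mycorp.com comes back as parent_served_elsewhere, which is Alex's failure in one line; corp.domain.com (Kevin's option 1, with the ISP's server listed as ours) comes back as parent_served_by_us, the case where a delegation from the ISP-hosted zone to the new DC is all that is needed. Two caveats a practitioner should keep in mind: run the lookup through the same outside-facing resolver the installer will see, not only an internal one, and note that RFC 6762 reserves .local for multicast DNS, so the private_suffix verdict says only that no public server can be authoritative, not that the suffix is conflict-free on every network.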
 
We host our own Internet presence on a DMZ and would like to keep example.com for internal and external resolution - is this possible, and if so, how do you do it?

thanx
 