Re: Is this a split / shadow situation resolving non routable IPs without DNS authority.



Just to clarify, this is where I'm in the dark about how this works

(
Include another zone called www.abc-company.com with no names (data) and a single
entry 192.168.0.10

The idea is the internal nameserver answers for www.abc-company.com ONLY and only
for the clients who use the DC DNS server pair
)

I don't know how a zone and a host can result in the same thing, because www is indeed a RR, but I keep reading that it will somehow
work out. I guess I need to try it and see; not my authority though, so I have to come up with the plan first before I present
it.


"John Sitka" <johnsitka@xxxxxxxxxxxxxxxxx> wrote in message news:u4kknWhGHHA.1232@xxxxxxxxxxxxxxxxxxxxxxx
Wow thanks for the help in this and the other group, really feel I'm making progress.
Internal is abccompany.com
External is abc-company.com DNS server for abc-company.com is in our DMZ as well as that web host.
(This is the single example, reality is there are multiple externals def-company.com, ghi-company.com)

nodash = INTERNAL AD
dash = EXTERNAL

there are two AD DCs each with a DNS server and each containing AD integrated zones for abccompany.com (the internal lan domain)

both of these use forwarders to our ISP's DNS, there are some here who get internet access and some who use a proxy and some
who get none.

So if an internal client needs to get to the DMZ located web server, they can get there with no name via 192.168.0.10.
If they request www.abc-company.com it won't work, because that would go first to the ISP's DNS, which would find the external
facing IP
which not everybody is allowed to go to. So rather than make a bunch of left turn routing rules on the firewalls, I just need
to have the internal DNS serve up www.abc-company.com as 192.168.0.10...

When I said you gave me a clue in the other thread, delegate, this is what I came up with.
It may be wrong in a lot of ways but I'm hoping it will help in the understanding.



On Internal DNS
put in a new Zone abc-company.com (external) then right click that zone -> new delegation
and use the wizard to point it to the actual authoritative nameserver in the DMZ for abc-company.com
Then
Include another zone called www.abc-company.com with no names (data) and a single
entry 192.168.0.10

The idea is the internal nameserver answers for www.abc-company.com ONLY and only
for the clients who use the DC DNS server pair

All other abc-company.com requests, mail.abc-company.com for example, would be handled by
the authoritative DNS server for abc-company.com.

The first part is called delegation. (thanks to ACE FEKAY)

The second part is called a split brain DNS. Two DNS servers both with the same name for the zone, and both primary,
but ONE is extremely limited, even to the point of a single range which is in effect a single host!! and serving
a small group of clients. The other is out on the WEB and handles ALL other requests, even ones from
internal clients via forwarding.


"Ace Fekay [MVP]" <PleaseAskMe@xxxxxxxxxxxxxx> wrote in message news:enL3j2gGHHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
In news:uDtT3XTGHHA.3268@xxxxxxxxxxxxxxxxxxxx,
John Sitka <johnsitka@xxxxxxxxxxxxxxxxx> stated, which I commented on below:
Hi,

Active Directory root zone is abccompany.com inside the firewall.
This (these) DNS server then uses forwarders to resolve Internet
names. But I need to resolve names for the DMZ webserver abc-company.com
which has the authoritative DNS server in the DMZ for
abc-company.com.
So from the internet browser www.abc-company.com resolves fine to a
static internet IP. (our web server)
From behind the firewall I need to resolve www.abc-company.com to a
non routable IP 192.168.x.x. This can be accomplished by each lan PC
having an appropriate host entry. But I would rather have these entries statically resolved by the
internal DNS Server.
The goal here is to have the external website resolve the same way
from a client on the internet as from clients behind the firewall.

I accidentally showed a fellow how conditional redirection could be
used to make this work. Now there are so many different ASP redirection pages I can't
maintain these external virtual webs without screaming.


externally
www.abc-company.com
www.def-company.com
www.ghi-company.com

all resolved by authoritative DNS in the DMZ to static Internet IPs

internally behind the firewall
www.abc-company.com 192.168.0.10
www.def-company.com 192.168.0.20
www.ghi-company.com 192.168.0.30

thanks

Confusion: Is the internal "abccompany.com" or "abc-company.com"?

I'm going to assume both are abc-company.com since you refer to that name multiple times.

I wouldn't use hosts files. It's tedious. Under your internal abc-company.com zone just create a www entry and provide the
internal private IP of the webserver. This will work assuming you are only using the internal DNS servers for all internal
machines (as it should be with an AD infrastructure).

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express or any other newsreader), and configure a news
account, pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO
ISP's Usenet account. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or
subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...
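An added example, not from any post in this thread, modelling the question of how a zone named www.abc-company.com with an A record at its apex can answer exactly like a www host record inside an abc-company.com zone: a toy authoritative lookup in Python that picks the closest enclosing zone the way a DNS server does. It also shows the difference the thread cares about, namely that with the single-host zone a query for mail.abc-company.com falls through to the forwarders, whereas a full internal abc-company.com zone containing only www would answer NXDOMAIN for it. Zone contents (including the dc1 address 192.168.0.5) are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

Zones = Dict[str, Dict[str, List[str]]]

# Constructed sample data modelling the internal DNS server in the thread.
AD_ZONE = {"dc1": ["192.168.0.5"]}          # internal AD zone abccompany.com (no dash)

# Option A from the thread: a zone whose name IS the host; the A record sits at the apex "@".
ZONES_SINGLE_HOST: Zones = {
    "abccompany.com": AD_ZONE,
    "www.abc-company.com": {"@": ["192.168.0.10"]},
}

# Option B (Ace's suggestion): a full internal abc-company.com zone with a www host record.
ZONES_FULL_ZONE: Zones = {
    "abccompany.com": AD_ZONE,
    "abc-company.com": {"www": ["192.168.0.10"]},
}


def closest_zone(qname: str, zones: Zones) -> Optional[str]:
    """Pick the zone with the most labels that is a label-wise suffix of qname, or None."""
    qname = qname.rstrip(".").lower()
    best = None
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            if best is None or zone.count(".") > best.count("."):
                best = zone
    return best


def resolve(qname: str, zones: Zones) -> Tuple[str, List[str]]:
    """Decide a query the way an authoritative server with forwarders would.

    Returns (outcome, addresses): AUTHORITATIVE with the A records, NXDOMAIN when we
    own the zone but the name is missing (no forwarding happens), or FORWARD when no
    hosted zone encloses the name and the ISP forwarders take it.
    """
    qname = qname.rstrip(".").lower()
    zone = closest_zone(qname, zones)
    if zone is None:
        return ("FORWARD", [])
    # Apex of the zone is "@"; otherwise strip the zone suffix to get the owner label.
    label = "@" if qname == zone else qname[: -len(zone) - 1]
    if label in zones[zone]:
        return ("AUTHORITATIVE", zones[zone][label])
    return ("NXDOMAIN", [])
```

Both zone layouts hand back 192.168.0.10 for www.abc-company.com; only the single-host zone leaves every other abc-company.com name to the DMZ server via the forwarders.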
