Re: Flat Domain DNS Problem



You are correct, I meant one domain in one forest for all three sites when I
said a "flat domain".

I could just create the one entry for the DMZ's external addresses under my
zone, but then the one site where the DMZ hosts are located wouldn't be able
to access it because they can't cross the firewall twice - so that’s not an
option.

The DMZ hosts are using another private IP address (different from all
others), and the firewall is translating the external public addresses to the
private ones.
The clients local to the DMZ hosts use the private addresses because we
can't cross the firewall twice.

The other sites can't use the local IP addresses because I would have to
open that up on the routers (no big deal), but there would be too much traffic
at this time, which is why I would want the other two sites to use the internet
to get to these resources.

Since it is Active Directory integrated and we all have one zone, those
entries already exist for local addresses they can't get to.

I don't want them to access the hosts in the DMZ via the WAN because of
traffic. I want the other two sites to go over the internet to access those
resources.

Sorry for the lengthy response, I just want to give you as much information as I
can...

Thanks for all your help, and I wouldn't mind giving you any more
information in order to find the best solution.

Thanks again - I really do appreciate it.

"Ace Fekay [MVP]" wrote:

> May I assume your definition of a "flat domain" means that you only have one
> domain in your forest and you have branch offices all in the same domain?
>
> I will also assume the DMZ in that one site is using a public IP address.
> That will be reachable by anyone on the Internet. Have you tried to just
> create the necessary record for that DMZ host and provide the external IP
> under your zone? The zone is AD Integrated anyway and will be available on
> all DCs. If there are problems accessing it based on routing, you can create
> static routes in your VPNs to access that by the NAT device connecting to
> that DMZ.
>
> If I missed something, please feel free to elaborate.
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Infinite Diversities in Infinite Combinations.
> =================================
>
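The split answer this thread is after (the private DMZ address for clients at the site beside the DMZ, the public NAT'd address for everyone else, all from the one AD-integrated zone) is what DNS policies on Windows Server 2016 or later DNS were built for. The following is an added example, not code from the original thread or from Ace's reply; the zone name, host name, subnets and addresses are made-up placeholders, and it assumes the DnsServer PowerShell module on a DC that hosts the zone.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2016 or
# later DNS with the DnsServer PowerShell module, run on each DC/DNS server that
# hosts the AD-integrated zone. Zone name, host name, subnets and addresses
# below are constructed placeholders.

$Zone       = 'corp.example.com'      # the single AD-integrated zone
$HostName   = 'www'                   # a host that lives in the DMZ
$PublicIP   = '203.0.113.10'          # public address the firewall NATs to the DMZ host
$PrivateIP  = '10.20.1.10'            # the DMZ host's own (private) address
$LocalSite  = '10.20.0.0/16'          # LAN subnet of the site that also hosts the DMZ
$SubnetName = 'DmzSite'
$ScopeName  = 'DmzSiteScope'

# 1. Default scope: what everyone else gets (the other two sites, VPN users,
#    the Internet) is the public, NAT'd address. The thread's existing record
#    holds the private address, so replace it here.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name $HostName -IPv4Address $PublicIP

# 2. Describe the clients that must NOT hairpin through the firewall: the LAN
#    at the same site as the DMZ.
Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $LocalSite

# 3. A zone scope that holds the private answer for that site only.
Add-DnsServerZoneScope -ZoneName $Zone -Name $ScopeName
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $ScopeName -A -Name $HostName -IPv4Address $PrivateIP

# 4. Policy: queries whose source address is in the local subnet are answered
#    from the site scope; everything else falls through to the default scope.
Add-DnsServerQueryResolutionPolicy -Name 'DmzSitePolicy' -ZoneName $Zone -Action ALLOW `
    -ClientSubnet "EQ,$SubnetName" -ZoneScope "$ScopeName,1"

# 5. Check: run this once from a client on the DMZ site's LAN and once from a
#    client at another site. Same server, different answers.
Resolve-DnsName -Name "$HostName.$Zone" -Type A -Server 'dc1.corp.example.com'
```

Two caveats for anyone applying this. First, the client-subnet and policy objects live on the individual DNS server and are not carried by AD replication, so repeat steps 2 to 4 on every DC that serves the zone, and confirm after the fact that the scope record is present on each. Second, the match is on the source address the DNS server sees: this works because clients at the DMZ site query their own site's DC, so a client there whose query reached a DC at another site (over the WAN) would be handed the public address and cross the firewall twice, which is exactly what the thread is trying to avoid.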