Thread: Internal & External DNS

  1. #1

    Internal & External DNS

    I have begun working for a company who has a public and private DNS that is different. On the internal side the AD network is company.local while there are stand alone systems registered to the company workgroup and are shown to the world as company.org. Both myself and another new admin are trying to remove the workgroup systems but when we try to publish with the company.local the addresses fail due to DNS. Additionally, just making a DNS entry under company.org does not forward correctly. So, does anyone know how I can have a system with 2 DNS names associated to my systems?

  2. #2
    Herb Martin Guest

    Re: Internal & External DNS


    "jckylen" <jckylen.3a3b3e@DoNotSpam.com> wrote in message
    news:jckylen.3a3b3e@DoNotSpam.com...
    >
    > I have begun working for a company who has a public and private DNS that
    > is different. On the internal side the AD network is -company.local-
    > while there are stand alone systems registered to the -company-
    > workgroup and are shown to the world as -company.org-. Both myself and
    > another new admin are trying to remove the workgroup systems but when we
    > try to publish with the -company.local- the addresses fail due to DNS.


    What does any of this have to do with "external DNS" from your subject
    line?

    > Additionally, just making a DNS entry under -company.org- does not
    > forward correctly. So, does anyone know how I can have a system with 2
    > DNS names associated to my systems?


    You can have as many DNS names associated with a computer
    as you wish but the computer will in some sense think of ITSELF
    as being in but one Domain.

    This is literally true for Active Directory, and close to 'true'
    for the Primary Domain name of every Windows system.

    You can have multiple NetBIOS names but this is not the
    default -- e.g., for accessing shares and printers.



  3. #3
    Let's see if I can add some details.

    1. The inside of our network is behind a firewall. We have both .local and .org names with the same company name assigned. With the internal DNS servers (inside the Server 2003 AD environment) each of these "domains" are separate and if the suffix isn't appended or specified the user doesn't see the server.

    2. On the outside the .local doesn't pass even with an entry on an external DNS server. Tried putting the system with a "fake" .org name but the internal servers don't seem to pass correctly from the outside to the inside. We do have a firewall which will pass the connection if I substitute the external IP address that is known and NAT'd to an internal IP address but if I use the server's name then that doesn't get thru.

    So my less than clear question is how can I set up an outside DNS entry (i.e. company.org) that will go to my internal server (company.local)? The attempt to make a straight up DNS entry didn't seem to work. I understand that if my domain is the same (company.???) then having children isn't a problem but the change from one extension to the next seems to be my problem (especially since .local doesn't seem to be working).

  4. #4
    Herb Martin Guest

    Re: Internal & External DNS


    "jckylen" <jckylen.3a3jfb@DoNotSpam.com> wrote in message
    news:jckylen.3a3jfb@DoNotSpam.com...
    >
    > Let's see if I can add some details.
    >
    > 1. The inside of our network is behind a firewall. We have both
    > .local and .org names with the same company name assigned. With the
    > internal DNS servers (inside the Server 2003 AD environment) each of
    > these "domains" are separate and if the suffix isn't appended or
    > specified the user doesn't see the server.
    >
    > 2. On the outside the .local doesn't pass even with an entry on an
    > external DNS server. Tried putting the system with a "fake" .org name
    > but the internal servers don't seem to pass correctly from the outside
    > to the inside. We do have a firewall which will pass the connection if
    > I substitute the external IP address that is known and NAT'd to an
    > internal IP address but if I use the server's name then that doesn't get
    > thru.
    >
    > So my less than clear question is how can I set up an outside DNS entry
    > (ie. company.org) that will go to my internal server (company.local)?


    Just set it up in any zone you choose -- you must set it up in
    some externally valid zone if it is going to be usable on the Internet.

    Of course, it will only be useful to give it a Name (any name) to
    IP mapping IF the IP is routable from the outside too.

    If your internal machine has a private address then you must map
    to a NAT which has specific address or port mapping setup for it
    so that the external world can route (through that NAT) to the
    internal computer.

    > The attempt to make a straight up DNS entry didn't seem to work. I
    > understand that if my domain is the same (company.???) then having
    > children isn't a problem but the change from one extension to the next
    > seems to be my problem (especially since .local doesn't seem to be
    > working).


    Pretend that your machine is at this IP: 68.178.144.167

    Pretend that the machine's "official" or primary name is www.LearnQuick.Com

    You can certainly put an entry in the carolAndHerb.com zone,
    that maps ftp.carolAndHerb.com to 68.178.144.167

    That's a real example.

    Were I trying to map it to 192.168.20.35 that would be harder unless
    I had the NAT to translate some Internet routable address to this
    actual address.





  5. #5
    Phillip Windell Guest

    Re: Internal & External DNS

    My way of doing it is simple:

    Hosts on the LAN use *only* the Internal DNS.
    The DNS Service uses the External DNS in the forwarders list
    The internal DNS has only the AD zone and nothing else.
    Firewall allows the internal DNS to make outbound DNS queries.

    If you have Split-DNS requirements, then add a second Primary zone for the
    Public Domain to the internal DNS. Your external DNS will never be queried
    for that Zone by internal Hosts, however it will still be queried by Public
    hosts.

    In our case I do not run an external DNS, to me it is pointless. Our ISP
    handles the Public Authoritative DNS for our Public Domain. So I follow
    this pattern:

    1. Hosts on the LAN use *only* the Internal DNS.
    2. The ISP's DNS is used in the forwarders list
    3. The internal DNS has the AD Zone and a second Standard Zone for the
    Public Zone.
    4. Firewall allows the internal DNS to make outbound DNS queries.
    5. ISP's DNS is the only one the "public" is aware of and is the one that
    handles the "queries" from the "public",...while my internal hosts always
    query my internal DNS for either my AD Zone or my Public Zone.

    It's simple, clean, and I only have the internal DNSs to maintain. I call
    the ISP on the rare occasion that I need something changed there.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    "jckylen" <jckylen.3a3jfb@DoNotSpam.com> wrote in message
    news:jckylen.3a3jfb@DoNotSpam.com...
    >
    > Let's see if I can add some details.
    >
    > 1. The inside of our network is behind a firewall. We have both
    > .local and .org names with the same company name assigned. With the
    > internal DNS servers (inside the Server 2003 AD environment) each of
    > these "domains" are separate and if the suffix isn't appended or
    > specified the user doesn't see the server.
    >
    > 2. On the outside the .local doesn't pass even with an entry on an
    > external DNS server. Tried putting the system with a "fake" .org name
    > but the internal servers don't seem to pass correctly from the outside
    > to the inside. We do have a firewall which will pass the connection if
    > I substitute the external IP address that is known and NAT'd to an
    > internal IP address but if I use the server's name then that doesn't get
    > thru.
    >
    > So my less than clear question is how can I set up an outside DNS entry
    > (ie. company.org) that will go to my internal server (company.local)?
    > The attempt to make a straight up DNS entry didn't seem to work. I
    > understand that if my domain is the same (company.???) then having
    > children isn't a problem but the change from one extension to the next
    > seems to be my problem (especially since .local doesn't seem to be
    > working).
    >
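
The split-DNS layout described in post #5, modelled as a small resolver (an added example, not code from any poster in this thread). All host names and addresses are constructed placeholders; `resolve_internal`, `resolve_public` and `audit` are hypothetical helper names. It shows the case that usually bites after adding the second zone: the internal server is authoritative for the public domain, so a record that exists only at the ISP resolves for the public but not for LAN hosts.

```python
import ipaddress

# Constructed sample data (placeholders, not taken from the thread).
INTERNAL_ZONES = {
    "company.local": {"dc1.company.local": "192.168.20.10",
                      "files.company.local": "192.168.20.35"},
    # Second primary zone for the public domain, hosted on the internal DNS only.
    "company.org": {"www.company.org": "192.168.20.35"},
}
# What the ISP's authoritative DNS publishes: the NAT'd, routable addresses.
PUBLIC_ZONES = {
    "company.org": {"www.company.org": "203.0.113.10",
                    "mail.company.org": "203.0.113.11"},
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def find_zone(name, zones):
    """Longest-suffix match: the zone that is authoritative for name, if any."""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None

def resolve_public(name):
    """View of an Internet host: only the ISP-hosted zone exists."""
    zone = find_zone(name, PUBLIC_ZONES)
    return PUBLIC_ZONES[zone].get(name, "NXDOMAIN") if zone else "NXDOMAIN"

def resolve_internal(name):
    """View of a LAN host: internal DNS answers its own zones, forwards the rest."""
    zone = find_zone(name, INTERNAL_ZONES)
    if zone:
        # Authoritative here, so a missing record is NXDOMAIN; the forwarder
        # is never asked about this zone.
        return INTERNAL_ZONES[zone].get(name, "NXDOMAIN")
    return resolve_public(name)  # stands in for the forwarder (ISP DNS)

def audit():
    """Flag public records that leak private addresses or break internally."""
    findings = []
    for zone, records in PUBLIC_ZONES.items():
        for name, addr in records.items():
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in RFC1918):
                findings.append((name, "private address published externally"))
            if zone in INTERNAL_ZONES and name not in INTERNAL_ZONES[zone]:
                findings.append((name, "missing from internal copy of zone"))
    return findings
```

Every record added at the ISP needs a matching entry in the internal copy of the zone, and the `.local` zone never appears in the public view at all.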




  6. #6
    Ace Fekay [MVP] Guest

    Re: Internal & External DNS

    In news:jckylen.3a3jfb@DoNotSpam.com,
    jckylen <jckylen.3a3jfb@DoNotSpam.com> typed:
    > Let's see if I can add some details.
    >
    > 1. The inside of our network is behind a firewall. We have both
    > .local and .org names with the same company name assigned. With the
    > internal DNS servers (inside the Server 2003 AD environment) each of
    > these "domains" are separate and if the suffix isn't appended or
    > specified the user doesn't see the server.
    >
    > 2. On the outside the .local doesn't pass even with an entry on an
    > external DNS server. Tried putting the system with a "fake" .org name
    > but the internal servers don't seem to pass correctly from the outside
    > to the inside. We do have a firewall which will pass the connection
    > if I substitute the external IP address that is known and NAT'd to an
    > internal IP address but if I use the server's name then that doesn't
    > get thru.
    >
    > So my less than clear question is how can I set up an outside DNS
    > entry (ie. company.org) that will go to my internal server
    > (company.local)? The attempt to make a straight up DNS entry didn't
    > seem to work. I understand that if my domain is the same
    > (company.???) then having children isn't a problem but the change
    > from one extension to the next seems to be my problem (especially
    > since .local doesn't seem to be working).


    What exactly are you trying to access from a machine on the outside world to
    your internal network behind the NAT?
    Logon to AD?
    Access the mail server?
    Access shares?
    Join the machine to the AD domain?


    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Infinite Diversities in Infinite Combinations



