Question
Tuesday, December 6, 2011 3:11 AM
Hi All,
Let me explain my setup in brief. My primary domain controller (Windows 2008) is pdc.abc.com, with IP address 10.10.0.47, and the same has been NATed to live IP 1.1.1.1. One "(same as parent folder)" record for IP address 10.10.0.47 has been created automatically.
I also have an A record entry for the live domain name (our live website) abc.gov.in with IP 1.1.1.2 in the same DNS server forward zone. The respective reverse zone has been created in the DNS server. Now the problem is that when external users run nslookup abc.gov.in from a command prompt, or resolve it externally, they get both IP addresses: 10.10.0.47 and 1.1.1.2.
And my site does not open regularly, as external users try to reach 10.10.0.47, which is a private IP.
Please let me know the solution. Should I remove the "same as parent folder" A record entry for 10.10.0.47?
Please help.
All replies (5)
Thursday, December 8, 2011 5:09 AM ✅Answered | 1 vote
1) I have to create one external DNS server with IP 10.10.20.1 (without Active Directory-- Just DNS role only) in DMZ zone.
That's correct.
2) Then I have to map this IP 10.10.20.1 to live IP 1.1.1.1, which was previously NATed to my main domain controller/internal DNS 10.10.0.47 (please read the scenario above to understand the IP allocation).
The external DNS server will have your public IP address so your internet users can resolve mail.abc.gov.in, www.abc.gov.in, etc, to the public IP.
And, yes, you will have to port translate TCP 53 and UDP 53 through NAT to this external DNS server.
3) I have to create the zone and "A" record for abc.gov.in in the new external DNS.
Yes, with the public IP address.
4) In the internal DNS, I have to give the new external DNS IP as a forwarder.
Yes, that will work. You can also forward from the external DNS to another ISP's or external DNS, too.
Do I need to change the NS record at the domain registrar?
No, not based on what you said, that the NS hostname info was already registered to your public WAN IP. Just create those names in the Name Servers tab in the DNS zone properties to match the registered NS records.
Should I create a mail.abc.gov.in entry in the new external DNS server so it can be reached from the internet?
Yes. The external DNS will have the public IP for the mail host record and the MX record. Internally, you create it with the private IP of the internal mail server. I usually create two zones (not a record) with the private IP:
- mail.domain.com
- autodiscover.domain.com
I hope that helps and answers your questions,
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
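The symptom in the original question is that an external nslookup for abc.gov.in returns the private "same as parent" address alongside the public one. After the split into an external and an internal DNS server described above, the check a practitioner wants is a quick audit of what the public side actually answers. The following script is an added example, not code from the thread or from any poster: it parses Windows nslookup output and flags any answer that is not a global (public) address. The nslookup text embedded below is constructed to mirror the thread's scenario; the addresses are the thread's placeholder values, not real hosts.

```python
"""Audit nslookup answers for a public zone and flag private (RFC 1918 or otherwise non-global) addresses.

Added example for the split-DNS scenario in this thread. Feed it the text of an
`nslookup abc.gov.in` run from an external resolver; after the external zone is
moved to the DMZ DNS server, private_leaks() should return an empty dict.
"""
import ipaddress
import re

# Constructed sample of what the thread's external users saw (Windows nslookup layout);
# it is not captured output. 10.10.0.47 is the DC's private address, 1.1.1.2 the public web IP.
SAMPLE_NSLOOKUP = """\
Server:  UnKnown
Address:  1.1.1.1

Name:    abc.gov.in
Addresses:  10.10.0.47
          1.1.1.2
"""


def parse_nslookup(text):
    """Parse Windows nslookup output into {queried name: [addresses]}.

    The leading "Server:/Address:" block identifies the resolver and is skipped;
    only the answer section after each "Name:" line is collected. Both the
    single-address "Address:" form and the multi-line "Addresses:" form with
    indented continuation lines are handled.
    """
    answers = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Server:"):
            current = None  # header block: its Address: line is the resolver, not an answer
            continue
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            current = m.group(1).rstrip(".")
            answers.setdefault(current, [])
            continue
        if current is None:
            continue
        m = re.match(r"Address(?:es)?:\s+(\S+)", line)
        if m:
            answers[current].append(m.group(1))
            continue
        if line[0].isspace():
            token = line.strip()
            try:
                ipaddress.ip_address(token)
            except ValueError:
                continue  # an indented line that is not an address (e.g. an alias)
            answers[current].append(token)
    return answers


def private_leaks(answers):
    """Return {name: [addresses]} for every answer that contains a non-global address.

    A public zone must answer only with globally routable addresses; anything else
    (10/8, 172.16/12, 192.168/16, loopback, link-local) is a leak of internal data
    and, as in this thread, makes the site unreachable for internet clients.
    """
    leaks = {}
    for name, addrs in answers.items():
        bad = [a for a in addrs if not ipaddress.ip_address(a).is_global]
        if bad:
            leaks[name] = bad
    return leaks


def public_view(answers):
    """The record set the external (DMZ) DNS server should serve: global addresses only."""
    return {name: [a for a in addrs if ipaddress.ip_address(a).is_global]
            for name, addrs in answers.items()}


if __name__ == "__main__":
    parsed = parse_nslookup(SAMPLE_NSLOOKUP)
    for name, bad in private_leaks(parsed).items():
        print(f"LEAK: {name} answers with non-public address(es) {', '.join(bad)}")
    print("External zone should contain:", public_view(parsed))
```

Run it against output pasted from an external machine both before and after the change: before, it reports 10.10.0.47 under abc.gov.in; afterwards the report should be empty, which confirms that the DMZ server, not the AD-integrated zone, is what the internet sees.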
Tuesday, December 6, 2011 3:13 PM
I'm trying to understand your scenario. Here is what I believe you have:
1. It sounds like your AD domain controller's DNS server is also your DNS server for your public name that people on the internet are using to resolve your public domain name.
2. The above assumes that you have TCP 53 & UDP 53 port translated to your AD DNS server?
3. The above also assumes you are hosting your website on the AD domain controller.
Are the assumptions above correct?
If so, the best course of action is to get a separate DNS server (separate machine) to host public records, such as for your abc.gov.in zone. Hosting it on an AD DNS poses problems with AD, because it creates an additional LdapIpAddress (the "same as parent" name), which is used by AD GPOs and other domain functions, and it returns the private address to internet resolution queries.
Put the public abc.gov.in zone on a separate DNS server, port translate TCP & UDP 53 to that server for your public DNS, create the abc.gov.in zone on that server, and create the necessary www record and same as parent record.
On the zone that still exists on your AD DNS server, remove the public IP addresses, and create a www entry with the private IP of the web server. This way your internal users can resolve the internal website's address.
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, December 7, 2011 2:36 AM
Thanks for the reply. Please find my responses in-line to your queries.
Q1. It sounds like your AD domain controller's DNS server is also your DNS server for your public name that people on the internet are using to resolve your public domain name.
A1. Yes, your assumption is correct. My internal users' DNS server IP is 10.10.0.47, and the NS record for the public domain is 1.1.1.1, which is NATed to 10.10.0.47.
Q2. The above assumes that you have TCP 53 & UDP 53 port translated to your AD DNS server?
A2. Yes.
Q3. The above also assumes you are hosting your website on the AD domain controller.
A3. Here your assumption is not correct. My web server is not on the AD/DNS server. I have manually created an "A" record entry for my web server's live IP 2.2.2.2, which is in the DMZ zone of the firewall.
Now when external users query DNS for abc.gov.in, they get the NS server as 1.1.1.1 (AD/DNS) and two "A" records, one 10.10.0.47 and another 2.2.2.2, and then the site does not open as they try to reach the private IP 10.10.0.47.
I have already created two separate forward/reverse zones in the AD/DNS server, one for 10.10.0.0/24 and another for the live IP.
Hope my scenario is now clear. Thanks.
Wednesday, December 7, 2011 9:02 AM | 1 vote
Hi Suhag,
Thanks for posting here.
I think Ace gave the solution for this scenario, which is to separate the external and internal domains onto different DNS servers; the server for the external domain should be hosted on the internet with a valid internet address, and the SOA record of the external domain modified to point to this address.
Creating an Internet DNS Domain Name
http://technet.microsoft.com/en-us/library/cc787342(WS.10).aspx
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thursday, December 8, 2011 2:26 AM
Thanks Tiger Li and Ace Fekay,
So below is a summary to resolve this issue...
1) I have to create one external DNS server with IP 10.10.20.1 (without Active Directory, just the DNS role only) in the DMZ zone.
2) Then I have to map this IP 10.10.20.1 to live IP 1.1.1.1, which was previously NATed to my main domain controller/internal DNS 10.10.0.47 (please read the scenario above to understand the IP allocation).
3) I have to create the zone and "A" record for abc.gov.in in the new external DNS.
4) In the internal DNS, I have to give the new external DNS IP as a forwarder.
Do I need to change the NS record at the domain registrar?
Please confirm the above steps so I can implement them in my live scenario.
Now there is only one issue: what about the live Exchange server, which is installed on the main AD/internal DNS server? Should I create a mail.abc.gov.in entry in the new external DNS server so it can be reached from the internet?
I really thank all of you for extending your support so far.
Regards,
Suhag Desai