We are having issues with our DMZ AD setup. Let me set my situation and see
if anyone has any good suggestions:


We have a DMZ setup for providing our DMZ machines to be members of an
outside AD domain.

The DMZ houses two important computers. NS and NS1. They are both AD DC's.
Their IP's: (outsides are not real)

Host DMZ IP Outside IP

NS 192.168.128.4 197.3.128.4
NS1 192.168.128.5 197.3.128.5

They are working great, providing DNS resolution for outside clients to
resolve our domain name and many hosts.

DNS is setup with a standard primary on our AD domain. We did this because
DDNS was switching NS & NS1's DNS
records back to "192.168.128.4" and "192.168.128.5" -- which was breaking
DNS for the outside name resolution.

Fine, we made it so NS was a standard primary, and NS1 was a standard
secondary. Dynamic dns shut-off, the name servers
records never changed or auto-updated themselves.

All is working fine, till I noticed the two DC's (ns and ns1) cannot
replicate. They are trying to resolve each other to their outside
IP addresses (the 197 IP). I tried using a hosts file to fool them into
seeing each other as 192. I don't think that ever worked. I created unique
static WINS addresses with their names and DMZ IP addresses - no change.

The only way I see to make them replicate is to change their "A" records
back to "192" DMZ ip's so they can resolve each other. This will break
external name resolution on the internet for our zones.

We obviously need to fix the AD replication issue - but are unsure which
avenue to go down. We've thought about changing the names of the machines
from NS and NS1 to something else. Then keeping NS & NS1's A records "197"
and then creating A records for the DMZ hosts as "192" addresses. This
might work - but will it create other issues?? Will this break reverse DNS
lookups? (or invalidate them)

I might have missed some information here - so feel free to ask questions...


Brian

In news:(E-Mail Removed),
Brian Roberson <(E-Mail Removed)> posted a question
Then Kevin replied below:
> We are having issues with our DMZ AD setup. Let me set my situation
> and see if anyone has any good suggestions:
>
>
> We have a DMZ setup for providing our DMZ machines to be members of an
> outside AD domain.
>
> The DMZ houses two important computers. NS and NS1. They are both
> AD DC's. Their IP's: (outsides are not real)
>
> Host DMZ IP Outside IP
>
> NS 192.168.128.4 197.3.128.4
> NS1 192.168.128.5 197.3.128.5
>
> They are working great, providing DNS resolution for outside clients
> to resolve our domain name and many hosts.
>
> DNS is setup with a standard primary on our AD domain. We did this
> because DDNS was switching NS & NS1's DNS
> records back to "192.168.128.4" and "192.168.128.5" -- which was
> breaking DNS for the outside name resolution.
>
> Fine, we made it so NS was a standard primary, and NS1 was a standard
> secondary. Dynamic dns shut-off, the name servers
> records never changed or auto-updated themselves.
>
> All is working fine, till I noticed the two DC's (ns and ns1) cannot
> replicate. They are trying to resolve each other to their outside
> IP addresses (the 197 IP). I tried using a hosts file to fool them
> into seeing each other as 192. I don't think that ever worked. I
> created unique static WINS addresses with their names and DMZ IP
> addresses - no change.
>
> The only way I see to make them replicate is to change their "A"
> records back to "192" DMZ ip's so they can resolve each other. This
> will break external name resolution on the internet for our zones.
>
> We obviously need to fix the AD replication issue - but are unsure
> which avenue to go down. We've thought about changing the names of
> the machines from NS and NS1 to something else. Then keeping NS &
> NS1's A records "197" and then creating A records for the DMZ hosts
> as "192" addresses. This might work - but will it create other
> issues?? Will this break reverse DNS lookups? (or invalidate them)
>
> I might have missed some information here - so feel free to ask
> questions...
>
>
> Brian

The reason these two DCs cannot replicate is because you have configured DNS
for external resolution. So DNS resolution works fine from the outside but
you are dealling with two DCs that are behind NAT and cannot comunicate with
each other by the public addresses because of NAT.
Move the public DNS to another DNS server and let these two comunicate with
the private addresses. Or set up another DNS server and point these two DCs
to it for DNS so they can register their private addresses and communicate.
So far as what you did with the host file, well that might work for the
machine but did you create the LDAP IP addresses which is the addresses that
are used for DFS shares and replication. The LDAP Ip address is what your
domain name resolves to. Does the domain name resolve to all IP addresses on
the domain controllers.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================

Thanks for the input. Wow, thats a good idea.. Creating a DNS server to
reference each others internal IP's. That will probably be my ticket to
success.

I never have manually created "LDAP IP addresses" - i don't know what that
is. Doesn't AD set this up automatically? There are no DFS roots or shares
setup in the AD DMZ - probably overkill. Should I consider setting them up?

I believe the domain name resolves correctly to all IP addresses.. But
again, its probably resolving to the wrong ones!!

Brian

"Kevin D. Goodknecht [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In news:(E-Mail Removed),
> Brian Roberson <(E-Mail Removed)> posted a question
> Then Kevin replied below:
> > We are having issues with our DMZ AD setup. Let me set my situation
> > and see if anyone has any good suggestions:
> >
> >
> > We have a DMZ setup for providing our DMZ machines to be members of an
> > outside AD domain.
> >
> > The DMZ houses two important computers. NS and NS1. They are both
> > AD DC's. Their IP's: (outsides are not real)
> >
> > Host DMZ IP Outside IP
> >
> > NS 192.168.128.4 197.3.128.4
> > NS1 192.168.128.5 197.3.128.5
> >
> > They are working great, providing DNS resolution for outside clients
> > to resolve our domain name and many hosts.
> >
> > DNS is setup with a standard primary on our AD domain. We did this
> > because DDNS was switching NS & NS1's DNS
> > records back to "192.168.128.4" and "192.168.128.5" -- which was
> > breaking DNS for the outside name resolution.
> >
> > Fine, we made it so NS was a standard primary, and NS1 was a standard
> > secondary. Dynamic dns shut-off, the name servers
> > records never changed or auto-updated themselves.
> >
> > All is working fine, till I noticed the two DC's (ns and ns1) cannot
> > replicate. They are trying to resolve each other to their outside
> > IP addresses (the 197 IP). I tried using a hosts file to fool them
> > into seeing each other as 192. I don't think that ever worked. I
> > created unique static WINS addresses with their names and DMZ IP
> > addresses - no change.
> >
> > The only way I see to make them replicate is to change their "A"
> > records back to "192" DMZ ip's so they can resolve each other. This
> > will break external name resolution on the internet for our zones.
> >
> > We obviously need to fix the AD replication issue - but are unsure
> > which avenue to go down. We've thought about changing the names of
> > the machines from NS and NS1 to something else. Then keeping NS &
> > NS1's A records "197" and then creating A records for the DMZ hosts
> > as "192" addresses. This might work - but will it create other
> > issues?? Will this break reverse DNS lookups? (or invalidate them)
> >
> > I might have missed some information here - so feel free to ask
> > questions...
> >
> >
> > Brian
>
> The reason these two DCs cannot replicate is because you have configured
DNS
> for external resolution. So DNS resolution works fine from the outside but
> you are dealling with two DCs that are behind NAT and cannot comunicate
with
> each other by the public addresses because of NAT.
> Move the public DNS to another DNS server and let these two comunicate
with
> the private addresses. Or set up another DNS server and point these two
DCs
> to it for DNS so they can register their private addresses and
communicate.
> So far as what you did with the host file, well that might work for the
> machine but did you create the LDAP IP addresses which is the addresses
that
> are used for DFS shares and replication. The LDAP Ip address is what your
> domain name resolves to. Does the domain name resolve to all IP addresses
on
> the domain controllers.
>
> --
> Best regards,
> Kevin D4 Dad Goodknecht Sr. [MVP]
> Hope This Helps
> ============================
> --
> When responding to posts, please "Reply to Group" via your
> newsreader so that others may learn and benefit from your issue.
> To respond directly to me remove the nospam. from my email.
> ==========================================
> http://www.lonestaramerica.com/
> ==========================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ==========================================
> Keep a back up of your OE settings and folders with
> OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ==========================================
>
>

In news:(E-Mail Removed),
Brian Roberson <(E-Mail Removed)> posted a question
Then Kevin replied below:
> Thanks for the input. Wow, thats a good idea.. Creating a DNS server
> to reference each others internal IP's. That will probably be my
> ticket to success.

Yes, it is you can do this on a member server, I just have one big point to
keep in mind, all internal machines must ONLY point to this internal DNS.
You can forward the internal DNS to the two external DNS servers you have
set up.

>
> I never have manually created "LDAP IP addresses" - i don't know what
> that is. Doesn't AD set this up automatically?
The LDAP IP address is what the domain name resolves to, (the same as parent
folder) host is the one used for LDAP.

There are no DFS
> roots or shares setup in the AD DMZ - probably overkill. Should I
> consider setting them up?

Domain Controllers automatically set up one DFS share, it is the SYSVOL
share. Member machines get their group policies from this share at
\\domain.com\SYSVOL\domain.com\policies This share is replicated to all DCs
and is why the domain name must resolve to all IP addresses on domain
controllers that have file sharing.


> I believe the domain name resolves correctly to all IP addresses.. But
> again, its probably resolving to the wrong ones!!

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================