DNS - W2K Server AD same DN inside/outside

Mike Ninder

We run W2K Server AD in a small office. Assume our internal
domain name in the internal W2K network is example.com. We
also have a third party web hosting service hosting a
website and a mail server accessible on the Internet at
example.com and pop3.example.com, respectively.

Until today, the W2K DNS server inside our office didn't do
anything. The primary and secondary DNS records delivered
via DHCP internally pointed to our ISP's DNS servers.
Everything worked fine. We don't need to access anything
internally via the example.com names. All DNS lookups were
handled by the ISP nameservers.

Recently, we've been adding XP machines. They are not happy
when pointed to the ISP's nameservers via DHCP. We have
intermittent problems with lost access to mapped drives and
messages like "The system detected a possible attempt to
compromise security. Please ensure that you can contact the
server that authenticated you." Research indicates that
this is probably related to timeout of the DHCP lease and
attempts by XP to do a DNS lookup of the authenticating
server (example.com), which is internal, not out on the
internet with the mail server and web page.

To address this problem, we have repointed the DHCP
delivered primary and secondary DNS server names back to the
internal W2K server. However, this presents the problem
that some machines need to access the mail server.

I have the following options that I can think of, but I hope
for something better:

1) I can set static IPs and fixed DNS addresses on the
machines that need to access the mail. They are not the XP
machines, so they'd work as before. This is a pain, and
requires maintenance. Plus I have one XP machine that needs
mail, so it won't work there.

2) I could change the internal domain name - a pain to
reconfigure everything.

3) I could run an internal mail server and point the
internet records to my office.

4) I can use the hosts file on each workstation to steer
pop3.example.com to the external mail server. This is a
maintenance headache, and the mail server has multiple
numeric addresses when accessed via a normal Internet DNS
lookup, so I'd lose the redundancy.

5) What I'd like to do is force the DNS server in W2K AD to
steer DNS lookups for pop3.example.com to my ISP's DNS
server, and answer only the workstation.example.com or
W2Kserver.example.com itself.

I know 5 must be possible, but I can't seem to find where to
look it up. Can anyone steer me to the right place or help?
Thanks.
 
CJ

Mike Ninder said:
We run W2K Server AD in a small office. Assume our internal
domain name in the internal W2K network is example.com. We
also have a third party web hosting service hosting a
website and a mail server accessible on the Internet at
example.com and pop3.example.com, respectively.

Until today, the W2K DNS server inside our office didn't do
anything. The primary and secondary DNS records delivered
via DHCP internally pointed to our ISP's DNS servers.
Everything worked fine. We don't need to access anything
internally via the example.com names. All DNS lookups were
handled by the ISP nameservers.

You definitely do not want to do it that way. What you want is to have your
internal DNS servers do all of the name resolution, and forward all other
requests to your ISP DNS servers. And also, click the "Do not use
recursion" box so that way if for some reason the ISP DNS servers are down
that your internal servers don't try to resolve it.

See below for a solution to your option #5.

Recently, we've been adding XP machines. They are not happy
when pointed to the ISP's nameservers via DHCP. We have
intermittent problems with lost access to mapped drives and
messages like "The system detected a possible attempt to
compromise security. Please ensure that you can contact the
server that authenticated you." Research indicates that
this is probably related to timeout of the DHCP lease and
attempts by XP to do a DNS lookup of the authenticating
server (example.com), which is internal, not out on the
internet with the mail server and web page.

To address this problem, we have repointed the DHCP
delivered primary and secondary DNS server names back to the
internal W2K server. However, this presents the problem
that some machines need to access the mail server.

This is where you need to add a host record in DNS manually.

I have the following options that I can think of, but I hope
for something better:

1) I can set static IPs and fixed DNS addresses on the
machines that need to access the mail. They are not the XP
machines, so they'd work as before. This is a pain, and
requires maintenance. Plus I have one XP machine that needs
mail, so it won't work there.

2) I could change the internal domain name - a pain to
reconfigure everything.

3) I could run an internal mail server and point the
internet records to my office.

4) I can use the hosts file on each workstation to steer
pop3.example.com to the external mail server. This is a
maintenance headache, and the mail server has multiple
numeric addresses when accessed via a normal Internet DNS
lookup, so I'd lose the redundancy.

5) What I'd like to do is force the DNS server in W2K AD to
steer DNS lookups for pop3.example.com to my ISP's DNS
server, and answer only the workstation.example.com or
W2Kserver.example.com itself.

Yes, 5 is what you want to do.

Try adding to DNS a Host A record and type pop3 in the host box then of
course the IP address of that server.
Let the change replicate and see if that doesn't do it.

But you definitely want to use internal DNS servers for name resolution and
forward external requests to your ISP DNS.

Let me know if this helped.
CJ
 
Mike Ninder

CJ said:
And also, click the "Do not use
recursion" box so that way if for some reason the ISP DNS servers are down
that your internal servers don't try to resolve it.

Thank you for the reply. I can't find the "Do not use
recursion" box. I've checked all the right clicked
properties. Any suggestions on where to look?

Try adding to DNS a Host A record and type pop3 in the host box then of
course the IP address of that server.
Let the change replicate and see if that doesn't do it.

This worked great. Thanks. Now a related question. By
setting up the A record, I'm sending a specific IP address
for pop3.example.com, so when I do a:

nslookup pop3.example.com

I get my A-record defined static address back from my own
internal DNS server.

However, if I do a:

nslookup pop3.example.com ISPs.externalDNSserver.IP.address

it uses the ISP's DNS server for the lookup, and that lookup
brings back multiple addresses that seem to vary. I presume
there's some sort of load balancing going on.

Is there a way to have the internal DNS server ask for and
forward the whole load balanced reply from
ISPs.externalDNSserver.IP.address, instead of sending back
my own static defined IP address?
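Added example (not code from the thread): a small Python model of the split-horizon setup the replies describe, where the internal server is authoritative for example.com and forwards every other name to the ISP. The zone data, addresses and forwarder functions are constructed; it shows why a manually added pop3 A record always answers with the one static address while names outside the zone still get the ISP's full reply, and what happens when the forwarder is down and recursion is off.

```python
from __future__ import annotations
from typing import Callable

# Constructed stand-in for the ISP's DNS server. Note the two load-balanced
# addresses it hands out for pop3; the internal zone will shadow them.
ISP_ANSWERS = {"pop3.example.com": ["198.51.100.10", "198.51.100.11"],
               "www.example.net": ["203.0.113.7"]}

def isp_forwarder(name: str) -> list[str]:
    return list(ISP_ANSWERS[name])        # KeyError models NXDOMAIN upstream

def dead_forwarder(name: str) -> list[str]:
    raise ConnectionError("forwarder unreachable")

class SplitHorizonResolver:
    """Authoritative for the zones given; forwards every other name."""

    def __init__(self, zones: dict[str, dict[str, list[str]]],
                 forwarders: list[Callable[[str], list[str]]]) -> None:
        self.zones = zones
        self.forwarders = forwarders

    def _zone_for(self, name: str) -> str | None:
        labels = name.split(".")          # longest matching zone suffix wins
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.zones:
                return ".".join(labels[i:])
        return None

    def resolve(self, name: str) -> tuple[str, list[str]]:
        name = name.lower().rstrip(".")
        zone = self._zone_for(name)
        if zone is not None:
            # Authoritative answer only: the ISP is never asked about a name
            # inside example.com, so a host missing from the zone is NXDOMAIN.
            rrs = self.zones[zone].get(name)
            return ("NOERROR", list(rrs)) if rrs else ("NXDOMAIN", [])
        for fwd in self.forwarders:
            try:
                return ("NOERROR", fwd(name))
            except KeyError:
                return ("NXDOMAIN", [])
            except ConnectionError:
                continue                  # try the next forwarder in the list
        # All forwarders failed: with "Do not use recursion" set, the server
        # gives up here instead of walking the root hints itself.
        return ("SERVFAIL", [])

def make_office_resolver(forwarders=None) -> SplitHorizonResolver:
    # Constructed AD zone: the DC registers at the zone apex (so the public
    # website at example.com is hidden internally), plus the manual pop3 record.
    zone = {"example.com": ["192.0.2.5"], "w2kserver.example.com": ["192.0.2.5"],
            "workstation.example.com": ["192.0.2.20"], "pop3.example.com": ["198.51.100.10"]}
    return SplitHorizonResolver({"example.com": zone}, forwarders or [isp_forwarder])
```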