Joseph said:
We have a split-brain DNS configuration. I'm looking for a way to
have http://www.mycompany.com and http://mycompany.com properly
display our website on internal clients when using the same domain
name for AD as our corporate site. Our corporate web site is hosted
externally. Everything is set up properly for www.mycompany.com to
work, but I still haven't been able to find a way for
http://mycompany.com to work internally.
I've read quite a bit and have tried several configurations in a lab,
but haven't seen anything 100% clear as to how to accomplish this.
Outside of AD DNS I would just add a (same as parent folder) entry
for the root of the domain that points to the external IP, but I'm
concerned this could affect AD operations since every domain
controller has the same type of entry (we have DNS on all domain
controllers). I've read up on SRV records, but haven't seen anything
that clearly addresses this issue. In a lab, when adding a blank
(same as parent folder) "A" record that points to the external
address it seems to work, but only intermittently, and there is a delay on
resolution when it does work. The SRV record approach has not worked
at all up to this point.
Has anyone seen a documented solution or have a configuration that is
currently working in their environment?
Thanks,
Joseph
Here's one of my many previous posts with a how-to on this subject. But I do
recommend NOT to use the same name (Split Horizon) internal and external due
to the administrative overhead. I especially want to point out what Kevin
mentioned about the sysvol connection that GPOs use. Keep in mind, the
LdapIpAddress reg alteration must be done on ALL your DCs.
=======================================
This is good especially if you have a Split Horizon environment where the
internal and external domain names are the same and the users need to get to
their external name by http://theirdomain.com but their DC/DNS server
responds and not the actual external website.
This one is done on the netlogon service parameters in the registry. This
will stop netlogon registering the blank FQDN with the internal private IP.
This stops the netlogon service from registering that "Blank Domain FQDN" IP
address. Those IPs are actually called the LdapIPAddress. Then you manually
create a blank FQDN with the IP that you do want, whether a local private IP
or some public IP, any or multiple IPs, if you want.
If your ISP rotates or changes the website IP, then this will not work.
Usually we can delegate the www zone to the SOA of your external domain, but
this can't be done with the blank domain record.
===========================================
Disabling the Same As Parent LdapIpAddress blank FQDN
[Taken from http://support.microsoft.com/?id=295328]
You do this by adding a registry entry to the DC(s) and rebooting:
1) Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
add the Registry Value DnsAvoidRegisterRecords and add the "LdapIpAddress"
Mnemonic to it.
2) Do this on all DCs and restart netlogon or restart machine.
This will prevent the DC from adding the domain A records from netlogon.
And you can add multiple Blank Domain A records as you need.
====================================
If you want to create multiples, you can do it manually as I mentioned
above, or use this method to force the system to do it for you. I would
rather create them manually but here's the instructions if you feel up to
it....
Now you can also publish the IP you want instead of having to put it in
manually for the blank FQDN. Do this on the DNS service in the registry.
[Taken from http://support.microsoft.com/?id=275554]
Configure the DNS service to publish specific IP addresses to the DNS
zone.
To do so, make the following registry modification:
PublishAddresses
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Data type: REG_SZ
Range: IP address [IP address]
Default value: blank
This modification specifies the IP addresses that you want to publish for
the computer. The DNS server creates A records only for the addresses in
this list. If this entry does not appear in the registry, or if its value is
blank, the DNS server creates an A record for each of the computer's IP
addresses.
This entry is for computers that have multiple IP addresses, only a subset
of which you want to publish. Typically, this prevents the DNS server from
returning a private network address in response to a query when the computer
has a corporate network address.
====================================
See These Links for more info on it (the first one, IMO, is the best on this
subject):
Problems with Many DCs and Integrated DNS Zones [Q267855]
http://support.microsoft.com/?id=267855
Private Network Interfaces on a DC Are Registered in DNS [Q295328]
http://support.microsoft.com/?id=295328
Optimizing the Location of DC/GC That's Outside of Client's Site [Q306602]
http://support.microsoft.com/?id=306602
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
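A PowerShell version of the Netlogon registry change from the Q295328 steps above, followed by the manual blank-FQDN record Ace describes (rather than the PublishAddresses route), added here as an example and not Ace's or Microsoft's own code. It assumes the DnsServer module (Windows Server 2012 or later, not available when the thread was written), the mycompany.com domain from the thread, and a placeholder public IP of 203.0.113.10 that you replace with your hosted site's address.

```powershell
# Added example, not from the original post. Run elevated on EVERY DC, because
# any DC without the setting will re-register its private IP at the zone root.
# Assumptions: domain root 'mycompany.com' (from the thread); 203.0.113.10 is a
# placeholder for the externally hosted website's public IP.
$DomainRoot = 'mycompany.com'
$ExternalIp = '203.0.113.10'

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName   = 'DnsAvoidRegisterRecords'   # REG_MULTI_SZ list of mnemonics

# Read the existing list (the value may not exist yet) so that any mnemonics
# already suppressed on this DC are preserved, then append LdapIpAddress.
$existing = @()
$current = Get-ItemProperty -Path $NetlogonKey -Name $ValueName -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.$ValueName) }

if ($existing -notcontains 'LdapIpAddress') {
    $updated = $existing + 'LdapIpAddress'
    if ($current) {
        Set-ItemProperty -Path $NetlogonKey -Name $ValueName -Value $updated
    } else {
        New-ItemProperty -Path $NetlogonKey -Name $ValueName `
            -PropertyType MultiString -Value $updated | Out-Null
    }
    Write-Host "Added LdapIpAddress to $ValueName on $env:COMPUTERNAME"
} else {
    Write-Host "LdapIpAddress already set on $env:COMPUTERNAME"
}

# Netlogon reads the list at startup; the KB accepts a service or machine restart.
Restart-Service -Name Netlogon -Force

# Stale DC-registered apex A records stay in the zone until removed; delete
# every apex A record that is not the IP we want, then add ours if missing.
Get-DnsServerResourceRecord -ZoneName $DomainRoot -RRType A -Name '@' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $ExternalIp } |
    Remove-DnsServerResourceRecord -ZoneName $DomainRoot -Force

$apex = Get-DnsServerResourceRecord -ZoneName $DomainRoot -RRType A -Name '@' -ErrorAction SilentlyContinue
if (-not $apex) {
    Add-DnsServerResourceRecordA -ZoneName $DomainRoot -Name '@' -IPv4Address $ExternalIp
}

# Check what an internal client will now get for the bare domain name. The DC
# SRV records under _msdcs etc. are untouched, so AD location is unaffected.
Resolve-DnsName -Name $DomainRoot -Type A -Server localhost | Select-Object Name, IPAddress
```

Because the apex record is now static, it must be updated by hand if the hosting provider changes the website's IP, which is the limitation Ace notes above.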