How do you manage different internal and External Domain names?

    Question

  • Hello,

    How do you manage domains when you have domainname.local and domainname.com registered externally?

    I have TMG, AD with domainname.local, internal CA, Internal MSCRM etc.

    Tuesday, September 27, 2011 12:38 PM

Answers

  • Read it carefully and choose your scenario, according to how your environment is.

    There can be multiple scenarios. Choose your scenario.

    Scenario 1

    Your internal domain name and external domain name the same, and the webserver is hosted externally.
    This type of same name scenario is called a split zone.

    To handle a split-zone,
    There are two ways to get to your website:

    1. By http://www.yourdomain.com/, using 'www' in front of your domain name.
    2. By http://yourdomain.com/, without the 'www' in front of the name.

    1. The simplest way to allow your internal users to get to your external website is to simply create an "A" www record under your current internal AD zone name in DNS (DO NOT create an Alias or CNAME record), and provide the IP address of the external web server.

    To create the 'www' record:
    Open DNS console
    Right-click your zone name, such as yourdomain.com, choose New Host Record
    Type in www
    Type in the IP address of the external website

    2. However, if your web hosting provider uses more than one web server, such as in a server farm, or they have multiple IP addresses for the website, and you are facing the possibility they may change it without warning, you would have to do something different to account for this. Therefore, instead of creating an "A" 'www' record, I would suggest creating a delegation for 'www' to the public name servers that are authoritative for your zone. With a delegation, instead of providing a direct IP, DNS will query the SOA of your public domain name to get the current IP address of your website. To create a delegation, you will need to find the SOA name of your public zone. The SOA, or Start of Authority, are the public name servers on record that you want your delegation to query for your 'www' record.

    Therefore, you would need to query an outside DNS server for your SOA record (your external DNS hostname servers hosting your public domain name)

    How do you find the SOA for your public domain name? Use nslookup.

    In a command prompt, type in nslookup, hit enter.
    Then type in the following:
    > set q=soa
    > server 4.2.2.2
    > typeInYourDomainNameHereWithoutTheWWW

    Once you've found what the SOA names and IPs are, you can create the delegation. To create the delegation, simply right-click your zone name, choose new delegation, type in www, and provide the SOA of your public domain.

    As for resolving the domain name with http://domain.com/ (without the www in front of it), that is a little more complex. Normally if you are not using Active Directory internally, you would simply create a new Host record (as in step #1), but without typing anything in for the hostname, and simply type in the IP address. This is called a blank domain name, which allows the name to resolve without the 'www' in front of it. However, if you are using Active Directory, this 'blank' domain name is actually used by the domain controllers in the domain. It's a unique record that each domain controller registers into DNS with an IP address, without a hostname, which appears under your internal zone name as:

    (same as parent)   A   x.x.x.x

    This record that the DCs register is actually called the "LdapIpAddress." Each DC registers one for itself. AD uses these records for a number of things, such as DC to DC replication, Sysvol replication, GPOs and DFS. Don't mess with it please or expect problems. The DCs will re-register this record anyway if you delete it and thwart your attempt. If you create a blank record for your website, it will cause problems with AD.

    To get around that, you can use a workaround. The workaround is, on EACH DC, install IIS. Then open the Internet Information Services console. In the default website properties, Directory tab, select redirect, and redirect it to http://www.domain.com/. This way when any one of your users types in http://domain.com, it will resolve to the www record you've created in Step #1 or #2 above. But this procedure must be performed on each DC.

    Scenario 2

    Your public domain name is different, and you are hosting your webserver internally.

    In this scenario, internet users access your domain name by connecting to the WAN (outside) IP address of your router.

    To make this scenario work, with a different domain name than your internal domain name, you would need to create the external domain name as a zone on your DNS server.

    Create a new zone using your external domain name.
    Open DNS console.
    Click on Forward Lookup Zones.
    Right-click, choose new Zone, type in the name of the external domain name.
    Once created, right-click the zone you just created, choose New Host Record.
    Type in 'www' (without the quotes), and provide the internal Private IP address of your internal webserver.

    If you want to access the site with http://domain.com/ (without the www), you would need to create a 'blank' host record.

    How?
    Right-click the zone name you just created, choose New Host Record.
    Leave the name field blank, and provide the internal Private IP address of your internal webserver.

    Scenario 3

    If you have a different internal domain name and external domain name, and the website is hosted externally:
    There's nothing to do. Internet resolution will handle everything.

    Don't forget, ALWAYS and ONLY use the internal DNS servers in your AD environment for all machines (DCs, member servers and workstations, including your VPN clients), or this won't work. Never use your ISP's DNS servers anyway, or your router's IP address as a DNS address in any internal machine's IP properties. Otherwise, expect AD problems as well.

    Don't forget to configure a forwarder for more efficient internet name resolution. I've always used this as a best practice. It offloads internet name resolution to your ISP's DNS addresses so your server doesn't have to use the Root Hints to resolve external names.

    Ace Fekay, MCT


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Wednesday, September 28, 2011 8:25 AM
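The DNS console steps in the answer above, done with the Windows Server DnsServer PowerShell module. This is an added example, not code from the thread; zone names, IP addresses and the function names are constructed placeholders, and the apex check assumes the DCs' LdapIpAddress records show up as HostName "@" in Get-DnsServerResourceRecord output.

```powershell
# Added example, not code from the thread: the DNS changes the answer walks through
# in the DNS console, done with the Windows Server DnsServer PowerShell module instead.
# Zone names, addresses and function names are constructed placeholders.
Import-Module DnsServer

# Scenario 1, option 1: a plain A record for 'www' in the AD zone (an A record, not a CNAME).
function Add-SplitZoneWwwRecord {
    param([string]$Zone, [string]$PublicWebIp)
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $PublicWebIp
}

# Scenario 1, option 2: delegate 'www' to the public name servers, so the hosting
# provider can change the site's IP without anyone touching the internal zone.
# The answer finds the servers with "nslookup, set q=soa"; this asks the same public
# resolver (4.2.2.2) for the NS set, because the delegation needs every authoritative
# server, not only the primary named in the SOA.
function Add-SplitZoneWwwDelegation {
    param([string]$Zone, [string]$PublicResolver = '4.2.2.2')
    $nsRecords = Resolve-DnsName -Name $Zone -Type NS -Server $PublicResolver |
                 Where-Object { $_.Type -eq 'NS' }
    foreach ($ns in $nsRecords) {
        $glue = Resolve-DnsName -Name $ns.NameHost -Type A -Server $PublicResolver |
                Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        Add-DnsServerZoneDelegation -Name $Zone -ChildZoneName 'www' `
            -NameServer $ns.NameHost -IPAddress $glue.IPAddress
    }
}

# Guard for the "(same as parent)" problem: apex A records in an AD zone are the DCs'
# LdapIpAddress records. Returns $true when the zone already has such records.
function Test-ZoneApexOwnedByDcs {
    param([string]$Zone)
    $apex = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -ErrorAction SilentlyContinue |
            Where-Object { $_.HostName -eq '@' }
    return [bool]$apex
}

# Scenario 2: the public name differs from the AD name and the site is hosted inside.
# Create the public name as an internal zone, then the www record and, only when the
# zone is not an AD zone, the blank (apex) record. No dynamic updates: nothing should
# self-register into this zone.
function Add-ExternalZoneInternally {
    param([string]$Zone, [string]$PrivateWebIp)
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Forest' -DynamicUpdate 'None'
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $PrivateWebIp
    if (Test-ZoneApexOwnedByDcs -Zone $Zone) {
        Write-Warning "$Zone already has apex A records (DC LdapIpAddress); not adding a blank record."
    } else {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $PrivateWebIp
    }
}

# Usage with constructed values (run on an internal DC/DNS server):
Add-SplitZoneWwwRecord -Zone 'yourdomain.com' -PublicWebIp '203.0.113.10'
Add-ExternalZoneInternally -Zone 'domainname.com' -PrivateWebIp '192.168.10.25'
# Verify from a domain member, which must point only at the internal DNS servers:
Resolve-DnsName -Name 'www.domainname.com' -Type A
```

Run Add-SplitZoneWwwDelegation instead of Add-SplitZoneWwwRecord when you want option 2; the two are alternatives for the same 'www' name and should not both be applied to one zone.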

All replies

  • How do you configure your DNS? see the below link.

    http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx



    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Tuesday, September 27, 2011 12:41 PM
  • What do you mean by manage? AD is created for internal purposes and a website is hosted for publishing the information. If you are talking about a DNS name conflict, create a host record of www pointing to your website and educate the users to access the website using www.domainname.com; if you use just domainname.com, your request will land up at your DC without querying your website.


    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Tuesday, September 27, 2011 12:57 PM
  • You need to provide more information. What are you trying to accomplish?

    You can have different internal and external names.  In this case you need to maintain split-brain DNS structure.

    >>> How do you manage domains 

    Do you have more than one domain?

    >>> when you have domainname.local and domainname.com registered externally

    Domainname.local should be your internal AD domain name.  domainname.com should be the external DNS name.

    Anyway, please provide more information.



    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.
    Tuesday, September 27, 2011 3:30 PM
  • Hello,

    That depends on what you want to achieve exactly:

    • If you want internal users to use www.domainname.local to access the public website, then you have to add an A record in your domainname.local DNS zone that points to the website's internal IP address
    • If you want users to access www.domainname.com using the website's internal IP address, then you have to create a new zone on your internal DNS servers named domainname.com and then create an A record named www with the wanted IP address



    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator 

    Tuesday, September 27, 2011 5:36 PM
  • For the external domain, domainname.com, you would want to host this zone on externally accessible DNS servers.  These DNS servers should be used strictly for internet users resolving your external domain name.  If you only have one domain, and do not already have external DNS servers, it usually makes sense to outsource this service to your domain name registrar (since you most likely already paid for this service when you registered the external name), or your ISP. 

    If you are going to host this external domain on your external DNS servers, keep in mind that you need to secure them.  I would pay close attention to the recursion settings.

    Do Not Use Recursion For This Domain vs Disable Recursion
    http://www.anitkb.com/2011/05/do-not-use-recursion-for-this-domain-vs.html

    For your internal domain namespace, it is customary to simply host this on your Active Directory domain controllers, by installing the DNS role on the same boxes. 

    Then, on your internal DC/DNS servers, you would want to configure conditional forwarding so that you directly send traffic regarding "domainname.com" to the external DNS servers hosting the external zone whether they be yours or hosted somewhere else.

    By conditional forwarding, you can cut down the amount of time it takes to resolve external names from your internal network.

    Configuring DNS Conditional Forwarding in Windows Server 2003
    http://www.anitkb.com/2010/03/configuring-dns-conditional-forwarding.html

    Configuring DNS Conditional Forwarding in Windows Server 2008
    http://www.anitkb.com/2010/03/configuring-dns-conditional-forwarding_01.html


    Hope this helps...



    Visit anITKB.com, an IT Knowledge Base.

    anITKB youtube
    Tuesday, September 27, 2011 5:51 PM
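The forwarder and recursion settings from the reply above (conditional forwarding of the public zone, a general forwarder so the internal servers do not walk the root hints, and recursion turned off on the externally reachable authoritative server), as an added example with the DnsServer module; it is not the poster's code, and the addresses and function names are constructed placeholders.

```powershell
# Added example, not from the thread: the forwarder and recursion settings the reply
# describes, with the Windows Server DnsServer module. Addresses and function names
# are constructed placeholders. The functions target different servers; see comments.
Import-Module DnsServer

# On the internal DC/DNS servers: send queries for the public zone straight to the
# servers hosting it (yours or the registrar's) instead of resolving from the roots.
function Add-PublicZoneConditionalForwarder {
    param([string]$Zone, [string[]]$PublicZoneServers)
    Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $PublicZoneServers `
        -ReplicationScope 'Forest'
}

# On the internal servers: a general forwarder, so the server hands the rest of
# Internet resolution to the ISP's resolvers rather than using the root hints.
function Set-InternetForwarder {
    param([string[]]$IspResolvers)
    Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false
}

# On the externally reachable server that is authoritative for the public zone only:
# it should answer for its own zones and nothing else. Disabling recursion is the
# strict setting; a server that recurses for anyone on the Internet is an open
# resolver and becomes a target for cache poisoning and reflection abuse.
# Returns the resulting recursion state so the change can be confirmed.
function Disable-PublicServerRecursion {
    Set-DnsServerRecursion -Enable $false
    return (Get-DnsServerRecursion).Enable
}

# Check from any host: does the given server answer a query for a name it is not
# authoritative for? An authoritative-only server should refuse it.
# -DnsOnly bypasses the local cache and hosts file so the answer comes from the server.
function Test-ServerIsOpenResolver {
    param([string]$Server, [string]$ProbeName = 'example.com')
    $r = Resolve-DnsName -Name $ProbeName -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    return ($null -ne $r)
}

# Usage on an internal DC/DNS server (constructed values):
Add-PublicZoneConditionalForwarder -Zone 'domainname.com' -PublicZoneServers '198.51.100.53','198.51.100.54'
Set-InternetForwarder -IspResolvers '203.0.113.53'
# After running Disable-PublicServerRecursion on the public server, confirm it from inside:
if (Test-ServerIsOpenResolver -Server '198.51.100.53') {
    Write-Warning 'External DNS server still recurses for names outside its own zones.'
}
```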
  • Thanks for replies.

    So this is how I do it,

    I create a new zone on my internal DNS Server named domainname.com that will resolve names for it.

    Then register external DNS and point it to my TMG external IP Address.

    Wednesday, September 28, 2011 5:07 AM
  • Thanks Biswajit Biswas,

    Real good explanation.

    This is what I exactly wanted to know!

    Wednesday, September 28, 2011 8:52 AM
  • You are most welcome and it is nice to hear from you that the explanation is helpful.
    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Wednesday, September 28, 2011 9:00 AM
  • Hi Biswajit,

    Your Scenario #1 is most like mine but not quite, I think. Can you tell me if this is possible?

    • the customer is using mycompany.com internally for their DC
    • for their new externally hosted web site, they want to use mycompany.com (without www) for simplicity.
    • the external website redirects www.mycompany.com to mycompany.com for consistency and to consolidate page rank.

    So the obvious issue is that internal requests for the website at www.mycompany.com are being redirected to mycompany.com, which is being internally resolved to the DC. Likewise, a request for mycompany.com also resolves to the internal DC.

    Is there a way to direct web traffic to the external DNS, or some other way to resolve this issue, or are they forced to either change their internal DC name from mycompany.com (not likely), or re-add 'www' to their website name?

    Monday, January 21, 2013 2:03 AM