DNS (internal domain has same name as external website)

  • Question

  • Our internal domain name is called "abc.com" and our company website is called "abc.com". I have created an "A" record that points to www.abc.com so staff can browse the website from within the office. The problem is that if people enter "abc.com" in a web browser within the office it does not resolve in an efficient manner. Can someone please help?


    Interflex
    Monday, June 14, 2010 6:13 PM

Answers

  • Hi Interflex,

    This scenario is called a Split Zone, where the name is the same internally and externally.

    As Jorge indicated, it requires a registry change, but it has to be done on all DCs. This is because it is altering the "same as parent" name in DNS. Many refer to this record as the 'blank domain entry' (where you don't need the 'www' in front of it); in AD, however, it's referred to as the LdapIpAddress. This record is used for DFS and GPOs. It's the record your client machines query for when the GetGpoList function runs to retrieve GPOs, among other things.

    You can get away with not altering the registry, but it would require installing IIS on each DC. Then in IIS, you can configure a redirect under the Default Website to point to www.abc.com. This is a quick way to handle it, but I don't condone or recommend IIS on a DC.

    The third option is to have your users simply live with using www, instead of altering anything on the DCs.

    I have more on it in my blog, which you can read at the link below.

    Split Zone or no Split Zone - Can't Access Internal Website with External Name
    http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx

    I hope both my blog and Jorge's blog provide a greater understanding of what's going on in a same internal and external domain name scenario.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Wednesday, June 16, 2010 2:41 PM
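An added diagnostic script (not from the thread or any poster) that shows the split-zone situation Ace describes: it lists the apex A records of the zone and marks which belong to DCs (the LdapIpAddress records Netlogon registers), compares the inside and outside answers for the bare name, and reports whether the RegisterDnsARecords value Jorge mentions is set on each DC. The zone name abc.com, the DC name dc1.abc.com and the external resolver 8.8.8.8 are assumptions; it needs the DnsServer and ActiveDirectory PowerShell modules.

```powershell
# Added example, not from the thread. Zone, DC name and resolver are assumptions.
Import-Module DnsServer
Import-Module ActiveDirectory

$Zone       = 'abc.com'        # internal AD zone that is also the public name
$DnsServer  = 'dc1.abc.com'    # any DC hosting the zone (assumed name)
$ExternalNS = '8.8.8.8'        # a public resolver, to see the outside answer

# Every DC's IPv4 address, so apex records can be classified
$dcIps = Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address }

# Apex records: Name '@' is how the DnsServer module exposes "same as parent"
$apex = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A -Name '@'

"Apex A records in $Zone :"
foreach ($rr in $apex) {
    $ip    = $rr.RecordData.IPv4Address.IPAddressToString
    $owner = if ($dcIps -contains $ip) { 'DC (LdapIpAddress, registered by Netlogon)' } else { 'not a DC' }
    '  {0,-16} {1}' -f $ip, $owner
}

# What the inside and the outside actually answer for the bare name
$inside  = (Resolve-DnsName -Name $Zone -Type A -Server $DnsServer -ErrorAction SilentlyContinue).IPAddress
$outside = (Resolve-DnsName -Name $Zone -Type A -Server $ExternalNS -ErrorAction SilentlyContinue).IPAddress
"Internal answer for $Zone : $($inside -join ', ')"
"External answer for $Zone : $($outside -join ', ')"

# Has option 3 (RegisterDnsARecords = 0 under Netlogon\Parameters) been applied on each DC?
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
foreach ($dc in Get-ADDomainController -Filter *) {
    $val = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty -Path $using:key -Name RegisterDnsARecords -ErrorAction SilentlyContinue).RegisterDnsARecords
    }
    $shown = if ($null -eq $val) { '(not set: DC registers the apex record)' } else { $val }
    '{0}: RegisterDnsARecords = {1}' -f $dc.HostName, $shown
}
```

Until every DC has been changed and its stale apex record removed, the internal answer will keep interleaving DC addresses with the web server's, which is the intermittent behaviour the question describes.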
  • All,

    Each of the proposed solutions is valid and each has its associated costs.

    1) Simply tell users they must use the 'www' record.
    2) Install IIS on the DCs and redirect.
    3) Prevent the DCs from registering the domain host records.

    All three are correct answers when considering how to handle this issue. The solution that is actually implemented will depend on the organization. I can tell you certain factors such as user acceptance may rule out #1, security policies may rule out #2, and as Tiger indicated certain DFS and GPO operations may rule out #3, especially for those organizations that do not have alternate methods of name resolution, specifically NetBIOS, where the domain name can be resolved using WINS 1C records.

    Interflex, you should select one or more of the proposed solutions based on the business needs of the organization.


    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, June 17, 2010 6:04 PM
  • Hi Interflex,

    I agree with Ace's options 2 and 3, just as I thought.

    I still consider the idea Jorge provided about preventing registration of the DC's A record. This will probably cause some unexpected issues, because this record is used for DFS and GPOs, so I don't recommend this method.

    Meanwhile, I have thought the same as Ace's second suggestion: if the environment or policy of your company allows deploying IIS on your DC server, I think this could be a possible resolution.

    And I have a tip for your reference. If the client's browser is IE, by default, when you type a web address in the address bar and press "Ctrl + Shift + Enter", IE will automatically add the prefix "www" to the beginning of the typed web address. In your case, users just type "abc" in the address bar and press "Ctrl + Shift + Enter".

    You can set this at the "Prefix and Suffix" option, located under "Internet Options" / "General" tab / "Language" button.

    Thanks.

    Tiger Li

    Thursday, June 17, 2010 6:04 AM

All replies

  • This can be easily fixed by applying a simple registry edit (RegisterDnsARecords) on your DC(s). The problem is that your DCs will register their IPs for the name of the domain. Of course, when your users open a browser they will not reach the website since the records in DNS are pointing to your DCs.

    You will find the steps needed to fix this in this article.

    Active Directory Domain Name Considerations when Using the Same Internal and External Domain Name
    http://www.anitkb.com/2010/03/active-directory-domain-name.html



    Visit: anITKB.com, an IT Knowledge Base.
    Monday, June 14, 2010 7:33 PM
  • Hi Tiger,

    I've actually found that by default, just hitting Ctrl + Enter (without the Shift key) puts in the 'www' and '.com', but it only works for the 'com' TLD by default. I guess you could add 'net' in the General tab, Language, suffix option to use Ctrl + Shift + Enter, or whatever the actual internal TLD name is.

    Cheers!

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, June 17, 2010 2:46 PM
  • Jorge,

    I agree.

    Or worse, if neither of the suggestions can be implemented for whatever political or security policy reasons, then a Domain Rename is in order to change the internal AD TLD. However, that's like taking a broadsword to the problem, and it's something I don't really suggest for such a simple fix or user acceptance, no matter how angrily the users or management react to it.

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, June 17, 2010 7:00 PM
  • Hi, Interflex

    If there is any update on this issue, please feel free to let us know.

    We are looking forward to your reply.

    Thanks.

    Tiger Li

    Friday, June 18, 2010 1:34 AM
  • Can this change be applied to an existing domain controller with an active DNS, or does it need to be performed on a server where one would be installing a new DNS? Is there a restart required?

    Thanks, Dennis


    Interflex
    Thursday, June 24, 2010 4:19 PM
  • We had this same problem, where our internal and external domain were the same and we were unable to open our own website in the network.

    So what we did is, we added a public DNS address (from our ISP - Bell) in the forwarders tab. After that we did an ipconfig /flushdns and this problem was resolved.

    I didn't follow any step from the above and was able to resolve this.

    I hope this will help someone.

    Thanks,

    Raj

    Monday, May 20, 2013 12:32 AM
  • Raj,

    I can't see how that would resolve it with the same exact internal and external name. If DNS hosts a zone, say company.com, then it will NEVER forward a request to a forwarder because it hosts the zone, or what we refer to as "being authoritative for that zone."

    Therefore, it tells me you may have either a DNS misconfiguration and/or you are mixing internal and external DNS addresses on your internal computers and servers.

    Of course, without specifics about your environment, I am not able to know.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, May 20, 2013 5:42 AM
  • Aside from running IIS on the Domain to host a single website so that you can redirect your request, simply portproxy port 80 to the webserver.

    netsh interface portproxy add v4tov4 listenport=80 listenaddress=dc1.abc.com connectport=80 connectaddress=www.abc.com

    Or

    netsh interface portproxy add v4tov4 listenport=80 listenaddress={Static IPv4 address of DC} connectport=80 connectaddress={IP address of public web server}

    • Proposed as answer by aerocontrols Wednesday, July 5, 2017 5:13 PM
    Thursday, October 30, 2014 11:54 PM
  • This is the BEST/EASIEST solution given by HayashiTech
    Wednesday, July 5, 2017 5:14 PM
  • Aside from running IIS on the Domain to host a single website so that you can redirect your request, simply portproxy port 80 to the webserver.

    netsh interface portproxy add v4tov4 listenport=80 listenaddress=dc1.abc.com connectport=80 connectaddress=www.abc.com

    Or

    netsh interface portproxy add v4tov4 listenport=80 listenaddress={Static IPv4 address of DC} connectport=80 connectaddress={IP address of public web server}

    Just to point out, I would recommend using the FQDN (www.domain.com) and not the IP address of a website, since, as we all know, many ISPs change IPs occasionally without warning.

    Ace Fekay
    MVP, MCT, MCSE, 2016/2012/2008/2003/2000/NT4, Exchange 2016/2013/2010/2007/2003/2000/5.5
    Microsoft Certified Trainer
    Microsoft MVP: Enterprise Mobility
    Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, July 5, 2017 5:44 PM
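An added audit script (not from the thread or any poster), to be run on a DC after the portproxy rule above has been added: it parses the rules netsh reports, flags any that are not the expected port 80 forward to the web server's FQDN (a bare IP target is what Ace advises against, and any other rule on a DC deserves a look), and checks that the IP Helper service the proxy depends on is running. The expected target www.abc.com is an assumption.

```powershell
# Added example, not from the thread. Run on the DC that carries the rule.
# Expected rule per the thread: listen on :80, connect to the web server by FQDN.
$ExpectedListenPort  = 80
$ExpectedConnectHost = 'www.abc.com'   # assumption; Ace's advice is FQDN, not the ISP IP
$ExpectedConnectPort = 80

function Get-PortProxyRules {
    # Parses the table printed by 'netsh interface portproxy show v4tov4'.
    # Data rows have four fields: listen address, listen port, connect address, connect port.
    netsh interface portproxy show v4tov4 | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                ListenAddress  = $Matches[1]
                ListenPort     = [int]$Matches[2]
                ConnectAddress = $Matches[3]
                ConnectPort    = [int]$Matches[4]
            }
        }
    }
}

function Test-PortProxyRule {
    param([pscustomobject]$Rule)
    # Classifies a rule: the one the thread intends, a bare-IP variant, or something else.
    if ($Rule.ListenPort -eq $ExpectedListenPort -and
        $Rule.ConnectPort -eq $ExpectedConnectPort -and
        $Rule.ConnectAddress -eq $ExpectedConnectHost) { return 'expected' }
    if ($Rule.ConnectAddress -match '^\d{1,3}(\.\d{1,3}){3}$') {
        return 'REVIEW: forwards to a bare IP (breaks when the ISP renumbers)'
    }
    return 'REVIEW: not the documented rule; confirm who added it and why'
}

$rules = @(Get-PortProxyRules)
if ($rules.Count -eq 0) { 'No v4tov4 portproxy rules on this host.' }
foreach ($r in $rules) {
    '{0}:{1} -> {2}:{3}  [{4}]' -f $r.ListenAddress, $r.ListenPort, $r.ConnectAddress, $r.ConnectPort, (Test-PortProxyRule $r)
}

# portproxy is implemented by the IP Helper service; with it stopped the rule does nothing
$svc = Get-Service -Name iphlpsvc
"IP Helper (iphlpsvc): $($svc.Status) - must be Running for the proxy to listen"
```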
  • I faced the same dilemma. Internally, to access the site you will need to create an "A" (WWW) record and point it to the external site, as name resolution is done internally by your DNS server. Your users will have to use www.whateveryourdomainis.com; they just have a few more keystrokes.
    Saturday, March 10, 2018 10:13 AM
  • I know this post is old, but I need a kick in the right direction. I have done a lot of work on this site and the only thing left is to allow the internal systems to access the external web page.

    So in this example we are working with domain.com internally and externally. I have created an A record to the correct external IP but the pages will not resolve. If I change the DNS server settings on the NIC to an external one I can get the external web page https://www.domain.com to load. But now all local DNS doesn't resolve on the DC. Of course I have to change this back, but then I no longer can get to https://www.domain.com.

    Is there a solution? I don't want to have to create domain.local. There is only one web page, and it is hosted with a website company.

    Sunday, August 18, 2019 8:09 PM
  • I added a DNS A record with blank name pointed at the IP of the external webserver.  This is the only blank name record in our internal dns and it resolves to the website now.
    • Proposed as answer by jr9999 Thursday, September 19, 2019 5:48 PM
    Thursday, September 19, 2019 5:38 PM