How to configure the internal dns to resolve external resources

active-directory, domain-name-system, windows-server-2008

I have an internal DNS as part of my AD setup. I have a hosted DNS for public resources (which are typically at some data centre somewhere).

Occasionally while on our internal network I need to get to a public resource, for example www.ourcompany.com. Since there isn't a www record in our internal DNS, I can't get the name resolved.

How do I configure my DNS to forward names it doesn't recognise to the public DNS?

Update:
As per the comment, yes, I have a "split-horizon" DNS (which seemed like a good idea at the time).
This AD setup is less than 24 hours old, and can be redone if need be (although I would rather not).

Best Answer

It sounds like you have split-horizon DNS, where your AD namespace and public-facing namespace are the same. If this is the case, you'll need to make an A record for www in your internal AD zone and set the correct external IP. Without this, internal clients won't be able to resolve it. This is because you have two sets of servers with disjoint information that are both authoritative for your DNS zone.

This is the exact reason that Microsoft recommends using an unused third-level domain name for your AD namespace. For example, if you own mycompany.com and you host public websites on it, you should use something like corp.mycompany.com or internal.mycompany.com for your Active Directory namespace. If you can do a domain rename (i.e. you have a simple client/server infrastructure with no Exchange in the domain), you should look into it. If you can't do a domain rename to fix this, you're in for some headaches.

Edit: Per your update, you should absolutely redo this since the install is only 24 hours old. Absolutely no doubt about it. Having a split-horizon DNS situation is never a good idea when it can be avoided. You can still have mycompany.com be the NetBIOS name of the domain, so users see MyCompany\User instead of something like Corp\User, but the FQDN of your AD namespace and the FQDN of your public-facing DNS namespace should not be the same.
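The short-term fix the answer describes (copying the public www record into the internal AD zone), as an added example that is not part of the original answer. It assumes the zone name mycompany.com, a public resolver reachable from the DC, and a placeholder external address; it is run on a domain controller hosting the zone.

```powershell
# Added example: mirror the public "www" A record into the internal AD zone
# so that internal clients on a split-horizon setup can resolve it.
# Assumed names: zone mycompany.com, host www, public resolver 8.8.8.8.

$ZoneName   = "mycompany.com"
$HostName   = "www"
$PublicDns  = "8.8.8.8"   # any resolver that sees the public zone, not the AD DNS

# 1. Ask the public DNS what the outside world resolves www to.
#    Resolve-DnsName is part of the DnsClient module (Windows 8 / Server 2012+).
$public = Resolve-DnsName -Name "$HostName.$ZoneName" -Type A -Server $PublicDns -ErrorAction Stop |
          Where-Object { $_.QueryType -eq 'A' }
if (-not $public) { throw "No public A record for $HostName.$ZoneName; check whether it is a CNAME to a CDN." }
$ExternalIp = $public[0].IPAddress
Write-Host "Public DNS answers $HostName.$ZoneName -> $ExternalIp"

# 2. Create the matching A record in the internal (AD-integrated) zone.
#    Add-DnsServerResourceRecordA needs the DnsServer module (Server 2012+).
#    On Windows Server 2008 use the equivalent dnscmd call instead:
#        dnscmd /RecordAdd mycompany.com www A <ExternalIp>
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostName `
    -IPv4Address $ExternalIp -TimeToLive (New-TimeSpan -Hours 1)

# 3. Verify that the AD DNS server now answers for the name.
$internal = Resolve-DnsName -Name "$HostName.$ZoneName" -Type A -Server "localhost"
if ($internal.IPAddress -contains $ExternalIp) {
    Write-Host "Internal zone now resolves $HostName.$ZoneName -> $ExternalIp"
} else {
    throw "Internal record missing or wrong; inspect the zone in DNS Manager."
}

# Caveat: this is a static copy. If the public record changes (new hosting, a
# CDN that rotates addresses), the internal record silently goes stale, which
# is exactly why the answer recommends a separate AD namespace instead.
```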