Windows – Access RDS internally with same domain name as externally

domain-name-system, pfsense, split-dns, windows

I have a network setup with a 2008 R2 AD domain called internal.domain.org. Our externally hosted website uses www.domain.org and domain.org. I'd like users to be able to access our RDS server–machinename.internal.domain.org–using the same domain name whether inside or outside the LAN. This would be remote.domain.org. From outside is easy enough, but on the inside I'm lost. Trying split DNS, it's easy to get remote.domain.org to the internal RDS machine, but it breaks access to the external website from inside the LAN.

The trouble seems to be that when I create a Forward Lookup Zone called domain.org, it comes up with a subfolder called internal, instead of the normal set of folders. I add records for * and www, but can't get to the outside. I'm out of my league here. Any thoughts?

Thanks,

Best Answer

Use split DNS (split horizon), but not on a server running Microsoft software - it doesn't work.

On your local DNS recursor/cacher you can usually create a specific override for a FQDN to map to a different IP. This adds exactly one CI to your CMDB and isn't unusual or complex at all.

Depending on your setup, you usually do this on your network gateway system. For example on pfSense, it can be done using the GUI in Services->DNS Server at the bottom. Since you did not post what you are using, I cannot give you an example for your system.

Elaborating on my answer:

This is an exact case of why split-horizon DNS works and is needed. If you have multiple entry points to a service which require different IPs to access it, and you are using a FQDN to access it, DNS is exactly how this is solved.

Usually, there are 3 very common cases that, depending on the places your staff works from, come into play:

  • Local RDS on the LAN where the RDS is actually accessible
  • RDS via WAN, which requires the WAN IP to be used (which then NATs to the LAN IP for RDS)
  • RDS via VPN, where VPN lives on its own subnet and may or may not have access to the LAN

Sometimes there are multiple VPN connections or tunnels, which can complicate things even further. In many cases this can be solved with routing and firewalling, but that creates so many more Configuration Items that your CMDB will simply be flooded with nonsense every time you need to configure a service to be reachable from multiple places.

In many setups, the zone for which the Windows server needs to be authoritative can simply be configured on the main router, gateway or DNS server, so that you can have one high-performance single point of configuration for your entire DNS needs. The only drawback is that if zone transfers or remote DNS updates are needed to the default DNS server by clients, it will no longer work. This is, however, usually no longer the case in client-server setups.

The way split-DNS works in this case is simply this:

  • Public DNS holds the A record for WAN connections
  • Internal DNS holds an override A record for the specific FQDN (remote.example.com)

Because only two different DNS records are needed (public and LAN), this is easily and reliably configurable. There is no need for views like BIND has, or PowerDNS's views implementation, or Unbound with rewriting support. Views and Split-DNS are not implemented in Microsoft DNS, that's why that is not an option in this case. (See http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software for a comparison)

On a second note: if you have pfSense, you could simply create an L2TP over IPSec or OpenVPN tunnel so people can have remote access. While it does require installation of software on the client system, it removes the need for a WAN-accessible RDS.
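As an added illustration of the single-FQDN override the answer describes (not part of the original answer or of pfSense's own configuration), here is the equivalent in plain Unbound, which is also what the pfSense DNS Resolver runs underneath. It assumes the LAN recursor sits at 192.168.1.1, the RDS host at 192.168.1.10, and the upstream forwarder at 203.0.113.53 (all constructed addresses), and that the AD DNS server forwards every query it is not authoritative for (i.e. anything outside internal.domain.org) to this recursor. The commented-out block reproduces the mistake from the question: making the recursor authoritative for all of domain.org.

```conf
# unbound.conf on the LAN recursor (example added here; addresses are constructed)
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow

    # WRONG: a static zone for the whole of domain.org behaves exactly like the
    # Windows Forward Lookup Zone the asker created. Every name under domain.org
    # that is not listed here (www, mail, the apex itself) now returns NXDOMAIN
    # from the LAN, so the public website stops resolving inside the network.
    #local-zone: "domain.org." static
    #local-data: "remote.domain.org. IN A 192.168.1.10"

    # RIGHT: override only the one FQDN and leave the rest of domain.org alone.
    # "transparent" means names that have local data are answered from here;
    # any other name under domain.org is resolved upstream as usual.
    local-zone: "domain.org." transparent
    local-data: "remote.domain.org. IN A 192.168.1.10"

# Everything that is not overridden goes to the upstream resolver
# (placeholder address; use your ISP's or a public resolver).
forward-zone:
    name: "."
    forward-addr: 203.0.113.53
```

To confirm the split is correct, query the recursor for both names from a LAN host: `remote.domain.org` should return 192.168.1.10, while `www.domain.org` and `domain.org` must still return the public address they give from outside.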
