
DNS Issue:Websites not visible internally but work externally 1


abhi1024 (Programmer), Dec 20, 2003, US
We have an Active Directory on Windows 2003.

The way our domain is configured:
domain name: ds.xyz.com

We already have a forward lookup zone: ds.xyz.com
We just created two new websites:
(a) xyz.com
(b) aa.xyz.com
These websites are visible externally but not from inside our domain. I am not sure if I need to create a new forward lookup zone.
Could somebody please help?

Thanks,
Abhi
 
First of all you shouldn't be using an AD domain that will also be hosted on the Internet, it causes you all sorts of issues (MS even state it's not a best practice and strongly advise against it).

What happens if you do an nslookup internally?

Simon

The real world is not about exam scores, it's about ability.

 
Yes, create a new forward lookup zone and then create the Host (A) record for www.

Once your fwd zone is created, create a new Host (A) record, call it www and assign it the internal IP of your web page.
 
I have somewhat of a similar issue. We host our own websites (about 150 of them using IIS 6 on Win2k3). We also host our own DNS -- active directory integrated. When I started here about a month ago, I was shocked to see, in our DNS, there were 4 nameservers:

ns51.domaincontrol.com
ns52.domaincontrol.com
dc1.ourdomain
dc2.ourdomain

I'm currently moving all our domain names (about 580) from us to godaddy. Why use our servers as nameservers when GoDaddy can do it for us -- we're already paying for it with the "executive account".

The problem we're having is occasionally (and it's very random), that when I browse to our website which we are hosting, it will come up. 15 minutes later it won't, but on some other computers within the same internal network, the website comes up. It's like IIS (or our router) randomly decides who can view our websites.

All of our DNS zones have A records that point to our external IP address. Our websites always work on the public side but randomly on the inside.

I've found that if I edit my host file and point our website to our web server's internal IP of 192.168.1.3, the website comes up every time. Does that mean that even after moving all my DNS records to GoDaddy, that I'll still need all these DNS zones on my DNS server? I was hoping to delete them once they've all propagated to GoDaddy.

Once I remove the entry in the host file and ping our website, the public IP comes up. I've worked at a company where we found a workaround without having to create a zone record for every domain we host -- although there we had a nice WatchGuard X1000. Here we have a Cisco RV016.

Any help would be appreciated. I'd rather not maintain two sets of DNS records.
 
As long as they exist on your internal DNS, your internal clients will use your local server to resolve those names, and not GoDaddy's server. Normally internal users will have trouble getting to an internal website using an external address. It's kind of like trying to see the outside of your front door while you're in your kitchen.

If internal users will need to use an internal IP to access the site and not an external IP, then you'll want to operate a split-DNS situation: the public will use GoDaddy to find the public IP of the server, while your internal users will query the internal DNS to find the internal IP of the web site. You will not be syncing the records between external and internal DNS: they will be two completely separate entities. That's best practice anyway, since you don't want your internal AD being queryable from the outside.

Dave Shackelford
ThirdTier.net
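The split-DNS setup Dave describes, and the forward lookup zone plus Host (A) record from the earlier reply, are the same configuration; here it is as a dnscmd script run from PowerShell on the internal DNS server. This is an added example, not code posted by anyone in the thread. It assumes a domain controller named DC1 as the internal DNS server, the internal web server address 192.168.1.3 from Dan's post, the names www and aa from Abhi's question, and 8.8.8.8 as the public resolver used for the comparison.

```powershell
# Added example: internal (split-horizon) copy of the public zone xyz.com on the
# AD-integrated DNS server. dnscmd ships in the Windows Server 2003 Support Tools
# and is built in on later versions. All names and addresses below are assumptions
# taken from the thread, not values from any real environment.
$dnsServer   = "DC1"          # assumed: internal DNS server / domain controller
$zone        = "xyz.com"      # public domain whose internal copy we are creating
$internalWeb = "192.168.1.3"  # internal IP of the IIS server (from Dan's post)

# 1. Create the internal zone as AD-integrated. It replicates to the other DCs
#    automatically and is never transferred to the registrar's public nameservers,
#    so internal addresses stay inside the domain.
dnscmd $dnsServer /ZoneAdd $zone /DsPrimary

# 2. Host (A) records internal clients need. These point at the internal address,
#    unlike the public zone at GoDaddy, which points at the router's public IP.
dnscmd $dnsServer /RecordAdd $zone www A $internalWeb
dnscmd $dnsServer /RecordAdd $zone aa  A $internalWeb
dnscmd $dnsServer /RecordAdd $zone "@" A $internalWeb   # bare xyz.com (zone apex)

# Caveat: once this zone exists internally, the internal server is authoritative
# for ALL of xyz.com and will not forward unknown names to the public DNS. Every
# public host in the zone (mail, ftp, ...) must be added here too, as Dave notes
# ("If you create a new host, you create records in both locations").

# 3. Verify from an internal workstation. The internal server must answer with
#    192.168.1.3; a public resolver must still answer with the public IP.
nslookup www.xyz.com $dnsServer
nslookup www.xyz.com 8.8.8.8    # assumed public resolver; expect the public IP
```

If the first nslookup still returns the public IP, the workstation is not using the internal server as its resolver (check ipconfig /all), which is also the first thing to rule out for the intermittent behaviour Dan describes.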
 
UPDATE:

I remember at my previous client's setup, their web server had the public IP bound to the NIC, and that's why the websites worked internally. The WatchGuard was set in "Drop-In" mode as well.

Here though, our router's IP is that of the websites' IP, and we're forwarding port 80 to 192.168.1.3. This server is also a secondary domain controller. With that, I don't believe I could simply add the public IP to the internal NIC w/out causing major problems -- if it would even allow me.

If anyone knows of a way around maintaining two sets of zone records (one for public with public IPs, and another internal zone set just for us with internal IPs), I'd be glad to hear it.

thanks,
Dan
 
Thanks for the verification ShackDaddy. I quiver at the thought of split-DNS x_X
 
I maintain split-DNS in several places, and while these aren't locations that host a lot of web-sites, I've found that it's not really that difficult to maintain.

If the external IP changes, you change the public DNS record.

If the internal IP changes, you change the internal DNS record.

If you create a new host, you create records in both locations.


Dave Shackelford
ThirdTier.net
 
I see. I'm just confused as to why it works sometimes, but not never or not always. How does it manage to see the "outside of the front door while in the kitchen" only sometimes? That fact led me to check max connections in IIS, max connections or "users" allowed outbound through the Cisco router, etc...

What's weird is when it doesn't work on my computer, I'll quickly go to another computer and it works. Then it'll flip-flop at random times. But, one constant, and this is why most of my users use the Terminal Server, is ALL websites will ALWAYS work on the terminal server. It has the same IP setup as the workstations (although it's static), and when I IPCONFIG /ALL from the TS vs. the workstations, the only difference is on the TS, "IP ROUTING ENABLED" & "WINS PROXY ENABLED" both say YES, whereas on the workstations, they're both NO.
