Any DNS experts out there? After reading Michael Dragone’s “Split-Brain DNS” (InstantDoc ID 99772), reader Jeff Krull shared a split-brain DNS configuration
problem with us. We've printed the problem here, as well as Michael's initial response. If you think you can further help Jeff, feel free to add your solution here! The first reader to solve Jeff’s problem will receive a Windows IT Pro baseball cap.
From: Jeff Krull
Subject: split brain dns article
Mike, we have a split-brain DNS zone, which is the root of our AD forest. Since it's an AD-integrated zone, when performing an Nslookup on the zone for mycompany.com, DNS returns a list of DNS servers (which are the DCs). That's just great for AD and associated GPO processing, etc. When a user browses the domain internally using a browser, we can't resolve the company's web site (i.e., companyname.com times out) because the DCs don't run IIS to redirect the query, nor do we want our DCs running IIS. Externally, this is not a problem because the DCs aren't listed in the external zone. Any ideas on how to resolve this issue whereby internal users don't have to use www.mycompany.com internally to reach our web site?
From: Michael Dragone
Hi Jeff, thanks for reading my article and writing in. To help answer your question, can you tell me a little more about your AD environment? Do you have one or more AD domains? What's the format of the domain names? Are you using company.local, company.com, or subdomains such as ad.company.com?
From: Jeff Krull
We've got an empty root with three child domains: mydomain.com root, host1.mydomain.com child, host2.mydomain.com child, host3.mydomain.com child. So, the web site in question would be mydomain.com, which we have to address as www.mydomain.com internally and can be accessed using mydomain.com externally. For other DNS domains (e.g., otherdivision.com), this isn't an issue because there aren't DCs for that domain...and we can access the web site internally using http://otherdivision.com rather than www.otherdivision.com.
From: Michael Dragone
Okay, now I understand: www.mydomain.com works both internally and externally, but mydomain.com only works externally. Right? There's no elegant fix that I know of for this issue short of renaming your AD domains. Even if you add a host (A) record for mydomain.com to the mydomain.com zone, DNS will resolve requests for mydomain.com in round-robin fashion. Therefore, some clients will hit the domain controllers while others will make their way to your website. Likewise, you can't remove the existing A records for mydomain.com-- they're required for AD to function correctly, and the DCs would just add them again anyway. You could create an A record or an alias (CNAME) record for a keyword such as "internal," "mydomaincom" (without the period) or "web" in the appropriate zone that resolves to the IP address of the web server hosting mydomain.com (if you use an A record) or www.mydomain.com (if you use a CNAME record). Although that still won't let your users enter mydomain.com from a browser address bar, it would shorten what they have to enter. I would probably use "web" and add an A record in my external DNS for "web" so that internal users can simply type web in their address bar and external users can use either web or www. In any event, it's likely you've already thought of these alternatives. I'm sorry I couldn't be of much help!
So, who can help?
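Two things a reader can do from a management workstation to see the problem Jeff describes and to apply the alias workaround Michael suggests, as an added PowerShell example that is not part of the article or its comments. It assumes the DnsServer, DnsClient and ActiveDirectory modules (Windows Server 2012 or later), a domain controller/DNS server named DC1, and an ISP resolver at 203.0.113.53; the server name and address are placeholders, and `web` is the alias name Michael proposes.

```powershell
# Added example, not from the article. Placeholders: DC1 (internal DNS/DC) and
# 203.0.113.53 (an external resolver, documentation address). Zone is Jeff's.
Import-Module DnsServer
Import-Module DnsClient
Import-Module ActiveDirectory

$Zone        = 'mydomain.com'
$InternalDns = 'DC1'
$ExternalDns = '203.0.113.53'

# 1. Show what the apex name resolves to on each side of the split brain.
#    Internally the answer is the DC list that AD registers on its own;
#    externally it is the web host. That mismatch is Jeff's complaint.
$internal = Resolve-DnsName -Name $Zone -Type A -Server $InternalDns -DnsOnly
$external = Resolve-DnsName -Name $Zone -Type A -Server $ExternalDns -DnsOnly
"Internal apex A records: " + (($internal | Where-Object Type -eq 'A').IPAddress -join ', ')
"External apex A records: " + (($external | Where-Object Type -eq 'A').IPAddress -join ', ')

# 2. Check that nobody has "fixed" the zone by adding the web server to the
#    apex. As Michael notes, such a record round-robins with the DC records,
#    so some clients would still land on a DC. Any apex A record whose
#    address is not a DC is flagged.
$dcIps   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address
$apex    = Get-DnsServerResourceRecord -ComputerName $InternalDns -ZoneName $Zone -Name '@' -RRType A
$apexIps = $apex | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
$stray   = $apexIps | Where-Object { $_ -notin $dcIps }
if ($stray) {
    Write-Warning "Apex A records that are not DCs (will round-robin with DCs): $($stray -join ', ')"
} else {
    "Apex A records are all domain controllers, as AD expects."
}

# 3. Michael's workaround: a short alias in the internal zone that points at
#    the existing www record. Fails if a 'web' record already exists.
Add-DnsServerResourceRecordCName -ComputerName $InternalDns -ZoneName $Zone `
    -Name 'web' -HostNameAlias "www.$Zone"
Resolve-DnsName -Name "web.$Zone" -Server $InternalDns -DnsOnly
```

Typing just `web` in a browser only works for clients whose DNS suffix search list (or name devolution from a child domain such as host1.mydomain.com) reaches mydomain.com; otherwise users still need `web.mydomain.com`. The apex check in step 2 is the one worth keeping: it catches the tempting A-record "fix" that silently sends a share of users to a domain controller.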
The problem can be solved by using a proxy server:
1) The proxy server uses an external DNS server, so it resolves mydomain.com to the actual web server, not the DCs.
2) The Internet Explorer programs should be configured to use the proxy server, making use of Group Policies.
After that, when the internal clients type mydomain.com in the address bar, the proxy server resolves the name, gets the actual address and proxies the request to the actual Web server.
Murat Yildirimoglu
muraty September 26, 2008
I for one would never use the external domain as the root for AD. Rather, I'd create a subdomain ad.mydomain.com for AD. That way I can have my ISP do the external DNS of mydomain.com and my internal domain will be separated from the external zone while maintaining connectivity. If I later added some other subdomain, say corp.mydomain.com, whether it's AD or not, I could add glue records in the mydomain.com domain for both ad.mydomain.com and corp.mydomain.com to ensure that the domains could cross-resolve names.
Using a proxy server isn't a solution IMHO, more like a workaround, posing a whole other administrative challenge. Proxies should (again, IMHO) be transparent to the client computer as well as the user and administrator, i.e., traffic inspection and web caching on the default gateway.
Snowdon October 18, 2008
I have the same setup and honestly don't think there is a viable solution. Our website is hosted externally so it effectively creates a split-brain DNS. The host handles external DNS and we handle internal DNS in an AD integrated zone. This seems to be one downside to using the same domain name internally and externally. I have set up a CNAME for "www" and that seems to be as good as it can get. The proxy solution does not really work (even with a stub zone) since the DNS lookup is going to hit the internal DNS servers first, realize the domain name should be resolved locally, but be unable to resolve a lookup with no "www". There is no provision in DNS to forward based on the subdomain, only on the second level domain.
pdiamond October 31, 2008
I agree with Murat Yildirimoglu on this one also. I have worked with a govt agency that faced similar problems and they resolved it by utilizing a proxy server to resolve to the external DNS.
anthonycasillas November 14, 2008
Murat & anthonycasillas - What happens when you try to resolve internal names through the proxy server? Wouldn't the proxy solution require listing all your internal servers in the external DNS zone?
Or more precisely, how do you configure it to resolve internal names using internal DNS servers but a single mydomain.com record using an external DNS server?