What you've done is created a split-brain DNS namespace. This is bad.
First of all, let's establish a few things.
You should have more than 1 Domain Controller.
You should run DNS on at least two of your Domain Controllers.
Active Directory clients (your internal domain-joined PCs) should only point to DCs for their DNS.
Why is this happening?
Ok, now that that's out of the way, let's talk about why you're experiencing what you are. You seem to have an internal Active Directory named sightly.com. It sounds like this is also your publicly registered web presence. Domain Controllers have SOA and NS records for the DNS zone that they hold. They are authoritative for this zone. This means that any internal client using them for DNS will assume that your DCs have all of the hosts in the sightly.com zone. If you have a public website called sightly.com that's hosted externally, you'll notice that your internal clients can't get there either unless you have a subdomain like www. configured for it. This is because your Domain Controllers register themselves as sightly.com with "same as parent" A records in DNS.

So, you can see that there's a problem here since you now have two sets of DNS servers that think they're authoritative for the same sightly.com zone. You'll never be able to get to an external sightly.com without prepending something like www. unless you run a web service on each DC to redirect traffic externally (don't actually do this, it's bad). You can get to subdomains of sightly.com only if you duplicate the external DNS records on your Domain Controllers' copy of the sightly.com zone.
How can you fix it?
Change your Active Directory domain name to be an unused subdomain of sightly.com. Something like internal.sightly.com or ad.sightly.com. If you've got a lot of machines joined and GPO configured, this might not be the best bet. But, by the sound of it, this isn't the case. Seriously, if it's at all possible - start over and name your AD correctly. I wrote a blog post and a Q&A about naming Active Directory. I strongly encourage you to read them before you do anything else.

If you can't or won't rename your existing domain (I still think you should), then you'll have to make a duplicate DNS entry on your internal DNS zone for each external resource in sightly.com. So, somewhere in the cloud, you probably have a DNS host that keeps track of the DNS records for sam.sightly.com and every other external resource. You now have to keep duplicate records on your Domain Controller for all of these.
TL;DR
Maintain duplicate records on your internal DNS or rename your AD domain. If I were you, I'd rename if possible.
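As an added example (not part of the answer above, and not a script from the answer's author), the following PowerShell audits the split-brain condition the answer describes and, for the "duplicate records" workaround, shows what keeping those duplicates on the DC actually involves. It uses the DnsServer module (RSAT DNS tools) cmdlets Resolve-DnsName, Get-DnsServerResourceRecord, Add-DnsServerResourceRecordA and Add-DnsServerResourceRecordCName. The zone name sightly.com and the host sam come from the question; the DC name, the public resolver address and the www host are placeholders you would replace with your own.

```powershell
# Added example: audit a split-brain AD zone and mirror external records into the DC's copy.
# Placeholders (assumptions, not from the answer): $Dc, $PublicResolver, 'www'.
# Needs the DnsServer module and rights to edit the zone on the DC.
param(
    [string]$Zone           = 'sightly.com',        # AD domain name that is also the public zone
    [string]$Dc             = 'dc01.sightly.com',   # placeholder: an internal DNS server (a DC)
    [string]$PublicResolver = '1.1.1.1',            # placeholder: any resolver outside the AD
    [string[]]$ExternalHosts = @('www', 'sam'),     # relative names hosted outside AD
    [switch]$Fix                                    # only create records when explicitly asked
)

# 1. Show the symptom: the zone apex answers differently inside and outside.
#    Inside, the "same as parent" A records return the DCs; outside, the public web host.
$internalApex = Resolve-DnsName -Name $Zone -Type A -Server $Dc -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A' | ForEach-Object IPAddress
$externalApex = Resolve-DnsName -Name $Zone -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A' | ForEach-Object IPAddress
"Apex $Zone  internal: $($internalApex -join ', ')  external: $($externalApex -join ', ')"
if ($internalApex -and $externalApex -and -not (Compare-Object $internalApex $externalApex)) {
    'Apex answers match; no split-brain at the zone root.'
} else {
    'Apex answers differ: internal clients land on the DCs, not the public site.'
}

# 2. For each externally hosted name, compare the public answer with the DC's zone copy.
foreach ($h in $ExternalHosts) {
    $fqdn   = "$h.$Zone"
    $public = Resolve-DnsName -Name $fqdn -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue
    if (-not $public) { "$fqdn : no public answer; nothing to mirror"; continue }

    # If the public name is a CNAME (common for cloud-hosted sites), mirror the alias,
    # not the A records behind it, so the internal copy follows the provider's IP changes.
    $cname = ($public | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
    if ($cname) {
        $haveAlias = Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $Zone -Name $h -RRType CName -ErrorAction SilentlyContinue |
            ForEach-Object { $_.RecordData.HostNameAlias.TrimEnd('.') }
        if ($haveAlias -contains $cname.TrimEnd('.')) { "$fqdn : internal CNAME already points to $cname"; continue }
        "$fqdn : MISSING internally -> CNAME $cname"
        if ($Fix) {
            Add-DnsServerResourceRecordCName -ComputerName $Dc -ZoneName $Zone -Name $h -HostNameAlias $cname
            "  created CNAME $fqdn -> $cname on $Dc"
        }
        continue
    }

    # Plain A records: add any public address the DC's zone does not already hold.
    $publicIps   = $public | Where-Object Type -eq 'A' | ForEach-Object IPAddress
    $internalIps = Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $Zone -Name $h -RRType A -ErrorAction SilentlyContinue |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
    $missing = $publicIps | Where-Object { $_ -notin $internalIps }
    if (-not $missing) { "$fqdn : internal copy matches public ($($publicIps -join ', '))"; continue }

    "$fqdn : MISSING internally -> $($missing -join ', ')"
    if ($Fix) {
        foreach ($ip in $missing) {
            Add-DnsServerResourceRecordA -ComputerName $Dc -ZoneName $Zone -Name $h -IPv4Address $ip -TimeToLive ([TimeSpan]::FromHours(1))
            "  created A $fqdn -> $ip on $Dc"
        }
    }
}
```

Run it without -Fix first to see the report; with -Fix it writes the missing records to the DC. The point the answer makes becomes visible here: every external host has to be listed in $ExternalHosts by hand, and the script has to be rerun whenever the public records change, which is the ongoing maintenance cost of keeping the split-brain zone instead of renaming the AD domain.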