
Here is my situation. I have a 2012 Active Directory server with DNS installed on it. I also have a SonicWall NSA 240 router which I have acting as the DHCP server. On the SonicWall I set the DNS entry to be the following:

Primary - 172.16.0.6 (IP of the DNS server), secondary - 4.2.2.1

Everything works and I can even join the domain on client machines. However, if I try to go to sam.sightly.com, which is a web server we host, my browser comes back saying that the page cannot be displayed and to check my DNS settings. However, regular internet browsing works.

If I flip the DNS entry and go:

Primary - 4.2.2.1, secondary - 172.16.0.6

My issue goes away; however, I can no longer join the domain, and I can go to sam.sightly.com.

Thanks in advance.

Matt

2 Answers


What you've done is created a split-brain DNS namespace. This is bad.

First of all, let's establish a few things.

  1. You should have more than 1 Domain Controller.

  2. You should run DNS on at least two of your Domain Controllers.

  3. Active Directory clients (your internal domain-joined PCs) should only point to DCs for their DNS.

Why is this happening?

Ok, now that that's out of the way, let's talk about why you're experiencing what you are. You seem to have an internal Active Directory named sightly.com. It sounds like this is also your publicly registered web presence. Domain Controllers have SOA and NS records for the DNS zone that they hold. They are authoritative for this zone. This means that any internal client using them for DNS will assume that your DCs have all of the hosts in the sightly.com zone. If you have a public website called sightly.com that's hosted externally, you'll notice that your internal clients can't get there either unless you have a subdomain like www. configured for it. This is because your Domain Controllers register themselves as sightly.com with same as parent A records in DNS.

So, you can see that there's a problem here since you now have two sets of DNS servers that think they're authoritative for the same sightly.com zone. You'll never be able to get to an external sightly.com without prepending something like www. unless you run a web service on each DC to redirect traffic externally (don't actually do this, it's bad). You can get to subdomains of sightly.com only if you duplicate the external DNS records on your Domain Controllers' copy of the sightly.com zone.

How can you fix it?

  1. Change your Active Directory domain name to be an unused subdomain of sightly.com. Something like internal.sightly.com or ad.sightly.com. If you've got a lot of machines joined and GPO configured, this might not be the best bet. But, by the sound of it, this isn't the case. Seriously, if it's at all possible - start over and name your AD correctly. I wrote a blog post and a Q&A about naming Active Directory. I strongly encourage you to read them before you do anything else.

  2. If you can't or won't rename your existing domain (I still think you should), then you'll have to make a duplicate DNS entry on your internal DNS zone for each external resource in sightly.com. So, somewhere in the cloud, you probably have a DNS host that keeps track of the DNS records for sam.sightly.com and every other external resource. You now have to keep duplicate records on your Domain Controller for all of these.


TL;DR
Maintain duplicate records on your internal DNS or rename your AD domain. If I were you, I'd rename if possible.

Esa Jokinen
MDMarra
  • Thanks, I'll check this out tomorrow when I get in the office :) – Matt Feb 08 '13 at 00:38
  • By the way, I just threw this domain together so it's OK if I even rebuild it. I have no one joined outside of test systems. – Matt Feb 08 '13 at 00:40
  • Well that's good news. Definitely `dcpromo` that domain controller and rebuild your AD with a better name! – MDMarra Feb 08 '13 at 00:59
  • Thanks everyone. I just rebuilt everything and gave it a new name for the domain. Everything is working as I was hoping for. – Matt Feb 11 '13 at 17:00

Naturally. Because your internal DNS server is authoritative for the sightly.com DNS namespace. When clients that use the internal DNS server ask for sam.sightly.com, the DNS server can't find a DNS record for that name in its sightly.com DNS zone. What you need to do is to add a DNS record in the internal sightly.com DNS zone for sam (sam.sightly.com) pointing to the external IP address of the sam.sightly.com web server.

joeqwerty
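If the domain keeps the sightly.com name, the duplicate records both answers describe have to stay in step with public DNS. The following is an added example, not part of either answer: a PowerShell audit that asks the internal DNS server and a public resolver for the same names and reports the gaps. The server addresses and sam.sightly.com come from the question; the `www` entry, the `Get-ARecord` helper and the status labels are assumptions made for illustration.

```powershell
# Added example: audit split-brain gaps between internal and public DNS.
$Zone        = 'sightly.com'
$InternalDns = '172.16.0.6'     # DC running DNS (from the question)
$PublicDns   = '4.2.2.1'        # public resolver (from the question)
$PublicNames = @('sam', 'www')  # 'www' is a hypothetical second public host

function Get-ARecord {
    # Hypothetical helper: sorted IPv4 addresses for a name as seen by one server.
    param([string]$Fqdn, [string]$Server)
    try {
        $answers = Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop
        # A CNAME chain also returns CNAME objects, so keep only the A records.
        $answers | Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress | Sort-Object
    } catch {
        # NXDOMAIN or timeout: emit nothing, the caller sees an empty list.
    }
}

$report = foreach ($label in $PublicNames) {
    $fqdn     = "$label.$Zone"
    $internal = @(Get-ARecord -Fqdn $fqdn -Server $InternalDns)
    $public   = @(Get-ARecord -Fqdn $fqdn -Server $PublicDns)

    if ($public.Count -eq 0) {
        $status = 'NoPublicRecord'
    } elseif ($internal.Count -eq 0) {
        $status = 'MissingInternally'   # the symptom described in the question
    } elseif (Compare-Object $internal $public) {
        $status = 'Mismatch'            # internal copy differs from public DNS
    } else {
        $status = 'OK'
    }

    # Suggested fix is printed for review only; nothing is changed here.
    $fix = if ($status -eq 'MissingInternally') {
        $public | ForEach-Object {
            "Add-DnsServerResourceRecordA -ZoneName $Zone -Name $label -IPv4Address $_"
        }
    }

    [pscustomobject]@{
        Name     = $fqdn
        Internal = $internal -join ','
        Public   = $public -join ','
        Status   = $status
        Fix      = $fix -join '; '
    }
}

$report | Format-List
```

A `Mismatch` result is not always an error: an internal record can point at a private address on purpose, so review it before changing anything.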