  1. #1
      Rise Company
    Engineering and Technology

    Windows Server internal domain vs external website



    Our internal domain name is called "abc.com" and our company website is called "abc.com". I have created an "A" record that points to www.abc.com so staff can browse the website from within the office. The problem is that if people enter "abc.com" from a web browser within the office it does not resolve in an efficient manner. Can someone please help?


    1- Put any public DNS server as primary and your internal DNS as secondary on the client computers and it will work fine.

    I rebooted the DNS server/client services on both the domain controller and the user PCs, then ran the following commands on the server/client machines, and it kind of worked, but it took some time to update.

        ipconfig /flushdns
        ipconfig /registerdns
        nbtstat -RR
        nbtstat -rr
        nbtstat -r
        arp -d

    The problem I had is different. My website opens inside my domain, but recent changes done by web developers take a really long time to load. The above commands helped me with this issue, but I would not recommend it though.

    2- This scenario is called a Split Zone, where the name is the same internally and externally.
    As Jorge indicated, it requires a registry change, but it has to be done on all DCs. This is because it is altering the "same as parent" name in DNS. This record, which many refer to as the 'blank domain entry' (where you don't need the 'www' in front of it), is referred to in AD as the LdapIpAddress. This record is used for DFS and GPOs. It's the record your client machines query for when the GetGpoList function runs to retrieve GPOs, among other things.
    You can get away with not altering the registry, but it would require installing IIS on each DC. Then in IIS, you can configure a redirect under the Default Website to point to www.abc.com. This is a quick way to handle it, but I don't condone or recommend IIS on a DC.
    The third option is to have your users simply live with using www, instead of altering anything on the DCs.
    I have more on it in my blog, which you can read at the link below.

    Split Zone or no Split Zone - Can't Access Internal Website with External Name
    http://msmvps.com/blogs/acefekay/arc...rnal-name.aspx
    I hope both my blog and Jorge's blog provide a greater understanding of what's going on in a same internal and external domain name scenario.







    ------------------------------------------------------------------------
    Rise Company for Engineering & Technology
    ------------------------------------------------------------------------
    Web Hosting | Web Designing | E-Marketing

    # 1 Business Services

    Web Hosting - Business Emails

    Web Design - Google Adwords

    www.rise.company | www.rise.company/emails




  2. #2
      Rise Company
    Engineering and Technology

    Each of the proposed solutions is valid and each has its associated costs.
    1) simply tell users they must use the 'www' record.
    2) Install IIS on the DCs and redirect
    3) Prevent the DCs from registering of the domain host records

    All three are correct answers, when considering how to handle this issue. The solution that is actually implemented will depend on the organization. I can tell you certain factors such as user acceptance may rule out #1, security policies may rule out #2, and as Tiger indicated certain DFS and GPO operations may rule out #3, especially for those organizations that do not have alternate methods of name resolution, specifically NetBIOS where the domain name can be resolved using WINS 1C records.
    Interflex, you should select one or more of the proposed solutions based on the business needs of the organization.



  3. #3
      Rise Company
    Engineering and Technology

    Choosing a Domain Name for your Active Directory

    Wednesday, October 19, 2011

    Windows Server 2008, Windows Server 2012


    It is a really important step in the planning phase when considering what Active Directory (AD) Domain Name to select. This is especially true when administrators find themselves in a situation that a bad name choice was made and now they may be considering a domain name rename. That is a really bad situation to be in, even though a domain name rename is supported as of AD 2003.
    Generally there are three choices to pick when deciding which name to use.

    1. Use the same internal and external DNS domain name (internal/external: company.com).
    2. Use a different internal and external DNS domain name (internal: company.loc vs. external: company.com)
    3. Use a sub-domain of the external DNS domain name for the internal namespace (internal: int.company.com vs. external: company.com).

    For this article, we are going to assume that you decided on option #1. Personally, I find the first option to be the best, even though it is least recommended by Microsoft. The main reason why it is not recommended is that if you are not very familiar with DNS administration, it is possible to expose your Active Directory records to the Internet. However, if you design the infrastructure correctly, you will transparently provide services to your internal and external users accessing resources using the same domain name. Proper DNS design will be discussed in a future article.
    I have experienced firsthand this gotcha back with my first implementation of Active Directory using the same internal and external name. The problem was with internal users accessing the company's website using the same domain name. For example, let's say that the domain name is widgets.com. Our DNS administrators correctly separated the DNS environment so that a dedicated external DNS infrastructure supports the external Internet traffic, while the internal DNS infrastructure supports the Active Directory infrastructure. However, when internal users open a browser and type http://widgets.com, they are only able to access the web page a certain percentage of the time. Most of the time, the users would simply get a Page Not Found.
    While researching this issue, I noticed that the DOMAIN CONTROLLERS in the widgets.com domain were registering a blank, parent record for the domain name with the IP address of each DC. This is the default behavior of Active Directory Domain Controllers. This record is actually called the LdapIPAddress. Therefore, the internal DNS zone for Widgets.com had the following records:

    • widgets.com 65.85.0.1 (Public IP for website, simply an example)
    • widgets.com 192.168.0.1
    • widgets.com 192.168.0.2
    • widgets.com 192.168.0.3
    • www.widgets.com 65.85.0.1 (Public IP for website)

    As you may notice in this example, the private IPs 192.168.0.1-3 belong to the Domain Controllers. The 65.85.0.1 is the public IP of the external web server, created by the DNS Administrator. In this scenario, when a request would come into the internal DNS server for "widgets.com", the DNS server would respond with the four (4) records. Then your browser would connect on the first IP that it resolved the name to. In this hypothetical scenario, you would expect that only 25% of your internal users would be able to access the website (25% because of DNS round robin).
    There are a few ways to handle this situation:

    1. Educate your users to access the website by using the "www" record instead of the parent domain name.
    2. Install IIS on every domain controller and redirect users to the "www" page.
    3. Prevent the DCs from updating the LdapIPAddress.

    Educate your users

    Educating users may be challenging to do. In addition, in larger environments, this task becomes too difficult to keep up with because of the turn-around of employees. Also, non-technical users really don't understand the difference between the http://www.ITGeared.com and http://itgeared.com, so even if you educate them, they will most likely try either record until a page is displayed.

    Install IIS on DCs

    The second method of installing IIS on the DCs will easily mitigate this issue. The reason is because if the client resolves the domain name to the IPs of the DCs, the client will access the web services installed on the DCs. All you would need to do is either redirect the user via native IIS tools, or create a default page that redirects the user programmatically.

    Registry Edits

    The third method can work very well in situations where security policies do not allow IIS to be installed on Domain Controllers. Preventing the LdapIPAddress from registering in DNS can be an easy fix, but it does require a manual entry in the registry of each domain controller and a manual entry in DNS for those DCs that also serve as the Global Catalog server. The registry entry should be created prior to the DCPROMO process.
    To prevent a DC from registering the domain name with its IP address, create a DWORD called RegisterDnsARecords in this location: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    This DWORD specifies whether the domain controller registers Domain Name System (DNS) A (address) records for the domain. If the domain controller is a global catalog resource, then this entry also determines whether the domain controller registers DNS A records for the global catalog. A value of 0 will not allow the DC to register these records (domain name and GC record if applicable), and a value of 1 will allow the DC to register the records.
    Since this also prevents the DC from registering the GC record in DNS, you will also have to create that record manually in the AD DNS zone. In our example, this record would be required for each DC that you modified the registry on. We will assume that all DCs in this example are also Global Catalog servers.

    • gc._msdcs.widgets.com A 192.168.0.1
    • gc._msdcs.widgets.com A 192.168.0.2
    • gc._msdcs.widgets.com A 192.168.0.3

    Refer to this Microsoft article for more information:
    Registration of gc._msdcs.dnsforestname Records in DNS Is Required
    http://support.microsoft.com/default.aspx/kb/258213?p=1
    Important NOTE regarding LdapIPAddress: If you are considering preventing this record from being registered in DNS, there are some implications that may impact your ability to locate certain services in the domain. You should be fully aware what these implications are and how to overcome them.
    Read more about LdapIPAddress:
    AD DS: This domain controller must register its DNS host (A/AAAA) resource records for the domain: http://technet.microsoft.com/en-us/l...58(WS.10).aspx
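A check for the situation described in post #3, added here as an example and not taken from the post or from Microsoft: it lists the A records the internal DNS server returns for the bare domain name, reads RegisterDnsARecords on the local machine, and reports DCs that lack a gc._msdcs A record. The domain and IP values are the post's example values; the function names and the choice of 192.168.0.1 as the DNS server to query are assumptions.

```powershell
# Added example: audit the "same as parent" (LdapIpAddress) records in a split zone.
# Values below are the example values from the post; replace them with your own.
$Domain    = 'widgets.com'
$DnsServer = '192.168.0.1'                       # assumption: internal DNS server to query
$DcIps     = '192.168.0.1','192.168.0.2','192.168.0.3'
$WebIp     = '65.85.0.1'

function Get-ARecordIps {                        # hypothetical helper name
    param([string]$Name, [string]$Server)
    # Resolve-DnsName ships with the DnsClient module (Windows 8 / Server 2012 and later).
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

function Test-SplitZoneApex {                    # hypothetical function name
    param([string]$Domain, [string]$Server, [string[]]$DcIps, [string]$WebIp)

    $apex = @(Get-ARecordIps -Name $Domain -Server $Server)
    $gc   = @(Get-ARecordIps -Name "gc._msdcs.$Domain" -Server $Server)

    [pscustomobject]@{
        ApexRecords        = $apex
        # Apex answers that point at a DC: a browser landing here gets no website.
        ApexPointingAtDc   = @($apex | Where-Object { $DcIps -contains $_ })
        ApexHasWebIp       = $apex -contains $WebIp
        # With RegisterDnsARecords = 0 these must be created by hand for every GC.
        DcsMissingGcRecord = @($DcIps | Where-Object { $gc -notcontains $_ })
    }
}

# Registry value from the post; absent means the default (the DC registers the records).
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$reg   = Get-ItemProperty -Path $key -Name RegisterDnsARecords -ErrorAction SilentlyContinue
$state = if ($null -eq $reg) { 'not set (default: registers A records)' } else { $reg.RegisterDnsARecords }
"RegisterDnsARecords on $env:COMPUTERNAME : $state"

$r = Test-SplitZoneApex -Domain $Domain -Server $DnsServer -DcIps $DcIps -WebIp $WebIp
$r | Format-List
if ($r.ApexPointingAtDc.Count -and $r.ApexHasWebIp) {
    '{0} of {1} apex answers lead to a DC, not the web server.' -f $r.ApexPointingAtDc.Count, $r.ApexRecords.Count
}
if ($r.DcsMissingGcRecord.Count) {
    "Missing gc._msdcs.$Domain A records for: $($r.DcsMissingGcRecord -join ', ')"
}
```

Run it on each DC after the registry change: the apex should then return only the web server's address, and the missing-record list should be empty once the gc._msdcs entries have been created by hand.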


