Let's look at an example to see how to set up these two sets of books. Suppose we have a domain named acme.com. On that domain, we have a few DNS addresses that we want the outside world to be able to see: two DNS servers (ns1.acme.com and ns2.acme.com), a mail server (mail.acme.com), and a Web server (www.acme.com). Our externally visible acme.com zone, then, is slim: fewer than a dozen records, all of which refer to routable IP addresses accessible through the public Internet. We create that zone file and put it on our two externally visible DNS servers, ns1.acme.com and ns2.acme.com. (We might not even run our own DNS servers; for a zone that small, many firms simply let their ISP host the files.) Network Solutions has the addresses of ns1.acme.com and ns2.acme.com in its database of all DNS servers, and any DNS server outside of Acme (the kind that a user on the Internet might query) will need to ask Network Solutions' DNS servers where to find the acme.com servers. Consequently, the only servers that outsiders will see are ns1.acme.com and ns2.acme.com.
Inside Acme, however, we have an intranet built on nonroutable addresses (perhaps a 10.x.x.x network) that uses some kind of port address translation scheme to connect to the Internet. Anyone inside Acme can initiate communication to the Internet, but people on the Internet can't initiate communication to our internal 10.x.x.x addresses. (To keep this example simple, the port address translation is the only "firewall" that we'll imagine for Acme.)
On the intranet, we set up a group of DNS servers that act as preferred DNS servers for other machines on the intranet. Those DNS servers use the external acme.com DNS servers as forwarders, enabling people within the intranet to resolve names and surf the Internet. The internal DNS servers aren't simply caching-only DNS servers; those internal servers also hold a copy of an acme.com zone. However, that zone isn't the externally visible acme.com zone that ns1.acme.com and ns2.acme.com hold. Rather, the internal DNS servers hold an acme.com zone that AD and DDNS built. If that internally visible acme.com zone is an AD-integrated zone, then the internal DNS servers are Win2K DCs for the acme.com AD domain.
If you've never set up a split-brain DNS structure, you should take a minute to review and think about what's going on. None of the systems within the Acme intranet use the external DNS servers as their preferred DNS-name resolvers; rather, the machines on the intranet look to the intranet's DNS servers to resolve names. Those internal servers hold copies of a zone called acme.com. But the acme.com zone that the internal servers hold is different from the acme.com zone that the outside world sees (although the zone on the internal servers presumably contains the same records that the external servers' zone contains: records that point to the Web and perhaps to mail servers). In addition, the internal zone contains the information that Win2K systems need to locate DCs.
The outside world will never find or refer to those intranet DNS servers because Network Solutions' DNS servers don't know about Acme's intranet DNS servers. So, an attempt to resolve an acme.com name from the Internet never reaches an intranet DNS server. Even if a user from outside Acme were to attempt to use an internal DNS server, that attempt would fail because the internal server has a nonroutable IP address.
Using Slave Servers to Protect Intranet Servers
Before leaving the Acme example, I want to note a potential security problem. I said that the intranet DNS servers use the external DNS servers as forwarders. But recall what happens when a forwarder doesn't respond quickly enough to a name-resolution request: the intranet DNS server searches the Internet's DNS servers to try to find the answer. Security experts say that action results in a potentially troublesome hole in security. Simply put, your DNS server could end up connecting to a computer that's masquerading as a DNS server. That false DNS server could exploit the connection to your intranet DNS server to do various kinds of mischief.
To avoid this exposure, you can tell your intranet DNS servers that if the external DNS servers time out without resolving a name, the intranet servers must not attempt to resolve the name on their own. To configure your internal servers, go to the Forwarders tab in the DNS MMC snap-in and select the "Do not use recursion" check box. You then have what Microsoft calls a slave server.
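To make the two zone copies and the slave-server behaviour concrete, here is a small model of Acme's setup. It is an added example, not code from the article: the zone contents, the 203.0.113.x public addresses, the 10.0.0.5 DC address and the example.org "Internet" entry are all constructed sample data, and resolve_internal() is a stand-in for the intranet server's decision logic, not Microsoft's implementation.

```python
# Constructed sample data: the externally visible acme.com zone holds only
# the records the Internet needs, all on routable addresses (203.0.113.0/24
# stands in for Acme's public block).
EXTERNAL_ZONE = {
    "acme.com":      {"NS": ["ns1.acme.com", "ns2.acme.com"]},
    "ns1.acme.com":  {"A": ["203.0.113.1"]},
    "ns2.acme.com":  {"A": ["203.0.113.2"]},
    "mail.acme.com": {"A": ["203.0.113.10"]},
    "www.acme.com":  {"A": ["203.0.113.20"]},
}

# The internal acme.com zone repeats the public names but adds the records
# that AD and DDNS register, all on the non-routable 10.x.x.x intranet.
INTERNAL_ZONE = {
    **EXTERNAL_ZONE,
    "acme.com":     {"NS": ["dc1.acme.com"]},      # internal NS, not ns1/ns2
    "dc1.acme.com": {"A": ["10.0.0.5"]},
    "_ldap._tcp.dc._msdcs.acme.com": {"SRV": ["0 100 389 dc1.acme.com"]},
}

# Constructed stand-in for everything else on the Internet.
INTERNET = {"example.org": {"A": ["198.51.100.7"]}}

def lookup(zone, name, rtype):
    """Answer from one zone copy; [] when that copy does not know the name."""
    return list(zone.get(name, {}).get(rtype, []))

def resolve_internal(name, rtype, forwarder_up=True, slave=True):
    """How an intranet DNS server handles a client query.
    Returns (answers, source); source records which path answered."""
    answer = lookup(INTERNAL_ZONE, name, rtype)
    if answer:
        return answer, "internal-zone"
    if forwarder_up:
        # ns1/ns2 act as forwarders: they answer from the external zone or
        # recurse on the intranet server's behalf.
        answer = lookup(EXTERNAL_ZONE, name, rtype) or lookup(INTERNET, name, rtype)
        return answer, "forwarder"
    if slave:
        # Forwarders timed out and "Do not use recursion" is set: fail the
        # query rather than contact arbitrary Internet servers.
        return [], "SERVFAIL"
    # Non-slave fallback: the intranet server itself walks the Internet,
    # which is the exposure the article warns about.
    return lookup(INTERNET, name, rtype), "internet-recursion"
```

Querying the external copy for dc1.acme.com returns nothing, which is the whole point of the split: the DC records and SRV records exist only in the zone the intranet servers hold.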
Fitting into an Existing DNS Structure
What if Acme already has a DNS structure in place, perhaps some non-Win2K computers run by people who've been managing the DNS structure for years without having to worry much about Win2K and NT? Those folks might not be happy about having AD put a lot of information in their zones. Or maybe Acme's existing DNS infrastructure doesn't support DDNS or Internet Engineering Task Force (IETF) Request for Comments (RFC) 2782 service resource records (SRV RRs), making the infrastructure unacceptable for AD. If you're faced with an AD-unfriendly infrastructure, what can you do?
The simplest answer is that you can create a subdomain. Instead of giving the AD domain the same name as the organization's top-level domain (TLD), acme.com, for example, you can create a subdomain named something like win2k.acme.com or ds.acme.com, where ds stands for directory service. The benefit of this approach is that it doesn't affect the TLD's zone very much. Creating a child domain, such as ds.acme.com, in acme.com requires only a few records in the acme.com zone file: an NS and an A record for each DNS server in the subdomain. The NS record points to a Win2K system that acts as the DNS server for the ds.acme.com subdomain.
The bottom line is that AD requires a well-built DNS underpinning to work correctly. But the techniques of DNS design aren't complex; they're just new to most of us. If you use the points in this article to build your DNS structure, you'll be well on your way to a sturdy AD domain.
This split-brain DNS problem is one of the reasons why I have not set up a Win2000 domain in our company until now. I did not know how to set up the DNS zones for the Internet and intranet on the domain controller. If I understand you right, it is not possible to use the same DNS server (Win2K DC) for both the Internet and the intranet zone when you use the same zone name (here acme.com for Internet names and e.g. intern.acme.com for internal names).
Wolfgang Holesch October 22, 2001
Hey Wolfy!! That's the whole point of DDNS man!!! It's "DYNAMIC"!!!!
IT'S....GREAT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Morgan Hansen November 28, 2001
I'm embarking on a Windows 2000 Active Directory (AD) and Microsoft Exchange 2000 Server upgrade. In preparation for domain-naming considerations, I read Mark Minasi's article about split-brain DNS configuration, which would let me use my public domain name, tharaldson.com, in domain naming. I subsequently read Douglas Toombs's "Single-Domain Migration" (July 2001, InstantDoc ID 21129), which advocates assigning a naming scheme such as tharaldson.internal. The Microsoft article "Considerations for Designing Namespaces in Windows 2000-Based Domains" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q285983) also mentions using different internal and external naming conventions. In my current configuration, my ISP hosts both my primary and secondary DNS, and the only boxes that use DNS are my proxy, Web, and mail servers. The split-brain approach seems to be the most logical approach to me, but do any public and private name-confusion concerns exist with using my public domain name in AD?
Kelly Kittelson
kkittelson@tharaldson.com
Either naming scheme will work. I like split-brain for one reason: I get to call my machines something.minasi.com, rather than something.minasi.local. What you choose is simply a matter of taste.
Mark Minasi
Kelly Kittelson February 05, 2002
I've just read this article. I've found it via a search while trying to troubleshoot a split-DNS (split brain) problem.
I have a normal split-brain (same DNS zone internal and external)... but internally I have additional delegated sub-zones on additional servers. I want to be able to point clients at the DNS servers hosting the delegated sub-zones and for forwarding to occur from the parent domain. The trouble is forwarding doesn't seem to work when received via a referral.
I can't (don't want to) forward from my delegated sub-domains as this would result in internal clients resolving external addresses for hosts that have different internal/external addressing. I'd also rather forward externally from a single internal host than distribute forwarding across multiple sub-domains and locations.
A sub-domain referral to the parent domain and then subsequent forwarding used to work with NT4 DNS. With Windows 2000, forwarding in this way doesn't seem to happen.
Any way to overcome / workaround this?
Ian Drew February 19, 2002
I've been reading over this AD & DNS; you guys have done a great job here. Please, can someone help me with tips on how I can set up a DNS server in our network? We have a network using VSAT. I will be very grateful if anyone can be of help, or contact me at my email addy. Thanks and keep up the good work.
Stanley A. Jonathan December 26, 2002