FAO: DNS Gurus

[Moby-Dick]

<john tickle>Here's one for you</john tickle>

supposing I have an active directory called company.local
I also have an exchnange 2003 setup with a primary mail address of company.com
DNS for company.com is externally hosted

I want to have a local "version" of the company.com DNS zone , that I want to contain some override entries , for example to reroute our OWA URL so that it does not go out via the proxies , and to add some extra SRV records for a live communication server environment. Any unresolved entries would need to be handled by the external DNS server.

I would rather not have to manually recreate a copy of the external zone on our internal DNS servers.

I'm sure there is a more elegent solution - I was looking along the lines of different NS records within the localised zone.

[Zak33]

get a mail boy....

he can make tea as well

/gets goat

[nameinuse]

If you've got the AD company.local you don't really need the entries for company.com for things to work - just add entries that need to be externally available to the company.com domain. Everything internal should be running off windows own DNS (unless you've got something else set up), so anything you enter in the DNS settings on the Domain Controller (or wherever else you have the clients asking for DNS, as set by DHCP I imagine) will be available to your local clients only.

So, for example, with local OWA access, you'd add the record owa.company.com on your DC to point to the local address the interface is hosted on and configure the address as a proxy exception in Group Policy. For external access, you'd forward everything that came in on that port or IP address to the appropriate box internally (though this does depend on you having the normal NAT router setup - if it's an odd topology you're working with, let me know).

Not sure how much of what you asked that covers, but should be a start...

[Moby-Dick]

If you've got the AD company.local you don't really need the entries for company.com for things to work - just add entries that need to be externally available to the company.com domain. Everything internal should be running off windows own DNS (unless you've got something else set up), so anything you enter in the DNS settings on the Domain Controller (or wherever else you have the clients asking for DNS, as set by DHCP I imagine) will be available to your local clients only.

Thats not the problem - this is a domain with currently about 350 DC's and a couple of thousand worstations. Local DNS is just peachy

So, for example, with local OWA access, you'd add the record owa.company.com on your DC to point to the local address the interface is hosted on and configure the address as a proxy exception in Group Policy. For external access, you'd forward everything that came in on that port or IP address to the appropriate box internally (though this does depend on you having the normal NAT router setup - if it's an odd topology you're working with, let me know).

Not sure how much of what you asked that covers, but should be a start...

in order to add any records for company.com , you need to add company.com as another forward lookup zone on the local DNS server ( of which we have 8 or 9 )

My problem is the need to add SRV records for company.com for use by Live Communications server.

having done some more research on split DNS structures, it looks like there is no automated way to create the local 'copy' of the external DNS zone and still have it writeable. We'll have to create the local copy manually, which is a bit of a pain , but I can live with it ( already requested a copy of the external zone from the hosts so that I know if there are any other records besides the usual www and mail ones. )

[nameinuse]

Sorry, rather underestimated the complexity of what you're doing there... with that large an organisation I'm surprised you're not running your own nameservers, though.

I've only recently moved to somewhere you could call a "large" organisation, with a few thousand workstations, but they're somewhat windows-phobic so my challenges are more make-AD-talk-to-everything-else... Helps to be at a university and have internet IPs for every host, though.

[Moby-Dick]

we do run our own internal name servers for the two domains we run, but host very little public facing services from our own WAN , so the need for external DNS isn't really there ( public webservers are colocated )

[Atomic]

Helps to be at a university and have internet IPs for every host, though.

Offtopic.

Anothe Uni techie Which uni you work at? I work at UEA here in Norwich. The IP structure is great, ask the DutyOp to punch a hole in the firewall and your server is on the internet, easy. Very useful for me as I work with remote sites alot.

[nameinuse]

I'm sure you know what you're doing better than I do with that many computers in your network! We're rather spoilt with bandwidth here, so everything is on site.

Atomic - I'm at Sussex, just outside of Brighton. Things are a little slower for us on the network side, and there is some resistance to using Windows at all as a server platform, which is a shame, as it does some things very well indeed (I'm just about to start operation Exchange - I've really struggled to get used to a place without it's calendaring). Aside from that, it's very good. Everything's stable, and there are people to do most of everything - it's completely different from the last place I worked, where it was a case of do everything yourself, for no cost!

[Moby-Dick]

Our External Bandwidth isn't up to much here - my home Fibre has more !

[nameinuse]

I don't think you're going to get much sympathy for that... I might have to move to Japan, apparently they do full-speed ethernet to homes now.

[jesta987]

Hi
I'm not sure how feasible this is as I don't know anything about windows but could you not run the primary dns on your WAN and just have that replicated out to the workload dns servers. That way you can have a split horizon setup on the primary and all your dns configuration is centralised.

Pete

[scottyman]

i tend to use split dns to create loical dns strucutres for internal servers only, anything else is done with a forward lookup (including co'lo servers) but it's safer replicating entire structure internally.