I wouldn't worry about it too much. The situation you are in may not be
the optimal design, but it is not an uncommon design either. There are a
pretty large number of AD installs that use a split level DNS structure
the same way you are. I think you've got a pretty good setup right now
with a script that replicates external DNS names in your internal DNS
structure; most places would just leave that as a manual synchronization.
I know of some very large companies that have split level DNS that
replicate them manually.

I'd say live with it the way it is now, and the next time you see an
opportunity to restructure your AD environment, take the time to
redesign the forest and DNS structure the way you want it.

Phil 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, December 16, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Name and DNS Problems

It looks like I am just going to have to deal with the DNS problem as it
is.  I can perform the upgrade as easily as it sounds, but I have never
done one before.  I don't mind jumping in and doing the work, but I don't
think my superiors will let me.  I know that I can set up a test
environment to at least get me familiar with the process for the first
time, but I am sure that it will be deemed too risky by those who will
make the ultimate decision of moving on with this or not.

Aside from that there are licensing issues with the latest version of
Exchange.  I don't think that the money will be invested in the upgrade.

One lesson definitely learned is NEVER to use your already-in-use domain
again for Active Directory.  I guess next time management should have
sent me to training instead of me having to come up with a solution on
my own.

Thank you all for your assistance.

Edwin


On Thu, 2004-12-16 at 14:58 +0100, Jorge de Almeida Pinto wrote:

        and be sure to have a recovery procedure in place (up-to-date and
tested) for your AD forest if something goes wrong!
        regards
        jorge

________________________________


        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
        Sent: Tuesday, December 14, 2004 20:01
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Domain Name and DNS Problems
        
        
        
        Edwin,

        You could theoretically upgrade your Exchange server to E2K3
followed by an upgrade of the OS to W2K3.  At this point, even with the
W2K Pro systems, you could perform a domain rename assuming your forest
has a functional level of (2) Windows Server 2003, as a fix now exists
for E2K3.  Keep in mind that the domain rename process is not for the
faint of heart and you should dedicate an entire weekend to it for your
relatively small environment...just in case.  Also be sure to read
through the approx. 90-page white paper regarding the rename process.

        Aside from that, you are doing what many other organizations do
when a split-brain DNS is implemented.

        Regards,

        Aric

________________________________



        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edwin
        Sent: Tuesday, December 14, 2004 10:01 AM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Domain Name and DNS Problems
        
        
         
        
        That is why I mentioned the Perl script that is used.  That is
exactly what it does.  But this is not what I would like to see.  I
would like for our internal AD DNS to only host records for our internal
systems and forward any other unresolved requests.
        
        
        On Tue, 2004-12-14 at 09:29 -0500, Salandra, Justin A. wrote:
        
        
        
        Why don't you just duplicate the records in the public DNS zone
to the private zone?  That is what I do since both my internal and
external namespaces are the same.
        
         
        
        -----Original Message-----
        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edwin
        Sent: Tuesday, December 14, 2004 9:04 AM
        To: [EMAIL PROTECTED]
        Subject: [ActiveDir] Domain Name and DNS Problems
        
         
        
        Hello Everyone.  I have an ongoing problem and would like to get
some assistance please.
        
        The domain that I am currently responsible for is the first
domain that I have ever configured.  As a result there was a lot of
trial and error and most things were resolved but there remains this one
problem that still lingers.  I will try to explain as best as I can the
scenario.
        
        I work for a company (mycompany.net) and we host many web
servers out on the public Internet.  Our servers follow a naming scheme
that is dependent on the type of OS or special purpose for that server.
i.e. w39322.mycompany.net for Windows Web Servers and
l23841.mycompany.net for Linux servers.  There are other naming
conventions that are not important for this topic.
        
        Throughout the everyday work environment we are constantly
accessing these servers for troubleshooting, investigations or other
general use.  The web servers are authoritative to public name servers
ns1.mycompany.net and ns2.mycompany.net.
        
        When the domain was put online within our internal network, I
used mycompany.net as the domain name.  I also have DNS services for the
domain on one of the DCs.  Since I have named our internal domain the
same as our public domain, we ran into problems where we were no longer
able to connect to our web servers on the Internet.  As a workaround
solution we wrote a Perl script that goes out to our public name servers
and reads the mycompany.net zone and grabs any information that it does
not have.  The data is then written to a text file that then runs DNSCMD
to import the data into the DC's DNS zone for mycompany.net.
        
        This is okay but still problematic and ultimately not the
solution that I would like to have.
        
        Our domain consists of:

        1. 2 Win2K3 Standard DCs
        2. 1 Win2K3 Standard File Server
        3. 1 Win2K Exchange Server with Exchange 2000
        4. Win2K Professional Workstations
        
        From what I understand, Win2K3 has a new feature that will allow
you to change the domain name of an already configured network.  But
this will not apply to me since I have Win2K Pro clients and an Exchange
2K server.
        
        We do have an internal name server, but it is a caching name
server for the authoritative public name server.  It is my understanding
that AD requires the name server to be authoritative for the domain
and to support SRV records.  SRV records are not a problem, but the
authoritative part is, since our public name server holds that role and it
is not able to be changed.  Also, to make the server authoritative would
mean that our internal systems could be known by the public Internet.
        
        Can anyone offer any suggestions to overcome this problem?
Ultimately, what I would like to have done is for the mycompany.net zone
on the AD DNS Server only to contain entries for our internal network.
Any requests not resolved by the AD DNS server then get forwarded to the
public name server.  This would allow me to then clean up the zone for
the AD DNS server and still have the functionality that we require.
        
        Is this possible?
        
        Thank you all for your replies. 
        
        
        
        
        

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
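Added example, not the Perl script from the thread: a one-way diff that finds public mycompany.net records the internal AD zone lacks and renders the dnscmd /RecordAdd lines Edwin's workaround feeds to the DC. It skips NS/SOA so the DCs stay authoritative for the internal copy, and it reports (never overwrites) names where the internal zone already holds different data. Both zone listings, the addresses and the server name are constructed sample values.

```python
# Added example, not the thread's Perl script: one-way sync of public
# mycompany.net records into the internal AD zone. Zone data is constructed.
ZONE = "mycompany.net"

# Authority records are never copied inward: the DCs stay authoritative
# for the internal copy of the zone.
SKIP_TYPES = {"NS", "SOA"}

# Records as (node, type, data); "@" is the zone apex. Constructed values.
PUBLIC_ZONE = [
    ("@", "NS", "ns1.mycompany.net."),
    ("@", "NS", "ns2.mycompany.net."),
    ("www", "A", "203.0.113.10"),
    ("w39322", "A", "203.0.113.22"),
    ("l23841", "A", "203.0.113.41"),
    ("@", "MX", "10 mail.mycompany.net."),
    ("mail", "A", "203.0.113.25"),
]
INTERNAL_ZONE = [
    ("@", "NS", "dc1.mycompany.net."),
    ("dc1", "A", "10.0.0.1"),
    ("www", "A", "10.0.0.80"),        # internal view of www, must win
    ("w39322", "A", "203.0.113.22"),  # already synced on an earlier run
]


def records_to_sync(public, internal):
    """Split public records into (to_add, conflicts).

    to_add:    public records with no internal record of the same node/type.
    conflicts: public records whose node/type exists internally with other
               data; reported for review, never overwritten (internal wins).
    """
    have = set(internal)
    have_node_type = {(node, rtype) for node, rtype, _ in internal}
    to_add, conflicts = [], []
    for rec in public:
        node, rtype, _ = rec
        if rtype in SKIP_TYPES or rec in have:
            continue
        (conflicts if (node, rtype) in have_node_type else to_add).append(rec)
    return to_add, conflicts


def dnscmd_lines(to_add, server="."):
    """Render dnscmd /RecordAdd commands; "." targets the local DNS server."""
    return [f"dnscmd {server} /RecordAdd {ZONE} {n} {t} {d}" for n, t, d in to_add]
```

dnscmd_lines(records_to_sync(PUBLIC_ZONE, INTERNAL_ZONE)[0]) is the batch to run on the DC; the conflicts list is what to look at by hand before each run.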
