I have to ask the question: Why, if you have Qwest hosting your domain as well, are you even hosting your own DNS?
That said, no, you have an issue with name resolution. When hosting multiple DNS domains on multiple networks, it would be commonplace to assign a separate NIC to each domain. However, because of what you are trying to accomplish, I would not want to have my internal DNS host and my external DNS host be the same machine. I'd prefer to separate them to alleviate any addresses from leaking out, even if on a private subnet. Your records are currently showing your internal server. Common practice would be to use your firewall's external port as the inbound point for all inbound traffic. Additionally, it's rare that you want to permit any traffic directly from the internet, but your security policy is the determining factor on that.

Separating your functions can offer some reliability for you. Keeping it all on the same machine puts all of your eggs in one basket, so to speak.

My advice: Let Qwest host all of your DNS. Have it point your web and mail traffic to your external firewall interface. Map it from there to the appropriate host. Take it for what it's worth though.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of david spake
Sent: Tuesday, June 22, 2004 10:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS newbie lost and desperate

Hi,

I've been having problems the last couple of weeks with my network. I inherited a working system that has in the last few days stopped functioning. With everything that happens in the company I haven't proactively read up on DNS and AD enough to save me. I did read through about 8 pages of archived messages and didn't find what I was looking for, or perhaps I just don't know what to search for to find my answer.

My Drama: My company uses Windows 2k servers with Active Directory integrated DNS. Very modest number of computers (45ish company wide). We host in-house on one server our web site and email.
Internal naming is kimoto.com (192.168.x.x) while external naming is kimototech.com (65.114.55.x). There are currently 3 domain controllers. The primary one to this point is being retired as soon as I'm able to figure this out :) which will leave 2. So, I have my server with 2 zones, kimoto.com and kimototech.com, in the forward lookup. In kimoto.com are all our non-public IP addressed computers, and kimototech.com is our public IP addressed/referenced computers. Our company only holds public record rights on kimototech.com (not the name we use internally, kimoto.com).

This is where I'm going to start getting lost - forgive me if this isn't as clear as it should/could be. I'm not altogether sure how AD / DNS is sharing to the internet the correct name server info when my name servers are listed as they are internally, in my outside forward lookup zone. The following may be incorrectly done, but it is my best effort/guess and this is what is set at the moment. I'm attempting to run our DNS as primary and the internet connected DNS server as secondary (that was how I inherited it; I'm trying to restore functionality at this point).

My current kimototech.com zone looks as follows... I copied and pasted the exported info from a text file.

(same as parent folder)  Start of Authority [95]  kimoto2.kimoto.com., admin.kimoto.com.
(same as parent folder)  Name Server              bigkimoto.kimoto.com.
(same as parent folder)  Name Server              kimoto1.kimoto.com.
(same as parent folder)  Name Server              svl-ans-01.inet.qwest.net.
(same as parent folder)  Name Server              dca-ans-01.inet.qwest.net.
(same as parent folder)  Name Server              kimoto2.kimoto.com.
mail                     Mail Exchanger [10]      kimoto1.kimoto.com.
ns1                      Host                     65.114.55.66
ns2                      Host                     65.114.55.67
www                      Alias                    kimoto1.kimoto.com.

What I'm concerned with is that the Nameserver is listed with INTERNAL names, not external - will this cause me problems, or is that correct?
I have NS2 (kimoto2) as my hopeful replacement for ns1 (kimoto1 -- which is the server that is coming down soon as it is very, very old and unstable). My firewall forwards ports for DNS on the correct IPs to the correct server. And if you telnet to port 25 on ns1's address you correctly get presented with the mail welcome.

Am I just being impatient in this not updating yet and propagating? It was last changed at 11:30am Eastern. Is there a way for me to 'force' an update when things are desperately bad? Is there a way for me to actually see when the last update was made against my files?

Thanks for your time and (hopefully) advice. I do hope there isn't any problem with posting this here in this form. I understand it is a risk but it seemed to me most all of it is available with nslookup anyway :)

I'm yours for the saving,
David

p.s. As of this writing, when an NS lookup is done on my company, many private (192.x.x.x) IP addresses are published in the record, along with references to our internal network naming convention -- which is causing browsers and mail to go to never never land, as they seem to be randomly scooped up in response by different people trying to sell it to me.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
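A defender's check for the leakage David describes, added here as an example and not code from the thread or from either poster: it parses lines in the plain-text format of the Windows DNS console export pasted above (the sample zone below is constructed, not David's real export) and flags what a public zone should never carry, namely Host (A) records in RFC 1918 space and SOA/NS/MX/Alias targets under the internal domain suffix. The suffix list and the line layout are assumptions based on that paste.

```python
import ipaddress
import re

# Constructed sample modelled on the zone export in the thread; the internal
# address and mix of records are illustrative, not the poster's real data.
ZONE_EXPORT = """\
(same as parent folder) Start of Authority [95] kimoto2.kimoto.com., admin.kimoto.com.
(same as parent folder) Name Server bigkimoto.kimoto.com.
(same as parent folder) Name Server svl-ans-01.inet.qwest.net.
mail Mail Exchanger [10] kimoto1.kimoto.com.
ns1 Host 65.114.55.66
ns2 Host 192.168.1.20
www Alias kimoto1.kimoto.com.
"""

# Export record types whose data field is a hostname rather than an address.
NAME_TARGET_TYPES = ("Start of Authority", "Name Server", "Mail Exchanger", "Alias")

# owner  type  [optional serial/preference]  data  (assumed console export layout)
LINE_RE = re.compile(
    r"^(?P<owner>\(same as parent folder\)|\S+)\s+"
    r"(?P<type>Start of Authority|Name Server|Mail Exchanger|Alias|Host)"
    r"(?:\s+\[\d+\])?\s+(?P<data>.+)$"
)

def audit_zone(export_text, internal_suffixes=("kimoto.com.",)):
    """Return (line, reason) tuples for records a public zone should not publish."""
    findings = []
    for raw in export_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line; nothing to judge
        rtype, data = m.group("type"), m.group("data")
        if rtype == "Host":
            try:
                addr = ipaddress.ip_address(data)
            except ValueError:
                findings.append((line, "unparseable address"))
                continue
            if addr.is_private:
                findings.append((line, f"RFC 1918 address {addr} in public zone"))
        elif rtype in NAME_TARGET_TYPES:
            # SOA data is "primary, responsible-mailbox"; only the primary is a host.
            target = data.split(",")[0].strip().lower()
            if any(target.endswith(s) for s in internal_suffixes):
                findings.append((line, f"{rtype} points at internal name {target}"))
    return findings

if __name__ == "__main__":
    for line, reason in audit_zone(ZONE_EXPORT):
        print(f"{reason}: {line}")
```

Run the same function over a fresh export of the public zone after each change; an empty result is the condition Al's advice (only firewall-facing names and addresses in the public zone) is meant to reach.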
