Internal External Domain Name

Archived from groups: microsoft.public.win2000.dns

I am currently running SBS2003 behind a Pix firewall and a VPN Concentrator
with NAT. I have an external registered domain name for our E-mail that
points to the external address of our SBS server.

I created a separate internal domain name for our network. Let's call it
abc.com.
Now (3 years later) I realize that I should have named it abc.local or
something else.

I want to register abc.com to prevent someone else from registering the name.

If I register abc.com, will it cause DNS problems for my internal network
users? Will it automatically know to check the local internal DNS server to
resolve to the local address, or will it potentially attempt to resolve to
the external web address?

All users have direct access to the internet through the PIX firewall.

DHCP is configured to put our internal SBS server as the primary DNS server
and an internet server as the secondary server.

I don't plan to use abc.com for any web access, or mail. I just want to
park it so it is reserved.

Our users do use the VPN client to access our network remotely, but our VPN
client is configured to connect directly to the VPN concentrator via IP
address so I am assuming that VPN should not have a problem resolving to the
internal server.

I hope my question is clear. If not please let me know if you need
additional information.

Thanks for your help.

In news:973B4925-899B-4A6B-B491-52DDD36637CD@microsoft.com,
AFS <AFS@discussions.microsoft.com> commented
Then Kevin replied below:
> I am currently running SBS2003 behind a Pix firewall and
> a VPN Concentrator with NAT. I have an external
> registered domain name for our E-mail that points to the
> external address of our SBS server.
>
> I created a separate internal domain name for our
> network. Let's call it abc.com.
> Now (3 years later) I realize that I should have named it
> abc.local or something else.
>
> I want to register abc.com to prevent someone else from
> registering the name.
>
> If I register abc.com, will it cause DNS problems for my
> internal network users? Will it automatically know to
> check the local internal DNS server to resolve to the
> local address, or will it potentially attempt to resolve
> to the external web address?
>
> All users have direct access to the internet through the
> PIX firewall.
>
> DHCP is configured to put our internal SBS server as the
> primary DNS server and an internet server as the
> secondary server.
>
> I don't plan to use abc.com for any web access, or mail.
> I just want to park it so it is reserved.
>
> Our users do use the VPN client to access our network
> remotely, but our VPN client is configured to connect
> directly to the VPN concentrator via IP address so I am
> assuming that VPN should not have a problem resolving to
> the internal server.
>
> I hope my question is clear. If not please let me know
> if you need additional information.
>

It won't cause a problem for the internal users. Internal users should never
get a direct look at the public name space. It may cause a problem for the
VPN users, since they must go through the public namespace to get to the
internal namespace. But putting the proper delegations in the public zone
will make it seamless.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Thanks for the information. I'm not sure I understand "proper delegations
in the public zone" but I am assuming that since the IP address of our VPN
concentrator is hardcoded into our VPN clients, our VPN connection will not
use the public namespace to find our network. Is this a valid assumption?

Thanks again for taking the time to help.

In news:CA5EFDD3-C9C3-412D-889E-66C782F960CA@microsoft.com,
AFS <AFS@discussions.microsoft.com> commented
Then Kevin replied below:
> Thanks for the information. I'm not sure I understand
> "proper delegations in the public zone" but I am assuming
> that since the IP address of our VPN concentrator is
> hardcoded into our VPN clients, our VPN connection will
> not use the public namespace to find our network. Is
> this a valid assumption?
>
> Thanks again for taking the time to help.

This is a bad assumption. While you have the internal DNS hardcoded in the
VPN client, you must first connect to the internet before the VPN client can
connect. It is when you have made this connection that you can possibly
cache conflicting NS records for the domain name. This is what causes
connection failures to internal resources.
You can use hosts files to make sure the correct internal host addresses
are loaded in the cache. You can also make delegations in the public zone
for names in the internal DNS using the private IP of the internal DNS in
the delegation.
This delegation is useless until the VPN is connected because the
delegation is to an internal address that should not be routable over the
internet.
Of course this delegation is only as secure as your firewall is at keeping
unauthorised, unauthenticated users out.

Since you don't have a public site on this address, the only time the public
zone should be queried is for your VPN clients. I would delegate these names
in the public zone. Make these delegations to the private address.
_msdcs
_sites
_tcp
_udp

There is an article that tells you how to set this up.
Integrating Your Active Directory Namespace Into an Existing DNS
Infrastructure With Name Overlap:
http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dns04_integ_adnspace_with_nameoverlap.asp

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
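Kevin's two replies describe a failure mode (the VPN client has already learned the public NS records for abc.com over the Internet before the tunnel comes up, so abc.com queries go to the public servers) and a fix (delegate _msdcs, _sites, _tcp and _udp in the public zone to the internal DNS server's private address, and use a hosts file for plain host names). The script below is an added example, not part of the original thread, that walks a toy resolver through both situations so the effect of each delegation is visible. Everything in it is an assumption made up for the example: the zone contents, the server name sbs.abc.com, the public address 203.0.113.53 and the private address 192.168.10.5. It models referral-following only; it is not the Windows resolver's actual cache logic.

```python
"""Toy resolver walk: a VPN client that starts every abc.com query at the
PUBLIC abc.com name server, with and without the delegations Kevin suggests.
All addresses and records are constructed for the example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import NamedTuple

PUBLIC_NS_IP = "203.0.113.53"    # assumed: server hosting the registered (public) abc.com
INTERNAL_NS_IP = "192.168.10.5"  # assumed: SBS box holding the AD-integrated abc.com zone

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for private addresses that are not routable across the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def suffixes(name: str):
    """Yield a name and each parent: a.b.c -> a.b.c, b.c, c."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


@dataclass
class Zone:
    """Minimal authoritative zone: {(owner, rrtype): [rdata, ...]}."""
    apex: str
    records: dict[tuple[str, str], list[str]]

    def lookup(self, name: str, rtype: str):
        name = name.lower()
        exact = self.records.get((name, rtype))
        if exact is not None:
            return "answer", exact
        # No exact match: is the name under a delegation (NS below the apex)?
        for parent in suffixes(name):
            if parent == self.apex:
                break
            ns_names = self.records.get((parent, "NS"))
            if ns_names:
                glue = {h: self.records.get((h, "A"), []) for h in ns_names}
                return "referral", glue          # NS set plus glue addresses
        return "nxdomain", []                    # NODATA folded in for brevity


# Public zone: no internal host records, only the AD sub-zone delegations
# pointing (via glue) at the internal server's PRIVATE address.
PUBLIC_ZONE = Zone("abc.com", {
    ("abc.com", "NS"): ["ns1.abc.com"],
    ("ns1.abc.com", "A"): [PUBLIC_NS_IP],
    ("_msdcs.abc.com", "NS"): ["sbs.abc.com"],
    ("_sites.abc.com", "NS"): ["sbs.abc.com"],
    ("_tcp.abc.com", "NS"): ["sbs.abc.com"],
    ("_udp.abc.com", "NS"): ["sbs.abc.com"],
    ("sbs.abc.com", "A"): [INTERNAL_NS_IP],
})

# Internal (AD) zone with the records domain members actually need.
INTERNAL_ZONE = Zone("abc.com", {
    ("abc.com", "NS"): ["sbs.abc.com"],
    ("sbs.abc.com", "A"): [INTERNAL_NS_IP],
    ("fileserver.abc.com", "A"): ["192.168.10.20"],
    ("_ldap._tcp.abc.com", "SRV"): ["0 100 389 sbs.abc.com"],
    ("_ldap._tcp.dc._msdcs.abc.com", "SRV"): ["0 100 389 sbs.abc.com"],
})

SERVERS = {PUBLIC_NS_IP: PUBLIC_ZONE, INTERNAL_NS_IP: INTERNAL_ZONE}


class Result(NamedTuple):
    status: str       # answer | unreachable | nxdomain | no-glue | loop
    data: list[str]
    source: str       # server that produced the result, or "hosts"


@dataclass
class VpnClient:
    tunnel_up: bool = False
    hosts: dict[str, str] = field(default_factory=dict)  # HOSTS file entries

    def reachable(self, ip: str) -> bool:
        # A private address is only reachable once the VPN tunnel is up.
        return self.tunnel_up or not is_rfc1918(ip)

    def resolve(self, name: str, rtype: str, max_hops: int = 4) -> Result:
        name = name.lower()
        if rtype == "A" and name in self.hosts:
            return Result("answer", [self.hosts[name]], "hosts")
        # The client reached the Internet first, so its cache holds the PUBLIC
        # NS record for abc.com; every abc.com query starts at that server.
        server = PUBLIC_NS_IP
        for _ in range(max_hops):
            if not self.reachable(server):
                return Result("unreachable", [server], server)
            status, data = SERVERS[server].lookup(name, rtype)
            if status != "referral":
                return Result(status, list(data), server)
            glue_ips = [ip for ips in data.values() for ip in ips]
            if not glue_ips:
                return Result("no-glue", [], server)
            server = glue_ips[0]                 # follow the delegation
        return Result("loop", [], server)


def demo() -> dict[str, Result]:
    before = VpnClient(tunnel_up=False)
    after = VpnClient(tunnel_up=True)
    with_hosts = VpnClient(tunnel_up=True, hosts={"fileserver.abc.com": "192.168.10.20"})
    return {
        "srv_before_vpn": before.resolve("_ldap._tcp.abc.com", "SRV"),
        "srv_after_vpn": after.resolve("_ldap._tcp.abc.com", "SRV"),
        "msdcs_after_vpn": after.resolve("_ldap._tcp.dc._msdcs.abc.com", "SRV"),
        "host_after_vpn": after.resolve("fileserver.abc.com", "A"),
        "host_with_hosts_file": with_hosts.resolve("fileserver.abc.com", "A"),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:22} {r.status:12} {r.data} via {r.source}")
```

Running it prints the five cases. The SRV query is referred to 192.168.10.5 by the public zone in both runs; before the tunnel is up that address is simply unreachable, which is the "useless until the VPN is connected" behaviour, and after it the internal server answers. fileserver.abc.com still gets NXDOMAIN from the public zone even with the tunnel up, because no delegation covers a plain host name; that is the gap the hosts file closes in the last case.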