Aha! I might have found something... Will this work??
____________________________________________________________________
This is good especially if you have a Split Horizon environment where the
internal and external domain names are the same and the users need to get to
their external name by
http://theirdomain.com but their DC/DNS server
responds and not the actual external website.
This one is done on the netlogon service parameters in the registry. This
will stop netlogon registering the blank FQDN with the internal private IP.
This stops the netlogon service from registering that "Blank Domain FQDN" IP
address. Those IPs are actually called the LdapIPAddress. Then you manually
create a blank FQDN with the IP that you do want, whether a local private IP
or some public IP, any or multiple IPs, if you want.
If your ISP rotates or changes the website IP, then this will not work.
Usually we can delegate the www zone to the SOA of your external domain, but
this can't be done with the blank domain record.
===========================================
Disabling the Same As Parent LdapIpAddress blank FQDN
[Taken from http://support.microsoft.com/?id=295328]
You do this by adding a registry entry to the DC(s) and rebooting:
1) Add the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry Value: DnsAvoidRegisterRecords and add the "LdapIpAddress"
Mnemonic.
2) Do this on all DCs and restart netlogon or restart machine.
This will prevent the DC from adding the domain A records from netlogon.
And you can add multiple Blank Domain A records as you need.
====================================
====================================
If you want to create multiples, you can do it manually as I mentioned
above, or use this method to force the system to do it for you. I would
rather create them manually but here's the instructions if you feel up to
it....
Now you can also publish the IP you want instead of having to put it in
manually for the blank FQDN. Do this on the DNS service in the registry.
[Taken from http://support.microsoft.com/?id=275554]
Configure the DNS service to publish specific IP addresses to the DNS
zone.
To do so, make the following registry modification:
PublishAddresses
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Data type: REG_SZ
Range: IP address [IP address]
Default value: blank
This modification specifies the IP addresses that you want to publish for
the computer. The DNS server creates A records only for the addresses in
this list. If this entry does not appear in the registry, or if its value is
blank, the DNS server creates an A record for each of the computer's IP
addresses.
This entry is for computers that have multiple IP addresses, only a subset
of which you want to publish. Typically, this prevents the DNS server from
returning a private network address in response to a query when the computer
has a corporate network address.
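The two registry procedures quoted above, scripted as an added example (this is not code from the original post or from the Microsoft KB articles). It sets DnsAvoidRegisterRecords on Netlogon, removes the blank-FQDN record Netlogon already registered (turning registration off does not delete the existing record), adds the public record, sets PublishAddresses on the DNS service, and reads everything back. Assumptions: it is run elevated on the DC that hosts the zone, on Windows Server 2012 or later so the DnsServer and DnsClient PowerShell modules exist; the zone name and private IP are the ones from the thread, and the public IP is a placeholder. As the post says, the Netlogon part has to be repeated on every DC.

```powershell
<#
Added example, not the poster's or Microsoft's code. Applies the two registry
settings described in the thread, cleans up the stale blank-FQDN record and
verifies the result. Assumes an elevated session on a Windows Server 2012+ DC
that also runs the DNS service (DnsServer and DnsClient modules available).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Zone      = 'faricy.net',      # zone name from the thread
    [string]$PrivateIP = '10.0.0.2',        # private DC address from the thread
    [string]$PublicIP  = '203.0.113.10'     # placeholder, not the poster's real address
)

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dnsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1) Tell Netlogon not to register the LdapIpAddress (blank FQDN) record.
#    DnsAvoidRegisterRecords is a REG_MULTI_SZ list of mnemonics; keep any
#    mnemonics already present and append LdapIpAddress once.
$existing  = (Get-ItemProperty -Path $netlogonKey -Name DnsAvoidRegisterRecords `
                -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
$mnemonics = @(@($existing) + 'LdapIpAddress' | Where-Object { $_ } | Select-Object -Unique)
if ($PSCmdlet.ShouldProcess($netlogonKey, 'Set DnsAvoidRegisterRecords')) {
    New-ItemProperty -Path $netlogonKey -Name DnsAvoidRegisterRecords `
        -PropertyType MultiString -Value $mnemonics -Force | Out-Null
    Restart-Service -Name Netlogon
}

# 2) Netlogon stops re-registering the record but does not delete the copy it
#    already put in the zone, so remove the private-IP record by hand and make
#    sure the public one exists.
$rootA  = Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A -ErrorAction SilentlyContinue
$rootIPs = @($rootA.RecordData.IPv4Address.IPAddressToString)
if ($rootIPs -contains $PrivateIP -and
    $PSCmdlet.ShouldProcess("$Zone @ A $PrivateIP", 'Remove stale record')) {
    Remove-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A -RecordData $PrivateIP -Force
}
if ($rootIPs -notcontains $PublicIP -and
    $PSCmdlet.ShouldProcess("$Zone @ A $PublicIP", 'Add public record')) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $PublicIP
}

# 3) Per the second KB quoted above: limit which of this server's own addresses
#    the DNS service publishes (REG_SZ, space-separated list of addresses).
if ($PSCmdlet.ShouldProcess($dnsKey, 'Set PublishAddresses')) {
    New-ItemProperty -Path $dnsKey -Name PublishAddresses `
        -PropertyType String -Value $PublicIP -Force | Out-Null
    Restart-Service -Name DNS
}

# 4) Verify: read the registry back and query the local server for the zone root.
Get-ItemProperty -Path $netlogonKey -Name DnsAvoidRegisterRecords | Select-Object DnsAvoidRegisterRecords
Get-ItemProperty -Path $dnsKey -Name PublishAddresses | Select-Object PublishAddresses
$answer = Resolve-DnsName -Name $Zone -Type A -Server 127.0.0.1 -DnsOnly |
          Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
if ($answer -contains $PrivateIP) {
    Write-Warning "$Zone still answers with $PrivateIP; check the other DCs and the record TTL."
} else {
    Write-Host "$Zone now resolves to: $($answer -join ', ')"
}
```

Run it once with -WhatIf to see which registry values and records it would touch before letting it change anything. Step 2 is the part people usually miss: the KB setting only prevents future registrations, so the 10.0.0.2 record stays in the zone until someone deletes it, and clients keep getting both answers in the meantime.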
____________________________________________________________________
"Ryan Faricy" <ryan@faricy.net> wrote in message
news:eOmOu2o5GHA.2264@TK2MSFTNGP02.phx.gbl...
> So everyone, I've spent hours scouring the net and haven't really come up
> with a definitive answer.
>
> I have:
> - a static IP from a local ISP
> - DSL through local telco, with router
> - Two boxes: 1) Win2K box, IP=10.0.0.2, w/ IIS, DNS, AD, and it's a PDC
> ... 2) is a mail server (Win2003 server), member of domain FARICY.NET,
> which is on box 1.
>
> Everything works GREAT. I only have one problem.
>
> I set up DNS on box 1 with primary zone FARICY.NET which is AD integrated
> and allows dynamic updates. Router forwards all traffic from 53 to box 1
> for resolution.
>
> FARICY.NET contains all proper information needed to run my web services
> and works great. EXCEPT ... AD insists on updating the zone with
> (same as parent folder) HOST 10.0.0.2 ............. *in addition* to what
> I REALLY want (to be the default at least) is:
> (same as parent folder) HOST my.public.ip.address
>
> They are both there, so I have two entries for FARICY.NET...
> @ IN A 10.0.0.2
> @ IN A my.public.ip.address
>
> Whenever I run an nslookup, it always returns two results:
> Non-authoritative answer:
> Name: faricy.net
> Addresses: my.public.ip.address, 10.0.0.2
>
> Unfortunately, when I try to ping or visit faricy.net via local DNS or
> after it propagates to my ISP, etc., it tries to resolve 10.0.0.2.
>
> Is there ANY way I can stop AD from messing with just this particular
> entry?? Or any recommended solution?
>
> I would be very grateful!!! Thank you so much.
>