Newsgroup: ms.public.win2000.dns
Is this a split / shadow situation resolving non-routable IPs without DNS authority.

06/12/2006, 12:56   #1
John Sitka
Is this a split / shadow situation resolving non-routable IPs without DNS authority.

Hi,

Active Directory root zone is abccompany.com inside the firewall.
This (these) DNS server then uses forwarders to resolve Internet names.
But I need to resolve names for the DMZ webserver abc-company.com
which has the authoritative DNS server in the DMZ for abc-company.com.

So from the internet browser www.abc-company.com resolves fine to a static internet IP.
(our web server)
From behind the firewall I need to resolve www.abc-company.com to a non-routable IP
192.168.x.x. This can be accomplished by each LAN PC having an appropriate host entry.
But I would rather have these entries statically resolved by the internal DNS server.

The goal here is to have the external website resolve the same way from a client on the internet
as from clients behind the firewall.

I accidentally showed a fellow how conditional redirection could be used to make this work.
Now there are so many different ASP redirection pages I can't maintain these external virtual webs
without screaming.


externally
www.abc-company.com
www.def-company.com
www.ghi-company.com

all resolved by authoritative DNS in the DMZ to static Internet IPs

internally behind the firewall
www.abc-company.com 192.168.0.10
www.def-company.com 192.168.0.20
www.ghi-company.com 192.168.0.30

thanks





--
"it's definitely useless and maybe harmful".


07/12/2006, 14:40   #2
Ace Fekay [MVP]
Re: Is this a split / shadow situation resolving non-routable IPs without DNS authority.

In news:uDtT3XTGHHA.3268@TK2MSFTNGP04.phx.gbl,
John Sitka <johnsitka@REMOVEhotmail.com> stated, which I commented on below:
> Hi,
>
> Active Directory root zone is abccompany.com inside the firewall.
> This (these) DNS server then uses forwarders to resolve Internet
> names. But I need to resolve names for the DMZ webserver abc-company.com
> which has the authoritative DNS server in the DMZ for
> abc-company.com.
> So from the internet browser www.abc-company.com resolves fine to a
> static internet IP. (our web server)
> From behind the firewall I need to resolve www.abc-company.com to a
> non-routable IP 192.168.x.x. This can be accomplished by each LAN PC
> having an appropriate host entry. But I would rather have these
> entries statically resolved by the
> internal DNS Server.
> The goal here is to have the external website resolve the same way
> from a client on the internet as from clients behind the firewall.
>
> I accidentally showed a fellow how conditional redirection could be
> used to make this work. Now there are so many different ASP redirection
> pages I can't
> maintain these external virtual webs without screaming.
>
>
> externally
> www.abc-company.com
> www.def-company.com
> www.ghi-company.com
>
> all resolved by authoritative DNS in the DMZ to static Internet IPs
>
> internally behind the firewall
> www.abc-company.com 192.168.0.10
> www.def-company.com 192.168.0.20
> www.ghi-company.com 192.168.0.30
>
> thanks


Confusion: Is the internal "abccompany.com" or "abc-company.com"?

I'm going to assume both are abc-company.com since you refer to that name
multiple times.

I wouldn't use hosts files. It's tedious. Under your internal
abc-company.com zone just create a www entry and provide the internal
private IP of the webserver. This will work assuming you are only using the
internal DNS servers for all internal machines (as it should be with an AD
infrastructure).

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest using OEx (Outlook Express
or any other newsreader), and configuring a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...


07/12/2006, 15:37   #3
John Sitka
Re: Is this a split / shadow situation resolving non-routable IPs without DNS authority.

Wow thanks for the in this and the other group, really feel I'm making progress.
Internal is abccompany.com.
External is abc-company.com. The DNS server for abc-company.com is in our DMZ, as well as that web host.
(This is the single example; in reality there are multiple externals: def-company.com, ghi-company.com.)

nodash = INTERNAL AD
dash = EXTERNAL

There are two AD DCs, each with a DNS server and each containing AD-integrated zones for abccompany.com (the internal LAN domain).

Both of these use forwarders to our ISP's DNS. There are some here who get internet access, some who use a proxy and some
who get none.

So if an internal client needs to get to the DMZ-located web server, they can get there with no name via 192.168.0.10.
If they request www.abc-company.com it won't work, because that would go first to the ISP's DNS, which would find the external-facing
IP, which not everybody is allowed to go to. So rather than make a bunch of left-turn routing rules on the firewalls, I just need
to have the internal DNS serve up www.abc-company.com as 192.168.0.10...

When I said you gave me a clue in the other thread, delegate, this is what I came up with.
It may be wrong in a lot of ways but I'm hoping it will in the understanding.



On Internal DNS
put in a new Zone abc-company.com (external) then right click that zone -> new delegation
and use the wizard to point it to the actual authoritative nameserver in the DMZ for abc-company.com
Then
Include another zone called www.abc-company.com with no names (data) and a single
entry 192.168.0.10

The idea is the internal nameserver answers for www.abc-company.com ONLY and only
for the clients who use the DC DNS server pair

All other abc-company.com requests, mail.abc-company.com for example, would be handled by
the authoritative DNS server for abc-company.com.

The first part is called delegation. (thanks to ACE FEKAY)

The second part is called a split brain DNS. Two DNS both with the same name for the zone, and both primary
but ONE is extremely limited even to the point on a single range which is in effect a single host!! and serving
a small group of clients. The other is out on the WEB and handles ALL other requests, even ones from
internal clients via forwarding.


"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message news:enL3j2gGHHA.1248@TK2MSFTNGP03.phx.gbl...
> In news:uDtT3XTGHHA.3268@TK2MSFTNGP04.phx.gbl,
> John Sitka <johnsitka@REMOVEhotmail.com> stated, which I commented on below:
>> Hi,
>>
>> Active Directory root zone is abccompany.com inside the firewall.
>> This (these) DNS server then uses forwarders to resolve Internet
>> names. But I need to resolve names for the DMZ webserver abc-company.com
>> which has the authoritative DNS server in the DMZ for
>> abc-company.com.
>> So from the internet browser www.abc-company.com resolves fine to a
>> static internet IP. (our web server)
>> From behind the firewall I need to resolve www.abc-company.com to a
>> non-routable IP 192.168.x.x. This can be accomplished by each LAN PC
>> having an appropriate host entry. But I would rather have these entries statically resolved by the
>> internal DNS Server.
>> The goal here is to have the external website resolve the same way
>> from a client on the internet as from clients behind the firewall.
>>
>> I accidentally showed a fellow how conditional redirection could be
>> used to make this work. Now there are so many different ASP redirection pages I can't
>> maintain these external virtual webs without screaming.
>>
>>
>> externally
>> www.abc-company.com
>> www.def-company.com
>> www.ghi-company.com
>>
>> all resolved by authoritative DNS in the DMZ to static Internet IPs
>>
>> internally behind the firewall
>> www.abc-company.com 192.168.0.10
>> www.def-company.com 192.168.0.20
>> www.ghi-company.com 192.168.0.30
>>
>> thanks

>
> Confusion: Is the internal "abccompany.com" or "abc-company.com"?
>
> I'm going to assume both are abc-company.com since you refer to that name multiple times.
>
> I wouldn't use hosts files. It's tedious. Under your internal abc-company.com zone just create a www entry and provide the
> internal private IP of the webserver. This will work assuming you are only using the internal DNS servers for all internal
> machines (as it should be with an AD infrastructure).
>
> --
> Ace
> Innovative IT Concepts, Inc (IITCI)
> Willow Grove, PA
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Having difficulty reading or finding responses to your post?
> Instead of the website you're using, I suggest using OEx (Outlook Express or any other newsreader), and configuring a news account,
> pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO ISP's Usenet
> account. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or subject.
> It's easy:
>
> How to Configure OEx for Internet News
> http://support.microsoft.com/?id=171164
>
> Infinite Diversities in Infinite Combinations
> Assimilation Imminent. Resistance is Futile
> "Very funny Scotty. Now, beam down my clothes."
>
> The only constant in life is change...
>



07/12/2006, 15:51   #4
John Sitka
Re: Is this a split / shadow situation resolving non-routable IPs without DNS authority.

Just to clarify, this is where I'm in the dark about how this works

(
>>Include another zone called www.abc-company.com with no names (data) and a single
>>entry 192.168.0.10


>>The idea is the internal nameserver answers for www.abc-company.com ONLY and only
>>for the clients who use the DC DNS server pair

)

I don't know how a zone and a host can result in the same thing, because www is indeed a RR, but I keep reading that it will somehow
work out. I guess I need to try it and see; not my authority though, so I have to come up with the plan first before I present
it.


"John Sitka" <johnsitka@REMOVEhotmail.com> wrote in message news:u4kknWhGHHA.1232@TK2MSFTNGP05.phx.gbl...
> Wow thanks for the in this and the other group, really feel I'm making progress.
> Internal is abccompany.com
> External is abc-company.com DNS server for abc-company.com is in our DMZ as well as that web host.
> (This is the single example, reality is there are multiple externals def-company.com, ghi-company.com)
>
> nodash = INTERNAL AD
> dash = EXTERNAL
>
> there are two AD DCs each with a DNS server and each containing AD integrated zones for abccompany.com (the internal lan domain)
>
> both of these use forwarders to our ISP's DNS, there are some here who get internet access and some who use a proxy and some
> who get none.
>
> So if an internal client needs to get to the DMZ located web server, they can get there with no name via 192.168.0.10.
> If they request www.abc-company.com it won't work because that would go first to the ISP's DNS which would find the external
> facing IP
> which not everybody is allowed to go to. So rather than make a bunch of left turn routing rules on the firewalls. I just need
> to have the internal DNS serve up www.abc-company.com as 192.168.0.10...
>
> When I said you gave me a clue in the other thread, delegate, this is what I came up with.
> It may be wrong in a lot of ways but I'm hoping it will in the understanding.
>
>
>
> On Internal DNS
> put in a new Zone abc-company.com (external) then right click that zone -> new delegation
> and use the wizard to point it to the actual authoritative nameserver in the DMZ for abc-company.com
> Then
> Include another zone called www.abc-company.com with no names (data) and a single
> entry 192.168.0.10
>
> The idea is the internal nameserver answers for www.abc-company.com ONLY and only
> for the clients who use the DC DNS server pair
>
> all other abc-company.com requests; mail.abc-company.com for example would be handled by
> the authoritative DNS server for abc-company.com
>
> The first part is called delegation. (thanks to ACE FEKAY)
>
> The second part is called a split brain DNS. Two DNS both with the same name for the zone, and both primary
> but ONE is extremely limited even to the point on a single range which is in effect a single host!! and serving
> a small group of clients. The other is out on the WEB and handles ALL other requests, even ones from
> internal clients via forwarding.
>
>
> "Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message news:enL3j2gGHHA.1248@TK2MSFTNGP03.phx.gbl...
>> In news:uDtT3XTGHHA.3268@TK2MSFTNGP04.phx.gbl,
>> John Sitka <johnsitka@REMOVEhotmail.com> stated, which I commented on below:
>>> Hi,
>>>
>>> Active Directory root zone is abccompany.com inside the firewall.
>>> This (these) DNS server then uses forwarders to resolve Internet
>>> names. But I need to resolve names for the DMZ webserver abc-company.com
>>> which has the authoritative DNS server in the DMZ for
>>> abc-company.com.
>>> So from the internet browser www.abc-company.com resolves fine to a
>>> static internet IP. (our web server)
>>> From behind the firewall I need to resolve www.abc-company.com to a
>>> non-routable IP 192.168.x.x. This can be accomplished by each LAN PC
>>> having an appropriate host entry. But I would rather have these entries statically resolved by the
>>> internal DNS Server.
>>> The goal here is to have the external website resolve the same way
>>> from a client on the internet as from clients behind the firewall.
>>>
>>> I accidentally showed a fellow how conditional redirection could be
>>> used to make this work. Now there are so many different ASP redirection pages I can't
>>> maintain these external virtual webs without screaming.
>>>
>>>
>>> externally
>>> www.abc-company.com
>>> www.def-company.com
>>> www.ghi-company.com
>>>
>>> all resolved by authoritative DNS in the DMZ to static Internet IPs
>>>
>>> internally behind the firewall
>>> www.abc-company.com 192.168.0.10
>>> www.def-company.com 192.168.0.20
>>> www.ghi-company.com 192.168.0.30
>>>
>>> thanks

>>
>> Confusion: Is the internal "abccompany.com" or "abc-company.com"?
>>
>> I'm going to assume both are abc-company.com since you refer to that name multiple times.
>>
>> I wouldn't use hosts files. It's tedious. Under your internal abc-company.com zone just create a www entry and provide the
>> internal private IP of the webserver. This will work assuming you are only using the internal DNS servers for all internal
>> machines (as it should be with an AD infrastructure).
>>
>> --
>> Ace
>> Innovative IT Concepts, Inc (IITCI)
>> Willow Grove, PA
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
>> Microsoft MVP - Directory Services
>> Microsoft Certified Trainer
>>
>> Having difficulty reading or finding responses to your post?
>> Instead of the website you're using, I suggest using OEx (Outlook Express or any other newsreader), and configuring a news
>> account, pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO
>> ISP's Usenet account. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or
>> subject.
>> It's easy:
>>
>> How to Configure OEx for Internet News
>> http://support.microsoft.com/?id=171164
>>
>> Infinite Diversities in Infinite Combinations
>> Assimilation Imminent. Resistance is Futile
>> "Very funny Scotty. Now, beam down my clothes."
>>
>> The only constant in life is change...
>>

08/12/2006, 03:15   #5
Ace Fekay [MVP]
Re: Is this a split / shadow situation resolving non-routable IPs without DNS authority.

In news:uUVcIehGHHA.3616@TK2MSFTNGP02.phx.gbl,
John Sitka <johnsitka@REMOVEhotmail.com> stated, which I commented on below:
> Just to clarify, this is where I'm in the dark about how this works
>
> (
>>> Include another zone called www.abc-company.com with no names
>>> (data) and a single entry 192.168.0.10

>
>>> The idea is the internal nameserver answers for www.abc-company.com
>>> ONLY and only for the clients who use the DC DNS server pair

> )
>
> I don't know how a zone and a host can result in the same thing
> because www is indeed a RR but I keep reading that it will somehow
> work out, I guess I need to try it and see, not my authority though
> so I have to come up with the plan first before I present it.


John,

No prob for the . This is not really a split zone at all. But if you
want to get to it internally because you are hosting the website internally
(the web server is on a private IP), then you will have to create the
external zone internally and give it the internal private IP. No way really
around that for the inside folks.

Hosts files are dinosaurs. :-) DNS was designed as a database of names to IPs,
or the reverse, to replace hosts files.

Ace


08/12/2006, 03:17   #6
Ace Fekay [MVP]
Re: Is this a split / shadow situation resolving non-routable IPs without DNS authority.

In news:u4kknWhGHHA.1232@TK2MSFTNGP05.phx.gbl,
John Sitka <johnsitka@REMOVEhotmail.com> stated, which I commented on below:
> Wow thanks for the in this and the other group, really feel I'm
> making progress. Internal is abccompany.com
> External is abc-company.com DNS server for abc-company.com is in our
> DMZ as well as that web host. (This is the single example, reality is
> there are multiple externals def-company.com, ghi-company.com)
> nodash = INTERNAL AD
> dash = EXTERNAL
>
> there are two AD DCs each with a DNS server and each containing AD
> integrated zones for abccompany.com (the internal lan domain)
> both of these use forwarders to our ISP's DNS, there are some here
> who get internet access and some who use a proxy and some who get none.
>
> So if an internal client needs to get to the DMZ located web server,
> they can get there with no name via 192.168.0.10. if they request
> www.abc-company.com it won't work because that would
> go first to the ISP's DNS which would find the external facing IP
> which not everybody is allowed to go to. So rather than make a bunch
> of left turn routing rules on the firewalls. I just need to have the
> internal DNS serve up www.abc-company.com as
> 192.168.0.10...
> When I said you gave me a clue in the other thread, delegate, this is
> what I came up with. It may be wrong in a lot of ways but I'm hoping it
> will in the
> understanding.
>
>
> On Internal DNS
> put in a new Zone abc-company.com (external) then right click that
> zone -> new delegation and use the wizard to point it to the actual
> authoritative nameserver
> in the DMZ for abc-company.com Then
> Include another zone called www.abc-company.com with no names (data)
> and a single entry 192.168.0.10
>
> The idea is the internal nameserver answers for www.abc-company.com
> ONLY and only for the clients who use the DC DNS server pair
>
> all other abc-company.com requests; mail.abc-company.com for example
> would be handled by the authoritative DNS server for abc-company.com
>
> The first part is called delegation. (thanks to ACE FEKAY)
>
> The second part is called a split brain DNS. Two DNS both with the
> same name for the zone, and both primary but ONE is extremely limited even
> to the point on a single range
> which is in effect a single host!! and serving a small group of clients.
> The other is out on the WEB and handles ALL
> other requests, even ones from internal clients via forwarding.


Well, it is kind of a split zone, but I usually use that term to indicate the
AD zone is the same as the public domain name. That is not your case, but
you need to provide a way for your internal folks to get to the website
using the private IP, so in essence it becomes a split zone. In this
scenario you won't need a delegation, just manually creating the external
zone name internally.

Make sense?

Ace


08/12/2006, 18:40   #7
John Sitka
Re: Is this a split / shadow situation resolving non-routable IPs without DNS authority.

> Well, it is kind of a split zone, but I usually use that term to indicate the AD zone is the same as the public domain name. That
> is not your case, but you need to provide a way for your internal folks to get to the website using the private IP, so in essence
> it becomes a split zone. In this scenario you won't need a delegation, just manually creating the external zone name internally.
>
> Make sense?
>
> Ace


Are you kidding me! I'm so amped over this I can't tell you

A perfect learning experience....
make mistakes, keep trying, get mad, keep asking, keep reading.

And the motivation came from a pure gut feel that there is no way we should be having to chop
up or enhance these websites just so they both work inside and outside. It just seemed like
a stupid way to solve a simple problem.

Last night, before I read your reply, I went to see our IT guy; he was messing around with
those redirectors in ASP code I was talking about, moving websites around etc.
I said "Did you read my DNS email?"
He said he didn't try it because I wrote it was "untested."
I kind of laughed and explained I don't have a similar network topography back at my apartment,
so I thought we (meaning him) would be excited to test it at the enterprise.

Anyway, after some practice/test working together with less critical zones, we got it working, created a dozen or so zones
that resolved to a single IP and there we go, hundreds of hours in accrued work and maintenance saved.

Ace, you understood this post exactly and I quickly found out that a delegate was not required.

> just manually creating the external zone name internally.


And that's all it took.

I never saw it all these years (dealing with DNS is a twice yearly event for me, at most)
because it didn't piece together how an unnamed A RR would resolve to an IP.


Thanks.



"Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message news:e8L32dnGHHA.1216@TK2MSFTNGP05.phx.gbl...
> In news:u4kknWhGHHA.1232@TK2MSFTNGP05.phx.gbl,
> John Sitka <johnsitka@REMOVEhotmail.com> stated, which I commented on below:
>> Wow thanks for the in this and the other group, really feel I'm
>> making progress. Internal is abccompany.com
>> External is abc-company.com DNS server for abc-company.com is in our
>> DMZ as well as that web host. (This is the single example, reality is
>> there are multiple externals def-company.com, ghi-company.com)
>> nodash = INTERNAL AD
>> dash = EXTERNAL
>>
>> there are two AD DCs each with a DNS server and each containing AD
>> integrated zones for abccompany.com (the internal lan domain)
>> both of these use forwarders to our ISP's DNS, there are some here
>> who get internet access and some who use a proxy and some who get none.
>>
>> So if an internal client needs to get to the DMZ located web server,
>> they can get there with no name via 192.168.0.10. if they request www.abc-company.com it won't work because that would
>> go first to the ISP's DNS which would find the external facing IP
>> which not everybody is allowed to go to. So rather than make a bunch
>> of left turn routing rules on the firewalls. I just need to have the internal DNS serve up www.abc-company.com as
>> 192.168.0.10...
>> When I said you gave me a clue in the other thread, delegate, this is
>> what I came up with. It may be wrong in a lot of ways but I'm hoping it will in the
>> understanding.
>>
>>
>> On Internal DNS
>> put in a new Zone abc-company.com (external) then right click that
>> zone -> new delegation and use the wizard to point it to the actual authoritative nameserver
>> in the DMZ for abc-company.com Then
>> Include another zone called www.abc-company.com with no names (data)
>> and a single entry 192.168.0.10
>>
>> The idea is the internal nameserver answers for www.abc-company.com
>> ONLY and only for the clients who use the DC DNS server pair
>>
>> all other abc-company.com requests; mail.abc-company.com for example
>> would be handled by the authoritative DNS server for abc-company.com
>>
>> The first part is called delegation. (thanks to ACE FEKAY)
>>
>> The second part is called a split brain DNS. Two DNS both with the
>> same name for the zone, and both primary but ONE is extremely limited even to the point on a single range
>> which is in effect a single host!! and serving a small group of clients. The other is out on the WEB and handles ALL
>> other requests, even ones from internal clients via forwarding.

>
> Well, it is kind of a split zone, but I usually use that term to indicate the AD zone is the same as the public domain name. That
> is not your case, but you need to provide a way for your internal folks to get to the website using the private IP, so in essence
> it becomes a split zone. In this scenario you won't need a delegation, just manually creating the external zone name internally.
>
> Make sense?
>
> Ace
>



09/12/2006, 00:41   #8
the principal
Re: Is this a split / shadow situation resolving non-routable IPs without DNS authority.

There is one slight clarification that just came to me.

Ace says

-- just manually creating the external zone name internally.

true....

But the thought process and hurdle I couldn't get over was that the
goal here wasn't to resolve 123.www.abc-company.com or
456.www.abc-company.com or 789.www.abc-company.com etc., which fits the
idea of a zone. The goal was just a single end point,
www.abc-company.com. Hence the single unnamed A record in the zone
www.abc-company.com works.


New Zone via wizard: Primary, www.abc-company.com
Right-click the newly created zone -> New Host
Name -> blank
IP -> 192.168.0.10
"Are you sure you want to create the record with a blank name?"

Yes please

Result: Record type A, Name = (same as parent folder), Data = 192.168.0.10




John Sitka wrote:
> > Well, it is kind of a split zone, but usually use that term to indicate the AD zone is the same as the public domain name. That
> > is not your case, but you need to provide a way for your internal folks to get to the website using the private IP, so in essence
> > it becomes a split zone. In this scenario you won't need a delegation, just manually creating the external zone name internally.
> >
> > Make sense?
> >
> > Ace

>
> Are you kidding me! I'm so amped over this I can't tell you
>
> A perfect learning experience....
> make mistakes, keep trying, get mad, keep asking, keep reading.
>
> And the motivation came from a pure gut feel that there is no way we should be having to chop
> up or enhance these websites just so they both work inside and outside. It just seemed like
> a stupid way to solve a simple problem.
>
> Last night before a read your reply, I went to see our IT guy, he was messing around with
> those redirectors in asp code I was talking about, moving websites around etc.
> I said "Did you read my DNS email?"
> He said he didn't try it because I wrote it was "untested."
> I kind of laughed explained I don't have a similar network topography back at my apartment
> so I thought we (meaning him) would be excited to test it at the enterprise.
>
> Anyways after some practice/test working together with less critical zones, we got it working, created a dozen or so zones
> that resolved to a single IP and there we go, hundreds of hours in accrued work and maintenance saved.
>
> Ace, you understood this post exactly and I quickly found out that a delegate was not required.
>
> > just manually creating the external zone name internally.

>
> And that's all it took.
>
> I never saw it all these years (dealing with DNS is a twice yearly event for me, at most)
> because it didn't piece together how an unnamed A RR would resolve to an IP.
>
>
> Thanks.
>
>
>
> "Ace Fekay [MVP]" <PleaseAskMe@SomeDomain.com> wrote in message news:e8L32dnGHHA.1216@TK2MSFTNGP05.phx.gbl...
> > In news:u4kknWhGHHA.1232@TK2MSFTNGP05.phx.gbl,
> > John Sitka <johnsitka@REMOVEhotmail.com> stated, which I commented on below:
> >> Wow thanks for the in this and the other group, really feel I'm
> >> making progress. Internal is abccompany.com
> >> External is abc-company.com DNS server for abc-company.com is in our
> >> DMZ as well as that web host. (This is the single example, reality is
> >> there are multiple externals def-company.com, ghi-company.com)
> >> nodash = INTERNAL AD
> >> dash = EXTERNAL
> >>
> >> there are two AD DCs each with a DNS server and each containing AD
> >> integrated zones for abccompany.com (the internal lan domain)
> >> both of these use forwarders to our ISP's DNS, there are some here
> >> who get internet access and some who use a proxy and some who get none.
> >>

>
>
>
> >> So if an internal client needs to get to the DMZ located web server,
> >> they can get there with no name via 192.168.0.10. if they request www.abc-company.com it won't work because that would
> >> go first to the ISP's DNS which would find the external facing IP
> >> which not everybody is allowed to go to. So rather than make a bunch
> >> of left turn routing rules on the firewalls. I just need to have the internal DNS serve up www.abc-company.com as
> >> 192.168.0.10...
> >> When I said you gave me a clue in the other thread, delegate, this is
> >> what I came up with. It may be wrong in a lot of ways but I'm hoping it will in the
> >> understanding.
> >>
> >>
> >> On Internal DNS
> >> put in a new Zone abc-company.com (external) then right click that
> >> zone -> new delegation and use the wizard to point it to the actual authoritative nameserver
> >> in the DMZ for abc-company.com Then
> >> Include another zone called www.abc-company.com with no names (data)
> >> and a single entry 192.168.0.10
> >>
> >> The idea is the internal nameserver answers for www.abc-company.com
> >> ONLY and only for the clients who use the DC DNS server pair
> >>
> >> all other abc-company.com requests; mail.abc-company.com for example
> >> would be handled by the authoritative DNS server for abc-company.com
> >>
> >> The first part is called delegation. (thanks to ACE FEKAY)
> >>
> >> The second part is called a split brain DNS. Two DNS servers, both with the
> >> same name for the zone, and both primary, but ONE is extremely limited even to the point of a single range
> >> which is in effect a single host!! and serving a small group of clients. The other is out on the WEB and handles ALL
> >> other requests, even ones from internal clients via forwarding.

> >
> > Well, it is kind of a split zone, but I usually use that term to indicate the AD zone is the same as the public domain name. That
> > is not your case, but you need to provide a way for your internal folks to get to the website using the private IP, so in essence
> > it becomes a split zone. In this scenario you won't need a delegation, just manually creating the external zone name internally.
> >
> > Make sense?
> >
> > Ace
> >


12/12/2006, 06h45   #9
Ace Fekay [MVP]
Re: Is this a split / shadow situation resolving non routable IPs without DNS authority.

In news:1165624912.455700.152730@n67g2000cwd.googlegroups.com,
the principal <johnsitka@hotmail.com> stated, which I commented on below:
> there is one slight clarity, that just came to me.
>
> Ace says
>
> -- just manually creating the external zone name internally.
>
> true....
>
> but the thought process and hurdle I couldn't get over was that the
> goal here wasn't to resolve 123.www.abc-company.com or
> 456.www.abc-company.com or 789.www.abc-company.com etc. which fits an
> idea of a zone. The goal was just a single end point
> www.abc-company.com, hence the single unnamed A record in the zone
> www.abc-company.com works
>
>
> New Zone via wizard, Primary www.abc-company.com
> Right Click the newly created zone -> New Host
> Name -> blank
> IP -> 192.168.0.10
> "are you sure you want to create the record with a blank name?"
>
> Yes please
>
> result Record type A, Name = same as parent folder, Data =
> 192.168.0.10


For a single record like www.something.com, creating that as a zone and
creating a blank named entry, is the easiest way to do it.

:-)

Ace
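
The "zone per host name" setup the two of them settle on (a primary zone named www.abc-company.com holding one blank-name A record, with the rest of abc-company.com still resolved through the forwarders) can be scripted instead of clicked through the wizard. The script below is an added example and is not code from the thread or from Ace; it uses dnscmd.exe, which ships with Windows DNS Server, and the three internal name/IP pairs John listed. Assumptions that go beyond the thread: the `-DnsServer` parameter name is invented for the script, the zones are created AD-integrated (`/DsPrimary`) rather than file-backed so both DCs answer the same way, and dynamic updates are switched off explicitly so no domain-joined machine can overwrite the apex record.

```powershell
# Added example (not from the thread): script the split-brain "one zone per
# host name" trick from the discussion with dnscmd.exe.
# Assumptions (not stated in the thread):
#   - $DnsServer is a parameter name chosen here; "." means the local server.
#   - Zones are /DsPrimary (AD-integrated) so the second DC serves them too;
#     a file-backed /Primary zone would exist on one DC only.
#   - Dynamic updates are disabled (/AllowUpdate 0); a zone any client could
#     update would let a domain-joined box repoint the www record.
param(
    [string]$DnsServer = "."
)

# Internal view of the DMZ web servers: the private addresses from the thread.
$internalHosts = @{
    "www.abc-company.com" = "192.168.0.10"
    "www.def-company.com" = "192.168.0.20"
    "www.ghi-company.com" = "192.168.0.30"
}

foreach ($fqdn in $internalHosts.Keys) {
    $ip = $internalHosts[$fqdn]

    # 1. A zone whose name IS the host name. Nothing else under abc-company.com
    #    is shadowed, so mail.abc-company.com etc. still leave via the forwarders
    #    and are answered by the authoritative server in the DMZ.
    dnscmd $DnsServer /ZoneAdd $fqdn /DsPrimary

    # 2. Refuse dynamic updates on this zone; only an admin should change it.
    dnscmd $DnsServer /Config $fqdn /AllowUpdate 0

    # 3. The "blank name" host the GUI asks about is the zone apex, "@" in dnscmd.
    dnscmd $DnsServer /RecordAdd $fqdn '@' A $ip

    # 4. Check what this server now hands out for the name. Inside, expect $ip;
    #    the same query against the ISP's DNS should still return the public IP.
    nslookup $fqdn $DnsServer
}
```

Two things to keep in mind when running it: the internal server is now authoritative for everything below www.abc-company.com, so a name such as foo.www.abc-company.com gets NXDOMAIN internally even if the DMZ server knows it; and the private record does not follow the public one, so if the web server's 192.168.x address changes, the apex record in the matching internal zone has to be changed by hand.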


12/12/2006, 06h47   #10
Ace Fekay [MVP]
Re: Is this a split / shadow situation resolving non routable IPs without DNS authority.

In news:OOexehvGHHA.1468@TK2MSFTNGP04.phx.gbl,
John Sitka <johnsitka@REMOVEhotmail.com> stated, which I commented on below:
>
> Are you kidding me! I'm so amped over this I can't tell you
>
> A perfect learning experience....
> make mistakes, keep trying, get mad, keep asking, keep reading.
>
> And the motivation came from a pure gut feel that there is no way we
> should be having to chop up or enhance these websites just so they both
> work inside and outside. It just seemed like a stupid way to solve a simple problem.
>
> Last night before I read your reply, I went to see our IT guy, he was
> messing around with those redirectors in asp code I was talking about,
> moving websites around etc. I said "Did you read my DNS email?"
> He said he didn't try it because I wrote it was "untested."
> I kind of laughed and explained I don't have a similar network topography
> back at my apartment so I thought we (meaning him) would be excited to
> test it at the enterprise.
> Anyways after some practice/test working together with less critical
> zones, we got it working, created a dozen or so zones that resolved
> to a single IP and there we go, hundreds of hours in accrued work and
> maintenance saved.
> Ace, you understood this post exactly and I quickly found out that a
> delegate was not required.
>> just manually creating the external zone name internally.
>
> And that's all it took.
>
> I never saw it all these years (dealing with DNS is a twice yearly
> event for me, at most) because it didn't piece together how an unnamed A
> RR would resolve to an IP.
>
> Thanks.


It's amazing how the solution can be so simple, but very easily overlooked.

My pleasure, John. Glad to help out.

Now go and relax with a Crown on the rocks, or a martini or something...

:-)

Ace


