<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.dirteam.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Ace Fekay Blogging : external name same as internal</title><link>http://blogs.dirteam.com/blogs/acefekay/archive/tags/external+name+same+as+internal/default.aspx</link><description>Tags: external name same as internal</description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP3 (Build: 20423.1)</generator><item><title>Split Zone or no Split Zone - Can't access internal website with external name</title><link>http://blogs.dirteam.com/blogs/acefekay/archive/2009/08/08/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx</link><pubDate>Fri, 07 Aug 2009 14:51:00 GMT</pubDate><guid isPermaLink="false">4afa41f1-c118-406e-beda-ba054a9f6c33:4104</guid><dc:creator>AceFekay</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.dirteam.com/blogs/acefekay/comments/4104.aspx</comments><wfw:commentRss>http://blogs.dirteam.com/blogs/acefekay/commentrss.aspx?PostID=4104</wfw:commentRss><wfw:comment>http://blogs.dirteam.com/blogs/acefekay/rsscomments.aspx?PostID=4104</wfw:comment><description>&lt;HR&gt;

&lt;P&gt;How do I resolve my external website when my internal name is the same as my external name (split zone)?&lt;/P&gt;
&lt;P&gt;Or&lt;/P&gt;
&lt;P&gt;We are hosting our webserver internally, on our LAN, and internet users can access the website without problems, but when we are inside the office, we can't access our domain name. This also applies to Exchange OWA.&lt;/P&gt;
&lt;P&gt;By Ace Fekay, MCT&lt;BR&gt;Updated 7/30/2009&lt;/P&gt;
&lt;HR&gt;

&lt;P&gt;There can be multiple scenarios. Choose your scenario.&lt;/P&gt;
&lt;H2&gt;Scenario 1&lt;/H2&gt;
&lt;P&gt;Your internal domain name and external domain name are the same, and the webserver is hosted externally.&lt;BR&gt;This type of same-name scenario is called a split zone. &lt;/P&gt;
&lt;P&gt;To handle a split zone, note that there are two ways to get to your website: &lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;By &lt;A href="http://www.yourdomain.com/" mce_href="http://www.yourdomain.com/"&gt;http://www.yourdomain.com/&lt;/A&gt;, using 'www' in front of your domain name.&lt;/LI&gt;
&lt;LI&gt;By &lt;A href="http://yourdomain.com/" mce_href="http://yourdomain.com/"&gt;http://yourdomain.com/&lt;/A&gt;, without the 'www'in front of the name.&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;1. The simplest way to allow your internal users to get to your external website is to simply create a "A" www record under your current internal AD zone name in DNS (DO NOT create an Alias or CNAME record), and provide the IP address of the external web server. &lt;/P&gt;
&lt;P&gt;To create the 'www' record:&lt;BR&gt;Open DNS console&lt;BR&gt;Right-click your zone name, such as yourdomain.com, choose New Host Record&lt;BR&gt;Type in www&lt;BR&gt;Type in the IP address of the external website&lt;/P&gt;
&lt;P&gt;2. However, if your web hosting provider uses more than one web server, such as in a server farm, or they have multiple IP addresses for the website, and there is the possibility they may change it without warning, you would have to do something different to account for this. Therefore, instead of creating an "A" 'www' record, I would suggest creating a delegation for 'www' to the public name servers that are authoritative for your zone. With a delegation, instead of providing a direct IP, DNS will query the SOA of your public domain name to get the current IP address of your website. To create a delegation, you will need to find the SOA name of your public zone. The SOA, or Start of Authority, are the public name servers on record that you want your delegation to query for your 'www' record. &lt;/P&gt;
&lt;P&gt;Therefore, you would need to query an outside DNS server for your SOA record (your external DNS hostname servers hosting your public domain name).&lt;/P&gt;
&lt;P&gt;How do you find the SOA for your public domain name? Use nslookup.&lt;/P&gt;
&lt;P&gt;In a command prompt, type in nslookup, hit enter.&lt;BR&gt;Then type in the following:&lt;BR&gt;&amp;gt; set q=soa&lt;BR&gt;&amp;gt; server 4.2.2.2&lt;BR&gt;&amp;gt; typeInYourDomainNameHereWithoutTheWWW&lt;/P&gt;
&lt;P&gt;Once you've found the SOA names and IP addresses, you can create the delegation. To create the delegation, simply right-click your zone name, choose New Delegation, type in www, and provide the SOA of your public domain.&lt;/P&gt;
&lt;P&gt;Resolving the domain name with &lt;A href="http://domain.com/" mce_href="http://domain.com/"&gt;http://domain.com/&lt;/A&gt; (without the www in front of it) is a little more complex. Normally, if you are not using Active Directory internally, you would simply create a new Host record (as in step #1), but without typing anything in for the hostname, and simply type in the IP address. This is called a blank domain name, which allows the name to resolve without the 'www' in front of it. However, if you are using Active Directory, this 'blank' domain name is actually used by the domain controllers in the domain. It's a unique record that each domain controller registers into DNS with an IP address, without a hostname, which appears under your internal zone name as:&lt;/P&gt;
&lt;P&gt;(same as parent)&amp;nbsp;&amp;nbsp; A&amp;nbsp;&amp;nbsp; x.x.x.x&lt;/P&gt;
&lt;P&gt;This record that the DCs register is actually called the "LdapIpAddress." Each DC registers one for itself. AD uses these records for a number of things, such as DC to DC replication, Sysvol replication, GPOs and DFS. Don't mess with it please or expect problems. The DCs will re-register this record anyway if you delete it and thwart your attempt. If you create a blank record for your website, it will cause problems with AD.&lt;/P&gt;
&lt;P&gt;To get around that, you can use a workaround. The workaround is, on EACH DC, install IIS. Then open the Internet Information Services console. In the default website properties, Directory tab, select redirect, and redirect it to &lt;A href="http://www.domain.com/" mce_href="http://www.domain.com/"&gt;http://www.domain.com/&lt;/A&gt;. This way, when any one of your users types in http://domain.com, it will resolve to the www record you've created in Step #1 or #2 above. But this procedure must be performed on each DC.&lt;/P&gt;
&lt;H2&gt;Scenario 2&lt;/H2&gt;
&lt;P&gt;Your public domain name is different, and you are hosting your webserver internally. &lt;/P&gt;
&lt;P&gt;In this scenario, internet users access your domain name by connecting to the WAN (outside) IP address of your router. &lt;/P&gt;
&lt;P&gt;To make this scenario work, with a different domain name than your internal domain name, you would need to create the external domain name as a zone on your DNS server. &lt;/P&gt;
&lt;P&gt;Create a new zone using your external domain name.&lt;BR&gt;Open DNS console.&lt;BR&gt;Click on Forward Lookup Zones.&lt;BR&gt;Right-click, choose new Zone, type in the name of the external domain name.&lt;BR&gt;Once created, right-click the zone you just created, choose New Host Record.&lt;BR&gt;Type in 'www' (without the quotes), and provide the internal Private IP address of your internal webserver.&lt;/P&gt;
&lt;P&gt;If you want to access the site with &lt;A href="http://domain.com/" mce_href="http://domain.com/"&gt;http://domain.com/&lt;/A&gt; (without the www), you would need to create a 'blank' host record. &lt;/P&gt;
&lt;P&gt;How?&lt;BR&gt;Right-click the zone name you just created, choose New Host Record.&lt;BR&gt;Leave the name field blank, and provide the internal Private IP address of your internal webserver.&lt;/P&gt;
&lt;H2&gt;Scenario 3&lt;/H2&gt;
&lt;P&gt;If you have a different internal domain name and external domain name, and the website is hosted externally:&lt;BR&gt;There's nothing to do. Internet resolution will handle everything. &lt;/P&gt;
&lt;P&gt;Don't forget, ALWAYS and ONLY use the internal DNS servers in your AD environment for all machines (DCs, member servers and workstations, including your VPN clients), or this won't work. Never use your ISP's DNS servers anyway, or your router's IP address as a DNS address in any internal machine's IP properties. Otherwise, expect AD problems as well.&lt;/P&gt;
&lt;P&gt;Don't forget to configure a forwarder for more efficient internet name resolution. I've always used this as a best practice. It offloads internet name resolution to your ISP's DNS addresses so your server doesn't have to use the Root Hints to resolve external names.&lt;/P&gt;
&lt;P&gt;Ace Fekay, MCT&lt;/P&gt;</description><category domain="http://blogs.dirteam.com/blogs/acefekay/archive/tags/DNS/default.aspx">DNS</category><category domain="http://blogs.dirteam.com/blogs/acefekay/archive/tags/Split+Zone/default.aspx">Split Zone</category><category domain="http://blogs.dirteam.com/blogs/acefekay/archive/tags/Can_2700_t+Access+website/default.aspx">Can't Access website</category><category domain="http://blogs.dirteam.com/blogs/acefekay/archive/tags/external+name+same+as+internal/default.aspx">external name same as internal</category><category domain="http://blogs.dirteam.com/blogs/acefekay/archive/tags/internal+website/default.aspx">internal website</category></item></channel></rss>