Posted

Hi,

I'm configuring my DNS for the first time and am having some problems. I have my domain pointing to ns1.mydomain.com, and on my server I created an ns1 nameserver entry under the forward lookup zone for mydomain.com. My problem is in the SOA: whenever I change my nameservers or the primary server from compname.mydomain.com to ns1.mydomain.com it takes effect... but then later I go back into it and it has changed back automatically to compname.mydomain.com.

 

This leads me to the conclusion that I'm not doing this correctly! My question is... does ns1.mydomain.com need to be a physical server or just a nameserver entry for mydomain.com? Is there any way to change the primary server from being compname.mydomain.com (where my VM's computer name is ws2008r2x64-0)?

 

intodns.com errors:

Missing nameservers reported by parent FAIL: The following nameservers are listed at your nameservers as nameservers for your domain, but are not listed at the parent nameservers (see RFC2181 5.4.1). You need to make sure that these nameservers are working. If they are not working ok, you may have problems!

ws2008r2x64-0.mydomain.com

 

IPs of nameservers are public ERROR:

ws2008r2x64-0.mydomain.com

 

^^^ I don't want ws2008r2x64-0 to be a nameserver at all... I want it to be ns1.
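The two intodns.com findings quoted above can be reproduced offline. The following checker is an added example, not something from the thread or from intodns.com: it compares the NS set a zone serves against the parent's delegation (RFC 2181 5.4.1), flags nameserver addresses that are not publicly routable, and additionally flags NS records that resolve through a CNAME (RFC 2181 10.3 requires NS targets to be canonical names with their own address records). The zone data is constructed to mirror the setup described in the post; the 203.0.113.0/24 addresses in the corrected zone are a documentation range standing in for a real public IP.

```python
"""Offline lint for delegation problems of the kind intodns.com reports:
NS set at the child vs. the parent's delegation (RFC 2181 5.4.1), non-public
nameserver addresses, and NS records that point at CNAMEs (RFC 2181 10.3).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Addresses that are never reachable from the Internet. 203.0.113.0/24 is a
# documentation range used below as a stand-in for a real public address.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]


def is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in _NON_PUBLIC)


@dataclass
class Zone:
    soa_mname: str                      # primary server named in the SOA
    ns: set[str]                        # apex NS set served by the child zone
    a: dict[str, str] = field(default_factory=dict)      # name -> address
    cname: dict[str, str] = field(default_factory=dict)  # alias -> canonical name


def canonical(zone: Zone, name: str, limit: int = 8) -> tuple[str, bool]:
    """Follow CNAMEs inside the zone; return (final name, whether an alias was crossed)."""
    was_alias = False
    for _ in range(limit):
        if name not in zone.cname:
            return name, was_alias
        name, was_alias = zone.cname[name], True
    raise ValueError(f"CNAME chain too long at {name}")


def lint_delegation(parent_ns: set[str], zone: Zone) -> list[str]:
    """Return the problems a delegation checker would report; an empty list means clean."""
    findings: list[str] = []
    for name in sorted(zone.ns - parent_ns):
        findings.append(f"FAIL missing at parent: {name}")
    for name in sorted(parent_ns - zone.ns):
        findings.append(f"FAIL missing at child: {name}")
    for name in sorted(zone.ns | parent_ns):
        target, was_alias = canonical(zone, name)
        if was_alias:
            findings.append(f"FAIL NS points to CNAME: {name} -> {target}")
        addr = zone.a.get(target)
        if addr is None:
            findings.append(f"FAIL no address record for nameserver: {name}")
        elif not is_public(addr):
            findings.append(f"ERROR nameserver IP not public: {name} = {addr}")
    if zone.soa_mname not in zone.ns:
        findings.append(f"WARN SOA primary server not in NS set: {zone.soa_mname}")
    return findings


# Constructed data mirroring the thread: the parent delegates to ns1/ns2, the
# zone also lists the DC itself, ns1/ns2 are aliases of the DC, and the DC
# only has a LAN address.
PARENT_NS = {"ns1.mydomain.com.", "ns2.mydomain.com."}
THREAD_ZONE = Zone(
    soa_mname="ws2008r2x64-0.mydomain.com.",
    ns={"ns1.mydomain.com.", "ns2.mydomain.com.", "ws2008r2x64-0.mydomain.com."},
    a={"ws2008r2x64-0.mydomain.com.": "192.168.1.174"},
    cname={"ns1.mydomain.com.": "ws2008r2x64-0.mydomain.com.",
           "ns2.mydomain.com.": "ws2008r2x64-0.mydomain.com."},
)

# The same delegation as a public zone should look: the NS names have their
# own A records on public addresses, and the SOA names one of them.
FIXED_ZONE = Zone(
    soa_mname="ns1.mydomain.com.",
    ns={"ns1.mydomain.com.", "ns2.mydomain.com."},
    a={"ns1.mydomain.com.": "203.0.113.10", "ns2.mydomain.com.": "203.0.113.11",
       "www.mydomain.com.": "203.0.113.10"},
)

if __name__ == "__main__":
    for label, zone in (("as posted", THREAD_ZONE), ("corrected", FIXED_ZONE)):
        print(f"--- {label}")
        for line in lint_delegation(PARENT_NS, zone) or ["OK"]:
            print(line)
```

Run as-is it prints six findings for the posted layout (the DC listed at the child but not at the parent, ns1/ns2 resolving through a CNAME, and all three nameserver names landing on 192.168.1.174) and "OK" for the corrected zone. The checker reads only the data you give it, so use it to review the zone you intend to publish before changing the registrar's delegation.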

Posted

Hi,

 

Let's start from the beginning:

 

You have two key components: DOMAIN NAME and DOMAIN CONTROLLER.

Once again,

You have two key components: MYDOMAIN.COM and WS2008R2X64-0

 

Your DC is WS2008R2X64-0, which is the provider of the domain MYDOMAIN.COM.

In order to RESOLVE names (both external and internal), the DNS query must point to WS2008R2X64-0.MYDOMAIN.COM OR the IP (private IP) of the DOMAIN CONTROLLER.

 

When you say: " I have my domain pointing to ns1.mydomain.com and on my server I created a ns1 nameserver entry under the forward lookup zone for mydomain.com." You say also where is your mistake: you can add ns1.mydomain.com, but WHAT IS ns1? The DNS / Domain doesn't know ANYTHING about NS1. So, you forward things to NOWHERE!

 

Then again:"My problem is in the SOA whenever I change my nameservers or the primary server from compname.mydomain.com to ns1.mydomain.com it takes effect... but then later I go back into it and it has changed back automatically to compname.mydomain.com"

 

Everything is correct here, your DNS knows WHO is responsible for name resolutions, when you change the NAMESERVER, it doesn't know HOW to resolve it, because the real nameserver is gone!

 

So, here you can find a resolution:

Add an ALIAS on your DNS: ns1.mydomain.com which points to: ws2008r2x64-0 OR IP_of_DC.

 

You can also create another server (physical) and call it NS1. You COULD also change the HOSTS file inside your DC and add a static entry like this:

ns1.mydomain.com IP_of_DC

 

Now I hope you aren't too bored :P

 

Cheers

--------------------------------------------------------

You can also write in French.

You can also write in German.

You can also write in Italian.

--------------------------------------------------------

Posted

Thanks for the response!

Ok here is what my dns looks like now:

 

Alias entry for ns1/ns2 pointing to ws2008r2x64-0.mydomain.com (I know they should be on separate servers but I only have one server)

A entry for ws2008r2x64-0... however this always points to my private IP 192.168.1.174. Shouldn't this be my public static IP?

A entry for www pointing to my public static IP.

AAAA entry for ws2008r2x64-0 pointing to my private IPv6... I'm not using IPv6 so I really don't need this.

 

Then my SOA is using ws2008r2x64-0 for the primary server.

SOA nameservers are listed as ns1, ns2, and ws2008r2x64-0.

 

Domain name lists only ns1 and ns2

 

1. Should I add ws2008r2x64-0 as a nameserver for my domain name? If I don't intodns.com complains about it.

2. IPs of primary nameserver ws2008r2x64-0 are not public... If I change the IP to my public static IP it auto-changes back to my private one.

 

Thanks

Posted

Everything is fine now :) and...

the name of your server must point to your PRIVATE IP.

IPv6 doesn't matter here, but leave it there.

SOA records usually don't show aliases, so it's ok.

 

Yes, you should add that name as a name server, but it is not mandatory because ns1 and ns2 are already the same server :)

 

Why your DNS should have a public IP? I don't think you need it...


Posted

It still doesn't seem to be working... I am able to hit the site from my own network but from an outside network it doesn't work.

Pinging any of the following returns the private IP 192.168.1.174 (or the IPv6 private IP).

mydomain.com

www.mydomain.com

ns1.mydomain.com

ns2.mydomain.com

ws2008r2x64-0.mydomain.com

Posted

Wait, this is correct based on what you want to do...

 

On your LOCAL (PRIVATE) network, your DNS works like a charm; outside it's different. Your DC is not published on the internet, so you CANNOT ping it. For security purposes I don't suggest you put the same DC on the internet as well; instead use an RODC (Read-Only Domain Controller). But do you really need an external domain controller? If yes, be sure to set up an RODC OUTSIDE your LAN (in another VLAN or something like this).


Posted

So DO NOT IMPLEMENT the same DC for both inside and outside.

 

Use an RODC!


Posted
I only have a single server with WS2008R2 running as a VM. Doesn't an RODC require a separate DC? Can I do this with one server instance of WS2008?
Posted
You can't, but you really should install another VM... trust me.


Posted

Thanks...

I found this thread that has the same problems I'm facing: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/5d75acf0-3289-460d-ae24-68109114b103

 

"If you want to host your public domain name on your own DNS server, the registrar requires a minimum of two hostname servers, as well as that you have to run two separate DNS servers, one that hosts the public IP address for the public to use, and one for your internal use that has records with the internal private IP. This is because with Windows DNS, you can't mix internal and public IPs for a record, such as a www.yourdomain.com record. Internally for you to get to it, it must be the private IP, but externally it must point to your WAN IP."

 

I can install another VM instance of ws2008... however it's shit that Windows Server 2008 is unable to function by itself on a single stand-alone server. I know in most cases there is more than one server... but it should also have the capability to stand alone.

 

On to the solution... Let's say I were to keep my current configuration for private network lookups and create a new ws2008 VM acting as an RODC for public network lookups?

Questions are:

1. How does the RODC fit into my network, as I can only forward ports 80/443 to one private static IP?

2. Assuming the domain name still registers ns1/ns2, would I register ns1 with the RODC and ns2 with the DC?

3. Could I port forward 53 (for DNS, right?) to the RODC, which would in turn return the public static IP, and then the 80/443 requests would be port forwarded to my DC?

4. Would I need to register ns2 (my DC) as the DNS for computers on the same network?

5. Would the model above still provide security to my server and network across the internet?

 

I really appreciate the help. I'm still learning and am dedicated to getting this working.

Posted

Hi,

 

First, what does it mean?

Windows Server 2008 is unable to function by itself on a single stand-alone server. I know in most cases there is more than one server... but it should also have the capability to stand alone.

 

Windows can work on a stand-alone server...

 

Regarding all your questions, I really suggest you read this article; it explains WHERE you can put a public DNS.

 

http://www.isaserver.org/tutorials/how_to_publish_a_dns_server_part_1__the_pathophysiology_of_the_same_internal_andexternal_domain_name.html

 

If you have other questions, feel free to ask!


Posted

Great article.

Before I do this I want to confirm my setup:

Use the current ws2008 instance as private DNS server and AD controller and remove the port forwarding rules to this IP.

Use the new ws2008 instance as public DNS server and RODC, granted DMZ access.

Put NS1/NS2 on the new ws2008 instance and host all sites there.

Leave the ws2008r2x64-0 nameserver on the old ws2008 instance and point network computers to use this DNS.

 

Any other thoughts or considerations?
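The layout listed above is a split-horizon ("split-brain") DNS setup: the same domain name is served from two independent record sets, one for the LAN and one for the Internet. The model below is an added example, not code from the thread or from the linked isaserver.org article; it assumes the DMZ host holds its own zone for mydomain.com rather than a replica of the DC's zone, and uses the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as stand-ins for the public side and for an outside client. Which record set a real client reaches is decided by placement (LAN resolvers point at the DC, the registrar points at the DMZ host); the model makes that choice explicit so the two views can be checked against each other.

```python
"""Model of a split-horizon DNS layout: one domain name, two authoritative
record sets. The internal view answers LAN clients with private addresses;
the external view, served from the DMZ host, publishes only public addresses
and only the names the Internet needs to know.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone data. 203.0.113.0/24 (public side) and 198.51.100.0/24
# (an outside client) are documentation ranges standing in for real addresses.
INTERNAL_VIEW = {
    "mydomain.com.":               ("A", "192.168.1.174"),
    "www.mydomain.com.":           ("A", "192.168.1.174"),
    "ws2008r2x64-0.mydomain.com.": ("A", "192.168.1.174"),
    "ns1.mydomain.com.":           ("CNAME", "ws2008r2x64-0.mydomain.com."),
}
EXTERNAL_VIEW = {
    "mydomain.com.":     ("A", "203.0.113.10"),
    "www.mydomain.com.": ("A", "203.0.113.10"),
    "ns1.mydomain.com.": ("A", "203.0.113.10"),
    "ns2.mydomain.com.": ("A", "203.0.113.11"),
}


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def select_view(client_ip: str) -> dict:
    """Pick the record set by where the query comes from."""
    return INTERNAL_VIEW if is_rfc1918(client_ip) else EXTERNAL_VIEW


def resolve_a(name: str, client_ip: str, max_hops: int = 8):
    """Answer an A query from the selected view, chasing CNAMEs; None means NXDOMAIN."""
    view = select_view(client_ip)
    for _ in range(max_hops):
        rr = view.get(name)
        if rr is None:
            return None
        rtype, rdata = rr
        if rtype == "A":
            return rdata
        name = rdata  # CNAME: continue with the canonical name
    return None


def leaked_private_records(view: dict) -> list:
    """Names whose A record is an RFC 1918 address; must be empty for the public view."""
    return sorted(n for n, (t, d) in view.items() if t == "A" and is_rfc1918(d))


if __name__ == "__main__":
    for client in ("192.168.1.50", "198.51.100.7"):
        print(client, "www ->", resolve_a("www.mydomain.com.", client),
              "| DC name ->", resolve_a("ws2008r2x64-0.mydomain.com.", client))
    print("private addresses in external view:", leaked_private_records(EXTERNAL_VIEW))
```

The point of `leaked_private_records` is the check to run against whatever zone file the DMZ host ends up serving: a single private address in that zone means the "can't mix internal and public IPs" problem has been recreated on the public side, and the DC's host name simply should not exist in the external view at all.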

Posted
Mhhh, I think this is a good list. Just one more point: a domain controller should be a domain controller. Not a DC and web server! Better for security AND performance!


Posted
Just one more point: a domain controller should be a domain controller. Not a DC and web server! Better for security AND performance!

Does that apply to the RODC that will also be hosting?

Posted

Yes.

 

When I have installed DCs, they were only DCs or at most with a print server, but not more, and they were small environments. A domain controller must open many connections, and a web server does the same thing but also uses resources. Think about this...


  • 2 weeks later...
Posted

Hi,

I reconfigured my server! I got AD installed on my primary DC and am able to connect to it from network computers and just finished installing my RODC. Also got my network reconfigured with DMZ access for the RODC. My network is going to have a small number of users so I'm not too concerned with the DC also being a web server.

 

My next step is getting IIS installed for mydomain.com (the domain name of the DC). Earlier you had stated that I should install IIS on my RODC. If I do this, will my site be accessible from within my network, where the network computers' DNS is pointing to the DC? Is it just a matter of DNS entries? Since the DNS is read-only on the RODC, does that mean I need to make my DNS entries on the DC? When I create my CNAME entries for ns1/ns2, do these point to the ws2008r2x64-0 (DC) nameserver, or would I want to instead make A entries for them pointing to my public static IP, since the RODC will be hosting and has DMZ access?

Posted
Yes and no. You should not have a web server and DC together... Anyway, an RODC is about the same to configure, so yes, create the CNAME.


Posted
What I don't understand is this... it seems I would need three servers to make this work. One internal DC and one external DC, both inside the firewall, with an RODC for the external DC outside the firewall (DMZ). With my current two-server configuration, with one being the domain controller and the second being an RODC for the first... I can't add external DNS entries for mydomain.com on the RODC because it mirrors the DNS of the DC... and I can't add external DNS entries for the DC because it contains internal DNS entries and can't handle both. I really don't want to have to add another VM, but I can if I need to...
Posted
Honestly, I think you must use another VM. I never tried without a third server...


Posted

That's what I figured. If I add the third server, how do the three work together?

DC for mydomain.com handles internal DNS requests.

Is the server that handles external DNS requests (not the RODC but the one behind the firewall) a domain controller? Are there two DCs for mydomain.com? How does this work?

Third server is an RODC for the DC that handles external DNS requests. Where does my web server live, on the external DC, not the RODC, right?

If my web server is on the external DC, then how are web requests handled for computers connected to the internal DC?

 

Thanks for your help

Posted
Same story, an RODC is like a normal DNS but it just prevents zone transfer. It's not really important where your web server is, you just need the IP.

