Split Zone or no Split Zone – Can’t Access Internal Website with External Name

“How do I resolve my external website when my internal name is the same as my external name (split zone)?”

Or

“We are hosting our webserver internally, on our LAN, and internet users can access the website without problems, but when we are inside the office, we can’t access our domain name. This also applies to Exchange OWA.”

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Updated 7/30/2009


There can be multiple scenarios. Choose your scenario.

Scenario 1: The Internal and External Domain Names are the Same

Your internal domain name and external domain name are the same, and the webserver is hosted externally.
This same-name arrangement is called a split zone (also split-brain or split-horizon DNS). The important consequence: your internal DNS servers are authoritative for the zone, so they never ask the internet about any name in it. Every public name your inside users need (www, mail, autodiscover, and so on) has to exist in the internal copy of the zone, or it will not resolve from the LAN at all.

To handle a split zone, remember that there are two ways users get to your website:

  1. By http://www.yourdomain.com/, with ‘www’ in front of your domain name.
  2. By http://yourdomain.com/, without the ‘www’ in front of the name.

1. The simplest way to allow your internal users to get to your external website is to create an A record named www under your current internal AD zone in DNS (an A record, NOT an Alias/CNAME record; a CNAME pointing at a name inside the same zone is answered by your own server, not the public one, so it never reaches the outside record), and give it the IP address of the external web server.

To create the ‘www’ record:
Open DNS console
Right-click your zone name, such as yourdomain.com, choose New Host Record
Type in www
Type in the IP address of the external website

2. However, if your web hosting provider uses more than one web server (a server farm), or has multiple IP addresses for the website, and may change them without warning, a static A record will silently go stale. In that case, instead of an A record for www, create a delegation for ‘www’ to the public name servers that are authoritative for your zone. With a delegation your internal server does not hand out a stored IP; it sends queries for www.yourdomain.com to the delegated public name servers and returns whatever address they currently publish, so hoster changes follow automatically. To create the delegation you need the names and IP addresses of those public name servers: the NS records of your public zone. (The zone’s SOA, or Start of Authority, record names only the primary one; the delegation should list all of them.)

Therefore, you must ask an outside DNS server for these records. Asking your own DNS server is useless here: it is authoritative for yourdomain.com and will answer with the internal zone’s NS and SOA records, not the public ones.

How do you find the public name servers for your domain name? Use nslookup.

In a command prompt, type nslookup and hit Enter.
Then type the following, one line at a time:
> server 4.2.2.2
> set q=ns
> typeInYourDomainNameHereWithoutTheWWW.com

set q=ns lists every public name server, which is what the delegation needs; set q=soa shows only the primary server, plus the zone serial and contact, and is handy for confirming you are looking at the public copy of the zone and not your internal one.

Once you have the public name server names and IP addresses, you can create the delegation: right-click your zone name, choose New Delegation, type in www, and add each public name server with its address. Two checks before you rely on it: remove any existing www A record from the zone first, and confirm that your DNS server can reach the public name servers on port 53 (UDP and TCP) through your firewall. If it cannot, www stops resolving for every inside user, because nothing else in your zone answers for that name any more.
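The two options above, as an added PowerShell example that is not part of the original post. It uses the DnsServer module (Windows Server 2012 or later; on Windows 2008 the equivalent is dnscmd or the console steps above). The zone name yourdomain.com, the placeholder address 203.0.113.10 and the public resolver 4.2.2.2 from the post are assumptions; the public name servers are discovered from an outside resolver rather than assumed.

```powershell
# Added example, not from the original post: handle www in a split zone either with a
# static A record (option 1) or with a delegation to the public name servers (option 2).
# Assumptions: run on an internal Windows DNS server with the DnsServer module (2012+);
# yourdomain.com is your AD zone; 203.0.113.10 is a placeholder for the hoster's address.
Import-Module DnsServer

$Zone             = 'yourdomain.com'
$ExternalResolver = '4.2.2.2'   # the post's public resolver; must NOT be your own server
$UseDelegation    = $true       # $false = option 1, $true = option 2

if (-not $UseDelegation) {
    # Option 1: static A record (an A record, never a CNAME). Short TTL so a hoster
    # change hurts for minutes, not a day.
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address '203.0.113.10' `
        -TimeToLive (New-TimeSpan -Minutes 5)
} else {
    # Option 2, step 1: ask an OUTSIDE resolver for the public NS set. Your own server is
    # authoritative for $Zone and would hand back the internal NS records instead.
    $publicNs = Resolve-DnsName -Name $Zone -Type NS -Server $ExternalResolver -DnsOnly |
                Where-Object { $_.Type -eq 'NS' }
    if (-not $publicNs) { throw "No public NS records for $Zone via $ExternalResolver" }

    # Step 2: a delegation and a static www A record must not coexist; drop the A record.
    Get-DnsServerResourceRecord -ZoneName $Zone -Name 'www' -RRType A -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ZoneName $Zone -Force

    # Step 3: one NS record (with glue address) per public name server.
    foreach ($ns in $publicNs) {
        $glue = Resolve-DnsName -Name $ns.NameHost -Type A -Server $ExternalResolver -DnsOnly |
                Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        if (-not $glue) { Write-Warning "$($ns.NameHost) has no A record; skipped"; continue }
        Add-DnsServerZoneDelegation -Name $Zone -ChildZoneName 'www' `
            -NameServer $ns.NameHost -IPAddress $glue
    }

    # Step 4: the check. Inside and outside answers must match, and this server must be able
    # to reach the delegated name servers on port 53, or www stops resolving for everyone inside.
    Clear-DnsServerCache -Force
    $inside  = Resolve-DnsName -Name "www.$Zone" -Type A -Server '127.0.0.1' -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' }
    $outside = Resolve-DnsName -Name "www.$Zone" -Type A -Server $ExternalResolver -DnsOnly |
               Where-Object { $_.Type -eq 'A' }
    if (-not $inside) {
        Write-Warning "www.$Zone does not resolve from inside: check outbound UDP/TCP 53 to the public name servers"
    } elseif (Compare-Object $inside.IPAddress $outside.IPAddress) {
        Write-Warning "Inside answer $($inside.IPAddress) differs from public answer $($outside.IPAddress)"
    } else {
        "www.$Zone -> $($outside.IPAddress -join ', ') from both inside and outside"
    }
    $publicNs | ForEach-Object { Test-NetConnection -ComputerName $_.NameHost -Port 53 } |
        Select-Object ComputerName, TcpTestSucceeded
}
```

Run it on the DNS server itself. The delegation branch deliberately removes a pre-existing www A record before adding the NS records, and the final comparison is the test that matters: if the inside answer is empty or differs from the public one, the delegation is pointing at the wrong servers or the firewall is blocking port 53 outbound.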

 

So you don’t want to use the WWW in front of the URL?

This question has come up numerous times where the external and internal AD names are the same, whether the web server is hosted internally or externally. I usually look at it as politics driving the request, because it is not that hard to type www in front of domain.com.

However, if you absolutely need http://domain.com/ to resolve without the www in front of it, there is a way, but it is more complex and warrants an explanation.

If you are not running an Active Directory infrastructure:

The easy solution is to create a new host record (as in step 1 above) but leave the hostname field blank and type in the IP address of the website. This is called a blank domain name record (the console shows it as “(same as parent folder)”), and it lets the bare name resolve without the ‘www’ in front of it.

However, if you are using Active Directory:

This ‘blank’ domain name record is already in use by the domain controllers. Each and every domain controller registers an A record under the zone with no hostname, carrying its own IP address, which appears under your internal zone name as:

(same as parent)   A   x.x.x.x

This record is the DC’s “LdapIpAddress” record. Each DC registers one for itself, and Netlogon re-registers it periodically, so deleting it only thwarts your own attempt. Clients use it whenever they address the domain by its bare name: LDAP binds to domain.com, \\domain.com\SYSVOL and \\domain.com\NETLOGON during Group Policy processing, and domain-based DFS namespace roots. Don’t mess with it please, or expect problems. If you add a blank record pointing at your web server, it simply becomes one more address in that round-robin set: part of the time clients asking for domain.com will be handed the web server’s IP, their SYSVOL and DFS requests will go to a web server, and you will see intermittent Group Policy and DFS failures that are very hard to trace back to DNS.
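A check a practitioner will want before and after touching this, as an added PowerShell example that is not part of the original post: list every “(same as parent)” A record in the AD zone and flag any whose address does not belong to a domain controller. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later) and uses domain.com as a placeholder for your AD zone.

```powershell
# Added example (not from the original post): audit the "(same as parent)" A records in the
# AD zone. Every one of them should belong to a domain controller; anything else is a
# hand-added apex record that will intermittently hijack SYSVOL/GPO/DFS lookups.
# Assumptions: run on a DC or admin box with the ActiveDirectory and DnsServer modules;
# domain.com stands for your AD DNS zone.
Import-Module ActiveDirectory, DnsServer

function Test-ApexRecords {
    param([string]$Zone = 'domain.com')
    $dcIps = (Get-ADDomainController -Filter *).IPv4Address
    Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
        Where-Object { $_.HostName -eq '@' } |      # '@' is how the module shows "(same as parent)"
        ForEach-Object {
            $ip = $_.RecordData.IPv4Address.IPAddressToString
            [pscustomobject]@{
                Zone      = $Zone
                Address   = $ip
                IsDC      = ($dcIps -contains $ip)
                Timestamp = $_.Timestamp      # set => dynamically registered (Netlogon); empty => added by hand
            }
        }
}

$apex  = Test-ApexRecords -Zone 'domain.com'
$apex | Format-Table -AutoSize
$rogue = $apex | Where-Object { -not $_.IsDC }
if ($rogue) {
    $msg = 'Apex record(s) not owned by a DC: {0}. Clients resolving the bare domain name will be ' +
           'sent there part of the time; remove them and use the www redirect instead.'
    Write-Warning ($msg -f ($rogue.Address -join ', '))
} else {
    'All apex records belong to domain controllers: nothing to fix.'
}
```

Any row with IsDC false and an empty Timestamp is exactly the hand-added web server record described above; remove it rather than the DC-owned ones.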

To get around that, there is a workaround: install IIS on EACH DC, open the Internet Information Services console, and in the Default Web Site properties, Home Directory tab, select “A redirection to a URL” and redirect to http://www.domain.com/. Now when any of your users types http://domain.com, the name resolves to whichever DC the round-robin hands out, that DC’s IIS answers on port 80 and redirects the browser to the www record you created in step 1 or 2 above. Because any DC may be the one that answers, the redirect must be configured identically on every DC. It also covers plain HTTP only: https://domain.com lands on the DC’s port 443 and fails unless each DC also has a certificate for the bare name.

Steps summarized:

  1. Install IIS on EACH domain controller. This must be done on every DC.
  2. Create a www record under your domain.com.
  3. Give it the private, internal IP of the web server, or, if the web server is external, the public IP address of the web server. If you don’t know the external IP, see the nslookup steps below to find it.
  4. In the IIS console, Default Web Site properties, create a redirect to http://www.domain.com/.
  5. Now when any of your users types http://domain.com, the request lands on a DC and is redirected to the www record you created in step 2.

 

If your website is external, for the above you need to use nslookup against an outside resolver to find your external web server IP:

c:\>nslookup
> server 4.2.2.2          (makes nslookup use an external DNS server; your own server is authoritative for the zone and would answer from the internal copy)
> www.domain.com
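The redirect step, scripted for repeatable rollout on every DC, as an added PowerShell example that is not part of the original post. It keeps the IIS footprint to the core web server plus the HTTP Redirection module and nothing else, then checks the response without following it. It assumes Windows Server 2012 or later IIS cmdlets (on 2008 R2 use Add-WindowsFeature and the console steps above); www.domain.com and domain.com are placeholders.

```powershell
# Added example (not from the original post): configure the bare-name redirect on a DC with the
# smallest possible IIS footprint (core web server + HTTP Redirection only, no app frameworks),
# then verify it. Run on EVERY domain controller. Assumes Windows Server 2012+ IIS cmdlets;
# www.domain.com is a placeholder for the www record created above.
$Target = 'http://www.domain.com'          # no trailing slash: IIS appends the requested path
$Site   = 'IIS:\Sites\Default Web Site'

Install-WindowsFeature -Name Web-Server, Web-Http-Redirect
Import-Module WebAdministration

# Remove the IIS sample page first: the DC should serve nothing but the redirect.
Remove-Item "$env:SystemDrive\inetpub\wwwroot\*" -Recurse -Force -ErrorAction SilentlyContinue

# Redirect every request for the bare name to the www host, keeping the path, as a 301.
$f = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $Site -Filter $f -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $Site -Filter $f -Name destination        -Value $Target
Set-WebConfigurationProperty -PSPath $Site -Filter $f -Name exactDestination   -Value $false
Set-WebConfigurationProperty -PSPath $Site -Filter $f -Name httpResponseStatus -Value 'Permanent'

# Verify WITHOUT following the redirect: expect Status 301 and Location http://www.domain.com/somepage
function Test-BareNameRedirect {
    param([string]$Url = 'http://domain.com/somepage')   # placeholder URL
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    try   { [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] } }
    finally { $resp.Close() }
}
Test-BareNameRedirect
```

The verification runs from any domain-joined client; repeat it a few times, because round-robin DNS will hand you a different DC each time and every one of them must answer with the same 301.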

Note: Installing IIS on a Domain Controller has security implications:

For security reasons, I do not recommend installing IIS on a DC. A domain controller holds the credentials for the entire domain; putting a listening web server on it adds network attack surface to the most sensitive machine you own, and an exploitable flaw in IIS or anything hosted on it becomes a domain compromise rather than a web server compromise. Normally with my customers I simply tell them to use the www in front of the domain name. If it is a .com name, instruct them to type just the domain in the address bar and hit <CTRL> + <Enter>; the browser automatically adds the www in front and the .com at the end.

Otherwise, if the boss demands that it work without a www in front (usually a political and not a technical requirement), follow the above, keep the IIS install to the bare minimum (the redirect and nothing else hosted), patch it together with the DC, and take note of the security implications.

Scenario 2: Different Internal and External Domain Names, but you are hosting the webserver internally

Your public domain name is different from your AD domain name, and you are hosting your webserver internally.

In this scenario, internet users reach your site by connecting to the WAN (outside) IP address of your router, which forwards the port to the internal web server. Inside users cannot use that path: many routers will not loop a LAN connection back in through their own WAN address, and your internal DNS servers know nothing about the external name, so you have to host the external name internally as well.

To make this scenario work, create the external domain name as a zone on your internal DNS server:

  1. Open the DNS console.
  2. Click on Forward Lookup Zones.
  3. Right-click, choose New Zone, and type in the name of the external domain.
  4. Once created, right-click the zone you just created and choose New Host Record.
  5. Type in ‘www’ (without the quotes), and provide the internal private IP address of your internal webserver.

Once this zone exists, your internal DNS server is authoritative for it and will never ask the internet about any name in it. Every other public record your inside users rely on (mail, autodiscover, the MX record, anything) must be recreated in the internal zone, or it stops resolving from inside. If all you want to override is www, a narrower option is to create the zone as www.externaldomain.com instead and put a blank (same as parent) host record in it; every other name in externaldomain.com then keeps resolving from the public servers.

If you want to access the site with http://domain.com/ (without the www), you also need a ‘blank’ host record. That is safe in this zone, unlike the AD zone in Scenario 1, because no domain controller registers records here.

How?
Right-click the zone name you just created, choose New Host Record.
Leave the Name field blank, and provide the internal private IP address of your internal webserver.
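Scenario 2 in PowerShell, as an added example that is not part of the original post. It creates the public name as an internal zone with www and the blank record, then copies the public MX and the A records of hosts inside users still need, and finishes with an inside-versus-outside comparison you can rerun after any public DNS change. It assumes the DnsServer module (Windows Server 2012 or later); external.com, 192.168.1.20 and the host list are placeholders, and 4.2.2.2 is the post’s outside resolver.

```powershell
# Added example (not from the original post): Scenario 2. Creates the public domain name as an
# internal AD-integrated zone, adds www and the blank (apex) record pointing at the LAN web
# server, then copies the public records inside users still need, because from now on the
# internal server answers for external.com and never asks the internet about it.
# Assumptions: DnsServer module (2012+); external.com, 192.168.1.20 and the host list are placeholders.
Import-Module DnsServer

$PublicZone        = 'external.com'
$WebServerLanIp    = '192.168.1.20'
$ExternalResolver  = '4.2.2.2'
$PublicHostsToCopy = @('mail', 'autodiscover', 'remote')   # assumption: public hosts users reach from inside

Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope 'Domain'
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'www' -IPv4Address $WebServerLanIp
# Apex record: safe in THIS zone, because no domain controller registers records here.
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name '@'   -IPv4Address $WebServerLanIp

# Copy the public MX record(s): mail lookups for your own domain must still work from inside.
Resolve-DnsName -Name $PublicZone -Type MX -Server $ExternalResolver -DnsOnly |
    Where-Object { $_.Type -eq 'MX' } | ForEach-Object {
        Add-DnsServerResourceRecordMX -ZoneName $PublicZone -Name '@' `
            -MailExchange $_.NameExchange -Preference $_.Preference
    }

# Copy the public A records of hosts that must keep working from the LAN.
foreach ($h in $PublicHostsToCopy) {
    $pub = Resolve-DnsName -Name "$h.$PublicZone" -Type A -Server $ExternalResolver -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
    if (-not $pub) { Write-Warning "$h.$PublicZone has no public A record; skipped"; continue }
    foreach ($r in $pub) { Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name $h -IPv4Address $r.IPAddress }
}

# The check: what each name resolves to from this server versus from the outside. Empty Inside
# with a non-empty Outside means a public record you forgot to copy.
function Compare-SplitZone {
    param([string]$Zone, [string[]]$Hosts, [string]$Outside)
    foreach ($h in $Hosts) {
        $i = Resolve-DnsName "$h.$Zone" -Type A -Server '127.0.0.1' -DnsOnly -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
        $o = Resolve-DnsName "$h.$Zone" -Type A -Server $Outside   -DnsOnly -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{ Host = "$h.$Zone"; Inside = ($i.IPAddress -join ','); Outside = ($o.IPAddress -join ',') }
    }
}
Compare-SplitZone -Zone $PublicZone -Hosts (@('www') + $PublicHostsToCopy) -Outside $ExternalResolver |
    Format-Table -AutoSize

# Narrower alternative: override ONLY www and leave the rest of external.com to the public servers.
#   Add-DnsServerPrimaryZone -Name "www.$PublicZone" -ReplicationScope 'Domain'
#   Add-DnsServerResourceRecordA -ZoneName "www.$PublicZone" -Name '@' -IPv4Address $WebServerLanIp
```

www is expected to differ between Inside and Outside (LAN address versus router WAN address); every other host should match, and the copied records go stale whenever the hoster changes them, which is the argument for the narrower www-only zone at the end.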

Scenario 3: Different Internal and External Domain Names, webserver hosted externally

If you have a different internal domain name and external domain name, and the website is hosted externally:
There’s nothing to do. Normal internet resolution through your forwarder or root hints handles everything.

Don’t forget: ALWAYS and ONLY use the internal DNS servers in your AD environment on every machine (DCs, member servers and workstations, including your VPN clients), or none of this works, because the records and overrides above exist only on your internal servers. Never list your ISP’s DNS servers or your router’s IP address as a DNS address in any internal machine’s IP properties, not even as a secondary: a client that fails over to it loses the internal records and every AD lookup, and you get AD problems as well.

Don’t forget to configure a forwarder for more efficient internet name resolution. I’ve always used this as a best practice: it hands internet name resolution to your ISP’s DNS servers, so your server doesn’t have to walk down from the Root Hints to resolve external names.
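Two checks for the closing advice, as an added PowerShell example that is not part of the original post: one confirms that every interface on a machine lists only domain controllers (or loopback, on a DC) as DNS servers, the other sets the forwarders on the DNS server. It assumes the ActiveDirectory, DnsClient and DnsServer modules (Windows Server 2012 or later); 203.0.113.53 and 203.0.113.54 are placeholder ISP resolvers.

```powershell
# Added example (not from the original post). Check 1: every interface on this machine must list
# only internal (DC) DNS servers; an ISP or router address, even as a secondary, bypasses all of
# the overrides above and breaks AD lookups. Check 2: forward internet queries to the ISP.
# Assumptions: ActiveDirectory/DnsClient/DnsServer modules (2012+); 203.0.113.53/.54 are placeholders.
Import-Module ActiveDirectory, DnsClient

function Get-ForeignDnsServers {
    # Returns each configured DNS server address that is neither a domain controller nor loopback.
    $allowed = @((Get-ADDomainController -Filter *).IPv4Address) + '127.0.0.1'   # loopback is fine on a DC itself
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            foreach ($s in $_.ServerAddresses) {
                if ($allowed -notcontains $s) {
                    [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $s }
                }
            }
        }
}

$foreign = Get-ForeignDnsServers
if ($foreign) {
    Write-Warning 'Non-DC DNS servers are configured on this machine; remove them, secondaries included:'
    $foreign | Format-Table -AutoSize
} else {
    'DNS client OK: only internal DNS servers are configured.'
}

# On each DNS server: forward to the ISP instead of walking the root hints for internet names.
Import-Module DnsServer
Set-DnsServerForwarder -IPAddress '203.0.113.53', '203.0.113.54' -PassThru
```

Run the first check on any machine that “can reach the internet but not the internal site”; a VPN adapter handing out the ISP’s resolver is the usual culprit.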

Ace Fekay, MCT
