
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Need Help from DNS Expert on Subdomain DNS Records

Need Help from DNS Expert on Subdomain DNS Records
razor 6/11/2007 10:36:00 PM
Hello--

We have an issue with being able to access a domain and its sub domain from
within and outside our firewall. We had it working with our old firewall, but
we changed firewalls Friday and now it won't work.

Here's our scenario: We have a namespace called 'domainname.com' with a DNS
Host A entry for the IP address associated with the name of the website in
our internal IIS server. We also have a sub domain named, 'dev' that we used
to have the same IP address as the namespace, but since our new firewall will
not allow more than one public IP to point to the same private IP, we had to
change the IP address for the child Host A record as well as the website in
IIS to something different than the parent IP.

Now everything is whacky. Some of our clients inside the firewall can access
the 'dev' site and some cannot. Some can access the parent site and some
cannot, and those that can connect, can only do so intermittently.

If we change the parent and the child Host A records to be the same IP, we
cannot access the child site from outside the LAN/Firewall because of the new
firewall policy with only one public IP per private IP pointer.

Both the parent domain and child or sub domain IP addresses are in the IIS
server's TCP/IP properties in its NIC card. I looked up our DNS schema in
O'Reilly's DNS 2nd edition for Windows 2003, and it said our convention is
correct, but said nothing (that I can find) about IP addresses.

All of our servers are Windows 2003 and our workstations are W XP /SP2.

Any help would be greatly appreciated.

sd
Re: Need Help from DNS Expert on Subdomain DNS Records
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 6/12/2007 1:29:33 PM
Read inline please.

Is there an Active Directory domain named "domainname.com", too?

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


Re: Need Help from DNS Expert on Subdomain DNS Records
razor 6/12/2007 3:13:01 PM
No. We host three websites on our webserver and this particular one that we
are having issues with is not the same as our AD domain name.

sd

"Kevin D. Goodknecht Sr. [MVP]" wrote:

[Quoted Text]
> Is there an Active Directory domain named "domainname.com", too?
Re: Need Help from DNS Expert on Subdomain DNS Records
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 6/12/2007 11:08:53 PM
Read inline please.

In news:509280B8-6130-4BE8-AA9A-B65176D491C2[ at ]microsoft.com,
razor <razor[ at ]discussions.microsoft.com> typed:
[Quoted Text]
> No. We host three websites on our webserver and this particular one
> that we are having issues with is not the same as our AD domain name.

When you use nslookup to resolve these names do you get the correct internal
IP addresses?

In addition, let's go in to further detail on your original post.


>>> We have an issue with being able to access a domain and its sub
>>> domain from within and outside our firewall. We had it working with
>>> our old firewall, but we changed firewalls Friday and now it won't
>>> work.

Internally or externally?

>>>
>>> Here's our scenario: We have a namespace called 'domainname.com'
>>> with a DNS Host A entry for the IP address associated with the name
>>> of the website in our internal IIS server. We also have a sub
>>> domain named, 'dev' that we used to have the same IP address as the
>>> namespace, but since our new firewall will not allow more than one
>>> public IP to point to the same private IP,

This is confusing, firewalls should not do this. If you're talking about NAT
mapping, you should be able to map multiple public IPs to one private IP; now,
you cannot map one public IP to more than one private IP. But the private
IP should be able to have as many public IPs mapped to it as you want,
although it would seem to be a waste of public IPs.



>>> Now everything is whacky. Some of our clients inside the firewall
>>> can access the 'dev' site and some cannot. Some can access the
>>> parent
>>> site and some cannot, and those that can connect, can only do so
>>> intermittently.

You need to verify that all the DNS servers assigned to the DNS client are
able to resolve every name it needs to resolve to the correct IP address.
Some people attempt to have the Preferred and Alternate DNS resolve
different namespaces. It won't happen that way; the DNS client tends to stick
to the last DNS server that responds. If one is an internal DNS and one is
an external DNS, this will get you into trouble because both cannot resolve
both the internal and external namespaces.

>>>
>>> If we change the parent and the child Host A records to be the same
>>> IP, we cannot access the child site from outside the LAN/Firewall
>>> because of the new firewall policy with only one public IP per
>>> private IP pointer.
>>>
>>> Both the parent domain and child or sub domain IP addresses are in
>>> the IIS server's TCP/IP properties in its NIC card.

What do you mean "Both the parent domain and child or sub domain IP
addresses are in the IIS server's TCP/IP properties in its NIC card"?

Are they or are they not on the same IP address?

NAT is 1 to 1 IP mapping, one public IP to one private IP; you can't map one
public IP to two private IPs. But you should be able to map two public IPs
to one private IP using standard NAT IP/port mapping.




--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps



Re: Need Help from DNS Expert on Subdomain DNS Records
razor 6/13/2007 5:36:03 PM
Ah, that's what 'read inline' means. Sorry m8. I'll reply inline below.
Thanks for the help.

sd

"Kevin D. Goodknecht Sr. [MVP]" wrote:

[Quoted Text]
> Read inline please.
>
> In news:509280B8-6130-4BE8-AA9A-B65176D491C2[ at ]microsoft.com,
> razor <razor[ at ]discussions.microsoft.com> typed:
> > No. We host three websites on our webserver and this particular one
> > that we are having issues with is not the same as our AD domain name.
>
> When you use nslookup to resolve these names do you get the correct internal
> IP addresses?

Yes. Both the namespace and the sub resolve.

>
> In addition, let's go in to further detail on your original post.
>
>
> >>> We have an issue with being able to access a domain and its sub
> >>> domain from within and outside our firewall. We had it working with
> >>> our old firewall, but we changed firewalls Friday and now it won't
> >>> work.
>
> Internally or externally?

Only internally now that we changed the subdomain to a different IP than the parent in both IIS and DNS.

>
> >>>
> >>> Here's our scenario: We have a namespace called 'domainname.com'
> >>> with a DNS Host A entry for the IP address associated with the name
> >>> of the website in our internal IIS server. We also have a sub
> >>> domain named, 'dev' that we used to have the same IP address as the
> >>> namespace, but since our new firewall will not allow more than one
> >>> public IP to point to the same private IP,
>
> This is confusing, firewalls should not do this. If you're talking about NAT
> mapping, you should be able to map multiple public IPs to one private IP; now,
> you cannot map one public IP to more than one private IP. But the private
> IP should be able to have as many public IPs mapped to it as you want,
> although it would seem to be a waste of public IPs.

I agree, but I am not a Cisco expert and that's what they told me. Anyway,
external is working now, so I believe we can exclude the firewall as a
culprit to our inability to access a website from within the LAN (behind the
firewall).

>
>
>
> >>> Now everything is whacky. Some of our clients inside the firewall
> >>> can access the 'dev' site and some cannot. Some can access the
> >>> parent
> >>> site and some cannot, and those that can connect, can only do so
> >>> intermittently.
>
> You need to verify that all the DNS servers assigned to the DNS client are
> able to resolve every name it needs to resolve to the correct IP address.
> Some people attempt to have the Preferred and Alternate DNS resolve
> different namespaces. It won't happen that way; the DNS client tends to stick
> to the last DNS server that responds. If one is an internal DNS and one is
> an external DNS, this will get you into trouble because both cannot resolve
> both the internal and external namespaces.

*Good point* This is where it gets weird. When I do an nslookup on the primary
DNS server to the subdomain IP address, it resolves to a different name each
time, until it finally resolves to the right name, which is really weird
because we have no problem accessing the subdomain from a web browser. It's
the parent that we can browse and that one resolved correctly on the DNS
server first try! Confusing.

>
> >>>
> >>> If we change the parent and the child Host A records to be the same
> >>> IP, we cannot access the child site from outside the LAN/Firewall
> >>> because of the new firewall policy with only one public IP per
> >>> private IP pointer.
> >>>
> >>> Both the parent domain and child or sub domain IP addresses are in
> >>> the IIS server's TCP/IP properties in its NIC card.
>
> What do you mean "Both the parent domain and child or sub domain IP
> addresses are in the IIS server's TCP/IP properties in its NIC card"?

We added the internal IP address of the subdomain to the NIC card on the IIS
server and left the parent IP there as well.

> Are they or are they not on the same IP address?

No. The parent and the sub are different IP addresses now because of the
firewall limitation. Before we switched firewalls they were the same and we
had no problems.

>
> NAT is 1 to 1 IP mapping, one public IP to one private IP; you can't map one
> public IP to two private IPs. But you should be able to map two public IPs
> to one private IP using standard NAT IP/port mapping.

I'm out of my element there, but I will revisit that with Cisco again because
that is where all this started.
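
Added example, not written by either poster: one way to carry out the check Kevin describes in the thread, that every DNS server assigned to a client returns the correct address for every name. It parses Windows-format nslookup transcripts captured against each server and lists the answers that differ from what internal clients should get; the server names, addresses and expected values are constructed for illustration.

```python
import re

# Constructed Windows nslookup transcripts, keyed by the DNS server a client
# is configured with. All host names and addresses are made up.
INTERNAL = ("Server:  dns1.corp.example\nAddress:  10.0.0.10\n\n"
            "Name:    domainname.com\nAddress:  10.0.0.20\n\n"
            "Server:  dns1.corp.example\nAddress:  10.0.0.10\n\n"
            "Name:    dev.domainname.com\nAddress:  10.0.0.21\n")
EXTERNAL = ("Server:  ns.isp.example\nAddress:  203.0.113.53\n\n"
            "Non-authoritative answer:\n"
            "Name:    domainname.com\nAddress:  198.51.100.20\n\n"
            "Server:  ns.isp.example\nAddress:  203.0.113.53\n\n"
            "*** ns.isp.example can't find dev.domainname.com: Non-existent domain\n")
TRANSCRIPTS = {"10.0.0.10": INTERNAL, "203.0.113.53": EXTERNAL}
# Addresses internal clients are supposed to get (assumed values).
EXPECTED = {"domainname.com": {"10.0.0.20"}, "dev.domainname.com": {"10.0.0.21"}}

def parse(transcript):
    """Return {name: set(addresses)}; a failed lookup maps to an empty set."""
    answers, name = {}, None
    for line in transcript.splitlines():
        if line.startswith("Server:"):
            name = None  # the Address: line that follows is the server's own
        elif m := re.match(r"Name:\s+(\S+)", line):
            name = m.group(1).lower()
            answers.setdefault(name, set())
        elif (m := re.match(r"Address(?:es)?:\s+(.+)", line)) and name:
            answers[name].update(re.split(r"[,\s]+", m.group(1).strip()))
        elif m := re.match(r"\*\*\* \S+ can't find (\S+):", line):
            answers.setdefault(m.group(1).lower(), set())
    return answers

def check(transcripts, expected):
    """List (server, name, answers) wherever a server's answer is not the expected one."""
    problems = []
    for server, text in sorted(transcripts.items()):
        got = parse(text)
        for name, want in sorted(expected.items()):
            if got.get(name, set()) != want:
                problems.append((server, name, sorted(got.get(name, set()))))
    return problems

if __name__ == "__main__":
    for server, name, got in check(TRANSCRIPTS, EXPECTED):
        print(f"{server}: {name} -> {got or 'no answer'}")
```

A client whose Preferred and Alternate DNS entries are these two servers gets the right answers only while it is talking to the first one, so any server that appears in the output should not be in an internal client's DNS list.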
