The situation: Locally I have domain.local (AD integrated) set up. I also have domain.com NS provided by a services provider. However, the server mail.domain.com is running in our network. It can be accessed from the outside. I need local workstations to resolve mail.domain.com to the local IP address of the server (else they are looped back to the gateway and stopped by the firewall). I cannot use a name like mail.domain.local due to certificate issues.

If I add a new zone to the DNS server called domain.com, what happens is that the server now fully services the domain domain.com and this is undesirable (e.g. www.domain.com becomes unavailable to the local clients as the www subdomain is not entered as a DNS record; all other subdomains should be resolved by an external DNS).

Basically I want to ask the local DNS "where is aaa.domain.com?" and the wanted behaviour is: it has its record, so it returns the data in the record; it does not have the record, so it forwards... Thank you.
"Bobby Gontarski" <BobbyGontarski[ at ]discussions.microsoft.com> wrote in message news:1F6E8142-3AB3-43DF-8B93-CED02C31BB80[ at ]microsoft.com...
I don't know what mail server and email client software you're using, or have enough information about your system to see the whole picture, but it seems to me you're possibly overcomplicating the whole thing, and I think it's probably not really necessary to do what you think you need to do with DNS, although I can see some reasons why you might think you need to.
What are you using as your mail server? Exchange?
OK, the simple way :-) E.g. I want to resolve mail.domain.com to 192.168.1.10 when in my local network.
The problem: domain.com is handled by a public nameserver, including the address mail.domain.com, which for everyone outside my net resolves to e.g. 70.70.70.70, the public IP of my gateway (actually in the current configuration it resolves to 70.70.... even from the local net).
It makes no difference what mail server I am using (in my case Kerio MailServer), as I might want to do it with a web server, FTP server or anything else.
One way I can think of is to edit the hosts file on every workstation: no way, too complicated.
The other way: play with the DNS server.
The catch: I cannot add a primary zone domain.com to the DNS and add an A record for mail.domain.com, as the server would start resolving *.domain.com, which is undesirable. I just want to resolve mail.domain.com to 192.168.1.10; for everything else under *.domain.com, ask the public nameserver for the address.
Thanks.
"nickm" wrote:
In news:DD05EF1D-9849-423E-8A8D-ED09FBD65D1E[ at ]microsoft.com, Bobby Gontarski <BobbyGontarski[ at ]discussions.microsoft.com> requesting assistance, typed the following:
You have a scenario with an AD domain name that is the same as your external name. You are hosting your mail services internally, with the MX record pointing to your outside WAN gateway address, which is port remapped to the internal mail server. Your internal machines cannot get to www.domain.com or mail.domain.com.
The way around this: assuming that your internal AD domain name is domain.com, and the zone is already created, create the name "mail" and give it the internal IP address of the mail server.
Actually, it does make a difference what mail server is being used. This is because if it is Exchange, and you are using the Outlook mail client, then it is using a MAPI connection to the mail server, therefore they are not configured as POP or IMAP accounts. Now if you are using a server other than Exchange, such as Kerio, then I understand why your internal clients are set up as POP or IMAP clients, and will require an FQDN to access it.
I don't see why you cannot create the domain.com zone, if it is not already created. In your scenario, why wouldn't you want it to resolve domain.com for your internal clients? Your internal clients cannot use an external DNS server, otherwise it will resolve to your WAN address, and no firewalls out there will do what we call a "U-Turn" to take a connection request from an internal machine to the outside WAN interface and redirect it back in. Besides, what other services do you have internally that are running under domain.com? Is there a web server, FTP or other server? Simply create those records too. If the website is external, but mail is internal, simply create the mail record with the private IP, and the www record with the external IP.
Now if your DNS server is also hosting your public records, then you need to get a separate DNS only for internal use. Using hosts records is unconventional, legacy and not a real solution to this simple problem.
-- Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
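The internal-zone approach Ace describes, as an added example that is not from the thread or from Microsoft: it creates the domain.com zone on an AD-integrated Windows DNS server, adds the "mail" record with the private address from the thread (192.168.1.10), and then checks a list of public names so that any record the internal zone would otherwise hide is copied in with its public address. It assumes the DnsServer PowerShell module, that the script runs on the DNS server itself, a placeholder for an outside resolver, and a constructed list of public host names.

```powershell
# Added example, not the thread's own configuration. Assumes Windows Server DNS
# with the DnsServer module, run on the DNS server; the public resolver IP and
# the list of public names are placeholders / constructed samples.
#Requires -Modules DnsServer

$Zone        = 'domain.com'
$InternalDns = '127.0.0.1'          # assumption: script runs on the DNS server
$PublicDns   = '<ISP-RESOLVER-IP>'  # placeholder: a resolver outside your network

# 1. Create the internal copy of domain.com (AD-integrated, replicated domain-wide)
#    only if it does not already exist.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain'
}

# 2. The one host that must resolve to its private address from inside.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'mail' -IPv4Address '192.168.1.10'

# 3. The internal zone is now authoritative for all of domain.com, so every other
#    public name the clients still need must exist here too. A name that resolves
#    publicly but returns nothing internally is a record that was forgotten.
$PublicNames = @('www', 'ftp', 'autodiscover')   # constructed sample list
foreach ($Label in $PublicNames) {
    $Fqdn     = "$Label.$Zone"
    $Public   = Resolve-DnsName -Name $Fqdn -Type A -Server $PublicDns   -ErrorAction SilentlyContinue
    $Internal = Resolve-DnsName -Name $Fqdn -Type A -Server $InternalDns -ErrorAction SilentlyContinue
    if ($Public -and -not $Internal) {
        $PublicIp = ($Public | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
        Write-Warning "$Fqdn resolves publicly to $PublicIp but not internally; adding it."
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Label -IPv4Address $PublicIp
    }
}
```

Re-run step 3 whenever the provider-hosted public zone changes, since the internal zone never forwards for names under domain.com and will not pick up new public records on its own.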