DNS for internal servers

Okay, this should be simple, and maybe I'm just missing something.
I've recently had to move from a 10.3.9 server to a 10.4.10 server. We have 2 servers in-house, the main one that runs DHCP/DNS/Mail, and a second one which does file service.
Reference info:
File Server - 192.168.2.105
Mail Server - 192.168.2.99
The mail server is handing out DHCP, with the following DNS entries:
1st - 192.168.2.99
2nd - 151.164.8.201
3rd - 151.164.1.8
The mail server had DNS turned up and has 1 primary zone: mail.kccompany.org at 192.168.2.99
Under that it has 3 machines setup under that zone:
fs - 192.168.2.105
mail - 192.168.2.99
www - 64.207.xxx.xxx
Now, here's my problem: When my users try to lookup mail.kccompany.org, they get the external 216.xxx.xxx.xxx address, and not the internal 192.168.2.99 address. I have some mobile users who would like to use and access email from home. I have SMTP authentication working, but when they're inside the network, mail.kccompany.org doesn't translate to the internal address like it should. Am I missing something?
DHCP leases are set for 8 hours. I have been working on this for a week, so they should have updated info. And doing a lookupd -flushdns doesn't seem to affect the issue.
Any help would be greatly appreciated! Thanks.
PowerBook G4 17   Mac OS X (10.4.10)   1.5G RAM

As requested:
// Include keys file
include "/etc/rndc.key";

// Declares control channels to be used by the rndc utility.
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.

// Default controls
controls {
    inet 127.0.0.1 port 54 allow { any; } keys { "rndc-key"; };
};

options {
    directory "/var/named";
    recursion false;
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;

    // # Adding this...
    forwarders {
        151.164.8.201;
        151.164.1.8;
    };
    forward first;
    // # to here..
};

// a caching only nameserver config
zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
};

// The zone name, backup file name and masters list of this slave zone
// are truncated in the post as quoted; they are left as posted.
zone "" IN {
    type slave;
    file ".bak";
    masters { };
};

zone "kccompany.org" in {
    type master;
    file "kccompany.org.zone";
};

zone "200.168.192.in-addr.arpa" IN {
    type master;
    file "db.192.168.200";
};

zone "xxx.207.64.in-addr.arpa" IN {
    type master;
    file "db.64.207.xxx";
};

logging {
    category default {
        defaultlog;
    };
    channel defaultlog {
        file "/Library/Logs/named.log";
        severity info;
        print-time yes;
    };
};
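As an added example (not code from the post or from BIND), the following Python script expands relative record names under a zone's $ORIGIN the way BIND does, reports which configured zone would answer a given query, and classifies each answer as RFC 1918 private or public, which is what distinguishes the internal from the external view of a name like mail.kccompany.org. The zone text is constructed from the layout the post describes; the internal addresses are the ones quoted in the post and the www address is a TEST-NET placeholder.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample zone modelled on the layout the post describes (an origin
# with the relative records fs, mail and www beneath it). The www address is a
# TEST-NET placeholder because the post elides it.
SAMPLE_ZONE = """\
$ORIGIN kccompany.org.
$TTL 3600
@       IN  SOA  mail.kccompany.org. hostmaster.kccompany.org. (
                 2007100101 3600 900 604800 3600 )
@       IN  NS   mail.kccompany.org.
fs      IN  A    192.168.2.105
mail    IN  A    192.168.2.99
www     IN  A    203.0.113.10
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "SOA"}


def parse_zone(text: str) -> Dict[str, List[str]]:
    """Map each fully qualified owner name to its A record addresses.

    Relative owner names are expanded under $ORIGIN exactly as BIND does:
    'mail' under origin kccompany.org. is mail.kccompany.org, and '@' is the
    origin itself. Multi-line parenthesised SOA data is skipped.
    """
    origin = ""
    records: Dict[str, List[str]] = {}
    in_parens = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        if in_parens:                             # still inside SOA ( ... )
            in_parens = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$"):                  # $TTL and other directives
            continue
        fields = line.split()
        if "(" in fields and ")" not in fields:
            in_parens = True
        owner = fields[0]
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".").lower()      # already absolute
        else:
            fqdn = f"{owner}.{origin}".lower()    # relative: append the origin
        for i, tok in enumerate(fields[1:], start=1):
            if tok in RECORD_TYPES:
                if tok == "A":
                    records.setdefault(fqdn, []).append(fields[i + 1])
                break
    return records


def is_rfc1918(addr: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16: addresses only reachable inside the LAN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def authoritative_zone(zones: List[str], name: str) -> Optional[str]:
    """Longest-suffix match: which configured zone would answer a query for name."""
    name = name.rstrip(".").lower()
    best: Optional[str] = None
    for zone in (z.rstrip(".").lower() for z in zones):
        if (name == zone or name.endswith("." + zone)) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def internal_view(zone_text: str, query: str) -> str:
    """Describe what an internal client gets from this zone for one name."""
    answers = parse_zone(zone_text).get(query.rstrip(".").lower())
    if not answers:
        return f"{query}: no A record in this zone"
    kinds = ", ".join(f"{a} ({'private' if is_rfc1918(a) else 'public'})" for a in answers)
    return f"{query}: {kinds}"


if __name__ == "__main__":
    for name in ("mail.kccompany.org", "fs.kccompany.org", "www.kccompany.org"):
        print(internal_view(SAMPLE_ZONE, name))
    # The same records under origin mail.kccompany.org. answer for
    # mail.mail.kccompany.org, and a query for mail.kccompany.org finds nothing.
    nested = SAMPLE_ZONE.replace("$ORIGIN kccompany.org.", "$ORIGIN mail.kccompany.org.")
    print(internal_view(nested, "mail.kccompany.org"))
    print(sorted(parse_zone(nested)))
    print(authoritative_zone(["kccompany.org", "localhost", "0.0.127.in-addr.arpa"], "mail.kccompany.org"))
```

The second half of the demo shows why the origin of the primary zone matters: relative names are always appended to it, so the zone has to be the domain the clients query, not a host name within it.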

Similar Messages

  • Exchange 2013 DNS for internal and external domain

    Hi All,
    I have been assigned a task to implement Microsoft Exchange Server 2013. I need some help in setting up DNS namespaces and design a strategy to have same internal and external names. Let me share some details here.
    We have an Active Directory domain myinternaldomain.net, and we have a public domain
    mypublicdomain.com and we have setup email policy to have
    mypublicdomain.com as the SMTP domain for all the users. We have created another DNS zone in Active directory integrated DNS and created a records for
    mail.mypublicdomain.com and autodiscover.mypublicdomain.com which will point to CAS NLB IP. We have 2 CAS servers and 2 MBX servers, we have configured DAG for MBX High availability and planning to implement WNLB for CAS as
    hardware LB is out of scope due to budget constraints.
    We want to have same URLs for OWA, Autodiscover, ECP and other services from internal network as well as from public network. Users should not be bothered to remember two URLs, using one from internal and other from public networks. I also want to confirm
    that with this setup in place do I need to have myinternaldomain.net and server names in the SAN certificate?
    Thanks

    Hi Sccmnb,
    You can easily achieve this using split DNS.
    Internal DNS hostname "mail.mypublicdomain.com" will be pointing to your internal CAS NLB IP and the external public DNS hostname "mail.mypublicdomain.com" will be pointing to the Network device or
    Reverse proxy server IP.
    Depending upon the user's access location (internal/external) the IPs would vary and they should be able to access the website with the same name.
    The names that you would require on the certificate(Use EAC or powershell to raise the request) for client connectivity would be
    SN= mail.mypublicdomain.com
    SAN= autodiscover.mypublicdomain.com
    You don't need to have the active directory domain name present in the certificate.
    In addition to this you need to update the AutodiscoverURI for all servers and the OWA, ECP and Autodiscover Virtual Directories' InternalURL and ExternalURL fields with the appropriate public names.
    Some additional Info:
    *Internal vs. External Namespaces
    Since the release of Exchange 2007, the recommendation is to deploy a split-brain DNS infrastructure for the Internet-based client namespaces. A split-brain DNS infrastructure enables different IP addresses to be returned for a given namespace
    based on where the client resides – if the client is within the internal network, the IP address of the internal load balancer is returned; if the client is external, the IP address of the external gateway/firewall is returned.
    This approach simplifies the end-user experience – users only have to know a single namespace (e.g., mail.contoso.com) to access their data, regardless of where they are connecting. A split-brain DNS infrastructure, also simplifies the configuration of Client
    Access server virtual directories, as the InternalURL and ExternalURL values within the environment can be the same value.
    *Managing Certificates in Exchange Server 2013 (Part 2)
    *Nice step by step article
    Designing a simple namespace for Exchange 2013
    Regards,
    Satyajit

  • DNS for internal network and Firewall ports?

    Hello,
    I don't know were to begin, so I guess I'll start with my setup.
    I have Mac OS X server 10.5.7 running DNS, Firewall, Mail, iChat, RADIUS, VPN, SMB. Behind an Airport Base Station in DMZ.
    My DNS setup is just for the server and local clients. I'm also set up to forward to my ISP DNS.
    My question is do I need to open any ports in the firewall. I currently have my local subnet 172.16.4.x to allow all. The "Any" subnet to allow DNS outbound. Is this correct or am I creating a security risk?
    I don't want the public to be able to use my DNS server. (I would like to ONLY allow my local network, and VPN users.)
    Thanks!
    Message was edited by: Robert LaRocca

    I always recommend going with a hardware device (including the base station) over IPFW when running a server.
    The main reason is that when you're running behind a NAT device (such as the AirPort Base Station), ALL incoming traffic is blocked unless you specifically enabled it via port forwarding. A positive security model.
    In contrast, Mac OS X Server will open firewall ports based on the services you're running, without regard to whether that service should be publicly accessible or not.
    You then have to go through the motions of securing each service to either block external traffic at the service level (e.g. by telling the application what addresses it can listen to), or at the network level (by configuring the firewall to block external access). This is a bad security model since each service is public by default and you have to go out of your way to secure it.
    Also bear in mind that you might not think this is a problem today since you can just configure IPFW and be done, but what about next week? or next month? or next year when you add another service. Will you remember to reconfigure the firewall to secure it then?

  • CISCO NAC deployment with ASA for internal servers (DMZ)

    We have deployed cisco ASA for our clients access to DMZ servers few months ago. Now we want to integrate cisco NAC solution without removing ASA
    from infrastructure. What will be the best deployment mode of cisco NAC so that clients can also pass through cisco ASA access list also for filtering before reaching to dmz servers.
    What gateway will clients use? Please help.
    Should I use Virtual Gateway or Real Gateway for NAC? Clients should first come to NAC (CAS) and then go through the ASA to reach the DMZ servers.

    Hello,
    This should work. Please review the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
    HTH,
    Faisal

  • Is anyone set up to use anycast for internal DNS?

    Good Afternoon,
    I've been considering using Anycast to provide some redundancy for internal DNS lookups. Configuring DNS and subsequent slave zones in Leopard is easy enough and as I understand it, Anycast is just a way of configuring routers so that one IP address can resolve to many different machines.
    I see some of the benefits of using Anycast in that we can have the same 2 dns ip addresses in perpetuity and that as long as one node is up, people will be able to get out.
    So my question to you guys: Has anyone done this? If so, is there anything I need to look out for before I start? Is there something you wish you'd known before you started down this path.
    I'd love to hear your experiences and read any documentation you might have kept. I thought Mr Hoffman's write up on his DNS services was really excellent btw.
    Cheers,
    dave

    Do you have a particularly large infrastructure?
    IP Anycast is usually implemented via BGP announcements from your router(s), with each router using the BGP tables to determine the 'best' server to use. If you're doing this for internal DNS then that assumes you're already running IBGP.
    Even then, BGP is a pretty dumb protocol - all it does is say 'hey, here's how to get to a.b.c.d IP address'. It has no idea whether the specific server/service you're after is available at that address.
    In other words, even if you setup IP Anycast via IBGP you'll still have clients routing to a dead server unless you can somehow update your BGP tables when a server goes down. Not a trivial task for most routers.
    It sounds like what you really want is more load balancing than IP Anycast. There are numerous load balancers than can do this. Another option (if your DNS servers are physically close) is to use some kind of failover process so that the second server assumes the role (and IP address) of the first server should it fail (and vice versa). That option is built-in to Mac OS X Server (although it takes a little command-line jiggling to get it working).
    Then again, the whole point of defining multiple DNS servers on the client is that the client will automatically fail over to alternate servers if it doesn't get a response from the first - in other words, the clients already have built-in failover for DNS (although the user will notice lookup delays when the primary server is offline).

  • Using one public ip for ssh`ing to different internal servers using port-redirections

    Hi, we have a requirement to use the same public IP to ssh into different internal servers using port redirection. So let's say from outside, if a user does ssh @ root 4.4.4.4 2222, it should go to sshsrv1, and then ssh @ root 4.4.4.4 2223 to sshsrv2.
    My config is like this:-
    object network sshsrv1
    host 10.110.100.10
    nat (inside,Outside) static 4.4.4.4 service tcp 22 2222
    And then i allowed the object "sshsrv1" in my inbound acl from outside.
    It doesn't seem to work. Is this doable?
    Any suggestions??

    Hi,
    Would need to see your NAT configurations.
    There is a possibility that you have a NAT configuration that might be preventing this from working. Then again you are using an extra public IP address for this so it seems strange.
    Could you try the "packet-tracer" command
    packet-tracer input outside tcp 12345 2222
    This should tell us if there is some problem in the ASA configurations.
    - Jouni

  • How to set up with cacheing DNS for local network?

    Our new Lion Server has a static IP Address pointed to over the internet by our registrar's zone file. Planning the Lion Server installation process with the intent of hosting Web, Mail and Open Directory services to a small number of users who are nearly all located off-site. I do also want Lion Server to be a caching DNS Server and DHCP authority on the local network to replace what dnsmasq does on our current Linux server.
    I am looking forward to offloading some of the lower level Linux administration tasks and putting myself in the hands of the Lion Server Setup Assistant and Server App :-) but at the same time don't understand some of  its assumptions and fear having to spend a lot of time experimenting and re-installing.
    So, specifically, I want the Server App to know that my Lion Server has a "Host Name for the Internet" but that the DNS it sets up will not be the DNS for my zone - I will be managing that through my registrar's interfaces.
    Second problem is my not understanding what name space devices on the local network will / should use. E.g. the Linux server will be available for backups etc. on the local intranet (and optionally have a static IP address on the Internet) but MacBooks, PCs, iPads and iPhones will be served IP addresses by the Lion Server's DHCP. So will / should these dynamic devices have their machine names fully qualified by our domain name with RFC 1918 style IP addresses or something like .local? How do I tell this to Lion's Server App / Setup Assistant? How easy is it to update these initial settings later?

    You do indeed need to have a master zone on lion server.  There's no way to get around that since Open Directory depends on Kerberos and Kerberos depends on the DNS.  LS scripts may see that the rDNS record exists, but I highly doubt that it'll auto configure everything for you... and given the number of possible variables, I bet that even if it worked something would need additional tweaking.
    Sounds like an interesting lab exercise. You should try it on a test server!
    Again... you just need to follow the set up procedure that Lion Server presents you with.
    It won't be smart enough to see your external records and use them to configure a key distribution center for your OD. 
    As far as your caching needs...  Could you set up your DHCP server to set the DNS server setting to show your internal server as the first hit, and your external as the second?  That way when the client requests a resolution it'll not get a hit on your local server but will from the external? 
    The question then is how long will it wait for a response from the first server?  Or will the first server respond with "I don't know" sending the client immediately to the second.
    The server setup that I have works similarly. I have an internal master DNS that is replicated to a secondary. The first DNS has an A record (community.server.com) that points to the INTERNAL IP address of the secondary server that's also running the web service. The first server is running DHCP. It tells the clients to use the first and second servers for its DNS lookups.
    Now...  Externally, my registrar hosts an A record for community.server.com that points to the external IP address of my router which then forwards the request to the proper port on the internal network.
    This way, the local clients internally look up and get a response locally when they go for community.server.com.  Externally, clients that look up community.server.com get the external connection to the router in my school.
    Yikes...  I fear that this is as clear as mud!
    -Graham

  • Set up secondary DNS for mail?

    When I first configured my server using the advanced setup, I successfully set up my DNS services using a domain name for the primary zone that is not a registered domain. I have no intention of ever using the domain name I use internally on the net.
    I usually host my mail services with third-party hosting company and just use my server for file and print services. However, I recently purchased a new domain name and have considered using the mail services to host the domain. My question is:
    Do I need to set up a secondary zone for this domain, or should I start over and reconfigure my server? I had read that once you configure your primary DNS, it is hard to go back and reconfigure it.
    Also, once I have the DNS properly configured, it is my understanding that I'll just need to point the MX records at my hosting company towards my server to make it work, correct?

    If you're just looking for mail then there's no need to start from scratch - you can just tell the mail server to accept mail for your new domain in addition to the existing domain.
    Before you do this, though, make sure you have a) a static IP address and b) working reverse DNS for your IP address. If you don't have this then remote mail servers may not accept your mail since you look like a spammer.
    Apart from that, once you setup postfix to accept mail for your new domain then, yes, all you need to do is change your MX records.

  • Use Same URL for Internal and External Access for CRM 2015 IFD

    I have setup a CRM2015 server for IFD access.
    ADFS and CRM are on separate servers.
    CRM server all roles
    ADFS 2.0 server.
    Using the internal URL I am able to access CRM without entering my details (as expected)
    Using the external URL I am authenticated by ADFS as expected and can sign in.
    We have an internal domain domain.local
    We have an external domain domain.com (the certificate is for *.domain.com)
    We have a DNS zone created internally for domain.com.
    CRM URLs
    internal : internalcrm.domain.com
    External : externalcrm.domain.com
    I would like all users to use the same link regardless of them being internal or external, but I would like so that any user who is on the domain is automatically logged in without entering their username and
    password. What is the best way to do this?
    I have tried creating a cname record on the internal domain.com zone pointing externalcrm.domain.com to internalcrm.domain.com but that didn't work, I still get the ADFS sign in page.
    Thanks

    So fair warning, what you're asking for isn't really a supported deployment method of CRM.
    That said, you should be able to do some DNS trickery internal to your network that points your "crm.domain.com" to "crm.domain.local" and then hopefully CRM will treat the connection as if it came from an internal network.
    Otherwise, you're likely going to have to accept that everyone gets the ADFS login page internal and external to your network.
    The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.

  • What is my DNS for my new website setup?

    What is my DNS for my new website setup?
    I am registering my new Domain name with an outside website service (not iWeb). Namecheap.com
    What Mac OS X 10.8.2 DNS do I use for my server setup with thru their business? They have asked me this question. Or do I use their default servers as they suggest?
    Please help. Thank you in advance for your advice.

    It's not entirely clear what you're asking. Are you asking what data you have to provide to your domain registrar? Or are you asking for some configuration data for your machine?
    Are you planning/hoping to use your Mac OS X Server as the authoritative DNS server for your domain? (this is usually a bad idea unless you really know what you're doing).
    If you're setting up the remote domain on your registrar's servers then there's nothing you need to do for your machine. For simplicity's sake you don't need to do any DNS for your domain on your own server - let the service provider do that. If you want to setup your domain internally as well, then I'd recommend disconnecting your public records (hosted by your service provider) from your private ones (running on your own machine) since you will likely want to hide your internal network addresses from the public.

  • Cloudflare Public DNS and Internal AD Domain DNS conflict?

    I have a client whose web design team is using Cloudflare for their public nameservers. At the client's location, we have an Active Directory domain with several servers, and we are running internal DNS for their domain (let's say "client.com" is the domain). The problem I'm seeing is that since PCs in their office need to point to internal DNS, every time Cloudflare changes the IP address of their website (which seems to happen at least every other week, sometimes multiple times in a week) I have to manually update my internal DNS records with the new IP addresses so that the website is accessible again from within their office. Obviously those that are outside of the office have no problem since external users are looking to public DNS servers that then point to the Cloudflare nameservers. But I'm not sure how to make this happen...
    This topic first appeared in the Spiceworks Community

    I ran the test again with the verbose switch. Relevant part in bold.
                   TEST: Basic (Basc)
                      The OS
                      Microsoft Windows Server 2008 R2 Standard  (Service Pack level: 1.0)
                      is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
                         MAC address is redacted
                         IP Address is static
                         IP address: redacted
                         DNS servers:
                            redacted [Valid]
                            redacted [Valid]
                            redacted [Valid]
                      The A host record(s) for this DC was found
    The SOA record for the Active Directory zone was not found
    Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
    Root zone on this DC/DNS server was not found
    So, I just need to know how to fix the SOA record.  Looking that up now.

  • Set up reverse DNS for virtual mail hosting

    I need a bit of server configuration advice.
    I have a static IP and two public domains on a Snow Leopard server connected using NAT behind a firewall - with the necessary port forwarding to ensure all works. 
    1. abc.com is my primary domain on the server - server.abc.com
    2. I have xyz.com set up as a virtual domain and also as a virtual mail host
    This setup has worked well for a long time but I have found that emails to [email protected] are going missing. If I check my MX records using one of the web based tools it shows an error on the reverse DNS for server.xyz.com, showing a reverse DNS of server.abc.com.
    So the question: is it possible to have a secondary 'virtual' DNS record on the server so reverse DNS works for the virtual mail host xyz.com? If not, how do I handle the reverse DNS problem which I think is causing some external mail server to reject mail due to the inconsistency on the reverse DNS lookup?
    Many thanks for any suggestions

    SMTP requires a DNS A record.
    A DNS A record is also known as a machine record.
    A DNS A record inherently means that forward DNS and reverse DNS will match.
    The forward translation translates the host name to the IP address.
    The reverse translation translates the IP address to host name.
    When the full translation produces the same host name, that's an A record.
    DNS CNAME records are aliases, and are used for virtual hosts.
    CNAME records inherently do not match the reverse DNS translations.
    To get your configuration to work, your server must have an A record.
    That means forward and reverse DNS will match.
    Any of the virtual hosts within your mail server then all use an MX pointing at the A record host.
    If you have your DNS hosted somewhere other than your ISP, then you'll need your ISP to set up a DNS PTR.
    The DNS PTR is the reverse translation; address to name.
    If you have your own DNS services within your network (as would be typical with a privately-addressed NAT'd network), set that up as a virtual host within SMTP.
    Here is some related reading on external (public) DNS, as related to SMTP servers and such.
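As an added example (not code from either poster), here is a small offline model of the forward-confirmed reverse DNS check that mail receivers and the web-based MX tools perform: resolve the host name to its address, look up the PTR for that address, and confirm that the PTR name resolves back to the same address. The forward and reverse tables are constructed sample data using TEST-NET addresses, modelled on the two-domain layout in the post.

```python
import ipaddress
from typing import Dict, List

# Constructed sample DNS data standing in for the setup in the post: two
# domains served by one host on one static address, plus a second host whose
# PTR does not point back at a name that resolves. Placeholders, not real records.
FORWARD_A: Dict[str, List[str]] = {
    "server.abc.com": ["198.51.100.25"],
    "server.xyz.com": ["198.51.100.25"],   # virtual host sharing the same address
    "mail.example.net": ["198.51.100.40"],
}
REVERSE_PTR: Dict[str, str] = {
    "198.51.100.25": "server.abc.com",      # one address carries one PTR name
    "198.51.100.40": "smtp.example.net",    # name with no matching A record
}


def reverse_name(addr: str) -> str:
    """The in-addr.arpa owner name a resolver queries for an IPv4 address."""
    return ipaddress.ip_address(addr).reverse_pointer


def fcrdns_check(host: str) -> dict:
    """Forward-confirmed reverse DNS for one host name.

    confirmed        : the PTR name for the host's address resolves back to that address
    ptr_matches_name : the PTR name is the queried host name itself (what the MX tool
                       in the post was complaining about for server.xyz.com)
    """
    name = host.lower().rstrip(".")
    addrs = FORWARD_A.get(name, [])
    result = {"name": name, "addrs": addrs, "ptr": {}, "confirmed": False, "ptr_matches_name": False}
    for addr in addrs:
        ptr = REVERSE_PTR.get(addr)
        result["ptr"][addr] = ptr
        if ptr is None:
            continue                          # no PTR at all: a receiver sees no reverse DNS
        if addr in FORWARD_A.get(ptr, []):
            result["confirmed"] = True        # PTR name -> A -> same address
        if ptr == name:
            result["ptr_matches_name"] = True
    return result


if __name__ == "__main__":
    for host in ("server.abc.com", "server.xyz.com", "mail.example.net"):
        r = fcrdns_check(host)
        print(f"{host}: PTR {r['ptr']} confirmed={r['confirmed']} "
              f"ptr_matches_name={r['ptr_matches_name']} (query {reverse_name(r['addrs'][0])})")
```

Because an address has a single PTR, the virtual host server.xyz.com can still pass forward confirmation through server.abc.com; what cannot be satisfied is a PTR that names every virtual domain at once.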

  • Policy based NAT to share 1 public IP between two internal servers

    Hello all,
    I would like to implement a solution that allows me to share a single public IP amongst two internal servers. One service uses a range of tcp ports.
    I believe the below will address what I need however - can I use the ‘object-group’ command or do I need to specify each tcp port separately?
    This?
    object-group service A_Bunch_O_Ports tcp
    description Telemesis comms to-From Internet
    port-object eq https
    port-object eq www
    port-object eq 8060
    port-object eq 8070
    access-list policyNAT-share extended permit tcp host 172.20.40.100 object-group A_Bunch_O_Ports host 1.2.3.4 object-group A_Bunch_O_Ports
    access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
    nat (inside) 3 access-list policyNAT-share
    global (outside) 3 1.2.3.4 netmask 255.255.255.255
    Or this?
    access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 443 host 1.2.3.4 eq 443
    access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 80 host 1.2.3.4 eq 80
    access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8060 host 1.2.3.4 eq 8060
    access-list policyNAT-share extended permit tcp host 172.20.40.100 eq 8070 host 1.2.3.4 eq 8070
    access-list policyNAT-share extended permit tcp host 172.20.40.200 eq 25 host 1.2.3.4 eq 25
    nat (inside) 3 access-list policyNAT-share
    global (outside) 3 1.2.3.4 netmask 255.255.255.255

    Do you need both inbound and outbound connection for the server, or only outbound connection?
    If you only need outbound connection, then you don't even need to specify the port on the access-list. You can just configure the following:
    nat (inside) 3 172.20.40.100 255.255.255.255
    nat (inside) 3 172.20.40.200 255.255.255.255
    global (outside) 3 1.2.3.4 netmask 255.255.255.255
    However if you need both inbound and outbound connection for the server, then you should configure the following:
    static (inside,outside) tcp 1.2.3.4 443 172.20.40.100 443 netmask 255.255.255.255
    static (inside,outside) tcp 1.2.3.4 80 172.20.40.100 80 netmask 255.255.255.255
    static (inside,outside) tcp 1.2.3.4 8060 172.20.40.100 8060 netmask 255.255.255.255
    static (inside,outside) tcp 1.2.3.4 8070 172.20.40.100 8070 netmask 255.255.255.255
    static (inside,outside) tcp 1.2.3.4 25 172.20.40.200 25 netmask 255.255.255.255

  • PAC file support for Proxy Servers

    When will AIR support PAC files for proxy servers?
    In our network, we can't point to a PAC file because the AIR app simply ignores it, and we experience comms issues because of it. The workaround is to configure the network settings to point directly at the proxy, bypassing the PAC file.
    This is a big problem as pointing directly at the proxy means a lot of manual configuration for each user that requires the use of the AIR app.
    Any clues or suggestions?

    Hi,
    Additional configurations (DHCP and DNS) are required when you use Automatically detect settings.
    For details, please refer to:
    Automatic Detection and Configuration of Browser Settings
    http://technet.microsoft.com/en-us/library/dd361887.aspx
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • DNS for ICM install

    Hi,
    We can install ICM using either IP address or Hostname. If using hostname ,we have to maintain LMHOST file on all the ICM servers. Without using LMHOST, can we use DNS for this hostname to IP resolution? Which is the best practice.? 
    Regards
    Krishna

    Personally, I prefer host files as they shouldn't ever really change and you have full control over them. A lot of organizations have a separate DNS group which can/will change things as they see fit.
    david
