Splitting Zones

Similar Messages

• A question about DNS records and split DNS

  Hello
  Can someone please help me with the following question
  If I have an AD integrated DNS zone (currently running on Windows 2003 R2, soon to be updated to 2012 R2)
  lets call the domain MyDomain.Local and here I have all my local Server, Computer and related records (A, CNAME MX etc.)
  Also I have an external internet domain lets call is MyCorp.Com (both of these domain are completely separate)
  I have a requirement for an internal URL (Web Server) to point to an internal host, however for various reasons (which I will not go into here), the company wants the format of this internal URL to include the MyCorp.Com element in the overall URL
  Now the MyCorp.Com domain is hosted externally to the company by a dedicated provider (we just login via a secure portal if we want to add for example and A record to the MyCorp.Com domain) the MyCorp.Com domain is completely separate from the MyDomain.local
  domain which is hosted on internal DNS Servers
  Question:
  without using split DNS can I, create a zone called New.MyCorp.Com on our internal AD integrated DNS Servers (to live along side the standard MyDomain.local) than add an A record to this zone say Host.New.MyCorp.Com
  So internal users can locate Host.New.MyCorp.Com without being directed out to the internet (for MyCorp.Com) but internal users will still be able to resolve SomeOtherHost.MyCorp.Com as they do now
  Thanks very much in advance
  AAnotherUser__
  AAnotherUser__

  Hi AAnotherUser_,
  Based on your description, the internal domain name is different from the external domain name, and the web server is hosted internally. And the goal is that the internal user can
  access the web server by using an URL which include the MyCorp.com.
  In this scenario, internet users access your domain name by connecting to the WAN IP address of your router. However, to make the internal users access the website, you would need
  to create the external domain name as a zone on your internal DNS server.
  After creating the DNS zone, right click the zone you created, choose New Host Record.
  Type in the hostname, such as ‘www’, and provide the internal private IP address of your internal web server.
  For more details, please refer to Ace’s blog below, the
  Scenario 2: Different Internal and External but you are hosting the webserver internally
  http://blogs.msmvps.com/acefekay/2009/09/03/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name/
  Best Regards,
  Tina

• Office Web Apps server for Lync DNS question

  We are going to deploy an Office Web Apps server for our Lync 2013 clients, available internally and externally. We do not have a split-horizon DNS so it is not possible for wac.foo.com to have a different IP for internal vs. external clients. What is the
  best setup for our scenario? It looks like we can only add one address in the Lync topology builder, so would it make sense to send everybody to the external wac.foo.com regardless of whether they are internal vs. external? Or is there a better option?
  Thanks,
  Matt

  It might be easiest to use pin-point DNS.  Create an internal zone called wac.foo.com with a blank A record that points to the internal IP address of the OWAS/WAC server.  This way, wac.foo.com will resolve to the correct
  internal address, but you're not setting up a split zone for the rest of foo.com.
  This trick can come in handy for publishing other items without recreating the entire zone, it's a nice one to keep in your back pocket.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Same internal and external domain names - AGAIN!

  Hi all-
  Like many of you, I am confronting the problem of having the same FQDN for both my Active Directory domain and Internet domain.  For the sake of discussion, let's call the domain rlh.com.
  I need to access an externally-hosted website on the rlh.com domain.  The site is coded exclusively to use rlh.com and NOT
  www.rlh.com.  Therefore, the old trick of adding a static www A record on my internal DNS server will not work.
  It looks like another option is to install IIS on my DC and then configure some type of forwarding to the external site.  While this might work, frankly, I don't want IIS on my DC.  It's a DC, not a web server.
  Yet a third option, correct me if I'm wrong, looks to be using some type of "split DNS."  Though I have not read the particulars (yet) of this solution, I am suspicious of it causing DNS inefficiencies.
  All of these solutions look to me to be workarounds.  I am preparing to install a new DC (upgrading from 2003 to 2008 R2) and want to FIX the problem, not work around it.  That said, it looks like I have two options:
  1.  Rename my existing 2003 AD domain using rendom
  2.  Install the new 2008 R2 DC with the new domain name, setup domain trust between the old and new domains, and then use ADMT.
  Can someone please comment on my logic here?  Does anyone have experience with both of the two options?  Is one less painful than the other?
  As I preparatory step, I have migrated from my onsite Exchange 2003 server to Office 365.  Exchange is no longer present in my organization, though some slight "remnants" may remain in Active Directory.  Other than Exchange, I have a
  Hyper-V host, 2 SQL Servers, and 3 RDS servers present in my environment.
  Thanks.

  I realized this was answered, but I would like to add the following comprehensive blog on this subject.
  Can't Access Website with Same Name (Split Zone or no Split Brain)
  Published by Ace Fekay, MCT, MVP DS on Sep 4, 2009 at 12:11 AM  1278  0
  Note - In an AD same name as the external name (split zone) scenario, if you don't want to use WWW in front of URL, such as to access it by
  http://domain.com, then scroll down to "So you don't want to use WWW in front of the domain name"
  http://blogs.msmvps.com/acefekay/2009/09/03/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name/
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Internal & external Domain the same Cannot resolve Website

  Since moving my website from internal to a external hosting provider, I cannot browse the website from inside my LAN
  I have created the necessary A record with  www  and added the Public IP for the my website. 
  I have created a Delegation for the Zone in DNS and set it to my SOA dns server reported to me because the above would work. 
  I have seen this setup many times in other networks but i canot figure this one out.
  I verified there was no RDNS record anymore from the ISP as that was causing a issue before 
  From PC outside the LAN 
  C:\>dig -x 64.129.116.22
  ; <<>> DiG 9.3.2 <<>> -x 64.129.116.22
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 138
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;22.116.129.64.in-addr.arpa.    IN      PTR
  ;; ANSWER SECTION:
  22.116.129.64.in-addr.arpa. 86400 IN    PTR     mail.evolutionimpressions.com.
  22.116.129.64.in-addr.arpa. 86400 IN    PTR     ftp.evolutionimpressions.com.
  ;; Query time: 93 msec
  ;; SERVER: 24.92.226.40#53(24.92.226.40)
  ;; WHEN: Tue May 08 07:11:29 2012
  ;; MSG SIZE  rcvd: 105
  C:\>dig evolutionimpressions.com a
  ; <<>> DiG 9.3.2 <<>> evolutionimpressions.com a
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1120
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;evolutionimpressions.com.      IN      A
  ;; ANSWER SECTION:
  evolutionimpressions.com. 36945 IN      A       184.168.26.1
  ;; Query time: 21 msec
  ;; SERVER: 24.92.226.40#53(24.92.226.40)
  ;; WHEN: Tue May 08 07:13:18 2012
  ;; MSG SIZE  rcvd: 58
  From the DNS Server 
  C:\>ipconfig /all
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : EIS03
     Primary Dns Suffix  . . . . . . . : evolutionimpressions.com
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : evolutionimpressions.com
  Ethernet adapter Local Area Connection:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
   VBD Client)
     Physical Address. . . . . . . . . : 00-19-B9-BC-3D-1E
     DHCP Enabled. . . . . . . . . . . : No
     IP Address. . . . . . . . . . . . : 172.16.1.5
     Subnet Mask . . . . . . . . . . . : 255.255.0.0
     Default Gateway . . . . . . . . . : 172.16.1.177
     DNS Servers . . . . . . . . . . . : 172.16.1.5
  C:\>ping www.evolutionimpressions.com
  Pinging www.evolutionimpressions.com [184.168.26.1]
  with 32 bytes of data:
  Reply from 184.168.26.1: bytes=32 time=67ms TTL=59
  Reply from 184.168.26.1: bytes=32 time=66ms TTL=59
  Reply from 184.168.26.1: bytes=32 time=61ms TTL=59
  Reply from 184.168.26.1: bytes=32 time=89ms TTL=59
  Ping statistics for 184.168.26.1:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 61ms, Maximum = 89ms, Average = 70ms
  C:\>nslookup
  Default Server:  eis03.evolutionimpressions.com
  Address:  172.16.1.5
  > www.evolutionimpressions.com
  Server:  eis03.evolutionimpressions.com
  Address:  172.16.1.5
  Name:    www.evolutionimpressions.com
  Address:  184.168.26.1
  > 
  I can make the users put the www in front of the domain name but i cannot for the life of me figure out why this isnt working... 

  Running either an nslookup or a DIG on my part shows the following:
  ==========================================
  c:\DIG>dig evolutionimpressions.com
  ; <<>> DiG 9.8.0 <<>> evolutionimpressions.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37852
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;evolutionimpressions.com.      IN      A
  ;; ANSWER SECTION:
  evolutionimpressions.com. 86400 IN      A       184.168.26.1
  ==========================================
  c:\DIG>dig www.evolutionimpressions.com
  ; <<>> DiG 9.8.0 <<>>
  www.evolutionimpressions.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55452
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;www.evolutionimpressions.com.  IN      A
  ;; ANSWER SECTION:
  www.evolutionimpressions.com. 86400 IN 
  CNAME   evolutionimpressions.com.
  evolutionimpressions.com. 86400 IN      A       184.168.26.1
  ==========================================
  A reverse on 64.129.116.22:
  c:\DIG>dig -x 64.129.116.22
  ; <<>> DiG 9.8.0 <<>> -x 64.129.116.22
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34360
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;22.116.129.64.in-addr.arpa.    IN      PTR
  ;; ANSWER SECTION:
  22.116.129.64.in-addr.arpa. 86305 IN    PTR    
  ftp.evolutionimpressions.com.
  22.116.129.64.in-addr.arpa. 86305 IN    PTR     mail.evolutionimpressions.com.
  ==========================================
  A reverse on 184.168.26.1
  c:\DIG>dig -x 184.168.26.1
  ; <<>> DiG 9.8.0 <<>> -x 184.168.26.1
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52143
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;1.26.168.184.in-addr.arpa.     IN      PTR
  ;; ANSWER SECTION:
  1.26.168.184.in-addr.arpa. 3600 IN      PTR     p3nlhg290c1290.shr.prod.phx3.secureserver.net.
  ==========================================
  In summary, it appears 184.168.26.1 is the record for both
  http://evolutionimpressions.com/ and
  www.evolutionimpressions.com.
  But I noticed, is that when I typed in
  www.eveolutionimpressions.com, it redirects it to
  http://evolutionimpressions.com/ .
  This is because www.evolutionimpressions.com is a
  CNAME for http://evolutionimpressions.com/ (without the www). 
  Therefore that concludes me to believe that's why internally you can't access the site. This is because no matter what you do, since evolutionimpressions.com, and the CNAME is always reverting it
  http://evolutionimpressions.com, and your AD name is
  evolutionimpressions.com, you are always accessing one of the internal DCs' LdapIpAddress. Note: each DC creates this record. You can't alter it!
  How do you get around that? Not so simple. What I would normally suggest (disregarding the security implications), is to install IIS on each DC, then in the default website properties, create a redirect to
  www.evolutionimpressions.com. HOWEVER, because the website is always redirecting to
  http://evolutionimpressions.com due to the CNAME, it won't work, and will create a redirect loop.
  I haven't seen this scenario before.
  The simple fix I would believe and suggest to ask whomever created the public records for the site to
  eliminate the CNAME and simply create two A records:
  evolutionimpressions.com            A     184.168.26.1
  www.evolutionimpressions.com    A     184.168.26.1
  Then either always only use www in front of it, or do the IIS trick/workaround above. Here'a little tidbit - in the browser, simply type in
  evolutionimpressions (without www or com), and then hit CTRL & <enter>, and the browser will add the WWW and COM to it.
  Here's more on that DC IIS trick/workaround:
  Can't Access Website with Same Name (Split Zone or no Split Brain)
  Published by Ace Fekay, MCT, MVP DS on Sep 4, 2009 at 12:11 AM  1278  0
  For no WWW in front of URL, scroll down to "So you don't want to use WWW in front of the domain name"
  http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx
  Ace Fekay
  MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This post is provided AS-IS with no warranties or guarantees and confers no rights.

• Exchange 2010/Outlook 2010 Security Alert (...there is a problem with the site's security certificate.)

  I've been looking to resolve this issue for a while now and was hoping someone could help me understand my options.
  We have Exchange 2010 & Outlook 2010 in our environment. I've created a SSL cert for our ActiveSync from a reputable CA and unfortunately, as you may not be surprised, we are seeing an alert each time we open Outlook that states:
  "Security Alert; Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
  The name on the security certificate is invalid or does not match the name of the site."
  Of course my internal server name does not match my external server name. So the SSL I had created for use with OWA and ActiveSync is rejected by my internal Outlook clients.
  After doing some research I believe this is related to the Autodiscover service being configured with my internal server name and not my external name. 
  I've found some info about adding New-AutodiscoverVirtualDirectory and Set-ClientAccessServer commands and then found this article that might help.  (Configure
  Outlook Anywhere to Use Multiple SSL Certificates) but nothing is specific to my configuration and I'm concerned about what will happen to my existing configuration if this fails. 
  What happens when you run Set-ClientAccessServer? Does it retain and keep the old server config in place and add a new one or does it wipe it out? Will all of my devices need to be reconfigured?
  Same with New-AutodiscoverVirtualDirectory.  Does this simply add another virtual directory or is it going to overwrite my existing config?
  Then there is the question of whether or not any of this will actually address my issue at all.
  absolutezero273c

  Sorry.
  "[PS] C:\Windows\system32>Set-ClientAccessServer -Identity MailExt -AutoDiscoverServiceInternalUri "https://MailExt
  .contoso.com/autodiscover/autodiscover.xml"
  The operation couldn't be performed because object 'MailExt' couldn't be found on 'DomainController2.contoso.local'.
      + CategoryInfo          : NotSpecified: (0:Int32) [Set-ClientAccessServer], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : 4D980455,Microsoft.Exchange.Management.SystemConfigurationTasks.SetClientAccessServer"...is the error I get.
  I've created the split zones and populated the Forward Lookup Zones as follows:
  CONTOSO.COM
  MailExt(CNAME)MailInt.contoso.local
  _tcp _autodiscover(SRV)MailExt.contoso.com
  CONTOSO.LOCAL
  MailInt(A)192.168.1.10
  MailExt(CNAME)MailInt.contoso.com
  One thing I did notice is that there isn't a _tcp _autodiscover entry for MailInt in my Forward Lookup Zones.  It was recommended that I make that entry for _tcp _autodiscover(SRV)MailExt.contoso.com in another post I read somewhere.
  I believe what I am trying to do is create a new autodiscover object as is shown here:
  I see there is a Get-ClientAccessServer & Set-ClientAccessServer command but I need to add a CAS. Does the Set-ClientAccessServer add or simply modify?
  Or would that require the New-AutodiscoverVirtualDirectory command? I read
  this page that discussed creating new virtual directories but that seemed a little risky without knowing all the ins and outs of how this service functions and to what degree this would affect the existing configuration.
  I was able to use the Set-ClientAccessServer command and change the actual internal autodiscoverUri to https://MailExt.contoso.com/autodiscover/autodiscover.xml but the name still says MailInt and I continue to get the SSL cert warnings because it is looking
  at MailInt.contoso.local.
  absolutezero273c

• Do I need to open ports for my services if I am connecting through VPN

  Hi,
  I work in a small office and we are trying to connect people remotely to our server through VPN.
  Using the Server App I managed to make VPN work and successfully connected to our file share points, so that means file sharing worked without opening ports for afp on my Airport router.
  On the other side I cant connect to other services as iCal and Address Book as I am locally in the office. Does that mean I have to open the ports for those services on the router, if yes then why use VPN in the first place.
  Thanks,

  If I understood you correctly:
  External client -> (server.domain.name) -> Router -> Server: is working
  Internal client -> (server.domain.name) -> Router -> Server: is not working
  Internal client -> (local ip) -> Server: is working
  If yes, you can implement a-la "split zone DNS".
  1. On the external DNS your domain name server.domain.name resolved to the external router IP.
  2. You should add record (and zone) server.domain.name to your OS X Lion Server DNS pointing to local IP
  When you are connected to VPN, system sets DNS server to your Lion server and server.domain.name is resolving to local IP.
  When you are working without VPN, system use external DNS and server.domain.name is resolving to external IP.
  Of course, you should open ports for your services on the router is you want to use them from external network.
  I am using this configuration and it works perfectly.

• A question about DNS subdomain

  This is a question about DNS subdomain.
  The DNS server for the parent DNS domain is dns1.ours.com.
  The DNS server for the child/sub DNS domain is bee.child.ours.com.
  Configurations on dns1.ours.com:
  File: db.ours.com�F
  @IN SOA dns1.ours.com. postmaster.ours.com. (
  10051215 ; sn
  86400 ;refresh
  7100 ;retry
  777600 ;expire
  126000 ) ;min
  @ IN NS dns1.ours.com.
  dns1 IN A 210.x.x.15
  �c
  [color=Blue]child.ours.com. IN NS bee.child.ours.com.
  bee.child.ours.com. IN A 210.x.x.10[color]
  I did not changed anything in named.conf.
  Configurations on bee.child.ours.com:
  File db.child.ours.com:
  @ IN SOA bee.child.ours.com. test.child.ours.com (
  10051215 ; sn
  86400 ;refresh
  7100 ;retry
  777600 ;expire
  126000 ) ;min
  @ IN NS bee.child.ours.com.
  bee IN A 210.x.x.10
  test IN A 210.x.x.x
  File named.conf:
  options {
  directory "/var/named";
  zone "." {
  type hint;
  file "master/db.cache";
  zone "0.0.127.in-addr.arpa" {
  type master;
  file "master/db.0.0.127";
  zone "x.x.210.in-addr.arpa" {
  type master;
  file "master/db.child.ours.com.rev";
  zone "child.ours.com" {
  type master;
  file "master/db.child.ours.com";
  #nslookup
  Default Server: 210.x.x.10
  Address: 210.x.x.10
  // bee.child.ours.com: the DNS server for the child/sub DNS domain: child.ours.com
  www.ours.comServer: 210.x.x.10
  Address: 210.x.x.10
  *** localhost can't find www.ours.com: No response from server
  //failed to resolve A records in the parent domain, but can resolve A records in its own domain and other domains on the Internet.
  set type=ns
  ours.comServer: 210.x.x.10
  Address: 210.x.x.10
  Non-authoritative answer:
  ours.com nameserver = dns1.ours.com
  Authoritative answers can be found from:
  dns1.ours.com internet address = 210.x.x.15
  //find the DNS server for the parent domain
  > server 210.x.x.15
  // dns1.ours.com: the DNS server for the parent DNS domain: ours.com
  Default Server: dns1.ours.com
  Address: 210.x.x.15
  test.child.ours.comServer: dns1.ours.com
  Address: 210.x.x.15
  *** dns1.ours.com can't find test.child.ours.com: No response from server
  //failed to resolve A records in the child domain, but can resolve A records in its own domain and other domains on the Internet.
  set type=ns
  child.ours.comServer: dns1.ours.com
  Address: 210.x.x.15
  Non-authoritative answer:
  child.ours.com nameserver = bee.child.ours.com
  Authoritative answers can be found from:
  bee.child.ours.com internet address = 210.x.x.10
  //find the DNS server for the child domain
  > server 210.x.x.100
  // a public DNS server on the Internet
  Default Server: [210.x.x.100]
  Address: 210.x.x.100
  set type=a
  www.ours.comServer: [210.x.x.100]
  Address: 210.x.x.100
  Non-authoritative answer:
  Name: www.ours.com
  Address: 210.x.x.72
  //find the A record in the parent domain
  test.child.ours.comServer: [210.x.x.100]
  Address: 210.x.x.100
  Non-authoritative answer:
  Name: test.child.ours.com
  Address: 210.x.x.x
  //find the A record in the child domain
  I wonder why. It is BIND v8.2.2.
  Thanks.

  Hi AAnotherUser_,
  Based on your description, the internal domain name is different from the external domain name, and the web server is hosted internally. And the goal is that the internal user can
  access the web server by using an URL which include the MyCorp.com.
  In this scenario, internet users access your domain name by connecting to the WAN IP address of your router. However, to make the internal users access the website, you would need
  to create the external domain name as a zone on your internal DNS server.
  After creating the DNS zone, right click the zone you created, choose New Host Record.
  Type in the hostname, such as ‘www’, and provide the internal private IP address of your internal web server.
  For more details, please refer to Ace’s blog below, the
  Scenario 2: Different Internal and External but you are hosting the webserver internally
  http://blogs.msmvps.com/acefekay/2009/09/03/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name/
  Best Regards,
  Tina

• DNS Server Infrastructure Design

  Good day IT Folks,
  Currently I'm on the planning stage of designing DNS infrastructure of our company. I've read a lot of reading materials available online about DNS. According to what I've gathered, two (2) DNS server is the minimum and three (3) is the recommended for the
  usual set up of DNS. What I want to my DNS infrastructure is to have two (2) DNS servers for my LAN (internal network) and one (1) DNS for my LAN-to-Internet connection (external network).
  The two (2) DNS servers will resolve LAN request and will forward requests to the another one (1) DNS server if internet-related sites is requested. I would like to ask for your help to give me insights how am I going to do this, where to start and what
  are the things I should consider.
  Thanks.
  akosijesyang - the conqueror

  You could go with a secure design such as the following (click on it to open a larger image in a new page):
  See if the following threads help:
  Technet Thread: Problem with Windows 2008 R2 Dns Server getting SERVFAIL resolving one domain, 1/18/2012
  Includes a secure DNS forwarder in the DMZ image
  http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b00fc041-ba44-45b6-a8a1-a00374a20edf
  Technet Thread: DNS Structure to rebuild efficiently - Question about the resolution process, 10/27/2011
  Includes a secure DNS forwarder in the DMZ image
  http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/3a5fb6ac-6ab7-45b1-abab-e0d928a7e06c
  Good discussion on DMZ secured resolver design, and the use of "Unbound DNS Resolver (http://unbound.net/) to use on your DMZ DNS server instead of Windows DNS. (Note: IMHO, for AD, I would rather use Windows DNS. - Ace)
  Technet Thread: W2003 DNS cache snooping vulnerability for PCI-DSS compliance, 10/10/2011
  http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/67e9189b-606a-40d2-9944-8b4c7d084017/
  And dealing with internal and external names:
  Can't Access Website with Same Name (Split Zone or no Split Brain)
  Published by Ace Fekay, MCT, MVP DS on Sep 4, 2009 at 12:11 AM  1278  0
  Note - In an AD same name as the external name (split zone) scenario, if you don't want to use WWW in front of URL, such as to access it by
  http://domain.com, then scroll down to "So you don't want to use WWW in front of the domain name"
  http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-
  name.aspx
  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
  This post is provided AS-IS with no warranties or guarantees and confers no rights.

• Point internal WWW address to external address

  We have Server 2012 R2 with the Essentials feature installed.
  When we go to our website www.xxxxxxx.com, we get pointed to the Remote Web Workplace.
  We need the www address to point to our company website which is hosted externally.
  How do I do this?
  I've tried to do a redirect in IIS, but it says access denied.
  I've also tried a few DNS tricks, but they aren't working.

  Well, that's very little information to start from, but let me guess: is your internal AD DNS domain name the same as your public DNS domain name? (xxxxxxx.com)
  If so, then you probably also have your public DNS root record xxxxxxx.com pointing to your web server, and www is a CNAME for it.
  If that's the case, then you need to create a split zone in your internal DNS for www.
  Please let us know if that's the case and if you need more instructions.
  Tero Leskinen - MVP (Windows Server for Small and Medium Business / SBS)

• Leopard server 10.5.6 with two nic card and two hostname

  Hi,
  Here is what I am intending to do but don't know how:
  -setup a Mac server that has 2 built-in nic.
  -nic1 is setup as a DHCP, has proper hostname, DNS, etc. and connects to internet and is easy when you configure it as a server while is connected.
  -But, my other nic2 is not DHCP and is cut off from outside and is intended for internal research, but given a proper IP and hostname.
  If I want to install the server, then without internet connection it is hard to complete the setup and If I do then it assigns the hostname pointing to the nic1 (which i don't want)
  How should I go about this? I tried both way, but Mac picks the hostname that is associated with nic1 always.
  Any help is appreciated!
  Thanks

  Can you do what you want? Sure. (If I understand what you're up to.) But it gets a little ugly.
  It's easier to use a firewall-router-NAT device here.
  Dual-NIC configurations and IP are an interesting case.
  A firewall-router-NAT configuration and the resulting IP routing works out of the box. It also avoids the case where users and software are active on the firewall (as is the case with a dual-NIC host system acting as a firewall), and where these activities happen to modify the firewall configuration; this whether by accident, by intention, or through an exploit. Firewalls are best kept locked down.
  If you want to learn IP routing and preferred paths and other network-level considerations, then by all means do continue to work with a dual-NIC host system. (This isn't specific to Mac, either. This is simply how IP and IP routing works. There's no concept of automatically returning the packets of a connection out the same controller that the connection arrived on, for instance. And various IP protocols don't use connections.)
  As for DNS and particularly with NAT, you'll probably end up with a split configuration. I'd tend to have an external DNS provider translate the public DNS domain and the public address, and have the NAT box (with port forwarding) map that to the appropriate private IP address. Within the private address space, a private DNS domain (a subdomain of a public registered domain, or a separate registered domain) uses the local (private) DNS server to resolve its queries, and that DNS server forwards queries for which it is not authoritative to the organization's public DNS server.
  Do use node.foo.example.com and node.example.com (where you own example.com) or use node.example.com and node.example.net (where you hold both domains), with the former being external and the latter being the internal address space. Having the same name resolve to two different IP addresses gets weird, as (for instance) a laptop moving between domains (particularly in the co-presence of that abomination known as NAT) may not end up routing its IP traffic where you expect. Having the convention of a specific internal subdomain or a specific internal domain also makes the "inside versus outside" distinction very clear, too. It's possible to use a completely private domain internally, but (given ICANN is opening up TLDs, and in the absence of an ICANN-reserved internal-only domain) I don't recommend that.
  If you want to continue with the original course of action, this IP routing and split DNS is a common question. Dig around in the forums, and dig around specifically for discussions of IP default routing, for split-brain or split-horizon or split-zone DNS, consider acquiring Cricket Liu's DNS book (which is what we all usually go read when we hit a DNS weirdness), and for tools such as the CutEdge Systems DNS Enabler tool.

• Calling all Logic environment masters can U help?

  Hi are there any Logic environment masters out there if so I pose this to you I am using an E90ES Yamaha synth as my mother keys and I want to make it play a split layer meaning bass in the lower part of the keyboard and piano on the upper part. I then assign a midi channel to each split Zone. No problem there as far as the E90ES is concerned.
  When I select 2 midi trks in Logic and go to record it uses the selected channel and records the whole thing as apposed to 2 separate recordings one the bass an the other the piano. I didn't want to have to mess with the environment in order to achieve this I thought it was a quick straight from the arrange page.
  Can you help me please on this thanx ahead of time

  Teebow62 wrote:
  Hi are there any Logic environment masters out there if so I pose this to you I am using an E90ES Yamaha synth as my mother keys and I want to make it play a split layer meaning bass in the lower part of the keyboard and piano on the upper part. I then assign a midi channel to each split Zone. No problem there as far as the E90ES is concerned.
  When I select 2 midi trks in Logic and go to record it uses the selected channel and records the whole thing as apposed to 2 separate recordings one the bass an the other the piano. I didn't want to have to mess with the environment in order to achieve this I thought it was a quick straight from the arrange page.
  Can you help me please on this thanx ahead of time
  Hi Teebow,
  You need to set up a simple pair of transformers, in your audio Layer.
  One transformer will feed MIDI channel 1, and one, MIDI channel 2, in your arrange page, for recording.
  First, create a simple Environment Object, and call it whatever you like (key splitter is good). This is so you can send one midi stream ot both Transformers.
  Cable this to the following two Transformers:
  The first Transformer will FILTER all notes BELOW your set parameter, ie whatever note you decide. This is the TOP of the keyboard split. Hook this up to your first Audio Instrument channel. this would be the melody instrument.
  The second transformer will FILTER all notes ABOVE your set parameter, ie whatever note you decide. this is the BOTTOM of the keyboard split.Hook this up to your second Audio Instrument channel. This would be the Bass instrument.
  In the Arrange Page, create your two instruments, and then select the TRANSFORMERS as the Instruments to be active. In other words, you'll see in the Arrange page "Transformer #1, Transformer #2" instead of the actual instruments. This is so you can record through them, and then the VIs just playback the correct notes.
  Cheers

• Splitting front and back end servers across time zones

  Weblogic Server 7.0
  EJB is in Memphis,
  jsp/servlets/web command classes are in Colorado
  sending a date to the DB (in Memphis) results in a date getting changed by about 13 hours.
  The change happens between the web command class in Colorado and the EJB command class in Memphis.
  Any ideas as to what might be causing this and how to eliminate this bug would be very much appreciated.
  Thanks.

  Solution was that someone had configured the WLS to always operate dates in GMT, therefore the time differences between time zones were blown out of proportion...

• How to copy file from global zone to non-global zone?

  Hi,
  I'm new in zone.
  I have installed a zone and I would like to install some programs.
  Could you please tell me how to copy downloaded file from internet to the new installed zone?
  Kind regards,
  Daniel

  I like to use zcp which came from BigAdmin I believe.
  #!/usr/bin/perl
  # zcp - copy a file from the global zone to a nonglobal zone. Solaris 10.
  # 10-Mar-2005, ver 0.50 (first release)
  # USAGE: zcp file1 zonename:file2
  # eg,
  # zcp /etc/syslog.conf workzone1:/tmp
  # Standard Disclaimer: This is freeware, use at your own risk.
  # 10-Mar-2005 Brendan Gregg Created this.
  $ENV{PATH} = "/usr/bin:/usr/sbin";
  $VERBOSE = 1;
  # Process arguments
  # check for arguments,
  if (@ARGV != 2) {
  die "USAGE: zcp file1 zonename:file2\n";
  # check source file exists,
  $srcpath = $ARGV[0];
  if (! -e $srcpath) {
  die "ERROR1: Can't find source file $srcpath\n";
  # check destination zone exists,
  ($destzone,$destpath) = split(/:/,$ARGV[1]);
  chomp(@Zones = `zoneadm list`);
  foreach $zone (@Zones) { $Zone{$zone} = 1; }
  unless ($Zone{$destzone}) {
  die "ERROR2: Can't find zone $destzone\n";
  # check if destination is a directory or filename,
  $dir = `zlogin -S $destzone '
  if [ -d "$destpath" ]; then echo 1; else echo 0; fi'`;
  if ($dir == 1) {
  $node = $srcpath;
  $node =~ s:.*/::;
  $destpath = "$destpath/$node";
  # Print message
  print "zcp from $srcpath, to zone $destzone, to file $destpath.\n" if $VERBOSE;
  # Copy File
  system("cat $srcpath | zlogin -S $destzone 'cat - > $destpath'");
  # Verify file copied
  $srcsize = -s $srcpath;
  $destinfo = `zlogin -S $destzone 'ls -l $destpath'`;
  @Fields = split(' ',$destinfo);
  $destsize = $Fields[4];
  if ($srcsize != $destsize) {
  print STDERR "ERROR3: Copy failed, size mismatch ".
  "($srcsize != $destsize)\n";
  } else {
  print "Copy successful ($destpath, $destsize bytes).\n" if $VERBOSE;
  }

• DNS Forwarding Same Internal and External Zone

  Hi,<o:p></o:p>
  So we have decided that we want our internal domain to be the same as our external domain e.g. domain.uk. I understand that split DNS can be used
  to fulfil this requirement but is it possible to set up a forward so if the DNS entry is not available in the internal zone it will forward onto one of our external name servers where it can resolve?<o:p></o:p>
  We are basically trying to avoid having to add the entry on both external and internal DNS servers for it to resolve. So far I have added the external name servers to
  the forwarders and disabled root hints which didn’t work. I’ve tried to add a conditional forwarder but it says the zone already exists. It seems the only to achieve the internal resolution is by creating the DNS entry both internally and externally.<o:p></o:p>
  Does anyone know if this is the case? It seems strange that you couldn’t point the DNS to another external name server for resolution? <o:p></o:p>
  Any help would be appreciated.<o:p></o:p>

  You must ask in networking forum
  https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverNIS&filter=alltypes&sort=lastpostdesc