Wildcard dns

Similar Messages

• Wildcard DNS entries

  Hello,
  in adition to this post: wildcard dns have anyone found a solution to get wildcard dns names properly working in os x server 4.1?
  When I manually modify this file /Library/Server/named/db.DOMAIN.com with an asterisk an then restart the dns server the wildcard domain works. But when I make any changes in the DNS-GUI my asterisk entry will be deleted.
  I have also tried with the $INCLUDE statement, but this will also be deleted.
  Have any one an idea?
  Thanks
  Oliver

  Shut down the DNS server, edit the zone file, restart the server.
  The zone files are in
  /var/named
  or
  /library/server/named
  depending on the OS X Server version.
  FWIW and for completeness, forwarding servers aren't necessary, outside of cases where you're using a nanny filter or other such tool that shims into your network name resolution as a DNS server.
  Given what you're up to over in that other thread, this seems to be a fairly complex network.  You're probably also past what Server Admin.app and Server.app can deal with, and are probably just going to have to hand-manage this configuration.
  The networksetup tool is probably the closest to what you want, and based on a quick search that doesn't manage DNS forwarders AFAICT.  In the same area, the sudo serveradmin fullstatus dns and sudo serveradmin settings dns commands also lack access to the forwarding settings here.  Which means it's off to the zone files...

• Routing DNS requests in a zone to a default host

  Hi,
  What I'd like to do is to direct all DNS requests for non-existent hosts to a single host by default. So even if I haven't defined a hostname in my zone, the request will still resolve (to this default host). Any ideas?
  Ben

  It's possible to do via wildcard DNS, but you cannot do it via Server Admin (it doesn't permit the * for the wildcard name), therefore you have to get under the hood and edit your zone file directly.
  You'll need to find your zone's domain file in /var/named and add a line like:
  *  IN  A  1.2.3.4
  (where 1.2.3.4 is, obviously, the IP address you want all unknown addresses to point to).
  You'll also need to increment the serial number in the SOA record near the top of the file (otherwise your change won't be noticed)
  Restart named (e.g. via killall -HUP named or via Server Admin), and now any lookup for an unknown host will return the specified address.

• Xcelsuis SWF - Not able to open in browser using Object TAG

  We want to open Xcelsuis analytic form outside InfoView, by providing user an option to click on link to open analytic directly from application.  We used SSO and Object tag in our custom JSP page. We were able to successfully pass SSO but couldnu2019t load SWF file. Although there wasnu2019t any error in browser while loading JSP page, but Adobe Flash object returns message that movie can't be loaded.
  Open Xcelsuis SWF using documentDownload and passing FlashVars like CELogonToken and CEWebServiceURL.
  Following are the steps:
  u2022     Created JSP file, which first generates logonToken and store in some variable.
  u2022     Generated Flashvars variable using following code:
  String Flashvars = "CELogonToken=" + Encoder.encodeURL(CELogonToken);
  Flashvars+= "&CEWebServiceURL=" + Encoder.encodeURL("http://winiadv22.ams.com:9085/dswsbobje/services/session")
  u2022     Used Flashvars in Object tag.
  <OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase=                                                         "http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" WIDTH="100%" HEIGHT="100%" id="myMovieName">
                 <PARAM NAME="movie" VALUE= ="../../opendoc/documentDownload?iDocID=18094&sKind=Flashu201D> <PARAM NAME="quality" VALUE="high"> <PARAM NAME="bgcolor" VALUE="#FFFFFF">
                 <PARAM NAME="play" VALUE="true"> <PARAM NAME="loop" VALUE="true"> <PARAM NAME=bgcolor VALUE="#FFFFFF">
  <PARAM NAME=FlashVars VALUE="<%=Flashvars%>">
                 <EMBED src="../../opendoc/documentDownload?iDocID=18094&sKind=Flash" FlashVars="<%=Flashvars%>" quality=high bgcolor=#FFFFFF WIDTH="100%" HEIGHT="100%" NAME="myMovieName" ALIGN="" TYPE="application/x-shockwave-flash" play="true" loop="true" PLUGINSPAGE=
                         "http://www.adobe.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
                 </EMBED>
            </OBJECT>

  Have you set up a wildcard DNS entry for the spapps.com domain?
  Also if you're trying to connect from the server you might be hitting loop back check issues.

• Domained laptop - slow logon when connected to non-domain network

  Hi,
  I'm looking for ideas on how to solve or workaround this issue, so any help would be appreciated.  Please note that this doesn't appear to be the usual type of "slow login" problem - in fact I'm pretty certain the issue is caused by public DNS
  servers which return placeholder IP addresses for unknown domains, rather than correctly reporting them as being unknown, which is making XP "hang up" looking for servers which don't really exist.  Either way, it's causing a lot of problems for our remote
  users.
  The scenario is this.  When domain-member laptops are not on the domain network, they can take anywhere between 5-30 minutes to login.  This issue only occurs when the network they're connected to presents DNS servers which resolve unknown DNS
  hosts/domains to "placeholder" sites.  Whilst Windows 7 laptops do also seem to suffer from this, login delays on those are at worst a couple of minutes, whereas the Windows XP machines are affected for much longer.
  Maybe a bit more info will make it clearer :)
  The AD namespace shares the external domain, and there are public DNS records for the external domain, but obviously not for internal hosts (like DCs).  So internally, the FQDNs of the domain controllers are "DC1.company.com", "DC2.company.com" etc.
  When the laptop is connected to users home network, users can logon quickly (<30 seconds), as long as the DNS server offered by DHCP on that network doesn't return an IP for hosts/domains which don't exist publicly.  If they do, login takes 5-30 minutes.
  I've confirmed this by doing a lookup of the domain on the affected networks to ascertain which DNS servers return placeholder IPs rather than reporting that name resolution isn't possible.  For example, OpenDNS's servers (208.67.222.222, 208.67.220.220)
  return placeholders, Google's (8.8.8.8, 8.8.4.4) don't.  Using OpenDNS to lookup "dc1.company.com" returns their placeholder IP of 67.215.65.132, using Google's returns "can't find dc1.company.com: Non-existent domain".  OpenDNS is being used
  as an example, increasingly ISP's seem to be using redirection, we're getting this issue with BT and Virgin Media networks, plus a couple of others.
  So, if I manually set DNS on a laptop to use Google's servers, then connect it to one of the affected networks, login is virtually instantaneous.  I remove the manually configured DNS servers and allow DHCP to present the ISP's own servers, login is
  seriously delayed.
  From this I can only assume that the fact that the names are resolving at all is causing the delay.  I've removed possibly contributory factors from the equation, such as roaming profiles, redirected folders, mapped drives, group policy etc which the
  workstation might be trying to access and causing a delay, as well as checking that fast logon optimization is active.
  At the moment we're having to tell users to not connect to the network until after they've logged in, which you'd think wouldn't be that big a deal but you know what users are like :) 
  I appreciate this issue really seems due to bad practice by ISPs rather than with Windows itself, but we really need a fix we can apply ourselves.  Reconfiguring users' home networks really isn't an option, there's too many of them, plus that wouldn't
  solve the problem when they're using other networks (hotels etc).  I don't think setting "good" DNS servers manually is an option, certainly I can't think of a way that would still work when they're connected to our internal LAN. 
  I'm thinking there must be some way we can set a timeout or something on the workstations so they don't spend so long trying to communicate with what they think are domain servers, but dispite much searching, I've been unable to find anything that works.
  So, any help would be gratefully recieved.
  Thanks

  Thanks for the reply Martin, unfortunately it didn't help matters, but after pondering for a while (and eventually kicking myself for missing something so obvious) I did come up with a solution.
  Basically, just set up public DNS A records for the internal servers and point them to 127.0.0.1 (setting up a wildcard DNS entry for the domain also pointing to 127.0.0.1 would do the same thing).
  Sure enough logon now takes about 5 seconds, even on the Windows 7 machines (which were only taking a minute or so anyway).
  Loopback is the best place to point these to,  Pointing them to a public server didn't work, and pointing them at a non routeable private IP didn't work either. 
  To help anyone else confirming this is also the cause of their slow logon issue - when all three conditions are met it's time to mess with your public DNS!
  The FQDN of the domain is public (company.co.uk) and not local (company.local).
  The DNS servers in use on the network (or the ISP's DNS servers to which DNS requests are forwarded) return placeholder IPs for unknown host addresses, rather than a "non-existent domain or host" error.  This can be confirmed by pinging (or doing an
  nslookup) on the affected machine, for a host for which no public DNS record exists (ie ping wibble.microsoft.com) - if an IP address is returned then the DNS servers in use are resolving unknown hosts/domains to a placeholder IP.
  If you allow the machine to login on the external network, then run a
  ipconfig /displaydns you'll see entries for attempts to resolve internal servers themselves, plus lookups relating to the AD domain such as
  _msdcs.gc._tcp._ldap.internaldomain.co.uk and such - these shouldn't be there off-domain, and I believe they indicate the machine thinks it's on the domain, even though it isn't.
  Hope this helps someone else out.
  Ray Von

• Creating app scoped external content type using Provider Hosted App in sharepoint 2013 using visual studio 2012

  Hi,
  I am creating provider hosted app in visual studio 2012 using app scoped external content type having OData with Northwind url
  App manifest start page url  :
  ODataNewAppWeb/Pages/Default.aspx
  In XML it is:
  <StartPage>~remoteAppUrl/Pages/Default.aspx</StartPage>
  When i am deploying app pressing F5 the app gets deployed successfully....
  Now i am changing my start page url in Appmanifest like this:
  ODataNewApp/Lists/Employees
  In XML it looks like:
  StartPage>~appWebUrl/Lists/Employees</StartPage>
  When i am deploying app pressing F5 the app..
  Getting register SOD error.....
  I have followed all the steps like:
  1)Creating app domain
  2)Starting all the required services
  3)Creating root site collection
  But still no success.. Please help me on this.... I am struggling with this from two weeks...

  Have you set up a wildcard DNS entry for the spapps.com domain?
  Also if you're trying to connect from the server you might be hitting loop back check issues.

• App Store Setup

  I may be glossing these forums over, and most of MSDN or TechNet for that matter, but I can not for the life of me find any reasoning as to why the SharePoint App Store is configured the way it is.
  Why is this not a just a Site Collection Feature? Can someone explain why Microsoft chose for it is a requirement to set the App Store up on a separate domain?
  Thank you in advance,
  Matthew

  The app store doesn't get set up on a separate domain.  APPs run in a separate domain.  It has to be that way since Apps all run on a dynamically generated domain name.  The only way to resolve such a name effectively is to create a wildcard
  DNS entry so that all addresses in  a domain go to the SharePoint server.  But the AppStore in a corporate environment is just one Site Collection per web application.  Also, you don't have to actually set up apps to use a completely separate
  domain.  They can be set to run on a sub-domain or your existing domain.  That does open some security risks, but in a lot of environments they are controllable in other ways and a sub-domain is acceptable.
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• Virtual Host Number

  How many virtual hosts can i have in WebLogic Web Server?
  I need more than 100.000, is it possible?
  Thank's

  Thank you Eric,
  Do you know who can help me more??
  Jacques
  "Eric Gross" <[email protected]> wrote:
  Ahh.. I think I do understand the problem at hand here.
  Definitely more complicated doing it the way I proposed when I think
  about
  it this way.
  I am now unsure!
  Wish I could be of more assistance here.
  Regards,
  Eric
  "jacques" <[email protected]> wrote in message
  news:[email protected]...
  Eric,
  I understand your explanation, but i need one more information.
  How do i configure my webserver intended to forward all requests(including root
  folder, subfolders and files) to a certain Servlet that will try locatethe file
  requested on the file system and return it back, if succeeded, to theclient.
  Examples:
  jacques.mysite.com
  jacques.mysite.com/test
  jacques.mysite.com/test/a.htm (this includes the gif below)
  jacques.mysite.com/test/gifs/a.gif
  Note that a single html file that has 10 <img src> tags will generate10
  new requests
  to the webserver->servlet. Got it?
  Regards,
  Jacques
  "Eric Gross" <[email protected]> wrote:
  I'm not sure on the way it would work, but I am assuming that this
  way
  would
  be more efficient than having that many virtual servers setup.
  I was just presenting an alternate idea. As for the servlet processing
  the
  request. It would just have to analyze the host part of the domainand
  do
  some logic based on that. Not sure you would need to do a redirect.
  It
  really all depends on what you want to do. Lot of factors involved.
  Yes, in the zone file at the DNS Server you can specifiy *.mysite.com
  IN
  A 1.2.3.4 and that will resolve all subdomains of mysite.com to1.2.3.4,
  even multiple levels down.
  For linking based on the host part of the domain, you can parse forthe
  host
  and do logic based on that to determine where the directory is.
  Regards,
  Eric
  "jacques" <[email protected]> wrote in message
  news:[email protected]...
  Eric,
  Answering your questions:
  I will have 1 IP address for all "virtual hosts/virtual servers".
  I can use wildcards dns and have a Servlet, but is it the better
  choice?
  Can you briefly describe how this Servlet works (redirect requestor
  not)?
  The webserver verifies host header on receive a request, my servletwill
  make
  the same thing again.
  Double-checking: "Anything that ends with .mysite.com will be set
  to
  a
  unique
  IP address. Is this the wildcard dns?". If so, my problem is how
  to
  tell
  the webserver
  to separate the existing URLs into separated folders, as shown:
  http://eric.mysite.com --> /usr2/mysite/allsites/eric
  http://jacques.mysite.com --> /usr2/mysite/allsites/jacques
  http://jacques.mysite.com/photos --> /usr2.../jacques/photos
  The question is how to tell the webserver to link, base on the
  hostheader,
  the
  request to the right folder (on file system).
  I can use a Servlet to redirect requests but i need show the correcturl
  in field
  address on client browser (jacques.mysite.com/photos), i don´t knowif
  this will
  happen using a servlet.
  Thank´s
  "Eric Gross" <[email protected]> wrote:
  I'm assuming that you are going to be using 1 IP address for all
  those
  virtual hosts? If so, then can't you use wildcard dns? Then maybehave
  a
  servlet parse the first part of the domain? I'm just taking a
  shot
  in
  the
  dark here, but maybe if you described how your application is goingto
  use
  those domains or subdomains, we could perhaps provide more insight.
  Regards,
  Eric
  "jacques" <[email protected]> wrote in message
  news:[email protected]...
  Kummar,
  I really need more than 100000.
  Another thing that i need is create a virtual host dynamically.
  How
  can i
  do that
  in WebLogic Server (Web Server)? Have i a command line to do
  this?
  I am developing a application like "www.tripod.com".
  First i thought use a Servlet to redirect my requests, but webservercan
  do that
  automatically using virtual hosts.
  Thank´s a lot.
  Sorry by my english.
  Kumar Allamraju <[email protected]> wrote:
  Unlimited..
  BTW, do you really need 100000?
  jacques wrote:
  How many virtual hosts can i have in WebLogic Web Server?
  I need more than 100.000, is it possible?
  Thank's

• Why don't TypeKit Fonts work with Edge Inspect

  I have a Typekit kit setup with localhost added to its allowed domains and all mobile options checked. Running the site locally on http://localhost:4567/ works fine. The fonts load and display correctly.
  However, when I connect an iPhone 4, 4s or iPad 2 using Edge Connect, the fonts do not load.
  How should I troubleshoot this? I've found technical note suggesting that republishing the kit should solve it, but it does not and it is a new kit anyway.
  I have tried adding the specific port to the allowed domains for the kit - /localhost:4567, but this has no effect.

  Hi,
  Yes. You're in luck. Had a couple of very helpful people from Adobe support look into it and here is their final response in full:
  TLDR: It won't work out the box but there are good workarounds.
  When you're browsing a local website via the hostname `localhost`, which would not be accessible to any other devices on your network, Edge Inspect automatically gets your machine's local IP address (which is not the same as the external IP as shown on sites like whatismyip.com) and sends that to the mobile apps. For instance, let's say I have a Sinatra application running in Chrome on my Mac as http://localhost:4567. My iPhone wouldn't be able to understand the hostname "localhost", but it can see my Mac using its IP address 10.1.10.1, so Edge Inspect will navigate to http://10.1.10.1:4567.
  So, to get fonts working, you could add both `localhost` and `10.1.10.1` to your kit. However, we don't recommend adding local IPs to kits because they tend to change without warning. (In my example above, the next time I turn on my computer its IP could have changed to 10.1.10.2, but all I would know is that fonts had stopped working on my devices again.)
  To work around this, we recommend using some form of "dynamic DNS" — basically, a domain name that is automatically updated with your current IP and therefore will always point to your computer.
  If you're using a Mac, the simplest thing would be to use your Mac's Bonjour hostname. Bonjour is a technology built into Mac OS X and iOS to help devices find each other automatically over networks.
  To find your Bonjour hostname:
  1. Open System Preferences on your Mac.
  2. Choose the Sharing icon.
  3. Your Bonjour hostname will be displayed in the top area, under the "Computer Name" field.
  You can add the hostname that appears there to your kit, and use it on any Apple device on your network. For example, my Bonjour name is Davids-rMBP.local, so I can browse to http://Davids-rMBP.local:4567 on any Mac or iOS device and see my Sinatra app.
  Unfortunately, this simple solution will only work on Apple devices or Windows PCs with Apple's Bonjour software installed — you can't use this hostname with Android phones or tablets. If you need a hostname that will work on any device, there are a couple of options I'd recommend:
  1. A third-party service called Forward offers a way to easily forward ports from your computer to other devices anywhere on the internet. You can learn more about them and sign up for a 30-day trial here: https://forwardhq.com. Forward will give you a permanent domain name for your forwarded app that you can add to your kit, such as `dev-yourcompany.fwd.wf`.
  2. 37signals has a free "wildcard DNS" service called xip.io that will automatically forward traffic to a local IP address. You can get your current local IP address by opening System Preferences, then choosing Network. The IP address should be shown in the small text underneath the connection status for whatever connection is active (i.e. has a green dot next to it). Once you have the IP, you can access your computer at [YOUR IP].xip.io. To get fonts working, add *.xip.io to your kit. Remember that your IP may change, so if your site stops being accessible you should check to make sure you have the correct IP address.
  I personally use xip.io if I need to test Typekit on multiple devices using Edge Inspect. It's certainly not the easiest option to use, but it works quite well with almost no setup and it's free.

• Wildcards or regex in CSS dns-record

  Hi, is it possible to use regex or wildcards in dns-record command in CSS?. I would like to use something like
  dns-record a *.example.com 10.10.10.10
  in order to CSS responds to test1.example.com and test2.example.com without introduce this last two dns-records in CSS.
  Thank you in advance.
  Samuel

  This can also happen if you do KAL-ICMP keepalive to your VIP
  CSCtj38660 Bug Details
  dns-record kal-icmp keepalive to vip could incorrectly go DOWN
  Symptom:The CSS is configured with a dns-record of type kal-icmp, querying a local VIP could incorrectly go DOWN when the service associated with that VIP is Alive.
  Conditions:The CSS is configured with a dns-record of type kal-icmp, querying a local VIP. The keepalive could incorrectly go DOWN if the service reports of a load of 254.
  Workaround:Configure "no load reporting" on the CSS

• DNS Alias Wildcard?

  Hello.
  Is it possible to create a DNS Alias Wildcard?
  For example, a DNS alias record something like *.mydomain.com?
  Regards,
  Kristin.

  The GUI won't let you do this, for sure. You can edit the zone files directly but I'd almost guarantee that the GUI would overwrite the file (thereby deleting the wildcard) if you edit the zone. If you don't edit the specific zone (i.e. you edit other zones, but leave this one alone) you should be OK.
  There is no easy way to lock out users from editing specific zones via the GUI. You may have to setup some kind of monitoring to alert you when the zone file changes and your wildcard disappears.

• Csa dns suffix wildcards in system state

  Has anyone tried using a dns wildcard in the system states ? I have a customer that uses something.net as common dns, but locally they get assigned to stuff like 123.something.net. If i use *.something.net it doesn't match, *something.net is a nogo as well, how is it supposed to be used ? do i really need to find all the subdomains and add these ?

  I think dns suffix matching field in system states sets can be used for this. Following link may help you
  http://www.cisco.com/en/US/docs/security/csa/csa51/user_guide/Chap5.html#wp1008928

• DNS Wildcard

  Hi,
  I need to set up a DNS Wildcard for my domain because WordPressMU requires this. I see from other posts that this needs to be done via the terminal. I have tried the following:
  sudo nano /var/named/zones/db.mydomain.com.zone.tapestry
  I have added the following line at the end:
  *.mydomain.com IN A 10.1.1.101
  I then restart the DNS Service via the Server Admin GUI
  I then flush the DNS Cache on the server and the client.
  dscacheutil -flushcache
  I then try a lookup:
  nslookup mydomain.com
  Server: 10.1.1.2
  Address: 10.1.1.2#53
  * Can't find mydomain.com: No answer
  I must being missing something - thanks

  Couple of points:
  nslookup mydomain.com
  If a lookup on your domain name fails, that's a problem with the DNS setup, not with the wildcard record - the server doesn't know anything about your domain.
  So either there's a typo in your post or you setup the zone incorrectly. Did you add the zone via Server Admin, then try to edit the zone file, or did you create the zone file from scratch (or by copying another zone file)?
  The reason I ask the latter is because you say:
  sudo nano /var/named/zones/db.mydomain.com.zone.tapestry
  That file name doesn't look right to me. It's been a while since I've used Server Admin to create zones, but I don't ever recall seeing a .tapestry in the file name. This could be another transcription error, or it could be something different.
  Beyond all that, your wildcard record isn't valid, anyway.
  *.mydomain.com IN A 10.1.1.101
  In any zone file, the first field on the line (in this case '*.mydomain.com' is prepended to the domain name. Therefore if this record is in the 'domain.com' zone file it would relate to '*.domain.com.domain.com' Probably not what you were looking for.
  There are two solutions to this one. The first is to not include the domain name in the record:
  * IN A 10.1.1.101
  The second is to tell the server that this is a fully-qualified hostname that should not be prepended to the domain name, which is done by adding a trailing . to the hostname:
  *.mydomain.com. IN A 10.1.1.101
  Either of these would be a valid wildcard record, but you still have to fix the above domain/zone issues first.

• New, Single Server - DNS, Web, Wiki, Mail Setup Issues

  I'm having some issues properly setting up 10.7.3 to host internal DNS and external Web, Wiki and Mail.  I'm having issues with the web and wiki hosting.  Since those are the most important right now, I haven't really had a chance to fully test the other features.  I was able to do some testing of the mail and iCal but it was limited.
  Long read below but I thought the specifics would be helpful...
  My goals and configuration are:
  ***GOALS***
  Primary:
  1) Host a public website: example.org and www.example.org
  2) Host a public wiki: main.example.org and www.main.example.org
  3) Host a public mail server: [email protected]
  4) Host a public, group calendar
  4a) Read only to majority - Read/Write to a group
  5) Host a global address book for authenticated users
  Secondary:
  6) Allow anonymous public access to a file share (read only)
  7) Allow authenticated access to the same file share (read/write)
  8) Do as much of this via GUIs as possible.
  ***SETUP AND CONFIGURATION***
  Physical:
  1) Business class Internet (no blocked ports)
  2) A single, public and static IP address
  3) Domain name and public DNS via GoDaddy
  4) Wildcard Cert: *.example.org from GoDaddy
  5) Late 2011 (bought in Jan 2012) MacMini Lion Server (the $1,000 one).
  5a) Upgraded the RAM to 16GB (need for VMware Windows clients)
  5b) Added two USB to Ethernet adapters.
  6) Using a new model AirPort Extreme Base Station (bought w/ the MM) as the main router.
  Initial Configuration:
  7) Setup a Mac Address reservation for the main and two USB Ethernet ports along with the wireless too.
  7a) Main port = 10.0.1.5 / Others are .6, .7 and .10
  8) During the setup, I chose the Host on the Internet (third) option and named my server: main.example.org
  9) After the setup completed, I upgraded the OS & Admin Tool to 10.7.3 from a clean install (on #5 now)
  DNS Config
  10) I used the admin tool to open DNS and change:
  11) "Primary Zone Name" from main.example.org to example.org.
  12) In the "Nameservers:" block, I changed the zone name there but left the nameserver name alone (zone: example.org /// Nameserver Hostname: main.example.org).
  13) The Machine Name and Reverse Zone was left alone.  RZ resolves to main.example.org.  sudo changeip -checkhostname is good.  dig on the example.org and main.example.org are good to go (NOERROR).
  OD Config
  14) From the server app, I clicked Manage/Network Accounts and setup the OD - No issues.
  SSL
  15) From the server app, I created self signed cert, generated a CSR, got a public Cert, then replaced the self-signed with the public one - No issues.
  16) Changed any service using the self-signed cert to the public one - No issues.
  17) Changed the cert in the OD to the public cert from server admin - No issues.
  In order: File Sharing, Mail, AB, iCal, Web, Wiki, Profile Manager, Network Groups, Network Users
  18) File Sharing was setup using the server app
  19) Setup mail using the server app to start it and the server admin app to configure it - No issues there (I think...)
  20) AB - Flipped the switch to on
  21) iCal - Flipped the switch to on - I setup the e-mail address to use after I added the network accounts.
  22) Web - Flipped the switch to on - Default site worked (main.example.org)
  23) Wiki - Flipped the switch to on - Default wiki worked. (main.example.org)
  24) PM - Checked the sign config profiles and enabled the device mgt.  I then flipped the switch to on - Default settings and pages worked.
  ***MY PROBLEMS***
  Website:
  Adding a website for example.org gave me the red dot in the server app.  To fix that, I added a Machine Name record to my primary zone (PZ = example.org Machine Name = example.org).  I first tried using the same 10.0.1.5 IP as the main.example.org and left the reverse mapping alone (still resolved to the NS of main.example.org).
  That gave me the green light in the server app when trying to add the website again.  From there, I changed the "Store Site Files In" to the location of my website files (and confirmed "Everyone" has Read Access in the folder's security settings).  I left the other info alone (all defaults accepted) and clicked done.
  Access to the website works on the server but external access doesn't (Network Error/timed out tcp_error).  Checked the AirPort settings using the AirPort utility (version 5.5.3) and the Port Mapping (under the "Advanced" icon) show serveral services all pointing to 10.0.1.5.  Thinking it could be DNS I tried main.example.org externally and it failed the same way.
  I ran the changeip command (good to go) and dig on example.org and main.example.org and they both resolved to 10.0.1.5 correctly.
  I removed the example.org Machine Record from the zone and it now looks like:
  PZ=example.org / ZONE=example.org / NS=main.example.org
  Machine Record=main.example.org / IP=10.0.1.5
  RM=10.0.1.5 / Resolves=main.example.org
  PLEASE HELP!

  The amount of users (if relevant):
  On site - 1 (Me)
  Off site - 16 (Windows clients - some have iOS devices too)
  Web site traffic - less than 50 regular visits per day (avg of 15) with a peek of ~125 once a month.
  This is for a 501c3 public nonprofit made of all unpaid volunteers (including the officers and directors).  All of us have paying day jobs and I just so happen to be the guy that knows just enough to get myself in trouble here.

• Can't delete primary zone in DNS after moving the server

  Woe is me!
  Our MacMini was hosted at a Colo site and working fine. No firewall in front of the machine, so we turned on the server firewall and only allowed mail, web, ftp, and a couple of other services. This worked great using our external public DNS wired to our domain names and public fixed IP address. Later, we got VPN up a running (the trick was to create a second, local IP address for the ethernet port), but this also required us to turn on the server's DNS to create a split-brained DNS server.
  Everything was working swimmingly... and then we had a hard drive crash. Since we were thinking about moving the server onsite anyway (our POS system was accessed through the VPN, but it could be slow and made our tasting room dependent on Internet access in order to run the POS), we ordered Comcast business class internet with a fixed IP address.
  We updated the external public DNS to the new public fixed ip. Rather than plug the mini directly to the Comcast router (which is in pass-through mode), we elected to put a AirPort Extreme in front of it, mainly so we could get all of the POS computers on the same local network without using the mini as a DHCP/NAT router. We created a DHCP reservation on the Extreme so that the mini had a fixed local IP address. We port forwarded everything we wanted to expose to the Internet. Email started to work again. However, web services and VPN are nada.
  This being Snow Leopard Server and having spent literally hours debugging DNS issues when we first got the server, I knew it wouldn't be straightforward. And it hasn't been. Even changing the IP address of the server has been a chore.
  We ran "sudo changeip <old IP address> <new IP address>".
  Then we ran "sudo changeip -checkhostname" and received:
  "$ sudo changeip -checkhostname
  Primary address     = 10.0.8.2 <new static internal IP address>
  Current HostName    = <servername>.<domainname>.com
  The DNS hostname is not available, please repair DNS and re-run this tool.
  dirserv:success = "success""
  Oh no, the black pit of death.
  Even though I tried to modify the machine record in the local DNS to reflect the new internal static IP address, Nada.
  So, looking back on my previous research from Mr Hoffman and others, I stopped the DNS service, and I deleted the primary zone and reverse lookups in order to rebuild them from scratch. Except that no matter what I do, I can't delete the primary zone - it comes back like Dracula (even though the reverse zone and all of the zone records are gone). I tried rebuilding everything using the undeletable zone, but after a few services (saved each one separately), they would suddenly disappear.
  I am leery of messing with the DNS files on the server as I don't want to hose up Server Admin (my command line skills are rudimentary and slow). I have so much installed on the machine now that I am concerned about someone saying "reinstall".
  Help!
  Related to this is that it is not clear to me in web services which IP address you should use for the sites. The internal IP? The public IP? I thought Apache cared about the external IP address. And I think Apache is hosed at the moment due to my DNS troubles anyway.
  Thanks in advance!

  Morris Zwick wrote:
  And does anyone know which IP you enter for your sites in the web service? The public static IP or the internal private static IP?
  For the external DNS server I am sure you have already deduced that it should be the static IP issued you by Comcast and this will be forwarded by your router to your server.
  For your internal DNS server you could use either the internal LAN IP, or the external IP although the later might be affected by your firewall so this you will need to test.
  For the Web Server service in Server admin, if your only running a single website you could avoid the issue by just using the wildcard entry which will respond to any IP address, so this would be an empty host name and an IP address of *
  In fact you don't have to specify an IP address you could just use the hostname, so it will listen to traffic arriving at your server addressed to any IP address and as long as the URL that was requested includes the hostname you define for the site it will get responded to. So if as an example you have two websites you want to serve
  www.example.com
  site2.example.com
  then as long as both have the IP address for the site as an * (asterisk) then both should work as separate sites for traffic addressed to either the LAN or WAN IP address of the server.
  You will still need to use two IP addresses on the server to enable VPN, you could use a USB Ethernet adapter for the second one. Port forwarding for VPN is not as simple as other traffic as VPN requires traffic different to the standard IP and UDP packets. Routers that support 'VPN Passthrough' are specifically designed to accomodate this but I don't know if the AirPort Extreme does this. I have also found PPTP copes better with this sort of setup than L2TP although PPTP is generally regarded as less secure.