Any DNS experts out there? After reading Michael Dragone’s “Split-Brain DNS” (InstantDoc ID 99772), reader Jeff Krull shared a split-brain DNS configuration
problem with us. We've printed the problem here, as well as Michael's initial response. If you think you can further help Jeff, feel free to add your solution here! The first reader to solve Jeff’s problem will receive a Windows IT Pro baseball cap.
From: Jeff Krull
Subject: split brain dns article
Mike, we have a split-brain DNS zone, which is the root of our AD forest. Since it's an AD-integrated zone, when performing an Nslookup on the zone for mycompany.com, DNS returns a list of DNS servers (which are the DCs). That's just great for AD and associated GPO processing, etc. When a user browses the domain internally using a browser, we can't resolve the company's web site (i.e., companyname.com times out) because the DCs don't run IIS to redirect the query, nor do we want our DCs running IIS. Externally, this is not a problem because the DCs aren't listed in the external zone. Any ideas on how to resolve this issue whereby internal users don't have to use www.mycompany.com internally to reach our web site?
From: Michael Dragone
Hi Jeff, thanks for reading my article and writing in. To help answer your question, can you tell me a little more about your AD environment? Do you have one or more AD domains? What's the format of the domain names? Are you using company.local, company.com, or subdomains such as ad.company.com?
From: Jeff Krull
We've got an empty root with three child domains: mydomain.com root, host1.mydomain.com child, host2.mydomain.com child, host3.mydomain.com child. So, the web site in question would be mydomain.com, which we have to address as www.mydomain.com internally and can be accessed using mydomain.com externally. For other DNS domains (e.g., otherdivision.com), this isn't an issue because there aren't DCs for that domain...and we can access the web site internally using http://otherdivision.com rather than www.otherdivision.com.
From: Michael Dragone
Okay, now I understand: www.mydomain.com works both internally and externally, but mydomain.com only works externally. Right? There's no elegant fix that I know of for this issue short of renaming your AD domains. Even if you add a host (A) record for mydomain.com to the mydomain.com zone, DNS will resolve requests for mydomain.com in round-robin fashion. Therefore, some clients will hit the domain controllers while others will make their way to your website. Likewise, you can't remove the existing A records for mydomain.com-- they're required for AD to function correctly, and the DCs would just add them again anyway. You could create an A record or an alias (CNAME) record for a keyword such as "internal," "mydomaincom" (without the period) or "web" in the appropriate zone that resolves to the IP address of the web server hosting mydomain.com (if you use an A record) or www.mydomain.com (if you use a CNAME record). Although that still won't let your users enter mydomain.com from a browser address bar, it would shorten what they have to enter. I would probably use "web" and add an A record in my external DNS for "web" so that internal users can simply type web in their address bar and external users can use either web or www. In any event, it's likely you've already thought of these alternatives. I'm sorry I couldn't be of much help!
So, who can help
