
DNS root and Domain Controllers



For example, let's say I have a domain named "domainname.com", domain controllers "dc1.domainname.com" and "dc2.domainname.com", and a web server outside that has the name "domainname.com".

All the domain servers normally place themselves in DNS with A records for "domainname.com" as well as for their own names.

For now I have changed my DNS servers to not accept dynamic updates, removed the root DNS entries for the domain controllers, and added a root entry pointing to the outside web server.

Now the DNS logs report errors. A fix for this would be to turn off dynamic updates on the servers themselves.

I can do this; I know how. My question is: why do domain controllers add themselves to the root of a domain?

Could I just turn off the part that adds the domain controller to the root of the DNS zone and turn dynamic updates back on?

Edited by jeff.sadowski
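The record a domain controller writes at the zone apex is the one Netlogon calls LdapIpAddress (the "same as parent folder" A record), and Netlogon can be told to skip just that one while still registering everything else. The script below is an added example, not code from the poster or from Microsoft: it suppresses that record, puts the web server at the apex, and switches the zone back to secure dynamic updates. The zone and DC names are the ones used in the thread; the IP addresses (10.0.0.11, 10.0.0.12, 203.0.113.10) are constructed placeholders. It is meant to be run in an elevated PowerShell session on each DC that hosts the zone.

```powershell
# Added example, not code from the original post. It does what the poster asks
# about: stop Netlogon on a domain controller from registering the
# "same as parent folder" A record for the AD domain (the LdapIpAddress record
# in Netlogon's terms), point the zone apex at the public web server, and turn
# dynamic updates back on so the DC's SRV and host records keep refreshing.
# Run in an elevated PowerShell on each domain controller that hosts the zone.
# The zone and DC names come from the thread; the IP addresses are constructed.

$Zone        = 'domainname.com'
$DcIps       = @('10.0.0.11', '10.0.0.12')   # assumed current addresses of dc1 and dc2
$WebServerIp = '203.0.113.10'                # assumed public web server that should own the apex A record
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Suppress only the apex A record. Netlogon reads the DnsAvoidRegisterRecords
#    multi-string and skips every mnemonic listed there; everything else
#    (_ldap._tcp, _kerberos._tcp, the DC's own host record, ...) is still registered.
New-ItemProperty -Path $NetlogonKey -Name 'DnsAvoidRegisterRecords' `
    -PropertyType MultiString -Value @('LdapIpAddress') -Force | Out-Null
Restart-Service Netlogon

# 2. Remove the DC addresses from the apex ('@') and put the web server there.
foreach ($ip in $DcIps) {
    dnscmd /RecordDelete $Zone '@' A $ip /f
}
dnscmd /RecordAdd $Zone '@' A $WebServerIp

# 3. Re-enable dynamic updates, secure only (AllowUpdate 2), so domain-joined
#    machines and the DCs can maintain their own records again.
dnscmd /Config $Zone /AllowUpdate 2

# 4. Force the DC to re-register, then confirm the apex points at the web server
#    while the locator records the domain depends on are still present.
nltest /dsregdns
ipconfig /registerdns
nslookup $Zone
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Zone"
```

The registry value has to be set on every DC, because each one registers its own copy of the apex record; the zone changes in steps 2 and 3 only need to be made once against the DNS server holding the zone. Secure-only updates require an Active Directory-integrated zone.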


One suggestion that someone gave me was not to name the Windows domain the same as the DNS domain. That seems to leave other issues. On this domain I have an Exchange server, and Exchange servers like to have the same DNS name inside as outside in order to work correctly. Otherwise the Exchange server would present itself with a name that does not exist on the outside, and if a mail server goes to look it up in DNS it would fail, greylisting it. I could go through Exchange and try to fix all these issues, but I already have the domain, and changing a domain is next to impossible without rebuilding the Exchange server, and Exchange 2007 does not make it easy.


One suggestion that someone gave me was not to name the Windows domain the same as the DNS domain.

That's the correct answer. Your AD FQDN should never be the same as a valid DNS name on the internet. The Exchange "problem" is fixed by creating pointers in your internal DNS.


The Exchange "problem" is fixed by creating pointers in your internal DNS.

That would not fix the Exchange problem. Unless you dig deeper into the Exchange setup, the Exchange machine will introduce itself to the other mail servers as its machine name: <exchange machine name>.<internal Microsoft domain name>. There are other places this would need to be fixed also, and it creates a nightmarish scenario of other changes that need to be done if you want an easy-to-maintain network. Turning off dynamic updates has resulted in a working and error-free Windows network that works as I would expect. I am told mixed things and am looking for documentation from Microsoft on this issue; if you know of any good reads, please point me in the right direction.


If the information is there, it's buried deep and I cannot find it.

I'm guessing I want "Understanding SMTP Connectors", and I don't see anything on setting the outside-appearing name of the machine.

And so that just leads me to believe you need it to be the same DNS name inside as out, leading right back to my issue.

Mail should be easy to set up; it is not.

I would expect it to be close to the HELO/EHLO, since it is here in the communication that it mentions its name to the other server. I don't see it here.

I know it can be set (because my old inside mail server was set up by a previous admin and it was displaying a name different from its machine name), but I'm wondering where. By default it uses the AD name assigned, thus setting it up on an AD that differs from the outside DNS name becomes complicated. Not to mention you need to create a group policy for all users added to have the outside email address with the domain and not the subdomain.


Found out how to make Exchange display a different name.

In Exchange 2003, under the Exchange System Manager:

Administrative Groups->First Administrative Group->Servers->SERVERNAME->Protocols->SMTP

Right-click on Default SMTP Virtual Server,

select Properties,

click on the Delivery tab, then click Advanced down at the bottom.

The name in "Masquerade domain" is the name that Exchange will claim it is.

If left blank, it will use the Windows name that you gave the machine.

To verify, I send mail to helocheck@cbl.abuseat.org,

which will fail and give a descriptive failure email like the following:

<MASQUERADED_NAME #5.5.0 smtp;550 Your HELO name for IP address 123.45.67.89 was DNS_REGISTERED_NAME_FOR_IP_ADDRESS>

So it is recommended that you put the DNS_REGISTERED_NAME_FOR_IP_ADDRESS in the "Masquerade domain" entry.

WOW, why was this so hard to find, with no documentation on it? Well, now there is, thanks to free forums.


  • 2 weeks later...

It stopped working on Exchange 2003 even; don't you just love Microsoft. Maybe that is why it is undocumented: because it only works part of the time.

Masquerade was the correct option; for now I will just replace the FQDN, which is the incorrect way according to MS, but they don't leave me with any options.


Put DNS back the way it was to start with, before you break AD.

I've seen MS KB articles both for and against using the public FQDN internally... There are some situations where you have to.

Internally you only need (needed...) to create a DNS record for the mail server, mail.intDomain.com, that will be used internally so the MAPI clients can find it.

Directly under the Masquerade domain entry is the FQDN field, which is only used by external servers to confirm your server's identity during a send. So it should contain the same public domain name that your MX records point to as having the IP address that you're sending from. As long as you have DNS forwarding (and your MX records) configured properly, the Check DNS button will give you a successful lookup and all will work fine.

The default from address is (globally) configurable under recipient policies in Exchange System Manager.

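The helocheck bounce quoted a few posts above and the FQDN field described in the post just above come down to the same test on the receiving side: does the name the server gives in HELO/EHLO exist in public DNS, and does it resolve to the address the connection is coming from. (In the Exchange 2003 SMTP virtual server's Delivery > Advanced dialog, the "Fully-qualified domain name" field is what goes into the HELO/EHLO banner; "Masquerade domain" rewrites the domain part of the sender address on outgoing mail.) Below is that receiver-side test written as a PowerShell function over a constructed view of public DNS, so it runs offline and shows what each of the three possible HELO names discussed in the thread produces. This is an added example, not code from the thread or from any mail product; the hostname exch01.corp.local and the 203.0.113.x addresses are assumptions. To run it against a live server, replace the two hash tables with Resolve-DnsName results.

```powershell
# Added example, not code from the thread: the check a receiving MTA (and the
# helocheck bounce quoted above) applies to the HELO/EHLO name, run against
# constructed DNS data so it works offline. Addresses are from the RFC 5737
# documentation range; exch01.corp.local is an assumed internal AD machine name.

# Constructed public DNS view: forward (name -> A) and reverse (IP -> PTR).
$ForwardZone = @{
    'domainname.com'      = '203.0.113.10'   # public web server at the zone apex
    'mail.domainname.com' = '203.0.113.25'   # public name the MX record points at
}
$ReverseZone = @{
    '203.0.113.25' = 'mail.domainname.com'
}

function Test-HeloName {
    param(
        [Parameter(Mandatory = $true)] [string] $HeloName,   # what the server says in HELO/EHLO
        [Parameter(Mandatory = $true)] [string] $SourceIp    # address the connection arrives from
    )
    $ptr = $ReverseZone[$SourceIp]
    if (-not $ptr) { $ptr = '(no PTR record)' }
    $a = $ForwardZone[$HeloName]

    # Internal-only names (e.g. <machine>.<AD domain>) have no public A record.
    if (-not $a) {
        return "550 Your HELO name for IP address $SourceIp was $ptr; '$HeloName' does not resolve"
    }
    # A public name that resolves somewhere else (the web server) is still wrong.
    if ($a -ne $SourceIp) {
        return "550 '$HeloName' resolves to $a, not to the sending address $SourceIp"
    }
    # Forward lookup matches; a mismatching PTR is a weaker signal some receivers score.
    if ($ptr -ne $HeloName) {
        return "250 OK forward lookup matches, but PTR '$ptr' differs from '$HeloName'"
    }
    return "250 OK '$HeloName' forward- and reverse-resolves to $SourceIp"
}

# FQDN field left blank: Exchange introduces itself by its AD machine name.
Test-HeloName -HeloName 'exch01.corp.local'   -SourceIp '203.0.113.25'
# FQDN field set to the public name that the MX record points at.
Test-HeloName -HeloName 'mail.domainname.com' -SourceIp '203.0.113.25'
# Zone apex used instead: it resolves, but to the web server, not the mail host.
Test-HeloName -HeloName 'domainname.com'      -SourceIp '203.0.113.25'
```

The third case is why the apex record matters to this thread: once "domainname.com" points at the web server, it is no longer a valid HELO name for the Exchange host either, so the FQDN field should carry the mail host's own public name (the one the PTR for its sending address returns), not the bare domain.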
