    Internal domain name same as external domain - DNS issues!!

    IT Discussion. Tags: dns, windows, lan, active directory, domain name. 58 Posts, 8 Posters, 19.9k Views
    • Joel

      So for reference, the company is about 5 years old. They have 15 staff and growing (at a reasonable pace); it was mayhem to control users/passwords/group policies etc. Therefore, having just joined the company myself, I suggested getting some structure in place and getting the server... so yes, new server, established company.

      PS - What settings do I need to do to get ActiveSync working? I did have this problem on a few computers... I couldn't understand why some worked and some didn't!! The ones that didn't, I changed DNS to Google and that helped autodiscover, then put it all back to DHCP. Which is why I questioned if emails will be okay in the initial post.

      • scottalanmiller @Joel

        @Our-Tech-Team said:

        So for reference, the company is about 5 years old. They have 15 staff and growing (at a reasonable pace); it was mayhem to control users/passwords/group policies etc. Therefore, having just joined the company myself, I suggested getting some structure in place and getting the server... so yes, new server, established company.

        That is awfully small, it might be worth putting the users back in manually so that you don't have this issue going into the future. How much do you have depending on Active Directory? This would require creating a whole new AD system and moving people over to it, one by one.

        • scottalanmiller @Joel

          @Our-Tech-Team said:

          PS - What settings do I need to do to get ActiveSync working? I did have this problem on a few computers... I couldn't understand why some worked and some didn't!! The ones that didn't, I changed DNS to Google and that helped autodiscover, then put it all back to DHCP. Which is why I questioned if emails will be okay in the initial post.

          Everything that you do with your public DNS (the one that Google DNS sees) you need to replicate manually in your own DNS system, always and forever. This is the penalty for having the overlapping names - there is no means for the desktops to talk to the public DNS. So just like you had to put in www manually, you need to do that with every entry.

          • Joel

            Not a lot in AD. Of course the usual such as users/groups, some group policies and file share permissions.

            So for example in my DNS, I'd need to manually add the Office 365 records, such as MX records, autodiscover CNAMEs etc?

            • scottalanmiller @Joel

              @Our-Tech-Team said:

              So for example in my DNS, I'd need to manually add the Office 365 records, such as MX records, autodiscover CNAMEs etc?

              MX can be skipped unless you have an SMTP MTA somewhere on your LAN pointing to the DC for DNS resolution. But yes, all other entries need to be there.

              Remember MX is for mail and you are not using email, you are using a web application. It's for email, but it is not email itself.

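The chore scottalanmiller describes in the two posts above, mirroring every public record (MX usually excepted) into the DC's copy of the zone and keeping it that way forever, is easy to get wrong by hand. The PowerShell below is an added example written for this thread, not code posted by anyone in it: it resolves a list of hostnames in the overlapping zone against a public resolver and against the domain controller, reports which are missing or differ, and with -Fix creates the missing A or CNAME records in the AD-integrated zone. The zone name example.com, the DNS server name DC01, the resolver 8.8.8.8 and the hostnames www and autodiscover are all assumptions, not details from the thread.

```powershell
<#
Added example for this thread, not code posted by anyone in it. Compares what
a public resolver and the domain controller each return for hostnames in the
company's zone, reports the drift, and with -Fix creates the missing A or
CNAME records in the AD-integrated zone.

The zone apex is left alone on purpose: the DCs register their own host
records for the bare domain name, so inside the LAN "example.com" with no
"www" keeps resolving to the DC no matter what is added here.

Assumptions, none of them from the thread: zone example.com, DC/DNS server
DC01, public resolver 8.8.8.8, hostnames www and autodiscover. Requires the
DnsServer RSAT module; -Fix needs write rights on the DNS server.
#>
[CmdletBinding()]
param(
    [string]   $Zone        = 'example.com',
    [string]   $InternalDns = 'DC01',
    [string]   $PublicDns   = '8.8.8.8',
    [string[]] $Names       = @('www', 'autodiscover'),
    [switch]   $Fix
)

function Get-Answer {
    # Returns what a server says about a name as a sorted list of
    # "CNAME target" or "A address" strings so both sides compare directly.
    # NXDOMAIN or a timeout yields an empty list instead of an error.
    param([string]$Fqdn, [string]$Server)
    $rr = Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    if (-not $rr) { return @() }
    # A CNAME answer also carries the A records of its target; report the alias itself.
    $alias = $rr | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -ieq $Fqdn } | Select-Object -First 1
    if ($alias) { return @("CNAME $($alias.NameHost.TrimEnd('.'))") }
    return @($rr | Where-Object { $_.Type -eq 'A' } | ForEach-Object { "A $($_.IPAddress)" } | Sort-Object)
}

# 1. Compare public and internal answers for every name.
$report = foreach ($name in $Names) {
    $fqdn = "$name.$Zone"
    $pub  = Get-Answer -Fqdn $fqdn -Server $PublicDns
    $int  = Get-Answer -Fqdn $fqdn -Server $InternalDns
    $state = if (-not $pub) { 'no public record' }
             elseif (-not $int) { 'missing internally' }
             elseif (($pub -join ',') -ne ($int -join ',')) { 'differs' }
             else { 'in sync' }
    [pscustomobject]@{ Name = $name; Fqdn = $fqdn; Public = $pub; Internal = $int; State = $state }
}

$report |
    Select-Object Fqdn, State,
        @{ n = 'Public';   e = { $_.Public   -join ', ' } },
        @{ n = 'Internal'; e = { $_.Internal -join ', ' } } |
    Format-Table -AutoSize

# 2. Optionally create what is missing, using the same record type the public
#    zone uses. Entries that exist but differ are only reported, so a stale
#    internal record is never overwritten without someone looking at it.
if ($Fix) {
    foreach ($entry in ($report | Where-Object { $_.State -eq 'missing internally' })) {
        foreach ($answer in $entry.Public) {
            $kind, $value = $answer -split ' ', 2
            if ($kind -eq 'CNAME') {
                Add-DnsServerResourceRecordCName -ComputerName $InternalDns -ZoneName $Zone `
                    -Name $entry.Name -HostNameAlias $value
            } else {
                Add-DnsServerResourceRecordA -ComputerName $InternalDns -ZoneName $Zone `
                    -Name $entry.Name -IPv4Address $value -TimeToLive (New-TimeSpan -Hours 1)
            }
            Write-Verbose "Created $kind record for $($entry.Fqdn) -> $value"
        }
    }
}
```

Run it read-only first from the DC or any admin box with the DnsServer module, and add -Fix only once the table looks right; re-running it later is the ongoing check that nothing on the public side has changed. The CNAME case works because the alias target lives outside the overlapping zone (as with the Office 365 autodiscover target), so the DC resolves it through its forwarders; a public record whose target is inside the zone still has to be created by hand. MX is deliberately not handled, since the post above notes it only matters if an MTA on the LAN resolves through the DC; in that case Add-DnsServerResourceRecordMX with -Name "." for the zone apex is the corresponding call.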
              • brianlittlejohn

                With only 15 users, personally, I would spend a weekend and re-set up my AD environment just to avoid issues in the future.

                • JaredBusch @brianlittlejohn

                  @brianlittlejohn said:

                  With only 15 users, personally, I would spend a weekend and re-set up my AD environment just to avoid issues in the future.

                  I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

                  Just remove all the machines from the domain. Nuke your DC and start over.

                  • PSX_Defector @JaredBusch

                    @JaredBusch said:

                    @brianlittlejohn said:

                    With only 15 users, personally, I would spend a weekend and re-set up my AD environment just to avoid issues in the future.

                    I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

                    Just remove all the machines from the domain. Nuke your DC and start over.

                    As someone who does this a lot, even with more users than that, it's pretty simple.

                    I keep a few templates ready to go to deploy a base AD environment. Takes me ~3 minutes per endpoint to unjoin from the domain, about 2 hours to rebuild AD from template to completed environment, then ~3 minutes per endpoint to rejoin. With that in mind, for a 15-user environment I could have it done in an afternoon while drinking beer.

                    Shit like this is easy as hell. Although I would be investigating the cost/benefit of having an AD environment for that few users. Unless you have a case for it, Samba will do the job of authentication just fine. And a Samba domain is just as quick to deploy. Save quite a few bucks in the process. AD is great, I made my career around it, but it's not a need.

                    • Joel

                      I've never used or worked with Samba so don't know anything about it. The AD I thought was great for them as they want to have more 'control' over users, add more security to the network and manage permissions on folders much better. I'm familiar with AD so thought it would suit them well.

                      The reason we named the domain name the same as their external domain is because a Microsoft technician advised me to do so if we wanted to Sync our Office365 tenant with the on-premise server.

                      I can easily nuke the DC and start over, but re-configuring the 15 computers and dragging everything over to their new profiles, while easy, is frustrating to have to spend the extra time on, as I've just done it for their new server!!!

                      • scottalanmiller @Joel

                        @Our-Tech-Team said:

                        I've never used or worked with Samba so don't know anything about it. The AD I thought was great for them as they want to have more 'control' over users, add more security to the network and manage permissions on folders much better. I'm familiar with AD so thought it would suit them well.

                        Samba is just as much AD as Microsoft's DC is. Both are AD, just one is done from an open source project and one from Microsoft. It's not that Samba is not AD as well.

                        • scottalanmiller @Joel

                          @Our-Tech-Team said:

                          The reason we named the domain name the same as their external domain is because a Microsoft technician advised me to do so if we wanted to Sync our Office365 tenant with the on-premise server.

                          Microsoft has been warning against this since the day AD was first released in 2000. It's, as far as I remember, the very first thing that they teach when starting hands on with AD in their courses and certs. Even in the NT4 era we were prepared to worry about it before upgrading to Windows 2000. This was a tech who actually worked for Microsoft and isn't aware of this? Something is fishy.

                          • scottalanmiller @Joel

                            @Our-Tech-Team said:

                            ... if we wanted to Sync our Office365 tenant with the on-premise server.

                            No such dependency.

                            • brianlittlejohn @Joel

                              @Our-Tech-Team said:

                              I've never used or worked with Samba so don't know anything about it. The AD I thought was great for them as they want to have more 'control' over users, add more security to the network and manage permissions on folders much better. I'm familiar with AD so thought it would suit them well.

                              The reason we named the domain name the same as their external domain is because a Microsoft technician advised me to do so if we wanted to Sync our Office365 tenant with the on-premise server.

                              I can easily nuke the DC and start over, but re-configuring the 15 computers and dragging everything over to their new profiles, while easy, is frustrating to have to spend the extra time on, as I've just done it for their new server!!!

                              You can use the AD migration tool if you spin up a new DC. Then it keeps all the SIDs for the users. Just join the PC to the new domain and it will keep using the profiles, no need to rebuild them. I just don't know if the setup for ADMT will take more time than just doing it manually for 15 users.

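brianlittlejohn's point above is what separates an ADMT migration from a weekend rebuild: ADMT carries each account's old SID over in the sidHistory attribute of the new account, and that is what lets ACLs written against the old domain keep resolving. The PowerShell below is an added example for checking that after the move, written for this thread and not code posted by anyone in it. The DC name DC01, the share path \\FS01\Company and the depth of two directory levels are assumptions.

```powershell
<#
Added example for this thread, not code posted by anyone in it. Shows which
users in the rebuilt domain carry a sidHistory, then walks a share and flags
ACEs whose SID the new domain cannot translate (they show as raw
S-1-5-21-... values instead of DOMAIN\name). Anything flagged is an ACE that
no account in the new domain claims, directly or through sidHistory, which
is exactly what a "nuke and start over" without ADMT leaves behind.

Assumptions, none of them from the thread: DC name DC01, share path
\\FS01\Company, two directory levels inspected. Requires the ActiveDirectory
RSAT module and read access to the share's ACLs.
#>
param(
    [string] $Server    = 'DC01',
    [string] $SharePath = '\\FS01\Company',
    [int]    $Depth     = 1
)

Import-Module ActiveDirectory

# 1. Which accounts were migrated with their history, and which were simply recreated.
$users = Get-ADUser -Server $Server -Filter * -Properties sidHistory
$users |
    Select-Object SamAccountName, SID,
        @{ n = 'SidHistory'; e = { ($_.sidHistory | ForEach-Object { $_.Value }) -join ', ' } } |
    Format-Table -AutoSize

$withHistory = @($users | Where-Object { $_.sidHistory.Count -gt 0 }).Count
"$withHistory of $($users.Count) users carry a sidHistory"

# 2. Walk the share. Get-Acl translates each ACE to DOMAIN\name when it can;
#    an IdentityReference that is still a SecurityIdentifier is one that
#    nothing in the current domain resolves, not even via sidHistory.
$paths = @(Get-Item -Path $SharePath) +
         @(Get-ChildItem -Path $SharePath -Directory -Recurse -Depth $Depth)

$orphans = foreach ($p in $paths) {
    foreach ($ace in (Get-Acl -Path $p.FullName).Access) {
        if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
            [pscustomobject]@{
                Path   = $p.FullName
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

if ($orphans) {
    $orphans | Format-Table -AutoSize
    "Re-ACL these entries (or migrate the accounts with sidHistory) before users depend on them."
} else {
    "No unresolved SIDs under $SharePath"
}
```

Run it from a domain-joined box that can reach the new DC; if the DC is unreachable every ACE shows as a raw SID, so a result of "everything orphaned" should first be read as a connectivity problem. A clean run after an ADMT migration is the evidence that the share permissions survived; a long list after a rebuild is the re-ACL work the weekend approach implies.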
                              • Joel @scottalanmiller

                                I haven't worked with ADMT before but will look into it, and if I'm capable of doing it and the time frames make sense, I'll go with it... Otherwise, when I have a spare weekend I will probably nuke and start from scratch... Again, if the main problem is ONLY that staff can't view their website internally then as far as I'm concerned this isn't an urgent problem that warrants immediate action. I'll create the DNS entries manually for the moment so hopefully it'll be okay for now... see the DNS entries below, is this all I'll need to create (as well as the www record for the website)? Thanks again for your replies and responses.

                                [attached image: 0_1453671727209_1.PNG]

                                • Jason @JaredBusch

                                  @JaredBusch said:

                                  @scottalanmiller said:

                                  @JaredBusch said:

                                  The only thing you could do is redo AD. Microsoft documentation uses ad.domain.com in their examples for this reason.

                                  He had asked me about this offline and it appears, from our brief conversation, that the only impacts he is seeing is that he needs to manually put in external addresses into DNS (like www.mysite.com) so that it will resolve and the default domain points to the DC, not the website. As long as users are okay with that one URL not being usable and he's okay with the small amount of manual DNS entries, it looks like that is his only impact and he is fine not changing the domain at this point.

                                  Unfortunate and not best practice, but it appears that the issues are minimal and his best option is to just remain with it as it is at this point. Not worth modifying the domain now.

                                  Correct. Really it is just that users will have to be trained to enter www in front of domain.com to get to the website. All links to the website will have to explicitly use www or it will fail.

                                  You can also setup IIS on DCs to redirect domain.com to www.domain.com if you need to.
                                  I'm glad we don't use the same one internally and externally.

                                  • JaredBusch @Jason

                                    @Jason said:

                                    @JaredBusch said:

                                    @scottalanmiller said:

                                    @JaredBusch said:

                                    The only thing you could do is redo AD. Microsoft documentation uses ad.domain.com in their examples for this reason.

                                    He had asked me about this offline and it appears, from our brief conversation, that the only impacts he is seeing is that he needs to manually put in external addresses into DNS (like www.mysite.com) so that it will resolve and the default domain points to the DC, not the website. As long as users are okay with that one URL not being usable and he's okay with the small amount of manual DNS entries, it looks like that is his only impact and he is fine not changing the domain at this point.

                                    Unfortunate and not best practice, but it appears that the issues are minimal and his best option is to just remain with it as it is at this point. Not worth modifying the domain now.

                                    Correct. Really it is just that users will have to be trained to enter www in front of domain.com to get to the website. All links to the website will have to explicitly use www or it will fail.

                                    You can also setup IIS on DCs to redirect domain.com to www.domain.com if you need to.
                                    I'm glad we don't use the same one internally and externally.

                                    True, but that is just another role to deal with on the DC that does not need to be there.

                                    • Dashrender @JaredBusch

                                      @JaredBusch said:

                                      @brianlittlejohn said:

                                      With only 15 users, personally, I would spend a weekend and re-set up my AD environment just to avoid issues in the future.

                                      I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

                                      Just remove all the machines from the domain. Nuke your DC and start over.

                                      HUH - I think I would bail on having a local DC at all. Since you have O365, I'd upgrade everyone to Windows 10 (if you can) and then use Azure AD.

                                      What problems were you trying to solve by bringing in AD in the first place?

                                      • scottalanmiller @Dashrender

                                        @Dashrender said:

                                        @JaredBusch said:

                                        @brianlittlejohn said:

                                        With only 15 users, personally, I would spend a weekend and re-set up my AD environment just to avoid issues in the future.

                                        I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

                                        Just remove all the machines from the domain. Nuke your DC and start over.

                                        HUH - I think I would bail on having a local DC at all. Since you have O365, I'd upgrade everyone to Windows 10 (if you can) and then use Azure AD.

                                        What problems were you trying to solve by bringing in AD in the first place?

                                        If you cannot upgrade to Windows 10 or cannot do so yet, you can still put AD on Azure, it just isn't Azure AD. Using AD on Azure is an awesome stop gap to get AD today and be ready to quickly phase it out down the road.

                                        • Jason @JaredBusch

                                          @JaredBusch said:

                                          @Jason said:

                                          @JaredBusch said:

                                          @scottalanmiller said:

                                          @JaredBusch said:

                                          The only thing you could do is redo AD. Microsoft documentation uses ad.domain.com in their examples for this reason.

                                          He had asked me about this offline and it appears, from our brief conversation, that the only impacts he is seeing is that he needs to manually put in external addresses into DNS (like www.mysite.com) so that it will resolve and the default domain points to the DC, not the website. As long as users are okay with that one URL not being usable and he's okay with the small amount of manual DNS entries, it looks like that is his only impact and he is fine not changing the domain at this point.

                                          Unfortunate and not best practice, but it appears that the issues are minimal and his best option is to just remain with it as it is at this point. Not worth modifying the domain now.

                                          Correct. Really it is just that users will have to be trained to enter www in front of domain.com to get to the website. All links to the website will have to explicitly use www or it will fail.

                                          You can also setup IIS on DCs to redirect domain.com to www.domain.com if you need to.
                                          I'm glad we don't use the same one internally and externally.

                                          True, but that is just another role to deal with on the DC that does not need to be there.

                                          Yeah, I wouldn't want to deal with it, but I don't like doing split DNS either... just using ad.domain.com solves a lot of the issues.

                                          • Dashrender @scottalanmiller

                                            @scottalanmiller said:

                                            @Dashrender said:

                                            @JaredBusch said:

                                            @brianlittlejohn said:

                                            With only 15 users, personally, I would spend a weekend and re-set up my AD environment just to avoid issues in the future.

                                            I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

                                            Just remove all the machines from the domain. Nuke your DC and start over.

                                            HUH - I think I would bail on having a local DC at all. Since you have O365, I'd upgrade everyone to Windows 10 (if you can) and then use Azure AD.

                                            What problems were you trying to solve by bringing in AD in the first place?

                                            If you cannot upgrade to Windows 10 or cannot do so yet, you can still put AD on Azure, it just isn't Azure AD. Using AD on Azure is an awesome stop gap to get AD today and be ready to quickly phase it out down the road.

                                            That's true, didn't think of that, but there's expense if you spin up a VM, plus I have no idea how to get a secure connection back to your office.
