Configure a split DNS system on Windows Server 2003

A typical practice for organizations is to run servers for internal use separately from those for external use. But if the organization uses network address translation (NAT), the servers must be accessible from two different IP addresses. In this Windows Server 2003 tip, learn how to rectify this situation by using Windows Server 2003 DNS services.

A common practice for organizations is to run servers for internal use separately from those for external use. But in many instances, both internal and external clients use both servers. And if the organization uses network address translation (NAT), the servers must be accessible from two different IP addresses.

For example, consider Exchange 2003's Outlook Web Access (OWA) component. Assume that it's a small environment, and the OWA server is behind the organization's NAT-enabled firewall, which has rules that allow HTTP traffic to this server from anywhere outside the organization.

With a single DNS view, you end up in one of two situations. If you provide DNS entries for your external users to access the OWA server, your internal users can't use it because they're inside the translated network.

However, if you provide DNS entries to enable your internal users to use OWA, then external users are unable to use the services. NAT addresses are generally in the RFC 1918 reserved IP address ranges, which aren't used on the Internet and aren't routable outside an organization's firewall.

You can rectify this situation by using Windows Server 2003 DNS services. Your internal users will use the Windows Server 2003 DNS server, which resolves your internal names and forwards requests for every other domain to your ISP's DNS servers. On the internal DNS server, configure the internal NAT addresses; at your ISP, provide name resolution for the external IP addresses.

If you're using Active Directory, you already have Windows-based DNS services installed. We'll assume that you're running a Windows Server 2003-based Active Directory server with DNS.

To manage the DNS servers, follow these steps:

  1. Go to Start | All Programs | Administrative Tools | DNS.
  2. Right-click the server name, and choose Properties.
  3. On the Forwarders tab, it should say All Other DNS Domains in the DNS Domain box. This means the server will automatically forward any requests for DNS domains that it doesn't handle to the servers listed in Selected Domain's Forwarder IP Address List.
  4. Add your ISP's DNS servers to this list. Type the server's IP address, and click Add.
  5. Repeat the process for each of your ISP's DNS servers.
  6. When you're finished, click Apply.

Next, add the appropriate host records to the zone for the domain whose services you want to split. Configure this server using the internal NAT IP addresses. Continue to update your ISP's DNS records with the translated, or "real," IP address.

You'll also need to configure your internal workstations to use the Windows Server 2003 DNS system as their primary DNS server. You can accomplish this by using a DHCP option.

When your internal users try to access the server, they resolve its name through the internal DNS server and receive the NAT address. External users continue to resolve names from the entries at your ISP, which hold the translated, routable IP addresses.
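One way to confirm that the two views behave as described, as an added example that is not part of the original tip: the script below sends an A query straight to a chosen DNS server (so the internal server and the ISP's server can each be asked directly, bypassing the workstation's resolver) and then checks that the internal view returns RFC 1918 addresses while the external view returns routable ones. The server addresses, host names and IP addresses used with it are assumptions you replace with your own.

```python
import ipaddress
import socket
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    """True for the NAT-side (RFC 1918) ranges that must never appear in the external view."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def parse_a_answers(data: bytes) -> list:
    """IPv4 addresses in the answer section of a raw DNS response (RFC 1035 wire format)."""
    def skip_name(pos):  # labels end with 0x00 or a 2-byte compression pointer
        while data[pos] & 0xC0 != 0xC0 and data[pos] != 0:
            pos += 1 + data[pos]
        return pos + (2 if data[pos] & 0xC0 else 1)
    qdcount, ancount = struct.unpack(">HH", data[4:8])
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # echoed question: name + QTYPE + QCLASS
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_a(server: str, name: str, timeout: float = 3.0) -> list:
    """One A query over UDP/53 straight to `server` (e.g. "192.168.1.5", an assumed address)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    pkt = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    # Drop replies with the wrong transaction id or an RCODE other than NOERROR
    return [] if data[:2] != pkt[:2] or data[3] & 0x0F else parse_a_answers(data)

def check_split_views(internal: dict, external: dict) -> list:
    """Each view maps host name -> A records returned; an empty result means the split is consistent."""
    findings = []
    for name in sorted(set(internal) | set(external)):
        if name not in internal:
            findings.append(f"{name}: no internal record; internal clients get the public address and hit the NAT")
        elif name in external:
            findings += [f"{name}: external view returns RFC 1918 address {a}" for a in external[name] if is_rfc1918(a)]
            findings += [f"{name}: internal view returns public address {a}" for a in internal[name] if not is_rfc1918(a)]
    return findings
```

Build the two dictionaries by calling `query_a` once per host against the internal server and once against the ISP's server, then pass them to `check_split_views`.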
