[OPLINTECH] Internal DNS issue

Nathan Eady oplintech at galionlibrary.net
Fri Sep 3 14:57:37 EDT 2010


"Jim Lack" <J.Lack at rrpl.org> writes:

> this A record (same as parent folder) re-populates itself.
>
> What do I have to do to stop this from happening and to get rrpl.org
> to work internally all the time?

Well, this probably isn't what you want to hear, but you seem to be
warnocked, so I'll go ahead and say it anyway, on the theory that a
response different from what you hoped for is better than no response.

The good news is that your authoritative nameservers are separate from
the AD ones.  That's definitely a good thing.  Some sites try to use
an AD domain controller as their authoritative DNS for the internet,
and that approach would definitely not improve your situation.

However, the only way I know to completely fix the problem you are
experiencing, and a good idea in any case, is to NOT use your
internet-style DNS domain name in the global .org namespace as also
the name of your Active Directory domain.  For example, if your
internet domain name is rrpl.org you could name your AD domain
rockyriver.LOCAL or something like that.  Then AD would leave the
rrpl.org name records however you set them, or for that matter the AD
nameserver wouldn't necessarily even need to have records for rrpl.org
at all; it could just get them recursively from the upstream resolver
like it does for every other internet domain name.

There *may* be other workarounds I don't know about that will allow
rrpl.org to resolve the way you want, but if so they are inferior
approaches.  The problem you noticed is not the only problem, nor the
worst, that can be caused by conflating AD with DNS.  Active Directory
is not the internet, and AD domains are not the same thing as DNS
domains, and they should not be treated as if they were.  Yes, AD uses
the DNS protocol for its own purposes, but the semantics of AD differ
from those of internet domains.  Mixing them up tends to confuse the
software (as you've noticed), to say nothing of the humans.

Ideally, Active Directory domains should be in the .LOCAL namespace.
That way there are no naming conflicts with ANY internet domain name.

And yes, I do realize that changing the name of an existing AD domain
is something you probably would prefer to avoid.

-- 
Nathan Eady
Galion Public Library
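An added read-only audit, not part of the original message, for the situation Nathan describes: it checks whether the AD domain name collides with the public zone name and lists the apex ("same as parent folder") A records that point at domain controllers. It assumes the ActiveDirectory and DnsServer PowerShell modules (RSAT or a Windows Server DC) and uses rrpl.org from the thread as the public zone name.

```powershell
# Added audit example; not the original poster's code.
# Assumes the ActiveDirectory and DnsServer modules are available (RSAT / DC).
Import-Module ActiveDirectory
Import-Module DnsServer

$adDomain   = (Get-ADDomain).DNSRoot   # name of the AD domain, e.g. rrpl.org or rockyriver.local
$publicZone = 'rrpl.org'               # assumption: the internet-facing zone name from the thread

# 1. Name collision: AD domain name identical to the public DNS zone name.
if ($adDomain -ieq $publicZone) {
    Write-Warning "AD domain '$adDomain' has the same name as the public zone '$publicZone'."
} else {
    Write-Output "AD domain '$adDomain' does not collide with '$publicZone'."
}

# 2. Apex A records in the AD-integrated zone vs. domain controller addresses.
#    Records pointing at a DC are the ones AD keeps re-creating.
$dcAddrs = (Get-ADDomainController -Filter *).IPv4Address
$apex = Get-DnsServerResourceRecord -ZoneName $adDomain -Name '@' -RRType A -ErrorAction SilentlyContinue
foreach ($rr in $apex) {
    $ip = $rr.RecordData.IPv4Address.IPAddressToString
    if ($dcAddrs -contains $ip) {
        Write-Output "Apex A record $ip points at a domain controller (AD will re-register it)."
    } else {
        Write-Output "Apex A record $ip is not a DC address (manually set)."
    }
}
```

Run it on a DC (or a host with RSAT) as a domain user with read access; it changes nothing, and a warning plus DC-owned apex records together reproduce the symptom in the thread.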