Is it possible for an AD domain's DNS name to point to a web server instead of the DCs?


Solution 1

You can't.

You can define any hostname or subdomain you want in your AD's main DNS zone, but for AD to work properly, the A records for the domain itself must point to your domain controllers.

So, having "www.mywebsite.com" pointing to your web site is fine, but having "mywebsite.com" do the same is not.


Addendum: hosting your web site on your DC would of course fix the issue, but I strongly advise you against that; DCs are definitely not meant to host web sites.
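The rule in this answer (apex A records must all be DCs, while host records such as www may point anywhere) can be checked rather than assumed. The script below is an added example, not part of the original answer. It assumes a domain-joined host with RSAT's ActiveDirectory module and the built-in DnsClient module; the `www` hostname is an assumption for the contrast check.

```powershell
# Added example: verify that every A record at the AD domain apex belongs to a
# domain controller, and that each DC has registered its apex record.
# Assumes RSAT (ActiveDirectory module); DnsClient ships with Windows.
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-AdApexRecords {
    param(
        # Defaults to the domain of the machine you run this on.
        [string]$DomainName = (Get-ADDomain).DNSRoot,
        # Host record to contrast with the apex; 'www' is an assumption here.
        [string]$WebHost = "www.$DomainName"
    )

    # Authoritative list of DCs and their addresses, straight from AD.
    $dcs   = Get-ADDomainController -Filter * -Server $DomainName
    $dcIps = @($dcs | ForEach-Object { $_.IPv4Address })

    # What clients actually get when they resolve the bare domain name.
    $apex = @(Resolve-DnsName -Name $DomainName -Type A -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' })
    $apexIps = @($apex | ForEach-Object { $_.IPAddress })

    foreach ($rec in $apex) {
        $owner = $dcs | Where-Object { $_.IPv4Address -eq $rec.IPAddress } |
                 Select-Object -First 1
        # An apex A record that is not a DC is the misconfiguration to look for:
        # clients round-robin onto it for LDAP/Kerberos/SYSVOL and fail.
        if ($owner) { $status = 'OK (DC)' } else { $status = 'BAD: apex points at a non-DC' }
        [pscustomobject]@{
            Record    = $DomainName
            IPAddress = $rec.IPAddress
            OwnerDC   = $(if ($owner) { $owner.HostName } else { $null })
            Status    = $status
        }
    }

    # DCs whose netlogon registration of the apex record (LdapIpAddress) is missing.
    foreach ($dc in $dcs) {
        if ($apexIps -notcontains $dc.IPv4Address) {
            [pscustomobject]@{
                Record    = $DomainName
                IPAddress = $dc.IPv4Address
                OwnerDC   = $dc.HostName
                Status    = 'MISSING: DC has no apex A record'
            }
        }
    }

    # The host record may point at the web server; report it for contrast.
    Resolve-DnsName -Name $WebHost -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object {
            [pscustomobject]@{
                Record    = $WebHost
                IPAddress = $_.IPAddress
                OwnerDC   = $null
                Status    = 'INFO: host record, may point anywhere'
            }
        }
}

Test-AdApexRecords | Format-Table -AutoSize
```

Any row marked BAD means some fraction of internal lookups for the bare domain will land on a machine that speaks neither LDAP nor Kerberos, which shows up as intermittent logon, GPO and \\domain\SYSVOL failures rather than a clean error. Do not "fix" this by suppressing the DCs' apex registration: that record is what clients use to reach the domain by name.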

Solution 2

You really shouldn't use the .local TLD (or any made-up TLD) or the address of a public website. You should use a sub-domain of a domain that you already own (e.g. internal.mywebsite.com).

The best thing to do is rename your Active Directory Domain. You can't do this if you have Exchange 2007 or 2010 installed, but you can certainly reinstall it in the new domain.

If you don't want to do a rename, which is really the best thing to do, you can do some voodoo like install IIS on all of the DCs that redirect to the external site, but that's a bad fix. Really, just do a domain rename and learn from your mistake.
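For anyone who nevertheless takes the workaround route, this is what the "IIS on the DCs that redirects" setup looks like when kept to the bare minimum. It is an added example, not from the original answer or from Microsoft: the site name `Default Web Site` and the destination `https://www.mywebsite.com` are assumptions, and it must be run elevated on every DC, since any of them may answer the apex lookup.

```powershell
# Added example: turn IIS on a DC into a redirect-only listener.
# Assumptions: site 'Default Web Site', public site https://www.mywebsite.com.
$Destination = 'https://www.mywebsite.com'

# Install only the IIS core and the HTTP Redirection module; no ASP.NET, no
# application handlers, so the DC serves nothing of its own.
Install-WindowsFeature -Name Web-Server, Web-Http-Redirect

Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'

# Permanent (301) redirect of every request to the public site, keeping the
# request path so http://mywebsite.com/page lands on the same page there.
Set-WebConfiguration -Filter 'system.webServer/httpRedirect' -PSPath $site -Value @{
    enabled            = 'true'
    destination        = $Destination
    exactDestination   = 'false'
    childOnly          = 'false'
    httpResponseStatus = 'Permanent'
}

# Check the result without following the redirect, so we see the DC's own
# response rather than the public site's.
function Test-DcRedirect {
    param([string]$Url = "http://$env:COMPUTERNAME/")
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false     # 3xx is returned, not thrown, when this is off
    $resp = $req.GetResponse()
    try {
        [pscustomobject]@{
            Status   = [int]$resp.StatusCode        # expect 301
            Location = $resp.Headers['Location']    # expect $Destination plus the path
        }
    }
    finally { $resp.Close() }
}

Test-DcRedirect
```

Two caveats a practitioner should keep in mind. First, this only covers plain HTTP: anyone typing https://mywebsite.com reaches port 443 on a DC, which has no binding, unless you also put a certificate for the apex name on every DC, which widens the surface further. Second, you have now added a listening web server to the machines holding the domain's credential database; keep the feature set to exactly what is installed above, apply the same patch cadence as the DCs themselves, and treat the domain rename as the real fix.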

Solution 3

I always name my internal AD domains ad.companyname.com so I'm

  1. not using .local or a made-up TLD.
  2. using a real TLD so I can get appropriate certs and avoid DNS issues.

Author: Reid

I am a Software Engineer working primarily in the React, TS, Node, Elastic Search, and Serverless tech stack. However, I also have extensive experience with creating and programming embedded electronics and consumer products.

Updated on September 18, 2022

Comments

  • Reid
    Reid almost 2 years

    My active directory domain's name is "mywebsite.com" instead of "mywebsite.local". I had to do this as a workaround to other issues, and to change it will be a pain. When people inside of my company visit "mywebsite.com", it redirects to our DC instead of our website. How can I make it redirect to our website?

  • MDMarra
    MDMarra over 12 years
    In case your addendum is in response to my answer - I wasn't suggesting hosting the sites on the DCs, but rather installing IIS and hosting a redirect to www.site.com, which will work, but is definitely putting a bandaid on a broken arm. :)
  • HostBits
    HostBits over 12 years
    I think a little expansion on WHY they shouldn't use a .local or other made up TLD would be useful.
  • MDMarra
    MDMarra over 12 years
    It's been answered (by me) at least 3 times. This is a quick overview. It's a topic that's been answered many times here already.
  • MDMarra
    MDMarra over 12 years
    The short version is: Hard to get 3rd party SSL certificates for internal use. .local and others aren't reserved. At the rate that ICANN is selling TLDs, there's reason to think that your .local domain might be owned by someone else some day, causing a similar problem to this. It causes mDNS (bonjour) problems with OS X clients on the network. And, to top it off, it's just plain wrong!
  • Massimo
    Massimo over 12 years
    But it has been standard practice (and even recommended by Microsoft!) for quite a while... it's normal to find lots of domains named this way, and lots of people who honestly think it's the correct way to name them.
  • Massimo
    Massimo over 12 years
    @MDMarra: not directly related... more oriented to prevent someone from actually doing that :-)
  • MDMarra
    MDMarra over 12 years
    @Massimo I completely agree. Microsoft has (thankfully) done a 180 on their position. With ICANN's buy-your-own-TLD hare-brained scheme, it's only a matter of time before someone owns .local and all of these admins end up in tears.
  • HostBits
    HostBits over 12 years
    @MDMarra I find it a bit harsh to throw a "HAND OF GOD" statement like "it's just plain wrong" in there. I could see if it was a glaring security risk, but that's not the case. There are plenty of environments where this works and they may never run into the issue you are describing.
  • MDMarra
    MDMarra over 12 years
    @Cheekaleak While I agree that this probably doesn't adversely affect many people that use it, violating the relevant RFCs and best practices when it takes the same amount of effort to do it the right way doesn't make any sense. In some old legacy installs, I can see the appeal of not changing it, but there's no reason for new AD installs to have .local, .internal, .lan, or any other fake TLDs.
  • Mathias R. Jessen
    Mathias R. Jessen over 12 years
    @MDMarra though I strongly agree with you (especially on the non-reserved non-public TLD argument), I wouldn't say that it's "Hard to get 3rd party SSL certificates for internal use." I've had UC certs issued from VeriSign, GoDaddy, Thawte and (mis)TrustWave, all with non-public SANs, no problem.
  • MDMarra
    MDMarra over 12 years
    This answer doesn't really add anything of value. Both Massimo and I covered this approach long before you posted this, and your post doesn't contain any new information/suggestions, making it noise.
  • MDMarra
    MDMarra over 12 years
    Then you didn't read either of our answers completely, I say that he can install IIS on the DCs and do a redirect and Massimo says something similar. Also, it's a little presumptuous to assume that his start page is index.asp. Massimo's answer is correct. You can't do what the OP wants. You can work around it with IIS redirects or hosting a copy of your site directly on the DCs, but you cannot just tell internal clients of a mydomain.com AD to connect to an external mydomain.com web server when they're using a browser, but still have AD work correctly.
  • Ian Murphy
    Ian Murphy over 12 years
    .local will never be issued as a TLD. It's been requested to be reserved, ostensibly to support Bonjour and its mDNS derivatives. Not sure who will ever use mDNS, but it's there.
  • MDMarra
    MDMarra over 12 years
    @Ian can you cite the relevant RFC?
  • Reid
    Reid over 12 years
    I cheated a little, and made my domain controller webpage redirect to www.mywebsite.com. This worked perfectly. Thank you!!!
  • Ian Murphy
    Ian Murphy over 12 years
    It was discussed in another question on SF the other day by Jonathan de Boyne Pollard: serverfault.com/questions/354597/…. The details of mDNS are detailed here multicastdns.org.
  • integratorIT
    integratorIT almost 8 years
    Man! The best answer in this topic!