Is it possible for an AD domain's DNS name to point to a web server instead of the DCs?
Solution 1
You can't.
You can define any hostname or subdomain you want in your AD's main DNS zone, but for AD to work properly, the A records for the domain itself must point to your domain controllers.
So, having "www.mywebsite.com" pointing to your web site is fine, but having "mywebsite.com" do the same is not.
Addendum: hosting your web site on your DC would of course fix the issue, but I strongly advise you against that; DCs are definitely not meant to host web sites.
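The requirement in this answer (the apex A records of the AD zone must resolve to domain controllers) can be checked from any domain-joined machine. The script below is an added example, not part of the original answer; it assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT) are installed, and the function name Test-AdApexRecords is my own.

```powershell
# Added example (not from the original answer): report whether the A records for
# the bare AD domain name point only at domain controllers, and whether the
# DC-locator SRV record is still present. Assumes RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

function Test-AdApexRecords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # IPv4 addresses of every DC as AD knows them
    $dcIps = @(Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address })

    # A records for the zone apex (the bare domain name)
    $apex = @(Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' })

    foreach ($rec in $apex) {
        if ($dcIps -contains $rec.IPAddress) {
            "OK    $Domain -> $($rec.IPAddress) is a domain controller"
        } else {
            # This is the situation the answer warns about: an apex record that is not a DC
            "WARN  $Domain -> $($rec.IPAddress) is not a DC (web server at the apex?)"
        }
    }

    # A DC whose netlogon registration failed will be missing from the apex
    foreach ($ip in $dcIps) {
        if (-not ($apex.IPAddress -contains $ip)) {
            "WARN  DC $ip has no apex A record; check netlogon DNS registration"
        }
    }

    # Clients locate DCs through this SRV record; it must exist regardless
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly `
               -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        "WARN  no _ldap._tcp.dc._msdcs SRV records found for $Domain"
    } else {
        $srv | ForEach-Object { "OK    DC locator SRV -> $($_.NameTarget):$($_.Port)" }
    }
}

Test-AdApexRecords
```

A WARN line for the apex means the zone has been edited the way the question describes; a WARN for a missing DC means the DC itself is not registering, which is a separate problem to fix on that DC.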
Solution 2
You really shouldn't use the .local TLD (or any made up TLD) or the address of a public website. You should use a sub-domain of a domain that you already own (i.e. internal.mywebsite.com).
The best thing to do is rename your Active Directory Domain. You can't do this if you have Exchange 2007 or 2010 installed, but you can certainly reinstall it in the new domain.
If you don't want to do a rename, which is really the best thing to do, you can do some voodoo like install IIS on all of the DCs that redirect to the external site, but that's a bad fix. Really, just do a domain rename and learn from your mistake.
Solution 3
I always name my internal AD domains ad.companyname.com so I'm
- not using .local or a made up TLD.
- using a real TLD so I can get appropriate certs and avoid DNS issues.
Updated on September 18, 2022

Comments

- Reid (almost 2 years): My active directory domain's name is "mywebsite.com" instead of "mywebsite.local". I had to do this as a workaround to other issues, and to change it will be a pain. When people inside of my company visit "mywebsite.com", it redirects to our DC instead of our website. How can I make it redirect to our website?
- MDMarra (over 12 years): In case your addendum is in response to my answer - I wasn't suggesting hosting the sites on the DCs, but rather installing IIS and hosting a redirect to www.site.com, which will work, but is definitely putting a band-aid on a broken arm. :)
- HostBits (over 12 years): I think a little expansion on WHY they shouldn't use a .local or other made up TLD would be useful.
- MDMarra (over 12 years): It's been answered (by me) at least 3 times. This is a quick overview. It's a topic that's been answered many times here already.
- MDMarra (over 12 years): The short version is: Hard to get 3rd party SSL certificates for internal use. .local and others aren't reserved. At the rate that ICANN is selling TLDs, there's reason to think that your .local domain might be owned by someone else some day, causing a similar problem to this. It causes mDNS (Bonjour) problems with OS X clients on the network. And, to top it off, it's just plain wrong!
- Massimo (over 12 years): But it has been standard practice (and even recommended by Microsoft!) for quite a while... it's normal to find lots of domains named this way, and lots of people who honestly think it's the correct way to name them.
- Massimo (over 12 years): @MDMarra: not directly related... more oriented to prevent someone from actually doing that :-)
- MDMarra (over 12 years): @Massimo I completely agree. Microsoft has (thankfully) done a 180 on their position. With ICANN's buy-your-own-TLD harebrained scheme, it's only a matter of time before someone owns .local and all of these admins end up in tears.
- HostBits (over 12 years): @MDMarra I find it a bit harsh to throw a "HAND OF GOD" statement like "it's just plain wrong" in there. I could see if it was a glaring security risk, but that's not the case. There are plenty of environments where this works and they may never run into the issue you are describing.
- MDMarra (over 12 years): @Cheekaleak While I agree that this probably doesn't adversely affect many people that use it, violating the relevant RFCs and best practices when it takes the same amount of effort to do it the right way doesn't make any sense. In some old legacy installs, I can see the appeal of not changing it, but there's no reason for new AD installs to have .local, .internal, .lan, or any other fake TLDs.
- Mathias R. Jessen (over 12 years): @MDMarra though I strongly agree with you (especially on the non-reserved non-public TLD argument), I wouldn't say that it's "Hard to get 3rd party SSL certificates for internal use." I've had UC certs issued from VeriSign, GoDaddy, Thawte and (mis)TrustWave, all with non-public SANs, no problem.
- MDMarra (over 12 years): This answer doesn't really add anything of value. Both Massimo and I covered this approach long before you posted this, and your post doesn't contain any new information/suggestions, making it noise.
- MDMarra (over 12 years): Then you didn't read either of our answers completely; I say that he can install IIS on the DCs and do a redirect and Massimo says something similar. Also, it's a little presumptuous to assume that his start page is index.asp. Massimo's answer is correct. You can't do what the OP wants. You can work around it with IIS redirects or hosting a copy of your site directly on the DCs, but you cannot just tell internal clients of a mydomain.com AD to connect to an external mydomain.com web server when they're using a browser, but still have AD work correctly.
- Ian Murphy (over 12 years): .local will never be issued as a TLD. It's been requested to be reserved - ostensibly to support Bonjour and its mDNS derivatives. Not sure who will ever use mDNS but it's there.
- MDMarra (over 12 years): @Ian can you cite the relevant RFC?
- Reid (over 12 years): I cheated a little, and made my domain controller webpage redirect to www.mywebsite.com. This worked perfectly. Thank you!!!
- Ian Murphy (over 12 years): It was discussed in another question on SF the other day by Jonathan de Boyne Pollard: serverfault.com/questions/354597/…. The details of mDNS are detailed here: multicastdns.org.
- integratorIT (almost 8 years): Men! The best answer in this topic!