My public website name and AD domain name are the same. How can I get to my external website from inside my network?
Solution 1
If you've named your Active Directory example.org, then you cannot prevent this. You've gone against Microsoft's best practices for naming an AD and you're seeing one of the symptoms.
You have a few choices:
- Migrate to a properly named AD. Something like corp.example.org.
- Install a web server on each DC and configure it to forward web requests for example.org to www.example.org. This is dirty and shouldn't be done, but it's an option nonetheless.
- Train your users to go to www.example.org internally.
I've blogged about AD naming best practices multiple times and link to official Microsoft sources. You should read them:
- http://web.archive.org/web/20200214122247/http://www.mdmarra.com/2013/04/best-practices-for-configuring-new.html
- http://web.archive.org/web/20191201074255/www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html
- http://web.archive.org/web/20200122002118/www.mdmarra.com/2013/07/more-documentation-from-microsoft-about.html
If you want the short version:
Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet DNS URL is http://contoso.com, you must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely for web traffic. For example: corp.contoso.com.
- http://technet.microsoft.com/en-us/library/jj574166.aspx
Solution 2
If you are running Exchange on the DC, do not set up a PortProxy - it may go without saying but it will break Exchange services hosted on port 80.
I realize this post is quite old, but you can still do this without installing IIS on the DCs. On every DC, run the following command to portproxy port 80 to the external web server (replace the placeholders in braces with the real addresses):
netsh interface portproxy add v4tov4 listenport=80 listenaddress={Static IPv4 address of DC} connectport=80 connectaddress={IP address of public web server}
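As an added example (not part of the answer above), a PowerShell script that runs the pre-flight checks this thread raises before adding the rule: the IP Helper service (iphlpsvc) that portproxy depends on must be running, and nothing (IIS, Exchange) may already be listening on TCP/80 on the DC. The DC and web server addresses are script parameters; the rule itself is the netsh command from the answer.

```powershell
# Added example: pre-flight checks before adding the portproxy rule on a DC.
# Assumes this DC's static IPv4 address and the public web server's IPv4
# address are passed in as parameters (placeholders, supply your own values).
param(
    [Parameter(Mandatory)] [string] $DcAddress,        # static IPv4 of this DC
    [Parameter(Mandatory)] [string] $WebServerAddress  # IPv4 of public web server
)

# 1. portproxy relies on the IP Helper service; refuse to continue if it is stopped.
$iphlp = Get-Service -Name iphlpsvc
if ($iphlp.Status -ne 'Running') {
    throw "IP Helper (iphlpsvc) is $($iphlp.Status); portproxy needs it running."
}

# 2. A listener already bound to TCP/80 (IIS, Exchange) would be broken by a
#    portproxy on the same port, so abort and report which process owns it.
$listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $owners = $listeners |
        ForEach-Object { (Get-Process -Id $_.OwningProcess).ProcessName } |
        Sort-Object -Unique
    throw "TCP/80 is already bound on this DC by: $($owners -join ', '). Aborting."
}

# 3. Make the script safe to re-run: skip if an identical rule already exists.
#    'show v4tov4' prints one line per rule: <listen addr> <port> <connect addr> <port>
$pattern = "^\s*$([regex]::Escape($DcAddress))\s+80\s+$([regex]::Escape($WebServerAddress))\s+80"
if (netsh interface portproxy show v4tov4 | Where-Object { $_ -match $pattern }) {
    Write-Output "portproxy rule already present; nothing to do."
    return
}

# 4. Add the rule from the answer and verify netsh accepted it.
netsh interface portproxy add v4tov4 listenport=80 listenaddress=$DcAddress connectport=80 connectaddress=$WebServerAddress
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# 5. Show the resulting rule table for the operator's log.
netsh interface portproxy show v4tov4
```

Run it from an elevated PowerShell session on each DC, e.g. `.\Add-WebPortProxy.ps1 -DcAddress 10.0.0.1 -WebServerAddress 203.0.113.10` (constructed sample addresses).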
Asked by Max, updated on September 18, 2022
Comments
- Max, over 1 year ago: I am using my domain example.org in my firm. I can use www.example.org to view my website. If I try http://example.org from outside my firm there is no problem, but if I try it from inside, my Windows DNS servers deliver the IPs of domain controllers. How can I solve this? Can I prevent my DCs from registering as example.org in my DNS, and will this be a problem for my environment?
- DanBig, almost 11 years ago: To clarify, your internal network DNS name is example.org, and not something like example.local?
- Philip, almost 11 years ago: You can solve this by naming your domain correctly; it should be something like ad.example.org or corp.example.org. If that's no longer possible you're stuck. The best you can do is set up a redirect to www.example.org on any DCs that also have IIS installed (a bad idea, but a lot of domain controllers are set up poorly).
- mfinni, almost 11 years ago: "Can I prevent my DCs from registering as example.org in my DNS" - nope. "and will this be a problem for my environment?" - YES!
- kralyk, almost 11 years ago: In addition, you can set up a simple "example" CNAME in DNS (example.example.org technically) and have it point to www.example.org. Then you can just tell users to go to http://example. Silly of course; otherwise #3 in MDMarra's list is the only simple solution to the issue. I've been there (split DNS) and it isn't fun to deal with.
- mfinni, almost 11 years ago: As long as "example" isn't the NetBIOS name for your domain. If it is, I can imagine what merry hell this would play in such an environment.
- mfinni, almost 11 years ago: This is included in MDMarra's answer; it's item 2.
- Max, almost 11 years ago: I will get some information about migration to a proper name; I am just a little bit afraid of getting problems through it. The problem is with my Nagios monitoring, which I use to make sure that www.example.org and example.org are fine from external. Here I will go and find an alternative for my setup as long as I have not / will not migrate. Thx
- Max, over 9 years ago: This requires the web server to be reachable from the DC. But nonetheless a nice way. Then you could redirect to the www. version to take the work from the DC. (Pro tip: I think portproxy needs the "IP Helper" service of Windows.)
- Admin, over 8 years ago: I just want to update the answer... while it was once the best practice recommendation by Microsoft, RFC supersedes it, as it interferes with zeroconf (mDNS). Also, this TechNet article recommends against it (as of 2012), especially if you are looking to integrate your AD environment with Office 365 or using Macs on your domain, as we have both happening where I work. One noted workaround would be to use a split zone, as [detailed here](social.technet.microsoft.com/Forums/windowsserver/en-US/…
- MDMarra, over 8 years ago: @stevenh read the article you linked to again. It echoes my answer completely. When moving to Office 365 with a hybrid identity you should set the user principal name to match the primary SMTP address of each user. This is completely independent of your directory's name. My answer was valid when I posted it and it is still valid today.