Our website is hosted externally, off our network. The canonical URL intentionally lacks www, and any request containing www is 301-redirected to the canonical URL. So far, so good.

The problem is providing access to the website from within our LAN. In theory, the answer is simple: add a host record in DNS pointing foobarco.org to the external webhost. (eg foobarco.org -->

However, our Active Directory domain is the same as our public website (foobarco.org), and AD appears to periodically auto-create host (A) records in the domain root corresponding to our domain controllers. This causes obvious problems: users on the LAN attempting to access the website resolve the domain controllers instead.

As a stop-gap measure we're overriding DNS using the hosts file on clients, but this is a quick hack that doesn't scale well.

The hosts-file hack hasn't broken anything obvious, so I doubt that this behavior is essential to AD operations, but I haven't found a way to disable it.

Is it possible to override this behavior?

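A check for the situation the question describes, added here as an example and not part of the original post: it compares the A records the LAN resolves for the zone apex against the domain controllers' addresses, bypassing the hosts-file override so you see what DNS itself returns. It assumes the ActiveDirectory and DnsClient modules are available (RSAT), and `foobarco.org` is a placeholder for your domain.

```powershell
# Added example (not from the original question): confirm that the A records at
# the zone apex are the domain controllers rather than the external web host.
# Assumes RSAT (ActiveDirectory module) on the machine running it.
$zone = 'foobarco.org'   # placeholder: your AD domain / public domain name

# IPv4 addresses of every domain controller, taken from AD itself
$dcIps = Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address }

# What internal DNS answers for the bare name. -NoHostsFile skips the
# per-client hosts-file hack so the result reflects the actual zone data.
$apex = Resolve-DnsName -Name $zone -Type A -NoHostsFile |
        Where-Object { $_.Type -eq 'A' }

foreach ($rec in $apex) {
    if ($dcIps -contains $rec.IPAddress) {
        Write-Output ("{0} -> {1}  (domain controller: LAN web requests for the bare name land here)" -f $zone, $rec.IPAddress)
    } else {
        Write-Output ("{0} -> {1}  (not a domain controller)" -f $zone, $rec.IPAddress)
    }
}

# On the DNS server itself the apex records can be listed directly (DnsServer module):
#   Get-DnsServerResourceRecord -ZoneName $zone -RRType A -Name '@'
```

Run it on a domain-joined client; every apex address that matches a DC is one that will answer port 80 (or refuse the connection) instead of the external site, which is exactly the symptom described above.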



Any solution that involves using a "hosts" file isn't a solution. Doubly so, in this case, because it will break domain DFS. It's very likely that your group policies aren't applying properly on computers where you've done this "hack". Check one of their Application Event Logs to see. If you ever hope to use domain DFS roots this will also preclude that option. It's not a long-term-viable strategy. (If it's not "obvious" to you that it's "broken" anything, then it's likely that you're not using Group Policy or domain DFS to any degree.)

This "issue" has been the source of some spirited and lively religious-sounding debates on Server Fault.

I would argue that someone has, against Microsoft-recommended best-practices, named your Active Directory domain incorrectly. An Active Directory domain should be named either:

  • A third-level (or deeper) subdomain of an Internet domain name you control
  • A second-level subdomain of an Internet domain name you control but don't use for any externally-accessible Internet resources

Your AD domain should have a globally-unique, non-single-label (i.e. "it has at least one dot in it") name that you control that isn't assigned to any Internet-accessible resources.

The ".local" TLD is a bad idea because it can cause problems with the ZeroConf protocol. Don't use it.

You can do the stupid hack that I've seen in some hopeless situations whereby you run IIS on every domain controller computer sending out redirections to the http://www.domain.com name when clients request http://domain.com. It's horrid, but it'll do what you want.

If you are in a position to do it I'd consider renaming the Active Directory domain. It sounds drastic, but it will eliminate this headache down the road.

Evan Anderson
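The redirect-on-every-DC hack the answer describes, written out as an added example (not the answerer's code): it enables the IIS "HTTP Redirect" feature on the site bound to port 80 of a domain controller so that a request for the bare name is answered with a 301 to the www name. It assumes IIS with the HTTP Redirection feature is installed on the DC, and the site and host names are placeholders.

```powershell
# Added example (not the answerer's code): make IIS on a domain controller
# redirect requests for http://foobarco.org/... to http://www.foobarco.org/...
# Prerequisite (once per DC): Install-WindowsFeature Web-Server, Web-Http-Redirect
Import-Module WebAdministration

$site   = 'Default Web Site'          # placeholder: the IIS site bound to port 80 on the DC
$target = 'http://www.foobarco.org'   # placeholder: a name that resolves to the external host

# system.webServer/httpRedirect is the IIS "HTTP Redirect" feature.
# exactDestination=$false appends the requested path to $target, so
# /about/ becomes http://www.foobarco.org/about/ instead of the site root.
$props = @{
    enabled            = $true
    destination        = $target
    exactDestination   = $false
    childOnly          = $false
    httpResponseStatus = 'Permanent'   # 301, the same code the public site uses
}

foreach ($name in $props.Keys) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
        -Filter 'system.webServer/httpRedirect' -Name $name -Value $props[$name]
}

# Show the resulting configuration so the change can be verified on each DC
Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/httpRedirect' |
    Select-Object enabled, destination, exactDestination, httpResponseStatus
```

One thing to settle before deploying it: the question says the external host already 301-redirects the www name back to the bare name, so the destination used here must be a name the external host serves directly, or a LAN client will bounce between the DC and the external host until the browser gives up. The redirect also has to be repeated on every domain controller, since any of them may be the apex address a client resolves.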