
My active directory domain's name is "mywebsite.com" instead of "mywebsite.local". I had to do this as a workaround to other issues, and to change it will be a pain. When people inside of my company visit "mywebsite.com", it redirects to our DC instead of our website. How can I make it redirect to our website?

Massimo
Reid
  • I edited your question title and text to make it a little more clear. – Massimo Feb 14 '12 at 22:56
    possible duplicate of [Sharing Domain name between domain controller and webserver](http://serverfault.com/questions/38208/sharing-domain-name-between-domain-controller-and-webserver) – ThatGraemeGuy Feb 15 '12 at 13:46

5 Answers


You can't.

You can define any hostname or subdomain you want in your AD's main DNS zone, but for AD to work properly, the A records for the domain itself must point to your domain controllers.

So, having "www.mywebsite.com" pointing to your web site is fine, but having "mywebsite.com" do the same is not.


Addendum: hosting your web site on your DC would of course fix the issue, but I strongly advise you against that; DCs are definitely not meant to host web sites.

Massimo
    In case your addendum is in response to my answer - I wasn't suggesting hosting the sites on the DCs, but rather installing IIS and hosting a redirect to www.site.com, which will work, but is definitely putting a bandaid on a broken arm. :) – MDMarra Feb 14 '12 at 23:05
  • @MDMarra: not directly related... more oriented to prevent someone from actually doing that :-) – Massimo Feb 14 '12 at 23:27
  • I cheated a little, and made my domain controller webpage redirect to www.mywebsite.com. This worked perfectly Thank you!!! – Reid Feb 16 '12 at 04:40

You really shouldn't use the .local TLD (or any made up TLD) or the address of a public website. You should use a sub-domain of a domain that you already own (e.g. internal.mywebsite.com).

The best thing to do is rename your Active Directory Domain. You can't do this if you have Exchange 2007 or 2010 installed, but you can certainly reinstall it in the new domain.

If you don't want to do a rename, which is really the best thing to do, you can do some voodoo like install IIS on all of the DCs that redirect to the external site, but that's a bad fix. Really, just do a domain rename and learn from your mistake.

MDMarra
    I think a little expansion on WHY they shouldn't use a .local or other made up TLD would be useful. – HostBits Feb 14 '12 at 23:06
  • It's been answered (by me) at least 3 times. [This](http://serverfault.com/questions/316323/migrating-active-directory-from-a-non-rfc-internal-domain-name/) is a quick overview. It's a topic that's been answered many times here already. – MDMarra Feb 14 '12 at 23:15
    The short version is: Hard to get 3rd party SSL certificates for internal use. `.local` and others aren't reserved. At the rate that ICANN is selling TLDs, there's reason to think that your .local domain might be owned by someone else some day, causing a similar problem to this. It causes mDNS (bonjour) problems with OS X clients on the network. And, to top it off, *it's just plain wrong!* – MDMarra Feb 14 '12 at 23:22
  • But it has been standard practice (and even recommended by Microsoft!) for quite a while... it's normal to find lots of domains named this way, and lots of people who honestly think it's the correct to name them. – Massimo Feb 14 '12 at 23:26
    @Massimo I completely agree. Microsoft has *(thankfully)* done a 180 on their position. With ICANN's buy-your-own-TLD hare-brained scheme, it's only a matter of time before someone owns .local and all of these admins end up in tears. – MDMarra Feb 14 '12 at 23:28
  • @MDMarra I find it a bit harsh to throw a "HAND OF GOD" statement like "it's just plain wrong" in there. I could see if it was a glaring security risk, but that's not the case. There are plenty of environments where this works and they may never run into the issue you are describing. – HostBits Feb 14 '12 at 23:50
  • @Cheekaleak While I agree that this *probably* doesn't adversely affect many people that use it, violating the relevant RFCs and best practices when it takes the same amount of effort to do it the right way doesn't make any sense. In some old legacy installs, I can see the appeal of not changing it, but there's no reason for new AD installs to have `.local`, `.internal`, `.lan`, or any other fake TLDs. – MDMarra Feb 14 '12 at 23:54
  • @MDMarra though I strongly agree with you (especially on the non-reserved non-public TLD argument), I wouldn't say that it's "Hard to get 3rd party SSL certificates for internal use.". I've had UC certs issued from VeriSign, GoDaddy, Thawte and (mis)TrustWave, all with non-public SANs, no problem – Mathias R. Jessen Feb 15 '12 at 02:26
  • .local will never be issued as a TLD. It's been requested to be reserved - ostensibly to support Bonjour and its mDNS derivatives. Not sure who will ever use mDNS but it's there. – Ian Murphy Feb 15 '12 at 17:17
  • @Ian can you cite the relevant RFC? – MDMarra Feb 15 '12 at 18:00
  • It was discussed in another question on SF the other day by Jonathan de Boyne Pollard: http://serverfault.com/questions/354597/local-domain-dns-vs-global-dns-setup/354641#comment357052_354641. The details of mDNS are detailed here http://www.multicastdns.org/. – Ian Murphy Feb 17 '12 at 08:54

I always name my internal AD domains ad.companyname.com so I'm

  1. not using .local or a made up TLD.
  2. using a real TLD so I can get appropriate Certs and avoid DNS issues.

I'm going to repeat what uSlacker has mentioned above with a bit more detail as what he says will work. The rather pedantic arguments above are valid but I'll let you decide on whether you want a solution today or would prefer to spend several risky days migrating your domain or renaming it.

It's not much of a problem - you should be able to do this in 30 mins or less. It will not affect the operation of AD in the slightest.

  1. Add an entry in your local DNS server on your DC for www (www.mywebsite.com). Put the public IP of your public web site.
  2. Install IIS on your DC (if you have more than one you will need to do this on each one)
  3. On the default web page (of each DC) modify index.htm so that it redirects to www.mywebsite.com

Anyone in the office who types www.mywebsite.com will directly open the public site.

Anyone who types mywebsite.com will open the default web page on the DC and it will redirect to www.mywebsite.com

You could be more sophisticated and create an IIS site with a header of mywebsite.com and put the redirect there so as not to modify the default web site. If you already host other web apps on your DCs then this would be cleaner. Your call.

Ian Murphy
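The three steps above, and the DNS constraint Massimo's answer describes (the zone apex must keep resolving to the DCs while only `www` points at the public site), as a PowerShell script to be run on each domain controller. This is an added example and not code from either answer; it assumes a zone named `mywebsite.com`, a made-up public web server address `203.0.113.10` (from the documentation range), an IIS site name `apex-redirect` and a physical path `C:\inetpub\apex-redirect`, none of which appear in the thread. It uses the "separate IIS site with a host header" variant mentioned at the end of the answer, and a server-side 301 via the IIS HTTP Redirect module instead of editing `index.htm`, so the redirect covers every path and does not depend on guessing the start page name.

```powershell
# Added example, not from the ServerFault thread. Run elevated on every DC.
# Assumed values (not given on the page): zone, public web IP, site name, path.
#Requires -RunAsAdministrator
param(
    [string]$Zone        = 'mywebsite.com',
    [string]$PublicWebIp = '203.0.113.10',   # RFC 5737 documentation address, stands in for the real one
    [string]$SiteName    = 'apex-redirect',
    [string]$SiteRoot    = 'C:\inetpub\apex-redirect'
)

# Step 1: give 'www' an ordinary A record for the public site.
# The apex (the zone's "same as parent" A records) is deliberately NOT touched:
# AD needs those to keep pointing at the DCs.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name 'www' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $PublicWebIp
}

# Step 2: IIS plus the HTTP Redirect module on this DC (repeat per DC).
Install-WindowsFeature -Name Web-Server, Web-Http-Redirect | Out-Null
Import-Module WebAdministration

# Step 3: a dedicated site bound to host header mywebsite.com on port 80, so the
# Default Web Site stays untouched; a 301 for every path, not just index.htm.
New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
if (-not (Get-Website -Name $SiteName -ErrorAction SilentlyContinue)) {
    New-Website -Name $SiteName -PhysicalPath $SiteRoot -HostHeader $Zone -Port 80 | Out-Null
}
$psPath = "IIS:\Sites\$SiteName"
$filter = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name destination        -Value "http://www.$Zone/"
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name exactDestination   -Value $false   # keep the requested path
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name childOnly          -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name httpResponseStatus -Value 'Permanent'

# Check (a): the apex still resolves only to addresses registered for the DCs,
# i.e. AD is unaffected, and www resolves to the public IP.
$apexRecords = (Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A).RecordData.IPv4Address.IPAddressToString
$apexAnswer  = (Resolve-DnsName -Name $Zone -Type A | Where-Object QueryType -eq 'A').IPAddress
$wwwAnswer   = (Resolve-DnsName -Name "www.$Zone" -Type A | Where-Object QueryType -eq 'A').IPAddress
$apexOk = @($apexAnswer | Where-Object { $apexRecords -notcontains $_ }).Count -eq 0
$wwwOk  = $wwwAnswer -contains $PublicWebIp
"apex -> {0} (DC records only: {1})" -f ($apexAnswer -join ', '), $apexOk
"www  -> {0} (public IP: {1})"       -f ($wwwAnswer  -join ', '), $wwwOk

# Check (b): a request to the bare name gets a 301 with a www Location, without
# following it (AllowAutoRedirect=$false makes 3xx a normal, non-throwing response).
$req = [System.Net.HttpWebRequest]::Create("http://$Zone/some/deep/path")
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
"http://{0}/some/deep/path -> {1} {2}" -f $Zone, [int]$resp.StatusCode, $resp.Headers['Location']
$resp.Close()
```

The DC-side checks matter because the failure mode of this workaround is silent: if someone later "fixes" the apex A records to point at the web server, Kerberos and LDAP SRV lookups still succeed but the hosts the clients reach are wrong, so re-run check (a) whenever the zone is edited. The redirect site has to exist on every DC, since any of them can answer for the apex, and it listens on port 80 on a domain controller, which is exactly the "band-aid on a broken arm" the other answers warn about.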

I believe you can make this work, but it adds a bit of risk to your setup. You would need to add IIS to your domain controllers. Then redirect the index.asp to www.yourdomain.com. If you have multiple DCs, you'd need it on each.

I do not recommend this approach, but instead tell folks it cannot work as we have done. However I realize business needs may mandate a solution.

uSlackr
  • This answer doesn't really add anything of value. Both Massimo and I covered this approach long before you posted this, and your post doesn't contain any new information/suggestions, making it noise. – MDMarra Feb 15 '12 at 13:59
  • Your answer started with why he shouldn't use .local which, IMO, is off-topic. Massimo's started with "you can't" which is just wrong. Then the answers move on to reality and finally get around to an answer in the comments. I thought I'd try to directly answer the OP's question. – uSlackr Feb 15 '12 at 14:27
    Then you didn't read either of our answers completely, I say that he can install IIS on the DCs and do a redirect and Massimo says something similar. Also, it's a little presumptuous to assume that his start page is `index.asp`. Massimo's answer **is** correct. You can't do what the OP wants. You *can* work around it with IIS redirects or hosting a copy of your site directly on the DCs, but you cannot just tell internal clients of a mydomain.com AD to connect to an external mydomain.com web server when they're using a browser, but still have AD work correctly. – MDMarra Feb 15 '12 at 14:30