
Up until recently we hosted our company web site on an internal Win 2008 IIS server. To ensure that it stayed online in case something happened to the office, we moved the site to some cheap shared hosting with a popular provider. For the most part things are fine but I have run into one problem...

Unfortunately, when the Windows domain was set up the admin (not me, I swear to god) used an externally resolvable host name (e.g. 'example.net' rather than the best practice 'example.local'). This was never a problem as we always hosted our web site on an internal IIS server. Users inside the AD domain are now complaining that they cannot reach the web site from inside the network. I get why this is the case, but I am cautious about what sort of DNS changes to make since I am well aware how DNS-dependent an Active Directory domain can be. As a temporary measure I put in a 'www' A record pointing to the IP of the external web server so they can at least reach the site for now.

My question is this: Can I set up a wildcard DNS entry on our internal AD DNS server for 'example.net' redirecting to our external web server? I am afraid that putting a wildcard entry for a server that sits outside the AD domain might cause serious problems.

Has anyone ever tried this?

Tyson Navarre
  • What's wrong with the solution you've already implemented? If having an A record for www that resolves to the external IP address of the web server does the trick, why go any further? – joeqwerty Aug 17 '12 at 13:58
  • In the end I wanted the cleanest solution possible that made it transparent for the internal users, so they would hit the web site regardless of whether or not they used www.example.net or simply example.com in the URL bar of their browser. – Tyson Navarre Aug 17 '12 at 14:04

1 Answer


Cliff,

Yea I know what you mean, been there and done that. The safest thing you can do is what you have already done by adding a www record.

You really can't add a wildcard record, because any request for Domain.net will then redirect externally. This is especially true if you rely on DNS for all computer-name-based lookups and have disabled NetBIOS on the network.

Short term, what you have done seems about right. Long term, you may want to investigate changing your domain name. I'm not sure how many clients you have internally, but this is at times no easy task; in the long run, though, it will save you so much time and effort.

I think MDMarra has posted before that he doesn't mind using the public DNS records for your internal domain but instead of a local domain extension (i.e. Domain.local) he uses a subdomain (corp.domain.net) or something like that. Just don't use the root, as you have found out.

Brent Pabst
  • Thanks! This was one of those cases where I saw that simply trying it out and seeing what happened was a little too risky :) One thing is certain, I am going to figure out how to safely change the AD domain name to avoid issues like this in the future. – Tyson Navarre Aug 17 '12 at 14:00
  • Yea, it's a tricky process, depending on your environment. If you've got fewer than 20 PCs you can simply spin up a new DC and physically touch each machine; any more than that and you may want to look at automated tools and possibly consultant help, although MSFT does provide some good information regarding this subject. – Brent Pabst Aug 17 '12 at 14:22
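The failure mode Brent describes, as an added example that is not from either poster: a small Python model of standard DNS wildcard matching (RFC 4592) over a constructed example.net zone with hypothetical hosts and addresses. It shows that any internal name without its own record (say, a PC whose dynamic registration has not happened yet) is answered with the external web server's address, while the bare apex name is not touched by the wildcard at all.

```python
"""Model how a wildcard A record behaves inside an AD-integrated DNS zone.

Constructed sample zone for example.net (hypothetical hosts and addresses).
Explicit records always win; the "*" record answers only names that have no
record of their own and no existing closer ancestor (RFC 4592 semantics).
"""

ZONE = {
    "example.net": "10.0.0.10",         # apex: AD keeps this pointed at the DCs
    "dc01.example.net": "10.0.0.10",    # domain controller (constructed)
    "fs01.example.net": "10.0.0.20",    # file server (constructed)
    "www.example.net": "203.0.113.50",  # explicit record for the external web host
    "*.example.net": "203.0.113.50",    # the wildcard the question proposes
}


def name_exists(name: str, zone: dict) -> bool:
    """A name exists if it owns a record or is an ancestor of one (empty non-terminal)."""
    return name in zone or any(k.endswith("." + name) for k in zone)


def resolve_a(query: str, zone: dict = ZONE):
    """Return the A record a resolver would receive for `query`, or None for NXDOMAIN."""
    name = query.rstrip(".").lower()
    if name in zone:                      # exact match: the wildcard is never consulted
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):       # walk toward the apex
        ancestor = ".".join(labels[i:])
        if name_exists(ancestor, zone):   # closest encloser found
            return zone.get("*." + ancestor)  # only its direct wildcard child applies
    return None


def wildcard_swallowed(hostnames, zone: dict = ZONE):
    """Names that reach a wildcard address only because they lack their own record."""
    wildcard_values = {v for k, v in zone.items() if k.startswith("*.")}
    return [h for h in hostnames
            if h not in zone and resolve_a(h, zone) in wildcard_values]


if __name__ == "__main__":
    for q in ("www.example.net", "dc01.example.net", "newpc.example.net",
              "example.net", "share.fs01.example.net"):
        print(f"{q:26} -> {resolve_a(q)}")
    # A freshly joined PC that has not yet registered its own A record:
    print("sent to the web host:", wildcard_swallowed(["newpc.example.net", "dc01.example.net"]))
```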