19

I am using my domain example.org in my firm. I can use www.example.org to view my website. If I try http://example.org from outside my firm there is no problem, but if I try it from inside, my Windows DNS servers deliver the IPs of domain controllers.

How can I solve this? Can I prevent my DCs from registering as example.org in my DNS, and will this be a problem for my environment?

MDMarra
  • 101,323
Max
  • 421

6 Answers

33

If you've named your Active Directory example.org then you cannot prevent this. You've gone against Microsoft's best practices for naming an AD and you're seeing one of the symptoms.

You have a few choices:

  1. Migrate to a properly named AD. Something like corp.example.org.

  2. Install a web server on each DC and configure it to forward web requests for example.org to www.example.org. This is dirty and shouldn't be done, but it's an option nonetheless.

  3. Train your users to go to www.example.org internally.

I've blogged about AD naming best practices multiple times and link to official Microsoft sources. You should read them:

If you want the short version:

Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet DNS URL is http://contoso.com, you must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely for web traffic. For example: corp.contoso.com.

- http://technet.microsoft.com/en-us/library/jj574166.aspx

womble
  • 98,245
MDMarra
  • 101,323
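A way to confirm the symptom MDMarra describes, as an added PowerShell example that is not part of the original answer: it compares the zone-apex A records (the "(same as parent folder)" entries the DCs register through Netlogon) with the domain controllers' addresses. It assumes the DnsServer and ActiveDirectory RSAT modules on an admin host and uses the page's example.org as a placeholder zone name.

```powershell
# Added example (not from the original post). Assumes RSAT modules DnsServer and
# ActiveDirectory; 'example.org' is the page's placeholder, substitute your AD domain.
Import-Module DnsServer, ActiveDirectory

$Zone = 'example.org'

# A records at the zone apex ('@'). These are what an internal client receives when
# it resolves the bare name http://example.org. Timestamp is set for dynamically
# registered records and empty for static ones, so it shows whether Netlogon wrote them.
$ApexRecords = Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A
$ApexIps = $ApexRecords | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }

# IPv4 address of every domain controller in the domain.
$DcIps = Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address

# Apex addresses that belong to a DC: the cause of the behaviour in the question.
$Registered = $ApexIps | Where-Object { $DcIps -contains $_ }

if ($Registered) {
    Write-Output "Apex A records of $Zone point at domain controllers: $($Registered -join ', ')"
    Write-Output "Internal http://$Zone reaches a DC, not the public web server."
    $ApexRecords | Select-Object HostName, Timestamp,
        @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address.IPAddressToString } }
} else {
    Write-Output "No apex A record of $Zone resolves to a domain controller."
}

# What a client inside the firm actually gets from its configured resolver.
Resolve-DnsName -Name $Zone -Type A | Select-Object Name, IPAddress
```

Deleting the apex records in the DNS console is not a fix: Netlogon re-registers them on the next cycle, which is why the answer points at renaming the forest or living with a redirect.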
6

If you are running Exchange on the DC, do not set up a PortProxy - it may go without saying but it will break Exchange services hosted on port 80.

I realize this post is quite old, but you can still do this without installing IIS on the DCs. On every DC, run the following command to portproxy port 80 to the external web server.

netsh interface portproxy add v4tov4 listenport=80 listenaddress={Static IPv4 address of DC} connectport=80 connectaddress={IP address of public web server}
aseq
  • 4,740
0

You can create a new host record (A or AAAA) in the DNS settings and set the IP of the website on it. For example, in the internal network, go to the website via the address www2.example.org instead of www.example.org.

0

So, I don't know if this evaded anyone else, but the best fix for this issue may just be getting a secondary domain with a different suffix, especially if you cannot PortProxy because of Exchange being on the DC (or because of host header issues with your web host).

e.g.: If the internal AD domain is EXAMPLE.com, then you should simply purchase EXAMPLE.NET for internal use.

This is the cheapest and simplest workaround for internal web access.

That worked for us.

Doom
  • 33
0

If you want to use the URL as a domain, use machine names such as dc1.example.com and dc2.example.com for each server.

Make sure the CNAME is set up for each server properly, pointing at the proper server IP address.

I have been able to do this by making a CNAME first, then setting up the servers, and waiting a day for the DNS records to propagate.

-2

You may solve your problem in two ways, but both involve placing an HTTP server on your DCs:

You can do the redirection with a URL redirect (HTTP 301 code), which IIS 7 can do for you, or you can install a reverse proxy (Apache for Windows) and use the following configuration:

ProxyPass / http://www.example.com/
ProxyPassReverse / http://www.example.com/
ProxyPreserveHost On