4

My company has a website with the domain name of acme.com. It also used acme.com as the AD domain name. External DNS is set up properly. Internal DNS has to resolve to the DC, for obvious reasons.

As we know, visitors to acme.com from outside our network get the website and visitors to acme.com from within our network hit the domain controller, for obvious reasons.

I am familiar with the usual answers found here and here that state it goes against best practice to use the same name for DNS and AD domains and to either 1) migrate my AD domain to another name or 2) use http redirection via IIS on each of the DCs in my forest.

Based on what I have read on Wikipedia and Reddit, it seems possible to solve this problem with a SRV record.

So, I created the following SRV record but it does not seem to work:

_http._tcp.acme.com. 86400 IN SRV 0 100 80 www.acme.com.

Is it even possible to "redirect" internal http requests from acme.com to www.acme.com using only a SRV record?

Nimrod
  • 1. I don't know of any browser that can make use of SRV records. 2. What is the problem you're trying to solve? Is it simply getting internal users to the website when they type `http://acme.com`? If so, then create an A record for `www` in your internal DNS for the external ip address of the web site and instruct your users to use `http://www.acme.com` when going to the web site. 3. Alternately you could rename the domain to something more appropriate, like ad.acme.com. – joeqwerty May 01 '14 at 20:52
  • www.acme.com is already set up and works fine. It's just when internal clients use acme.com instead. I had a feeling the web browser would have to specifically request the SRV record, but was hoping that wasn't the case and that the DNS server would "see" the SRV record and return the A record for www.acme.com instead. – Nimrod May 01 '14 at 21:12
  • 2
    DNS doesn't work that way either. Your DNS server doesn't know what protocol you intend to use to talk to the host that you're making the DNS request for (unless your software requests SRV records, which web browsers don't.) – mfinni May 01 '14 at 21:15

2 Answers

4

No. Web browsers don't use SRV records, so this won't work.

https://stackoverflow.com/questions/9063378/why-do-browsers-not-use-srv-records

And that's why it's not listed as an answer to the problem.

mfinni
0

You've already linked to @MDMARRA's answer on SF which is what I was going to point you to, however he has a very helpful blog post on his personal blog that also explains in great detail AD domain names and choosing the right naming scheme here.

That being said, if all you're looking to do is get your internal workstations/clients to be able to get to your website when they type in domain.com (in your case I'm sure acme is just an example) in their web browsers you can also use your DNS. On your DNS server create an A record in the ACME.COM Forward Lookup Zone and give it the name WWW and point it to the public IP of your website. It will create a record in that zone with www.acme.com that points to your public IP and will help your internal users resolve to the website when they type www.acme.com or just acme.com.

EDIT

Also, don't forget to add another A record in the same zone as above but give it no name and point it to your website's public IP as well. This will cover both www and non www queries.

I know I was late to the game with this answer but I wanted to make it known that there was another, albeit not always what I recommend, answer that fulfilled your request.

Esa Jokinen
Brad Bouchard
  • 1
    That will work for www.example.com, but not example.com – Grant May 01 '14 at 22:17
  • I forgot to add the 2nd part; he needs to make another A record in the same zone with no name and pointing to the public IP once again then it will work. Super easy. – Brad Bouchard May 02 '14 at 04:39
  • 2
    doing that will break DFS, group policies, and probably other things...rather dangerous advice. See http://serverfault.com/questions/31686/active-directory-is-it-required-that-the-a-record-for-a-domain-point-to-a-dom – Grant May 02 '14 at 11:14
  • @BradBouchard - don't do that second part. As Grant says, that will break your AD domain, very very badly. Terrible advice. – mfinni May 02 '14 at 14:23
  • actually it isn't... I have done this for hundreds of our small business clients and never once had an issue... and also, in the referenced link from Grant, it says not to make a new zone, I didn't tell him to make a new zone but rather use the one that exists... – Brad Bouchard May 02 '14 at 14:48
  • Thanks for your suggestion in paragraph 2 but www.acme.com is already set up and works fine. – Nimrod May 02 '14 at 22:22
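As an added example that is not part of the original thread or any of its authors' work, the following Python script models the two points made above: mfinni's answer (a browser sends a plain A query for the URL host, and a DNS server answers only the exact (name, type) pair it was asked for, so a `_http._tcp` SRV record is never consulted), and the warning in the comments on the second answer (a "blank" apex A record joins the same RRset the domain controllers register for acme.com, so clients that resolve acme.com to find a DC can be handed the web server instead). The zone contents, the addresses, and the `browser_lookup`, `srv_lookup` and `apex_rrset_after_blank_record` helpers are all constructed for illustration; the wire-format encoding follows RFC 1035.

```python
"""
Added example (not code from the original thread or any of its authors).
Builds the DNS question a browser sends for http://acme.com and the one a
SRV-aware client sends, answers both from a constructed copy of the internal
acme.com zone, and shows what a 'blank' apex A record does to that zone.
All addresses and zone data below are made-up sample values.
"""
import struct

QTYPE = {"A": 1, "SRV": 33}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}

# Constructed zone. Domain controllers register the apex A records themselves
# (via Netlogon); www is the manual record the answers above recommend adding.
DC_IPS = ["10.0.0.10", "10.0.0.11"]
ZONE = {
    ("acme.com.", "A"): list(DC_IPS),
    ("www.acme.com.", "A"): ["203.0.113.80"],
    ("_http._tcp.acme.com.", "SRV"): [(0, 100, 80, "www.acme.com.")],
}

def encode_name(name):
    """Dotted name -> DNS wire labels (length byte + label, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, offset):
    """Wire labels (compression pointers allowed) -> (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name, qtype, txid=0x1234):
    """Standard query: 12-byte header (RD set) + one question. Nothing in it says 'http'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def parse_question(msg):
    """(qname, qtype) from a query; this pair is all an authoritative server decides on."""
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, QTYPE_NAME.get(qtype, qtype)

def answer(query_bytes, zone=ZONE):
    """Return the RRset for exactly the (name, type) asked; no other record is consulted."""
    return zone.get(parse_question(query_bytes), [])

def browser_lookup(host, zone=ZONE):
    """What a browser does with http://acme.com: an address query for the host, nothing more."""
    return answer(build_query(host, "A"), zone)

def srv_lookup(service, proto, domain, zone=ZONE):
    """What an SRV-aware client (LDAP, Kerberos, XMPP) does: an explicit _service._proto query."""
    return answer(build_query("_%s._%s.%s" % (service, proto, domain), "SRV"), zone)

def apex_rrset_after_blank_record(web_ip, zone=ZONE):
    """Model the 'blank' A record from the second answer: it joins the RRset the DCs
    register, so any client resolving acme.com (SYSVOL, DFS) may be handed web_ip."""
    patched = {k: list(v) for k, v in zone.items()}
    patched[("acme.com.", "A")].append(web_ip)
    return browser_lookup("acme.com", patched)

def non_dc_addresses(rrset):
    """Addresses in an acme.com RRset that are not domain controllers (should be empty)."""
    return [ip for ip in rrset if ip not in DC_IPS]

if __name__ == "__main__":
    print("browser asks   :", parse_question(build_query("acme.com", "A")))
    print("browser gets   :", browser_lookup("acme.com"))
    print("SRV client asks:", parse_question(build_query("_http._tcp.acme.com", "SRV")))
    print("SRV client gets:", srv_lookup("http", "tcp", "acme.com"))
    mixed = apex_rrset_after_blank_record("203.0.113.80")
    print("apex after blank A record:", mixed, "non-DC:", non_dc_addresses(mixed))
```

The first half is the reason the SRV record is inert for this problem: the only thing the browser puts on the wire is `acme.com` plus type A, and the server's lookup key is that pair, so the `_http._tcp.acme.com` record exists but is never reached. The second half is the check to run before accepting the "blank record" advice: once the web server's address is appended to the apex RRset, `non_dc_addresses` is non-empty, which is the condition under which a SYSVOL or DFS client resolving `acme.com` can be handed a host that is not a domain controller.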