2

I'm a web developer at a large-ish organization and our web site is hosted by our IT department. Our website will not load without the "www" subdomain in front of it and IT says that it's because Active Directory must use the primary domain and so the web server must use a subdomain. They say it's not possible to fix it. I'm highly skeptical of this claim because this hasn't been a problem anywhere else I've worked or heard of but I'm not familiar enough with the technologies in question to argue the point.

So my question is, does this sound reasonable? Is it not possible to use AD on the same domain as a web server? Thanks!

dev_willis
    Whoever set up your AD initially made a poor decision by using the root domain. They should have stuck to best practices and used something like ad.example.com instead of example.com – EEAA Mar 31 '16 at 20:01
  • I wondered about that. They said it HAD to use the root domain and could not use a subdomain. But it sounds like that's not true? – dev_willis Mar 31 '16 at 20:03
  • That's correct - it's most certainly not true. – EEAA Mar 31 '16 at 20:04
  • What's your dog in this race? – joeqwerty Mar 31 '16 at 20:05
  • @joeqwerty The website is my responsibility and we have issues with people not typing "www" and then not being able to reach the website. Our president even has business cards without the "www" that he hands out, so it's a bit embarrassing. – dev_willis Mar 31 '16 at 20:06
  • @Dave The problem (which I explained in detail in my answer) only impacts internal users; external users don't see your internal DNS, they see your public DNS, and you can place anything you want in it without any impact on your Active Directory. – Massimo Mar 31 '16 at 20:20
  • 2
    I feel like this question is asked and answered about once a week. – MDMarra Apr 01 '16 at 00:51
  • @Massimo That's what IT says as well but I didn't believe them because I have experienced the problem on outside networks as well. I guess they were right after all. What I experience must be a different problem with a similar symptom. Sorry to have asked a duplicate. I searched but I guess I didn't use the right terms. – dev_willis Apr 03 '16 at 16:27

2 Answers

3

In every Active Directory environment, the domain name is mapped in the DNS to all active domain controllers; there is an A record for each DC, mapping the domain name to the DC's IP address.

Let's say you have two DCs and your domain name is domain.com; your DNS will then contain something like this:

domain.com            192.168.0.1
domain.com            192.168.0.2
dc1.domain.com        192.168.0.1
dc2.domain.com        192.168.0.2

Now, if you add a web server, you'll need to add another A record:

www.domain.com        192.168.0.10

Unless your machine is actually called www, that will probably be handled better by an A record for the server's real name and a CNAME record for the web site name:

webserver.domain.com  192.168.0.10
www.domain.com        webserver.domain.com.

Ok, all fine and good; but now you would like users to type domain.com in their web browsers and access the web server. However, this can't possibly work: the domain name already points to all DCs, and it has to do so in order for Active Directory to work correctly. If someone tries to access domain.com in a web browser, the browser will try to connect to a random domain controller, which (hopefully!) doesn't even have a web server running; and even if it has IIS installed, it would not be your real web server.

If you really, really, really need to be able to use your AD domain name to reach your website, there is a horribly ugly workaround for this situation; I strongly advise against using it, but here it is: you could install IIS on all domain controllers and configure it to redirect incoming requests to www.domain.com; when a user types domain.com in a web browser, the request will reach a random DC; IIS running on that DC will then redirect the user to www.domain.com. Again: please avoid this solution if possible, because having IIS running on domain controllers is a really bad practice, even if it's used only to redirect requests elsewhere.

Massimo
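To make the resolution behaviour in the answer above (and the split-horizon point from the comments) concrete, here is a small added example that is not part of the original answer: it models an internal AD zone and a separate public zone as plain dictionaries, follows CNAME chains the way a resolver does, and includes a check that flags when the zone apex resolves only to domain-controller addresses. All zone data, host names and IP addresses are constructed for illustration.

```python
"""Simulate how an Active Directory domain's DNS zone resolves the zone apex
versus a 'www' host, and contrast the internal zone with a public (split-horizon)
zone. Constructed example; all zone data below is made up for illustration."""
import random

# Constructed internal zone: the apex maps to every domain controller, as AD requires.
INTERNAL_ZONE = {
    "domain.com.": [("A", "192.168.0.1"), ("A", "192.168.0.2")],
    "dc1.domain.com.": [("A", "192.168.0.1")],
    "dc2.domain.com.": [("A", "192.168.0.2")],
    "webserver.domain.com.": [("A", "192.168.0.10")],
    "www.domain.com.": [("CNAME", "webserver.domain.com.")],
}

# Constructed public zone: no DCs live here, so the apex can point straight at the web server
# (a documentation-range address is used as a placeholder public IP).
PUBLIC_ZONE = {
    "domain.com.": [("A", "203.0.113.10")],
    "www.domain.com.": [("A", "203.0.113.10")],
}


def resolve(zone, name, max_depth=8):
    """Return all A addresses for name, following CNAME chains like a resolver does.
    Returns an empty list for names the zone does not know."""
    name = name if name.endswith(".") else name + "."
    for _ in range(max_depth):
        rrset = zone.get(name)
        if not rrset:
            return []
        cnames = [target for rtype, target in rrset if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # chase the alias and look again
            continue
        return [target for rtype, target in rrset if rtype == "A"]
    raise ValueError("CNAME loop or chain too long for %s" % name)


def pick_address(zone, name, rng=random):
    """A client uses one address from the answer set. With several DCs at the apex,
    which DC a browser hits for the bare domain is effectively random."""
    addrs = resolve(zone, name)
    return rng.choice(addrs) if addrs else None


def apex_is_domain_controllers(zone, apex, dc_names):
    """Check whether the apex resolves to exactly the DC addresses. If it does, a web
    site expected at the bare domain would land on a domain controller instead."""
    apex_addrs = set(resolve(zone, apex))
    dc_addrs = {addr for dc in dc_names for addr in resolve(zone, dc)}
    return bool(apex_addrs) and apex_addrs == dc_addrs


if __name__ == "__main__":
    dcs = ["dc1.domain.com", "dc2.domain.com"]
    print("internal www  ->", resolve(INTERNAL_ZONE, "www.domain.com"))
    print("internal apex ->", resolve(INTERNAL_ZONE, "domain.com"))
    print("browser would hit:", pick_address(INTERNAL_ZONE, "domain.com"))
    print("public apex   ->", resolve(PUBLIC_ZONE, "domain.com"))
    print("internal apex is the DCs:", apex_is_domain_controllers(INTERNAL_ZONE, "domain.com", dcs))
    print("public apex is the DCs:  ", apex_is_domain_controllers(PUBLIC_ZONE, "domain.com", dcs))
```

Running it shows the two views side by side: internally, www.domain.com follows the CNAME to the web server while the bare domain.com returns only DC addresses (so `apex_is_domain_controllers` reports True), whereas the public zone answers the apex with the web server's address and the check reports False. The same check, pointed at real zone data, is a quick way to confirm whether a "site does not load without www" complaint is the internal-DNS problem the answer describes or something else.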
-3

Wouldn't the real problem be that your AD domain is the same as your website domain?! Whoever made that decision is off their rocker.