0

Quick question: we have a Windows AD domain "company.com". Computers are joined to this Windows domain "company.com", and we also have a web server at "www.company.com". A request has come in that the higher-ups also want our website to respond to "company.com" (without the www). Since this is our AD domain name, is there some sort of trick where I can point only port 80 traffic on "company.com" to a web server, or would I have to run IIS/redirect on all the AD servers?

BillMorton
  • `Since this is our AD Domain name, is there some sort of trick where I can point only port 80 traffic on "company.com" to a web-server, or would I have to run IIS/redirect on all the AD servers?` No and No. While you could probably install IIS on your DCs and implement a redirect, that would be very bad practice and would not be something anyone would suggest to you in good conscience, so I'm strongly advising you not to go down that path. – joeqwerty Aug 16 '16 at 19:29
  • This gets asked and answered about once a week. Did you search previous questions for an answer? – MDMarra Aug 16 '16 at 20:14
  • Thanks MDMarra, I did search, but unfortunately did not come up with relevant results. Sorry for the duplication. – BillMorton Aug 19 '16 at 13:43

1 Answer

6

This is a common mistake that AD admins and architects make. It was a mistake to name your AD domain the same as your company's public domain. I'm not saying that you personally made the mistake, but whoever decided to name the Active Directory domain "company.com" made the mistake.

You should have named your AD domain something like "internal.company.com" or "corp.company.com" or something to that effect. But unless you feel good about undertaking an AD rename, then I guess that's water under the bridge now.

Others have installed IIS on their domain controllers for the sole purpose of redirecting requests on TCP port 80 to their company's external website.

I strongly discourage this because IIS is a large, full-featured web server that adds a lot of unnecessary attack surface to your DCs. (Nothing against IIS or its security, but adding any other roles to your DCs is technically adding potential attack surface.)

Maybe you might consider using something like this:

https://github.com/ryanries/TinyWebRedirector

Disclaimer: I wrote that, and it does not come with any guarantees or warranties.

Ryan Ries
  • Thank you for your response. I agree that it is an architectural problem, however, as you suspected we sometimes walk into environments with these issues created by those before us. I also agree that IIS on an AD server (especially a non RO) would be a bad idea for many reasons. I'll check out the redirector. Thank you for your helpful response. – BillMorton Aug 19 '16 at 13:46
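To make the answer's suggestion concrete, here is a minimal apex redirector written as an added example (it is not TinyWebRedirector's code and not from the original post). It does the one job such a service should do on a DC: answer GET/HEAD for the bare AD domain name with a 301 to the www site, preserve the path and query, and refuse anything else, so the DC's own hostname and absolute-URI requests never produce a redirect. The names `company.com` and `https://www.company.com` are assumed placeholders.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

APEX = "company.com"                 # the AD domain name (assumed)
TARGET = "https://www.company.com"   # where the real site lives (assumed)


def redirect_target(host_header, path):
    """Return the Location for a request, or None if it must be refused.

    Only requests whose Host is the bare apex (optionally with :port) are
    redirected; path and query string are carried over unchanged. The host
    of the target is fixed, so a crafted path cannot turn this into an open
    redirect, and absolute-URI request targets are refused outright."""
    host = (host_header or "").split(":")[0].strip().lower()
    if host != APEX:
        return None
    if not path.startswith("/"):
        return None
    return TARGET + path


class RedirectHandler(BaseHTTPRequestHandler):
    server_version = "ApexRedirector/0.1"
    sys_version = ""   # do not advertise the Python version

    def do_GET(self):
        self._handle()

    def do_HEAD(self):
        self._handle()

    def _handle(self):
        location = redirect_target(self.headers.get("Host"), self.path)
        if location is None:
            self.send_error(404)
            return
        self.send_response(301)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()


def serve(port, host="127.0.0.1"):
    """Start the redirector on host:port in a daemon thread; returns the server."""
    srv = HTTPServer((host, port), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

On a DC it would listen on port 80 on all interfaces (`serve(80, "0.0.0.0")`) and run as a service; nothing else on the box needs port 80. Every DC has to run it, because the apex A records of an AD-integrated zone point at every domain controller.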