Thursday, November 27, 2014

Web Site Hosting Issue - Windows AD Domain Externally Resolvable

Up until recently we hosted our company web site on an internal Win 2008 IIS server. To ensure that it stayed online in case something happened to the office, we moved the site to some cheap shared hosting with a popular provider. For the most part things are fine, but I have run into one problem...

Unfortunately, when the Windows domain was set up, the admin (not me, I swear to God) used an externally resolvable host name (e.g. 'example.net' rather than the best practice 'example.local'). This was never a problem, as we always hosted our web site on an internal IIS server. Users inside the AD domain are now complaining that they cannot reach the web site from inside the network. I get why this is the case, but I am cautious about what sort of DNS changes to make, since I am well aware how DNS-dependent an Active Directory domain can be. As a temporary measure I put in a 'www' A record pointing to the IP of the external web server so they can at least reach the site for now.

My question is this: can I set up a wildcard DNS entry on our internal AD DNS server for 'example.net' redirecting to our external web server? I am afraid that putting in a wildcard entry for a server that sits outside the AD domain might cause serious problems.

Has anyone ever tried this?

Answer

Cliff,

Yeah, I know what you mean; been there and done that. The safest thing you can do is what you have already done by adding a www record.

You really can't add a wildcard record because any request for Domain.net will then redirect externally. This is especially true if you rely on DNS for all computer name based lookups and have disabled NetBIOS on the network.

Short term, what you have done seems about right. Long term, you may want to investigate changing your domain name. I'm not sure how many clients you have internally, but this is at times no easy task; in the long run, though, it will save you so much time and effort.

I think MDMarra has posted before that he doesn't mind using the public DNS records for your internal domain, but instead of a local domain extension (i.e. Domain.local) he uses a subdomain (corp.domain.net) or something like that. Just don't use the root, as you have found out.
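To make the answer's point concrete, here is an added example (not code from the original thread) that models an AD-integrated zone for example.net and compares answers with and without a '*' A record. The zone contents, host names and IP addresses are constructed, and wildcard matching follows RFC 4592, where a wildcard is synthesized only for names that do not exist in the zone.

```python
"""Model of how a wildcard A record changes answers in an AD-integrated zone.
Added example, not code from the original post. Zone contents, names and IPs
are constructed; wildcard matching follows the RFC 4592 rule that a wildcard
is only synthesized for a name that does not exist in the zone."""

EXTERNAL_WEB = "203.0.113.10"  # constructed: external shared-hosting web server
DC1 = "10.0.0.5"               # constructed: internal domain controller

# Constructed zone for example.net: owner name -> {rrtype: [rdata, ...]}.
ZONE = {
    "example.net.": {"A": [DC1], "NS": ["dc1.example.net."]},  # AD registers DC IPs at the apex
    "dc1.example.net.": {"A": [DC1]},
    "www.example.net.": {"A": [EXTERNAL_WEB]},                  # the temporary fix from the post
    "_ldap._tcp.dc._msdcs.example.net.": {"SRV": ["0 100 389 dc1.example.net."]},
}
WILDCARD = {"*.example.net.": {"A": [EXTERNAL_WEB]}}           # the record being considered

def _exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal above an owner."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)

def lookup(zone, name, rtype):
    """Authoritative answer for name/rtype as (rcode, rdata list); a wildcard is
    synthesized only if the query name is missing and '*' exists directly
    under its closest existing ancestor (RFC 4592)."""
    if _exists(zone, name):
        return "NOERROR", zone.get(name, {}).get(rtype, [])  # empty list = NODATA
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):  # closest encloser found
            wildcard = zone.get("*." + ancestor)
            return ("NOERROR", wildcard.get(rtype, [])) if wildcard else ("NXDOMAIN", [])
    return "NXDOMAIN", []

def compare(name, rtype="A"):
    """Answer for name from the zone without and with the wildcard record."""
    return lookup(ZONE, name, rtype), lookup({**ZONE, **WILDCARD}, name, rtype)

if __name__ == "__main__":
    # Constructed queries: the web site, the zone apex, a DC locator SRV record,
    # an unregistered host name and an existing name with no AAAA record.
    for q in [("www.example.net.", "A"), ("example.net.", "A"),
              ("_ldap._tcp.dc._msdcs.example.net.", "SRV"),
              ("fileserver2.example.net.", "A"), ("dc1.example.net.", "AAAA")]:
        print(q, "->", compare(*q))
```

Registered names (the apex, www, the DC locator SRV record) answer the same either way; the difference is that any unregistered or mistyped host name, which should return NXDOMAIN, instead resolves to the external web server, which is exactly the "any request ... will then redirect externally" problem for DNS-only computer name lookups.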