Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How to have your active directory domain and your web site domain be the same?


  • Please log in to reply
2 replies to this topic

#1 chromebuster

chromebuster

  • Members
  • 899 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:04:00 AM

Posted 17 June 2014 - 12:37 AM

Hi all,

I'm noticing something verry interesting. As you probably know, my computer is set up on a domain, for the sheer hell of it, honestly, and I'm wondering if any admins around here, for I know I've seen this done; my college did it when I was there, puts the same domain they use for their web site as their active directory domain? For instance, if someone registered test.org, how to make the web site be http://test.org as well as the root AD domain also be test.org without causing conflicts with DNS resolution either on the web site side or on the domain side? For instance, if your iis or Apache server had an IP address of 123.229.56.25, and your domain controlers had IPs of 123.129.56.223 and 24 respectively, what type of DNS setup would you have to do to ensure that both web surfers and domain logon requesters get the resources they need? So, in the setup we have, the domain internally would be ad.test.org while the site is just test.org. How to make the internal and external domain be able to be the same? Thanks.


The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


BC AdBot (Login to Remove)

 


m

#2 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:08:00 AM

Posted 17 June 2014 - 01:20 AM

Firstly. let's clear up a little confusion.... A bulk of your post talks about DNS domain names, but in one place you bring IP addresses into it.

 

.."if your iis or Apache server had an IP address of 123.229.56.25, and your domain controlers had IPs of 123.129.56.223"..

 

You would normally continue to use private addresses (from the ranges 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12) for your network. Even if you are publishing resources from your private network to the outside world, you would still do this - for any resources like that, you would end up with different IP addresses on the inside and outside, so we would need to deal with that after the fact....

 

The trickery would be how you deal with DNS.  You would have two separate DNS infrastructures.

 

Firstly, A normal external DNS setup (primary and secondary DNS server hosted on ISP DNS servers and containing ONLY the DNS records that you wish to publish to the outside world (MX, www, owa, autodiscover etc) This is exactly as you would have if your internal and external dns names were different.

 

You would also have your internal DNS zone on your internal DNS servers. This is almost exactly as you would normally have it if your DNS names were separate.

 

The "almost" refers to a very few records that refer to externally published resources. Any public resources that need to be accessed from the internal domain need to be included in this copy of the zone (for example www ), and (depending on how you want things to work) you may point certain records to the internal or external IP address of the resource ( owa / autodiscover etc). DNS records that have a Windows or AD special meaning should ONLY point to internal IP addresses ( ie myexchangeserver.test.org = 192.168.1.10 but owa.test.org =123.45.67.8 )

 

The other important point is that internal servers/workstations etc  ONLY refer to the internal DNS servers for name resolution NOTHING else. No exceptions!!! (really!)

 

So how to Internal machines resolve outside names (for other domains)? Set up forwarders on all internal DNS servers. Use the ISP DNS resolvers (the DNS servers specified with your connection but not necessary holding your external domain).

 

So... Internal machine only talk to internal DNS server  - these know how your AD domain works  (and a little info about how to access things like your external web server). External access (anyone outside) just see public DNS information as normal...

 

This also works for having your internal AD domain as a subdomain of your external name.. The Internal zone is ad.test.org, and the external just test.org... The external version needs tow nothing of the internal version - no delegations, nothing....

 

All of the above is only really worth doing if you are setting something up from scratch.. Changing an existing internal domain would be very difficult (if possible in your case at all) don't even consider that!.

 

x64



#3 JohnnyJammer

JohnnyJammer

  • Members
  • 1,108 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:06:00 PM

Posted 19 June 2014 - 12:22 AM

Simply add a www. referance in dns.

People have to type in www. or they will go to the domain controller, the only other work around i can quickly think off is to create a redirect page in IIS/AD Server.

 

Also you could add a second ip to the AD server on its ethernet adaptor and create a seperate pointer in IIS


Edited by JohnnyJammer, 19 June 2014 - 12:23 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users