Can root of Active Directory DNS be forwarded, like forwarding www requests?


Client uses the same Active Directory domain and external corporate web presence, i.e. for both.

Had to create an internal DNS record (Server 2012) to forward their requests to an external web host to display their web page.  This all works correctly, however client now wants to be able to simply browse to as opposed to and have their web site resolve correctly.  

Can this change be made using internal DNS?  Is there any chance it will adversely affect Active Directory?


The AD domain's DNS name must resolve (only!) to a DC, full stop.
So this can only be done by adding the IIS feature to all of your Domain Controllers, and then creating a redirect to
This, obviously, will enlarge the DC's attack surface, since there's now a service running on it that actually doesn't need to be running there, and that can be accessed by basically everybody in the AD network.
It's up to the client to decide whether saving the exhausting effort of typing four characters every now and then is worth reducing his domain controllers' security. Maybe you should introduce them to the concept of Favorites/Bookmarks?
HTTP Redirects <httpRedirect>
Simply put, no.

For clients connected to the domain, should only resolve to the domain controllers.  Anything else and you're asking for trouble.
In theory, you could set up IIS on all domain controllers and have them set to do URL rewrites or redirects to the site, but your DCs should only be DCs (don't install additional components) so I won't ever recommend that as a solution.

Your only options as I see them:
 - rename the domain or migrate to a new one, then you won't have a conflict
 - tell the client to suck it up and live with the "www" (in my opinion, www is preferable to the bare domain anyway)


Thanks for the quick answers.

Shaun Vermaak, Technical Specialist

I will never install IIS on a DC. You can use netsh to do the forwarding without the need for IIS:
netsh interface portproxy add v4tov4 listenport=80 connectport=80 protocol=tcp
netsh interface portproxy add v4tov4 listenport=443 connectport=443 protocol=tcp



Interesting suggestion, Shaun.  Thanks.


FYI, I implemented Shaun's solution with another client and it worked perfectly.

Not sure how persistent the netsh commands are, but for the time being the second client's issue is resolved and they are able to browse internally without including www in the URL.
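On the persistence question raised above about Shaun's netsh approach: portproxy entries are written to the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and are re-applied by the IP Helper service (iphlpsvc) after a reboot, so they do survive restarts. That also means a DC carrying such a listener should be checked regularly for entries nobody put there on purpose. The PowerShell below is an added example, not code from this thread; the DC names and WinRM access to them are assumptions, and the expected ports are the two from the thread.

```powershell
# Added example (not from the thread): confirm the netsh portproxy rules persisted
# on each DC and flag any rule that is not one of the two expected ones.
# Assumes WinRM is enabled on the DCs and the caller is a local admin there.
$DCs           = @('DC1', 'DC2')   # placeholder names, replace with your DCs
$ExpectedPorts = @(80, 443)        # the two rules the thread adds

# Persisted location of v4tov4 TCP portproxy rules; iphlpsvc re-applies them at boot.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'

$Report = Invoke-Command -ComputerName $DCs -ScriptBlock {
    param($Key, $ExpectedPorts)
    $ipHelper = Get-Service -Name iphlpsvc
    $rules = @()
    if (Test-Path $Key) {
        $item = Get-ItemProperty -Path $Key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            # Value name is "listenaddress/listenport" ('*' = any address),
            # value data is "connectaddress/connectport".
            $listen  = $p.Name.Split('/')
            $connect = $p.Value.Split('/')
            $lPort = [int]$listen[1]
            $cPort = [int]$connect[1]
            $rules += [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                ListenAddress = $listen[0]
                ListenPort    = $lPort
                ConnectAddr   = $connect[0]
                ConnectPort   = $cPort
                # Only 80->80 and 443->443 were intended; anything else needs a look.
                Expected      = ($ExpectedPorts -contains $lPort) -and ($lPort -eq $cPort)
                IpHelper      = $ipHelper.Status
            }
        }
    }
    $rules
} -ArgumentList $Key, $ExpectedPorts

$Report | Format-Table -AutoSize
$Report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning ("Unexpected portproxy rule on {0}: {1}:{2} -> {3}:{4}" -f `
        $_.Computer, $_.ListenAddress, $_.ListenPort, $_.ConnectAddr, $_.ConnectPort)
}
```

An empty report for a DC means no rules are persisted there, so the forwarding will not survive a reboot on that host; a rule with IpHelper not Running is persisted but inactive.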
