Can root of Active Directory DNS be forwarded, like forwarding www requests?

Client uses the same Active Directory domain and external corporate web presence, ie abc.com for both.

Had to create an internal DNS record (Server 2012) to forward their www.abc.com requests to an external web host to display their web page. This all works correctly; however, the client now wants to be able to simply browse to abc.com as opposed to www.abc.com and have their web site resolve correctly.

Can this change be made using internal DNS?  Is there any chance it will adversely affect Active Directory?

Thanks,

Nathan
NEMC asked:
oBdA commented:
The AD domain's DNS name must resolve (only!) to a DC, full stop.
So this can only be done by adding the IIS feature to all of your Domain Controllers, and then creating a redirect to www.abc.com.
This, obviously, will enlarge the DC's attack surface, since there's now a service running on it that actually doesn't need to be running there, and that can be accessed by basically everybody in the AD network.
It's up to the client to decide whether saving the exhausting effort of typing four characters every now and then is worth reducing his domain controllers' security. Maybe you should introduce them to the concept of Favorites/Bookmarks?
HTTP Redirects <httpRedirect>
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httpredirect/
footech commented:
Simply put, no.

For clients connected to the domain, abc.com should only resolve to the domain controllers.  Anything else and you're asking for trouble.
In theory, you could set up IIS on all domain controllers and have them set to do URL rewrites or redirects to the www.abc.com site, but your DCs should only be DCs (don't install additional components) so I won't ever recommend that as a solution.

Your only options as I see them:
 - rename the domain or migrate to a new one, then you won't have a conflict
 - tell the client to suck it up and live with the "www" (in my opinion, www is preferable to the bare domain anyway)
NEMC (author) commented:
Thanks for the quick answers.
Shaun Vermaak (Technical Specialist/Developer) commented:
I will never install IIS on a DC. You can use netsh to do the forwarding without the need for IIS
netsh interface portproxy add v4tov4 listenport=80 connectaddress=www.contoso.com connectport=80 protocol=tcp
netsh interface portproxy add v4tov4 listenport=443 connectaddress=www.contoso.com connectport=443 protocol=tcp

http://blogs.catapultsystems.com/chsimmons/archive/2015/04/08/domain-controller-http-redirect/
NEMC (author) commented:
Interesting suggestion, Shaun.  Thanks.
NEMC (author) commented:
FYI, I implemented Shaun's solution with another client and it worked perfectly.

Not sure how persistent the netsh commands are, but for the time being the second client's issue is resolved and they are able to browse internally without including www in the URL.
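The following PowerShell is an added worked example, not code from the thread or from the linked blog post. It ties together the rule footech and oBdA insist on (the apex name must resolve only to domain controllers) with the netsh portproxy forwarders Shaun posted, and it answers the persistence question raised in the last comment: portproxy rules are owned by the IP Helper service (iphlpsvc), stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and reloaded at boot, so they survive restarts and only stop working if that service is disabled. The domain name abc.com, the external host www.abc.com and the firewall rule name are assumptions for illustration. Run it elevated on every domain controller: the apex resolves to all of them, so a DC without the forwarder would still hand users a refused connection.

```powershell
# Added example, not from the thread: guard the AD apex, then forward TCP 80/443 to the
# external web host with netsh portproxy. Run elevated on EVERY domain controller.
# Assumed names for illustration only:
$Domain   = 'abc.com'       # the AD domain name, which is also the apex of the web site
$External = 'www.abc.com'   # the externally hosted web site the client actually wants

Import-Module ActiveDirectory   # present on a DC; RSAT elsewhere

# 1. Refuse to continue if anything other than a DC answers for the apex name.
$dcAddresses   = (Get-ADDomainController -Filter *).IPv4Address
$apexAddresses = (Resolve-DnsName -Name $Domain -Type A -DnsOnly).IPAddress
$strays = $apexAddresses | Where-Object { $_ -notin $dcAddresses }
if ($strays) {
    throw "$Domain resolves to non-DC addresses ($($strays -join ', ')); fix DNS before forwarding"
}

# 2. portproxy is implemented by the IP Helper service. The rules live in the registry and
#    are reloaded by that service at boot, so it must stay enabled and running.
Set-Service  -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# 3. Install the forwarders. Delete first so re-running the script is idempotent;
#    listenaddress=0.0.0.0 makes the listener explicit on every DC interface.
foreach ($port in 80, 443) {
    netsh interface portproxy delete v4tov4 listenport=$port listenaddress=0.0.0.0 | Out-Null
    netsh interface portproxy add v4tov4 listenport=$port listenaddress=0.0.0.0 `
        connectaddress=$External connectport=$port protocol=tcp
}

# 4. Let the traffic in through Windows Firewall (rule name is an assumption).
$ruleName = 'Apex web forward (portproxy 80/443)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 80,443 -Action Allow | Out-Null
}

# 5. Verify: the live table, the persisted copy in the registry, and a real TCP connection
#    to the apex name (Test-NetConnection is available from Server 2012 R2 onward).
netsh interface portproxy show v4tov4
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
Test-NetConnection -ComputerName $Domain -Port 80 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Two caveats the thread does not spell out. First, the forwarder makes every DC accept inbound TCP 80 and 443 from the whole network, which is the same attack-surface point oBdA raised against IIS; the difference is that the DC only relays bytes and serves no content of its own. Second, a browser that asks for https://abc.com is tunnelled to www.abc.com:443 and receives whatever certificate that host presents, so unless that certificate also lists the bare name as a subject alternative name the HTTPS forward will produce a name-mismatch warning while the HTTP forward works cleanly.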