Can root of Active Directory DNS be forwarded, like forwarding www requests?

NEMC

Client uses the same name for the Active Directory domain and the external corporate web presence, i.e. abc.com for both.

Had to create an internal DNS record (Server 2012) to forward their www.abc.com requests to an external web host to display their web page.  This all works correctly, however client now wants to be able to simply browse to abc.com as opposed to www.abc.com and have their web site resolve correctly.  

Can this change be made using internal DNS?  Is there any chance it will adversely affect Active Directory?

Thanks,

Nathan
Most Valuable Expert 2018
Distinguished Expert 2018
Commented:
The AD domain's DNS name must resolve (only!) to a DC, full stop.
So this can only be done by adding the IIS feature to all of your Domain Controllers, and then creating a redirect to www.abc.com.
This, obviously, will enlarge the DC's attack surface, since there's now a service running on it that actually doesn't need to be running there, and that can be accessed by basically everybody in the AD network.
It's up to the client to decide whether saving the exhausting effort of typing four characters every now and then is worth reducing his domain controllers' security. Maybe you should introduce them to the concept of Favorites/Bookmarks?
HTTP Redirects <httpRedirect>
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httpredirect/
Top Expert 2014
Commented:
Simply put, no.

For clients connected to the domain, abc.com should only resolve to the domain controllers.  Anything else and you're asking for trouble.
In theory, you could set up IIS on all domain controllers and have them set to do URL rewrites or redirects to the www.abc.com site, but your DCs should only be DCs (don't install additional components) so I won't ever recommend that as a solution.

Your only options as I see them:
 - rename the domain or migrate to a new one, then you won't have a conflict
 - tell the client to suck it up and live with the "www" (in my opinion, www is preferable to the bare domain anyway)

Author

Commented:
Thanks for the quick answers.

Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
I will never install IIS on a DC. You can use netsh to do the forwarding without the need for IIS
netsh interface portproxy add v4tov4 listenport=80 connectaddress=www.contoso.com connectport=80 protocol=tcp
netsh interface portproxy add v4tov4 listenport=443 connectaddress=www.contoso.com connectport=443 protocol=tcp


http://blogs.catapultsystems.com/chsimmons/archive/2015/04/08/domain-controller-http-redirect/

Author

Commented:
Interesting suggestion, Shaun.  Thanks.

Author

Commented:
FYI, I implemented Shaun's solution with another client and it worked perfectly.

Not sure how persistent the netsh commands are, but for the time being the second client's issue is resolved and they are able to browse internally without including www in the URL.
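An added example, not code from the thread or from Shaun's post: a PowerShell script that applies the netsh portproxy approach from Shaun's comment on a domain controller with the checks a practitioner would want first, and then answers the persistence question in the comment above by showing where the rules are stored. It keeps the placeholder web host www.contoso.com from Shaun's commands, assumes an elevated session on each DC that the bare domain name resolves to, and assumes the ActiveDirectory module is available (it is on a DC).

```powershell
# Added example (not from the original thread). Assumes an elevated PowerShell
# session on a domain controller and the ActiveDirectory module.
$WebHost = 'www.contoso.com'   # placeholder from Shaun's post; use the real external host
$Ports   = 80, 443

# 1. The apex name must resolve only to domain controllers (the point both
#    experts make). Refuse to continue if any other address has crept in.
$domain = (Get-ADDomain).DNSRoot
$dcIps  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address
$apex   = Resolve-DnsName -Name $domain -Type A |
          Where-Object { $_.Type -eq 'A' } |
          Select-Object -ExpandProperty IPAddress
$stray  = $apex | Where-Object { $_ -notin $dcIps }
if ($stray) { throw "$domain resolves to non-DC address(es): $($stray -join ', ')" }

# 2. portproxy cannot share a port. If something already listens on 80/443
#    (IIS, AD CS web enrollment, a management agent), stop and investigate.
foreach ($p in $Ports) {
    $listener = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $owner = (Get-Process -Id $listener[0].OwningProcess).ProcessName
        throw "Port $p already has a listener ($owner); not adding a portproxy rule."
    }
}

# 3. portproxy is implemented by the IP Helper service; make sure it survives reboots.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# 4. Add the rules. Deleting first makes the script idempotent on re-runs.
foreach ($p in $Ports) {
    netsh interface portproxy delete v4tov4 listenport=$p | Out-Null
    netsh interface portproxy add v4tov4 listenport=$p connectaddress=$WebHost connectport=$p protocol=tcp
}

# 5. The host firewall on a DC normally has no rule for 80/443; open only those ports.
New-NetFirewallRule -DisplayName 'Apex web redirect to www' -Direction Inbound `
    -Protocol TCP -LocalPort $Ports -Action Allow | Out-Null

# 6. Verify. The active table comes from netsh; the persisted copy, which iphlpsvc
#    reloads at boot, lives in the registry as values named "*/80" = "www.contoso.com/80".
netsh interface portproxy show v4tov4
$reg = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
Get-ItemProperty -Path $reg | Select-Object -Property * -ExcludeProperty PS*

# 7. Functional check from the DC itself; repeat from a domain-joined client.
Test-NetConnection -ComputerName $domain -Port 80 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Two caveats that the script cannot remove. The port 443 rule only relays TCP bytes, so a browser opening https://abc.com is shown the certificate of www.abc.com and will warn about the name mismatch unless that certificate also lists abc.com; the HTTP rule on port 80 is what makes the bare name usable in practice. And every proxied request is an outbound connection from the DC to the external web host, so the DC's egress firewall rules must permit it and the web host's logs will show the DC's address rather than the user's.
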
