Pages

Sunday, October 2, 2011

Single ( Same ) Domain for Active Directory and Company Website

Almost every organization (except one) that I have worked at or done consulting complained about this issue. They want to use the same domain for Active Directory as for company's website but doing so does not allow internal users (behind the firewall) to get to the website using the top level domain format (i.e. google.com) which is hosted externally or in DMZ. This happens because AD member computers must have DNS servers set to those that  reslove AD domain to domain controllers for purposes of authentication, LDAP queries, etc. Since DC doesn't have a listener for port 80, it doesn't repsond to HTTP requests.

As a workaround these organizations' IT department has to educate their users to use www or another A (HOST) record when going to company's website when sitting in the office behind the firewall.  However, they don't have to do this when they are outside. While it works for majority, some users get annoyed as they are used to typing top level domain format becuase it's quick and so on and so forth.

There are two solutions to this problem:

1. Well known DSN Rewrite - Unless you have Cisco firewall on your edge or another device that support this feature you are pretty much out of luck.

2. Installing Web Server on Domain Controller - Using this option will require installing a web server on your domain controllers and perform a permanant redirect  to a fully qualified domain (i.e. google.com to www.google.com) This option is not a recommended one but works just fine.
It's not recommended because Micorsoft does not recommend installing mulitple roles on your domain controllers as a best practice for load, security, etc. However, since you will only be doing a redirect which doesn't cause server to consume many resources but you need to keep an eye on the servers to watch out for any unusual spikes after the permanent redirect. You also have be to be careful as to allow anyone from outside to connect to web servers on your DC as this may result into a security breach. Only internal users should be allowed.