Web Services "A" Record at Root of Active Directory DNS Zone

  • Question

  • I have a Windows Server 2008 Active Directory domain (i.e., domain.com), and I need to create an A record at the root of this domain that will point to a webserver. I know that domain controllers for this domain will require an A record that points to their respective IP addresses, however, I didn't know if there was a creative way around this issue. I already have an A record for "www.domain.com", however, we also need to enable users to go to the webserver if they forget the "www".

    Thanks!

    Darren

    Tuesday, January 3, 2012 8:28 PM

Answers

  • Thanks everyone for your feedback. I had actually thought about configuring IIS on the DCs, but we have over a dozen, and this would just be a real pain to manage, not to mention the security implications.

    I've encountered this issue before, and have always responded that they just need to remember to type the "www", but thought I would throw it out there to get a second opinion.

    Thanks everyone!

    • Marked as answer by Yan Li_ Monday, January 9, 2012 6:15 AM
    Sunday, January 8, 2012 6:42 PM
  • You're welcome!

    You can also remind them of the Ctrl+Enter shortcut to fill in the www and .com portion, too.

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Yan Li_ Monday, January 9, 2012 6:15 AM
    Sunday, January 8, 2012 8:46 PM

All replies

  • You can't create an A record to point to a web server internally; this will break your AD. You can use split-brain DNS externally, though.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, January 3, 2012 8:53 PM
  • As you said before, you cannot create an A record for domain.com. This points to your domain controllers.
    Regards, Liran.
    Tuesday, January 3, 2012 9:14 PM
  • "You can't create an A record to point to a web server internally, this will break your AD."

    I thought that clients and DCs were using SRV records to look for various domain services in DNS, not A host records.

    In my opinion, having the @ A host record will not break the AD. We had such a case - an admin added such a record to DNS by mistake - and no one even noticed it until after several weeks.

    Having such a record may slow down searching for DCs, but not significantly.

    However, this configuration is not recommended.


    • Edited by I.A Tuesday, January 3, 2012 11:18 PM
    Tuesday, January 3, 2012 11:17 PM
  • A records pointing to domain.com are used by non-SRV aware clients to locate a domain controller in a domain.

    A less intrusive approach would be to set www.domain.com as the home page for internal clients - and use split brain DNS for external ones. More at http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/6914cc00-aff8-4849-8deb-e3a38d23c075

    hth
    Marcin


    Tuesday, January 3, 2012 11:27 PM
  • I have a Windows Server 2008 Active Directory domain (i.e., domain.com), and I need to create an A record at the root of this domain that will point to a webserver. I know that domain controllers for this domain will require an A record that points to their respective IP addresses, however, I didn't know if there was a creative way around this issue. I already have an A record for "www.domain.com", however, we also need to enable users to go to the webserver if they forget the "www".

    Thanks!

    Darren


    In addition, if you absolutely, positively, MUST give your users the ability to access the website at the same DNS name as your AD DNS domain name, i.e. http://domain.com (without the www), then one creative way is:

    • Install IIS on each DC.
    • Create a 'www' record under domain.com, give it the IP of the webserver.
    • In IIS properties for the default website, (on each DC), create a redirect to www.domain.com

    This way, you are not altering the LdapIpAddress, which each and every DC will register under domain.com. Note - the LdapIpAddress is used by DFS, client side CSEs, other DCs, and more, for AD functionality including GPOs, DFS, replication, etc. Do not alter them!!

    I usually don't like to suggest putting IIS on a DC, due to security issues, but it's one of the caveats of having the same name DNS domain name as your AD name, and if the boss and/or the users demand (IMO it's a political requirement) to access the website without the www in it, then there you have it.

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Edited by Ace Fekay [MCT] Wednesday, January 4, 2012 1:33 AM
    • Proposed as answer by Yan Li_ Wednesday, January 4, 2012 5:19 AM
    Wednesday, January 4, 2012 1:32 AM
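The three steps above (leave the apex A records alone, add the 'www' record, redirect the Default Web Site on every DC) as one script. This is an added example, not code posted in the thread. It assumes the DnsServer, ActiveDirectory and WebAdministration PowerShell modules (Windows Server 2012 or later, or RSAT on a management host); on the Server 2008 box in the question the same steps are done with dnscmd and appcmd. The zone name, web server address and DNS server name are placeholders to replace. Step 1 is the check a practitioner wants before touching anything: every A record at the zone apex (the LdapIpAddress records the DCs register for themselves) must belong to a DC, and the script warns about any that do not.

```powershell
# Added example: audit the apex, ensure 'www', and redirect http://domain.com -> http://www.domain.com on every DC.
# Placeholders: $ZoneName, $WebServerIP (RFC 5737 documentation range), $DnsServer.
param(
    [string]$ZoneName    = 'domain.com',
    [string]$WebServerIP = '192.0.2.10',
    [string]$DnsServer   = 'dc1.domain.com'
)

Import-Module DnsServer, ActiveDirectory, WebAdministration -ErrorAction Stop

# 1. Audit: every A record at the zone apex (@) must be a DC address.
#    Netlogon registers these (the LdapIpAddress records); anything else
#    at the apex, e.g. the web server, is a misconfiguration. Never "fix" the apex
#    by adding the web server; fix it by removing the stray record.
$dcIps = @((Get-ADDomainController -Filter *).IPv4Address)
$apex  = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A -Name '@'
$rogue = $apex | Where-Object { $_.RecordData.IPv4Address.IPAddressToString -notin $dcIps }
if ($rogue) {
    Write-Warning ("Non-DC A records at the apex of {0}:" -f $ZoneName)
    $rogue | ForEach-Object { Write-Warning ("  {0}" -f $_.RecordData.IPv4Address.IPAddressToString) }
}

# 2. Ensure the 'www' host record points at the web server (create it if missing).
$www = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A -Name 'www' -ErrorAction SilentlyContinue
if (-not $www) {
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName -Name 'www' -IPv4Address $WebServerIP
}

# 3. On each DC (IIS must already be installed there), make the Default Web Site
#    answer requests for http://domain.com with a 301 to http://www.domain.com.
#    exactDestination=$false keeps the request path, so /foo -> http://www.domain.com/foo.
$dcHosts = @((Get-ADDomainController -Filter *).HostName)
Invoke-Command -ComputerName $dcHosts -ScriptBlock {
    param($destination)
    Import-Module WebAdministration
    Set-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site' -Filter 'system.webServer/httpRedirect' -Value @{
        enabled            = $true
        destination        = $destination
        exactDestination   = $false
        httpResponseStatus = 'Permanent'
    }
} -ArgumentList ("http://www.{0}" -f $ZoneName)
```

The script does nothing to shrink the attack surface that IIS adds to a domain controller, which is the objection raised in the thread; if you go this route, keep the site bound to port 80 only, serve nothing but the redirect, and patch the DCs on the same schedule as any other web-facing host.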
  • You can use split brain DNS to meet the requirement.

    Ace has also given a good option, but I would also not recommend configuring IIS on a DC for security reasons.

    In general, it's better to avoid this configuration if you can. It is better to train users to type www or add a favorite/bookmark to their web browsers by group policy. This is the most minor of inconveniences.

    It's three identical letters WWW. Not hard to remember, not hard to type. I think most people assume www is an absolute requirement for navigating to web sites anyway.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.
     

    Wednesday, January 4, 2012 6:49 AM
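The split-brain DNS approach recommended above and earlier in the thread has three invariants worth checking from the client side: inside the network the apex of domain.com resolves only to domain controllers, outside it the apex and www both resolve to the web server, and no DC address is visible from the Internet. The following is an added example, not code from the thread, that queries an internal DNS server and a public resolver and reports any violation. It assumes the DnsClient (Resolve-DnsName) and ActiveDirectory modules, Windows 8 / Server 2012 or later; the zone name, internal server, public resolver and web server address are placeholders to replace.

```powershell
# Added example: verify a split-brain DNS setup for an AD-named zone.
# Placeholders: $ZoneName, $InternalDns, $PublicDns, $WebServerIP (RFC 5737 range).
param(
    [string]$ZoneName    = 'domain.com',
    [string]$InternalDns = '10.0.0.1',
    [string]$PublicDns   = '9.9.9.9',
    [string]$WebServerIP = '203.0.113.10'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Query one named server directly; -DnsOnly bypasses the hosts file and the local cache.
function Get-ARecords {
    param([string]$Name, [string]$Server)
    @(Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' } |
        ForEach-Object { $_.IPAddress })
}

$dcIps   = @((Get-ADDomainController -Filter *).IPv4Address)
$inside  = Get-ARecords -Name $ZoneName       -Server $InternalDns
$outside = Get-ARecords -Name $ZoneName       -Server $PublicDns
$wwwOut  = Get-ARecords -Name "www.$ZoneName" -Server $PublicDns

$problems = @()

# Internal view: the apex must only ever be the DCs' own registrations.
foreach ($ip in $inside) {
    if ($ip -notin $dcIps) { $problems += "internal apex answers $ip, which is not a domain controller" }
}

# External view: apex and www should both be the web server.
foreach ($ip in $outside) {
    if ($ip -ne $WebServerIP) { $problems += "public apex answers $ip, expected $WebServerIP" }
}
foreach ($ip in $wwwOut) {
    if ($ip -ne $WebServerIP) { $problems += "public www answers $ip, expected $WebServerIP" }
}

# No internal DC address may leak into the public zone.
foreach ($ip in ($outside + $wwwOut)) {
    if ($ip -in $dcIps) { $problems += "domain controller address $ip is exposed in the public zone" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output ("Split-brain DNS for {0} is consistent." -f $ZoneName)
```

Run it from an internal host that can reach both resolvers; a non-zero exit with warnings is the signal that someone has, for example, added the web server at the internal apex or copied the internal zone to the public server.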
  • Genius!
    Monday, December 24, 2012 2:13 PM