    Internal domain name same as external domain - DNS issues!!

    IT Discussion
    Tags: dns, windows, lan, active directory, domain name
    58 Posts 8 Posters 19.9k Views
    • JaredBuschJ
      JaredBusch @Jason
      last edited by

      @Jason said:

      @JaredBusch said:

      @scottalanmiller said:

      @JaredBusch said:

      The only thing you could do is redo AD. Microsoft documentation uses ad.domain.com in their examples for this reason.

      He had asked me about this offline and it appears, from our brief conversation, that the only impacts he is seeing is that he needs to manually put in external addresses into DNS (like www.mysite.com) so that it will resolve and the default domain points to the DC, not the website. As long as users are okay with that one URL not being usable and he's okay with the small amount of manual DNS entries, it looks like that is his only impact and he is fine not changing the domain at this point.

      Unfortunate and not best practice, but it appears that the issues are minimal and his best option is to just remain with it as it is at this point. Not worth modifying the domain now.

      Correct. Really, it is just that users will have to be trained to enter WWW in front of domain.com to get to the website. All links to the website will have to explicitly use www or it will fail.

      You can also set up IIS on DCs to redirect domain.com to www.domain.com if you need to.
      I'm glad we don't use the same one internally and externally.

      True, but that is just another role to deal with on the DC that does not need to be there.

      J 1 Reply Last reply Reply Quote 0
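      The split-DNS impact discussed above (the apex name resolving to the DC, and every public hostname needing a manual copy in the internal zone) as an added example, not code from the thread or from any poster; the domain name, addresses and both record sets are constructed placeholders:

```python
"""Audit an AD-integrated zone that reuses the public domain name.

Added example, not from the thread. Both record sets are constructed sample
data: PUBLIC_A stands in for what external resolvers return, INTERNAL_A for
what the DC's AD-integrated zone holds. Names and IPs are placeholders.
"""
from typing import Dict, List

DOMAIN = "example.com"  # placeholder for the name shared by AD and the website

# Constructed: public zone as seen from the internet.
PUBLIC_A = {
    "example.com": "203.0.113.10",          # web host answers at the apex
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "autodiscover.example.com": "203.0.113.30",
}

# Constructed: the DC's zone. AD registers the apex ("same as parent") record
# for every DC automatically; www and mail were added by hand at some point.
INTERNAL_A = {
    "example.com": "10.0.0.5",              # DC1, registered by netlogon
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.24",     # old address, never updated
}


def audit(public: Dict[str, str], internal: Dict[str, str],
          domain: str) -> Dict[str, List[str]]:
    """Group each public hostname by what an internal client will experience.

    The DC is authoritative for the whole zone, so a name absent from the
    internal zone is NXDOMAIN inside the office, not a fall-through to the
    public answer.
    """
    report: Dict[str, List[str]] = {
        "apex_hijacked": [], "missing_internally": [], "stale": [], "ok": []}
    for name, pub_ip in sorted(public.items()):
        int_ip = internal.get(name)
        if name == domain:
            report["apex_hijacked"].append(name)   # unavoidable: apex -> DCs
        elif int_ip is None:
            report["missing_internally"].append(name)
        elif int_ip != pub_ip:
            report["stale"].append(name)           # manual copy has drifted
        else:
            report["ok"].append(name)
    return report
```

      Every name in "missing_internally" or "stale" is one the admin has to add or correct by hand on the DC, and "apex_hijacked" is why only www.domain.com can ever reach the website from inside.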
      • DashrenderD
        Dashrender @JaredBusch
        last edited by

        @JaredBusch said:

        @brianlittlejohn said:

        With only 15 users, personally, I would spend a weekend and reset up my AD environment just to avoid issues in the future.

        I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

        Just remove all the machines from the domain. Nuke your DC and start over.

        HUH - I think I would bail on having a local DC at all. Since you have O365, I'd upgrade everyone to Windows 10 (if you can) and then use Azure AD.

        What problems were you trying to solve by bringing in AD in the first place?

        scottalanmillerS 1 Reply Last reply Reply Quote 1
        • scottalanmillerS
          scottalanmiller @Dashrender
          last edited by

          @Dashrender said:

          @JaredBusch said:

          @brianlittlejohn said:

          With only 15 users, personally, I would spend a weekend and reset up my AD environment just to avoid issues in the future.

          I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

          Just remove all the machines from the domain. Nuke your DC and start over.

          HUH - I think I would bail on having a local DC at all. Since you have O365, I'd upgrade everyone to Windows 10 (if you can) and then use Azure AD.

          What problems were you trying to solve by bringing in AD in the first place?

          If you cannot upgrade to Windows 10 or cannot do so yet, you can still put AD on Azure, it just isn't Azure AD. Using AD on Azure is an awesome stop-gap way to get AD today and be ready to quickly phase out down the road.

          DashrenderD 1 Reply Last reply Reply Quote 0
          • J
            Jason Banned @JaredBusch
            last edited by

            @JaredBusch said:

            @Jason said:

            @JaredBusch said:

            @scottalanmiller said:

            @JaredBusch said:

            The only thing you could do is redo AD. Microsoft documentation uses ad.domain.com in their examples for this reason.

            He had asked me about this offline and it appears, from our brief conversation, that the only impacts he is seeing is that he needs to manually put in external addresses into DNS (like www.mysite.com) so that it will resolve and the default domain points to the DC, not the website. As long as users are okay with that one URL not being usable and he's okay with the small amount of manual DNS entries, it looks like that is his only impact and he is fine not changing the domain at this point.

            Unfortunate and not best practice, but it appears that the issues are minimal and his best option is to just remain with it as it is at this point. Not worth modifying the domain now.

            Correct. Really, it is just that users will have to be trained to enter WWW in front of domain.com to get to the website. All links to the website will have to explicitly use www or it will fail.

            You can also set up IIS on DCs to redirect domain.com to www.domain.com if you need to.
            I'm glad we don't use the same one internally and externally.

            True, but that is just another role to deal with on the DC that does not need to be there.

            Yeah, I wouldn't want to deal with it, but I don't like doing split DNS either. Just using ad.domain.com solves a lot of the issues.

            1 Reply Last reply Reply Quote 1
            • DashrenderD
              Dashrender @scottalanmiller
              last edited by

              @scottalanmiller said:

              @Dashrender said:

              @JaredBusch said:

              @brianlittlejohn said:

              With only 15 users, personally, I would spend a weekend and reset up my AD environment just to avoid issues in the future.

              I would agree with @brianlittlejohn here. You had no AD at all prior to a few days ago.

              Just remove all the machines from the domain. Nuke your DC and start over.

              HUH - I think I would bail on having a local DC at all. Since you have O365, I'd upgrade everyone to Windows 10 (if you can) and then use Azure AD.

              What problems were you trying to solve by bringing in AD in the first place?

              If you cannot upgrade to Windows 10 or cannot do so yet, you can still put AD on Azure, it just isn't Azure AD. Using AD on Azure is an awesome stop-gap way to get AD today and be ready to quickly phase out down the road.

              That's true, didn't think of that, but there's expense if you spin up a VM, plus I have no idea how to get a secure connection back to your office.

              scottalanmillerS 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @Dashrender
                last edited by

                @Dashrender said:

                That's true, didn't think of that, but there's expense if you spin up a VM, plus I have no idea how to get a secure connection back to your office.

                Yes, not free, but you can spin it down whenever.

                Any normal VPN option works. IPSec, OpenVPN, Pertino, ZeroTier...

                1 Reply Last reply Reply Quote 0
                • PSX_DefectorP
                  PSX_Defector @scottalanmiller
                  last edited by

                  @scottalanmiller said:

                  @Our-Tech-Team said:

                  I've never used or worked with Samba so don't know anything about it. The AD I thought was great for them as they want to have more 'control' over users, add more security to the network and manage permissions on folders much better. I'm familiar with AD so thought it would suit them well.

                  Samba is just as much AD as Microsoft's DC is. Both are AD, just one is done from an open source project and one from Microsoft. It's not that Samba is not AD as well.

                  Samba is NOT AD. AD is a complete architecture including LDAP, DNS, and various other items. Samba functions in the old "Domain Controller" method, a single list of usernames and passwords in which to authenticate against. In AD, there is no DC, there are Global Catalogs. Domain controller emulation, a part of the FSMO roles, is not necessary to run and is only there for backwards compatibility. In an AD environment, Samba can function as a PDC emulator, but it cannot hold other GC roles, so it becomes kind of useless.

                  To the end user, they are functionally the same. To the admin, they are very different.

                  scottalanmillerS 1 Reply Last reply Reply Quote 1
                  • scottalanmillerS
                    scottalanmiller @PSX_Defector
                    last edited by

                    @PSX_Defector said:

                    Samba is NOT AD. AD is a complete architecture including LDAP, DNS, and various other items. Samba functions in the old "Domain Controller" method, a single list of usernames and passwords in which to authenticate against. In AD, there is no DC, there are Global Catalogs. Domain controller emulation, a part of the FSMO roles, is not necessary to run and is only there for backwards compatibility. In an AD environment, Samba can function as a PDC emulator, but it cannot hold other GC roles, so it becomes kind of useless.

                    To the end user, they are functionally the same. To the admin, they are very different.

                    Are you thinking of Samba from long ago before AD was implemented? Samba used to be that way, but Windows used to be that way too. Samba is full AD and has been for quite a long time now. LDAP, Kerberos, DNS, all there. (DNS is handled externally, of course, just like on Windows.)

                    PSX_DefectorP 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller
                      last edited by

                      Here is information on how to get the FSMO roles moved between Samba servers.

                      https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles

                      I assure you, Samba is full AD.

                      1 Reply Last reply Reply Quote 0
                      • PSX_DefectorP
                        PSX_Defector @scottalanmiller
                        last edited by

                        @scottalanmiller said:

                        @PSX_Defector said:

                        Samba is NOT AD. AD is a complete architecture including LDAP, DNS, and various other items. Samba functions in the old "Domain Controller" method, a single list of usernames and passwords in which to authenticate against. In AD, there is no DC, there are Global Catalogs. Domain controller emulation, a part of the FSMO roles, is not necessary to run and is only there for backwards compatibility. In an AD environment, Samba can function as a PDC emulator, but it cannot hold other GC roles, so it becomes kind of useless.

                        To the end user, they are functionally the same. To the admin, they are very different.

                        Are you thinking of Samba from long ago before AD was implemented? Samba used to be that way, but Windows used to be that way too. Samba is full AD and has been for quite a long time now. LDAP, Kerberos, DNS, all there. (DNS is handled externally, of course, just like on Windows.)

                        Yes, I know what 4 introduced, but it's still not functionally AD. It can be put in as a member controller, but god help you if you try to move FSMO roles to it. At best, it can be considered pseudo-Active Directory. If you only have Samba controllers, hell it might work. Never tried it by itself with multiple controllers functioning like AD. Although I can't imagine it is that different from standard LDAP. I just know better than to mix the types together.

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @PSX_Defector
                          last edited by

                          @PSX_Defector said:

                          If you only have Samba controllers, hell it might work.

                          That's the normal way to use it. Mixing it in would just be weird. Lots of companies run on just it, it works great from what I hear. I've never heard of a shop that had issues after moving to it. It's full AD with all the bells and whistles. You can even manage it from Windows and GPOs work great too.

                          stacksofplatesS 1 Reply Last reply Reply Quote 2
                          • J
                            Jason Banned
                            last edited by

                            As far as I know FSMO roles (operations masters) are a Windows-only thing, and aren't even needed for LDAP, Group Policy/File replication, NTP sync, etc. It's something Microsoft put on top of it.

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @Jason
                              last edited by

                              @Jason said:

                              As far as I know FSMO roles (operations masters) are a Windows-only thing, and aren't even needed for LDAP, Group Policy/File replication, NTP sync, etc. It's something Microsoft put on top of it.

                              I believe that that is true. But Samba replicated them too.

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                @Jason said:

                                As far as I know FSMO roles (operations masters) are a Windows-only thing, and aren't even needed for LDAP, Group Policy/File replication, NTP sync, etc. It's something Microsoft put on top of it.

                                I believe that that is true. But Samba replicated them too.

                                If the goal was to manage Windows endpoints, I'm sure the FSMO roles were needed in the implementation for compatibility.

                                1 Reply Last reply Reply Quote 0
                                • stacksofplatesS
                                  stacksofplates @scottalanmiller
                                  last edited by

                                  @scottalanmiller said:

                                  @PSX_Defector said:

                                  If you only have Samba controllers, hell it might work.

                                  That's the normal way to use it. Mixing it in would just be weird. Lots of companies run on just it, it works great from what I hear. I've never heard of a shop that had issues after moving to it. It's full AD with all the bells and whistles. You can even manage it from Windows and GPOs work great too.

                                  I saw somewhere online someone set up an environment that way and used RSAT from a Windows 7 computer to do GPO and users/computers.

                                  1 Reply Last reply Reply Quote 1