Internal Active Directory Domain Matches Company Website Domain

I’ve had a situation recently (which is quite common particularly as Microsoft don’t support .local domains for things like SkypeForBusiness)

The issue arose when the company Active Directory domain matches the external website domain and the company isn’t using www. record for their site, so people can’t access the corporate website internally. e.g. http://joebloggs.com

My workaround is quite simple and I can’t see this solution elsewhere in this specific context so I thought I’d put it here.

 

In my example, my pretend company has a windows AD domain of joebloggs.com which all their users & computers are members of. Their website is http://joebloggs.com

  • For AD to work joebloggs.com must be pointing to the internal IPs of your Domain Controllers.
  • If you browse to joebloggs.com internally you’ll be greeted with either an error (if no IIS installed) or an IIS landing page.
  • You can’t change your internal joebloggs.com A record to match the public IP of your web host as AD will break completely.

The solution is to use a reverse proxy. I’d thought of setting up a Linux VM and using NGINX or Apache but I discovered IIS has reverse proxy functionality available through a couple of extensions. This is obviously much cleaner as it can run on the DCs themselves.

 

The rough steps are as follows:

1. Install IIS role on DC
2. Install URL Rewrite module from: http://www.iis.net/downloads/microsoft/url-rewrite
3. Install Application Request routing module from: https://www.iis.net/downloads/microsoft/application-request-routing
4. Create an IIS Site on your DC for joebloggs.com
5. Follow guide here: https://tecadmin.net/set-up-reverse-proxy-using-iis/# and use your website public IP for the inbound rules box on reverse proxy.
6. Fix gzip error with guide here: https://blogs.msdn.microsoft.com/friis/2016/08/25/iis-with-url-rewrite-as-a-reverse-proxy-part-2-dealing-with-500-52-status-codes/
7. Make sure following variables are allowed on Rewrite (Go to View Server Variables…): HTTP_ACCEPT_ENCODING, HTTP_HOST, HTTP_X_ORIGINAL_ACCEPT_ENCODING
8. To make sure the host header requested (joebloggs.com) passes through to the webhost from your reverse proxy, Run the following command: C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/proxy /preserveHostHeader:”True” /commit:apphost
9. Ensure Internal DNS A records for joebloggs.com are pointing to the DC IPs
10. Test site works

Happy Days.

Filed under: Uncategorised - @ 7 November 2017 21:58