How can I successfully migrate our internal domain to avoid DNS issues?

Asked By TechieCat123 On

I've recently taken over this network and am focusing on resolving some DNS problems that our internal users are experiencing when accessing our public site. Our public website is company.com, and our Active Directory (AD) domain is also company.com. This has led to some complications, particularly with HTTPS, where redirects don't always work. I've heard it suggested that it's better to set the internal domain as ad.company.com to avoid these issues. However, I understand that there's no straightforward way to rename a domain. My plan involves:

* Adding a new Domain Controller (DC) and setting it to ad.company.com.
* Setting up trusts between the old and new DCs.
* Migrating users, groups, and devices over to the new setup.
* Demoting the old DCs once the migration is complete.

Am I missing anything or oversimplifying this process?

6 Answers

Answered By ITProChris On

Yeah, your high-level steps look good. Just remember that migrating users and devices is where you’ll really have to buckle down and put the work in. Just be prepared for some hiccups along the way!

Answered By DNSGuru88 On

The issue you're facing is quite common due to what’s known as split-horizon DNS. If the public website is your only concern, a simple reminder to your users to include 'www' when accessing might suffice. Configuring correct A-records can often resolve this without needing a whole overhaul of your setup. However, if you do want to go ahead with changing the domain structure, just make sure you have a clear design plan. You're on the right track with your steps if you're sticking with a single-forest-single-domain setup, but consider the implications if you're thinking of a more complex structure.

NetworkNinja42 -

I would actually advise against your current setup. After years of working with this kind of configuration, I've learned that sticking to an internal domain really helps avoid complications, especially with logins for third-party tools and integration with Entra. A straightforward DNS change could’ve prevented many issues.

Answered By RenameExpert On

You really don't need to add new DCs. There’s a proper procedure for renaming your AD domain, but keep in mind it won’t work if you have Exchange servers on-premises, especially if it's a hybrid setup. I found a good guide on woshub.com that covers this, but they also caution against renaming if your structure is too complex, suggesting a migration instead.

CuriousUser98 -

Is this the guide you meant? [https://woshub.com/rename-active-directory-domain/](https://woshub.com/rename-active-directory-domain/) It mentions that renaming might not be the best for larger infrastructures.

Answered By ProxyPal77 On

Consider deploying a small Squid server to create a proxy.pac or wpad.dat. This way, you can funnel both company.com and www.company.com through a proxy that points to external DNS for resolution. It might simplify things too!

Answered By DoubtingTommy On

Why not just keep a separate internal and external domain? That might simplify things more for your setup.

TechieCat123 -

That's exactly what I'm trying to achieve!

Answered By DomainWhiz On

Instead of just creating an A record for your website, have you thought about using conditional forwarding in Windows DNS? It can direct all traffic for www.yourdomain.com to external DNS servers like Google or Cloudflare, ensuring that you always get the right IP, especially if your web server doesn’t have a static IP. Check out some YouTube tutorials on it for a clearer picture!

TechieCat123 -

Thanks for the tip! I'll definitely check that out.
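To make the split-horizon problem from DNSGuru88's answer concrete, here is an added PowerShell example (not code from anyone in this thread) that compares how the internal DNS server and an external resolver answer for company.com and www.company.com, then publishes the www A record in the internal zone. It assumes placeholder values for the internal DNS server name (dc01.company.com), the public web address (203.0.113.10, a documentation range) and the DnsServer module being present on the server where the fix part is run.

```powershell
# Added example, not from the original thread. Placeholders: replace the zone,
# internal DNS server and public web IP with values from your own environment.
$Zone        = 'company.com'
$InternalDns = 'dc01.company.com'   # assumed name of an internal DNS server / DC
$ExternalDns = '1.1.1.1'            # any public resolver for the outside view
$PublicWebIp = '203.0.113.10'       # assumed public IP of the web server

# Step 1 (run from any domain-joined client): show what inside and outside
# clients get for the apex and for www, so the mismatch is visible.
function Compare-SplitHorizon {
    param([string[]]$Names = @($Zone, "www.$Zone"))
    foreach ($n in $Names) {
        $int = Resolve-DnsName -Name $n -Type A -Server $InternalDns -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
        $ext = Resolve-DnsName -Name $n -Type A -Server $ExternalDns -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
        $intStr = ($int | Sort-Object) -join ','
        $extStr = ($ext | Sort-Object) -join ','
        [pscustomobject]@{
            Name     = $n
            Internal = $intStr
            External = $extStr
            Mismatch = ($intStr -ne $extStr)   # True = split-horizon symptom
        }
    }
}

Compare-SplitHorizon | Format-Table -AutoSize

# Step 2 (run on a DNS server with the DnsServer module): add the www host to
# the internal zone so inside clients reach the same server as outside clients.
# Skipped if the record already exists.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name 'www' -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $PublicWebIp -TimeToLive 01:00:00
}

# Caveat: the zone apex itself cannot simply be repointed at the web server.
# Every domain controller registers its own address as a same-as-parent A record
# at the apex of the AD zone, which is why internal requests for https://company.com
# land on a DC and why the "tell users to type www" advice exists.
```

Re-run Compare-SplitHorizon after the record has replicated; the www row should show Mismatch False while the apex row will still differ, which is expected for an AD-integrated zone.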
