Workaround for “Windows AD domain is the same as my company’s primary DNS domain name”

I have seen many companies over the years who have their internal domain set as the same domain that their corporation uses publicly. For example, if my company is Example, Inc, my primary web and e-mail presence might be example.com. When my Windows NT 3.5 domain was set up in 1997, we called it EXAMPLE, as it seemed logical. When Windows 2000 came out and we upgraded to Active Directory, it became logical to create example.com as the AD DNS Name. The recommendation is to NOT do that, but for many it was done before the recommendations were widely published (or they didn't think to look), and they simply have to live with it.

Years ago, most non-technical users (in my estimation) believed there was something magical about the “www” portion of a web address. For example, “www.example.com” was any given company’s web site. However, more and more people are dropping the “www” and just going to “example.com”. It’s the responsibility of the IT people (DNS and web administrators) to make sure the DNS A record for @ (domain root) points to the web server address, and the web admin must make sure the site answers for www.example.com and example.com and presents the same content to both (or redirects one to the other).

This is where the setup described in the first paragraph causes trouble. For one thing, it requires split DNS: there is a public “version” of all the example.com records and a private version. Within an Active Directory infrastructure, the private version of example.com (with no host name specified) should resolve to the IP addresses of all the domain controllers. For example, if I have three domain controllers, nslookup example.com should return 10.1.1.5, 10.1.2.5, and 10.1.3.5, assuming those are the addresses of my DCs. Most likely, the domain controllers are also not hosting the public web site (and they sure shouldn’t be!). This means that if I’m inside the network, pointing to internal DNS servers, and I type example.com into my web browser, I won’t get anywhere.
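The split-DNS expectation just described can be checked rather than assumed. The following PowerShell is an added example, not code from the original post: it compares what the internal resolvers return for the domain root with the DC addresses AD itself reports, and contrasts that with the answer from a resolver outside the network. It assumes the RSAT ActiveDirectory module and the built-in DnsClient module are available; the $PublicResolver address is an assumption (use any resolver that cannot see your private zone).

```powershell
# Added example (not from the original post). Verifies that, inside the network,
# the AD DNS name (example.com in the post) resolves to exactly the domain
# controllers, and that the public zone answers with something else.
function Test-SplitDnsRoot {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,   # the AD DNS name; equals the public domain in this scenario
        [string]$PublicResolver = '9.9.9.9'     # assumption: any resolver outside your LAN
    )
    # Internal view: ask the resolvers this machine is configured with (DNS only, no LLMNR/NetBIOS)
    $internal = @(Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop |
        Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress | Sort-Object -Unique)
    # Public view: ask a resolver that cannot see the private zone
    $public = @(Resolve-DnsName -Name $Domain -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress | Sort-Object -Unique)
    # Authoritative list of DC addresses, straight from AD
    $dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address | Sort-Object -Unique)

    # '=>' marks an address the internal zone returns that is not a DC; '<=' a DC missing from the zone
    $diff = Compare-Object -ReferenceObject $dcs -DifferenceObject $internal
    [pscustomobject]@{
        Domain                = $Domain
        DCAddresses           = $dcs -join ', '
        InternalAnswer        = $internal -join ', '
        PublicAnswer          = $public -join ', '
        Mismatches            = ($diff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }) -join ', '
        InternalRootIsDCsOnly = (-not $diff)
        # A DC address visible from outside means private records leaked into the public zone
        DCExposedInPublicDns  = [bool]($public | Where-Object { $dcs -contains $_ })
    }
}

Test-SplitDnsRoot | Format-List
```

Run it from a domain-joined workstation. InternalRootIsDCsOnly should be true, PublicAnswer should be the web server's address, and DCExposedInPublicDns should be false; anything else points at a zone that has drifted from the split-DNS design.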

The simplest solution I found in that case is to redirect the request to www.example.com, which can point to the public address of the public web server (what people expect to hit when they type example.com internally). To do this, we could install IIS on every domain controller and set up an HTTP 301 or 302 redirection to www.example.com. But installing IIS on every domain controller adds overhead to the box, along with lots of new DLLs and other components that introduce security problems (anyone remember Code Red?).

Another solution is to use ncat and NSSM (the Non-Sucking Service Manager). ncat can sit in memory with the help of NSSM and simply redirect http queries to the box to www.example.com. All that is needed is two exe files and one batch file to be copied to each server. Here’s how it could be done.

redir.cmd
@echo off
rem Build the canned response once; an HTTP header block must end with a blank line
>%temp%\redir.txt echo HTTP/1.1 302 Found
>>%temp%\redir.txt echo Location: http://www.example.com/
>>%temp%\redir.txt echo Connection: close
>>%temp%\redir.txt echo.
rem ncat exits after serving one client, so loop to answer the next one
:loop
c:\redir\ncat -l 80 < %temp%\redir.txt
goto loop


Put all three files (ncat.exe, nssm.exe, redir.cmd) in c:\redir. Then install the service using nssm with the following command (run as administrator):

nssm install "Web Redirector" c:\redir\redir.cmd

You could even deploy it to all your DCs remotely, either your own way or with something like this:

deploywebredir.cmd
@echo off

setlocal ENABLEDELAYEDEXPANSION
set DCLIST=\\

rem nltest lists one DC per line tagged [DS]; the first "."/space-delimited token is the short host name
for /f "delims=. " %%a in ('nltest /dclist:%USERDNSDOMAIN% ^|findstr /l /c:"[DS]"') do (
 md \\%%a\c$\redir 2>nul
 for %%b in (ncat.exe nssm.exe redir.cmd) do copy /y %%b \\%%a\c$\redir
 set DCLIST=!DCLIST!%%a,
)

rem drop the trailing comma, leaving \\DC1,DC2,DC3 for psexec
set DCLIST=%DCLIST:~0,-1%

rem nssm install only registers the service; start it in a second pass
psexec %DCLIST% -e c:\redir\nssm install "Web Redirector" c:\redir\redir.cmd
psexec %DCLIST% -e c:\redir\nssm start "Web Redirector"


If you’re not familiar with psexec or nltest, you should get up to speed! Just search for them in your favorite search engine.

If you want to make this more secure, define a user with no particular privileges (besides Log on as a Service) and set the service to run as that user. Even if someone finds an exploitable flaw in ncat.exe (a buffer overrun, say), they will only have basic user access.
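The least-privilege step above, plus a check that the workaround actually answers as intended, in PowerShell. This is an added example and not code from the original post: the first part uses nssm's set subcommand to put the service under a dedicated account and make it restart without throttling, the second opens a raw socket to each DC and confirms port 80 returns a 302 pointing at www and nothing else. It assumes nssm.exe is in c:\redir as the post describes; the account name .\svc-redir, the log path, and the Test-Redirector function name are assumptions.

```powershell
# Added example (not from the original post). Part 1: run the redirector as a
# low-privilege account and keep it alive; Part 2: verify every DC from a workstation.
$svc     = 'Web Redirector'
$nssm    = 'c:\redir\nssm.exe'
$account = '.\svc-redir'    # assumption: a local user in no group but Users, granted only "Log on as a service"
$cred    = Get-Credential -UserName $account -Message "Password for $account"

& $nssm set $svc ObjectName $account $cred.GetNetworkCredential().Password
& $nssm set $svc AppExit Default Restart          # bring the listener back if ncat ever dies
& $nssm set $svc AppThrottle 0                    # don't delay restarts of a short-lived process
& $nssm set $svc AppStdout 'c:\redir\redir.log'   # assumption: log path; ncat's output is useful evidence later
& $nssm set $svc AppStderr 'c:\redir\redir.log'
& $nssm restart $svc

function Test-Redirector {
    # Talks raw HTTP so no client library follows the redirect or hides the headers
    param([string]$Server, [string]$Expected = 'http://www.example.com/')
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 5000        # a listener that never closes must not hang the check
    $response = ''
    try {
        $client.Connect($Server, 80)
        $stream = $client.GetStream()
        $req = [Text.Encoding]::ASCII.GetBytes("GET / HTTP/1.1`r`nHost: $Server`r`n`r`n")
        $stream.Write($req, 0, $req.Length)
        $response = (New-Object IO.StreamReader($stream)).ReadToEnd()
    } catch { $response = '' } finally { $client.Close() }

    $status   = ($response -split "`r?`n")[0]
    $location = if ($response -match '(?m)^Location:\s*(\S+)') { $Matches[1] } else { '' }
    [pscustomobject]@{
        Server   = $Server
        Status   = $status
        Location = $location
        # Only a 301/302 to the expected URL counts; anything richer means something else owns port 80
        OK       = ($status -match '^HTTP/1\.[01] 30[12]') -and ($location -eq $Expected)
    }
}

Get-ADDomainController -Filter * | ForEach-Object { Test-Redirector -Server $_.HostName } | Format-Table -AutoSize
```

Run the first part once on each DC (or through psexec as the deploy script does) and the second part from any domain-joined machine; a DC whose OK column is false is either not running the service or has some other process answering on port 80, which is worth knowing on a domain controller either way.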
