Many enterprises face a common infrastructure challenge where their Active Directory (AD) domain name (e.g., example.com) matches their public website domain. This creates DNS resolution conflicts internally:
# Typical symptom:
# External users: example.com → Web server (correct)
# Internal users: example.com → Domain Controller (problematic)
Active Directory automatically registers its domain name in internal DNS zones. When internal clients query example.com, they receive AD domain controller IPs instead of the web server's IP.
Option 1: DNS Alias (CNAME) Redirection
Create a DNS alias in your internal DNS server:
; Internal DNS Zone File
www IN CNAME webserver.example.com.
@ IN A 192.0.2.10 ; Web server IP
Option 2: Split-Brain DNS
Maintain separate internal and external DNS zones:
# External DNS (public):
example.com. IN A 203.0.113.5
# Internal DNS (AD-integrated):
example.com. IN A 192.0.2.10 ; Web server IP
dc01 IN A 192.0.2.1 ; Domain Controller
Option 3: Hosts File Override
For temporary testing (not recommended for production):
# Windows hosts file entry
192.0.2.10 example.com www.example.com
- Exchange Server autodiscover may require additional SRV records
- Certificate validation issues if internal/external certs differ
- Group Policy updates might require DNS suffix adjustments
For an enterprise AD environment, we recommend this PowerShell script to verify DNS resolution:
# Test DNS resolution internally
$domains = @("example.com","www.example.com")
foreach ($domain in $domains) {
try {
$result = Resolve-DnsName $domain -ErrorAction Stop
Write-Host "$domain resolves to $($result.IPAddress)"
}
catch {
Write-Warning "Resolution failed for $domain"
}
}
For large deployments, configure via Group Policy:
# GPO setting path:
Computer Configuration → Policies → Administrative Templates → Network → DNS Client
Many organizations face a common infrastructure challenge where their Active Directory domain name (e.g., example.com) conflicts with their public website domain. Internally, requests to http://example.com resolve to domain controllers instead of the web server, while external users correctly reach the website.
The root cause lies in DNS resolution priorities. Active Directory automatically registers its domain controllers in the internal DNS zone for example.com, creating A records that point to DC IPs. Meanwhile, your public DNS has A/CNAME records pointing to web servers.
Here are three effective approaches to resolve this:
1. DNS Conditional Forwarding
Configure your internal DNS servers to forward web requests to external resolvers:
# PowerShell to configure DNS conditional forwarding
Add-DnsServerConditionalForwarderZone
-Name "example.com"
-MasterServers 8.8.8.8,8.8.4.4
-ForwarderOnly $true
2. Internal DNS Record Override
Create an explicit A record in your internal DNS that points to your web server:
# Windows DNS Server CLI
dnscmd /recordadd example.com @ A 192.168.1.100
3. IIS HTTP Redirection
Configure domain controllers running IIS to redirect to www:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to WWW" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^example.com$" />
</conditions>
<action type="Redirect" url="http://www.example.com/{R:0}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
- Kerberos authentication might be affected if SPNs reference the bare domain
- Certificate validation issues may occur if internal/external certs differ
- Some legacy applications might hardcode the domain name
For new deployments, always use a subdomain for Active Directory (e.g., ad.example.com). For existing environments, the DNS conditional forwarding approach typically causes the least disruption.