Renaming a Domain

Kelvarr

Long story short, we had a contractor help us move from Novell eDirectory to Microsoft Active Directory Domain Services. When naming the domain came up, we named it (with the help of the contractor) mycompany.com. Our public website is ALSO named mycompany.com. As we have found out, this is generally not a good thing (we didn't know it was against best practices). Normally, everything functions OK, but when we try to go to our web page and intranet (both externally hosted), it takes forever as the machines are trying to resolve to our domain controllers first.

Now, we are discussing how to handle this. Luckily, our domain is pretty simple. A single domain, with 3 domain controllers. No level changes or anything, simply renaming from one name to another. I don't think new trust certificates will have to be issued, but I very well could be wrong. I have been reading How to Rename a Domain, and it seems fairly straight-forward. However, I wanted to know if anyone has personally been through it and what kind of hell will we unleash should we proceed? Again, this is just one option.
 
Why not just make a custom DNS entry for your web server on your local DNS/DHCP server? And leave your intranet alone?
 
Why not just make a custom DNS entry for your web server on your local DNS/DHCP server? And leave your intranet alone?

How should I do that? Our website (externally hosted) is: www2.mycompany.com. Our Intranet (also externally hosted) is: www2.mycompany.com/intranet

I already have a forward lookup zone for mycompany.com. And I also have an A record for www2. All computers have a DNS suffix of mycompany.com.
I also have a reverse lookup zone for the last two octets of our externally hosted sites (X.X.in-addr.arpa) with a pointer record with the value of www2.mycompany.com

Admittedly, I am not as versed in DNS as I want to be, but what else should I be looking at adding?
 
You have a split-brain DNS, big noob move, oops. Who was the dumbass contractor that pulled that one??? I had to rename a domain about 15 years ago that was assigned the TLD by some dipshit contractor as well; it wasn't pretty. The rename was a pain, so read up, as it is a multistep affair.

https://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

I have renamed a few in production for other reasons as well, and as long as you understand the doc I posted above, you should be good. It is a pain though, I won't lie, and it is a last resort under normal "I want a new domain name for no real reason" scenarios. For your scenario (split-brain DNS) it is a necessity. You cannot have a TLD domain as your internal domain when that domain exists out on the net. It all breaks.

Rename it to a .pvt: mycompany.pvt
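For readers weighing the rename option, here is the command sequence the linked rename guide walks through, written out as an added example (it is not part of the post above, and the names in it are assumptions: old DNS name mycompany.com, new DNS name mycompany.pvt as suggested above, NetBIOS name MYCOMPANY kept unchanged). It assumes the forest functional level supports domain rename (Windows Server 2003 or later), that rendom.exe and gpfixup.exe from the AD DS tools are on the machine you run it from, and that every DC has a verified, restorable backup before step 3.

```powershell
# Added example, not from the thread: domain rename as described in the
# Microsoft "How to Rename a Domain" guide. Run from an elevated prompt on a
# domain member that has the AD DS tools installed (rendom.exe, gpfixup.exe).
# Assumed names: mycompany.com -> mycompany.pvt, NetBIOS MYCOMPANY unchanged.

# 1. Dump the current forest structure to Domainlist.xml in the current
#    directory, then edit the <DNSname> element of the domain to the new name.
rendom /list
# (edit Domainlist.xml: <DNSname>mycompany.com</DNSname> -> <DNSname>mycompany.pvt</DNSname>)
rendom /showforest          # prints the edited structure; check it before uploading

# 2. Upload the rename script to the domain naming master and confirm every
#    DC can reach it. /prepare must come back clean on every DC, or stop here.
rendom /upload
rendom /prepare

# 3. Execute the rename. Each DC applies it and reboots automatically.
#    Member servers and workstations then need two reboots each to pick up
#    the new domain name.
rendom /execute

# 4. Repair Group Policy links and SYSVOL paths that embed the old DNS name.
#    (/oldnb and /newnb would be added here if the NetBIOS name changed too.)
gpfixup /olddns:mycompany.com /newdns:mycompany.pvt

# 5. Remove the rename state from the directory and release the forest
#    configuration lock on the domain naming master.
rendom /clean
rendom /end
```

Two caveats before choosing this path: anything that has the old FQDN baked in (certificates issued to DCs or services with the old DNS name, SPNs, DFS namespaces, hard-coded LDAP paths) has to be re-issued or re-pointed afterward, and some products (Exchange is the well-known one) do not support a domain rename at all. Also, since 2015 public CAs no longer issue certificates for names that are not in the public DNS, so a private suffix such as .pvt will need an internal CA for any TLS inside the domain; a subdomain of a domain you already own (for example corp.mycompany.com) avoids that problem while still keeping the AD zone separate from the public website.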
 
Actually, the best practice regarding that kind of stuff is changing to what you have (called "Split-Brain" DNS if you want to google). Largely due to internal infrastructure extending beyond company borders (federation between inside and cloud services, etc).

The way we do it is to maintain internal and external DNS zones with the same zone name, but distinct records. You divide this at your firewall. Outside, you resolve against DMZ based DNS servers that contain public IPs for your external services. Inside, DHCP routes you to the domain controllers acting as DNS servers that provide the local IPs from inside the LAN.

Sounds like you might already have done that, and created internal records pointing to your external resources. Where I have seen this trip up is if someone tried to use http://mycompany.com or http://mycompany.com/intranet. In that case the internal DNS servers are going to see the domain name, and assume you want to resolve the AD domain for some reason. Normally having an internal A record for www, or www2 and making sure it has the external IP AND users actually use that in their link is the fix.

You would need to recert if the certs have your FQDN or DN in them (depends on how the request was generated). Lots of moving parts there. If you plan to rename, make sure you have a good backup, or create a whole new domain on VMs, then migrate users/servers between the two gradually.
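The split-brain setup described in the post above, as an added example that is not the poster's own configuration. It assumes the internal copy of mycompany.com is an AD-integrated zone on the DCs (so the DnsServer module is available there or via RSAT), that the externally hosted site is www2 at the constructed public address 203.0.113.10, that one DC answering DNS is at 10.0.0.1, and that 8.8.8.8 is reachable as an outside resolver for comparison; all four values are placeholders. Step 2 also shows why the bare name http://mycompany.com is the slow case: every DC registers its own address as an A record at the apex of an AD-integrated zone (the "same as parent folder" records), so a browser given just the domain name connects to a DC that has no web listener and waits out the TCP timeout.

```powershell
# Added example, not from the thread. Assumed values are marked below.
Import-Module DnsServer

$zone           = 'mycompany.com'
$publicWeb      = '203.0.113.10'   # assumed: public IP of the externally hosted site
$internalDns    = '10.0.0.1'       # assumed: one DC running DNS
$publicResolver = '8.8.8.8'        # assumed: any resolver outside the LAN

# 1. Publish the external host inside the internal zone. Clients resolve only
#    against the DCs, so without this record they would get NXDOMAIN for www2.
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name 'www2' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www2' -IPv4Address $publicWeb -TimeToLive 01:00:00
}
# A CNAME for the name people type out of habit, pointing at the real record.
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name 'www' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' -HostNameAlias "www2.$zone"
}

# 2. Show what the bare domain name resolves to internally: the DCs' own
#    addresses, registered automatically at the zone apex.
Get-DnsServerResourceRecord -ZoneName $zone -Name '@' -RRType A |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# 3. Compare inside and outside answers. Expect the apex to differ (DCs inside,
#    web host outside) and www2 to agree, which is the split-brain contract.
foreach ($name in $zone, "www2.$zone") {
    $inside  = Resolve-DnsName -Name $name -Type A -Server $internalDns    -DnsOnly -ErrorAction SilentlyContinue
    $outside = Resolve-DnsName -Name $name -Type A -Server $publicResolver -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name    = $name
        Inside  = (($inside  | Where-Object QueryType -eq 'A').IPAddress) -join ','
        Outside = (($outside | Where-Object QueryType -eq 'A').IPAddress) -join ','
    }
}
```

The apex records are not something to delete by hand; Netlogon re-registers them on each DC's next refresh unless you suppress the LdapIpAddress mnemonic through the "DC Locator DNS records not registered by the DCs" policy, and doing that changes how clients that locate LDAP by bare domain name behave. The cheaper fix, as the later posts in this thread say, is to make sure every link and bookmark uses a hostname (www or www2) that has an explicit record.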
 
Where I have seen this trip up is if someone tried to use http://mycompany.com or http://mycompany.com/intranet. In that case the internal DNS servers are going to see the domain name, and assume you want to resolve the AD domain for some reason. Normally having an internal A record for www, or www2 and making sure it has the external IP AND users actually use that in their link is the fix.

I have seen some references to this in my googling. To fix that, it reads as if I would need to set up IIS on each domain controller, and have it forward http://mycompany.com or http://mycompany.com/intranet to http://www2.mycompany.com or http://www2.mycompany.com/intranet. Does that read correctly? Or is it significantly more complicated due to them being externally hosted?
 
Can you not just create CNAMEs and A records pointing to your web host's IP on your DNS server? I have sites with the same internal and external domain; this has always worked for me.
 
I have seen some references to this in my googling. To fix that, it reads as if I would need to set up IIS on each domain controller, and have it forward http://mycompany.com or http://mycompany.com/intranet to http://www2.mycompany.com or http://www2.mycompany.com/intranet. Does that read correctly? Or is it significantly more complicated due to them being externally hosted?

Seems like a complicated fix to a simple problem. I don't see an issue with doing that, as I can't think of any AD DS related service that would be hitting port 80 (wouldn't want AD related services resolving the domain to somewhere it wasn't).

For us, we just created the record for www in our forward lookup zone and told users to add the www to their http requests. That's across 14k desk/laptops with ~20k users.

Speaking from personal experience I can tell you that it's not always the best option to try and make everything just work the way it used to. I think it stems from the tinkering/curiosity aspect of working with technology that I know I have, and I see in many other techs. You've just gone through a massive overhaul of your infrastructure, I would say it's absolutely acceptable to tell your client base that something they interact with has changed, as long as this doesn't affect any public facing services. Just always remember to blame the vendor/contractor. ;)

If you want to tinker with this your time is probably better spent writing a script or util to parse and replace contents of favorites/desktop shortcuts and deploying that with GPO.

Now, if you have already added that www record and www.mycompany.com is STILL painfully slow to resolve, you have other problems.
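The "script to parse and replace contents of favorites/desktop shortcuts" suggested above, as an added example (not the poster's script). It is written to run as a user logon script from a GPO, so it executes in the user's own context and only touches that user's Favorites and Desktop folders. The old and new prefixes are assumptions matching this thread (http://mycompany.com and http://www2.mycompany.com); the pattern is anchored so that only a URL whose host is exactly the bare domain is rewritten, and www2.mycompany.com links are left alone.

```powershell
# Added example, not from the thread. Deploy as a GPO user logon script.
# Assumed prefixes: http://mycompany.com -> http://www2.mycompany.com
param(
    [string]$OldPrefix = 'http://mycompany.com',
    [string]$NewPrefix = 'http://www2.mycompany.com',
    [switch]$WhatIf            # report what would change without writing anything
)

$roots = @(
    [Environment]::GetFolderPath('Favorites'),
    [Environment]::GetFolderPath('Desktop')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Match the prefix only when the host ends right there ("/", "?", "#", ":" or
# end of string), so http://mycompany.community/... or www2 links are untouched.
$pattern = '(?i)^' + [regex]::Escape($OldPrefix) + '(?=[/?#:]|$)'
$shell   = New-Object -ComObject WScript.Shell
$changed = 0

foreach ($file in Get-ChildItem -Path $roots -Recurse -File -Include *.url, *.lnk -ErrorAction SilentlyContinue) {
    switch ($file.Extension.ToLower()) {
        '.url' {
            # Internet Shortcut files are INI text: [InternetShortcut] then URL=...
            $lines = @(Get-Content -LiteralPath $file.FullName)
            $new   = @($lines | ForEach-Object {
                if ($_ -match '^URL=(.*)$') { 'URL=' + ($Matches[1] -replace $pattern, $NewPrefix) } else { $_ }
            })
            if ((-join $new) -ne (-join $lines)) {
                Write-Host "url  $($file.FullName)"
                if (-not $WhatIf) { Set-Content -LiteralPath $file.FullName -Value $new -Encoding Ascii }
                $changed++
            }
        }
        '.lnk' {
            # A .lnk may carry the URL as its target or as an argument to a browser.
            $lnk   = $shell.CreateShortcut($file.FullName)
            $origT = [string]$lnk.TargetPath
            $origA = [string]$lnk.Arguments
            $t = $origT -replace $pattern, $NewPrefix
            $a = $origA -replace $pattern, $NewPrefix
            if ($t -ne $origT -or $a -ne $origA) {
                Write-Host "lnk  $($file.FullName)"
                if (-not $WhatIf) { $lnk.TargetPath = $t; $lnk.Arguments = $a; $lnk.Save() }
                $changed++
            }
        }
    }
}
Write-Host "$changed shortcut(s) updated"
```

Run it once with -WhatIf from a test account to see the list of files it would touch before linking it to the GPO. Because it runs as the user and never elevates, it cannot fix shortcuts in shared locations such as the Public desktop; those are better corrected once on the file share or with a separate computer startup script.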
 
Now, if you have already added that www record and www.mycompany.com is STILL painfully slow to resolve, you have other problems.

I do have a www2 record in DNS. It is still slow, but like you said, I believe we have other problems. In playing with this, it seems as if we bypass our proxy server (Fortigate), then it resolves fine/fast. This would lead to a problem with the Fortigate proxy. However, for the life of me, I cannot find any setting to give www2.mycompany.com an exception in Fortigate.

It might all be moot anyway. I recently had to push a list of proxy exceptions (IE and Firefox) to all machines, and mycompany.com was among them. It is gradually becoming an apparent non-issue.
 