Active Directory: Is it required that the "A" record for a domain point to a Domain Controller?

Currently we have an Active Directory setup, and say the name is 'example.com'. The DNS entries for example.com have two A records pointing to the two domain controllers. I would like internal users to be able to access our website by using http://example.com/ but we don't run the site off the domain controllers, and I don't want to install IIS or some other service just to do a redirect to www.example.com.

If I understand correctly, I should be able to delete those entries, and add a new A record pointing to the IP of the web server and things will not break, as clients typically use the SRV records to locate domain controllers and whatnot.

Is this correct? The reason I'm asking before just changing it is that I don't want to cause an outage. :)


Solution 1:

You're learning why you shouldn't use the same domain name for your Active Directory as you're using for your external Internet presence.

The "A" records for the domain referring to the domain controllers are used for DFS to resolve the name of the domain to a domain controller (primarily for client computers to access the SYSVOL). If you delete those "A" records you're going to see group policy break, amongst other things.

If you can't rename the AD domain, I think you're stuck putting IIS (or some other HTTP server) up on those boxes to redirect client computers to the right host.

This is why I name my AD domains "ad.domain.com". You should have a really, really good reason before you create a DNS zone on a private DNS server that matches a zone that the Internet has authoritative DNS servers for already. You've done that, and added Active Directory into the mix.
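The answer above explains why the apex A records must keep pointing at domain controllers: clients resolve the bare domain name when they open `\\example.com\SYSVOL`, so an apex record aimed at a web server sends that traffic to a host with no SYSVOL share. Before changing anything, a practitioner would want to see exactly which addresses the apex resolves to today and whether they match the DCs. The following PowerShell audit is an added example, not code from the original answers; it assumes the RSAT ActiveDirectory module and the built-in DnsClient module are available, and uses the question's `example.com` as a placeholder domain name.

```powershell
# Added example (not from the original post): compare the AD domain's apex A records
# with the domain controllers' addresses and confirm the SYSVOL path still resolves.
# Assumes: ActiveDirectory module (RSAT), DnsClient module (Windows 8 / Server 2012+).
# 'example.com' is the placeholder domain from the question; pass your own with -Domain.
param(
    [string]$Domain = 'example.com'
)

Import-Module ActiveDirectory

# Addresses the domain controllers actually answer on
$dcAddresses = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty IPv4Address

# What the bare domain name (the apex) currently resolves to
$apexRecords = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress

# SRV records clients use to locate a DC; these are independent of the apex A records
$srvRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' }
Write-Output ("DC locator SRV targets: " + (($srvRecords | ForEach-Object { $_.NameTarget }) -join ', '))

# Every apex address should belong to a DC, otherwise \\$Domain\SYSVOL breaks for
# clients that happen to get that address
foreach ($ip in $apexRecords) {
    if ($dcAddresses -contains $ip) {
        Write-Output "OK        $Domain -> $ip (domain controller)"
    } else {
        Write-Warning "MISMATCH  $Domain -> $ip is not a domain controller; SYSVOL access via \\$Domain will fail for clients using this address"
    }
}

# Every DC should be reachable through the apex name
foreach ($ip in $dcAddresses) {
    if ($apexRecords -notcontains $ip) {
        Write-Warning "MISSING   DC $ip has no apex A record"
    }
}

# The path group policy actually depends on
if (Test-Path "\\$Domain\SYSVOL") {
    Write-Output "SYSVOL reachable via \\$Domain\SYSVOL"
} else {
    Write-Warning "\\$Domain\SYSVOL is NOT reachable; group policy processing will fail"
}
```

Run it from a domain-joined admin workstation before and after any DNS change. A `MISMATCH` line is the condition the answer warns about: the apex resolving to something other than a DC. The SRV line is shown only to make the point that SRV records locate DCs for authentication, but do not replace the apex A records for SYSVOL and DFS access.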

Solution 2:

It is required that those A records point to domain controllers. They are a must for DFS (SYSVOL, Netlogon access) and replication. In this case you can live dangerously and use some redirection tool, or live with asking users to type www.domain.com. You can relieve their pain somewhat by making a favorites entry for the domain in IE or making that their home page, so they seldom have to type it.

Solution 3:

This is the Active Directory equivalent of putting a gun to your servers and pulling the trigger multiple times.

If the entries were created by AD then do not mess with them. You will regret it.