Ever wondered how to use the same domain name for both a normal website, say – hosted on some cheap hosting account with loads of features and scripts, but yet have it work as an Active Directory Controller too?
Well, I did – and I’m sure at one point or another of your time messing with Windows 2003/2008 servers and stuff you probably thought something like: “Hey, what’s the difference between those $9.99/year domain names and my Active Directory domain? Can they work together?”
Eeks. I feel corny and geeky writing this post already. Never in my life have I written a largely technical post publicly on a Google-able page meant exclusively for me (at least not in the past 2 years, I think…). Yes, but I contribute a lot to forums and stuff, so… I do contribute!
Okay, okay, long story short – yes, it’s perfectly possible!
But as hardcore sysadmins, we always come across the question of “why” it will work, whether it will break anything if we do some quick fix which someone like Kelvin here suggested, who to blame if it doesn’t work, and whether Kelvin is liable should we breach some Service-Level Agreement (SLA) with our clients, blah blah.
This being my first technical post, my disclaimer is plain and simple:
Screw you. Do this at your own risk. Hah!
Here, let me introduce what we’re going to solve today. Given this scenario:
Say, I bought this domain, “kelvin.sg”, and I want to use it for my website/blog/place-of-rant hosted with my company (via cPanel), Zension – yet I wish to run my own Active Directory domain called “kelvin.sg” just so all the computers in my (personal) network can be named and access pretty “cool-ly” like, super-cool-server.kelvin.sg, or maybe mediaserver.kelvin.sg.
Traditional (deemed improper by Kelvin) Way of Solving this Problem:
Just call your new domain kelvin.local and get over it. kelvin.sg doesn’t really sound nice anyway.
Nah, Kelvin would never do it this way. Hahaha! Let’s move on…
Let’s throw a few more constraints/assumptions into the mix:
- You don’t want to touch the nameservers on the domain registry side (i.e., you STILL want to use your cPanel account)
- You want to be able to join the domain from anywhere, even if you are sitting on top of the Esplanade
- You *have* access to the DNS zone for your domain on the cPanel server (this is really important! – if you don’t have access, go get it now by asking whoever owns the server!)
So, what do we do now? Here’s the simple, quick workaround…
- Set up the Windows 2003 / 2008 server as your AD controller as per usual
- Yes, choose to install DNS services on your Windows server too
- Now you’ll end up with 2 sets of servers replying for “kelvin.sg” – cPanel’s DNS servers and your AD server… but you can’t have that: the two don’t agree on the zone’s contents, so there is no single authoritative answer (and that’s bad, because mismatched DNS records aren’t exactly good…)
- Ok, next, go into your Windows AD’s DNS Server management panel, it should look something like:
- Now, change your domain’s zone to a Secondary zone. We are going to make it “copy” (clone) the zone’s contents from the DNS server at your hosting company.
- Of course, specify the nameservers at your hosting company as the masters… (they must allow zone transfers to your AD server’s IP, otherwise the secondary zone will never load)
- Ask your hosting company (or use whatever tools you have available inside cPanel – which is unlikely, as cPanel doesn’t support editing of NS records; WHM does, however…) to add an NS record for _msdcs.[yourdomain.com] pointing to your AD nameserver’s hostname. For instance, I would use: _msdcs.kelvin.sg -> my-active-directory-nameserver.kelvin.sg
- You’re done!
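As an added example (not from the original post), here is a small Python lint for the public zone: it checks that the `_msdcs` NS record exists, that the AD nameserver’s hostname also has an A record in the hosting zone (the bit most easily missed, since nobody outside can reach the AD server without it), and that nothing else in the hosting zone shadows the delegation. The nameserver hostname and IP addresses in the sample are assumptions.

```python
# Constructed sample of the relevant records in the hosting (cPanel) zone for
# kelvin.sg; the nameserver hostname and the IPs are assumptions for illustration.
ZONE_FRAGMENT = """
kelvin.sg.                                 IN NS  ns1.hostingcompany.example.
kelvin.sg.                                 IN A   203.0.113.10
www.kelvin.sg.                             IN A   203.0.113.10
_msdcs.kelvin.sg.                          IN NS  my-active-directory-nameserver.kelvin.sg.
my-active-directory-nameserver.kelvin.sg.  IN A   198.51.100.5
"""

def parse_zone(text):
    """Parse one-record-per-line zone text into (name, type, rdata) tuples.

    Accepts 'name [ttl] [IN] type rdata'; names are lower-cased and the trailing
    dot dropped so comparisons are simple. Comments after ';' are ignored.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        name, *rest = line.split()
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:]).lower().rstrip(".")
        records.append((name.lower().rstrip("."), rtype, rdata))
    return records

def check_msdcs_delegation(text, domain):
    """Return a list of problems with the _msdcs delegation; [] means it looks right."""
    domain = domain.lower().rstrip(".")
    sub = "_msdcs." + domain
    recs = parse_zone(text)
    problems = []
    ns_targets = [rdata for name, rtype, rdata in recs if name == sub and rtype == "NS"]
    if not ns_targets:
        problems.append("no NS record for " + sub)
    for target in ns_targets:
        # If the AD nameserver's name lives inside kelvin.sg, the public zone must also
        # carry its A record; otherwise nobody outside can find the server the NS points at.
        if target == domain or target.endswith("." + domain):
            if not any(n == target and t == "A" for n, t, _ in recs):
                problems.append("NS target " + target + " is in-zone but has no A record")
    # Anything other than NS at or below _msdcs in the hosting zone would shadow the
    # delegation: the AD server, not cPanel, must answer for that subtree.
    for name, rtype, _ in recs:
        if (name == sub or name.endswith("." + sub)) and rtype != "NS":
            problems.append(rtype + " record at " + name + " shadows the _msdcs delegation")
    return problems
```

Run `check_msdcs_delegation(ZONE_FRAGMENT, "kelvin.sg")` against a copy of your own zone; an empty list means the delegation is in place.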
Okay, now, when you try to use a computer at a remote site/network to join the “kelvin.sg” domain, it magically works!
The trick’s in the “_msdcs” NS record – and apparently, Google only gives little pieces of the puzzle which I had to put together to figure it out!