Port forward FQDN website requests on Active Directory domain controllers

I don't like to use (.local etc) for Active Directory domains. There are numerous problems with this and Microsoft stopped recommending it years ago. The problem for those of us who have moved to using sites without the oldschool www hostname is that AD requires the A records of the FQDN domain point to the domain controllers.

There are a number of ways to solve this IT headache that boil down to leveraging the servers or the network.

Thanks like:

• Install IIS on the DCs - A heavy handed approach and not recommended.
• Perform some network trickery to intercept and forward port 80/443 
• Use multiple DNS servers (inside, outside, etc)

The least complicated way I have found is to use the port forwarding capabilities of Windows 2008 R2.  This way you don't have to twist standard network services with an additional layer of complexity.

On Linux, I'd use iptables to redirect the HTTP and HTTPS ports like this:

iptables -I FORWARD -p tcp -d 192.168.1.31 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.1.31 --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.31:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.31:443 

From the command line on Windows 2008 R2, you can do the same using the netsh cli.

netsh interface portproxy add v4tov4 listenport=80 listenaddress=192.168.1.11 connectport=80 connectaddress=192.168.1.31
netsh interface portproxy add v4tov4 listenport=443 listenaddress=192.168.1.11 connectport=443 connectaddress=192.168.1.31

Now any browser requests using the FQDN root will be automatically forwarded through an AD controller. No extra software need be installed.


My thanks to Rick Wargo for sharing his example of port forwarding on Windows 2008 R2.

I tried to execute a dladm set-linkprop command on a Nexenta RSF-1 HA cluster and received a "link busy" error. Took a minute for me to remember that the Solaris family requires you to unplumb and interface before you administer its persistent properties.

The example below shows how to change the MTU settings using plumb and dladm commands. This allows the RSF-1 controlled interfaces and VIPs to use jumbo frames.

ifconfig ixgbe1 unplumb
ifconfig ixgbe0 unplumb
dladm set-linkprop -p mtu=9000 ixgbe0
dladm set-linkprop -p mtu=9000 ixgbe1
ifconfig ixgbe0 plumb
ifconfig ixgbe1 plumb

Dell PowerConnect Serial Console on Linux

Here's how to setup minicom on Linux to talk to a Dell PowerConnect.

Install minicom

sudo apt-get install minicom

Get your host's serial port.

dmesg | grep --color ttyS

Example output:

dmesg | grep --color ttyS
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
00:05: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:06: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A

If you don't see anything listed, check your BIOS and make sure the serial port is enabled.

Now configure minicom.

minicom -s

Select "Serial port setup" and configure your settings as follows:

    +-----------------------------------------------------------------------+
    | A -    Serial Device      : /dev/ttyS0                                |
    | B - Lockfile Location     : /var/lock                                 |
    | C -   Callin Program      :                                           |
    | D -  Callout Program      :                                           |
    | E -    Bps/Par/Bits       : 9600 8N1                                  |
    | F - Hardware Flow Control : No                                        |
    | G - Software Flow Control : No                                        |
    |                                                                       |
    |    Change which setting?                                              |
    +-----------------------------------------------------------------------+

Now you can either save these as dfl (default ) or something like dell_powerconnect.

Use your Dell setup like this.

minicom dell_powerconnect

I have a alot of servers that have padded numerics in their names. Here's a quick way to issue SSH commands to all of them. The key is to use good old printf

for i in {1..10}; do ssh cloud-host-$(printf "%02d" $i) iscsiadm -m node -T iqn.2004-04.com.megastorage:hyper-zfs-serv:iscsi.zabbix.c4c655 -u; done

The ccze utility is your friend for reading squid proxy logs. It's a nice colorizer and performs timestamp conversions with the -C argument.

sudo tail -f /var/log/squid-deb-proxy/access.log|ccze -CA

A Formal Introduction to The Ubuntu Orchestra Project

A Formal Introduction to The Ubuntu Orchestra Project

Force Replication Between All Active Directory Servers

Occasionally, I have to troubleshoot Active Directory issues between branch offices and I can never remember all of the resync arguments for the repadmin.exe command. So I'm posting it here.

repadmin /syncall /A /e /P

This will force the executing DC to sync with all NC's known to it.

You should see something like this * number of NC in your domain:

Syncing all NC's held on ATLAS.
Syncing partition: DC=ForestDnsZones,DC=my,DC=corp,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: c2fa9a13-bc15-419c-b416-21e6da3d5760._msdcs.my.corp.com
    To  : cee785b6-01fe-490c-8e50-5199841a1b58._msdcs.my.corp.com
CALLBACK MESSAGE: The following replication is in progress:
    From: c2fa9a13-bc15-419c-b416-21e6da3d5760._msdcs.my.corp.com
    To  : 62aa2e39-9c52-4eef-a789-f201350c0b02._msdcs.my.corp.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: c2fa9a13-bc15-419c-b416-21e6da3d5760._msdcs.my.corp.com
    To  : cee785b6-01fe-490c-8e50-5199841a1b58._msdcs.my.corp.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: c2fa9a13-bc15-419c-b416-21e6da3d5760._msdcs.my.corp.com
    To  : 62aa2e39-9c52-4eef-a789-f201350c0b02._msdcs.my.corp.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.