Active Directory Domain Controller setup using external TLD (Godaddy)? - dns

I have been given a task to integrate Active Directory in order to authenticate users and manage group policies. My end-goal is to allow users to enroll their devices (Mac and PC) into Active Directory using their company email address (ie. bob#example.com).
Currently, our company uses Godaddy to manage our DNS for our TLD (example.com). I have used a subdomain to allow public access to our domain controller (dc.example.com - Windows Server 2019). Now, because I've made the Domain Controller a subdomain of example.com, when I create an AD user, I can only register them in the dc.example.com namespace. Rather, I want users to be able to login using the top-level domain example.com.
I have been reading up on domain naming best-practices and everything tells me to use a subdomain rather than duplicating the root domain name. I have actually done the latter... and it works. However, it creates conflicts when I am trying to register Mac computers to Active directory. I don't know why.
I dont want to move away from Godaddy since we have many records stored there, but there MUST be an easier way to do this?

Related

google/microsoft/etc auth from x.com domain to use in other domain (like y.x.com or even clientDomain.com)

We have an app that let our users use their own domain to access our platform.
For example, if our website domain is "abc.com", we allow our user to use their own domain (for example "external.net") by setting this domain to point to our server.
To achieve it, we need to set their domain each time in our "Google Console"(/Microsoft) so that the authentication (we do have a login of course) will work with their domain as well...
The thing is that we think maybe we could accomplish such a result by just forcing all our users to use our main domain (abc.com) and just after they log in, we will redirect them to their domain.
It will save us the time to add each time their domain to "Google Console"(/Microsoft).
The question is if it's something that we really can do, or google will disallow such auth if which user comes from A domain, and will use B domain with the token he got from A domain.
*If such a thing is not allowed, is it allowed by using my subdomains? like user1.abc.com / user2.abc.com etc... without having to fill those subdomains in the provider console (Google/Microsoft).
I hope the question is clear enough,
Thanks!
A note about verification of your applicaiton.
In order to have this application verified you are going to to Verify your site ownership for every domain listed as a redirect Uri or a JavaScript origin.
So the only way that is going to work is if you can prove you own those domains. By registering them in google search console.

how to make user able to connect custom domain to our service? (eg shopify, medium, wordpress)

Question
Using React for our Shopify-like service. basically the same functionality.
Where i am stuck is how do i Make user able to connect their domain to our websites specific domain or subdomain.
eg.
User owned domain
uniquedomain.com
Service domain
user.myservice.com
from shopify
shopify allows user to add their domain to their shop. how does this work?
conclusion
If user wants to add their domain to our specific url,
what tech should i be adopting for this feature?
currently using React, react-subdomain
react subdomain
https://github.com/bmullan91/express-subdomain
This can be done using CNAME records or giving your users the IP address of your server to add in there DNS records.
How shopify does this -
Shopify gives the IP addresses of there load balancer to the users who wants to connect to their domain to the shopify shop.
The end user (domain owner) need to point there domain to the given Ip address, and you will have to have the virtual host setup at your end to recognise each domain.

Error while Verifying Domain in AAD

I followed Quickstart: Add a custom domain name to Azure Active Directory to verify my custom domain but still experiencing difficulties. I owe a domain (something like www.example.com with the only difference is mine is not 'example') purchased at GoDaddy.com.
If I try to verify that domain and specify its name (in AAD portal) as www.example.com then I can successfully complete the verification, but if I use the name example.com (without www) - I am seeing an error saying
Unable to verify domain name. Ensure you have added the record above
at the registrar 'MyDomainNameIsHere.COM', and try again in a little
while.
I employed nslookup to make sure the TXT record was added, I also followed the section Troubleshooting, non of those 3 cases apply to me:
waited for few hours
made sure with nslookup that the dns record is
correct and exists
there is no existing domain with that name
Why does it work if I prefix it with www and doesn't without it? Do I need to make some changes at GoDaddy?
I need that custom verified domain to add AAD users associated with their emails at my domain, for instance, User1#example.com; User2#example.com and so on. That doesn't work when I verify the www option complaining that example.com is not verified domain but doesn't complain if I try to create a user User1#www.example.com and I cannot do that because there is no corresponding email address.

Custom domain is "not planned" for Single Sign-On in Azure Active Directory

We have Single Sign-on working for a test application in Azure, using Azure Active Directory and the on-premise server running DirSync to synchronise the user details.
I have added a Custom Domain and verified it, by adding TXT records to the DNS entries at my registrar's website. In order to do this, I followed advice (from stackoverflow questions) that I needed to untick the option that said "I plan to configure this domain for single sign-on with my local Active Directory", in order to gain access to the additional information that allows me to prove ownership of the domain.
As a result, the domain has been verified and Azure recognises this, allowing me to see the domain as being 'verified', but the Single Sign-On value for this custom domain is set to 'Not Planned'.
The problem is now, I want to be able to re-tick that check box, and enable this domain to be used with the single sign-on, as I don't want to have to tell my users to use their log-in email addresses as 'username#something.onmicrosoft.com' as they'll never get it and will pester me to change it.
So, my question is: Is there a way to re-tick this box, and change the status of this field away from that of 'Not Planned', and (hopefully) to allow my users to sign in using their username#domain.com instead?
I have tried to remove the domain and re-add it, but Azure stops me from deleting it, as it's probably already well utilised in the rest of the processes. Also, I have no ability (or at least that's how it seems!) to go back into this custom domain within Azure and modify it.
UPDATE: I have tried to Deactivate the Directory Integration directory sync - this allows me to adjust the sync'd user's email addresses, but they're reverted back to .onmicrosoft.com once the sync is Activated again.
UPDATE 2: I have tried to install PowerShell to remotely administer the custom domain to becoming active, but I just cannot connect, despite several hours of trying.
If you added (and verified) a domain without ticking the checkbox, your domain is considered "standard", or "managed". You can convert this domain to a "federated" domain with the Convert-MsolDomainToFederated cmdlet from the Azure Active Directory PowerShell module:
Convert-MsolDomainToFederated -DomainName "contoso.com"
Tip for next time: After you add the domain with the single sign-on tick, you can run the following to get the DNS records to verify the domain:
Get-MsolDomainVerificationDns -DomainName "contoso.com"

how to redirect any domain name to our web application

we have a saas web app, written in zend mvc (php) where users can enter their own domain name in their settings page.
When they enter e.g. www.customdomain.com we want this domain to redirect to our web application so we can serve up their own pages from our app.
We do the same already for subdomains by having a *.ourapp.com entry in our DNS configuration.
that works great for subdomains like customdomain.ourapp.com.
This doesn't seem to work for full domain names like www.customdomain.com.
What's the easiest way to have any domain address link to our application, so we can just read out the incoming domain name and act accordingly in our app?
For letting the DNS entry point at your servers:
Domain is already registered (and owned by the customer): Make him configure the CNAME entry to your server's IP. (Even google let this do the enduser by hand - so automating this might be hard)
Domain is free: Register it, configure the CNAME yourself (you own it)
If you only want a redirect, the user can upload a html file or .htaccess file, that performs the redirect. But this has to be done by the customer, too.

Resources