WWW A-record Hack for Internal Users No Longer Works on my Server 2022 AD Domain

I have one of those notorious public websites for my company running on a third-party host that has the same domain name as our internal Active Directory domain network. So that our internal users can browse to that site, we have long had an internal A record for "www" that points to the external website's static IP address. That used to work. But now, if an internal user types "www.my-company.com", the browser throws an error "NET:ERR_CERT_COMMON_NAME_INVALID", crosses out the "https:" in the URL, and prevents access to the site. The "advanced" error message says "This server couldn't prove that it's my-company.com; its security certificate is from .my-company.com. This may be caused by a misconfiguration or an attacker intercepting your connection."

I'm baffled. If I do an nslookup to internal DNS on "www.my-company.com", it correctly returns the website's public IP address. If the HTTPS wants a certificate, why is it not getting the certificate from the public site, rather than our internal domain server? Clearly, I don't understand something fundamental!

John Mahowald
Please edit your question to add detail on how exactly the certificates are different in your split-horizon DNS setup. Include the names entered into the browser (www and not), the IP it resolves to, the chain of CAs that signed it, and the cert's fingerprint.

Issue a certificate for DNS names example.com, www.example.com, and any other name for this web site. Use this certificate for https on all relevant web servers, both external and internal.

Some users will not remember www. in front. Unfortunately, to accommodate them it will be difficult to avoid web servers on AD DS directory controllers, if only to do a redirect. This is one of those internal web servers you might have, a hack to make things coexist even if the real hosting is external and not in your directory.

Add to your AD DS notes that the next time you build a domain, don't use the same domain name for internal and external. ad.example.com is a fine name, can exist with [email protected] email, and won't interfere with public web site example.com AKA www.example.com.

HighConcept
You lost me at "Issue a certificate". www.example.com is hosted by a third party. The web server on our sole AD DS directory is configured but unused. I suppose giving it something to do -- "if only to do a redirect" -- is the simple hack for this low-traffic situation.
John Mahowald
Edit your question to show the subject alternative names on the certificates as I asked. Every name the web site goes by should be on it, www. and without, probably. Repeat this for all relevant web servers, third party hosted included. If you don't manage TLS certs, tell them to fix it.
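The check the comments ask for, as an added example that is not from this thread: given what each DNS view resolves a name to and the subject alternative names on the certificate served at each address, it reports every (view, name) pair a browser will reject with a common-name error, and shows the answer's fix (one certificate listing every name, on every relevant server) clearing them. All hostnames, addresses and SAN lists below are constructed; the IPs are RFC 5737 documentation ranges.

```python
"""Which (DNS view, hostname) pairs fail TLS name validation? Constructed data."""
NAMES = ["my-company.com", "www.my-company.com"]

# What each resolver view returns for the names users type (constructed).
VIEWS = {
    "internal": {"www.my-company.com": "203.0.113.10",   # A record pointing at the public host
                 "my-company.com": "192.0.2.5"},          # AD zone apex resolves to a DC
    "external": {"www.my-company.com": "203.0.113.10",
                 "my-company.com": "203.0.113.10"},
}
# Subject alternative names on the certificate each address actually serves (constructed).
CERTS_BY_IP = {
    "203.0.113.10": ["www.my-company.com"],        # public host: apex name missing
    "192.0.2.5": ["dc1.my-company.com"],           # the DC's own cert, not the web site's
}
# The answer's fix: one cert listing every name, installed on every relevant server.
SITE_CERT = ["my-company.com", "www.my-company.com"]
FIXED_CERTS = {"203.0.113.10": SITE_CERT, "192.0.2.5": SITE_CERT}


def hostname_matches(hostname, san):
    """RFC 6125-style DNS-ID match: exact, or '*.' covering exactly one label."""
    h, s = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not s.startswith("*."):
        return h == s
    suffix = s[1:]                                 # e.g. '.my-company.com'
    label = h[: -len(suffix)] if h.endswith(suffix) else ""
    return bool(label) and "." not in label        # wildcard never matches the bare apex


def find_mismatches(views, certs_by_ip, names):
    """Return (view, name, ip, sans) for every pair a browser would reject
    because no SAN on the served certificate covers the typed name."""
    problems = []
    for view, table in views.items():
        for name in names:
            ip = table.get(name)                   # None means the view has no record
            sans = certs_by_ip.get(ip, [])
            if not any(hostname_matches(name, san) for san in sans):
                problems.append((view, name, ip, sans))
    return problems


if __name__ == "__main__":
    for view, name, ip, sans in find_mismatches(VIEWS, CERTS_BY_IP, NAMES):
        print(f"{view:8} {name:22} -> {ip}: SANs {sans} do not cover the name")
    print("after fix:", find_mismatches(VIEWS, FIXED_CERTS, NAMES))
```

Feed it the real resolutions and SAN lists collected from each view (for example with nslookup and openssl s_client) to see which combination is producing the error.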