INFO: Implementing a disjoint namespace

Allowing computers to use different DNS suffixes from their AD Domain name

As a general rule, it is usually stated that the authoritative DNS zone should be exactly the same as the Active Directory domain name. There are, however, certain circumstances in which this is not possible or not desired.

Simply implementing a different domain name and DNS zone will cause problems. However, there is a workaround.

The computer object attributes dNSHostName and servicePrincipalName are dynamically maintained by the corresponding Windows NT 5.x computer, using its hostname, which has the following syntax:
    <NetBIOS name>.<Active Directory domain name>

Where NetBIOS name is the NetBIOS name of the computer and Active Directory domain name is the DNS-name of the Active Directory domain. For example, the computer wkstn01 in the domain testlab.com would have the following [fully qualified] hostname:
    wkstn01.testlab.com

By default, these attributes can only contain a fully qualified hostname whose DNS suffix matches the Active Directory domain name, and whose hostname (just the prefix, the NetBT name in most instances) is less than 15 bytes.

If this name is different, either because the hostname is greater than 15 bytes or because a disjoint namespace has been decided upon, you will find that Kerberos, and other services that depend on Service Principal Names (SPNs), will not work, and you will encounter lots of 5788 and 5789 events in the system event logs of the DCs. The way to configure Active Directory to support this differs between Windows 2000 and 2003. The following sections discuss how to enable this in both versions of Active Directory.

Windows 2000

To enable registration of the differing full computer name, the SELF security principal must be given write permissions on the attributes dNSHostName and servicePrincipalName. You do this by modifying the DACL of the appropriate domain:
  • Open the Active Directory Users and Computers snap-in (dsa.msc) and select Advanced features from the View drop-down list.
  • Right-click the domain that you wish to modify and click Properties and then the Security tab.
  • Click Add, click SELF, click Add and then OK. When you return to the original window click Advanced, click SELF and then click View/Edit.
  • Click the Properties tab and select Computer Objects from the Apply onto drop-down list.
  • In the Permissions box, check Allow next to Write dNSHostName and Allow next to Write servicePrincipalName.
  • Click OK until all windows are closed.

Windows 2003

In Windows Server 2003 this has been made easier by the inclusion of the new attribute msDS-AllowedDNSSuffixes. You add the alternate DNS suffix to this attribute (of the domain).

To do this, fire up adsiedit.msc (Windows Support Tools), right-click the domainDNS object DC=domain-name,DC=com and choose Properties. Select the attribute msDS-AllowedDNSSuffixes, click Edit, add the DNS suffix, and click OK.
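The following PowerShell script is an added example, not part of the original article: it audits the computer objects of the current domain for dNSHostName values that the domain would not accept (prefix longer than 15 bytes, or a suffix that is neither the AD domain name nor listed in msDS-AllowedDNSSuffixes), and shows how the Windows 2003 method above is applied from the command line. It assumes it runs on a domain member with rights to read the domain object, uses plain ADSI rather than the ActiveDirectory module, and the suffix lab.example.net is a placeholder.

```powershell
# Added example (not from the original article). Audits computer objects for names the
# domain will not register, using plain ADSI so no extra modules are needed.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# Derive the AD domain DNS name (e.g. testlab.com) from the naming context DC=testlab,DC=com.
$adDnsName = ($domainDn -split ',' | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

# Suffixes the domain already accepts: the domain name itself plus msDS-AllowedDNSSuffixes.
$extra   = @($domain.'msDS-AllowedDNSSuffixes') | Where-Object { $_ }
$allowed = @($adDnsName) + $extra

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(objectCategory=computer)'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('dNSHostName', 'sAMAccountName'))

foreach ($result in $searcher.FindAll()) {
    # Property names in search results are lower-cased; a computer that has never
    # registered its name has no dNSHostName at all, so skip those.
    $fqdn = [string]($result.Properties['dnshostname'] | Select-Object -First 1)
    if (-not $fqdn) { continue }

    $prefix, $suffix = $fqdn.Split('.', 2)
    if (-not $suffix) { $suffix = '' }

    $problems = @()
    if ([Text.Encoding]::UTF8.GetByteCount($prefix) -gt 15) {
        $problems += 'prefix longer than 15 bytes'
    }
    if ($allowed -notcontains $suffix) {
        $problems += "suffix '$suffix' not in msDS-AllowedDNSSuffixes"
    }
    if ($problems) { '{0}: {1}' -f $fqdn, ($problems -join '; ') }
}

# The Windows 2003 fix from the article, applied from PowerShell: append the disjoint suffix
# to the multi-valued domain attribute (ADS_PROPERTY_APPEND = 3). Uncomment to apply.
# $domain.PutEx(3, 'msDS-AllowedDNSSuffixes', @('lab.example.net'))   # placeholder suffix
# $domain.SetInfo()
```

Computers reported here are the ones whose SPN registration will fail and produce the 5788/5789 events described above; run the audit again after adding the suffix to confirm the list is empty.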

Document information

Author: Paul Williams
Date: 17-02-2005
Version: 2.0
Last updated: 01-08-2007
Last updated by: Paul Williams
