Recipe 13.17 Allowing Computers to Use a Different Domain Suffix from Their AD Domain

13.17.1 Problem

You want to allow computers to use a different domain suffix than their AD domain.

13.17.2 Solution

The following solutions work only for Windows Server 2003 domains. Read the Discussion for a workaround for Windows 2000.

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the domain you want to edit.

  3. Right-click on the domainDNS object and select Properties.

  4. Edit the msDS-AllowedDNSSuffixes attribute and enter the DNS suffix you want to add.

  5. Click OK.

Using a command-line interface

Create an LDIF file called add_dns_suffix.ldf with the following contents:

dn: <DomainDN>
changetype: modify
add: msDS-AllowedDNSSuffixes
msDS-AllowedDNSSuffixes: <DNSSuffix>

then run the following command:

> ldifde -v -i -f add_dns_suffix.ldf

Using VBScript

' This code adds a domain suffix that can be used by clients in the domain.
' ------ SCRIPT CONFIGURATION ------
strDNSSuffix = "<DNSSuffix>"       ' DNS suffix the clients should be allowed to use
strDomain    = "<DomainDNSName>"   ' e.g. rallencorp.com
' ------ END CONFIGURATION ---------

Const ADS_PROPERTY_APPEND = 3      ' append to the multi-valued attribute instead of overwriting it

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
objDomain.PutEx ADS_PROPERTY_APPEND, "msDS-AllowedDNSSuffixes", Array(strDNSSuffix)
objDomain.SetInfo                  ' commit the change to the directory

WScript.Echo "Added " & strDNSSuffix & " to suffix list."
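The same change with the ActiveDirectory PowerShell module, as an added example that is not part of the recipe. It appends to msDS-AllowedDNSSuffixes without disturbing the suffixes already present and prints the resulting list so the change can be verified. It assumes the RSAT ActiveDirectory module is installed and that the caller can modify the domain object; the value of $Suffix is a placeholder.

```powershell
# Added example (not the book's code): append a suffix to msDS-AllowedDNSSuffixes
# without clobbering the values already stored on the domain object.
# Assumes the RSAT ActiveDirectory module; $Suffix is a placeholder value.
Import-Module ActiveDirectory

$Suffix   = 'othercorp.example'        # placeholder: the clients' primary DNS suffix
$DomainDN = (Get-ADDomain).DistinguishedName

# Read the multi-valued attribute as an array (empty array when it is not set yet)
function Get-AllowedSuffixes {
    @((Get-ADObject -Identity $DomainDN -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes')
}

if ((Get-AllowedSuffixes) -contains $Suffix) {
    Write-Host "$Suffix is already in msDS-AllowedDNSSuffixes on $DomainDN"
} else {
    # -Add appends one value; -Replace would wipe every other suffix in the list
    Set-ADObject -Identity $DomainDN -Add @{'msDS-AllowedDNSSuffixes' = $Suffix}
    Write-Host "Added $Suffix to msDS-AllowedDNSSuffixes on $DomainDN"
}

Write-Host "Current list: $((Get-AllowedSuffixes) -join ', ')"
```

The -Add parameter matters for the same reason the LDIF file uses "add:" rather than "replace:": msDS-AllowedDNSSuffixes is multi-valued, and replacing it silently removes any suffix other clients already depend on.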

13.17.3 Discussion

Windows 2000, Windows XP, and Windows Server 2003 member computers dynamically maintain the dNSHostName and servicePrincipalName attributes of their corresponding computer object in Active Directory with their current host name. By default, those attributes can only contain host names that have a DNS suffix equal to the Active Directory domain the computer is a member of.

If the computer's DNS suffix does not match its Active Directory domain, events 5788 and 5789 are generated in the System event log of the domain controllers the client attempts to update. These events report that the dNSHostName and servicePrincipalName attributes could not be updated because of an incorrect domain suffix. In Windows Server 2003 domains, you can avoid this by adding the computer's DNS suffix to the msDS-AllowedDNSSuffixes attribute on the domain object (e.g., dc=rallencorp,dc=com).
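An added example, not part of the recipe, for checking a domain for the symptoms just described: it lists the suffixes the domain currently accepts, collects events 5788 and 5789 from the System log of each domain controller over a lookback window, and flags computer objects whose stored dNSHostName carries a suffix outside the accepted list (which happens when a suffix is removed from msDS-AllowedDNSSuffixes after clients were renamed). It assumes the RSAT ActiveDirectory module and remote event-log access to the domain controllers; $Days is an assumed lookback window.

```powershell
# Added example (not the book's code): look for rejected dNSHostName/servicePrincipalName
# updates and for computer objects whose suffix no longer matches what the domain allows.
# Assumes the RSAT ActiveDirectory module and remote event-log access to the DCs.
Import-Module ActiveDirectory
$Days = 7   # assumed lookback window

$domain  = Get-ADDomain
# The AD domain's own DNS name is always accepted; msDS-AllowedDNSSuffixes adds to it
$allowed = @($domain.DNSRoot) + @(
    (Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'
)
Write-Host "Suffixes accepted for dNSHostName/servicePrincipalName updates: $($allowed -join ', ')"

# 1. Rejected update attempts, as logged in the System log of each domain controller
$rejected = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'System'
        Id        = 5788, 5789
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object @{n = 'DC'; e = { $dc }}, TimeCreated, Id,
                      @{n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] }}
}
$rejected | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# 2. Computer objects whose stored host name would not pass the suffix check today
Get-ADComputer -LDAPFilter '(dNSHostName=*)' -Properties dNSHostName | ForEach-Object {
    $suffix = ($_.dNSHostName -split '\.', 2)[1]   # everything after the first label
    if ($suffix -and ($allowed -notcontains $suffix)) {
        [pscustomobject]@{ Computer = $_.Name; dNSHostName = $_.dNSHostName; Suffix = $suffix }
    }
} | Format-Table -AutoSize
```

A burst of 5788/5789 events from one client immediately after a change to its primary DNS suffix is the expected signature of this problem; the second query catches the quieter case where the directory already holds a name that the allowed list no longer covers.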

With Windows 2000, the only workaround for this issue is to grant the Self principal the ability to write the dNSHostName and servicePrincipalName attributes of computer objects. Here are the steps:

  1. Open ADSI Edit.

  2. Right-click on the domain object and select Properties.

  3. Click the Security tab.

  4. Click the Add button.

  5. Enter Self in the object picker and click OK.

  6. Click the Advanced button.

  7. Under the Name column, double-click on SELF.

  8. Click the Properties tab.

  9. Beside Apply onto, select Computer objects.

  10. Under Permissions, check the Allow box for Write dNSHostName and Write servicePrincipalName.

  11. Click OK until you close all the windows.

It is worth noting that if you implement this method, it is possible for someone to cause a computer to write any name into those attributes, and, therefore, advertise itself as another computer.
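An added example, not part of the recipe, that audits the domain object's ACL for exactly the ACE the Windows 2000 workaround creates: an Allow entry for SELF with WriteProperty on dNSHostName or servicePrincipalName, applied to computer objects (or to all object classes). It resolves the schema GUIDs at run time rather than hard-coding them. It assumes the RSAT ActiveDirectory module, which also provides the AD: drive that Get-Acl reads from.

```powershell
# Added example (not the book's code): find SELF WriteProperty ACEs on dNSHostName or
# servicePrincipalName for computer objects on the domain object.
# Assumes the RSAT ActiveDirectory module (provides Get-ADObject and the AD: drive).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look schema GUIDs up from the schema partition instead of hard-coding them
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$watched = @{}
$watched[(Get-SchemaGuid 'dNSHostName')]          = 'dNSHostName'
$watched[(Get-SchemaGuid 'servicePrincipalName')] = 'servicePrincipalName'
$computerClass = Get-SchemaGuid 'computer'

$acl       = Get-Acl -Path "AD:\$domainDN"
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$findings = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
    $watched.ContainsKey($_.ObjectType) -and
    ($_.InheritedObjectType -eq $computerClass -or $_.InheritedObjectType -eq [guid]::Empty)
} | ForEach-Object {
    [pscustomobject]@{
        Attribute = $watched[$_.ObjectType]
        AppliesTo = if ($_.InheritedObjectType -eq [guid]::Empty) { 'all object classes' } else { 'computer objects' }
        Inherited = $_.IsInherited
        Rights    = $_.ActiveDirectoryRights
    }
}

if ($findings) {
    Write-Warning "SELF can write these attributes on computer objects under ${domainDN}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unrestricted SELF WriteProperty ACE on dNSHostName/servicePrincipalName found on $domainDN"
}
```

The filter deliberately ignores the ActiveDirectoryRights value Self, which is the validated write SELF holds by default; a validated write is what makes the domain controller check the suffix in the first place, whereas WriteProperty lets the computer account store whatever name it likes, which is the exposure the preceding paragraph describes.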

13.17.4 See Also

MS KB 258503 (DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ)
