You want to allow computers to use a different domain suffix than their AD domain.
Open ADSI Edit.
Connect to the domain you want to edit.
Right-click on the domainDNS object and select Properties.
Edit the msDS-AllowedDNSSuffixes attribute and enter the DNS suffix you want to add.
Click OK.
Create an LDIF file called add_dns_suffix.ldf with the following contents:
dn: <DomainDN>
changetype: modify
add: msDS-AllowedDNSSuffixes
msDS-AllowedDNSSuffixes: <DNSSuffix>
-
then run the following command:
> ldifde -v -i -f add_dns_suffix.ldf
' This code adds a domain suffix that can be used by clients in the domain.
' ------ SCRIPT CONFIGURATION ------
strDNSSuffix = "<DNSSuffix>"    ' e.g. othercorp.com
strDomain = "<DomainDNSName>"   ' e.g. amer.rallencorp.com
' ------ END CONFIGURATION ---------

' ADSI constant for PutEx: append to a multi-valued attribute
const ADS_PROPERTY_APPEND = 3

' Locate the domain naming context via RootDSE
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))

' msDS-AllowedDNSSuffixes is multi-valued. PutEx with ADS_PROPERTY_APPEND adds
' the new suffix while keeping any suffixes already present; a plain Put with a
' single value would replace the whole list.
objDomain.PutEx ADS_PROPERTY_APPEND, "msDS-AllowedDNSSuffixes", Array(strDNSSuffix)
objDomain.SetInfo
WScript.Echo "Added " & strDNSSuffix & " to suffix list."
Windows 2000, Windows XP, and Windows Server 2003 member computers dynamically maintain the dNSHostName and servicePrincipalName attributes of their corresponding computer object in Active Directory with their current host name. By default, those attributes can only contain host names that have a DNS suffix equal to the Active Directory domain the computer is a member of.
If the computer's DNS suffix is not equal to the Active Directory domain, 5788 and 5789 events will be generated in the System event log on the domain controllers the clients attempt to update. These events report that the dNSHostName and servicePrincipalName attributes could not be updated due to an incorrect domain suffix. For Windows Server 2003 domains, you can avoid this by adding the computer's DNS suffix to the msDS-AllowedDNSSuffixes attribute on the domain object (e.g., dc=rallencorp,dc=com).
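The same change, plus the checks an administrator would want around it, written as an added PowerShell example that is not part of the original recipe. It uses the ActiveDirectory RSAT module; $NewSuffix is an assumed sample value. It appends the suffix only if it is missing (so existing suffixes are preserved), then lists computer objects whose dNSHostName suffix is neither the domain's DNS name nor an allowed suffix, and finally looks on each domain controller for recent 5788/5789 events:

```powershell
# Added example (not from the original recipe).
# Requires the ActiveDirectory module (RSAT) and rights to modify the domain object.
Import-Module ActiveDirectory

$NewSuffix = 'othercorp.com'   # assumed sample value; replace with your suffix
$Domain    = Get-ADDomain
$DomainDN  = $Domain.DistinguishedName

# 1. Read the current (multi-valued, possibly empty) suffix list.
$DomainObj = Get-ADObject -Identity $DomainDN -Properties 'msDS-AllowedDNSSuffixes'
$Allowed   = @($DomainObj.'msDS-AllowedDNSSuffixes' | Where-Object { $_ })

# 2. Append only when missing. -Add appends to a multi-valued attribute;
#    -Replace would overwrite every suffix already present.
if ($Allowed -notcontains $NewSuffix) {
    Set-ADObject -Identity $DomainDN -Add @{ 'msDS-AllowedDNSSuffixes' = $NewSuffix }
    $Allowed += $NewSuffix
    Write-Host "Added $NewSuffix to msDS-AllowedDNSSuffixes on $DomainDN"
} else {
    Write-Host "$NewSuffix is already present; nothing changed"
}

# 3. Audit: the AD domain's own DNS name is always accepted; any other suffix
#    must be in msDS-AllowedDNSSuffixes or the client's update of
#    dNSHostName/servicePrincipalName fails (events 5788/5789 on the DC).
$AcceptedSuffixes = (@($Domain.DNSRoot) + $Allowed) | ForEach-Object { $_.ToLowerInvariant() }

Get-ADComputer -Filter * -Properties dNSHostName |
    Where-Object { $_.dNSHostName } |
    ForEach-Object {
        $suffix = ($_.dNSHostName -split '\.', 2)[1]
        if ($suffix -and ($AcceptedSuffixes -notcontains $suffix.ToLowerInvariant())) {
            [PSCustomObject]@{ Computer = $_.Name; dNSHostName = $_.dNSHostName; Suffix = $suffix }
        }
    } | Format-Table -AutoSize

# 4. Confirm the symptom is gone: look for recent 5788/5789 events on each DC.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'System'; Id = 5788, 5789 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue
    if ($events) {
        Write-Host "$dc still logs $($events.Count) suffix errors (most recent: $($events[0].TimeCreated))"
    }
}
```

Run the audit section before the change to see which computers are affected, and again after clients have restarted the Netlogon service or rebooted, since the attributes are only rewritten on the next dynamic update.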
With Windows 2000, the only workaround for this issue is to grant the Self principal the ability to write the dNSHostName and servicePrincipalName attributes for computer objects. Here are the steps:
Open ADSI Edit.
Right-click on the domain object and select Properties.
Click the Security tab.
Click the Add button.
Enter Self in the object picker and click OK.
Click the Advanced button.
Under the Name column, double-click on SELF.
Click the Properties tab.
Beside Apply onto, select Computer objects.
Under Permissions, check the Allow box for Write dNSHostName and Write servicePrincipalName.
Click OK until you close all the windows.
MS KB 258503 (DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ)