"Ace Fekay [MVP]" <PleaseSubstituteMyFirstName&(E-Mail Removed)>
wrote in news:OFFb#(E-Mail Removed):
> In news:(E-Mail Removed),
> Rob McShinsky <(E-Mail Removed)> posted his concerns then I replied
> down below:
>> Currently we have our client computers in a different DNS zone than
>> what their Fully Qualified Domain Name is. Example below:
>>
>> Machine belongs to domain: dhmcmaster.dh.hitchcock.org
>> Machine's DNS record is in: dhcp.hitchcock.org.
>
> So you are saying the machine's Primary DNS Suffix is set to
> dhcp.hitchcock.org, but joined to dhmcmaster.dh.hitchcock.org?
>
>>
>> What are some of the implications/limitations of having these client
>> records in a different zone than what their fully qualified domain
>> says? We currently have 5000+ clients and 160+ servers in our
>> environment. In smaller environments that I have worked for I have
>> always had them in the same zone following the fully qualified name.
>> I am trying to make a case for moving these records to the fully
>> qualified domain name.
>>
>> Thanks
>> Rob McShinsky
>
> It can lead to some confusion, but I don't think it's critical for a
> client machine. I remember one other gentleman that has this same
> setup, but you would need to add in the NIC properties to allow it to
> register the machine under the zone it belongs in. This is not a
> requirement, since after all many companies don't want to register
> their clients since they believe either that it clutters up DNS with
> all the client registrations, which are not really needed in most
> cases, or it may be a University or some other school where laptops,
> PDAs, etc., are constantly signing on and off and to have their records
> registered is just overhead and not needed.
>
> On a DC, the Primary DNS Suffix is what the netlogon service uses and
> what the client machines use to register into DNS. If you do need
> registration, you would need to provide (especially on the DCs) the
> extra suffix to register into. It's recommended at least on a DC
> to set the proper Primary DNS Suffix of the domain that it's a domain
> controller for; otherwise, it's your choice and your administration
> overhead to have clients register in the zone or some other zone that
> it's not a member of.
>
> --
> Regards,
> Ace
>
> Please direct all replies to the newsgroup so all can benefit.
>
> Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> Microsoft Windows MVP - Active Directory
> --
> =================================
>
>
In MS terms, this is known as a 'disjoint namespace' and there are a
couple of issues that *may* occur because of it. In particular, updates
to the 'dnsHostName' and 'servicePrincipalName' attributes of Computer
objects are 'validated writes' and will fail if the client DNS name
doesn't match the AD DNS domain name. The symptoms are usually 5788 and
5789 errors from NETLOGON.
The fix is fairly simple; change the permissions on the above-mentioned
attributes to grant 'Self' R/W access. This bypasses the validated write
restriction and allows the clients to update their own attributes. There
is a potential denial of service with this approach since any computer
could update the SPN and advertise services. Exchange 2000, SQL Server
and many other applications need to update the SPN so it's required in
some circumstances...
Search the MS support site with "disjoint namespace" for further
information.
Wayne
--
Standard Disclaimer: I said it, they didn't, so blame me, not them!
Spam Avoidance: My reply address is invalid to confuse the spambots.
You can reach me at 'Wayne_Tilton at yahoo dot com'
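An added example, not code from either poster: a PowerShell check that reports whether a domain-joined host is in the disjoint-namespace situation Wayne describes (Primary DNS Suffix differing from the AD domain) and whether NETLOGON has already logged the 5788/5789 validated-write errors. It assumes it runs on the client itself with rights to read the System event log; the event provider name 'NETLOGON' used in the filter is an assumption.

```powershell
# Added example (not from the thread). Assumptions: domain-joined Windows host,
# read access to the System event log, and that Netlogon writes events
# 5788/5789 under the provider name 'NETLOGON'.

function Get-DisjointNamespaceReport {
    # Primary DNS Suffix: the name the client registers into DNS with
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = $tcpip.Domain

    # DNS name of the AD domain the computer account actually belongs to
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $adDomain = $cs.Domain

    # Events 5788/5789: dnsHostName / servicePrincipalName update rejected
    # because the validated write did not match the AD DNS domain name
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5788, 5789
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Host             = $cs.DNSHostName
        PartOfDomain     = $cs.PartOfDomain
        ADDomain         = $adDomain
        PrimaryDnsSuffix = $suffix
        # -ne is case-insensitive in PowerShell, matching DNS semantics
        Disjoint         = $cs.PartOfDomain -and ($suffix -ne $adDomain)
        NetlogonErrors   = @($events).Count
        LastNetlogonError = if ($events) { ($events | Sort-Object TimeCreated)[-1].TimeCreated } else { $null }
    }
}

$r = Get-DisjointNamespaceReport
$r | Format-List

if ($r.Disjoint) {
    Write-Warning ("Disjoint namespace: suffix '{0}' vs AD domain '{1}'. " +
                   "Expect validated-write failures on dnsHostName/servicePrincipalName " +
                   "({2} NETLOGON 5788/5789 events found).") -f $r.PrimaryDnsSuffix, $r.ADDomain, $r.NetlogonErrors
}
```

A NetlogonErrors count of zero on a disjoint host only means no update has failed yet; a host that has never tried to write its SPN will show clean until it does.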