The University of Washington has an unusual and complex DNS configuration. The root is washington.edu. The next level of domain names are assigned to different organizations within the University. The UW-IT networking team is managing literally hundreds of DNS zones and IP address blocks under washington.edu. The DNS servers managing these UW zones are not AD-integrated.
I wanted to have a static IP on my main UW PC so I could run a test web server. I had to make a request to our Network Operations folks for this static IP. My department has long used the zone cac.washington.edu for its computers, so the IP for my PC was assigned out of that zone.
My department manages an Active Directory domain that is named netid.washington.edu. This domain provides Windows authentication services to the UW community, most of whom have a UW NetID which maps to a user object in our NETID domain. Consequently I wanted to join my PC to this domain for ease of accessing those services that leverage its authentication. Because the computer’s DNS suffix (cac.washington.edu) does not match the domain’s DNS name (netid.washington.edu), joining it this way results in a non-standard AD configuration known as a disjoint DNS namespace.
What is a Computer DNS Suffix?
The DNS suffix of a computer is the part of the computer’s DNS name that follows the host name element. If you have a computer named mypc.accounting.contoso.com, the host name is mypc and the DNS suffix is accounting.contoso.com. Do not confuse this with the “connection-specific DNS suffix,” which is a per-network-adapter TCP/IP setting. The computer DNS suffix can be set or viewed in several different places. You can view the Full computer name on the System Properties Control Panel applet’s Computer Name page. You can use the netdom.exe tool with the command line “netdom computername <name> /enum”, which BTW fails under some circumstances related to a disjoint DNS suffix. The Windows API GetComputerNameEx will also return it (this is the call that netdom is making under the covers). Finally you can use your favorite AD browsing tool to look at the computer object’s dNSHostName attribute. More below on setting and changing the computer DNS suffix.
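As an added example (my own script, not part of the original post or any Microsoft tool), here is how to pull the computer DNS suffix out of GetComputerNameEx the same way netdom does, read the dNSHostName attribute off the computer object, and compare the suffix with the joined domain’s DNS name to decide whether the machine is in a disjoint namespace. The function names and the P/Invoke wrapper are mine; the COMPUTER_NAME_FORMAT constants are the documented values from winbase.h.

```powershell
# Added example: detect a disjoint DNS namespace on the local machine.
# Wrap the Win32 API the post mentions (GetComputerNameEx) via P/Invoke.
Add-Type -Namespace Win32 -Name ComputerName -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool GetComputerNameEx(int NameType, System.Text.StringBuilder lpBuffer, ref uint lpnSize);
'@

# COMPUTER_NAME_FORMAT values from winbase.h
$ComputerNameNetBIOS     = 0
$ComputerNameDnsHostname = 1
$ComputerNameDnsDomain   = 2   # the primary DNS suffix

function Get-ComputerNameEx {
    param([int]$NameType)
    $size = [uint32]256
    $buf  = New-Object System.Text.StringBuilder ([int]$size)
    if (-not [Win32.ComputerName]::GetComputerNameEx($NameType, $buf, [ref]$size)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetComputerNameEx($NameType) failed, Win32 error $err"
    }
    return $buf.ToString()
}

function Test-DisjointDnsNamespace {
    $netbios  = Get-ComputerNameEx $ComputerNameNetBIOS
    $hostName = Get-ComputerNameEx $ComputerNameDnsHostname
    $suffix   = Get-ComputerNameEx $ComputerNameDnsDomain
    $cs       = Get-CimInstance Win32_ComputerSystem

    if (-not $cs.PartOfDomain) {
        # Workgroup machine: a suffix may be set, but there is no AD domain to be disjoint from.
        return [pscustomobject]@{
            HostName = $hostName; DnsSuffix = $suffix; AdDomain = $null
            AdDnsHostName = $null; IsDisjoint = $false
        }
    }

    # DNS name of the joined domain, e.g. netid.washington.edu
    $adDomain = $cs.Domain

    # dNSHostName on the computer object, read via ADSI; the computer's
    # sAMAccountName is its NetBIOS name followed by '$'.
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$netbios`$))"
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    $entry = $searcher.FindOne()
    $adDnsHostName = if ($entry) { [string]$entry.Properties['dnshostname'][0] } else { $null }

    [pscustomobject]@{
        HostName      = $hostName
        DnsSuffix     = $suffix
        AdDomain      = $adDomain
        AdDnsHostName = $adDnsHostName
        # Disjoint = joined to AD but carrying a suffix other than the domain's DNS name
        IsDisjoint    = ($suffix -ne '') -and ($suffix -ine $adDomain)
    }
}

Test-DisjointDnsNamespace | Format-List
```

Run it in an elevated or a normal PowerShell session on the joined PC; it needs line of sight to a domain controller for the dNSHostName lookup, and the rest works offline. A mismatch between DnsSuffix and AdDnsHostName’s suffix is the first thing to look at when a rename or a netdom command misbehaves on a disjoint machine.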
Ramifications of a Disjoint DNS Namespace
Active Directory provides the means of limiting the DNS namespaces that joined computers can employ. There is an attribute on the domain object that exists for this purpose. You can set the msDS-AllowedDNSSuffixes attribute to contain the list of allowable computer DNS suffixes. If you do this, attempts to join a computer with a different DNS suffix will fail. Having said this, it must be pointed out that there is an enormous amount of misinformation around the use of this domain attribute. Unfortunately the biggest source of this misinformation is Microsoft’s Exchange team documentation and best practice analyzers. They claim that this attribute must be set to contain all DNS suffixes in your disjoint namespace or unspecified bad things will happen. Well, the reality is this is plain wrong. You can have computers with different DNS suffixes joined to your domain and it will have no effect at all on Exchange. The UW has no values set on its msDS-AllowedDNSSuffixes attribute for the NetID domain and it runs an Exchange 2010 service in that domain with no issues. However, I am not making any claims about the DNS names of the Exchange servers themselves. They may be limited to the domain DNS name for their suffixes, but I just don’t know one way or the other.
Setting or Changing a Computer’s DNS Suffix
When you initially install Windows there is no DNS suffix. If you name your PC “mypc” then the System Properties Computer Name page will say its full computer name is “mypc”. You can give it a DNS suffix by clicking the “Change” button on the Computer Name page. This will bring up the “Computer Name/Domain Changes” dialog (I am using Windows 7 as an example but Vista and Windows 8 are similar). Wait, don’t change anything, you aren’t there yet. You have to click the More button which brings up the “DNS Suffix and NetBIOS Computer Name” dialog. Yikes, dialogs opening dialogs opening dialogs! If I remember correctly, this behavior goes all the way back to Windows 2000. I worked on that team and can attest that much of the UI was designed by developers such as myself who had no real understanding of usability. But I digress. The “DNS Suffix” dialog is shown below:
Note the checkbox “Change primary DNS suffix when domain membership changes”. This is very important in relation to AD and disjoint namespaces. If you do not want a disjoint namespace, leave this box checked. The computer will automatically be given the domain’s DNS name as its DNS suffix when you join it to AD. In fact, this is the default: if you join a computer to a domain without ever visiting this dialog, it will be named to conform with the domain’s DNS name. However, if you want your computer to have a different DNS suffix, then you must uncheck this checkbox and fill in the desired DNS suffix.
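To tie the two halves of this together, here is an added example (my own script, not from the original post) that reads the machine-side settings behind the “DNS Suffix and NetBIOS Computer Name” dialog and the domain-side msDS-AllowedDNSSuffixes list discussed under Ramifications above, then reports whether a given suffix would pass the join check the way that section describes it. The registry location (Tcpip\Parameters with the “NV Domain” and SyncDomainWithMembership values) is the documented backing store for the dialog; the function names are mine, the sample suffix list is constructed for illustration, and treating a missing SyncDomainWithMembership value as “checked” is my assumption based on the default described in the post.

```powershell
# Added example: audit the primary DNS suffix settings and the domain's
# allowed-suffix list, then model the join rule the post describes.

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsSuffixSettings {
    # 'NV Domain' is the primary DNS suffix typed into the dialog;
    # SyncDomainWithMembership (1/0) is the "Change primary DNS suffix when
    # domain membership changes" checkbox.
    $p = Get-ItemProperty -Path $tcpipParams
    $sync = $p.SyncDomainWithMembership
    if ($null -eq $sync) { $sync = 1 }   # assumption: missing value behaves as the default (checked)
    [pscustomobject]@{
        PrimaryDnsSuffix               = [string]$p.'NV Domain'
        SyncSuffixWithDomainMembership = [bool]$sync
    }
}

function Get-AllowedDnsSuffixes {
    # msDS-AllowedDNSSuffixes lives on the domain root object.
    # An empty list means the domain places no restriction on computer suffixes.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    @($domain.PSBase.Properties['msDS-AllowedDNSSuffixes'] | ForEach-Object { [string]$_ })
}

function Test-JoinAllowedBySuffix {
    # Models the rule from the post: with the attribute unset, any suffix joins;
    # once it is populated, the computer's suffix must appear in the list.
    param(
        [Parameter(Mandatory)][string]$CandidateSuffix,
        [AllowEmptyCollection()][string[]]$AllowedSuffixes = @()
    )
    if ($AllowedSuffixes.Count -eq 0) { return $true }
    return [bool]($AllowedSuffixes | Where-Object { $_ -ieq $CandidateSuffix })
}

# Machine side
$settings = Get-DnsSuffixSettings
$settings | Format-List

# Domain side (requires a reachable domain controller)
$allowed = Get-AllowedDnsSuffixes
"Allowed suffixes on domain root: $(if ($allowed.Count) { $allowed -join ', ' } else { '<none set>' })"

# Would this machine's current suffix be accepted by the domain as configured?
"Current suffix '$($settings.PrimaryDnsSuffix)' allowed: $(Test-JoinAllowedBySuffix $settings.PrimaryDnsSuffix $allowed)"

# Constructed illustration of the restricted case (not read from any real domain)
$sampleList = @('netid.washington.edu', 'cac.washington.edu')
"cac.washington.edu against sample list: $(Test-JoinAllowedBySuffix 'cac.washington.edu' $sampleList)"   # True
"example.org against sample list:        $(Test-JoinAllowedBySuffix 'example.org' $sampleList)"           # False
```

Reading the registry needs no special rights, so this is a handy way to confirm the checkbox state on a machine before you rename it or move it between domains; writing to msDS-AllowedDNSSuffixes is a domain-admin change and, as the Ramifications section says, one you generally do not need to make at all.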
I will discuss more ramifications of a disjoint DNS namespace in a subsequent blog post. A particularly thorny issue is renaming an AD-joined computer that has a disjoint DNS suffix.