Recipe 13.17 Allowing Computers to Use a Different Domain Suffix from Their AD Domain

13.17.1 Problem

You want to allow computers to use a different DNS domain suffix from that of the AD domain they are members of.

13.17.2 Solution
13.17.2.1 Using a graphical user interface
13.17.2.2 Using a command-line interface

Create an LDIF file called add_dns_suffix.ldf with the following contents:

    dn: <DomainDN>
    changetype: modify
    add: msDS-AllowedDNSSuffixes
    msDS-AllowedDNSSuffixes: <DNSSuffix>
    -

then run the following command:

    > ldifde -v -i -f add_dns_suffix.ldf

13.17.2.3 Using VBScript

    ' This code adds a domain suffix that can be used by clients in the domain.
    ' ------ SCRIPT CONFIGURATION ------
    strDNSSuffix = "<DNSSuffix>"      ' e.g. othercorp.com
    strDomain    = "<DomainDNSName>"  ' e.g. amer.rallencorp.com
    ' ------ END CONFIGURATION ---------
    Const ADS_PROPERTY_APPEND = 3     ' append to a multi-valued attribute

    set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
    set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))

    ' msDS-AllowedDNSSuffixes is multi-valued. PutEx with APPEND keeps any
    ' suffixes already present; Put would replace them all with this one value.
    objDomain.PutEx ADS_PROPERTY_APPEND, "msDS-AllowedDNSSuffixes", Array(strDNSSuffix)
    objDomain.SetInfo
    WScript.Echo "Added " & strDNSSuffix & " to suffix list."

13.17.3 Discussion

Windows 2000, Windows XP, and Windows Server 2003 member computers dynamically maintain the dNSHostName and servicePrincipalName attributes of their corresponding computer object in Active Directory with their current host name. By default, those attributes can only contain host names whose DNS suffix is equal to the Active Directory domain the computer is a member of. If the computer's DNS suffix is not equal to the Active Directory domain, 5788 and 5789 events are generated in the System event log on the domain controllers the clients attempt to update. These events report that the dNSHostName and servicePrincipalName attributes could not be updated because of an incorrect domain suffix.

For Windows Server 2003 domains, you can avoid this by adding the computer's DNS suffix to the msDS-AllowedDNSSuffixes attribute on the domain object (e.g., dc=rallencorp,dc=com). With Windows 2000, the only workaround for this issue is to grant the Self principal the ability to write the dNSHostName and servicePrincipalName attributes for computer objects. Here are the steps:
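To make the suffix rule from the Discussion concrete, here is an added Python script (not from the book, and not how a domain controller actually implements the check; it is a model of the rule as the Discussion states it). It generates the same LDIF text the command-line solution uses and audits a computer's proposed dNSHostName and SPNs against the domain name plus the msDS-AllowedDNSSuffixes list, before and after othercorp.com is allowed. The domain and host names are the recipe's placeholder values, used here as constructed sample data; the functions build_ldif, suffix_allowed, audit_computer and demo are this example's own.

```python
# Added example (not from the book): models the DNS-suffix rule the Discussion
# describes and emits a correctly formatted LDIF file for the fix.
from typing import Iterable, List, Tuple


def build_ldif(domain_dn: str, dns_suffix: str) -> str:
    """Return LDIF text that adds dns_suffix to msDS-AllowedDNSSuffixes on the
    domain object: the 'changetype: modify' / 'add:' form the recipe's
    add_dns_suffix.ldf uses, including the trailing '-' terminator."""
    return "\n".join([
        f"dn: {domain_dn}",
        "changetype: modify",
        "add: msDS-AllowedDNSSuffixes",
        f"msDS-AllowedDNSSuffixes: {dns_suffix}",
        "-",
        "",
    ])


def suffix_allowed(fqdn: str, domain_dns_name: str,
                   allowed_suffixes: Iterable[str]) -> bool:
    """True if the suffix of fqdn is the AD domain's DNS name or one of the
    msDS-AllowedDNSSuffixes values. DNS names compare case-insensitively."""
    host, dot, suffix = fqdn.partition(".")
    if not host or not dot or not suffix:
        return False  # a bare host name carries no suffix to validate
    suffix = suffix.rstrip(".").lower()
    if suffix == domain_dns_name.rstrip(".").lower():
        return True
    return suffix in {s.rstrip(".").lower() for s in allowed_suffixes}


def audit_computer(dns_host_name: str, spns: Iterable[str],
                   domain_dns_name: str,
                   allowed_suffixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs a DC would refuse to store because the
    value's DNS suffix is neither the domain name nor an allowed suffix.
    These are the failed updates behind the 5788/5789 events."""
    allowed = list(allowed_suffixes)
    rejected: List[Tuple[str, str]] = []
    if not suffix_allowed(dns_host_name, domain_dns_name, allowed):
        rejected.append(("dNSHostName", dns_host_name))
    for spn in spns:
        # SPN form is service/host[:port]; only the host part carries a suffix.
        _service, slash, target = spn.partition("/")
        if not slash:
            continue  # malformed SPN, nothing to validate
        target_host = target.split(":", 1)[0]
        if "." in target_host and not suffix_allowed(
                target_host, domain_dns_name, allowed):
            rejected.append(("servicePrincipalName", spn))
    return rejected


# Constructed sample: a member of amer.rallencorp.com whose primary DNS suffix
# is othercorp.com (the recipe's placeholder names, not real hosts).
DOMAIN = "amer.rallencorp.com"
COMPUTER_FQDN = "wks01.othercorp.com"
COMPUTER_SPNS = ["HOST/WKS01", "HOST/wks01.othercorp.com"]


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run the audit before and after othercorp.com is allowed."""
    before = audit_computer(COMPUTER_FQDN, COMPUTER_SPNS, DOMAIN, [])
    after = audit_computer(COMPUTER_FQDN, COMPUTER_SPNS, DOMAIN, ["othercorp.com"])
    return before, after


if __name__ == "__main__":
    print(build_ldif("dc=rallencorp,dc=com", "othercorp.com"))
    before, after = demo()
    print("rejected before allowing suffix:", before)
    print("rejected after allowing suffix: ", after)
```

Running the script shows both the dNSHostName value and the fully qualified HOST SPN being rejected until othercorp.com is in the allowed list, while the short HOST/WKS01 SPN passes either way because it has no suffix to check. The same audit function can be pointed at an export of computer objects to find which machines will keep logging 5788/5789 events after a suffix change.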
13.17.4 See Also

MS KB 258503 (DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ)