We can't join any computers at the remote office to the main office domain controller.
The main office IP address range is 192.168.1.0/24 and the remote office IP range is 192.168.4.0/24.
The firewall is correctly routing back to the main office and I think the DNS is set up correctly, unless I need to add the remote office subnet into my DNS setup somehow.
At the remote office I can ping computers, servers and printers at the main office. I can map drives to the domain controller and all our servers. I have had the company that set up the IPSEC VPN look at the traffic and there aren't any ports being blocked. I have added computers to the domain in the main office and put them on the network at the remote office, and I can log in to that computer without my profile; it will log in to the domain, create a local Windows profile and automatically map my network drives to the servers at the main office, so I believe I am authenticating to the domain controller.
When trying to add computers to the domain at the remote office, the details are as follows:
The domain name "XYZ" might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "XYZ":
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
Change the Data Value of the newly created registry entry from 0 to 1
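As an added example (not part of the post or its replies), a PowerShell check that walks the same DNS lookups the domain-join error describes: the SRV record the Windows DC locator queries, the A/AAAA records for each domain controller it names, and whether that controller answers on the advertised port. It assumes the DnsClient and NetTCPIP cmdlets are available; the domain name and the resolver address are constructed sample values.

```powershell
# Added example, not from the original post. Reproduces the DC locator's DNS lookups so
# each cause listed in the join error can be checked in turn. The SRV record name
# _ldap._tcp.dc._msdcs.<domain> is the standard one the Windows DC locator queries.
function Test-DcLocatorDns {
    param(
        [Parameter(Mandatory)][string]$DomainName,   # FQDN, or a single-label name such as "XYZ"
        [string]$DnsServer                            # optional: the resolver the remote office uses
    )
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $resolveArgs = @{ Name = $srvName; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }

    # Step 1: the SRV record. Without it the client cannot discover any DC through DNS and
    # a single-label name falls back to NetBIOS/WINS resolution.
    try { $srv = Resolve-DnsName @resolveArgs | Where-Object Type -eq 'SRV' }
    catch { return [pscustomobject]@{ Domain = $DomainName; SrvFound = $false; Error = $_.Exception.Message } }
    if (-not $srv) { return [pscustomobject]@{ Domain = $DomainName; SrvFound = $false; Error = 'No SRV answer' } }

    foreach ($rec in $srv) {
        # Step 2: the A/AAAA record for each DC the SRV record names (first cause in the error).
        $addrArgs = @{ Name = $rec.NameTarget; Type = 'A_AAAA'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $addrArgs['Server'] = $DnsServer }
        $addrs = Resolve-DnsName @addrArgs |
            Where-Object { $_.Type -in 'A', 'AAAA' } |
            Select-Object -ExpandProperty IPAddress

        # Step 3: the DC must answer on the LDAP port the SRV record advertises
        # (second cause: registered in DNS but offline or unreachable across the VPN).
        $reachable = $false
        foreach ($ip in $addrs) {
            $tnc = Test-NetConnection -ComputerName $ip -Port $rec.Port -WarningAction SilentlyContinue
            if ($tnc.TcpTestSucceeded) { $reachable = $true }
        }
        [pscustomobject]@{
            Domain    = $DomainName
            SrvFound  = $true
            DcName    = $rec.NameTarget
            Port      = $rec.Port
            Addresses = ($addrs -join ',')
            Reachable = $reachable
        }
    }
}

# Usage (constructed values): compare what the client's default resolver returns with what the
# main-office DNS server returns, to see whether the remote office is getting a different answer.
Test-DcLocatorDns -DomainName 'corp.example.com' | Format-Table -AutoSize
Test-DcLocatorDns -DomainName 'corp.example.com' -DnsServer '192.168.1.10' | Format-Table -AutoSize
```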
Summary
This article contains information about the deployment and operation of Active Directory
domains that are configured by using single-label DNS names. The desire to remove the
single label domain configuration is a frequent reason to rename a domain. The application
compatibility information in this article applies to all scenarios in which you might consider
renaming a domain.
For the following reasons, the best practice is to create new Active Directory domains that
have fully qualified DNS names:
Examples of applications that are incompatible with domain renaming include, but are not
limited to, the following products:
More Information
Best-practice Active Directory domain names consist of one or more subdomains combined with a top-level domain, separated by a dot character ("."). The following are some examples:
contoso.com
corp.contoso.com
Single-label names consist of a single word like "contoso".
The top-level domain occupies the rightmost label in a domain name. Common top-level
domains include the following:
.com
.net
.org
Two-letter country code top level domains (ccTLD) such as .nz
Active Directory domain names should consist of two or more labels, for compatibility and reliability with current and future operating systems and applications.
Invalid top-level domain queries reported by the ICANN Security and Stability Advisory Committee can be found at http://www.icann.org/en/groups/ssac/documents/sac-045-en.pdf
We recommend that you register DNS names for the top-most internal and external DNS namespaces with an Internet registrar. This includes the forest root domain of any Active Directory forests, unless such names are subdomains of DNS names that are registered by your organization (for example, the forest root domain "corp.example.com" is a subdomain of an internal "example.com" namespace). Registering your DNS names with an Internet registrar lets Internet DNS servers resolve your domain now or at some point over the life of your Active Directory forest, and helps prevent possible name collisions with other organizations.
If you use a single-label DNS name in your environment, clients may be unable to dynamically register DNS records in a single-label forward lookup zone. Specific symptoms vary according to the version of Microsoft Windows that is installed.
Windows-based computers that are configured for DNS dynamic updates will not register in a single-label domain. Warning events that resemble the following examples are recorded in the System log of the computer:
DNS_ERROR_RCODE_ERROR
RCODE_SERVER_FAILURE
By default, Windows does not send updates to top-level domains. However, you can change this behavior by using one of the methods that are described in this section. Use one of the following methods to enable Windows-based clients to perform dynamic updates to single-label DNS zones.
Also, without modification, an Active Directory domain member in a forest that contains no domains that have single-label DNS names does not use the DNS Server service to locate domain controllers in domains that have single-label DNS names in other forests. Client access to the domains that have single-label DNS names fails if NetBIOS name resolution is not configured correctly.
Important This section, method, or task contains steps that tell you how to modify the
registry. However, serious problems might occur if you modify the registry incorrectly.
Therefore, make sure that you follow these steps carefully. For added protection, back up
the registry before you modify it. Then, you can restore the registry if a problem occurs. For
more information about how to back up and restore the registry, click the following article
number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
On a Windows-based computer, an Active Directory domain member requires additional
configuration to support single-label DNS names for domains. Specifically, the domain
controller locator on the Active Directory domain member does not use the DNS server
service to locate domain controllers in a domain that has a single-label DNS name unless
that Active Directory domain member is joined to a forest that contains at least one domain,
and this domain has a single-label DNS name.
To enable an Active Directory domain member to use DNS to locate domain controllers in
domains that have single-label DNS names that are in other forests, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the details pane, locate the AllowSingleLabelDnsDomain entry. If the AllowSingleLabelDnsDomain entry does not exist, follow these steps:
   1. On the Edit menu, point to New, and then click DWORD Value.
   2. Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.
4. Double-click the AllowSingleLabelDnsDomain entry.
5. In the Value data box, type 1, and then click OK.
6. Exit Registry Editor.
DNS client configuration
Active Directory domain members and domain controllers that are in a domain that has a
single-label DNS name typically must dynamically register DNS records in a single-label
DNS zone that matches the DNS name of that domain. If an Active Directory forest root
domain has a single-label DNS name, all domain controllers in that forest typically must
dynamically register DNS records in a single-label DNS zone that matches the DNS name of
the forest root.
By default, Windows-based DNS client computers do not attempt dynamic updates of the
root zone "." or of single-label DNS zones. To enable Windows-based DNS client computers
to try dynamic updates of a single-label DNS zone, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
3. In the details pane, locate the UpdateTopLevelDomainZones entry. If the UpdateTopLevelDomainZones entry does not exist, follow these steps:
   1. On the Edit menu, point to New, and then click DWORD Value.
   2. Type UpdateTopLevelDomainZones as the entry name, and then press ENTER.
4. Double-click the UpdateTopLevelDomainZones entry.
5. In the Value data box, type 1, and then click OK.
6. Exit Registry Editor.
These configuration changes should be applied to all domain controllers and members of a
domain that have single-label DNS names. If a domain that has a single-label domain name
is a forest root, these configuration changes should be applied to all the domain controllers
in the forest, unless the separate zones _msdcs.ForestName, _sites.ForestName,
_tcp.ForestName, and _udp.ForestName are delegated from the ForestName zone.
For the changes to take effect, restart the computers where you changed the registry
entries.
Notes
For Windows Server 2003 and later versions, the UpdateTopLevelDomainZones entry
has moved to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
On a Microsoft Windows 2000 SP4-based domain controller, the computer will
report the following name registration error in the System event log if the
UpdateTopLevelDomainZones setting is not enabled:
On a Windows 2000 SP4-based domain controller, you must restart your computer
after you add the UpdateTopLevelDomainZones setting.
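As an added example (not the article's own code), a PowerShell audit of the two registry values described above, with an opt-in remediation that creates the same DWORD entries the regedit steps create. The service-key paths and value names are the ones the article gives; the policy-key path is the one the Notes give for Windows Server 2003 and later. Function names and the Purpose strings are this example's own.

```powershell
# Added example, not from the original article. Reads and optionally sets the registry
# values the article describes. Run elevated; the article says a restart is needed afterwards.
$SingleLabelDnsSettings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'AllowSingleLabelDnsDomain'; Purpose = 'DC locator uses DNS for single-label domains' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters'
       Name = 'UpdateTopLevelDomainZones'; Purpose = 'DNS client registers in single-label zones' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'UpdateTopLevelDomainZones'; Purpose = 'Same setting when delivered by Group Policy' }
)

function Get-SingleLabelDnsConfig {
    foreach ($s in $SingleLabelDnsSettings) {
        $value = $null
        if (Test-Path $s.Path) {
            $value = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Path    = $s.Path
            Name    = $s.Name
            Value   = $value            # $null means the entry does not exist
            Enabled = ($value -eq 1)    # the article's steps set the DWORD to 1
            Purpose = $s.Purpose
        }
    }
}

function Set-SingleLabelDnsConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$IncludePolicyKey)   # the policy key is normally written by Group Policy, not by hand
    foreach ($s in $SingleLabelDnsSettings) {
        if ($s.Path -like 'HKLM:\SOFTWARE\Policies\*' -and -not $IncludePolicyKey) { continue }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", 'Set DWORD to 1')) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            # Set-ItemProperty creates the DWORD if it is missing and overwrites it in place otherwise.
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value 1 -Type DWord
        }
    }
}

# Usage: audit first, then apply (-WhatIf shows the writes without making them).
Get-SingleLabelDnsConfig | Format-Table Name, Enabled, Value, Path -AutoSize
Set-SingleLabelDnsConfig -WhatIf
```

Run the audit across all domain controllers and members of the single-label domain, since the article says the change is needed on every one of them.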
Use Group Policy to enable the Update Top Level Domain Zones policy and the Location of
the DCs hosting a domain with single label DNS name policy as specified in the following
table under the folder location on the root domain container in Users and Computers, or on
all organizational units (OUs) that host computer accounts for member computers, and for
domain controllers in the domain.
Policy: Update Top Level Domain Zones
Folder location: Computer Configuration\Administrative Templates\Network\DNS Client

Policy: Location of the DCs hosting a domain with single label DNS name
Folder location: Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records
Note These policies are supported only on Windows Server 2003-based computers and on
Windows XP-based computers.
To enable these policies, follow these steps on the root domain container:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Under Local Computer Policy, expand Computer Configuration.
3. Expand Administrative Templates.
4. Enable the Update Top Level Domain Zones policy. To do this, follow these steps:
1. Expand Network.
2. Click DNS Client.
3. In the details pane, double-click Update Top Level Domain Zones.
4. Click Enabled.
5. Click Apply, and then click OK.
5. Enable the Location of the DCs hosting a domain with single label DNS name policy.
To do this, follow these steps:
1. Expand System.
2. Expand Net Logon.
3. Click DC Locator DNS Records.
4. In the details pane, double-click Location of the DCs hosting a domain with
single label DNS name.
5. Click Enabled.
6. Click Apply, and then click OK.
6. Exit Group Policy.
For more information about how to use the Group Policy Object Editor to manage local
computer policy, click the following article number to view the article in the Microsoft
Knowledge Base:
307882 How to use the Group Policy Editor to manage local computer policy in Windows XP
On Windows Server 2003-based and later DNS servers, make sure that root servers are not created unintentionally.
On Windows 2000-based DNS servers, you may have to delete the root zone "." for the DNS records to be declared correctly. The root zone is automatically created when the DNS Server service is installed if the DNS Server service cannot reach the root hints. This issue was corrected in later versions of Windows.
Root servers may also be created by the Dcpromo Wizard. If the "." zone exists, a root server has been created: the server then treats itself as authoritative for the whole namespace and will not recurse to resolve outside names. For name resolution to work correctly, you may have to remove this zone.
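As an added example (not the article's own code), a PowerShell check that detects an unintended root zone "." on a Windows DNS server and, only on request, removes it. It assumes the DnsServer module (Windows Server 2012 and later); the article's own procedure is for the DNS console, and the function name is this example's own.

```powershell
# Added example, not from the original article. Reports whether a "." zone exists on a DNS
# server, shows whether root hints are configured, and removes the zone only with -Remove.
function Test-DnsRootZone {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Remove
    )
    $root = Get-DnsServerZone -ComputerName $ComputerName -Name '.' -ErrorAction SilentlyContinue
    $hints = @(Get-DnsServerRootHint -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    if (-not $root) {
        Write-Verbose "No root zone on $ComputerName; $($hints.Count) root hint(s) configured."
        return $false
    }
    # A "." zone makes this server authoritative for the entire namespace, so names it does not
    # host get a negative answer instead of being resolved through root hints or forwarders.
    Write-Warning ("Root zone '.' exists on {0} (type: {1}, AD-integrated: {2}); {3} root hint(s) present." -f
        $ComputerName, $root.ZoneType, $root.IsDsIntegrated, $hints.Count)
    if ($Remove -and $PSCmdlet.ShouldProcess("$ComputerName zone '.'", 'Remove root zone')) {
        Remove-DnsServerZone -ComputerName $ComputerName -Name '.' -Force
        return $false
    }
    return $true
}

# Usage: report only, then preview the removal without performing it.
Test-DnsRootZone -Verbose
Test-DnsRootZone -Remove -WhatIf
```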
New and modified DNS policy settings for Windows Server 2003 and later versions