Re: Single label Domains
From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 03/10/04
- Next message: Bob Qin [MSFT]: "RE: DNS server"
- Previous message: Ace Fekay [MVP]: "Re: DNS server"
- In reply to: Animesh: "Single label Domains"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 9 Mar 2004 21:39:31 -0500
In news:d2261a81.0403090438.34a48451@posting.google.com,
Animesh <anim_sin@hotmail.com> posted their thoughts, then I offered mine
> Hi Ace,
>
> After I saw you speaking about it, I knew I desperately needed to refresh
> my memory about single label domains and other types. Although it
> might sound very naive, I really need to know it a little
> better.
>
> So if you can put your opinions or give me some KB links, that would
> be absolutely great.
>
> Regards,
> Animesh
Hi Animesh,
There's a lot of info on it. If you search back between myself and Kevin, you
can find a lot on it. Anymore, I just repost my previous stuff to save me
typing time. Hope you got some time to read all of this.............
Here's a post from Mike Snyder about it from last year:
=====================================================
=====================================================
=====================================================
=====================================================
Michael Snyder [MSFT] wrote:
>> problem. DNS does not play well with single label names since a
>> single label name does not depict any sort of hierarchy, since DNS
>> is hierarchical based from the leaf nodes (such as "domainname") to the
>> next level (such as "com") to the top of the tree (the dot). DNS
>> cannot handle single label names, hence the issues revolving around
>> it.
Ace
> Ace, just a quick comment regarding your explanation below:
>
> Registration of single label names resulted in registration attempts
> hitting the root servers from so many mis-configured networks on the
> internet that a report on W2k prior to SP4 indicated that Windows
> DDNS updates were responsible for a significant portion of traffic to
> the root servers. To be better internet citizens, W2k3, XP, and W2k
> after SP4 stopped attempting DDNS updates on single label names by
> default.
>
> The recommendation to avoid single label names is simply a
> recommendation to be a good internet citizen. The system can handle
> single label names, but we highly encourage users to avoid using them
> because it is too easy for users to create problems for themselves
> and others when they use single label names and later want to
> interoperate with other organizations over the internet.
>
>> Depends on your scenario. If all part of the same AD domain, yes.
>> If not, no
=====================================================
=====================================================
=====================================================
=====================================================
Here's a repost from a conversation between Ulf and me:
=====================================================
=====================================================
=====================================================
=====================================================
Ulf B. Simon-Weidner wrote:
> In article <eo7UHAL2DHA.1924@TK2MSFTNGP10.phx.gbl>, Ace Fekay [MVP]
> says...
>> In news:MPG.1a6bf6c1e04011ab989892@msnews.microsoft.com,
>> Ulf B. Simon-Weidner <nospam2-ulf@usw-consulting.com> posted their
>> thoughts, then I offered mine
>>> Hi Kevin,
>>>
>>> inline:
>>>
>>> In article <eAgBdtH2DHA.1684@TK2MSFTNGP12.phx.gbl>, Kevin D.
>>> Goodknecht [MVP] says...
>>>> Interesting idea, if it works. But my question is how do you get
>>>> the member OS to use the trailing dot when looking for the Domain
>>>> SYSVOL share?
>>>>
>>> I don't need to. During Netlogon the clients are putting the list of
>>> policies together they need to apply. This is done by querying the
>>> parent objects (like OUs and Domains,..) via LDAP. The
>>> GPLink-Attribute of the objects will give them the full LDAP-Path to
>>> the policies in AD:
>>> [LDAP://CN={E040C8F8-F40D-4D54-94BA-33DFD82F9A88},CN=Policies,CN=System,DC=nwtraders,DC=msft;0][LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=nwtraders,DC=msft;0]
>>>
>>> Then they query the policy object in AD, and via the gPCFileSysPath
>>> they retrieve the full UNC-Path to the policy's location on sysvol:
>>>
>>> \\nwtraders.msft\SysVol\nwtraders.msft\Policies\{E040C8F8-F40D-4D54-94BA-33DFD82F9A88}
>>>
>>> Now they have the full location of the policy in sysvol.
>>>
>>> So if I run a script against AD to replace a single label UNC-Path
>>> like \\nwtraders\SysVol\nwtraders\Policies\{...}
>>> to
>>> \\nwtraders.\SysVol\nwtraders\Policies\{...}
>>>
>>> the client will most likely not change anything but query the
>>> policy with the full UNC it retrieved from AD.
>>>
>>> The only bad thing is that you'll have to adjust every newly created
>>> policy once, but the good thing is that it does not matter to how many
>>> locations it is or will be linked - the links remain the same.
>>>
>>>> There is another way it might be worth a shot to try. In the single
>>>> label domain zone I just created a zone named "domain", then put in a
>>>> blank record, and added "domain" to my domain search list, just as
>>>> Windows would do by appending the primary DNS suffix.
>>>>
>>> Also a great idea - I'm curious to see if it's working with policies
>>> or if it's running into timeouts going through the domain suffix
>>> search list for every policy.
>>>
>>> However, if the first method is working correctly (as I assume) it
>>> would be an easy fix for MS to have a "." behind every domain-fqdn in
>>> the GPO - makes it faster anyway since the clients do not try to
>>> append the primary dns-suffix if there's a dot at the end of the
>>> fqdn.
>>>
>>> Gruesse - Sincerely,
>>>
>>> Ulf B. Simon-Weidner
>>
>> Apparently the CNAME thing worked. I was curious too, after talking
>> to Kevin over the phone about this. I think we should forward it on
>> to our MVP Lead. I replied to Kevin's post in this thread concerning
>> this.
>>
>> --
>> Regards,
>> Ace
>>
> Hi Ace,
>
> that's OK if the CNAME worked, but I still think that it's a
> workaround which will be fixed more easily by adding a dot behind the
> fqdn in the policy:
>
> 1. the CNAME solution requires configuration on every client or
> through policy
> 2. configuring the DNS-Suffix search order is something I try to
> avoid since you produce multiple DNS-Requests which is not necessary
> 3. the dot behind the fqdn in the policy will prevent the client
> adding the domain-suffix first and therefore increase security
>
> If it's possible with your contacts I'd recommend having both
> solutions evaluated by MS. The CNAME is easier for the Administrator
> w/o a deep knowledge to implement, the dot might be a hotfix easily
> to apply to the OS and a centralized solution. You just change what's
> not working instead of a workaround.
>
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
=====================================================
=====================================================
=====================================================
=====================================================
Here's another:
=====================================================
=====================================================
=====================================================
=====================================================
---- Original Message ----
From: "Bala Natarajan [MSFT]" <balan@online.microsoft.com>
Newsgroups: microsoft.public.win2000.dns
Sent: Friday, June 20, 2003 12:20 AM
Subject: Re: WinXP, W2k Server DNS error
> If the client has a proper Primary DNS suffix tuhsd.214 ( no manually
> configured suffix search list ) they should normally append their
> Primary DNS suffix to resolve a single name through DNS
>
> I am not sure whether the xp client does not like the .214 in the
> domain name and so it fails to locate the DC through DNS
>
> A netmon trace will show whether the client tried to send out the
> query thsdc.tuhsd.214 in the DNS query packet when you ping the
> single label
>
> If it is not sending this , try this following section in the article
>
> Information About Configuring Windows 2000 for Domains with
> Single-Label WGID:162
> ID: 300684.KB.EN-US
>
> DCLocator Configuration
> -----------------------
> Windows XP Professional Active Directory domain members support
> single-label domain DNS names for Active Directory DNS names, but
> require additional configuration. Specifically, the domain controller
> locator on such domain members does not use DNS to locate domain
> controllers in a domain with a single-label DNS name, unless the domain
> member is joined to a forest that contains at least one domain with a
> single-label DNS name.
>
> Without modification, a domain member in a forest that does not
> contain any domains with single-label DNS names will not use DNS
> to locate domain controllers in domains with single-label DNS names in
> other forests. Client access to the domains with single-label DNS names
> fails if NetBIOS name resolution is not correctly configured.
>
> To enable such a domain member to use DNS to locate domain controllers
> in domains with single label DNS names in other forests, set the
> AllowSingleLabelDnsDomain (REG_DWORD) registry value to 0x1 under the
> following registry key on each domain member:
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
>
> --
> Bala Natarajan
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights. Please do not send email directly to this alias. This alias
> is for newsgroup purposes only.
>
>
> "Dave Masch" <dave.masch@tuhsd.org> wrote in message
> news:035d01c336b0$851621b0$a601280a@phx.gbl...
>> We have a lab set up and are testing a new domain. We
>> have Active Directory integrated DNS and are testing with
>> a windows XP machine and a windows 2000 machine both
>> pulling DHCP addresses from the domain controller. (the
>> domain controller is on a different network from the
>> workstations and we are using an IP helper to forward
>> DHCP requests). The domain controller that we have
>> created is named thsdc and the domain is tuhsd.214. When
>> we attempt to ping the domain controller using the
>> NetBIOS name with the 2000 machine, we have no problems.
>> When we ping the domain controller using the NetBIOS name
>> with XP, it fails to locate the name on the DNS server.
>> If we ping it with the fully qualified domain name,
>> (thsdc.tuhsd.214.), it will work. When we ping the 2000
>> workstation on the same network using the NetBIOS name,
>> it resolves and pings. We have set the DNS client to
>> append primary and connection specific DNS Suffixes, and
>> we have also tried explicitly defining which suffixes to
>> append, to no avail. The domain name is being distributed
>> by DHCP in the domain name scope option, and we have also
>> set the domain name of the client in the more button of
>> the computer name changes property screen. Do you have
>> any suggestions or Ideas on why this is not working?
>> Again, only our windows XP machine is being affected.
>> The 2000 machine works fine.
=====================================================
=====================================================
=====================================================
=====================================================
Another with renaming options:
=====================================================
=====================================================
=====================================================
=====================================================
The BIGGEST problem is that the domain is a single label name. That is NOT
good at all and creates multiple problems. Your domain name is called "SOL".
It should be in the form of "sol.com" or "sol.net" or "sol.michael", but
not just "SOL". The single name does not follow the hierarchical tree
structure of DNS.
A single label named domain was probably due to (with all due respect) lack
of research and knowledge with the way AD and DNS must be designed PRIOR to
an upgrade/migration. It's very important to do your homework on this
because it becomes difficult to change. However, since you have W2k3 being
used, you may be able to change the name. But in order to do this, you must
upgrade the W2k server first to W2k3 and raise the Forest Functional Level to
Native Mode. Here's a link on how to do that with W2k3:
Forest and Domain Functional Levels Explained:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/sag_levels.asp
Renaming domains - rendom.exe found in valueadd-msft-mgmt-domren folder on
CD:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/domainrename.asp
SP4 changed/stopped the fact of letting registrations work because MS found
that excessive DNS traffic was hitting the ISC Root servers with any machine
that had a single label name. It was just too much. So they stopped it. Now,
you can use a registry entry to force registration but this must be done on
ALL the machines in your domain.
Here is the fix that you can use for now. It's more of a bandaid, but will
not totally solve certain issues, but it will force registration of the SRV
records:
http://support.microsoft.com/?id=300684
This has to be done on all machines.
One BIG problem, however, if using single label names, GPOs will not work,
whether you use the registry entry mentioned in that link above or not. This
is because they look for the domain name when the GetGPOList function runs
on a client when it tries to "find" the GPO. The path it looks for is such
as this because the policies are found in the domain share:
\\domain.com\sysvol\domain.COM\Policies
In your case, it would be querying for:
\\SOL\sysvol\SOL\policies
In that case, it will not be able to find that domain name because it's
treating it as a HOST name. You can try to force this by ensuring there is a
blank HOST name called SOL with the IP addresses of one of the DCs, but from
other posters and tests, it doesn't appear to really work correctly. Also,
XP clients have difficulty querying this method, whether you put the
registration fix in it or not.
Sorry to be the bearer of bad news. I hope this helps in understanding your
dilemma and what your options are.
=====================================================
=====================================================
=====================================================
=====================================================
One more before the last:
=====================================================
=====================================================
=====================================================
=====================================================
----- Original Message -----
From: "Alan Wood" [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS
Hi Roger,
We really would prefer to use FQDN over Single labeled. There are
a lot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.
Example: Single Labeled domain domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA
If a client in the domain Child2 wants to resolve a name in domainA,
Example: Host.DomainA, and uses the following to connect to a share,
\\host, then it is not going to resolve. WHY? Because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA, and at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.
Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.
Microsoft is seriously asking you to NOT do this. We will support you, but
the end results could be limiting depending on the
services you are using.
Thank you,
Alan Wood[MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
=====================================================
=====================================================
=====================================================
=====================================================
And finally......
=====================================================
=====================================================
=====================================================
=====================================================
----- Original Message -----
From: Ace Fekay [MVP]
Newsgroups:
microsoft.public.windows.server.dns,microsoft.public.windows.server.sbs
Sent: Tuesday, January 13, 2004 9:26 PM
Subject: Re: DNS, Single Label Domains and SBS2K3
In news:O1V9ujj2DHA.1704@tk2msftngp13.phx.gbl,
Aaron <1aaron1bav1@eln.net> posted their thoughts, then I offered mine
>
> Firstly, I would HAVE to convince my boss that this is REALLY, REALLY
> necessary.
>
> Just to play devil's advocate here for a moment:
>
> My Boss would say: Why re-install? everything is working. The clients
> are registering in local DNS (with registry hacks),
> \\domain\sysvol\domain is accessible and group policies/scripts are
> being applied to the clients, Web browsing /e-mail is working to the
> outside world, VPN is working, Exchange is working, we can access all
> our files, etc. Where is the need?
>
> And I don't have a good argument to counter this, because it is true.
> This is SBS, so there is no need to have access to other AD/DNS
> servers for replication, zone transfers, etc. There are no forest, or
> trees, just SBS. We're not running an external DNS that needs to be
> RFC compliant (we use forwarders to the ISP for external resolution),
> and we still have legacy O.S.'s (95/98 - actually legacy O.S.'s was
> the reason our consultant gave for "maintaining" a single label
> domain - funny thing is those legacy O.S.'s seem to work just fine on
> my SBS testbed at home with "domain.lan" as my domain - go figure
> huh).
>
>
>> There are still alot of registrations errors, I'm afraid you are
>> going to have to rename it if you want it to work like it is
>> supposed to.
>
>
> But things do appear to be working. I need something to point to and
> say :
>
> "see it's SUPPOSED to do this, but because the DNS is BROKEN, it
> ISN'T doing what it should be doing"
>
> What is my SBS not doing that it should be?
>
> I need convincing arguments (as much to convince myself as my boss -
> this would be a really big deal to have to force the company to go
> through this again so soon). I need some TEST to show /prove, that if
> this isn't fixed "X" will be the result, and it ain't pretty if "X"
> happens (i.e. the network will come to a total, screeching, train
> wrecking halt)!
>
>
> I don't like the fact that the domain is semi-broken, but I believe I
> can live with it. I just really need to know what the downside
> is/will be.
>
> Any thoughts/arguments/recommendations greatly appreciated.
>
>
> Aaron
>
>
Aaron,
This has been a real big issue lately. Here's a copy/paste of a recent
thread (just search back on single label name and a whole bunch of them will
turn up). But go ahead and read it, including (way below) a re-post from one
of the MS guys, Alan Wood, with the company's take on it. Excessive queries
to the ISC Root Servers, AD doesn't work correctly, etc etc etc.
The whole thing is basically caused, with all due respect, by not
properly planning or researching prior to your migration or upgrade.
/begin paste...
=================================
In news:083d01c3d9c6$0ed9e9a0$a601280a@phx.gbl,
Joe <anonymous@discussionsmicrosoft.com> posted their thoughts, then I
offered mine
> How do I rename my domain. I don't know how. I want to
> rename my domain without modifying other configurations
> like active directory.
Well, that's the whole thing. It's all about AD.
Instead of typing it all out again, check this post (below) from a recent
post I made. This is a common problem due to lack of proper pre-installation
planning and research into AD. Sorry to say that, with all due respect.
I hope it helps in understanding what is in front of you.
Begin:
=================================================
continued.....
This is a common problem lately. Many posts on it. Recently (yesterday) I
posted something similar that will apply to you. I copied/pasted it below.
> Yes, The DC is Windows Server 2000 SP4.
> And, yes, the computer in question is the only one having this issue.
> And, no, when I ping our domain I get "Unknown host"
>
> C:\>ping CREDENTALS
> Unknown host CREDENTALS.
>
> I have entered the two registry entries that were suggested in
> http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
> in the DC now, although I have not had a chance to reboot that
> machine yet. Once I do will this fix the "Unknown host CREDENTALS."
> problem as well or could this all be very simply fixed by adding a
> ".com" to my domain?
>
> -Scott Elgram
>
To ping a domain name, it would need the TLD suffix, since it will look
under the zone name for the (same as parent) record. If pinging a single
name, it will treat it as a host and may even suffix it with your Search
Suffix List, which is in your case, based on your ipconfig, "CREDENTIALS",
so it may be trying to ping, credentials.credentials.
Ideally, it would be advised to rename the domain, either installing a new
domain in a new forest and migrate the users/groups/and computer accounts to
the new domain with ADMT. The user profiles will be translated to the new
domain user account on their workstations and will be automatically joined
to the new domain for you. This way you won't have to disjoin/rejoin the
machines in the domain and lose the user profiles. Once that's done, you can
trash the old DC and rebuild it as a new DC in the new existing domain you
created.
Single label domain names are problematic, at best. Certain clients, such as
XP may balk at it and cause additional errors since they have problems
querying single label name records in DNS.
--
Regards,
Ace

First of all, you can try using http://support.microsoft.com/?id=300684 for
a reg entry to force it to update. Need to do it on your clients too, but XP
won't work properly.

You may still get problems with GPOs applying since the GetGPOList function
on the client side references the domain FQDN, such as:
\\domain.com\sysvol\domain.COM\Policies

But when it tries to go to what you have, such as:
\\DOM\etc...

It perceives DOM as a host name, and may not resolve properly.

Here's my other post that may help in resolving this to help rename it....
Read the whole thing so you'll know what's involved.

==========================================
> Ace Fekay,
> If I were to just rename the domain from CREDENTALS to
> CREDENTALS.net and disjoin all the affected workstations from
> CREDENTALS and join it to CREDENTALS.net would it reset the user
> profiles?

First, you can't just rename a domain, unless you're still in mixed mode
with an NT4 BDC still present. If still in mixed mode, you can add an NT4
BDC, trash the W2k DC, promote the NT4 BDC to a PDC, then manually set the
DNS Suffix in TCP/IP properties to the new domain name, credentials.net,
(which would be the name you choose for the AD DNS domain name, but keep the
NetBIOS domain name as CREDENTIALS for backward compatibility), then upgrade
it to a W2k DC. This way the machines that are still joined will still be
joined to the same domain. Otherwise if the domain is in Native mode, you'll
need to follow the ADMT method I previously mentioned.

And no about disjoining and rejoining to the new domain with the old
profiles. When you manually rejoin, a new profile is created. You may find
that you can manually force the new profiles to use the old profile one
machine at a time, but I don't think that's what you want to do. ADMT will
do that for you.

Keep in mind you want to follow DNS naming methods. One thing I noticed is
you're using uppercase. It's not that it won't work, but to keep things
consistent with DNS RFCs (looks good too), name it credentials.net, not
CREDENTIALS.net.

> From what I have read in researching this problem it sure does seem
> that single label domains cause lots of problems and sometimes even
> questionable and/or slow connections. But, likewise, I have also
> read things that lead me to think migrating AD off CREDENTALS and
> over to CREDENTALS.net could possibly cause more problems domain wide
> than just the one machine I have now. If I ever have to set up a new
> domain or rebuild the old one for some reason other than one machine
> I'll definitely use the appropriate formatting (I wasn't the one who
> set this up anyway, that guy quit ). For now should the 2
> registry entries discussed previously in
> http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
> fix this problem for the one machine?
>
> -Scott Elgram
>

If the domain is in mixed mode, it will be a lot easier for you. If not, the
ADMT will work, but I would read up on it first and test it. I can provide
links if needed. I've migrated quite a few domains and have to say it's the
easier method if the domain is presently in mixed mode. To find the present
mode, rt-click the domain name in ADUC, properties. Look at the bottom of the
general tab.

Also, Kevin has a big point about GPOs and how the GetGPOList function works
when a machine logs on and looks for the GPOs. That reg entry has to be made
system wide....

***************************************
***************************************
Here's a repost by Alan Wood from Microsoft describing the issue and
ramifications and the recommendations to rename it properly. I hope it helps
in understanding the issue at hand.
***************************************
***************************************
----- Original Message -----
From: "Alan Wood" [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS
Hi Roger,
We really would prefer to use FQDN over Single labeled. There are
a lot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.
Example: Single Labeled domain domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA
If a client in the domain Child2 wants to resolve a name in domainA,
Example: Host.DomainA, and uses the following to connect to a share,
\\host, then it is not going to resolve. WHY? Because the resolver is
first going to query for Host.Child2.child1.domainA, then it will
next try HOST.Child1.domainA, and at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.
Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.
Microsoft is seriously asking you to NOT do this. We will support you, but
the end results could be limiting depending on the services you are using.
Thank you,
Alan Wood[MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
****************************************
=====================================================
=====================================================
=====================================================
=====================================================
/end
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
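The resolver behaviour the thread keeps coming back to (Alan Wood's rule that devolution stops at the last two labels, Bala's note that the primary DNS suffix is appended when no search list is set, and Ulf's point that a trailing dot stops suffixing), modelled as an added example that is not code from the original post. The two-label stop, the "explicit search list disables devolution" rule and the GPO share-host lookup are assumptions taken from the thread; the names are the thread's own examples.

```python
"""Model of the Windows DNS client's suffix appending and devolution as
described in the thread.  Added example; not from the original post.
Assumed rules (taken from the thread, not verified against any OS):
  - a name ending in '.' is sent as-is, nothing appended (Ulf's point)
  - an explicit suffix search list replaces the primary suffix and is
    tried in order with no devolution (Bala's parenthetical)
  - otherwise the primary suffix is appended, then its parents, never
    going below a two-label suffix (Alan Wood's "LAST 2 names")
"""

DEVOLUTION_MIN_LABELS = 2  # devolution never queries below a 2-label suffix


def labels(name):
    """Split a DNS name into labels, ignoring a trailing dot."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def is_single_label(domain):
    """True for AD DNS names like 'SOL' or 'CREDENTIALS' (no hierarchy)."""
    return len(labels(domain)) == 1


def query_candidates(name, primary_suffix, search_list=None):
    """Return, in order, the FQDNs the client would send to DNS for `name`."""
    if name.endswith("."):
        return [name]                      # already fully qualified
    if search_list:
        return [f"{name}.{'.'.join(labels(s))}." for s in search_list if labels(s)]
    out = []
    suffix = labels(primary_suffix)
    if suffix:
        out.append(f"{name}.{'.'.join(suffix)}.")   # primary suffix first
    while len(suffix) > DEVOLUTION_MIN_LABELS:      # then devolve
        suffix = suffix[1:]
        out.append(f"{name}.{'.'.join(suffix)}.")
    return out


def share_host_queries(unc_path, primary_suffix):
    """Server component of a UNC path (\\\\server\\share\\...) and the DNS
    queries the client would issue for it, e.g. the sysvol path GetGPOList
    uses.  The domain name in that position is looked up as a host name."""
    server = unc_path.lstrip("\\").split("\\")[0]
    return query_candidates(server, primary_suffix)


def audit_domain_name(domain):
    """Design-time checks echoing the thread's advice for a new AD DNS name."""
    issues = []
    if is_single_label(domain):
        issues.append("single-label: no DNS hierarchy; needs per-client "
                      "registry fixes and GPO sysvol path resolves the "
                      "domain as a host")
    if domain != domain.lower():
        issues.append("upper-case labels: keep the name lower-case for "
                      "consistency with DNS RFCs")
    return issues


if __name__ == "__main__":
    # Alan Wood's forest: a client in Child2.child1.domainA typing \\host
    # never reaches host.domainA because devolution stops at two labels.
    for q in query_candidates("host", "child2.child1.domainA"):
        print("query:", q)
    # With a hierarchical root (domainA.com) the parent domain is reached.
    for q in query_candidates("host", "child2.child1.domainA.com"):
        print("query:", q)
    for issue in audit_domain_name("SOL"):
        print("SOL:", issue)
```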