Re: Disjointed Namespace, And Widespread Domain Problems


From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 06/25/04


Date: Thu, 24 Jun 2004 23:40:09 -0400

In news:uAHJngcWEHA.1656@TK2MSFTNGP09.phx.gbl,
omer maydan <omermaydan@yahoo.com> posted their thoughts, then I offered
mine
> hi all! my situation is like this. we are trying to take control of
> the DNS. today we have a separate team (inherited from NT4) that
> deals with DNS. (we are the AD, Exchange, etc. team.) the current
> structure of our domain/DNS is that we have one single-label
> domain named X for the organization, and in there all the DCs, SRV
> records and the A records of the DCs are written. we have another
> zone that does not correspond to the domain name, and its name is Y.
> We are moving to Exchange 2003, and we know that we need to write the
> Exchange servers to the standard corresponding DNS zone X. the other
> team wants it to stay where it is today under Y. On Y, we have
> Kerberos problems relating to the communication between Exchange
> servers, and we also have errors with web servers using Kerberos. we
> need to provide written proof (from Microsoft, or some other known
> organization) that you do not build DNS zones that do not correspond
> to domain names (Y is just a custom-made zone) and write servers
> and services to that zone, because it creates problems and it is unsupported.
> we want all the servers and services (and workstations) to be
> written to X, which is the standard zone. any suggestion, or proof?

Trying to follow your logic, but having a little difficulty. I can tell you
this much:

Single-label AD DNS domain names are problematic. A single-label name does
not follow the hierarchical structure that DNS requires. Also, you didn't
specify what operating system or Exchange server version you are using.
There are registry entries to force registration, but this doesn't really
help in the long run.

Windows 2000 SP4 and Windows 2003 do not allow registration, due to the
excessive traffic DNS servers cause against the Internet root servers.
Microsoft, the engineers and the MVPs all recommend that you DON'T use a
single-label name, and that you make plans on renaming your domain somehow. If
you have Windows 2000, your options are limited. If you have Windows 2003,
there are renaming options you can fall back on. Either way, it's highly
suggested that you rename it properly to avoid more issues. Your current issues
are probably based on this, among other things.

You also need to remember that you must use only the internal DNS server (no
ISP's), and that the DNS zone name must match the AD DNS domain name and also
must match the primary DNS suffix on all machines for registration to work
properly. But single-label names mess it all up.

Renaming the domain (ONLY IF THIS IS WINDOWS 2003) is the easy part.
Exchange complicates it.

819145 - Support WebCast Microsoft Windows Server 2003 Implementing an
Active Directory Domain Rename Operation:
http://support.microsoft.com/default.aspx?scid=kb;en-us;819145&Product=winsvr2003

Windows Server 2003 Domain Rename Tools, Procedure and Step by Step Guide:
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx

838623 - TechNet Support WebCast Renaming domains when Microsoft Exchange
Server 2003 is in the Active Directory:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;838623

Download details Exchange 2003 Domain Rename Fixup (XDR-Fixup):
http://www.microsoft.com/downloads/details.aspx?FamilyId=24B47D4A-C4B9-4031-B491-29839148A28C&displaylang=en

There have been numerous posts in the DNS and AD newsgroups concerning
single-label names and their implications. You can see more about this in this
thread (in the other DNS newsgroup). Just look for James Long, June 18,
2004, and the subject line:

From: "James W. Long" <JamesLong@wowway.com>
Newsgroups: microsoft.public.win2000.dns
Subject: upgrade to win2000 adv server and DNS
Date: Fri, 18 Jun 2004 18:05:43 -0400

Also, here's a repost below from a previous thread with some valuable
information on this subject. Hope you have some time to read it.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++

----- Original Message -----
From: Ace Fekay [MVP]
Newsgroups:
microsoft.public.windows.server.dns,microsoft.public.windows.server.sbs
Sent: Tuesday, January 13, 2004 9:26 PM
Subject: Re: DNS, Single Label Domains and SBS2K3

In news:O1V9ujj2DHA.1704@tk2msftngp13.phx.gbl,
Aaron <1aaron1bav1@eln.net> posted their thoughts, then I offered mine
>
> Firstly, I would HAVE to convince my boss that this is REALLY, REALLY
> necessary.
>
> Just to play devil's advocate here for a moment:
>
> My Boss would say: Why re-install? Everything is working. The clients
> are registering in local DNS (with registry hacks),
> \\domain\sysvol\domain is accessible and group policies/scripts are
> being applied to the clients, web browsing/e-mail is working to the
> outside world, VPN is working, Exchange is working, we can access all
> our files, etc. Where is the need?
>
> And I don't have a good argument to counter this, because it is true.
> This is SBS, so there is no need to have access to other AD/DNS
> servers for replication, zone transfers, etc. There are no forests or
> trees, just SBS. We're not running an external DNS that needs to be
> RFC compliant (we use forwarders to the ISP for external resolution),
> and we still have legacy O.S.'s (95/98 - actually legacy O.S.'s was
> the reason our consultant gave for "maintaining" a single label
> domain - funny thing is those legacy O.S.'s seem to work just fine on
> my SBS testbed at home with "domain.lan" as my domain - go figure
> huh).
>
>
>> There are still alot of registrations errors, I'm afraid you are
>> going to have to rename it if you want it to work like it is
>> supposed to.
>
>
> But things do appear to be working. I need something to point to and
> say :
>
> "see it's SUPPOSED to do this, but because the DNS is BROKEN, it
> ISN'T doing what it should be doing"
>
> What is my SBS not doing that it should be?
>
> I need convincing arguments (as much to convince myself as my boss -
> this would be a really big deal to have to force the company to go
> through this again so soon). I need some TEST to show /prove, that if
> this isn't fixed "X" will be the result, and it ain't pretty if "X"
> happens (i.e. the network will come to a total, screeching, train
> wrecking halt)!
>
>
> I don't like the fact that the domain is semi-broken, but I believe I
> can live with it. I just really need to know what the downside
> is/will be.
>
> Any thoughts/arguments/recommendations greatly appreciated.
>
>
> Aaron
>
>
Aaron,

This has been a real big issue lately. Here's a copy/paste of a recent
thread (just search back on "single label name" and a whole bunch of them will
turn up). But go ahead and read it, including (way below) a re-post from one
of the MS guys, Alan Wood, with the company's take on it. Excessive queries
to the ISC root servers, AD doesn't work correctly, etc. etc. etc.

The whole thing is basically caused, with all due respect, by not
properly planning or researching prior to your migration or upgrade.

/begin paste...
=================================
In news:083d01c3d9c6$0ed9e9a0$a601280a@phx.gbl,
Joe <anonymous@discussionsmicrosoft.com> posted their thoughts, then I
offered mine
> How do I rename my domain. I don't know how. I want to
> rename my domain without modifying other configurations
> like active directory.

Well, that's the whole thing. It's all about AD.

Instead of typing it all out again, check this post (below) from a recent
post I made. This is a common problem due to lack of proper pre-installation
planning and research into AD. Sorry to say that, with all due respect.

I hope it helps in understanding what is in front of you.
Begin:
=================================================

continued.....
This is a common problem lately. Many posts on it. Recently (yesterday) I
posted something similar that will apply to you. I copied/pasted it below.

> Yes, The DC is Windows Server 2000 SP4.
> And, yes, the computer in question is the only one having this issue.
> And, no, when I ping our domain I get "Unknown host"
>
> C:\>ping CREDENTALS
> Unknown host CREDENTALS.
>
> I have entered the two registry entries that were suggested in
> http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
> in the DC now, although I have not had a chance to reboot that
> machine yet. Once I do will this fix the "Unknown host CREDENTALS."
> problem as well or could this all be very simply fixed by adding a
> ".com" to my domain?
>
> -Scott Elgram
>

To ping a domain name, it would need the TLD suffix, since it will look
under the zone name for the (same as parent) record. If pinging a single
name, it will treat it as a host and may even suffix it with your search
suffix list, which in your case, based on your ipconfig, is "CREDENTIALS",
so it may be trying to ping credentials.credentials.

Ideally, it would be advised to rename the domain, by installing a new
domain in a new forest and migrating the users, groups and computer accounts to
the new domain with ADMT. The user profiles will be translated to the new
domain user account on their workstations, and the workstations will be automatically joined
to the new domain for you. This way you won't have to disjoin/rejoin the
machines in the domain and lose the user profiles. Once that's done, you can
trash the old DC and rebuild it as a new DC in the new existing domain you
created.

Single-label domain names are problematic, at best. Certain clients, such as
XP, may balk at it and cause additional errors, since they have problems
querying single-label name records in DNS.

--
Regards,
Ace
First of all, you can try using
http://support.microsoft.com/?id=300684
for a reg entry to force it to update. You need to do it on your clients too,
but XP won't work properly. You may still get problems with GPOs applying,
since the GetGPOList function on the client side references the domain FQDN,
such as:
\\domain.com\sysvol\domain.COM\Policies
But when it tries to go to what you have, such as:
\\DOM\etc...
it perceives DOM as a host name, and may not resolve properly.
Here's my other post that may help in resolving this to help rename
it....Read the whole thing so you'll know what's involved.
==========================================
> Ace Fekay,
>     If I were to just rename the domain from CREDENTALS to
> CREDENTALS.net and disjoin all the affected workstations from
> CREDENTALS and join it to CREDENTALS.net would it reset the user
> profiles?
First, you can't just rename a domain, unless you're still in mixed mode
with an NT4 BDC still present. If still in mixed mode, you can add an NT4
BDC, trash the W2k DC, promote the NT4 BDC to a PDC, then manually set the
DNS suffix in TCP/IP properties to the new domain name, credentials.net
(which would be the name you choose for the AD DNS domain name, but keep the
NetBIOS domain name as CREDENTIALS for backward compatibility), then upgrade
it to a W2k DC. This way the machines that are still joined will still be
joined to the same domain.
Otherwise, if the domain is in native mode, you'll need to follow the ADMT
method I previously mentioned.
And no about disjoining and rejoining to the new domain with the old
profiles: when you manually rejoin, a new profile is created. You may find
that you can manually force the new profiles to use the old profile one
machine at a time, but I don't think that's what you want to do. ADMT will
do that for you.
Keep in mind you want to follow DNS naming methods. One thing I noticed is
you're using uppercase. It's not that it won't work, but to keep things
consistent with the DNS RFCs (looks good too), name it credentials.net, not
CREDENTIALS.net.
> From what I have read in researching this problem it sure does seem
> that single label domains cause lots of problems and sometimes even
> questionable and/or slow connections.  But, likewise, I have also
> read things that lead me to think migrating AD off CREDENTALS and
> over to CREDENTALS.net could possibly cause more problems domain-wide
> than just the one machine I have now.  If I ever have to set up a new
> domain or rebuild the old one for some reason other than one machine
> I'll definitely use the appropriate formatting (I wasn't the one who
> set this up anyway, that guy quit). For now should the 2
> registry entries discussed previously in
> http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1
> fix this problem for the one machine?
>
> -Scott Elgram
>
If the domain is in mixed mode, it will be a lot easier for you. If not, the
ADMT will work, but I would read up on it first and test it. I can provide
links if needed. I've migrated quite a few domains and have to say it's the
easier method if the domain is presently in mixed mode. To find the present
mode, right-click the domain name in ADUC, Properties. Look at the bottom of
the General tab.
Also, Kevin has a big point about GPOs and how the GetGPOList function works
when a machine logs on and looks for the GPOs. That reg entry has to be made
system-wide....
***************************************
***************************************
Here's a repost by Alan Wood from Microsoft describing the issue and
ramifications and the recommendations to rename it properly. I hope it helps
in understanding the issue at hand.
***************************************
***************************************
----- Original Message -----
From: "Alan Wood" [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS
Hi Roger,
       We really would prefer to use FQDN over single-labeled.  There are
a lot of other issues that you can run into when using a single-labeled
domain name with other AD-integrated products.  Exchange would be a great
example. Also note that the DNR (DNS resolver) was and is designed to
devolve DNS requests to the LAST 2 names.
Example:   Single-labeled domain   domainA
then, you add additional domains to the forest.
child1.domainA
Child2.child1.domainA
If a client in the domain Child2 wants to resolve a name in domainA,
Example.   Host.DomainA,   and uses the following to connect to a share,
\\host,     then it is not going to resolve.  WHY?  Because the resolver is
first going to query for  Host.Child2.child1.domainA,  then it will
next try  HOST.Child1.domainA.     At that point the devolution process is
DONE.   We only go to the LAST 2 domain names.
Also note that if you have a single-labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers, and being all good Internet community
users we definitely do not want to do that.   NOTE that in Windows 2003,
you get a big pop-up error message when trying to create a single-labeled
name telling you DON'T DO IT.  It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.
Microsoft is seriously asking you to NOT do this.  We will support you, but
the end results could be limiting depending on the
services you are using.
Thank you,
Alan Wood[MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
****************************************
=================================
/end
-- 
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. -- 
=================================
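The two behaviours argued about above (the primary DNS suffix being what the client appends, and Alan Wood's point that devolution only walks the suffix down to its last two labels) can be reproduced with a small simulation. The block below is an added example, not code from the original post or from Microsoft; it models the resolver's candidate-name logic as described in the thread, and the A records in RECORDS are constructed for illustration (the names domainA, child1, child2, host and CREDENTALS come from the thread, the addresses are invented).

```python
"""Simulate Windows DNS suffix devolution for unqualified name lookups.

Added example, not code from the original post. It models the rule Alan
Wood describes: the resolver first appends the client's primary DNS suffix
to a single-label name, then strips the leftmost label of the suffix and
retries, stopping once fewer than two labels would remain. The zone data
below is constructed for illustration; the names are taken from the thread.
"""
from __future__ import annotations

from typing import Optional

# Constructed A records, keyed by lowercase FQDN (no real hosts are implied).
RECORDS = {
    "host.domaina": "10.0.0.5",        # forest root is the single label "domainA"
    "host.domaina.com": "10.0.1.5",    # same host under a properly qualified root
    "credentals.net": "10.0.2.1",      # "same as parent" record at the zone apex
}


def devolution_candidates(name: str, primary_suffix: str, min_labels: int = 2) -> list[str]:
    """Return, in order, the FQDNs the resolver will try for ``name``.

    A name that already contains a dot is treated as qualified and tried
    as-is (simplifying assumption; the real resolver also honours a
    trailing dot). Otherwise the full primary suffix is appended first,
    then the suffix is devolved one label at a time while it still has at
    least ``min_labels`` labels (two, per Alan Wood's description).
    """
    name = name.rstrip(".").lower()
    if "." in name:
        return [name]
    labels = [l for l in primary_suffix.rstrip(".").lower().split(".") if l]
    if not labels:
        return [name]  # no suffix configured: the bare label is all we can try
    candidates = [f"{name}.{'.'.join(labels)}"]
    labels = labels[1:]
    while len(labels) >= min_labels:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


def resolve(name: str, primary_suffix: str,
            records: dict[str, str] = RECORDS) -> Optional[tuple[str, str]]:
    """Look each candidate up in ``records``; None stands for 'Unknown host'."""
    for fqdn in devolution_candidates(name, primary_suffix):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None


if __name__ == "__main__":
    # \\host from a machine in child2.child1.domainA (single-label forest root):
    # devolution stops at host.child1.domainA and never reaches host.domainA.
    print(devolution_candidates("host", "child2.child1.domainA"))
    print(resolve("host", "child2.child1.domainA"))          # None
    # The same lookup when the forest root is domainA.com.
    print(resolve("host", "child2.child1.domainA.com"))      # ('host.domaina.com', '10.0.1.5')
    # "ping CREDENTALS" from a client whose primary DNS suffix is CREDENTALS:
    # the single label is treated as a host and becomes credentals.credentals.
    print(resolve("CREDENTALS", "CREDENTALS"))               # None
    # Once the domain is credentals.net the name is qualified and the
    # same-as-parent record at the zone apex answers.
    print(resolve("credentals.net", "credentals.net"))       # ('credentals.net', '10.0.2.1')
```

Running the block prints the candidate list for the single-label forest and the four lookup results; the two None results are the "Unknown host" cases from the thread. Because devolution starts from the primary DNS suffix, a machine whose suffix does not match the AD DNS domain name walks a different candidate list entirely, which is the registration and GPO-path failure Ace describes.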

