Transition from a Disjoint Namespace to a Contiguous Namespace
Applies To: Windows Server 2003, Windows Server 2003 with SP2
If your network uses a disjoint namespace and you decide to change to a contiguous namespace, there are several tasks to complete:
Configure member computers to use a primary Domain Name System (DNS) suffix that is the same as the Active Directory domain name.
Remove any Group Policy objects (GPOs) that specify disjoint namespaces.
Clear DNS suffixes from the client search lists that no longer apply.
Remove no longer needed permissions for Active Directory.
The actual number of tasks that are required for the change depends on how much configuration was accomplished to make the disjoint namespace work. For example, if custom DNS suffix search lists were never created, there is obviously no need to remove them.
Note
If any of your servers have service principal names (SPNs) that were manually configured, you may have to modify them. For instructions on how to manually configure SPNs, see Setspn Overview.
Configure domain member computers to use the same DNS suffix as the Active Directory domain
You can configure the DNS client's primary DNS suffix by using Group Policy, manually through System Properties on each computer, or through a registry modification. These options are described in the following sections.
Configure primary DNS suffixes by using a GPO
On Windows Server 2003 servers, use a GPO to configure the primary DNS suffix for each member computer. Set the DNS Client policy for Primary DNS Suffix to the desired primary DNS suffix to match DNS suffix of the Active Directory domain name. The Primary DNS Suffix setting is located in the following GPO path: Computer Configuration\Administrative Templates\Network\DNS Client.
Note
For more information about managing Group Policy, see Group Policy Object Editor Tools and Settings (https://go.microsoft.com/fwlink/?LinkId=102368) and Enterprise Management with the Group Policy Management Console (https://go.microsoft.com/fwlink/?LinkId=29909)
Configure the primary DNS suffix by using System Properties
To change from a disjoint namespace that is created on a local computer running Microsoft Windows 2000, Windows XP, or Windows Vista, complete the following procedure.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To configure the primary DNS suffix by using System Properties
Open the System Properties dialog box:
To open the System Properties dialog box in Windows 2000 or Windows XP, click Start, click Run, type sysdm.cpl, and then press ENTER.
To open the System Properties dialog box in Windows Vista, click Start, in Start Search type sysdm.cpl, and then press ENTER.
On the Computer Name tab, click Change, and then click More.
Verify that the value in Primary DNS suffix of this computer is the same as the Active Directory domain name.
Verify that the Change primary DNS suffix when domain membership changes check box is selected, and then click OK twice.
Click OK to confirm that the computer must be restarted, and then click Close.
When you are prompted to restart your computer, click Restart Now.
If you choose to restart your computer later, any changes that you make will take effect at that time.
Change the primary DNS Suffix in the Registry
If you use a script (or directly modify the registry) to configure the Primary DNS suffix, there are two values to modify: Domain and SyncDomainWithMembership. Both of these values are in the Parameters key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip. To create a contiguous namespace, enable SyncDomainWithMembership by setting its value to 1, and then enter the primary DNS suffix that is identical to the Active Directory domain for the Domain value. If the SyncDomainWithMembership value does not exist, you can create it as a REGDWORD. For more information about registry scripts, see article 264584 in the Microsoft Knowledge base (https://go.microsoft.com/fwlink/?LinkId=102370). If you configure these values in the registry, be sure to restart the computers to have the settings take effect.
Remove unnecessary entries in the DNS suffix search list
When you change from a disjoint namespace to a contiguous namespace, there are likely to be several entries in the DNS suffix search list that clients no longer need. There may also be some different values that should be added to the DNS suffix search list. The following sections describe the three main methods for modifying the DNS suffix search list, which use:
Group Policy
Network Connections
The registry
Changing the DNS suffix search list with a GPO
On Windows Server 2003 servers, remove any GPOs or settings that were used to create custom DNS suffix search lists that applied to the disjoint namespace. Remove the DNS Suffix Search List or configure it with the correct DNS suffixes for the contiguous namespace. The GPO path for the DNS Suffix Search List policy setting is Computer Configuration\Administrative Templates\Network\DNS Client.
Changing the DNS suffix search list by using Network Connections
To change the DNS suffix search list by using the graphical user interface (GUI) on Windows 2000, Windows XP, or Windows Vista, complete the following procedure.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To change the DNS suffix search list by using Network Connections
Open Network Connections.
To open the Network Connections dialog box in Windows 2000 or Windows XP, click Start, click Run, type ncpa.cpl, and then press ENTER.
To open the Network Connections dialog box in Windows Vista, click Start, type ncpa.cpl in Start Search, and then press ENTER.
Right-click the icon that represents the computer's local network connection (Local Area Connection, by default), and then click Properties.
In This connection uses the following items, select Internet Protocol (TCP/IP), and then click Properties.
Click Advanced.
On the DNS tab, click Append these DNS suffixes (in order),and then click Add. Type the first DNS suffix that you want the client to use when it searches for single-label names (names that do not have DNS suffixes), and then click Add. Repeat this step for each successive DNS suffix that you want clients to use when they try to resolve a name.
Note
As an alternative, you can select Append primary and connection specific DNS suffixes and, as an option, also select Append parent suffixes of the primary DNS suffix, assuming that there is no longer a need for a custom list that includes other domains.
Click OK twice to confirm your changes.
Close the Local Area Connection Properties and the Network Connections dialog boxes.
Changing the DNS suffix search list in the registry
If you want to use a script (or directly modify the registry) to configure the DNS suffix search list, you can modify the SearchList value that is located in the Parameters key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip. For more information about registry scripts, see article 264584 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=102370) .
Remove no-longer-needed DNS suffixes from Active Directory
To remove permissions that may have been added to grant client computers permission to modify their primary DNS suffixes in Active Directory, complete the following procedure.
Note
The ADSI Edit tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (https://go.microsoft.com/fwlink/?LinkId=62270).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To remove no-longer-needed DNS suffixes from Active Directory
On any domain controller in the Active Directory domain, click Start, click Run, type adsiedit.msc, and then press ENTER.
Note
If you recently installed the Support Tools to the default location, you may have to type C:\Program Files\Support Tools\ADSIEdit.msc, and then press ENTER. If you did not install the Support Tools to the default location, use the file path to which the tools were installed.
Expand the Domain Naming Context (NC) to expose the directory partition that relates to the Active Directory domain for which you want to allow a disjoint namespace.
Right-click the Active Directory domain partition, and then click Properties. For example, DC=fabrikam,DC=com is the domain partition for Fabrikam.com.
In Attributes, locate and click the msDS-AllowedDNSSuffixes attribute, and then click Edit.
If there are any DNS suffixes entered in Values, select each one separately, and then click Remove.
When all the unnecessary DNS suffixes have been removed, click OK on the two open dialog boxes to confirm your changes.
Close ADSI Edit.
Remove no-longer-needed permissions for Windows 2000 computers
If Active Directory was modified to allow member computers or domain controllers running Windows 2000 to update the dNSHostName and servicePrincipleName attributes of their Active Directory computer accounts, you can revert those changes by completing the following procedure.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To remove no-longer-needed permissions for Windows 2000 computers
Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then press ENTER.
Click View, and then ensure that the Advanced Features check box is selected. If it is not selected, click Advanced Features. If the domain to which you want to allow a disjoint namespace does not appear in the console, do the following:
In the console tree, right-click Active Directory Users and Computers, and then click Connect to Domain.
In the Domain box, type the name of the Active Directory domain to which you want to allow the disjoint namespace (or use the Browse button to locate it), and then click OK.
In the console tree, right-click the object that represents the domain to which you want to allow a disjoint namespace, and then click Properties.
Right-click the domain, and then click Properties.
On the Security tab, click Advanced.
On the Permissions tab, click Add.
In the Enter the object name to select box, type self, and then click OK.
Configure the Apply onto box for Computer objects.
At the bottom of the Permissions box, ensure that the Allow check boxes that correspond to the Validated write to DNS host name and Validated write to service principal name permissions are cleared, and then click OK on the three open dialog boxes to confirm your changes.
Close Active Directory Users and Computers.