13.17. Allowing Computers to Use a Different Domain Suffix from Their AD Domain
Problem
You want to allow computers to use a different domain suffix than their AD domain.
Solution
Tip
The following solutions work only for Windows Server 2003 domains. Read the Discussion for a workaround for Windows 2000.
Using a graphical user interface
1. Open ADSI Edit.
2. Connect to the domain you want to edit.
3. Right-click on the domainDNS object and select Properties.
4. Edit the msDS-AllowedDNSSuffixes attribute and enter the DNS suffix you want to add.
5. Click OK.
Using a command-line interface
Create an LDIF file called add_dns_suffix.ldf with the following contents:

    dn: <DomainDN>
    changetype: modify
    add: msDS-AllowedDNSSuffixes
    msDS-AllowedDNSSuffixes: <DNSSuffix>
    -

then run the following command:

    > ldifde -v -i -f add_dns_suffix.ldf
Using VBScript
    ' This code adds a domain suffix that can be used by clients in the domain.
    ' ------ SCRIPT CONFIGURATION ------
    strDNSSuffix = "<DNSSuffix>"     ' e.g. othercorp.com
    strDomain    = "<DomainDNSName>" ' e.g. amer.rallencorp.com
    ' ------ END CONFIGURATION ---------

    Const ADS_PROPERTY_APPEND = 3

    set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
    set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
    ' msDS-AllowedDNSSuffixes is multivalued: append so existing suffixes are kept
    ' (Put would replace the whole list with the single new value).
    objDomain.PutEx ADS_PROPERTY_APPEND, "msDS-AllowedDNSSuffixes", Array(strDNSSuffix)
    objDomain.SetInfo
    WScript.Echo "Added " & strDNSSuffix & " to suffix list."
Discussion
Windows 2000, Windows XP, and Windows Server 2003 member computers dynamically maintain the dNSHostName and servicePrincipalName attributes ...
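A check an administrator can run after extending the list, shown as an added example that is not from the book: it reads an ldifde-style export (plain, non-base64 values assumed) and sorts each computer's dNSHostName by whether its suffix is the domain's own DNS name, an entry in msDS-AllowedDNSSuffixes, or neither, and lists allowed suffixes that no computer uses. The function names and the `legacy.example` and `unexpected.example` values are assumptions made for the illustration.

```python
# Constructed sample export; legacy.example and unexpected.example are made-up values.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: DC=amer,DC=rallencorp,DC=com
objectClass: domainDNS
msDS-AllowedDNSSuffixes: othercorp.com
msDS-AllowedDNSSuffixes: legacy.example

dn: CN=WS01,CN=Computers,DC=amer,DC=rallencorp,DC=com
dNSHostName: ws01.amer.rallencorp.com

dn: CN=WS02,CN=Computers,DC=amer,DC=rallencorp,DC=com
dNSHostName: WS02.OtherCorp.com

dn: CN=WS03,CN=Computers,DC=amer,DC=rallencorp,DC=com
dNSHostName: ws03.unexpected.example
"""

def parse_ldif(text):
    """Yield one dict of attribute -> [values] per blank-line-separated record."""
    for block in text.replace("\n ", "").split("\n\n"):  # unfold continuation lines
        record = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                record[attr.lower()].append(value.strip())
        if record:
            yield record

def audit_suffixes(text):
    records = list(parse_ldif(text))
    domain = next(r for r in records if "domainDNS" in r["objectclass"])
    # Domain DNS name from the DN: DC=amer,DC=rallencorp,DC=com -> amer.rallencorp.com
    parts = [p[3:] for p in domain["dn"][0].split(",") if p.upper().startswith("DC=")]
    domain_dns = ".".join(parts).lower()
    allowed = {s.lower() for s in domain["msds-alloweddnssuffixes"]}
    report = {"domain": [], "allowed": [], "unlisted": []}
    used = set()
    for r in records:
        for host in r["dnshostname"]:
            suffix = host.lower().partition(".")[2]  # everything after the first label
            used.add(suffix)
            kind = "domain" if suffix == domain_dns else "allowed" if suffix in allowed else "unlisted"
            report[kind].append(host)
    report["unused_suffixes"] = sorted(allowed - used)  # candidates for removal
    return report
```

Hosts reported under `unlisted` carry a suffix that is neither the domain name nor in the allowed list and deserve a closer look; entries under `unused_suffixes` can be reviewed for removal to keep the list minimal.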