13.17. Allowing Computers to Use a Different Domain Suffix from Their AD Domain

Problem

You want to allow computers to use a different domain suffix than their AD domain.

Solution

Tip

The following solutions work only for Windows Server 2003 domains. Read the Discussion for a workaround for Windows 2000.

Using a graphical user interface

  1. Open ADSI Edit.

  2. Connect to the domain you want to edit.

  3. Right-click on the domainDNS object and select Properties.

  4. Edit the msDS-AllowedDNSSuffixes attribute and enter the DNS suffix you want to add.

  5. Click OK.

Using a command-line interface

Create an LDIF file called add_dns_suffix.ldf with the following contents:

dn: <DomainDN>
changetype: modify
add: msDS-AllowedDNSSuffixes
msDS-AllowedDNSSuffixes: <DNSSuffix>
-

then run the following command:

> ldifde -v -i -f add_dns_suffix.ldf

Using VBScript

' This code adds a domain suffix that can be used by clients in the domain.
' ------ SCRIPT CONFIGURATION ------
strDNSSuffix = "<DNSSuffix>"       ' e.g. othercorp.com
strDomain    = "<DomainDNSName>"   ' e.g. amer.rallencorp.com
' ------ END CONFIGURATION ---------

Const ADS_PROPERTY_APPEND = 3   ' IADs::PutEx control code: append to a multivalued attribute

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
' msDS-AllowedDNSSuffixes is multivalued; append so that suffixes already in the
' list are kept (Put would replace the whole list). This matches the LDIF "add:" operation.
objDomain.PutEx ADS_PROPERTY_APPEND, "msDS-AllowedDNSSuffixes", Array(strDNSSuffix)
objDomain.SetInfo

WScript.Echo "Added " & strDNSSuffix & " to suffix list."
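The same change with the RSAT ActiveDirectory PowerShell module, as an added example that is not part of the cookbook recipe. It assumes the module is installed, that the caller can write to the domain object, and that the domain already carries the msDS-AllowedDNSSuffixes attribute (the Windows Server 2003 schema mentioned in the Tip); the suffix value is a placeholder passed as a parameter. Unlike the VBScript above, it reads the list back first so an existing suffix is not appended twice, and it prints the full list afterwards so it can be reviewed.

```powershell
# Added example (not from the Active Directory Cookbook): append a DNS suffix to
# msDS-AllowedDNSSuffixes with the RSAT ActiveDirectory module, then read it back.
# Assumes the module is installed and the caller has write access to the domain object.
param(
    [Parameter(Mandatory = $true)]
    [string]$DnsSuffix    # placeholder, e.g. othercorp.com
)

Import-Module ActiveDirectory

# Distinguished name of the domain object (the domainDNS object edited in ADSI Edit)
$domainDN = (Get-ADDomain).DistinguishedName

# The attribute is multivalued, so read the current values and always use -Add
# (the equivalent of the LDIF "add:" operation). -Replace would overwrite every
# suffix already present.
$current = (Get-ADObject -Identity $domainDN -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'

if ($current -contains $DnsSuffix) {
    Write-Output "$DnsSuffix is already in msDS-AllowedDNSSuffixes; nothing to do."
} else {
    Set-ADObject -Identity $domainDN -Add @{ 'msDS-AllowedDNSSuffixes' = $DnsSuffix }
    Write-Output "Added $DnsSuffix to msDS-AllowedDNSSuffixes."
}

# Verify the change and show the whole list. Every suffix listed here is one that any
# domain member may use when it registers its dNSHostName and servicePrincipalName
# values, so the list is worth reviewing periodically rather than only on change.
$after = (Get-ADObject -Identity $domainDN -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'
$after | ForEach-Object { Write-Output "Allowed suffix: $_" }
```

Run it as `.\Add-AllowedDnsSuffix.ps1 -DnsSuffix othercorp.com` from a session with domain-admin rights (the script name is assumed; save the block under whatever name you prefer). Removing a suffix later is the same call with `-Remove` in place of `-Add`.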

Discussion

Windows 2000, Windows XP, and Windows Server 2003 member computers dynamically maintain the dNSHostName and servicePrincipalName attributes ...
