Tux&Cía. Technical Blog, Santa Cruz de la Sierra, BO

Sunday, June 20, 2010

Change primary DNS suffix when Domain membership changes

What is the difference if it is checked or not?
With an XP machine on a Windows 2000 or 2003 domain, you can just leave them at the defaults, i.e. as they are shown in your screen shot. Once you've joined the domain, the DNS suffix will automatically default to the domain you've joined, in your case and the NetBIOS name will be the same as your computer name pro10
NetBIOS is really only used with legacy (pre-NT) machines such as Windows 98.
Q How does modifying registration (registering the connection's address in DNS & using the DNS suffix in registration) affect Active Directory?
A I guess I don't understand the question. What do you mean by registration?
When your machine boots up you talk to your DHCP server and get a lease.  DHCP may then talk to DNS on your behalf and create an A record for your device in your DNS domain (NOT AD domain...) along with a pointer if there is a reverse zone available.
You get 2 things from DNS... name resolutions & service announcements.  DNS tells you that equals some IP address. It also tells you which server to go to to logon to your domain and where to find a Global Catalog server when you're browsing AD objects.
Changing your local DNS suffix affects none of these things.  All changing your local DNS suffix does is to automatically append that suffix to host names when talking on the network.
For instance... if my DNS suffix is ACME.COM and I type in "ping server1" I will get a reply that says "Pinging server1.ACME.COM".  My machine then contacts my DNS server and asks it how to get to to which the DNS server replies with the IP address of server1 in domain ACME.COM.
So... since you access resources most of the time in a single domain it makes sense for you to make that your primary DNS suffix.  It doesn't mean that you cannot resolve names in other DNS domains, it just means that the first one it tries... the one displayed to you... is the primary.
Does that help any more?  Changing your DNS suffix doesn't have anything to do directly with Active Directory.  If you mess up your name resolution you might not be able to connect to a particular resource though.
Q Normally the check box "register this connection's address in DNS" is checked, and one may also check "use this connection's DNS suffix in registration". So, I was wondering whether AD would function any differently when these options are used or not used?
Essentially, these affect what name your computer registers with DNS.  Your computer's DNS registration is primarily used when other devices on the network attempt to connect to your computer.  If you have "domainA.local" as your suffix, when you get your DHCP address your computer registers "name.domainA.local" with the selected DNS server and registers your IP address as a reverse lookup to that same name.
The default configuration is to use your local AD domain name in this fashion as well as to check the box.  This is because you are expected to be accessing resources in your own domain most often.  In addition, it is expected that other devices trying to connect to your computer would be expected to be in your own domain.
The only reason why you would want to use a domain other than your own default would be if you expected devices in another domain to connect to your computer and you wanted to make sure your DHCP-enabled computer registered a name within the OTHER DNS domain name in addition to or instead of your own AD DNS domain name.
So, unless you're publishing data on desktop computers to people in the other domains don't worry about this.  If someone in another domain needs to be able to connect to a server in your domain you may need to put a static entry in DNS for them to be able to connect by name, but you probably won't even need to do that.
Q What about the primary DNS suffix:  What if it were not used and we joined the AD domain with this box unchecked:  "Change primary DNS suffix when domain membership changes" ?
A Examples
You have 2 domains, DomainA and DomainB.
Your servers are mostly in DomainA, except for a domain controller in DomainB.
You have clients in both domains.  The clients all use resources in both domains.
Your clients in DomainA have their primary DNS suffix set to "DomainA" and your clients in DomainB have their primary DNS suffix set to "DomainB".
There is a trust between the domains.  All computers in each domain have a DNS server for their own domain selected in their IP configuration.  No WINS is available and broadcast traffic does not span the 2 domains (so NetBIOS won't work).  Basically we force all to use DNS for name resolution.
Scenario 1:
All clients have the "Change primary DNS suffix when domain membership changes" set.  You move a client from DomainA to DomainB.  Before the move, the primary DNS suffix for that client was "DomainA".  After the move, the primary DNS suffix automatically changes to "DomainB".
Scenario 2:
You do NOT check "Change primary DNS suffix when domain membership changes". You move a client from DomainA to DomainB.  Before the move, the primary DNS suffix for that client was "DomainA".  After the move, the primary DNS suffix remains "DomainA".
Scenario 3:
DNS is shared between both domains.  You have a client in DomainB trying to access Server1 in DomainA. The client queries DNS for the IP address of Server1.DomainA.  That address is returned to the client.
Scenario 4:
DNS is NOT shared between domains.  The client in DomainB tries to access Server1 in DomainA.  The client queries DNS for the IP address of Server1.DomainA.  The DNS server tells the client that it has no record of Server1.
Scenario 5:
Workstation1 in DomainB registers its name with DNS using "DomainB" for the DNS suffix. Workstation2 in DomainA attempts to access Workstation1. Workstation2 queries DNS for "". Since Workstation1 registered its name in DomainB but Workstation2 is querying for Workstation1 in DomainA, the query fails and no resolution is made.
Scenario 6:
Workstation1 in DomainB registers its primary suffix as "DomainB" but registers an additional DNS suffix for "DomainA". Workstation2 queries DNS for "". Since Workstation1 registered with both DNS domain names, the query returns an IP address for Workstation1.
Q What about this scenario: You do NOT check "Change primary DNS suffix when domain membership changes" AND the primary DNS suffix is blank to begin with?
A If you have no DNS suffix, then when you go to a command line and type "ping server1", for instance, Windows does not automatically append "DomainA" to "server1". The "Change primary DNS suffix" option only applies when moving a client between domains. The rest of the time it is ignored.
So then the question becomes... can you resolve "ping server1".  If you have no WINS and you cannot broadcast for "server1" and you don't have "server1" in cache then you cannot.
For more on how name resolution works on a Windows client check out
The best practice is to use DHCP to put your home AD DNS domain name in the DNS suffix.  You can add other domains also if you are likely to interact with them.  Never specify this kind of thing directly on the client unless you have some sort of special exception.
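The suffix rules walked through in Scenarios 3 to 6 and in the blank-suffix answer, modelled as an added example (not code from the original post or from Windows): a constructed DNS server holding A records, a client that appends its primary suffix and then any connection-specific suffixes to an unqualified name, and one function that replays the scenarios. Host names, suffixes and IP addresses are constructed; real Windows resolution also consults cache, WINS and broadcast, which this model deliberately omits, exactly as the answer's "no WINS, no broadcast" setup does.

```python
# Constructed model of the Windows suffix rules discussed above; not Windows code.
from dataclasses import dataclass, field

@dataclass
class DnsServer:
    records: dict = field(default_factory=dict)  # fqdn -> IP (constructed zone data)

    def register(self, host, suffixes, ip):
        # Dynamic registration: one A record per suffix the client registers with
        for suffix in suffixes:
            self.records[f"{host}.{suffix}".lower()] = ip

    def query(self, fqdn):
        return self.records.get(fqdn.lower())

@dataclass
class Client:
    primary_suffix: str  # "" models a client with no primary suffix at all
    dns: DnsServer  # the DNS server selected in the client's IP configuration
    extra_suffixes: list = field(default_factory=list)  # connection-specific suffixes

    def candidates(self, name):
        """Names tried for an unqualified name: primary suffix first, then connection-specific ones."""
        if "." in name:
            return [name]
        return [f"{name}.{s}" for s in (self.primary_suffix, *self.extra_suffixes) if s]

    def resolve(self, name):
        for fqdn in self.candidates(name):
            ip = self.dns.query(fqdn)
            if ip:
                return fqdn, ip
        return None  # unresolved: no WINS or broadcast fallback in this model

def run_scenarios():
    """Scenarios 3-6 plus the blank-suffix case, returned as a dict for inspection."""
    shared = DnsServer()  # Scenario 3: one server answers for both domains' zones
    shared.register("Server1", ["DomainA"], "10.0.1.10")
    shared.register("Workstation1", ["DomainB"], "10.0.2.20")
    only_b = DnsServer()  # Scenario 4: DomainB's server knows nothing of DomainA
    only_b.register("Workstation1", ["DomainB"], "10.0.2.20")
    results = {
        "s3_shared": Client("DomainB", shared).resolve("Server1.DomainA"),
        "s4_not_shared": Client("DomainB", only_b).resolve("Server1.DomainA"),
        "s5_wrong_suffix": Client("DomainA", shared).resolve("Workstation1"),
    }
    shared.register("Workstation1", ["DomainB", "DomainA"], "10.0.2.20")  # Scenario 6
    results["s6_both_suffixes"] = Client("DomainA", shared).resolve("Workstation1")
    results["blank_suffix"] = Client("", shared).resolve("Server1")
    return results
```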