• Useful Resources
• Default Settings for an Active Directory DNS Zone
• Configure FQDN of Computers in an Organizational Unit with DNS Suffix

Useful Resources

• Active Directory Replication Status Tool
• Speeding up replication of AD-integrated DNS zones
• Designing OU structures that work

Also refer to the Windows Server 2012 R2 page.

Default Settings for an Active Directory DNS Zone

These are the default "Start of Authority (SOA)" settings for the DNS zone that is created for a new Active Directory forest with Windows Server 2012 R2. I write them down here just in case I ever wonder what the defaults have been:

The settings for the _msdcs sub-zone are the same.

Configure FQDN of Computers in an Organizational Unit with DNS Suffix

In order to structure the DNS zone and to avoid polluting the root of the Active Directory DNS zone with lots of names, it can be desirable to configure a separate DNS suffix for computers in different organizational units (OUs). For example, in the Active Directory domain ad.example.com we might have to OUs "Berlin" and "Frankfurt" (for the offices in the two cities). You might want the computers in Berlin to have the DNS suffix berlin.ad.example.com while the computers in Frankfurt should have the DNS suffix frankfurt.ad.example.com.

You can achieve this with by attaching a group policy to each of the organizational units. You can find the settings under Computer Configuration → Policies → Administrative Templates → Network → DNS Client. There you want to enable Primary DNS suffix end set to the complete suffix (e.g. frankfurt.ad.example.com) for the OU. You also might want to check the Allow DNS suffix appending to unqualified multi-label name queries, Primary DNS suffix devolution level, DNS suffix search list and Primary DNS suffix devolution settings and adjust them in order to improve the experience for your users.

You might have to restart affected computers up to two times in order for this setting to take effect.

However, when you only apply this setting, you will see that the DNS host names registered for the computer objects in Active Directoy will not match the actual FQDN set for the computer. This happens because usually, a computer account only has the Validated write to DNS host name privilege (and not the Write DNS host name attributes privilege). Usually validated writes are writes that match the name of the Active Directory domain (ad.example.com in this example). Therefore you have to add the suffixes to the list of allowed DNS suffixes for the Active Directory domain. On Windows Server 2012 R2 you can do this by opening Active Directory Users and Computers, enabling Advanced Features in the View menu and opening the properties of the domain object. In the Attribute Editor tab you will find the msDS-AllowedDNSSuffixes attribute, where you can add all allowed DNS suffixes.

The following articles helped me with figuring this out:

• http://ait.its.psu.edu/services/identity-access-management/ad/dns-suffix-for-computers-in-the-access-forest.html
• http://activedirectory.ncsu.edu/advanced-topics/advanced-domain-design/dns/
• http://technet.microsoft.com/en-us/library/cc755926.aspx
• http://support.microsoft.com/kb/258503