Wiki source code of Active Directory

Last modified by Sebastian Marsching on 2022/05/29 12:56

{{toc/}}

# Useful Resources

* [Active Directory Replication Status Tool](http://www.microsoft.com/en-us/download/details.aspx?id=30005)
* [Speeding up replication of AD-integrated DNS zones](http://blogs.technet.com/b/askpfeplat/archive/2013/03/22/mailbag-how-often-does-the-dns-server-service-check-ad-for-new-or-modified-data.aspx)
* [Designing OU structures that work](http://technet.microsoft.com/en-us/magazine/2008.05.oudesign.aspx)

Also refer to the [[Windows Server 2012 R2 page|doc:Windows.Windows_Server_2012_R2.WebHome]].
10
# Default Settings for an Active Directory DNS Zone

These are the default "Start of Authority (SOA)" settings of the DNS zone that is created for a new Active Directory forest on Windows Server 2012 R2. I write them down here in case I ever wonder what the defaults were:

| **Setting** | **Default value** |
| ------------------------- | ---------- |
| **Refresh interval** | 15 minutes |
| **Retry interval** | 10 minutes |
| **Expires after** | 1 day |
| **Minimum (default) TTL** | 1 hour |
| **TTL for this record** | 1 hour |

The settings for the `_msdcs` sub-zone are the same.
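Added example, not part of the original page: a PowerShell check that reads the SOA record of the domain zone and of its `_msdcs` sub-zone and compares each value with the defaults listed above, so that anything that has been changed stands out. It assumes the domain is `ad.example.com` and that it runs on a DNS server with the DnsServer module (on a management host, add `-ComputerName` to the `Get-DnsServerResourceRecord` call).

```powershell
# Added example (not from the original wiki page): compare the SOA values of the
# AD-integrated zones with the Windows Server 2012 R2 defaults from the table.
# Assumption: the forest root domain is ad.example.com and this runs on a DNS server.
Import-Module DnsServer

$domain = 'ad.example.com'

# Expected defaults; the keys (except TimeToLive) are the property names of the
# SOA record data returned by Get-DnsServerResourceRecord.
$expected = [ordered]@{
    RefreshInterval   = New-TimeSpan -Minutes 15   # "Refresh interval"
    RetryDelay        = New-TimeSpan -Minutes 10   # "Retry interval"
    ExpireLimit       = New-TimeSpan -Days 1       # "Expires after"
    MinimumTimeToLive = New-TimeSpan -Hours 1      # "Minimum (default) TTL"
    TimeToLive        = New-TimeSpan -Hours 1      # "TTL for this record" (the SOA record itself)
}

foreach ($zone in @($domain, "_msdcs.$domain")) {
    $soa = Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa
    foreach ($name in $expected.Keys) {
        # The record TTL lives on the record, the other values in RecordData.
        $actual = if ($name -eq 'TimeToLive') { $soa.TimeToLive } else { $soa.RecordData.$name }
        $status = if ($actual -eq $expected[$name]) { 'default' } else { 'CHANGED' }
        '{0,-26} {1,-18} {2,-10} {3}' -f $zone, $name, $actual, $status
    }
}
```

Any line marked `CHANGED` is a deviation from the defaults; shorter refresh or expiry values are usually deliberate tuning, while a very long minimum TTL on an AD zone is worth a second look because it delays clients from seeing moved or removed domain controller records.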
23
# Configure FQDN of Computers in an Organizational Unit with DNS Suffix

In order to structure the DNS zone and to avoid polluting the root of the Active Directory DNS zone with lots of names, it can be desirable to configure a separate DNS suffix for the computers in different organizational units (OUs). For example, in the Active Directory domain `ad.example.com` we might have two OUs "Berlin" and "Frankfurt" (for the offices in the two cities). You might want the computers in Berlin to have the DNS suffix `berlin.ad.example.com` while the computers in Frankfurt should have the DNS suffix `frankfurt.ad.example.com`.

You can achieve this by attaching a group policy to each of the organizational units. You can find the settings under _Computer Configuration_ → _Policies_ → _Administrative Templates_ → _Network_ → _DNS Client_. There you want to enable _Primary DNS suffix_ and set it to the complete suffix (e.g. `frankfurt.ad.example.com`) for the OU. You also might want to check the _Allow DNS suffix appending to unqualified multi-label name queries_, _Primary DNS suffix devolution level_, _DNS suffix search list_ and _Primary DNS suffix devolution_ settings and adjust them in order to improve the experience for your users.

You might have to restart affected computers up to two times in order for this setting to take effect.

However, when you only apply this setting, you will see that the DNS host names registered for the computer objects in Active Directory (the `dNSHostName` attribute) do not match the actual FQDN set on the computers. This happens because a computer account usually only has the _Validated write to DNS host name_ privilege on its own object (and not the _Write DNS host name attributes_ privilege). A validated write only accepts a host name whose first label is the computer name and whose suffix is either the DNS name of the Active Directory domain (`ad.example.com` in this example) or one of the suffixes listed in the domain's `msDS-AllowedDNSSuffixes` attribute; any other value is rejected and the old name stays. Therefore you have to add the suffixes to that list. On Windows Server 2012 R2 you can do this by opening _Active Directory Users and Computers_, enabling _Advanced Features_ in the _View_ menu and opening the properties of the domain object. In the _Attribute Editor_ tab you will find the `msDS-AllowedDNSSuffixes` attribute, where you can add all allowed DNS suffixes. Only add suffixes that belong to your own namespace: every computer in the domain may then register a `dNSHostName` under them, and the service principal names a computer registers for itself are validated against that host name.
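The whole procedure above in PowerShell, as an added example that is not from the original page: one GPO per OU that sets the primary DNS suffix, `msDS-AllowedDNSSuffixes` extended with only the suffixes that are still missing, and an audit of which computers have not yet re-registered under their OU's suffix. The domain `ad.example.com`, the OU names and the GPO names are assumptions; the registry key and value are the ones the _Primary DNS suffix_ policy in the DNS Client administrative template writes. It needs the ActiveDirectory and GroupPolicy modules and the rights to create and link GPOs and to write the domain object.

```powershell
# Added example (not from the original wiki page). Assumed names: domain
# ad.example.com, OUs "Berlin" and "Frankfurt" directly below the domain root,
# GPOs named "DNS Suffix - <City>".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName            # e.g. DC=ad,DC=example,DC=com
$suffixes = @{
    'Berlin'    = 'berlin.ad.example.com'
    'Frankfurt' = 'frankfurt.ad.example.com'
}

# 1. One GPO per OU that enables "Primary DNS suffix" (Computer Configuration ->
#    Policies -> Administrative Templates -> Network -> DNS Client). The policy is
#    stored as the registry value below.
foreach ($city in $suffixes.Keys) {
    $gpoName = "DNS Suffix - $city"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\Software\Policies\Microsoft\System\DNSClient' `
        -ValueName 'NV PrimaryDnsSuffix' -Type String -Value $suffixes[$city] | Out-Null
    # Linking fails harmlessly if the link already exists.
    New-GPLink -Name $gpoName -Target "OU=$city,$domainDN" -ErrorAction SilentlyContinue | Out-Null
}

# 2. Permit the new suffixes for validated writes to dNSHostName. Without this the
#    computer's attempt to update its own name is rejected and the attribute keeps
#    the old ad.example.com value. Only the suffixes not yet present are added.
$current = (Get-ADObject -Identity $domainDN -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'
$missing = @($suffixes.Values | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADObject -Identity $domainDN -Add @{ 'msDS-AllowedDNSSuffixes' = [string[]]$missing }
}

# 3. Audit: computers in each OU whose dNSHostName is not (yet) under the intended
#    suffix. Entries stay here until the machine has rebooted (possibly twice) and
#    re-registered, or if its suffix is still not in the allowed list.
foreach ($city in $suffixes.Keys) {
    Get-ADComputer -SearchBase "OU=$city,$domainDN" -Filter * -Properties dNSHostName |
        Where-Object { $_.dNSHostName -notlike "*.$($suffixes[$city])" } |
        ForEach-Object {
            [pscustomobject]@{ OU = $city; Computer = $_.Name; dNSHostName = $_.dNSHostName }
        }
}
```

Step 2 reads the attribute back before writing so that re-running the script never duplicates entries, and step 3 is what to run after the reboots to confirm that the registered names and the real FQDNs have converged.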
33
The following articles helped me with figuring this out:

* [http://ait.its.psu.edu/services/identity-access-management/ad/dns-suffix-for-computers-in-the-access-forest.html](http://ait.its.psu.edu/services/identity-access-management/ad/dns-suffix-for-computers-in-the-access-forest.html)
* [http://activedirectory.ncsu.edu/advanced-topics/advanced-domain-design/dns/](http://activedirectory.ncsu.edu/advanced-topics/advanced-domain-design/dns/)
* [http://technet.microsoft.com/en-us/library/cc755926.aspx](http://technet.microsoft.com/en-us/library/cc755926.aspx)
* [http://support.microsoft.com/kb/258503](http://support.microsoft.com/kb/258503)