
What is best practice for this setting? It also goes by DNS Domain Name in DHCP scope settings.

The only documentation I can find about these suffixes and domain name settings specifies that the primary DNS name must match. (https://technet.microsoft.com/en-us/library/cc816716.aspx)

Let's say the AD domain is:

ad.example.com

DNS zones include example.com. Some items, not all, that are joined to the domain get aliases (either CNAME or A records) to domain-joined machines. These are things like internal web servers and services that we don't want people to have to use service.ad.example.com for.

Domain controllers are in several sites, but the FQDN of each would be something like loc-dc##.ad.example.com.

The issue isn't that I don't know what the setting does, but the above is our situation and we have some disputes about what this setting should be. I have my thoughts, but I'd rather get some opinions or actual resources before I share them, so as not to bias any comments.

Windex
    I'm really having a hard time understanding what you're asking. Are you asking what the DNS suffix should be for non-AD hosts? Why do you have an internal `example.com` DNS zone? You're going to break DNS name resolution of the external `example.com` zone for your internal clients. – joeqwerty Jun 13 '15 at 14:50
  • `Are you asking what the DNS suffix should be for non-AD hosts?` No, ad joined machines, joined to ad.example.com `Why do you have an internal example.com DNS zone?` That domain isn't used externally so that's not a problem. Reason was included in the question though. – Windex Jun 13 '15 at 15:46
  • Generally you do not need to use the Connection Specific Suffix. The only time I do use the CSS is when our network team creates a DHCP scope with the wrong suffix. It's hard to get them to fix things... Only other reason, and this is reaching, may be if you have a split DNS and you wanted the same hostname to dynamically register in two different zones? – Clayton Jun 13 '15 at 15:54
  • If the FQDN had been used when everything was configured it wouldn't be so much of an issue, and in time we'll get there, but one side thinks there are technical reasons that affect all manner of network performance, from machine startup time to user logins, and the other side disagrees and wants it set one way for obfuscation of the real domain name. – Windex Jun 13 '15 at 15:59
  • Honestly (and I'm not trying to be difficult), this statement makes no sense to me: `DNS Zones include example.com. Some items, not all, that are joined to domain get aliases (either cname or a record) to domain joined machines. These are things link internal web servers and services that we don't want people to have to use service.ad.example.com.` – joeqwerty Jun 13 '15 at 16:03
  • Your AD DNS zone **should not** include `example.com`. I don't know what you mean when you say that `DNS zones include example.com`. If you intend to host an internal DNS zone named `example.com` then you're setting yourself up for headaches. – joeqwerty Jun 13 '15 at 16:09
  • `If you intend to host an internal DNS zone named example.com then you're setting yourself up for headaches` Then just go with it being example2.com. I don't really get why you think it'll be such an issue, but that's really not important. The point is it's a domain name other than the AD domain name. – Windex Jun 13 '15 at 16:18

1 Answer

Domain-joined clients don't need a connection-specific DNS suffix. They derive their primary DNS suffix from their domain membership, as viewed on the Computer Name tab of System Properties. For non-domain-joined clients you can set their DNS suffix via DHCP, and you'll want to set it to match the DNS suffix of the AD domain so that they'll register in your AD DNS zone and will be resolvable from that zone. For non-domain-joined hosts that have statically assigned IP addresses you can assign a connection-specific DNS suffix to match your AD DNS suffix. Your AD DNS namespace begins and ends at ad.example.com. Any queries for example.com DNS records will be forwarded externally for resolution by whatever name servers are authoritative for the example.com DNS zone.

joeqwerty
  • So a domain (example.com) joined machine with the connection-specific suffix set to example2.com will not search for a non-FQDN of server01 first as server01.example2.com and then fail over to server01.example.com when it cannot find server01.example2.com? Isn't it better to search the primary source of information first instead of the secondary? – Windex Jun 13 '15 at 16:22
  • `and then failover to server01.example.com when it cannot find server01.example2.com?` Erm, actually it doesn't fail over. If you set the connection-specific suffix to example2.com it tries to find server01.example2.com, fails, and then you can't resolve the server. – Windex Jun 13 '15 at 16:30
  • I have no idea what you're getting at. You have an AD domain named `ad.example.com` or `example1.com` or `example2.com` or whatever. What is it you're asking? Is it that you want to also use another DNS name and suffix internally? – joeqwerty Jun 13 '15 at 16:39
  • Not for nothing, but I didn't earn the AD and DNS badges for **not** understanding AD and DNS. I'm just not understanding what you're asking and what your end goal is here. – joeqwerty Jun 13 '15 at 16:44
  • Here, let's try this: All our external-facing services use corpname.com. They are really unimportant to this, though. Then we have ADDomain.com as our Active Directory domain, so we have servers like corpweb01.addomain.com and corpweb03.addomain.com. Then we have the convenience domain corpdomain.net. So we use a utility named UtilityX hosted on corpweb03.addomain.com. Because we like things to be pretty for the users, we set up utilityx.corpdomain.net, because it's not external facing; if it were, it would be set up as utilityx.corpdomain.com. – Windex Jun 13 '15 at 16:47
  • So, one group wants to set the suffix to match addomain.com and another group wants to configure it as corpdomain.net. (It's currently corpdomain.net, and the one group wants it changed to match AD. But I'm having trouble finding anything that definitively states who's correct.) – Windex Jun 13 '15 at 16:48
  • `Not for nothing but I didn't earn the AD and DNS badges for not understanding AD and DNS. I'm just not understanding what you're asking and what your end goal is here.` No worries, I'm frustrated at myself for not being able to explain it better without giving too much away... – Windex Jun 13 '15 at 16:52
  • So does that new explanation make any more sense? – Windex Jun 13 '15 at 23:27
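As an added illustration (not part of joeqwerty's answer or the original thread), here is a PowerShell audit of the settings the answer describes: the primary suffix derived from domain membership, any suffix search list, and each adapter's connection-specific suffix (which DHCP option 15, the "DNS Domain Name" scope setting, populates). It assumes the `ad.example.com` suffix from the question, a placeholder DHCP scope ID, and the DnsClient and DhcpServer cmdlets that ship with Windows 8 / Server 2012 and later.

```powershell
# Added example: audit a Windows client's DNS suffix configuration against the
# AD DNS suffix the question uses. Adjust $AdSuffix for your own forest.
$AdSuffix = 'ad.example.com'

# Primary DNS suffix: set by domain membership on domain-joined hosts and stored
# under Tcpip\Parameters as 'Domain' ('NV Domain' holds a pending change).
$tcpip   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primary = $tcpip.Domain
$joined  = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# Global resolver settings. Note: when a suffix search list is configured it
# replaces the primary and connection-specific suffixes for unqualified names.
$global = Get-DnsClientGlobalSetting
Write-Output "Domain joined      : $joined"
Write-Output "Primary DNS suffix : $primary"
Write-Output "Suffix search list : $($global.SuffixSearchList -join ', ')"
Write-Output "Devolution         : $($global.UseDevolution) (level $($global.DevolutionLevel))"

# Connection-specific suffix per adapter (the setting under dispute).
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix,
                  RegisterThisConnectionsAddress, UseSuffixWhenRegistering |
    Format-Table -AutoSize

# Flag the two cases the answer calls out.
foreach ($nic in Get-DnsClient) {
    $css = $nic.ConnectionSpecificSuffix
    if (-not $css) { continue }
    if ($joined -and $css -ne $primary) {
        Write-Warning "$($nic.InterfaceAlias): connection-specific suffix '$css' differs from primary suffix '$primary' on a domain-joined host; it is not needed here."
    }
    if (-not $joined -and $css -ne $AdSuffix) {
        Write-Warning "$($nic.InterfaceAlias): non-domain host uses suffix '$css'; set it to '$AdSuffix' so it registers in the AD zone."
    }
}

# Remediation (uncomment to apply; needs local admin / DHCP admin rights):
# Statically addressed non-domain host, per adapter:
# Set-DnsClient -InterfaceAlias 'Ethernet' -ConnectionSpecificSuffix $AdSuffix
# DHCP scope on the DHCP server (10.0.0.0 is a placeholder scope ID):
# Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -DnsDomain $AdSuffix
```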