Configure Disjoint Namespace


By default, the primary Domain Name System (DNS) suffix portion of a computer’s fully qualified domain name (FQDN) is the same as the name of the Active Directory domain where the computer is located. When the primary DNS suffix portion of a computer’s FQDN is different from the Active Directory domain where the computer is located, this is known as a disjoint namespace.

To run Exchange 2016/2013 in a disjoint namespace, you need to do two things:

  1. Configure the DNS suffix search list.
  2. Create a list of allowed suffixes by modifying the value for the msDS-AllowedDNSSuffixes attribute of the domain object container.

1- Configure the DNS suffix search list

You’ll use the Group Policy Management Console (GPMC) to get this task done. Learn more about Group Policy at Windows Server Group Policy.

  1. Open the GPMC , Start > Programs > Administrative Tools > Group Policy Management.
  2. Expand the forest and the domain in which you’ll apply Group Policy. Right-click Group Policy Objects, and then click New.
  3. In New GPO, type a name for the policy, and then click OK.
  4. Right-click the new policy that you created in Step 3, and then click Edit.
  5. In Group Policy Object Editor (Group Policy Management Editor in Windows Server 2008), expand Computer Configuration, (expand Policies in Windows Server 2008), expand Administrative Templates, expand Network, and then click DNS Client.

Right-click DNS Suffix Search List, and then click Properties.

On the DNS Suffix Search List Properties page, select Enabled. In the DNS Suffixes box, type the primary DNS suffix of the disjoint computer, the DNS domain name, and any additional namespaces for other servers with which Exchange may interoperate, such as monitoring servers or servers for third-party applications. Click OK.

In Group Policy Management, expand Group Policy Objects, and then select the policy that you created in Step 3. On the Scope tab, in the Security Filtering area, click Add to scope the policy so that it applies to only the computers that are disjoint.

2-Modify the msDS-AllowedDNSSuffixes attribute

To do this procedure, you’ll need to use the Active Directory® Service Interfaces (ADSI) Edit tool. Learn more at ADSI Edit.

For more information about the msDS-AllowedDNSSuffixes attribute, download Domain Rename Procedure from the Windows Server Help and Support Center.

Caution:

Be careful! If you make a mistake modifying the attributes of Active Directory objects, you may cause serious problems that may require that you reinstall Windows Server.

2a-Perform the following procedure on each Exchange 2016/2013 server:

  1. Open Control Panel, and then click System.
  2. In the Computer name, domain, and workgroup settings section, click Change settings.
  3. In the System Properties window, click Change.
  4. In the Computer Name/Domain Changes window, click More.
  5. Clear the Change primary DNS suffix when domain membership changes check box.
  6. Click OK to save the changes, and then click OK to exit the Computer Name/Domain Changes dialog box.
  7. Click OK to close the System Properties dialog box, and then restart the computer for the change to take effect.

2b-On a domain controller, do the following to modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container.

  1. Open ADSI Edit.
  2. Double-click the domain directory partition for the domain you want to modify.
  3. Right-click the domain container object, and then click Properties.
  4. On the Attribute Editor tab, in the Attributes box, double-click msDS-AllowedDNSSuffixes.
  5. In the Multi-valued String Editor dialog box, in the Value to add box, type a DNS suffix, and then click Add.
  6. When you’ve added all the DNS suffixes for the domain, click OK.
  7. Click OK to close the Properties dialog box for that domain.

Repeat these steps if you have multiple domains you want to similarly configure.

Advertisements