Using Group Policy to Specify a DNS Suffix

When a Group Policy exists, the suffix set in the Group Policy supersedes the local primary DNS suffix, which by default is the same as the Active Directory domain name. Users can still enter a suffix in the System Properties dialog box, but the suffix is not used unless the Group Policy is disabled or unspecified.

If you make the primary DNS suffix of the computer different from the Active Directory domain name, however, you must perform additional configuration in order to enable the modified full computer name to be registered in the DNS host name attribute and the Service Principal Name attribute for the computer object in Active Directory.

By default, the name registered in those attributes must have the following syntax:

<NetBIOS name>.<Active Directory domain name>

where NetBIOS name is the NetBIOS name of the computer and Active Directory domain name is the DNS name of the Active Directory domain. To enable registration of the modified full computer name, you must modify the access control list (ACL) for the appropriate domain by using the following procedure. You must also perform this procedure if any computers joined to the domain have host names of more than 15 bytes.

To modify the ACL to enable registration of the full computer name

  1. Click Start, highlight Programs, highlight Administrative Tools, and then click Active Directory Users and Computers.

  2. In the View menu, click Advanced Features.

  3. Right-click the domain you want to modify, and then click Properties.

  4. Click the Security tab.

  5. Click Add, click SELF, click ADD, and then click OK. This adds the SELF group to the ACL.

  6. Click the Advanced button.

  7. Click SELF and then click View/Edit.

  8. Click the Properties tab.

  9. In the Apply onto box, click Computer objects.

  10. In the Permissions box, check Allow next to Write dNSHostName, and then click OK until you have closed the Active Directory Users and Computers dialog box.



If you modify the ACL to enable registration of the modified full computer name, any computer in the domain can register itself under a different name.
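
Because the ACL change lets a computer write a name that no longer follows the default syntax, it helps to audit which accounts deviate and why. The following PowerShell is an added example, not part of the original page: the function name `Test-DnsHostNameSyntax`, the domain `corp.example`, and the sample records are constructed, and the check assumes the NetBIOS name is the leading part of a host name longer than 15 bytes.

```powershell
# Added example: classify each computer account's dNSHostName against the
# default syntax <NetBIOS name>.<Active Directory domain name>.
function Test-DnsHostNameSyntax {
    [CmdletBinding()]
    param(
        # Any object with SamAccountName and DNSHostName properties
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        # DNS name of the Active Directory domain
        [Parameter(Mandatory)] [string] $DomainDnsName
    )
    process {
        $netbios = ([string]$Computer.SamAccountName).TrimEnd('$')
        $dns     = ([string]$Computer.DNSHostName).TrimEnd('.')
        # Split into the host label and everything after the first dot
        $label, $suffix = $dns -split '\.', 2

        $labelState = if (-not $dns) { 'NotRegistered' }
            elseif ($label -eq $netbios) { 'MatchesNetBIOS' }
            elseif ([Text.Encoding]::UTF8.GetByteCount($label) -gt 15 -and
                    $label.StartsWith($netbios, [StringComparison]::OrdinalIgnoreCase)) {
                'LongHostName'      # host name of more than 15 bytes
            }
            else { 'Mismatch' }     # label unrelated to the account name: review

        $suffixOk = [bool]($dns -and $suffix -eq $DomainDnsName)
        [pscustomobject]@{
            Account             = $Computer.SamAccountName
            DNSHostName         = $dns
            HostLabel           = $labelState
            SuffixMatchesDomain = $suffixOk
            # True only when the name follows the default syntax exactly
            DefaultSyntax       = ($labelState -eq 'MatchesNetBIOS' -and $suffixOk)
        }
    }
}

# Constructed sample records; corp.example is a hypothetical domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'WS01$';            DNSHostName = 'ws01.corp.example' }
    [pscustomobject]@{ SamAccountName = 'WS02$';            DNSHostName = 'ws02.branch.example' }
    [pscustomobject]@{ SamAccountName = 'LONGHOSTNAME123$'; DNSHostName = 'longhostname12345.corp.example' }
    [pscustomobject]@{ SamAccountName = 'WS03$';            DNSHostName = 'dc01.corp.example' }
)
$sample | Test-DnsHostNameSyntax -DomainDnsName 'corp.example' | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADComputer -Filter * | Test-DnsHostNameSyntax -DomainDnsName (Get-ADDomain).DNSRoot
```

Accounts reported as `LongHostName` or with `SuffixMatchesDomain` false are the cases the procedure above exists to support; `Mismatch` rows are the ones to compare against what you expect each computer to be called.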