Active Directory DNS Domain Name Single label names
Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
Originally Compiled 3/2005
Active Directory DNS Domain Name Single Label Name scenarios are slowly disappearing the more IT admins understand what they are. However, there are installations that are still plagued by this condition, whatever the original cause was, whether lack of research, planning or simply understanding AD’s DNS requirements. This article introduces what a single label name domain name is, and what can be done about it.
First, let’s discuss the FQDN. What is an FQDN?
It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchal, such as:
What is a Single Label DNS Domain name?
The name is reminscent of the legacy style NT4 domain NetBIOS domain names, such as:
The reason this does not work with DNS, which Active Directory relies on.
DNS is a hierarchal database. Some call it a “tree” with a root (the ‘com’ or ‘net’, etc, name), then the trunk (the ‘domain’ portion of it), and the branches (such as www, servername, etc). The Root domain name, such as com, edu, net, etc, is also known as the TLD (Tope Level Domain name).
Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimal requirment for an FQDN domain name, such as microsoft.com, is two levels. Then of course are your resource names, such as www, servername, or even child domain names under it.
Notice with a single label name there is only one name for the domain, or one level? Don’t get this confused with the NetBIOS domain name, that we were familiar with in the NT4 days. AD supports the NetBIOS domain name as well, but only as a NetBIOS domain name. It’s one of the domain names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 wasn’t reliant nor did it use DNS for NT4 domains. However, AD is reliant, therefore it must follow DNS naming rules.
Unfortunately tHe old NT4 style names are not hierachal because there is only one level.
Since AD requires and relies on DNS, and DNS is a hierarchal database, a single lable name does not follow any sort of hierarchy. DNS fails with single label names. Windows 2008, Windows 2003, XP and Vista have problems resolving single label names because it does not follow the proper format for a DNS domain name, such as domain.com, etc.
Also, Windows 2000 SP4 and all newer machines have problems querying single label names. It’s explained below by Alan Woods. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding resources.
How did it happen? Most cases it’s due to lack of research on AD’s DNS requirements, or how it works, or it could have been a simple typo, yet costly typo, when originally upgrading from NT4 or promoting your new AD domain.
Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
Single Label Name Explanation
Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:
The issue is the single label name. Locally at HQ, it’s using NetBIOS to join, however remotely, it’s relying on DNS. DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines.
Period. Why? good question. It’s based on the fact DNS is hierachal. Hierarchal meaning it must have multi levels, a minimum of two levels.
The TLD (top level domain) is the root name, such as the com, net, etc, names. The client side resolver service algorithm (which is governed by the DHCP Client service which must be running on all machines, static or not),
relies on that name for the basis to find the second level name (the name “domain” in domain.com, etc). If the name is a single label name, it thinks THAT name is the TLD.
Therefore it then hits the Internet Root servers to find how owns and is authorative for that TLD.Such as when looking up microsoft.com. It queries for the COM portion, which the roots return the nameservers responsible for the COM servers, then it queries for the servers responsible for microsoft.
If it’s a single label, the query ends there, and it won’t go further. However what is funny (sic) is that even though the single label name is being hosted locally in DNS, it will NOT query locally first, because it believes it is a TLD, therefore goes through the normal resolution (recursion and devolution) process, which causes excessive query traffic to the internet Root servers.
How to fix it? Good question. Glad you’ve asked.
1. The preferred “fix” (in a one line summary), is to install a fresh new domain properly named and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.
2. An alternative is to perform a domain rename, (difficulty depends on the operating system and which version of Exchange is installed).
3. As a temporary resort, you can use the patch/bandaid registry entry to force resolution and registration that is mentioned in the following link. This must be applied to every machine. Unfortunately it must be done on every machine in the domain, including the DCs, member servers, workstations and laptops.
Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
Microsoft’s Stance on Single Label Name AD DNS domain names.
The following is Microsoft’s stance on Single Label Names by Microsoft engineer Alan Woods.
Single label names, from Alan Woods, [MSFT], posted:
—– Original Message —–
From: “Alan Wood” [MSFT]
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS
We really would prefer to use FQDN over Single labled. There are
alot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.
Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.
Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON’T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
Microsoft is seriously asking you to NOT do this. We will support you but
it the end results could be limiting as an end results depending on the
services you are using.
Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
DNS and AD (Windows 2000 & 2003) FAQ:
Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)