Not only is being able to register it important, but also
that DNS resolves to the correct SPN. Let's say you have a SQL server that
is a member of the us.widget.net domain; however, in DNS it is registered as
sql1.sea.widget.net. If you look in AD it's likely that the SPN registered
will be: MSSql/sql1.us.widget.net. So when a user attempts to get a
service ticket, they will pass sql1.sea.widget.net and it will fail and the
user will use NTLM auth instead. So if you're going to use a different DNS
domain model (like we do at my company, we use QIP with regionalized domains)
then make sure your SPNs match up.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?
The permission mod you need to make is to correct this.
Again, disjoint namespace works fine in the core OS. The
issues that crop up are around poorly written/tested
applications.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?
If you're also talking about servers, don't forget that by
default computers register their SPN using the AD domain name. So if
you have a server that registers HOST/someserver.myadname.net and the server
actually resolves to someserver.mydnszone.net Kerberos will not work for the
clients that try to connect using the DNS name.
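Added example, not code from any poster in this thread: a PowerShell check for the mismatch described in the SQL post above (SPN registered as sql1.us.widget.net while clients connect to sql1.sea.widget.net) and in Joseph's HOST/ example. It builds the SPNs a client would actually ask the KDC for, based on the DNS name the client uses, and then looks for an account in the domain holding each one. The host and domain names are taken from the thread; the ActiveDirectory RSAT module, the MSSQLSvc service class and port 1433 are assumptions for illustration.

```powershell
# Added example (not from the thread): audit whether the SPNs in AD cover the
# DNS name clients really use. Assumes the ActiveDirectory module (RSAT) is installed.
param(
    [string]$ComputerName   = 'sql1',                   # sAMAccountName without the trailing $
    [string]$ClientDnsName  = 'sql1.sea.widget.net',    # name clients put in their connection string
    [string[]]$ServiceClasses = @('HOST', 'MSSQLSvc'),  # service classes to check (assumed)
    [int]$SqlPort = 1433,                               # assumed default SQL instance port
    [switch]$Fix                                        # register missing SPNs on the computer account
)

Import-Module ActiveDirectory

# What AD thinks the machine is called, and what it has registered.
$computer   = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, DNSHostName
$registered = @($computer.servicePrincipalName)
Write-Host "AD dNSHostName : $($computer.DNSHostName)"
Write-Host "SPNs on ${ComputerName}$:"
$registered | ForEach-Object { Write-Host "  $_" }

# The client requests a ticket for the name it resolved, not for the AD name,
# so first make sure the DNS name the clients use resolves at all.
try {
    $a = Resolve-DnsName -Name $ClientDnsName -Type A -ErrorAction Stop
    Write-Host "$ClientDnsName resolves to $($a.IPAddress -join ', ')"
} catch {
    Write-Warning "$ClientDnsName does not resolve; clients never get as far as Kerberos."
    return
}

# SPNs a client would ask the KDC for. MSSQLSvc SPNs carry the port; HOST does not.
$wanted = foreach ($class in $ServiceClasses) {
    if ($class -eq 'MSSQLSvc') { "MSSQLSvc/${ClientDnsName}:$SqlPort" } else { "$class/$ClientDnsName" }
}

$missing = @()
foreach ($spn in $wanted) {
    # Any account in the domain may hold the SPN (e.g. a SQL service account),
    # so search the directory rather than only the computer object.
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($holder) {
        Write-Host "OK      $spn is registered on $($holder.DistinguishedName)"
    } else {
        Write-Warning "MISSING $spn : a client connecting to $ClientDnsName gets KDC_ERR_S_PRINCIPAL_UNKNOWN and falls back to NTLM"
        $missing += $spn
    }
}

if ($Fix -and $missing) {
    foreach ($spn in $missing) {
        # setspn -S checks for duplicates before adding, so a typo cannot create a
        # duplicate SPN that breaks Kerberos for both accounts.
        & setspn.exe -S $spn "${ComputerName}$"
    }
}
```

Run it read-only first; -Fix only adds the SPN to the computer account, which is right for HOST/ and for a SQL instance running as LocalSystem or Network Service, but wrong if SQL runs under a domain service account (the SPN then belongs on that account, and the script's directory search will already show you who, if anyone, holds it). The search is scoped to the current domain; in a multi-domain forest query a global catalog (port 3268) to catch SPNs registered elsewhere.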
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?
Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix.
Any thoughts welcome.