Microsoft KB Archive/300684

= Information about configuring Windows for domains with single-label DNS names =

Article ID: 300684

Article Last Modified on 11/20/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q300684



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
This article contains information about configuring a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000 for Active Directory directory service domains that have single-label DNS names.

Note We do not recommend that you use domains that have single-label DNS names for the following reasons:
 * Single-label DNS names cannot be registered with an Internet registrar.
 * Domains that have single-label DNS names require additional configuration.
 * The DNS Server service might not be used to locate domain controllers in domains that have single-label DNS names.
 * By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones.
 * Microsoft Exchange Server 2007 is not supported in environments in which single-label DNS is used.



DNS name registration
Generally, we recommend that you register DNS names for internal and external namespaces with an Internet registrar. This includes the DNS names of Active Directory domains, unless such names are sub-domains of DNS names that are registered by your organization name. For example, &quot;corp.example.com&quot; is a sub-domain of &quot;example.com.&quot; Registering your DNS names with an Internet registrar may prevent possible name collisions if another organization tries to register the same DNS name, or if your organization merges with, acquires, or is acquired by another organization that uses the same DNS name.

DNS names that do not contain a suffix such as .com, .corp, .net, .org or companyname are considered to be single-label DNS names. For example, &quot;host&quot; is a single-label DNS name. Most Internet registrars do not allow the registration of single-label DNS names.

Possible symptoms when clients cannot dynamically register DNS records in a single-label forward lookup zone
If you use a single-label DNS name in your environment, clients may not be able to dynamically register DNS records in a single-label forward lookup zone. Specific symptoms vary according to the version of Microsoft Windows that is installed.

The following list describes the symptoms that may occur:   After you install Microsoft Windows 2000 Service Pack 4 (SP4), all domain controllers may not be able to register DNS records. The System log of the domain controller may consistently log NETLOGON 5781 warnings that are similar to the following example: Event Type: Warning

Event Source: NETLOGON

Event Category: None

Event ID: 5781

Description:

Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.

Data Words: 0000: 0000232a Note Status code 0000232a maps to the following error code:

DNS_ERROR_RCODE_SERVER_FAILURE

 The following additional status codes and error codes may appear in log files such as Netdiag.log:

DNS Error Code: 0x0000251D = DNS_INFO_NO_RECORDS

DNS_ERROR_RCODE_ERROR

RCODE_SERVER_FAILURE

  Computers that are running Windows 2000 with SP4 will not register in a single-label domain. A warning that is similar to the following example is recorded in the System log of the computer: Event Type: Warning

Event Source: DnsApi

Event Category: None

Event ID: 11151

Description: The system failed to register network adapter with settings:

Adapter Name : {89317B1A-C246-4C7B-81D5-2CA8930EB721}

Host Name : FileServer

Adapter-specific Domain Suffix : domain.local

DNS server list : 209.242.21.82, 209.242.0.2, 209.242.0.5

Sent update to server : None

IP Address(es) : 192.168.127.254

The cause of this DNS registration failure was because of DNS server failure.

This may be due to a zone transfer that has locked the DNS server for the applicable zone that your computer needs to register itself with.

(The applicable zone should typically correspond to the Adapter-specific Domain Suffix that was indicated above.)

You can manually retry registration of the network adapter and its settings by typing &quot;ipconfig /registerdns&quot; at the command prompt. If problems still persist, contact your network systems administrator to verify network conditions.  A Windows Server 2003-based computer is not updating its SRV records and its host records in the DNS zone.  Clients that have fresh installations of Windows XP cannot register with DNS dynamic update protocol on a DNS server. A message that is similar to the following example is recorded in the Windows XP System log: Event Type: Warning

Event ID: 11165

Source: DnsApi

Description:

The system failed to register host (A) resource records (RRs) for network adapter with settings:

Adapter Name : {8E866057-FDA9-4EBE-9F99-4D530A2933FD}

Host Name : SV2019

Primary Domain Suffix : mydom

DNS server list : 192.168.213.100, 204.246.1.20

Sent update to server :

IP Address(es) : 192.168.213.101

The reason the system could not register these RRs was because the DNS server contacted refused the update request.

The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

To register the DNS host (A) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator. 

How to allow Windows-based clients to perform dynamic updates to single-label DNS zones
We do not recommend that you use Active Directory directory service domains that have single-label DNS names.
 * Starting with Windows 2000 SP4, the default setting for dynamically registering DNS records changed. In Windows 2000 SP4, Windows does not dynamically register DNS records in a single-label domain.
 * By default, Windows Server 2003, Windows XP, and Windows 2000 with SP4 and with later service packs do not send updates to top-level domains. However, you can change this behavior by using one of the methods that are described in this section.

If you want to keep your single-label DNS structure, use one of the following methods to allow Windows-based clients to perform dynamic updates to single-label DNS zones.

Domain controller locator configuration for Windows XP Professional
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

On a Windows XP Professional-based computer, an Active Directory domain member requires additional configuration to support single-label DNS names for domains. Specifically, the domain controller locator on the Active Directory domain member does not use the DNS Server service to locate domain controllers in a domain that has a single-label DNS name unless that Active Directory domain member is joined to a forest that contains at least one domain that has a single-label DNS name.

Without modification, an Active Directory domain member in a forest that does not contain any domains that have single-label DNS names does not use the DNS Server service to locate domain controllers in domains that have single-label DNS names that are in other forests. Client access to the domains that have single-label DNS names fails if NetBIOS name resolution is not correctly configured.

To enable an Active Directory domain member to use DNS to locate domain controllers in domains that have single-label DNS names that are in other forests, follow these steps: <ol> Click Start, click Run, type regedit, and then click OK.</li> Locate and then click the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

</li> In the right pane, locate the AllowSingleLabelDnsDomain entry. If the AllowSingleLabelDnsDomain entry does not exist, follow these steps: <ol style="list-style-type: lower-alpha;"> On the Edit menu, point to New, and then click DWORD Value.</li> Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.</li></ol> </li> Double-click the AllowSingleLabelDnsDomain entry.</li> In the Value data box, type 1, and then click OK</li> Quit Registry Editor.</li></ol>

DNS client configuration
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Active Directory domain members and domain controllers that are in a domain that has a single-label DNS name typically must dynamically register DNS records in a single-label DNS zone that matches the DNS name of that domain. If an Active Directory forest root has a single-label DNS name, all domain controllers in that forest typically must dynamically register DNS records in a single-label DNS zone that matches the DNS name of the forest root.

By default, Windows XP-based DNS client computers and Microsoft Windows 2000 SP4-based DNS client computers do not attempt dynamic updates of the root zone &quot;.&quot; or of single-label DNS zones.

To allow Windows XP-based DNS client computers and Windows 2000 SP4-based DNS client computers to attempt dynamic updates of a single-label DNS zone, follow these steps: <ol> Click Start, click Run, type regedit, and then click OK.</li> Locate and then click the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters

</li> In the right pane, locate the UpdateTopLevelDomainZones entry. If the UpdateTopLevelDomainZones entry does not exist, follow these steps: <ol style="list-style-type: lower-alpha;"> On the Edit menu, point to New, and then click DWORD Value.</li> Type UpdateTopLevelDomainZones as the entry name, and then press ENTER.</li></ol> </li> Double-click the UpdateTopLevelDomainZones entry.</li> In the Value data box, type 1, and then click OK</li> Quit Registry Editor.</li></ol>

These configuration changes should be applied to all domain controllers and members of a domain that has single-label DNS names. If a domain that has a single-label domain name is a forest root, these configuration changes should be applied to all of the domain controllers in the forest, unless the separate zones _msdcs.ForestName, _sites.ForestName, _tcp.ForestName, and _udp.ForestName are delegated from the ForestName zone.

For the changes to take effect, restart the computers where you changed the registry keys.

Notes <ul> <li>For Windows Server 2003, the UpdateTopLevelDomainZones entry has moved to the following registry subkey:

</li> <li> On a Windows 2000 SP4-based domain controller, the computer will report the following name registration error in the system event log if the UpdateTopLevelDomainZones setting is not enabled: Event Type: Warning

Event Source: NETLOGON

Event Category: None

Event ID: 5781

User: N/A

Description: Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.

Data: 0000: 0000232a </li> <li>On a Windows 2000 SP4-based domain controller, you must restart your computer after you add the UpdateTopLevelDomainZones setting.</li></ul>

Method 2: Use Group Policy
Using Group Policy, enable the Update Top Level Domain Zones policy under the ComputerConfiguration\AdministrativeTemplates\Network\DNS Client folder on the root domain container in Users and Computers, or on all organizational units (OUs) that host computer accounts for member computers and for domain controllers in the domain.

Note This policy is supported only on Windows Server 2003-based computers and on Windows XP-based computers.

To enable this policy, follow these steps on the root domain container:
 * 1) Click Start, click Run, type gpedit.msc, and then click OK.
 * 2) Under Local Computer Policy, expand Computer Configuration.
 * 3) Expand Administrative Templates.
 * 4) Expand Network.
 * 5) Click DNS Client.
 * 6) In the right pane, double-click Update Top Level Domain Zones.
 * 7) Click Enabled.
 * 8) Click Apply, and then click OK.
 * 9) Quit Group Policy.

For more information about how to use the Group Policy Object Editor to manage local computer policy, click the following article number to view the article in the Microsoft Knowledge Base:

307882 How to use the Group Policy Editor to manage local computer policy in Windows XP

On Windows Server 2003-based DNS servers, make sure that root servers are not created unintentionally.

On Windows 2000-based DNS Servers, you may have to delete the root zone &quot;.&quot; to have the DNS records correctly declared. The root zone is automatically created when the DNS Server service is installed because the DNS Server service cannot reach the root hints. This issue was corrected in Windows Server 2003.

Root servers may be created by the DCpromo Wizard. If the &quot;.&quot; zone exists, a root server has been created. For name resolution to work correctly, you may have to remove this zone.

New and modified DNS policy settings for Windows Server 2003
<ul> <li>The Update Top Level Domain Zones policy

If this policy is specified, it creates a REG_DWORD UpdateTopLevelDomainZones entry under the following registry subkey:

The following are the entry values for UpdateTopLevelDomainZones: <ul> <li>Enabled (0x1). An 0x1 setting means that computers may try to update the TopLevelDomain zones. That is, if the UpdateTopLevelDomainZones setting is enabled, computers that have this policy applied send dynamic updates to any zone that is authoritative for the resource records that the computer must update, except for the root zone.</li> <li>Disabled (0x0). An 0x0 setting means that computers may not try to update the TopLevelDomain zones. That is, if this setting is disabled, computers that have this policy applied do not send dynamic updates to the root zone or to the top-level domain zones that are authoritative for the resource records that the computer must update. If this setting is not configured, the policy is not applied to any computers, and computers use their local configuration.</li></ul> </li> <li>The Register PTR Records policy

A new possible value, 0x2, of the REG_DWORD RegisterReverseLookup entry was added under the following registry subkey:

The following are the entry values for RegisterReverseLookup: <ul> <li>0x2 - Register only if A record registration succeeds. Computers try PTR resource records registration only if they successfully registered the corresponding A resource records.</li> <li>0x1 - Register. Computers try PTR resource records registration regardless of the success of the A records registration.</li> <li>0x0 - Do not register. Computers never try PTR resource records registration.</li></ul> </li></ul>

<div class="references_section">