
Using Single Label DNS Names for Active Directory

Prior to Active Directory, Windows NT Domain names were not fully qualified, but rather simply, single-label names. For Active Directory, it is not recommended to use a single label domain name. The best practice is to implement Active Directory domains that have fully qualified DNS names.

There are many reasons for not using a single label domain name such as:

  • Single-label DNS names cannot be registered by using an Internet registrar. It is a general practice to register your Active Directory domain name with an Internet registrar even if you do not plan on having an Internet presence. If in the future, your organization creates an Internet presence, your domain name may no longer be available.
  • Client computers and domain controllers that are joined to single-label domains require additional configuration to dynamically register DNS records in single-label DNS zones.
  • Client computers and domain controllers may require additional configuration to resolve DNS queries in single-label DNS zones.
  • Some server-based applications are incompatible with single-label domain names.
  • Transitioning from a single-label DNS domain name to a fully qualified DNS name is not easy and is generally disruptive. To move to an FQDN, your infrastructure would either be migrated to a new forest, or you would have to perform a domain rename of the existing domain. Some server-based applications are incompatible with the domain rename feature, such as versions of Exchange, Live Communications Server, Operations Manager, SharePoint, SMS, etc.

The recommendation is for Active Directory domain names to consist of one or more sub-domains that are combined with a top-level domain that is separated by a dot (.). The following are some examples:

  • itgeared.com
  • internal.itgeared.com
  • itgeared.local

While the domain can function using a single label name, getting dynamic DNS to work properly can be challenging. The issue is that by default, Windows does not send updates to top-level domains. In this case, the single-label name is considered the “top-level”. You can change this behavior by modifying the registry or creating a GPO to apply the settings to your systems.

The following registry edits must be performed on all domain members if you are using the registry method. To enable an Active Directory domain member to use DNS to locate domain controllers in domains that have single-label DNS names that are in other forests, follow these steps:

Domain Controller Locator Regedit.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. In the details pane, locate the AllowSingleLabelDnsDomain entry. If the AllowSingleLabelDnsDomain entry does not exist, create the entry:
    • On the Edit menu, point to New, and then click DWORD Value.
    • Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.
  4. Double-click the AllowSingleLabelDnsDomain entry.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor.

DNS client configuration Regedit for Pre-Windows 2003 Server.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
  3. In the details pane, locate the UpdateTopLevelDomainZones entry. If the UpdateTopLevelDomainZones entry does not exist, follow these steps:
    • On the Edit menu, point to New, and then click DWORD Value.
    • Type UpdateTopLevelDomainZones as the entry name, and then press ENTER.
  4. Double-click the UpdateTopLevelDomainZones entry.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor.

DNS client configuration Regedit for Windows 2003 Server and Later.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
  3. In the details pane, locate the UpdateTopLevelDomainZones entry. If the UpdateTopLevelDomainZones entry does not exist, follow these steps:
    • On the Edit menu, point to New, and then click DWORD Value.
    • Type UpdateTopLevelDomainZones as the entry name, and then press ENTER.
  4. Double-click the UpdateTopLevelDomainZones entry.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor.

Restart the computers where you modified the registry.
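The three registry procedures above can be audited (and, when you choose, applied) from one elevated PowerShell session instead of Registry Editor. The script below is an added example, not part of the original article; the file name and its -Apply switch are assumptions of this example, and it writes the same three REG_DWORD values to the same keys the steps describe. Without -Apply it only reports the current state, which is the useful mode for checking a fleet before deciding whether the registry method or the Group Policy method fits.

```powershell
# Added example (not from the original article): audit, and optionally apply,
# the registry values described in the steps above.
# Usage (elevated):  .\Check-SingleLabelDns.ps1           # report only
#                    .\Check-SingleLabelDns.ps1 -Apply    # write the values
[CmdletBinding()]
param(
    [switch]$Apply   # switch of this example script, not a Windows setting
)

# The three settings from the article. The DnsCache path is the pre-Windows Server 2003
# location; the Policies path is what Windows Server 2003 and later honour.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'AllowSingleLabelDnsDomain'
       Purpose = 'DC locator for single-label domains in other forests' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters'
       Name = 'UpdateTopLevelDomainZones'
       Purpose = 'DNS client dynamic update to a top-level zone (pre-2003)' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'UpdateTopLevelDomainZones'
       Purpose = 'DNS client dynamic update to a top-level zone (2003 and later)' }
)

# A domain name is single-label when it contains no dot; USERDNSDOMAIN is
# unset on machines that are not joined to a domain.
$domain = $env:USERDNSDOMAIN
if ([string]::IsNullOrEmpty($domain)) {
    Write-Warning 'This computer is not joined to a domain (USERDNSDOMAIN is unset).'
} elseif ($domain -notmatch '\.') {
    Write-Host "Domain '$domain' is a single-label name; the settings below apply."
} else {
    Write-Host "Domain '$domain' is fully qualified; these settings are normally unnecessary."
}

foreach ($s in $settings) {
    $current = $null
    if (Test-Path -Path $s.Path) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    }
    $state = if ($null -eq $current) { 'missing' } else { "= $current" }
    Write-Host ('{0}\{1} {2}  ({3})' -f $s.Path, $s.Name, $state, $s.Purpose)

    if ($Apply -and $current -ne 1) {
        # Create the key if needed, then write REG_DWORD 1 (step 5 of each procedure).
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host '  -> set to 1; restart the computer for the change to take effect'
    }
}
```

Because the third key lives under HKLM\SOFTWARE\Policies, a value written there by hand is the same one the Group Policy setting manages; if you later link the policy, Group Policy will own that value, so pick one method per fleet rather than mixing them.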

Alternatively, you can use Group Policy to enable the Update Top Level Domain Zones policy and the Location of the DCs hosting a domain with single label DNS name policy. Set these policies to ENABLED. This policy should be linked to the domain object.

Update Top Level Domain Zones: Computer Configuration\Administrative Templates\Network\DNS Client

Location of the DCs hosting a domain with single label DNS name: Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records
