hostname domain different from Active Directory domain - kerberos problems

 
 
Blake
07-21-2008, 04:59 PM
I have a machine, bobo.

1) It is a member server of xyz.org (Active Directory domain), so there is a computer account BOBO in the xyz domain.
2) Its primary DNS suffix is set to abc.def.org (for reasons that are beyond my control).
3) I can log onto the xyz.org domain via this box, but I am getting Kerberos errors (I think it is failing over to NTLM).

I have found some articles about this type of problem, but no real
solutions. I need AD Kerberos to recognize that bobo.abc.def.org is the same
machine as bobo.xyz.org. Can't I configure more than one 'Kerberos name'?

Thoughts?

Blake


 
Meinolf Weber
07-21-2008, 08:19 PM
Hello Blake,

Please post the different names for:

- Active Directory domain
- NetBIOS name
- Forward lookup zone name
- _msdcs zone name
- DHCP scope options, if used, all DNS options that are configured

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 
Ace Fekay [MVP]
07-22-2008, 04:54 AM
The Primary DNS Suffix is used by the DNS registration process, as well as
to identify itself, especially if it is a domain controller. Since this is a
member server, this specific type of suffix is used to register its
information into DNS. It will look for a zone name identical to the Primary
DNS Suffix. If it doesn't exist, it doesn't register. Now the Search Suffix
is used for the DNS resolver devolution process. Kerberos uses the SPN
(Service Principal Name) to ID the machine. The SPN is the FQDN of the
machine as identified in its properties and DNS. If the registration is not
in DNS or the machine's Primary DNS Suffix is incorrect, we've got a
problem, and no, it's not that easy, or at least I don't even believe it is
even possible to alter the SPN of a machine. It's part of security.

In short, for a machine to be part of an AD domain called xyz.org, the
Primary DNS Suffix MUST match the domain name it's a member of.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations


 
Blake
07-22-2008, 03:27 PM
Ace:

http://technet2.microsoft.com/window....mspx?mfr=true

Blake


 
Ace Fekay [MVP]
07-27-2008, 10:21 PM
Yes, I realize this is a disjointed namespace, due to the mismatching
Primary DNS Suffix. If the computer is in xyz.org, but a user is in
abc.def.org, and they are of the same forest, then yes, it will work.
There's still cross domain/tree (assuming all in the same forest)
authentication working. The article you posted implies this.

Anyway, did the portion below help you out with your SPN issue?
--------
- Manually configured Service Principal Names (SPNs) may no longer match DNS
names after a namespace change. This can cause authentication failures.
For more information, see Service Logons Fail Due to Incorrectly Set SPNs
(http://go.microsoft.com/fwlink/?LinkId=102304).
- If you use Windows Server 2003-based computers with constrained delegation,
those computers may require additional configuration to change SPNs. For
more information, see article 936628 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=102306).
- If you want to delegate permissions to modify SPNs to subordinate
administrators, see Delegating Authority to Modify SPNs
(http://go.microsoft.com/fwlink/?LinkId=106639).
--------

Ace
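An added example (not from this thread, Microsoft, or either poster) that models the SPN matching Ace describes in his first reply and the "SPNs no longer match DNS names" failure in the excerpt above: the client builds HOST/<name it connected to>, and the KDC can only issue a ticket if some account holds that exact SPN. The account name BOBO$ and all SPN data are constructed; the fix shown is the extra SPN an admin would register with setspn -A.

```python
# Added example: how a Kerberos client's requested SPN is matched against the
# SPNs registered on AD computer accounts. Directory contents are constructed.
from typing import Dict, Optional, Set

def default_host_spns(netbios_name: str, primary_dns_suffix: str) -> Set[str]:
    """SPNs a Windows member registers from its name and Primary DNS Suffix."""
    fqdn = f"{netbios_name}.{primary_dns_suffix}".lower()
    return {
        f"HOST/{netbios_name.upper()}",
        f"HOST/{fqdn}",
        f"RestrictedKrbHost/{netbios_name.upper()}",
        f"RestrictedKrbHost/{fqdn}",
    }

def requested_spn(target_fqdn: str, service: str = "HOST") -> str:
    """SPN the client asks the KDC for, derived from the name it used."""
    return f"{service}/{target_fqdn.lower()}"

def lookup(accounts: Dict[str, Set[str]], spn: str) -> Optional[str]:
    """Account holding the SPN (comparison is case-insensitive), or None."""
    wanted = spn.lower()
    return next((acct for acct, spns in accounts.items()
                 if wanted in {s.lower() for s in spns}), None)

def auth_outcome(accounts: Dict[str, Set[str]], target_fqdn: str) -> str:
    """'kerberos' when a ticket can be issued; otherwise the client falls
    back to NTLM (if allowed), which is the behaviour Blake observed."""
    return "kerberos" if lookup(accounts, requested_spn(target_fqdn)) else "ntlm_fallback"

def duplicate_spns(accounts: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """SPNs held by more than one account; duplicates make the KDC lookup
    ambiguous, so check for them before adding an SPN to a second account."""
    owners: Dict[str, Set[str]] = {}
    for acct, spns in accounts.items():
        for s in spns:
            owners.setdefault(s.lower(), set()).add(acct)
    return {s: o for s, o in owners.items() if len(o) > 1}

# Constructed directory: BOBO registered only under its AD domain, xyz.org.
DIRECTORY = {"BOBO$": default_host_spns("bobo", "xyz.org")}

def before_fix() -> str:
    # Client reaches the box by its Primary DNS Suffix name -> no matching SPN.
    return auth_outcome(DIRECTORY, "bobo.abc.def.org")

def after_fix() -> str:
    # Equivalent of: setspn -A HOST/bobo.abc.def.org BOBO  (constructed)
    fixed = {"BOBO$": DIRECTORY["BOBO$"] | {"HOST/bobo.abc.def.org"}}
    return auth_outcome(fixed, "bobo.abc.def.org")
```

The extra SPN only helps if bobo.abc.def.org also resolves to the host in DNS; duplicate_spns mirrors the forest-wide uniqueness check an admin runs before registering a name on a second account.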


 