Additional domain name suffix

Hi all,

I have VDI infrastructure and I want to get rid of certificate warnings when connecting from the outside.

VDI is in the local domain, whose certificates are not trusted outside the domain. I have an additional domain that I plan to use to connect to VDI from outside. I have a wildcard certificate for the external domain.

I can add the wildcard certificate of my external domain as the RDP certificate to the VDI VMs (using the registry) and to the VDI connection broker and RDG servers (in Server Manager).

The last step is to use the external domain name as the suffix for internal VMs to avoid name mismatches. I have created an AD-integrated DNS zone with the external domain name. I have changed the DNS suffix for the first VDI machine and it seems to be running fine. I plan to add the external domain name as an additional DNS search suffix for the whole domain.

My question is: Could it cause any problems in AD if I start using another suffix for computers? Should I add the external domain name to the msDS-AllowedDNSSuffixes attribute at the domain level?

March 26th, 2015 12:09pm

There is no problem with adding an extra suffix for DNS resolution. You can apply the new suffix by GPO and put it at the top: http://www.techrepublic.com/blog/the-enterprise-cloud/manage-dns-suffix-configuration-through-group-policy/
March 26th, 2015 1:02pm

Hi Mr X,

Thank you for the reply.

Any considerations about the msDS-AllowedDNSSuffixes attribute, or should I add something else to support two domain names in a single AD domain?

Any problems with 'computer to AD' communication if I change the primary DNS suffix for a computer in System Properties?


March 27th, 2015 11:18am

No need to update the attribute. Just add an additional DNS suffix and set it as the primary.
March 27th, 2015 1:19pm

Hi Sergey,

How is it going? Agree with Mr X. If you need further help regarding the question, please don't hesitate to let us know.

Best regards,
Frank Shen

March 30th, 2015 5:58am

Hi Frank,

I'm currently adding a DNS suffix search policy in my domain. If no additional actions are required for the domain to serve two different computer names in a single domain, then we are done.

Thanks!

March 30th, 2015 7:48am

Hi Mr X,

I have a problem with the computer primary DNS suffix GPO. If I change the DNS suffix manually in System settings then everything is OK, but if I use the policy mentioned in the article from your link I get an error that the security database on the server does not have a computer account for this workstation trust relationship.

April 2nd, 2015 7:42am

Hello Sergey,

FYI, have a look:

http://www.sjkingston.com/blog/changing-the-primary-dns-suffix-of-a-domain-computer/

"If you change the primary DNS suffix of a computer (e.g. to sub.example.com, yielding pc.sub.example.com) and attempt to log on to the domain, the domain controller servicing the request will look in its security database for a matching SPN but will find none (as expected) and refuse the log on, returning the above error"

April 2nd, 2015 2:23pm
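Added example, not code from the thread or the linked article: PowerShell that applies the msDS-AllowedDNSSuffixes change the article describes and then verifies that a pilot machine's AD account matches its new suffix before the GPO is rolled out. It assumes the ActiveDirectory RSAT module, a domain-admin session, and placeholder names external.example.com and VDI01.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module and
# placeholder names: external suffix external.example.com, pilot VDI host VDI01.
Import-Module ActiveDirectory

$ExternalSuffix = 'external.example.com'   # placeholder: the external wildcard-cert domain
$VdiHost        = 'VDI01'                  # placeholder: the first VDI machine

# 1. Allow computer accounts to register a dNSHostName under the extra suffix.
#    Without this, a client whose primary suffix changed cannot update its own
#    dNSHostName and HOST/ SPNs, and logons fail with the
#    "security database ... workstation trust relationship" error.
$domainDn = (Get-ADDomain).DistinguishedName
$current  = (Get-ADObject -Identity $domainDn -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'
if ($current -notcontains $ExternalSuffix) {
    # Attribute is multi-valued; -Add appends rather than replacing existing suffixes.
    Set-ADObject -Identity $domainDn -Add @{ 'msDS-AllowedDNSSuffixes' = $ExternalSuffix }
}

# 2. After the pilot machine has rebooted with the new primary suffix, confirm that
#    its account now carries the matching host name and HOST/ SPN. A mismatch here is
#    the cause of the trust-relationship error, so check this before applying the GPO
#    to the whole domain.
$comp         = Get-ADComputer -Identity $VdiHost -Properties dNSHostName, servicePrincipalName
$expectedFqdn = "$VdiHost.$ExternalSuffix"
[pscustomobject]@{
    Computer        = $VdiHost
    dNSHostName     = $comp.dNSHostName
    ExpectedFqdn    = $expectedFqdn
    HostNameMatches = ($comp.dNSHostName -ieq $expectedFqdn)
    HostSpnPresent  = ($comp.servicePrincipalName -icontains "HOST/$expectedFqdn")
}
```

Both flags should read True for the pilot host; if either is False, the machine has not re-registered under the new suffix and the GPO should not be extended further yet.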

Hi Devaraj,

Thank you for the link. The main point of this article is the msDS-AllowedDNSSuffixes attribute that I mentioned in my first post. I'll test and share the results.

April 3rd, 2015 9:11am

Hi,

It seems to be OK now. I plan to check with pilot users this week.
April 7th, 2015 2:59am

You can also do it via DHCP option 135.

1. Open the DHCP MMC.

2. Expand DHCP and select DHCP server name.

3. Right-click IPv4.

4. Select "Set Predefined Options".

5. Click Add.

6. Fill in the new option:

   Name: "Domain suffix search order" (without the quotation marks)

   Data Type: String

   Code: "135" (without the quotation marks)

   Description: "List of domain suffixes in order" (without the quotation marks)

   String: enter your search suffixes separated by commas with no spaces, for example:

   - domain1.crop.com,domain2.petun.com

7. Click OK.

8. Close DHCP MMC and restart DHCP Server Service.

9. Reopen DHCP MMC and now scope option 135 is there.

April 7th, 2015 3:43am
