Moving from a .local to .com - Domains and Trust ad.company.com is set up but uncertain of next step

The domain in question is currently a .local Active Directory domain (company.local). In order to get external certificates to function properly, we need to roll it over to AD.company.us. I realize that completely hosing the domain is one way of going about this, but from what I've read I can also create a new UPN suffix (Domains and Trusts) domain to accomplish this.

Scenario I have:

Current Domain: company.local

New UPN Suffix in AD Domains and Trust: ad.company.us

Username: tuser

I then go look at a user account's properties, and I can see my new @ad.company.us UPN listed in the drop-down. I select that and jump over to the machine. My thought process says I need to add this account to the machine, which would prompt me to do the following:

Hit the client machine, go through System Properties > Network ID > Add the User & Machine to the Domain. Upon doing so, I receive the following error message:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "AD.COMPANY.US":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.AD.COMPANY.US

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.0.251
192.168.0.250

- One or more of the following zones do not include delegation to its child zone:

AD.COMPANY.US
COMPANY.US
US
. (the root zone)

Reading through the message tells me a couple of things. It could be a lack of an SRV record for AD.COMPANY.US, but it states in the response that they're automatically added. I've created an internal lookup zone for AD.COMPANY.US (I'm not sure if this plays into any success/failure).

Am I heading down the right path for making servers work with .AD.COMPANY.US?

September 8th, 2015 5:47pm

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "AD.COMPANY.US":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The error means your computer is unable to find the Active Directory Domain Controller.

Actually, the alternative UPN suffix that you created in Active Directory Domains and Trusts (AD.COMPANY.US) is not a valid DNS domain name. Company.local is still the actual DNS name of the domain to which the user belongs.

After you configure the alternative UPN suffix and select it for users, you don't need additional operations; users should be able to log in with the credentials as username@domainname.com instead of the Windows authentication method domainname\username.
 
More information about UPN Suffixes: https://technet.microsoft.com/en-us/library/cc772007.aspx
 

Regards,

Eth

September 11th, 2015 7:31am
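The question's join attempt and Eth's explanation above are the two halves of the same point: an alternate UPN suffix is a naming convention for user logons, not a DNS domain, so the DC locator SRV record exists only under the real domain name. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and DnsClient modules are installed, the forest root company.local, the DNS servers and user name from the question, and a hypothetical join account named joinadmin. It shows the expected result of both SRV queries, adds the suffix the way the Domains and Trusts dialog does, assigns it to the user, and joins the workstation to company.local rather than to the suffix.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory and DnsClient
# modules, forest root company.local, DNS servers 192.168.0.251/.250 from the
# question, user tuser, and a hypothetical join account named joinadmin.

# 1. The SRV record the join wizard looks for exists for the real DNS domain only.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.company.local' -Type SRV -Server 192.168.0.251

# The same query for the alternate suffix is expected to return NXDOMAIN
# (error code 0x0000232B in the wizard), because adding a UPN suffix neither
# creates a DNS zone nor makes the DCs register locator records under it.
try {
    Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.ad.company.us' -Type SRV -Server 192.168.0.251 -ErrorAction Stop
} catch {
    Write-Warning "No DC locator record under ad.company.us, as expected: $($_.Exception.Message)"
}

# 2. Add the alternate UPN suffix at the forest level (same effect as the
#    Domains and Trusts dialog) and confirm it is listed.
Set-ADForest -Identity company.local -UPNSuffixes @{Add = 'ad.company.us'}
(Get-ADForest -Identity company.local).UPNSuffixes

# 3. Assign the suffix to the user. Only the UPN changes; the sAMAccountName,
#    the user's domain and the Kerberos realm (COMPANY.LOCAL) stay as they were.
Set-ADUser -Identity tuser -UserPrincipalName 'tuser@ad.company.us'
Get-ADUser -Identity tuser -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

# 4. On the client: join the real domain, not the suffix. The join credential
#    can itself be given in UPN form once the suffix is in place.
Add-Computer -DomainName 'company.local' `
             -Credential (Get-Credential -UserName 'joinadmin@ad.company.us' -Message 'Join account') `
             -Restart

# 5. After the reboot the user signs in as tuser@ad.company.us; whoami /upn on
#    the workstation shows the new UPN while the computer remains a member of
#    company.local.
```

One caveat worth checking before going this route for the certificate problem stated at the top of the thread: because the DNS domain and the domain controllers' host names remain under company.local, the UPN suffix on its own does not give the DCs a name that a public CA can issue a certificate for; it only changes how users spell their logon name. Whether that satisfies the certificate requirement depends on which service the external certificate is for.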

If needed, here is a great post of step by step guide to rename a domain:

http://www.rebeladmin.com/2015/05/step-by-step-guide-to-rename-active-directory-domain-name/

September 11th, 2015 7:36am

Any idea how running through this affects Exchange / SQL services?  I'd have to imagine that every machine on the domain would need to be re-added to the domain (workstations & servers alike)?
September 11th, 2015 6:26pm

Any idea how running through this affects Exchange / SQL services?  I'd have to imagine that every machine on the domain would need to be re-added to the domain (workstations & servers alike)?

No, you don't need to re-add machines and users to the domain. There really should be no issues. Per the name "alternate", it's just another naming convention that AD will accept.

Applications like OWA may require some setup. In Exchange, for instance, you can set the login name convention to what you want it to be.

September 13th, 2015 9:58pm
