1. Introduction

If you run Active Directory it is vital that the DNS configuration is correct as issues with DNS can lead to problems with replication between domain controllers or to workstations that have problems finding servers or services. As it is so important, we provide detailed information on how to configure DNS to support Active Directory in these pages.

If you're running Active Directory it's helpful to understand the basics of how DNS works. If you need a starting point, try the Wikipedia entry on Domain name system, particularly the section on How DNS works in theory.

If you're already familiar with the Active Directory naming and DNS within Oxford University and need to skip straight to the configuration pages, then you can access them via

NB these pages were revised in 2008. If you need the DNS configuration pages that existed before then, you need the recommended solution (Option 1) above.

If you want to know more about the differences between the two options, read on.

2. Active Directory Domain Naming

2.1. Overview

Previously these pages described one option for naming your Active Directory domain (Option 1 below) and this remains the recommended option. However it is occasionally necessary to use a different name, or you may have taken over the management of a domain with a different name. This is described in Option 2.

Option 1: Use the existing DNS name of your unit for your Active Directory domain name (Recommended)
Using this configuration, the name of your domain must match the DNS name exactly, e.g. oucs.ox.ac.uk, chem.ox.ac.uk. This is generally easier to understand, easier to configure, avoids possible problems with disjoint namespaces (which may not necessarily be fully supported by all applications) and is usually the best approach to take for domains that need to be accessed by remote systems. However it limits most units to a single Active Directory domain, unless you have more than one DNS subdomain assigned to your unit.
Option 2: Use a different name from the existing DNS name of your unit for your Active Directory domain name
This allows for additional domains in a unit which only has a single DNS domain name. It is more complicated to understand, and more care is needed to avoid possible clashes and name resolution problems. Additional configuration may be needed if systems that are not joined to the domain need to access domain resources. Systems could end up with disjoint DNS registrations, and applications may not always have been tested exhaustively for support of this. This solution is likely to be most reliable in an environment that needs limited or no access from external systems.

The majority of installations will be using Option 1. If you are considering Option 2, a good understanding of DNS is helpful, and we'd suggest researching the possible implications for Active Directory (some links to Microsoft documentation are given below). Mixing the two options within the same forest is likely to be possible, but is beyond the scope of this documentation.

The next section explores the options in more detail, and Microsoft provide a wealth of further information such as Creating Internal and External Domains and Using an Internal Subdomain as well as Disjoint Namespace.

2.2. In Detail

Microsoft Active Directory is designed to use the DNS to enable servers and workstations to locate services (such as domain controllers) running within the Active Directory namespace.

To support an Active Directory domain called example.org, DNS servers that manage the example.org subdomain must be available to your domain controllers and workstations.

The following diagrams show the Active Directory and part of the DNS namespace that would correspond to example.org.

Figure 1. Active Directory for example.org

Figure 2. Part of DNS namespace showing example.org

Microsoft Active Directory currently supports several possible DNS namespace configurations as follows.

  1. An external DNS namespace, used only on a public network such as the Internet (i.e. use the existing DNS name of your unit for your Active Directory domain name)
  2. An internal DNS namespace with referral and access to an external namespace (i.e. use a different name from the existing DNS name of your unit for your Active Directory domain name, but allow your DNS to talk to the internet DNS)
  3. An internal DNS namespace, used only on your own network

See Namespace planning for DNS for more information.

Within the University the third option is likely to be very rare, as workstations using this option would not be able to access the internet (or indeed access systems outside the unit). So we'll concentrate on the other two.

Option 1: Use the existing DNS name of your unit for your Active Directory domain name (Recommended)

Using the same namespace for both external and internal purposes (option 1) has been the recommended solution within the University environment since Active Directory was released. It is probably the easier to understand, and you are less likely to run into name resolution issues. Many University installations of Active Directory use this method successfully. In this scenario, a unit uses its existing DNS name (e.g. chem.ox.ac.uk, oucs.ox.ac.uk) as its Active Directory domain name. It continues to be the recommended solution.

There is one known limitation in that, as most units only have a single DNS name available, they are restricted to one Active Directory domain. As it is generally recommended to stick to a single domain if at all possible, for most locations this is not a problem. Occasionally a second domain is essential, in which case option 2 may be a way forward. There are different options on the choice of the internal name, which will be covered in subsequent sections.

In addition, because of the way in which DNS registrations are handled, occasional problems can result when the A records for the domain name are not registered. Each domain controller will attempt to register an A record for the name of the domain itself (i.e. unit.ox.ac.uk) resolving to its own IP address. However this issue can normally be addressed where necessary. Refer to the Configuring DNS to Support Active Directory using an Existing DNS Name (Option 1) pages for full details.
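A check for the domain-name A records described above, written as an added example for this page rather than taken from the OUCS pages. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later), that the machine's DNS server can resolve the domain, and uses unit.ox.ac.uk only as a placeholder name:

```powershell
# Added example: compare the A records for an Active Directory domain name
# with the addresses of its domain controllers (the Option 1 registration
# behaviour described above). Assumes Resolve-DnsName is available.
param(
    # Domain to check; defaults to the domain this machine is joined to
    # (e.g. unit.ox.ac.uk, used here only as a placeholder)
    [string]$Domain = $env:USERDNSDOMAIN
)

# Domain controllers advertise themselves via SRV records under _msdcs;
# Resolve-DnsName also returns the additional A records, so keep SRV only.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
$dcHosts = $srv | Select-Object -ExpandProperty NameTarget -Unique

# IPv4 addresses of each domain controller
$dcAddresses = @(foreach ($dc in $dcHosts) {
    (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }).IPAddress
})

# A records for the bare domain name: each DC should have registered one
$domainAddresses = @((Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' }).IPAddress)

if ($domainAddresses.Count -eq 0) {
    Write-Warning "No A records found for $Domain; domain controllers have not registered the domain name"
}
foreach ($ip in $domainAddresses) {
    if ($dcAddresses -contains $ip) {
        Write-Output "OK       $Domain -> $ip (domain controller)"
    } else {
        Write-Warning "$Domain -> $ip is not a domain controller address (stale or conflicting record)"
    }
}
foreach ($ip in $dcAddresses) {
    if ($domainAddresses -notcontains $ip) {
        Write-Warning "Domain controller $ip has no A record for $Domain"
    }
}
```

Run it from a domain-joined machine; a warning for every domain controller means the domain name itself is not registered, while a warning for an address that is not a domain controller points at a record that something other than the domain controllers has created.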

Option 2: Use a different name from the existing DNS name of your unit for your Active Directory domain name

For both options 1 and 2, within the context of Oxford University, the external namespace for a unit will be the existing subdomain already provided by the Domain Name System service run by the Computing Services (such as oucs.ox.ac.uk, chem.ox.ac.uk etc.). For option 1 your Active Directory domain is given the same name as your allocated DNS subdomain. However for option 2, while workstations and servers retain their existing public DNS identities, your Active Directory domain is configured to use a different internal name. Servers and workstations will have dual identities, one in the usual external namespace, and the other in the internal private namespace.

Using this option, unlike option 1, the A records for the domain name are registered, and units can have multiple Active Directory domains. For machines that are part of the domain, everything should work as expected. On the other hand, people who are accessing domain resources from machines that are not part of the domain will need to use the external name of the resource, rather than the domain name, and if there is no equivalent (e.g. the domain name itself), this could lead to problems. We would recommend further reading via the links below before deciding to use this option. It is likely to work best in environments where little or no access is required from systems outside your unit and domain.
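An added example (not from the original page) that reports whether the machine it runs on has the dual identity described above, i.e. whether its primary DNS suffix differs from its Active Directory domain, and whether each of its names resolves. It assumes Get-CimInstance and Resolve-DnsName are available (PowerShell 3 / Windows 8 or later) and reads the primary DNS suffix from the TCP/IP parameters registry key:

```powershell
# Added example: detect a disjoint namespace (Option 2) on this machine and
# check that both of its identities, and the domain name itself, resolve.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This machine is not joined to an Active Directory domain"
    return
}
$adDomain = $cs.Domain.ToLower()                        # Active Directory domain name
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dnsSuffix = ([string]$tcpip.'NV Domain').ToLower()     # primary DNS suffix
$hostName = $env:COMPUTERNAME.ToLower()

if ($dnsSuffix -eq $adDomain) {
    Write-Output "Contiguous namespace (Option 1): DNS suffix and AD domain are both $adDomain"
} else {
    Write-Output "Disjoint namespace (Option 2): DNS suffix $dnsSuffix, AD domain $adDomain"
}

# Names to verify: the domain itself (clients need it to find domain
# controllers), the external identity, and the internal identity when it differs.
$names = @($adDomain, "$hostName.$dnsSuffix", "$hostName.$adDomain") | Select-Object -Unique
foreach ($name in $names) {
    $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
    if ($a) {
        Write-Output ("OK       {0} -> {1}" -f $name, ($a.IPAddress -join ', '))
    } else {
        Write-Warning "$name does not resolve from this machine"
    }
}
```

A machine outside the domain will typically resolve only the external name, which is the situation the paragraph above describes for people accessing domain resources from non-member systems.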

Further Information

For more information see Microsoft's pages on Creating Internal and External Domains and Using an Internal Subdomain as well as Disjoint Namespace.

If you are still unsure about which option is best for you or have further questions, please email OUCS via msad@oucs.ox.ac.uk, including Active Directory DNS on the subject line to discuss the options.

Once you've decided which naming scheme is best going to fit your needs, move on to the