dongocdung asked:
User domain

I am in the process of integrating Microsoft Certification system into our VPN system. In order for it to work, the certification has to match the userdomain name.

When you type the set command, there are two domain names: primary domain name and user domain name.

Our system's FQDN is computername.xx.xx.xx.xx.xx but the user domain name is only xx

For example: our FQDN is K0341.us.fa.dd.aa.gov
For right now our user domain name is us.

How do I fix it so the user domain name is us.fa.dd.aa.gov?

Thanks
aterea replied:

Are you mixing up the NetBIOS domain name (us) with the domain space (us.fa.dd.aa.gov)?
Are the users and servers in the same Active Directory tree? If so then they will have the same FQDN.
If they are in different trees, is that really a problem?
ASKER CERTIFIED SOLUTION by arnold
dongocdung (asker) replied:

Aterea/Arnold:

What I meant is that when you type in the "set" command on a workstation, there will be two variables: primary domain name and userdomain name.

I just want them to match. How do I do that?

How is your AD set up? Do you have computers/systems in one AD forest and the users in a different AD forest?
It could very well be, like aterea said, that the userdomain is a part of the AD, i.e. US, which gets fa.dd.aa.gov appended/assumed.
What is the significance of the difference? Do you think this will prevent you from using certificate-based VPN authentication?

Both computers and users are in the same forest. In fact, us.fa.ff.ff.fx.gov and the us domain are the same.

When I first log on to the Windows GUI, it shows US instead of the whole thing.

I am thinking that there must be a feature in AD that basically will be able to change the user domain variable to match the user DNS domain variable. Is there anything like that?

What issue are you trying to cure?

You could use a GPO policy to set the userdomain variable. While the DNS domain and the AD domain use the same name, they are functionally not the same.

See if https://www.experts-exchange.com/questions/23042921/Designating-forest-root-domain-ADS.html helps.


Arnold:

The problem I am trying to cure is that we need to have our machine cert's name match exactly with the user domain name and user DNS domain name in order for our VPN's pre-logon sequence to work.

How do you set up the GPO policy to set the userdomain variable?

What is the difference between the DNS domain and the AD domain?

Functionality is the difference. An AD object can contain a DNS zone record. You cannot have a DNS zone contain AD records. They are two different things, and labeling (which is what a domain is) does not make them the same.

AD is a significant advancement over a Windows NT domain:
The below might clear up the difference between DNS and AD domains.
http://www.techreviewcentral.com/?p=44


Do you have an enterprise CA set up?

I do not see a significance since a user certificate identifies the user without regard to the username/password the user uses to login.

A user certificate is a license.
Your system issues the certificate, so as long as the certificate is not revoked via the CA, the certificate will be accepted by your system's VPN check.

There are different certificates. You can have a machine certificate; you can also generate a request for a certificate where you can specify a common name, which will be of the sort servername.us.fa.ff.ff.fx.gov. You then in DNS configure a record for servername.us.fa.ff.ff.fx.gov to point to an IP. The service on that IP will then be assigned the certificate.

You have to make sure that the certificate you request through the CA is the right certificate type for the purpose you plan to use it.

You can set a login script to set the USERDOMAIN variable as whatever you want.  

I do not think you need to go through setting the USERDOMAIN to match us.fa.ff.ff.fx.gov.
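Added example (not from anyone in this thread): a PowerShell check that prints the two domain variables the asker is looking at and reports whether any machine certificate in the local computer store actually carries the host FQDN, the Client Authentication EKU and a valid date range. It assumes the Windows default store path and variable names; the FQDN K0341.us.fa.dd.aa.gov is the one from the question.

```powershell
# Added example: compare what Windows exposes for this host against the DNS names
# asserted by machine certificates in Cert:\LocalMachine\My.
# Assumes a domain-joined workstation with the default environment variables.

$netbiosDomain = $env:USERDOMAIN                  # NetBIOS name, e.g. "US"
$dnsDomain     = $env:USERDNSDOMAIN               # DNS name, e.g. "us.fa.dd.aa.gov"
$hostFqdn      = "$env:COMPUTERNAME.$dnsDomain"   # e.g. "K0341.us.fa.dd.aa.gov"
$clientAuthOid = '1.3.6.1.5.5.7.3.2'              # id-kp-clientAuth

if (-not $dnsDomain) {
    Write-Warning 'USERDNSDOMAIN is empty; this session is not a domain logon.'
}

"USERDOMAIN    : $netbiosDomain"
"USERDNSDOMAIN : $dnsDomain"
"Expected FQDN : $hostFqdn"
""

# Only certificates with a private key can be used by the host to authenticate.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($cert in $certs) {
    # Names the certificate asserts: SAN dNSName entries, falling back to the CN.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0) {
        $names = @($cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    }

    $nameOk = $names -contains $hostFqdn          # -contains is case-insensitive
    $ekuOk  = @($cert.EnhancedKeyUsageList |
                Where-Object { $_.ObjectId -eq $clientAuthOid }).Count -gt 0
    $now    = Get-Date
    $dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        DnsNames          = ($names -join ', ')
        MatchesHostFqdn   = $nameOk
        HasClientAuthEku  = $ekuOk
        InValidityPeriod  = $dateOk
        UsableForVpnLogon = ($nameOk -and $ekuOk -and $dateOk)
    }
}
```

The NetBIOS value in USERDOMAIN ("US") is never expected to equal the certificate name; the comparison that matters is between the certificate's DNS name and the host FQDN built from USERDNSDOMAIN.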
Arnold:

Is there a way to set userdomain using AD? Group policy, for example?