dongocdung asked on

User domain

I am in the process of integrating the Microsoft certification system into our VPN system. In order for it to work, the certificate has to match the userdomain name.

When you type the set command, there are two domain names: primary domain name and user domain name.

Our system's FQDN is computername.xx.xx.xx.xx.xx, but the user domain name is only xx.

For example: our FQDN is K0341.us.fa.dd.aa.gov
For right now our user domain name is us.

How do I fix it so the user domain name is us.fa.dd.aa.gov?

Active Directory, Windows Server 2003, Microsoft Legacy OS

Last Comment: 8/22/2022 - Mon

Are you mixing up the NetBIOS domain name (us) with the domain space (us.fa.dd.aa.gov)?
Are the users and servers in the same Active Directory tree? If so, then they will have the same FQDN.
If they are in different trees, is that really a problem?



What I meant is that when you type in the "set" command on a workstation, there will be two variables: primary domain name and userdomain name.

I just want them to match. How do I do that?

How is your AD set up? Do you have computers/systems in one AD forest and the users in a different AD forest?
It could very well be, as aterea said, that the userdomain is a part of the AD, i.e. US, which gets fa.dd.aa.gov appended/assumed.
What is the significance of the difference? Do you think this will prevent you from using certificate-based VPN authentication?

Both computers and users are in the same forest. In fact, us.fa.ff.ff.fx.gov and the us domain are the same.

When I first log on in the Windows GUI, it shows US instead of the whole thing.

I am thinking that there must be a feature on the AD that basically will be able to change the user domain variable to match user DNS domain variable. Is there anything like that?

What issue are you trying to cure?

You could use a GPO policy to set the userdomain variable. While the DNS domain and the AD domain use the same name, they are functionally not the same.

See if https://www.experts-exchange.com/Networking/Operating_Systems/Q_23042921.html



The problem I am trying to cure is that we need to have our machine cert's name match exactly with the user domain name and user DNS domain name in order for our VPN's pre-logon sequence to work.

How do you set up the GPO policy to set the userdomain variable?

What is the difference between the DNS domain and the AD domain?

Functionality is the difference. An AD object can contain a DNS zone record. You cannot have a DNS zone contain AD records. They are two different things, and labeling (which is what a domain is) does not make them the same.

AD is a significant advancement over a Windows NT domain:
The below might clear up the difference between DNS and AD domains.

Do you have an enterprise CA set up?

I do not see a significance since a user certificate identifies the user without regard to the username/password the user uses to login.

A user certificate is a license.
Your system issues the certificate, so as long as the certificate is not revoked via the CA, the certificate will be accepted by your system's VPN check.

There are different certificates. You can have a machine certificate; you can also generate a request for a certificate where you can specify a common name, which will be of the sort servername.us.fa.ff.ff.fx.gov. You then configure a record in DNS for servername.us.fa.ff.ff.fx.gov to point to an IP. The service on that IP will then be assigned the certificate.

You have to make sure that the certificate you request through the CA is the right certificate type for the purpose you plan to use it.

You can set a login script to set the USERDOMAIN variable as whatever you want.

I do not think you need to go through setting the USERDOMAIN to match us.fa.ff.ff.fx.gov.
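The two variables the thread keeps circling are USERDOMAIN (the NetBIOS name of the AD domain, e.g. US) and USERDNSDOMAIN (its DNS name, e.g. us.fa.dd.aa.gov); they are different name types and are not expected to be equal. Before changing either through a login script, it is worth checking what the machine certificate actually carries. The following PowerShell is an added example, not code from this thread; it assumes it runs on a domain-joined host where the machine certificate lives in Cert:\LocalMachine\My, and the function name Get-DomainNameReport is made up here.

```powershell
# Added example: report the domain name variables and find machine certificates
# whose subject CN or SAN names this computer's FQDN. Assumes a domain-joined
# host and the machine cert stored in Cert:\LocalMachine\My (requires rights to
# read that store). Get-DomainNameReport is a hypothetical helper name.

function Get-DomainNameReport {
    $netbios = $env:USERDOMAIN          # NetBIOS (pre-Windows 2000) domain name, e.g. US
    $dns     = $env:USERDNSDOMAIN       # DNS name of the AD domain, e.g. us.fa.dd.aa.gov
    $fqdn    = "$env:COMPUTERNAME.$dns" # what a machine cert is usually issued for

    # Only certificates with a private key can be used by the host for VPN auth.
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

    # Match on the Subject CN or on any DNS name in the Subject Alternative Name.
    $cnPattern = "CN=$([regex]::Escape($fqdn))(,|$)"
    $match = $certs | Where-Object {
        $_.Subject -match $cnPattern -or
        (@($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $fqdn)
    }

    [pscustomobject]@{
        UserDomain        = $netbios
        UserDnsDomain     = $dns
        ComputerFqdn      = $fqdn
        # Normally $false: NetBIOS and DNS names are different things, not a misconfiguration.
        VariablesEqual    = ($netbios -eq $dns)
        MatchingCertCount = @($match).Count
        MatchingCerts     = @($match | ForEach-Object { $_.Thumbprint })
        # Expired matches explain a "cert name is right but VPN still fails" situation.
        ExpiredMatches    = @($match | Where-Object { $_.NotAfter -lt (Get-Date) } |
                              ForEach-Object { $_.Thumbprint })
    }
}

Get-DomainNameReport | Format-List
```

If MatchingCertCount is zero, the problem is the certificate's subject or SAN, not the USERDOMAIN variable, and the fix belongs in the certificate template or request rather than in a login script.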



Is there a way to set userdomain using AD? group policy for example?