User domain
dongocdung asked:
I am in the process of integrating the Microsoft certificate system into our VPN system. In order for it to work, the certificate has to match the user domain name.
When you type the set command, there are two domain names: the primary domain name and the user domain name.
Our system's FQDN is computername.xx.xx.xx.xx.x but the user domain name is only xx.
For example: our FQDN is K0341.us.fa.dd.aa.gov
Right now our user domain name is us.
How do I fix it so the user domain name is us.fa.dd.aa.gov?
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Aterea/Arnold:
What I meant is that when you type in the "set" command on a workstation, there will be two variables: primary domain name and userdomain name.
I just want them to match. How do I do that?
How is your AD setup? Do you have computers/systems in one AD forest and the users in a different AD forest?
It could very well be like aterea said that the userdomain is a part of the AD, i.e. US, which gets fa.dd.aa.gov appended/assumed.
What is the significance of the difference? Do you think this will prevent you from using certificate-based VPN authentication?
ASKER
Both computers and users are in the same forest. In fact, us.fa.ff.ff.fx.gov and the us domain are the same.
When I first log on to the Windows GUI, it shows US instead of the whole thing.
I am thinking that there must be a feature on the AD that basically will be able to change the user domain variable to match user DNS domain variable. Is there anything like that?
What issue are you trying to cure?
You could use GPO policy to set the userdomain variable. While the DNS domain and the AD domain use the same name, they are functionally not the same.
See if https://www.experts-exchange.com/questions/23042921/Designating-forest-root-domain-ADS.html
helps.
ASKER
Arnold:
The problem I am trying to cure is that we need to have our machine cert's name match exactly with the user domain name and user DNS domain name in order for our VPN's pre-logon sequence to work.
How do you set up the GPO policy to set the userdomain variable?
What is the difference between the DNS domain and the AD domain?
Functionality is the difference. An AD object can contain a DNS zone record. You cannot have a DNS zone contain AD records. They are two different things, and labeling (which is what a domain is) does not make them the same.
AD is a significant advancement over a Windows NT domain.
The below might clear up the difference between DNS and AD domains:
http://www.techreviewcentral.com/?p=44
Do you have an enterprise CA set up?
I do not see a significance, since a user certificate identifies the user without regard to the username/password the user uses to log in.
A user certificate is a license.
Your system issues the certificate, so as long as the certificate is not revoked via the CA, the certificate will be accepted by your system's VPN check.
There are different certificates. You can have a machine certificate; you can also generate a request for a certificate where you can specify a common name, which will be of the sort servername.us.fa.ff.ff.fx.gov. You then configure a record in DNS for servername.us.fa.ff.ff.fx.gov to point to an IP. The service on that IP will then be assigned the certificate.
You have to make sure that the certificate you request through the CA is the right certificate type for the purpose you plan to use it.
You can set a login script to set the USERDOMAIN variable as whatever you want.
I do not think you need to go through setting the USERDOMAIN to match us.fa.ff.ff.fx.gov.
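The check a practitioner would want at this point, as an added example that is not part of the thread: USERDOMAIN is the NetBIOS name of the AD domain (US) and USERDNSDOMAIN is its DNS name (us.fa.dd.aa.gov); both name the same domain, so the thing to verify for a machine-certificate VPN is whether a certificate in the local computer store names this host's FQDN and is of the right type. The script below assumes the VPN matches the certificate's Subject CN or a DNS Subject Alternative Name against the computer's FQDN and requires the Client Authentication EKU (1.3.6.1.5.5.7.3.2); the variable and function names are the example's own. Run it in an elevated PowerShell session on the workstation.

```powershell
# Added example (not from the original thread). Assumptions: the VPN matches
# the certificate's Subject CN or a DNS SAN entry against the computer FQDN,
# and requires the Client Authentication EKU. Adjust if your VPN differs.

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$fqdn = ('{0}.{1}' -f $cs.DNSHostName, $cs.Domain).ToLowerInvariant()

# The same AD domain seen three ways: NetBIOS name, DNS name, and as AD reports it.
"Computer FQDN        : $fqdn"
"USERDOMAIN (NetBIOS) : $env:USERDOMAIN"
"USERDNSDOMAIN (DNS)  : $env:USERDNSDOMAIN"
try {
    $adDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    "AD computer domain   : $($adDomain.Name)"
} catch {
    Write-Warning "This machine is not joined to an AD domain: $($_.Exception.Message)"
}

function Get-CertDnsNames {
    # Returns the lower-cased DNS names a certificate carries: Subject CN plus any
    # DNS entries in the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,]+)')) {
            $names += $m.Groups[1].Value.Trim()
        }
    }
    return @($names | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)
}

function Test-ClientAuthEku {
    # True when the certificate's Enhanced Key Usage extension lists Client Authentication.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}

$now = Get-Date
$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $names = Get-CertDnsNames -Cert $_
    [pscustomobject]@{
        Thumbprint  = $_.Thumbprint
        Issuer      = $_.Issuer
        NotAfter    = $_.NotAfter
        HasKey      = $_.HasPrivateKey
        ClientAuth  = Test-ClientAuthEku -Cert $_
        NameMatches = ($names -contains $fqdn)
        Names       = ($names -join ';')
    }
}
$report | Format-Table -AutoSize

# A certificate is usable for pre-logon machine auth only if all four hold.
$usable = $report | Where-Object {
    $_.NameMatches -and $_.ClientAuth -and $_.HasKey -and $_.NotAfter -gt $now
}
if ($usable) {
    "Usable machine certificate(s): $($usable.Thumbprint -join ', ')"
} else {
    Write-Warning "No machine certificate names $fqdn with the Client Authentication EKU, a private key, and a valid date."
    Write-Warning "Request one whose Subject CN or DNS SAN is $fqdn (for an enterprise CA, a computer/workstation authentication template does this)."
}
```

Note that none of the four conditions involve USERDOMAIN: the environment variable is a label for the same domain that USERDNSDOMAIN names in DNS form, and changing it with a login script would not alter what the certificate or the VPN gateway sees.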
ASKER
Arnold:
Is there a way to set userdomain using AD? group policy for example?
SOLUTION
Are the users and servers in the same Active Directory tree? If so, then they will have the same FQDN.
If they are in different trees is that really a problem?