Adding a UPN suffix to allow a current .Local domain to work with ad.company.us. Advice needed.

The domain I'm working on is a .local domain.  Due to expiring certs and this not being the correct way to do things, my goal is to enable a seperate UPN suffix to be used throughout the domain.  I thought I was going about this the right way but I'm not certain, looking for some advice.  

DC:  Win Server 2008 Standard
Current Domain:  company.local
Newly created AD Directory Domain and Trust UPN:  ad.company.us

The domain was previously established; I added the UPN domain without any problems.  I then take a look at the User Account properties.  I select the User Logon Name domain dropdown and select my @ad.company.us.  Everything looks good.  (I should note that I have not applied this UPN name to the entire domain, only the single account).

I go to the User Computer and attempt to add that to the domain with the newly created UPN and it fails.  


Remove alert
|
Edit
|
Delete
|
Change type
Question
You cannot vote on your own post
0

The domain in question is currently a .Local Active Directory Domain (company.local).  In order to get external certificates to function properly, we need to roll it over to a AD.company.us.  I realize that completely hosing the Domain is one way of going about this, but from what I've read I can also create a new UPN Suffix (Domains and Trusts) domain to accomplish this.

Scenario I have:

Current Domain: company.local

New UPN Suffix in AD Domains and Trust: ad.company.us

Username: tuser

I then go look at a user account properties, I can see my new @ad.company.us UPN listed in the drop down.  I select that and jump over to the machine.  My thought process says I need to add this account to the machine, which would prompt me to do the following:

Hit the client machine, go through System Properties > Network ID > Add the User & Machine to the Domain.  Upon doing so, I receive the following error message:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "AD.COMPANY.US":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.AD.COMPANY.US

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

192.168.0.251
192.168.0.250

- One or more of the following zones do not include delegation to its child zone:

AD.COMPANY.US
COMPANY.US
US
. (the root zone)


I've never done this so don't know what to expect; some basic questions come to mind:
-The entire domain needs to be converted for this to function?
-The Computer still shows as a Member Of: Company.Local/Users {potential problem?}

Am I completely misunderstanding how the UPN suffix works and I should expect this?  

Any help is greatly appreciated.
Brian MilovichITAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
Rather than configuring a new suffix you should just need to configure Split DNS on your internal DNS servers. at this point you will then create DNS records in the new Externaldomain.com zone you create.

There is no need to completely set your users to use an entirely new suffix.

I have created a HowTo specifically for Exchange but setting up Split DNS out-of-the-box is basically the same. You just need to add all of your required records to the externaldomain.com zone.

http://www.wsit.ca/how-tos/exchange-server-2/configure-split-dns-and-exchange-2013-virtual-directories/



Will.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Brian MilovichITAuthor Commented:
Ok, that seams easy enough.  So I create a new New Zone, name it internal.company.us; add the appropriate records.  Simple.  

How do I handle any external SSL certificates that require internal and external usage?  For instance, my Exchange server is still listed at mail.company.local; with a certificate that's mail.company.us?
0
Will SzymkowskiSenior Solution ArchitectCommented:
Exchange server is still listed at mail.company.local; with a certificate that's mail.company.us?

That is correct. You will need to have another cert with mail.doamin.us rather than local. From there for Exchange specifically you will also need to make sure that you update your virtual directories and also enable the Exchange certificate.

Will.
0
Brian MilovichITAuthor Commented:
Do I remove the machines from the company.local DNS zone and leave them only in my newly created zone?
0
Will SzymkowskiSenior Solution ArchitectCommented:
No leave the machines in the .local zone. All you need to do is create new DNS records in the new zone and point to the machines internally.

Do not do anything else.

Will.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.