The computer's primary DNS suffix does not match the FQDN of the domain where it resides

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2006-05-18

The Microsoft® Exchange Server Analyzer Tool reads the following registry entries to determine the primary Domain Name System (DNS) suffix for this Exchange Server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\NV Domain

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain

If the Exchange Server Analyzer finds that the values for NV Domain and Domain do not match, a warning is displayed.

The NV Domain registry value contains the computer's primary DNS suffix. The Domain registry value contains the computer's primary DNS domain. By default, the primary DNS suffix portion of a computer's fully qualified domain name (FQDN) must be the same as the name of the Active Directory® directory service domain where the computer is located. Mismatched names can prevent DNS registration from occurring correctly. If the DNS domain name for the computer does not match the Active Directory domain name, you will see errors in the computer's System event log every 22 minutes. Such a condition is known as a disjoint namespace. To allow different primary DNS suffixes, you can create a restricted list of allowed suffixes by creating an Active Directory attribute called msDS-AllowedDNSSuffixes in the domain object container.

The procedure for ensuring you have a correctly configured disjoint namespace depends on the operating system used for your Active Directory domain controllers.

  • If you are running a Microsoft Windows® 2000 Server operating system on your Active Directory domain controllers, you can use the procedure outlined in the Microsoft Knowledge Base article 258503, "DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=258503) to correctly configure your namespace. This article includes procedures for correcting an unintended disjoint namespace, and for correctly configuring a disjoint namespace if one is intended.

  • If you are running Microsoft Windows Server™ 2003 on your Active Directory domain controllers and the disjoint namespace is unintended, you can use the first procedure below to correct the unintended disjoint namespace and resolve this warning. If you are running Windows Server 2003 on your Active Directory domain controllers and the disjoint namespace is intended, you can use the second procedure below to correctly configure it.

To perform the second procedure below, you will need to use an Active Directory editor such as Active Directory Service Interfaces (ADSI) Edit or the LDP (Ldp.exe) tool. For more information about modifying Active Directory with the LDP tool, see the Microsoft Knowledge Base article 260745, "XADM: Using the LDP Utility to Modify Active Directory Object Attributes" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=260745).

Warning

If you incorrectly modify the attributes of Active Directory objects when you use ADSI Edit, the LDP tool, or another Lightweight Directory Access Protocol (LDAP) version 3 client, you may cause serious problems. These problems may require that you reinstall Windows Server 2003, Exchange Server 2003, or both. Modify Active Directory object attributes at your own risk.

If the disjoint namespace is unintended

  1. Right-click My Computer, and then click Properties. The System Properties dialog box will appear.

  2. Click the Computer Name tab.

  3. Click Change. The Computer Name Changes dialog box will appear.

  4. Click More. The DNS Suffix and NetBIOS Computer Name dialog box will appear.

  5. Select the Change primary DNS suffix when domain membership changes check box.

  6. Click OK to save the changes, and then click OK to exit the Computer Name Changes dialog box.

  7. Click OK to close the System Properties dialog box, and then restart the computer for the change to take effect.

If the disjoint namespace is intended

  1. Use the procedure above to ensure that the Change primary DNS suffix when domain membership changes check box is clear.

  2. Modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. You can do this with ADSI Edit, by performing the following steps:

    1. Double-click the domain directory partition for the domain you want to modify.

    2. Right-click the domain container object, and then click Properties.

    3. On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS-AllowedDNSSuffixes.

    4. In the Multi-valued String Editor dialog box, in the Value to add box, type a DNS suffix, and then click Add.

    5. When you have added all the DNS suffixes for the domain, click OK.

    6. Click OK to close the Properties dialog box for that domain.

    7. Repeat these steps if you have multiple domains you want to similarly configure.
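
To confirm the state that either procedure above aims for, the following read-only PowerShell check compares the two registry values the Exchange Server Analyzer reads, the Active Directory domain name, and the contents of msDS-AllowedDNSSuffixes. It is an added example, not part of the original topic or of the Analyzer tool; the status strings and variable names are illustrative, and it assumes Windows PowerShell 3.0 or later on a domain-joined computer with read access to the domain object.

```powershell
# Read-only audit of the condition described in this topic; nothing is modified.
# Assumption: Windows PowerShell 3.0 or later, run on a domain-joined computer.
Add-Type -AssemblyName System.DirectoryServices

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcp = Get-ItemProperty -Path $key
$nvDomain = [string]$tcp.'NV Domain'   # primary DNS suffix
$domain   = [string]$tcp.Domain        # primary DNS domain

# SyncDomainWithMembership is the registry value behind the "Change primary DNS
# suffix when domain membership changes" check box; when absent, the default is 1.
$sync = if ($null -eq $tcp.SyncDomainWithMembership) { 1 } else { $tcp.SyncDomainWithMembership }

# DNS name of the Active Directory domain this computer belongs to, and the
# suffixes listed on that domain object (empty when the attribute is not set).
$adDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$entry    = $adDomain.GetDirectoryEntry()
$allowed  = @($entry.Properties['msDS-AllowedDNSSuffixes'] | ForEach-Object { [string]$_ })

# -eq, -ne and -contains compare strings case-insensitively, which suits DNS names.
$status = if ($nvDomain -ne $domain) {
    'NV Domain and Domain differ (the condition the Analyzer warns about)'
} elseif ($nvDomain -eq $adDomain.Name) {
    'Primary DNS suffix matches the Active Directory domain name'
} elseif ($allowed -contains $nvDomain) {
    'Disjoint namespace; suffix is listed in msDS-AllowedDNSSuffixes'
} else {
    'Disjoint namespace; suffix is NOT listed in msDS-AllowedDNSSuffixes'
}

# Event IDs 5788 and 5789 are the DNS registration errors named in the title of
# Knowledge Base article 258503; count those logged during the last 24 hours.
$filter = @{ LogName = 'System'; Id = 5788, 5789; StartTime = (Get-Date).AddDays(-1) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

[pscustomobject]@{
    NVDomain                 = $nvDomain
    Domain                   = $domain
    ADDomain                 = $adDomain.Name
    SyncDomainWithMembership = $sync
    AllowedDNSSuffixes       = $allowed -join ', '
    RecentRegistrationErrors = $events.Count
    Status                   = $status
}
```

In an intended disjoint namespace, expect SyncDomainWithMembership to be 0 and the suffix to appear in AllowedDNSSuffixes; in a corrected unintended one, expect SyncDomainWithMembership to be 1 and all three names to match after the restart.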

For more information about the msDS-AllowedDNSSuffixes attribute, see the Windows Server 2003 Help and Support Center. For additional information about the procedure used to edit this attribute, see "Step-by-Step Guide to Implementing Domain Rename" (https://go.microsoft.com/fwlink/?LinkId=41359).