Hello World,
Recently, I’ve been asked to review an Active Directory infrastructure to see whether Exchange 2010 could be introduced without dramatically changing the Active Directory structure. Nothing special, you would think… keep reading.
Background Information
Recently, I’ve been called by a customer to provide some help and guidance about installing Exchange 2010 in a domain whose name contained an underscore. Another company had been hired to perform a migration project from Exchange 2003 to Exchange 2010. That company ran the Exchange Best Practice Analyzer and fixed all the issues it found. Then it was time to install the Exchange 2010 server. The consultancy company overlooked a small detail: the name of the domain contained an underscore.
Have you ever tried to install Exchange 2010 in a domain where the domain name contains an underscore? If you have, you probably know the final result: the installation fails miserably. That’s exactly what happened during this migration project. During the prerequisite checks performed by the setup routine, the following error was thrown (see screenshot below) and the installation process failed.
The message is quite clear. You cannot install Exchange 2010 in a domain whose name contains unsupported characters. Such an installation would work perfectly with Exchange 2003. However, since Exchange 2010 setup tries to create self-signed certificates during the installation process, a domain name containing invalid characters leads to a failed setup.
You can find more information about this issue at this KB “Exchange 2010 setup process fails if you try to install Exchange Server 2010 into a domain that has an underscore character ( _ ) in the domain name”
To work around the problem, the other company decided to add an additional domain to the forest (creating a domain tree structure). Because the new domain was not using any invalid characters, the installation procedure was successful. Obviously, this solution was valid and would be supported by Microsoft. However, the customer was not happy with it, simply because of the additional level of complexity it added to the Active Directory infrastructure.
The Other Option
My assignment during this small consultancy job was to come up with an alternative to the current implementation. The customer wanted to get back to the Single Forest/Single Domain infrastructure and still have Exchange 2010 installed. In fact, there is another option that allows you to install Exchange 2010 in a domain with an underscore: the disjoint namespace approach.
Disjoint namespace scenario
In most topologies, when a computer is joined to an Active Directory domain, the computer uses the name of the Active Directory domain it is joined to as its primary DNS suffix. So, if your AD domain name is Domain_Name.lab, in a standard situation the computer will use this DNS information to create its own FQDN (Fully Qualified Domain Name).
A disjoint namespace scenario is one in which the primary DNS suffix of a computer doesn’t match the DNS domain name where that computer resides. The computer with the primary DNS suffix that doesn’t match is said to be disjoint. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller doesn’t match the DNS domain name.
This scenario is fully supported by Microsoft and not too complex to implement. Using this approach, we are basically getting rid of the underscore character in the DNS name of the computer, and the installation of Exchange 2010 should go through.
For more information about disjoint namespaces, visit this link.
Implementing disjoint namespace solution
Before installing your Exchange 2010 server, you will need to perform some configuration changes within your Active Directory forest. This section describes the modifications that were performed in order to implement this disjoint namespace scenario.
Step 1 – Create a DNS zone for the disjoint computer. In this example, we will create a new zone called domainName.lab (no underscore). We perform this step so that name resolution works in this scenario.
Step 2 – Configure Active Directory to accept multiple DNS suffixes. Using adsiedit, connect to the Default naming context, expand it and right-click the top level of your domain. In the attribute dialog box, locate the attribute called msDS-AllowedDNSSuffixes and enter the DNS suffixes for your domain.
Step 3 – Change the primary DNS suffix of the future Exchange 2010 server. Open the System Properties dialog box (by typing sysdm.cpl in the Run box). In this dialog box, click the Change button. In the Computer Name/Domain Changes dialog box, click More and the DNS Suffix dialog box will be displayed. Provide here the name of the disjoint namespace (in my example, domainName.lab).
Step 4 – Change the DNS suffix. Right-click the network interface, select Properties, then select Internet Protocol v4 and click Properties. In the TCP/IP Properties page, click Advanced, go to the DNS tab, and there append the DNS suffixes to be used. Here, we have done it manually, but in production you will use a Group Policy to apply this setting throughout your organization. When done, close everything.
Step 5 – Install Exchange 2010 on your computer. As you can see, the setup wizard will go through, given that the DNS name of the computer no longer contains invalid characters (underscore).
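A read-only check of the state that Steps 1 to 4 should leave behind, to run on the future Exchange server after a reboot and before starting setup. This is an added example, not part of the original post: Test-DisjointNamespace is a hypothetical function name, domainName.lab is the post's placeholder suffix, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example (not from the original post): read-only pre-flight check.
# Run on the future Exchange server after Steps 1-4 and a reboot.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Test-DisjointNamespace {
    param([string]$ExpectedSuffix = 'domainName.lab')   # placeholder suffix from the post

    $tcpip   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix  = $tcpip.Domain                             # effective primary DNS suffix (Step 3)
    $fqdn    = ('{0}.{1}' -f $tcpip.Hostname, $suffix).ToLower()
    $domain  = Get-ADDomain                              # domain of the current logon session
    $allowed = (Get-ADObject -Identity $domain.DistinguishedName `
                    -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'
    $account = Get-ADComputer -Identity $env:COMPUTERNAME `
                    -Properties dNSHostName, servicePrincipalName

    # DNS-only forward lookup (Step 1). Resolve-DnsName exists on Windows
    # Server 2012 and later; on older systems the check is reported as n/a.
    $resolves = 'n/a'
    if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
        $resolves = [bool](Resolve-DnsName -Name $fqdn -Type A -DnsOnly `
                               -ErrorAction SilentlyContinue)
    }

    $results = @(
        @('Primary DNS suffix is the expected one',    ($suffix -eq $ExpectedSuffix)),
        # Rejects the underscore and anything else outside letters, digits, "-" and "."
        @('FQDN contains only valid characters',       ($fqdn -match '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$')),
        @('Suffix is in msDS-AllowedDNSSuffixes',      ($allowed -contains $suffix)),
        @('Computer account dNSHostName equals FQDN',  ($account.dNSHostName -eq $fqdn)),
        @('HOST SPN is registered for the FQDN',       ($account.servicePrincipalName -contains "HOST/$fqdn")),
        @('FQDN resolves in DNS',                      $resolves)
    )
    foreach ($r in $results) {
        New-Object PSObject -Property @{ Check = $r[0]; Result = $r[1] }
    }
}

Test-DisjointNamespace | Select-Object Check, Result | Format-Table -AutoSize
```

A False on the dNSHostName or SPN line while the suffix line is True usually points back to Step 2, since the computer account can only register names under suffixes the domain allows.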
Final Notes
And voilà! Using this special configuration, we have been able to install Exchange 2010 into a single forest/single domain even though the domain name contained an underscore. The customer was pleased with this solution because it brought him back to his original situation. However, after this consultancy job, the customer was already looking forward and planning an inter-forest migration in order to bring his current (and obsolete) infrastructure to a Windows 2012/Exchange 2013 environment. If I get the job, I might post something about inter-forest migration.
Till next time
See ya
References
- Naming Conventions in Active Directory for computers, domains, sites and OU
- Exchange 2010 setup process fails if you try to install Exchange Server 2010 into a domain that has an underscore character ( _ ) in the domain name
- Understanding Disjoint namespaces
Hello. It’s been a while since you posted this but do you know if this scenario will work for a hybrid configuration with Office 365. Is there something that could be affected or not work? I don’t think there should be. Thank you!
Hello Angel;
I’m assuming that you are referring to the Disjoint namespace configuration….
This configuration should be working also with Hybrid deployment….
There should be recommendations/guidelines about this on the office 365 web site
I’ll try to find technical documentation to have confirmation of this statement..So, do not take it for granted that this will be working 100%…..
Hope this helps
Till next time
See ya
Hello Griffon,
I work with Angel and this post has been very helpful because we have a customer with this exact same case. We have been trying to get a confirmation about the hybrid deployment with Microsoft but haven’t gotten a response yet, that’s why we were hoping you could know it works just from your experience. Just one more question: Does the DNS suffix in the network interfaces have to be added to every computer in the organization? Is it not enough to add it on the Exchange server?
Thank you again for your help.
Hello Giuliana,
As far as I know this should be working also with hybrid scenario. But like you, I would like to have a confirmation from Microsoft about that. In the documentation, there are no restrictions related to disjoint namespaces. The single label name is not supported and not tested by Microsoft. I have contact with Microsoft because we are working on some projects. I will see if I can get the info (but no guarantee)
For the DNS suffix, yes, I would use a group policy to apply multiple DNS suffixes so I’m sure that my clients have no name resolution issues…..
Till next time see ya
Hello Griffon,
How about this solution work in Exchange 2013 ?
Thanks !
Hello Lingo,
This solution should be working as well for Exchange 2013…..
Till next time
See ya
Hello Griffon,
Thanks for writing up for this issue.
I’m exactly in the same situation like this – had underscore in domain, Ex 2003.
if it works with Ex2013, how about with Exchange 2007 ?
Hello there,
This process should be working with Exchange 2007, 2010 and 2013. We never tested with Exchange 2007, though, but the logic is the same as for Exchange 2010
Hope this helps
Till next time
see ya
It’s working !
Thank you Griffon .
Hello Nir,
No problem..Happy to hear that this post is still useful
Thanks for the visit and the feedback
Till next time
See ya
Thanks a lot mate (y) it rocked…!!
Hello Farooz,
No problem. We are happy to see that this post is useful to a lot of people
Thanks for the visit and positive feedback
Till next time
See ya