UAG 2010 SP1 Direct Access and Single-Label DNS Domain

  • Question

  • It appears that since the release of SP1 for UAG 2010, Direct Access no longer works with Single-Label DNS Domain names.  Initially I noticed that when I attempted to Activate DirectAccess configuration I get the following error message, "An error occurred while loading the configuration. Please configure DirectAccess again." I have now noticed that if I select Organizational Unit for the Client Group setting I get the following error, "The domain specified DOMAIN is not a valid domain Name".

    I have since moved the UAG server to a Trusted domain and it worked in that domain until I tried to add the original Single-Label DNS Domain name as a Client Domain.

    Does anyone know of a workaround for this or should we just not upgrade to SP1?

    Monday, September 12, 2011 5:07 AM

All replies

  • Can you please explain your environment, as it is a little difficult to understand the issue without any topology context?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, September 12, 2011 9:29 AM
    Moderator
  • Hi Jason,

    a "single-label DNS domain name" AD environment is an AD which uses just a DNS top-level domain for access. Something like "com." or "domainname." without a second-level domain specified.

    All I know regarding this issue is that it is not recommended to use single-label DNS names. The official recommendations are...

    For the following reasons, the best practice is to create new Active Directory domains that have fully qualified DNS names:

    • Single-label DNS names cannot be registered by using an Internet registrar.
    • Client computers and domain controllers that are joined to single-label domains require additional configuration to dynamically register DNS records in single-label DNS zones.
    • Client computers and domain controllers may require additional configuration to resolve DNS queries in single-label DNS zones.
    • Some server-based applications are incompatible with single-label domain names. Application support may not exist in the initial release of an application, or support may be dropped in a future release.
    • Transitioning from a single-label DNS domain name to a fully qualified DNS name is non-trivial and consists of two options. Either migrate (http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx) users, computers, groups, and other states to a new forest. Or, perform a domain rename of the existing domain. Some server-based applications are incompatible with the domain rename feature that is supported in Windows Server 2003 and newer domain controllers. These incompatibilities either block the domain rename feature or make the use of the domain rename feature more difficult when you try to rename a single-label DNS name to a fully qualified domain name.

    The bold text states that single-label DNS names may break in future releases. So I guess UAG has never officially supported this scenario and in SP1 finally fails (silently).

    -Kai


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Monday, September 12, 2011 9:46 AM
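    The recommendations quoted above all turn on one question an administrator can check before touching the DirectAccess configuration: does any domain in the forest use a single-label DNS name? The following PowerShell is an added example, not code from this thread, from UAG or from Microsoft. The function names (Test-DnsDomainName, Get-ForestDomainNameReport) and the sample domain names are assumptions constructed for illustration; only the optional forest-wide helper assumes the RSAT ActiveDirectory module, the classification itself is plain string logic and runs anywhere.

```powershell
# Added example (not from the thread): classify DNS domain names so the
# single-label scenario discussed above is caught before DirectAccess is enabled.
# Test-DnsDomainName and Get-ForestDomainNameReport are assumed (illustrative) names.

function Test-DnsDomainName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name
    )
    process {
        # "domainname." and "domainname" denote the same name; drop the trailing dot
        $trimmed = $Name.Trim().TrimEnd('.')
        $labels  = $trimmed -split '\.'

        # RFC 1035/1123 label rules: 1-63 chars, letters/digits/hyphen,
        # no leading or trailing hyphen; whole name at most 253 chars
        $labelOk = $labels | ForEach-Object { $_ -match '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$' }
        $valid   = ($trimmed.Length -gt 0) -and
                   ($trimmed.Length -le 253) -and
                   (-not ($labelOk -contains $false))

        $kind = if (-not $valid)             { 'Invalid' }
                elseif ($labels.Count -eq 1) { 'SingleLabel' }
                else                         { 'FullyQualified' }

        [pscustomobject]@{
            Name             = $Name
            Kind             = $kind
            LabelCount       = $labels.Count
            # The thread reports UAG SP1 rejecting single-label names, so anything
            # that is not a fully qualified name is flagged for review
            DirectAccessRisk = ($kind -ne 'FullyQualified')
        }
    }
}

function Get-ForestDomainNameReport {
    # Assumes the RSAT ActiveDirectory module; walks every domain in the forest
    Import-Module ActiveDirectory -ErrorAction Stop
    (Get-ADForest).Domains | Test-DnsDomainName
}

# Constructed sample names (not from the thread) so the check can be run offline:
'corp.example.com', 'DOMAIN', 'domainname.', 'bad_label.example', '-corp.example.com' |
    Test-DnsDomainName | Format-Table -AutoSize
```

    With the sample input, 'corp.example.com' is reported as FullyQualified, 'DOMAIN' and 'domainname.' as SingleLabel, and the two malformed names as Invalid; on a real forest, run Get-ForestDomainNameReport and treat any row with DirectAccessRisk set to True as a domain that the quoted guidance says should be migrated or renamed rather than used as a DirectAccess client domain.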
  • Interesting, I have NEVER come across a customer with that scenario...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, September 12, 2011 9:58 AM
    Moderator
  • I've seen one in the past (around year 2000), but the customer migrated the single-label forest quickly after getting serious trouble with Exchange 2000. Since then I've never seen a single-label domain again...

    -Kai


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Monday, September 12, 2011 10:13 AM