Disjoint Namespace

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

A disjoint namespace occurs when one or more domain member computers have a primary Domain Name Service (DNS) suffix that does not match the DNS name of the Active Directory domain of which the computers are members. For example, a member computer that uses a primary DNS suffix of corp.fabrikam.com in an Active Directory domain named na.corp.fabrikam.com is using a disjoint namespace.

A disjoint namespace is more complex to administer, maintain, and troubleshoot than a contiguous namespace. In a contiguous namespace, the primary DNS suffix matches the Active Directory domain name. Network applications that are written to assume that the Active Directory namespace is identical to the primary DNS suffix for all domain member computers do not function properly in a disjoint namespace.

Support for disjoint namespaces

Domain member computers, including domain controllers, can function in a disjoint namespace. Domain member computers can register their host (A) resource record and IP version 6 (IPv6) host (AAAA) resource record in a disjoint DNS namespace. When domain member computers register their resource records in this way, domain controllers continue to register global and site-specific service (SRV) resource records in the DNS zone that is identical to the Active Directory domain name.

For example, assume that a domain controller for the Active Directory domain named na.corp.fabrikam.com that uses a primary DNS suffix of corp.fabrikam.com registers host (A) and IPv6 host (AAAA) resource records in the corp.fabrikam.com DNS zone. The domain controller continues to register global and site-specific service (SRV) resource records in the _msdcs.na.corp.fabrikam.com and na.corp.fabrikam.com DNS zones, which makes service location possible.

Important

Although Windows operating systems may support a disjoint namespace, applications that are written to assume that the primary DNS suffix is the same as the Active Directory domain suffix may not function in such an environment. For this reason, you should test all applications and their respective operating systems carefully before you deploy a disjoint namespace.

A disjoint namespace should work (and is supported) in the following situations:

  • When a forest with multiple Active Directory domains uses a single DNS namespace, which is also known as a DNS zone

    An example of this is a company that uses regional domains with names such as na.corp.fabrikam.com, sa.corp.fabrikam.com, and asia.corp.fabrikam.com and uses a single DNS namespace, such as corp.fabrikam.com.

  • When a single Active Directory domain is split into separate DNS namespaces

    An example of this is a company with an Active Directory domain of corp.contoso.com that uses DNS zones such as hr.corp.contoso.com, production.corp.contoso.com, and it.corp.contoso.com.

A disjoint namespace does not work properly (and is not supported) in the following situations:

  • A disjoint suffix used by domain members matches an Active Directory domain name in this or another forest. This breaks Kerberos name-suffix routing.

  • The same disjoint suffix is used in another forest. This prevents routing these suffixes uniquely between forests.

  • When a domain member certification authority (CA) server changes its fully qualified domain name (FQDN) so that it no longer uses the same primary DNS suffix that is used by the domain controllers of the domain of which the CA server is a member. In this case, you may have problems validating certificates the CA server issued, depending on what DNS names are used in the CRL Distribution Points. But if you place a CA server in a stable disjoint namespace, it works properly and is supported.
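
The definition and the first unsupported case above can be checked against an inventory of computer accounts. The following PowerShell is an added example, not code from the original page; the function names, the record shape (Name, DNSHostName) and the sample hosts are assumptions made for illustration.

```powershell
# Added example. Classifies members as contiguous or disjoint and flags a
# disjoint suffix that equals another AD domain name (unsupported case).
function Get-PrimaryDnsSuffix {
    param([Parameter(Mandatory)][string]$DnsHostName)
    # The primary DNS suffix is everything after the first label of the FQDN.
    $labels = $DnsHostName.TrimEnd('.').ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { return '' }
    return ($labels[1..($labels.Count - 1)] -join '.')
}

function Test-NamespaceMember {
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,         # domain the computers belong to
        [Parameter(Mandatory)][string[]]$KnownAdDomainNames,  # AD domains in this and other forests
        [Parameter(Mandatory)][object[]]$Computer             # records with Name and DNSHostName
    )
    $domain = $DomainDnsName.ToLowerInvariant()
    $others = @($KnownAdDomainNames | ForEach-Object { $_.ToLowerInvariant() } |
        Where-Object { $_ -ne $domain })
    foreach ($c in $Computer) {
        if (-not $c.DNSHostName) { continue }   # account has no registered DNS name
        $suffix = Get-PrimaryDnsSuffix -DnsHostName $c.DNSHostName
        $disjoint = $suffix -ne $domain
        [pscustomobject]@{
            Name                 = $c.Name
            PrimarySuffix        = $suffix
            Disjoint             = $disjoint
            CollidesWithAdDomain = $disjoint -and ($others -contains $suffix)
        }
    }
}

# Constructed sample data (not from a real forest). In a live domain the same
# shape comes from: Get-ADComputer -Filter * -Properties DNSHostName
$sample = @(
    [pscustomobject]@{ Name = 'SRV01'; DNSHostName = 'srv01.na.corp.fabrikam.com' }
    [pscustomobject]@{ Name = 'APP01'; DNSHostName = 'app01.corp.fabrikam.com' }
    [pscustomobject]@{ Name = 'APP02'; DNSHostName = 'app02.sa.corp.fabrikam.com' }
)
$adDomains = 'na.corp.fabrikam.com', 'sa.corp.fabrikam.com', 'asia.corp.fabrikam.com'
Test-NamespaceMember -DomainDnsName 'na.corp.fabrikam.com' `
    -KnownAdDomainNames $adDomains -Computer $sample | Format-Table -AutoSize
```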

Considerations for disjoint namespaces

The following considerations may help you decide if you should use a disjoint namespace.

Application compatibility

As previously mentioned, a disjoint namespace can cause problems for any applications and services that are written to assume that a computer's primary DNS suffix is identical to the name of the domain of which it is a member. Before you deploy a disjoint namespace, you must check applications for compatibility issues. Also, be sure to check the compatibility of all applications that you use when you perform your analysis. This includes applications from Microsoft and from other software developers.

Advantages of disjoint namespaces

Using a disjoint namespace can have the following advantages:

  • Because the primary DNS suffix of a computer can indicate different information, you can manage the DNS namespace separately from the Active Directory domain name.

  • You can separate the DNS namespace based on business structure or geographical location. For example, you can separate the namespace based on business unit names or physical location such as continent, country/region, or building.

Disadvantages of disjoint namespaces

Using a disjoint namespace can have the following disadvantages:

  • You must create and manage separate DNS zones for each Active Directory domain in the forest that has member computers that use a disjoint namespace. (That is, it requires an additional and more complex configuration.)

  • You must perform manual steps to modify and manage the Active Directory attribute that allows domain members to use specified, primary DNS suffixes.

  • To optimize name resolution, you must perform manual steps to modify and maintain Group Policy to configure member computers with alternate primary DNS suffixes.

    Note

    The Windows Internet Name Service (WINS) could be used to offset this disadvantage by resolving single-label names. For more information about WINS, see the WINS Technical Reference (http://go.microsoft.com/fwlink/?LinkId=102303).

  • When your environment requires multiple primary DNS suffixes, you must configure the DNS suffix search order for all of the Active Directory domains in the forest appropriately.

    To set the DNS suffix search order, you can use Group Policy objects or Dynamic Host Configuration Protocol (DHCP) Server service parameters. You can also modify the registry.

  • You must carefully test all applications for compatibility issues.

For more information about steps that you can take to address these disadvantages, see Create a Disjoint Namespace (http://go.microsoft.com/fwlink/?LinkId=106638).

Planning a namespace transition

Before you modify a namespace, review the following considerations, which apply to transitions from contiguous namespaces to disjoint namespaces (or the reverse):

  • Manually configured Service Principal Names (SPNs) may no longer match DNS names after a namespace change. This can cause authentication failures.

    For more information, see Service Logons Fail Due to Incorrectly Set SPNs (http://go.microsoft.com/fwlink/?LinkId=102304).

  • If you use Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) (known as LDAPS) with a CA in a deployment that has domain controllers that are configured in a disjoint namespace, you must use the appropriate Active Directory domain name and primary DNS suffix when you configure the LDAPS certificates.

    For more information about domain controller certificate requirements, see article 321051 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=102307).

    Note

    Domain controllers that use certificates for LDAPS may require you to redeploy their certificates. When you do so, domain controllers may not select an appropriate certificate until they are restarted. For more information about LDAPS authentication and a related update for Windows Server 2003, see article 932834 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=102308).
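
For the SPN consideration above, the following PowerShell is an added example (not code from the original page) that lists SPNs whose host part still names the computer under a different DNS suffix than its current DNS host name. The function name Find-MismatchedSpn, the record shape and the sample hosts are assumptions; SPNs that point at aliases or other hosts are deliberately left out of scope.

```powershell
# Added example. Lists SPNs that carry this computer's own host label but a
# DNS suffix that differs from its current dNSHostName, for manual review.
function Find-MismatchedSpn {
    param([Parameter(Mandatory)][object[]]$Computer)  # Name, DNSHostName, ServicePrincipalName
    foreach ($c in $Computer) {
        if (-not $c.DNSHostName) { continue }
        $fqdn  = $c.DNSHostName.TrimEnd('.').ToLowerInvariant()
        $short = $fqdn.Split('.')[0]
        foreach ($spn in $c.ServicePrincipalName) {
            # SPN syntax: serviceclass/host[:port-or-instance][/servicename]
            $parts = $spn.Split('/')
            if ($parts.Count -lt 2) { continue }
            $spnHost = ($parts[1] -replace ':.*$', '').TrimEnd('.').ToLowerInvariant()
            # Short-name SPNs (no dot) are unaffected by a suffix change.
            if ($spnHost.StartsWith("$short.") -and $spnHost -ne $fqdn) {
                [pscustomobject]@{
                    Name     = $c.Name
                    Spn      = $spn
                    SpnHost  = $spnHost
                    Expected = $fqdn
                }
            }
        }
    }
}

# Constructed sample record (not from a real directory): the computer now uses
# the suffix corp.fabrikam.com, but one manually set SPN keeps the old FQDN.
# Live input has the same shape:
#   Get-ADComputer -Filter * -Properties DNSHostName, ServicePrincipalName
$sample = @(
    [pscustomobject]@{
        Name                 = 'SQL01'
        DNSHostName          = 'sql01.corp.fabrikam.com'
        ServicePrincipalName = @(
            'HOST/SQL01',
            'HOST/sql01.corp.fabrikam.com',
            'MSSQLSvc/sql01.na.corp.fabrikam.com:1433'
        )
    }
)
Find-MismatchedSpn -Computer $sample | Format-Table -AutoSize
```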

Planning for disjoint namespace deployments

Take the following precautions if you deploy computers in an environment that has a disjoint namespace:

  1. Notify all software vendors with whom you do business that they must test and support a disjoint namespace. Ask them to verify that they support their applications in environments that use disjoint namespaces.

  2. Test all versions of operating systems and applications in disjoint namespace lab environments. When you do, follow these recommendations:

    1. Resolve all software issues before you deploy the software into your environment.

    2. When possible, participate in beta tests of operating systems and applications that you plan to deploy in disjoint namespaces.

  3. Ensure that administrators and helpdesk staff are aware of the disjoint namespace and its impact.

  4. Create a plan that makes it possible for you to transition from a disjoint namespace to a contiguous namespace, if necessary.

  5. Evangelize the importance of disjoint namespace support with operating system and application providers.