Why You Should Avoid Single Label Domains

16 March 2017 | Technical

What is a Single Label Domain (SLD)? It is the term Microsoft uses for a domain whose DNS name consists of a single label, with no suffix such as “.local” or “.com.” For example, your Active Directory domain might be named “company.local,” but if it were Single Label it would be named just “company.”

The problem is that Single Label Domains fall into a grey area of Microsoft support. Microsoft publishes a support statement on them (the KB article “Information about configuring Windows for domains with single-label DNS names”), and the way I read it is: yes, they do offer support for these domains, but that support has its limits. From experience I can tell you that an SLD will cause multiple issues when integrating with other applications, and even when doing something as simple as joining a new computer to the domain.

How do you join a computer to a Single Label Domain? Out of the box, the DC locator on a Windows client will not use DNS to find a domain controller for a single-label name, so every computer you join needs a registry change first. Here’s how:

  1. Open Regedit on the computer you wish to join to the SLD.
  2. Navigate to: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. In the right pane, locate the AllowSingleLabelDnsDomain entry. If it doesn’t exist yet, create it:
    • Right-click, New > DWORD (32-bit) Value.
    • Type AllowSingleLabelDnsDomain and press ENTER.
  4. Open the AllowSingleLabelDnsDomain entry, type 1 for the Value data and click OK.
  5. Now you can join the domain.
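The same procedure scripted in PowerShell, as an added example that is not part of the original post. It sets the registry value, reads it back before attempting anything else, and runs a DNS sanity check for the domain controller SRV record before calling Add-Computer. The domain name “COMPANY” is a placeholder, and the Netlogon restart is an assumption (a reboot would equally do); run it in an elevated session on the machine being joined.

```powershell
# Added example, not from the original post. Run elevated on the client.
$Domain = 'COMPANY'   # single-label DNS name of the domain (placeholder)
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Name   = 'AllowSingleLabelDnsDomain'

# Show the current state: absent or 0 means the DC locator will not
# query DNS for a single-label domain, and the join will fail.
$before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
"Before: $Name = $(if ($null -eq $before) { '<not set>' } else { $before })"

# Create (or overwrite) the DWORD and set it to 1.
New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the write before going any further.
$after = (Get-ItemProperty -Path $Key -Name $Name).$Name
if ($after -ne 1) { throw "$Name is '$after', expected 1" }
"After:  $Name = $after"

# Restart Netlogon so the DC locator re-reads its parameters (assumption:
# a full reboot is the belt-and-braces alternative).
Restart-Service -Name Netlogon -Force

# Sanity check: the DC locator needs the LDAP SRV record for the domain.
# If this lookup fails, fix DNS (client resolver / zone on the DCs) first.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV record for _ldap._tcp.dc._msdcs.$Domain; DNS-based DC location will not work."
} else {
    $srv | Select-Object NameTarget, Port | Format-Table -AutoSize
}

# Join the domain with an account allowed to add computers, then reboot.
$cred = Get-Credential -Message "Account permitted to join $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart
```

Because the value has to exist on every client before it can join, in practice you end up pushing it with a script or Group Policy Preference rather than editing the registry by hand each time, which is exactly the kind of extra plumbing an SLD forces on you.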

Stupid, right? Another annoying thing is that certain applications that rely on LDAP lookups or AD integration may fail to work at all. We use the WatchGuard SSL VPN client in a lot of our deployments, and normally we would enable Single Sign-On against the local Active Directory domain so that VPN access can be managed from within Active Directory. Well, no such luck if you have an SLD: you get an error that basically says the application expects to see at least two “DC=” components in the search base. In a normal scenario your search base for users and groups would be something like “DC=company,DC=local.” But if all you have is “DC=company,” then sorry, no LDAP lookups for you, my friend.
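To make the search-base problem concrete, here is an added example (not from the original post and not WatchGuard’s code) that derives the LDAP base DN from a domain’s DNS name and then applies the same kind of validation the VPN client is described as performing: reject any base with fewer than two DC= components. The validation is a reconstruction of the error described above, and the two domain names are constructed inputs.

```powershell
# Added example, not from the original post. Emulates the "at least two DC="
# check described for the VPN client; it is not the vendor's own logic.
function ConvertTo-BaseDN {
    param([Parameter(Mandatory)][string]$DnsDomain)
    # company.local -> DC=company,DC=local
    # company       -> DC=company
    ($DnsDomain.Trim('.').Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

function Test-SearchBase {
    param([Parameter(Mandatory)][string]$BaseDN)
    # Count DC= RDNs at the start of the DN or after a comma.
    $dcCount = @([regex]::Matches($BaseDN, '(?i)(^|,)\s*DC=')).Count
    if ($dcCount -lt 2) {
        Write-Warning "'$BaseDN' has $dcCount DC= component(s); an application that expects DC=x,DC=y will reject it."
        return $false
    }
    return $true
}

# Constructed inputs: a normal domain and a single-label domain.
'company.local', 'company' | ForEach-Object {
    $dn = ConvertTo-BaseDN -DnsDomain $_
    [pscustomobject]@{ Domain = $_; SearchBase = $dn; Accepted = (Test-SearchBase -BaseDN $dn) }
} | Format-Table -AutoSize

# On a domain-joined machine the live value comes from RootDSE, e.g.:
#   Test-SearchBase -BaseDN ([ADSI]'LDAP://RootDSE').defaultNamingContext
```

Running this shows “company.local” accepted with the base “DC=company,DC=local” and “company” rejected with “DC=company”, which is the whole of the problem: there is no second DC= to give the application, so no amount of configuration on the VPN side fixes it.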

These are just two basic examples; you may run into a host of other issues as well. My advice? Just don’t do it. Grey areas of support should be avoided at all costs. If you inherit a domain like this, plan to migrate into a new domain soon. Get familiar with the ADMT, it’s your new best friend. But don’t be surprised if you run into some sticky issues when migrating objects across, because after all, you are coming from a Single Label Domain. Luckily, Microsoft will probably still support you in that move.

What about domain rename?

I will have another article on this topic, but the short version is: domain rename operations are not officially supported. I cannot find any literature verifying this in any official TechNet or other published documentation, but I have personally experienced it: the Microsoft Directory Services Support team straight up told me that they will not support this operation, as recently as December 2016. Now of course, you can still do it, but just know that if you run into issues, you might have trouble getting them to support whatever “fixes” are required.

Furthermore, domain rename operations are impossible (not just unsupported) if you have Exchange Servers in your environment, as well as a few other Microsoft products (System Center, SharePoint, etc.). If you have PKI deployed, that must be removed in advance, and so on. The list goes on. Therefore, to me it seems like the very last option when a migration would suffice.
