Create DNS application directory partition to host DNS zone containing user account entries


This article describes how to implement a DNS application directory partition. The procedure uses the NTDSUTIL.EXE and DNSMGMT.MSC tools.



SYNERGIX AD Client Extensions has a feature that manages CNAME records mapping each user account's sAMAccountName to the FQDN of the computer the user last used. The CNAME records can be managed in the domain DNS zone or in a custom DNS zone named users.<childDomainFQDN>, for example users.amrs.synergix.ds



For the purpose of this implementation, we will make references to various objects in Active Directory.  

Forest Root Domain:


Child Domains



Domain DNS Zones







Implementing DNS Application Directory Partition


  1. Log in to the forest root domain controller using your forest root domain admin account or enterprise administrator account
  2. Start the command prompt.
  3. Type NTDSUTIL and hit enter
  4. Type PARTITION MANAGEMENT and hit enter
  5. Type CONNECTIONS and hit enter
  6. Type CONNECT TO SERVER <forestRootDomainControllerFQDN> or <childDomainDomainControllerFQDN>
  7. Type QUIT
  8. Type LIST to view all known naming contexts
  9. Type CREATE NC DC=dnsADPUsers,DC=Local domainControllerFQDN
  10. Type LIST to view all previously known naming contexts and the newly created DC=dnsADPUsers,DC=Local naming context
  11. Do NOT add another replica for the naming context DC=dnsADPUsers,DC=Local

This DNS Application Directory Partition is for a special purpose DNS zone and we wish to avoid Active Directory Replication delays.  A backup of this DNS zone's content can be maintained in a secondary DNS zone on any DNS server.


Implementing DNS zone


  1. Launch DNSMGMT.MSC
  2. Create an Active Directory integrated DNS zone called dnsADPUsers.Local; the DNS zone data should replicate to 'All the DNS Servers in the domain: forestRootFQDN'. For the name server, add the domainControllerFQDN that holds a replica of the DC=dnsADPUsers,DC=Local naming context.
  3. Create another Active Directory integrated DNS zone that will have the DNS zone data replicate to 'All domain controllers specified in the scope of the directory partition: dnsADPUsers.Local'.
  4. Set the zone name as Users.<childDomainFQDN>, ex. users.amrs.synergix.ds.
  5. Configure the DNS zone properties as follows
    1. Allow only secure dynamic updates
    2. Set Scavenge stale resource records to 1 Hour
    3. Set Refresh Interval to 1 Hour
  6. Create DNS zone delegation and list one NS record for the newly created DNS zone.
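
The zone settings above can be checked after the fact with a script; secure-only dynamic updates matter here because the records tie user names to computers. This is an added example, not SYNERGIX code: the function name `Test-UserZoneConfig` and the sample objects are hypothetical, the property names are those returned by `Get-DnsServerZone` and `Get-DnsServerZoneAging` in the DnsServer PowerShell module, and the partition name dnsADPUsers.Local is assumed from the steps above.

```powershell
# Added example: audit a zone against the settings listed in the steps above.
# Test-UserZoneConfig is a hypothetical helper, not part of any product.
function Test-UserZoneConfig {
    param(
        [Parameter(Mandatory)] $Zone,    # object from Get-DnsServerZone
        [Parameter(Mandatory)] $Aging,   # object from Get-DnsServerZoneAging
        [Parameter(Mandatory)] [string] $PartitionName
    )
    $oneHour = New-TimeSpan -Hours 1
    $checks = [ordered]@{
        'AD-integrated zone'          = [bool]$Zone.IsDsIntegrated
        'Secure dynamic updates only' = $Zone.DynamicUpdate -eq 'Secure'
        'Custom replication scope'    = $Zone.ReplicationScope -eq 'Custom'
        "Stored in $PartitionName"    = $Zone.DirectoryPartitionName -eq $PartitionName
        'Aging/scavenging enabled'    = [bool]$Aging.AgingEnabled
        'Refresh interval is 1 hour'  = $Aging.RefreshInterval -eq $oneHour
    }
    # Emit one result object per check so failures can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Zone  = $Zone.ZoneName
            Check = $name
            Pass  = $checks[$name]
        }
    }
}

# Constructed sample: a zone that was left accepting nonsecure updates.
$sampleZone = [pscustomobject]@{
    ZoneName               = 'users.amrs.synergix.ds'
    IsDsIntegrated         = $true
    DynamicUpdate          = 'NonsecureAndSecure'
    ReplicationScope       = 'Custom'
    DirectoryPartitionName = 'dnsADPUsers.Local'
}
$sampleAging = [pscustomobject]@{
    AgingEnabled    = $true
    RefreshInterval = New-TimeSpan -Hours 1
}

# Show only the failed checks for the constructed sample.
Test-UserZoneConfig -Zone $sampleZone -Aging $sampleAging -PartitionName 'dnsADPUsers.Local' |
    Where-Object { -not $_.Pass }

# On a DNS server, pass live objects instead of the samples:
# $z = 'users.amrs.synergix.ds'
# Test-UserZoneConfig -Zone (Get-DnsServerZone -Name $z) `
#     -Aging (Get-DnsServerZoneAging -Name $z) -PartitionName 'dnsADPUsers.Local'
```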


Configuring SYNERGIX AD Client Extensions DNS Record Management Feature


  1. Launch GPMC.MSC
  2. Select the GPO that has SYNERGIX AD Client Extensions setting configured.
  3. Right-click the GPO and select EDIT from the context menu to launch Group Policy Editor
  4. In the treeview in Group Policy Editor, expand the branch COMPUTER CONFIGURATION \ SYNERGIX AD Client Extensions \ Network \ DNS Client
  5. Double-click the "Manage DNS CNAME type record for user sAMAccountName" policy setting
  6. Click on ENABLE
  7. In the Zone Name, specify Users.<childDomainFQDN>, ex. users.amrs.synergix.ds
  8. Leave the Default TTL Interval (in minutes) at 5
  9. Leave the Run Interval at 1440 minutes
  10. Click on APPLY to commit the settings and then, click on OK to close the dialog box
  11. Wait until the FRS replication cycle has completed and the GPO is available on all domain controllers




  1. Log in to a domain computer that has SYNERGIX AD Client Extensions installed
  2. Run GPUPDATE /FORCE. This should bring down the policy settings.
  3. Wait at least one minute for the SYNERGIX AD Client Extensions service cycle
  4. From a command prompt, ping %username%.users.<childDomainFQDN>, ex. john.users.amrs.synergix.ds
  5. The name should resolve to the computer where the user with sAMAccountName John is logged in
  6. When the group policy has refreshed on other domain computers with SYNERGIX AD Client Extensions installed, you should be able to ping those users' sAMAccountName too, in the specified DNS domain


For additional support on this article, please open a support incident via our product support portal
