An Active Directory domain name made up of two or more labels separated by dots is referred to as a fully qualified domain name (FQDN). In contrast, a single-label domain (SLD) is an Active Directory domain name with only one label. SLD is not a commonly deployed configuration today.
Because of that, many Microsoft and third-party applications have never been tested under an SLD configuration. Microsoft recommends FQDN Active Directory deployments, and companies that have deployed an SLD should transition to an FQDN Active Directory deployment. This will ensure that they get the most value out of their deployed applications.
For companies that will be evaluating a transition from an SLD to an FQDN configuration, Microsoft has finally released a whitepaper describing the options and the considerations they will need to take into account. In particular, it describes the Domain Migration and Domain Rename operations and explains the considerations specific to each of these two options, so that companies can build a transition plan that makes sense for them.
The complete whitepaper “Single-Label-Domains in Active Directory Domain Services (AD DS) – Considerations, Migration, and Co-existence” can be downloaded from http://www.microsoft.com/download/en/details.aspx?id=27143
What if you could add group memberships to a user's access token when the user authenticates using a certificate-based logon method, and let the issuance policies included in the certificate decide which groups get added?
This is now possible using the Authentication Mechanism Assurance feature in Active Directory Domain Services (AD DS) in Windows Server 2008 R2. When this feature is enabled, a user's access to resources on the network when authenticated with a certificate can be treated differently from the access that same user gets after typing a user name and password, because the user's group membership changes to reflect the authentication method used.
This feature is intended for organizations that use certificate-based authentication methods, such as smart card or token-based authentication systems. Organizations that do not use certificate-based authentication methods will not be able to use authentication mechanism assurance, even if they have Windows Server 2008 R2 domain controllers with their domain functional level set to Windows Server 2008 R2.
The best part of this feature is that any client or server operating system that is able to interpret Windows access tokens can be used to grant or deny access based on the group membership or memberships that are added to a user's token by authentication mechanism assurance.
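As an added example (not part of the original post, and not a Microsoft-provided script), the PowerShell below shows what enabling the feature amounts to in practice: an issuance-policy OID object in the configuration partition is linked to a universal security group through its msDS-OIDToGroupLink attribute, and the prerequisites mentioned above (Windows Server 2008 R2 domain functional level, a universal security group) are checked before the link is written. The issuance-policy OID and the group name are placeholders; it assumes the RSAT ActiveDirectory module on a domain-joined machine with rights to modify the OID container.

```powershell
# Added example, not the original post's code: link a certificate issuance policy
# to a universal security group for Authentication Mechanism Assurance (AMA).
# Assumptions: ActiveDirectory module available; the two values below are placeholders.
Import-Module ActiveDirectory

$IssuancePolicyOid = 'REPLACE-WITH-YOUR-ISSUANCE-POLICY-OID'   # placeholder OID, e.g. from your CA's issuance policy
$GroupName         = 'SmartCard-Assured-Users'                  # placeholder: an existing universal security group

# 1. Prerequisite from the post: the domain functional level must be Windows Server 2008 R2 or later.
$domain = Get-ADDomain
$minimumMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
if ([int]$domain.DomainMode -lt [int]$minimumMode) {
    throw "Domain functional level is $($domain.DomainMode); AMA needs Windows Server 2008 R2 or later."
}

# 2. The linked group must be a universal security group.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$GroupName must be a universal security group (found $($group.GroupScope)/$($group.GroupCategory))."
}

# Static members would carry the group in every token regardless of logon method,
# which defeats the point of AMA, so warn if any exist.
$staticMembers = @(Get-ADGroupMember -Identity $group)
if ($staticMembers.Count -gt 0) {
    Write-Warning "$GroupName has $($staticMembers.Count) static member(s); AMA membership is meant to be token-only."
}

# 3. Find the issuance-policy OID object under the forest's OID container.
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$filter = "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$IssuancePolicyOid))"
$policy = Get-ADObject -SearchBase $oidContainer -LDAPFilter $filter -Properties 'displayName','msDS-OIDToGroupLink'
if (-not $policy) {
    throw "Issuance policy $IssuancePolicyOid is not registered in $oidContainer."
}
if ($policy.'msDS-OIDToGroupLink') {
    Write-Warning "Policy '$($policy.displayName)' is already linked to $($policy.'msDS-OIDToGroupLink'); replacing."
}

# 4. Write the link: certificates carrying this issuance policy now add the group to the token.
Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# 5. Audit: list every issuance policy that carries a group link, so the mapping can be reviewed.
Get-ADObject -SearchBase $oidContainer -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
    -Properties 'displayName','msPKI-Cert-Template-OID','msDS-OIDToGroupLink' |
    Select-Object displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    Format-Table -AutoSize
```

After the link is written, a user who logs on with a certificate containing that issuance policy sees the group in the output of whoami /groups, while the same user logging on with a password does not; the final audit query is the one to run periodically, since every linked group is effectively an access decision made by the CA's issuance policy configuration.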