Where does DNS server specify search domains?

  • Question

  • I'm having quite a time trying to get my DNS server to append our local domain to single word domain lookups. We have a server "tom" which, when I ping tom, should return tom.mydomain.com, yet instead I get: "Ping request could not find tom. Please check the name and try again." But if I ping tom.mydomain.com it returns the IP.  I do have a forward lookup zone for mydomain.com with a host A record for tom.  I also have the IP in a reverse lookup zone.  Any ideas what setting I'm missing?
    Friday, February 11, 2011 5:16 PM

Answers

  • I understand that this can be set on the client side, in the location you specified, but surely it doesn't have to be done on the client side.  Isn't there a more automated way of specifying this?


    If you are in an AD environment, you can use a GPO to push out the suffixes. There are other options, as well, such as scripting and various DHCP options, depending on what type of DHCP you have and DHCP client OS types. Here you go:


    ==================================================================
    ==================================================================
    Using GPOs to configure DNS Search Suffixes

    At this time, DHCP Option 119 populates Search Suffixes based on RFC xxxx, but it's not supported under Windows DHCP.

    However, you can assign a connection specific DNS suffix (option 015), which is added
    to the search list. But, you can assign only one DNS suffix per client.

    The Connection Specific Suffix is good for the specific connection that received a DHCP
    assignment.

    Another option to populate a custom Search Suffix for all interfaces is to use a GPO,
    which works for Windows 2003, XP and all newer operating systems. If you're still using
    a Windows 2000 DHCP, you'll need to upgrade the GPOs using a Win2k3 or XP machine.

    Upgrading Windows 2000 Group Policy for Windows XP:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;307900

    After the GPOs have been upgraded, or if the system is already at the latest updates and
    version, expand the Group Policy to apply the custom search list to the following location:

    Computer Configuration
       -Administrative templates
             -Network
                   -DNS Client

    Also...

    If you want to kill the devolution tickbox, have a look at this article:
    http://www.insidetheregistry.com/regdatabase/viewvalue.asp?valueid=320

    It refers to the registry key controlled by GPO - this will override the standard internal registry setting at:
    HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\UseDomainNameDevolution


    ==================================================================
    Scripting the suffix by using WSH:

    You could also populate the regkey by script if you didn't want to pull in the extra ADMX GPO template... and this will force your client to JUST resolve hosts on internal.domain.com or whatever:

    ---
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "SearchList"="domain1.com,domain2.com"

    ---
    Or use the command:
    reg add HKLM\system\currentcontrolset\services\tcpip\parameters /v "SearchList" /d "domain1.com,domain2.com" /f
    ---

    The key thing to observe with manual suffix lists, (from KB275553, link below), is that if you distribute a suffix list then it blocks devolution and use of
    primary or connection-specific suffixes... therefore you'll want to enter the list carefully with exactly what you need.

    How to configure a domain suffix search list on the Domain Name System clients
    http://support.microsoft.com/?id=275553


    ==================================================================
    DHCP Option 015

    I would like to point out that the 015 Option is the "Connection Specific Suffix." This means that the connection that receives a DHCP config from DHCP will get this suffix as the Search Suffix.

    Just to illustrate what I mean, you can test it by setting a suffix in Option 015 that's different than the domain's zone name. First, if the AD domain's zone name is 'domain.com,' then the Primary DNS Suffix becomes 'domain.com' when you join the machine to the domain. The default Search Suffix becomes the default Search Suffix. Now in DHCP Option 015, configure 'domain1.com' as the connection specific suffix. Now go to the workstation and run a /release and /renew. You will now see the suffix you configured in 015 in addition to the machine's default.

    So if you are trying to simply add one additional suffix, this will work for your DHCP clients. However, if you're trying to add more than one additional suffix, and/or if you have numerous statically configured machines (such as servers), then a GPO will be the better alternative, which Tiger and JM already suggested.


    ==================================================================
    Setting the DNS Search Suffix using DHCP Option 135

    DHCP Option 135 is not supported by Microsoft DHCP. If I remember correctly, DHCP option 135 is for something else anyway, such as a phone system, based on RFC 4578, unless it was superseded, or this one superseded a prior one defining such an option value. Take a look at the list of DHCP options in the following article, but keep in mind, Microsoft does not support all of them.

    DHCP and BootP Options
    http://www.networksorcery.com/enp/protocol/bootp/options.htm

    You can *possibly* create the option in DHCP, but that would require some testing on your part.
    http://www.isaserver.org/img/upl/isaedukit/5automate/5automate_files/image057.jpg

    However, you can use a GPO, which is a lot easier. Create and link a GPO for this purpose. Actually, you really don't want to add anything to the default GPOs. Take a look at the following article. You will want to alter the Primary DNS Suffix Devolution value. Just make sure you document it, so when one day comes up that you don't want it anymore, you don't go crazy trying to figure out where it's coming from. You would be surprised that this question comes up once in a while, and one of the suggestions is to check if they're coming from a GPO.

    New group policies for DNS in Windows Server 2003
    http://support.microsoft.com/kb/294785

    You can also use DHCP Option 015, but as mentioned above, that is the "connection specific suffix," which only the interface that gets a config from this scope will apply to, meaning that if there are additional interfaces, they will not receive it. The GPO method applies to the machine for all interfaces.
    ==================================================================
    ==================================================================



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, February 12, 2011 4:30 PM
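    A small Python model of the suffix-selection rules described in the answer above, for a single-label name like the poster's "tom". It is added here and is not Ace's, Microsoft's or the thread's code; it assumes devolution stops when two labels remain (a simplification) and uses constructed zone data.

```python
# Simplified model of how the Windows DNS client picks suffixes for an
# unqualified single-label name, following the rules in the post above:
#  - Primary DNS Suffix (from the domain join), then connection-specific
#    suffixes (DHCP option 015), then devolution of the primary suffix;
#  - a distributed SearchList (registry value or GPO) replaces all of that
#    and blocks devolution (the KB275553 caveat).
# Assumption (not from the post): devolution stops at two labels, so
# corp.mydomain.com devolves to mydomain.com and never to "com".
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DnsClientConfig:
    primary_suffix: Optional[str] = None                # set on domain join
    connection_suffixes: List[str] = field(default_factory=list)  # option 015
    search_list: List[str] = field(default_factory=list)          # SearchList / GPO
    use_devolution: bool = True                         # UseDomainNameDevolution


def devolve(suffix: str, min_labels: int = 2) -> List[str]:
    """Strip leading labels one at a time until min_labels remain."""
    labels = suffix.split(".")
    devolved = []
    while len(labels) > min_labels:
        labels = labels[1:]
        devolved.append(".".join(labels))
    return devolved


def candidate_names(name: str, cfg: DnsClientConfig) -> List[str]:
    """Ordered FQDNs the client would try for `name` (single label or FQDN)."""
    if name.endswith("."):                  # fully qualified: no suffix appended
        return [name[:-1].lower()]
    if cfg.search_list:                     # explicit list wins; nothing else is tried
        suffixes = list(cfg.search_list)
    else:
        suffixes = [cfg.primary_suffix] if cfg.primary_suffix else []
        suffixes += cfg.connection_suffixes
        if cfg.use_devolution and cfg.primary_suffix:
            suffixes += devolve(cfg.primary_suffix)
    out: List[str] = []
    for s in suffixes:
        fqdn = f"{name}.{s}".lower()
        if fqdn not in out:                 # keep order, drop duplicates
            out.append(fqdn)
    return out


def resolve(name: str, cfg: DnsClientConfig, zone: Dict[str, str]) -> Optional[str]:
    """Address of the first candidate that has an A record, else None."""
    for fqdn in candidate_names(name, cfg):
        if fqdn in zone:
            return zone[fqdn]
    return None


# Constructed zone data: the host A record the poster says exists.
ZONE = {"tom.mydomain.com": "192.0.2.10"}

if __name__ == "__main__":
    joined = DnsClientConfig(primary_suffix="mydomain.com")
    print(candidate_names("tom", joined), resolve("tom", joined, ZONE))
    # A pushed SearchList that omits mydomain.com reproduces "could not find tom".
    pushed = DnsClientConfig(primary_suffix="mydomain.com",
                             search_list=["domain1.com", "domain2.com"])
    print(candidate_names("tom", pushed), resolve("tom", pushed, ZONE))
```

    Comparing `candidate_names` for a working and a failing machine shows which suffix source (primary, option 015, or a distributed SearchList) is producing the list the poster sees.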
  • In addition, I have more info on suffixes, what they are, and how to configure them, etc, in my blog:

    Configuring DNS Search Suffixes
    http://msmvps.com/blogs/acefekay/archive/2011/02/12/configuring-dns-search-suffixes.aspx

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, February 12, 2011 5:53 PM

All replies

  • The appending of suffixes is a DNS client side function which can be set under the TCP/IP advanced properties DNS tab for a particular network adapter.


    Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
    Friday, February 11, 2011 5:26 PM
  • I understand that this can be set on the client side, in the location you specified, but surely it doesn't have to be done on the client side.  Isn't there a more automated way of specifying this?
    Friday, February 11, 2011 5:37 PM
  • hello,

    Is tom part of an Active Directory Domain? You may want to add an A record of Tom to point to tom.mydomain.com on DNS server


    Isaac Oben MCITP:EA, MCSE Microsoft Community Contributor 2011 Award (MCC-2011)
    Friday, February 11, 2011 5:39 PM
  • Hi

    Make sure tom is part of the domain and that the pref dns server for the computers pinging tom is your dns server not an external dns server.


    tech-nique
    Friday, February 11, 2011 6:17 PM
  • I don't think ACE understands.  The question is not about the CLIENTS it is about the SERVERS.

     

    If you do a nslookup on a Windows DNS server and do a "set all" you will see a srchlist of the domains the server will look through.  You can then manually set that list just by using set srchlist=domain1.dom.nam/domain2.dom.nam/...

    My question is, WHERE is that srchlist set originally?  I have manually set that srchlist many times on all of our DNS boxes but there must be some setting that I cannot find that is regressing it back to the old settings.

    Monday, February 28, 2011 1:53 PM
  • I don't think ACE understands.  The question is not about the CLIENTS it is about the SERVERS.

     

    If you do a nslookup on a Windows DNS server and do a "set all" you will see a srchlist of the domains the server will look through.  You can then manually set that list just by using set srchlist=domain1.dom.nam/domain2.dom.nam/...

    My question is, WHERE is that srchlist set originally?  I have manually set that srchlist many times on all of our DNS boxes but there must be some setting that I cannot find that is regressing it back to the old settings.


    Oh, I understand perfectly well. Nslookup has nothing to do with any DNS server. It's just a resolver, but it has its own built-in client side resolver independent of the machine it is run on, but it takes the search suffix list from the machine it's run on.

    Go ahead and test it. Go into IP properties, Advanced, DNS tab, and add a couple of suffixes to the Append list. Exit out of nslookup, then invoke it again, run a set all, and you can see the ones you just added.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, February 28, 2011 2:00 PM
  • You are absolutely wrong.  We have ZERO entries on the suffixes append list on all of our Windows DNS servers and yet we continue to see the behavior.  AND the behavior propagates back to all of the servers (which are AD integrated.)
    Monday, February 28, 2011 2:38 PM
  • Believe me, it is NOT coming from DNS. Suffixes are ONLY client side, and a DNS server has a client side resolver, too, just like any other machine.

    At this time, to better assist, please post the following:

    • Unedited ipconfig /all from one of the servers
    • An nslookup result from this server

    Please check if there is a GPO applying to the servers that is populating the search suffixes or a connection specific suffix.

    Please check the registry in system\services\tcpip for each interface to see if anything was hardcoded in or applied to the server, such as if you used a base image that had it applied when first installed, or possibly some sort of reg script running (startup or logon) that is populating it.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, February 28, 2011 4:07 PM