"Append these DNS Suffixes" not available.

    Question

  • I have Windows 7 Professional 32-bit and 64-bit on home computers. I would like to be able to connect to the VPN at my office and use connection specific DNS suffixes for the VPN connections. Under Windows XP you could simply add the additional connection suffixes to the Advanced options for the network connection properties. However, under Windows 7 this option is unavailable.

    I looked around and found the solution:

    1. Edit the Group Policy and do the following changes:
      start >run > type gpedit.msc
      Navigate to Computer Config > Administrative Templates > Network > DNS Client
     
    2. Enable the following two entries:
      - allow dns suffix appending to unqualified multi-label name queries
      - Primary DNS Suffix Devolution.

    3. Restart the computer or force apply the policy.

    This solution HAS NOT WORKED for me. The ability to append DNS Suffixes remains greyed out for all except the default LAN connection.

    My home machines are NOT on a domain and are simply workgrouped. I do not wish to join my home machines to the company's domain as I do not wish to have all of the GPOs apply.

    Is there some additional configuration or some other way to have connection specific DNS suffixes apply to my VPN connections? There are a considerable amount of sub-domains and resources that I have to work with so a host file would become unwieldy quickly. It seems ridiculous to me that this functionality can't be enabled, so I must just not be checking the right boxes or something.

    Any help would be GREATLY appreciated.

    Thanks.
    Saturday, December 26, 2009 10:25 PM

Answers

  • Hi Jeff,

    If your system is Windows 7 Home Premium, you can configure it via Registry. The location is:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Under this branch, find the value SearchList. Please enter the search list in the value data. 


    Arthur Xie - MSFT
    Thursday, December 31, 2009 5:47 AM
    Moderator

All replies

  • This behavior is by design. We have found same behavior on our side. You can configure a DNS suffix search list as a workaround. The policy is under

    Computer Configuration\Administrative Templates\Network\DNS Client


    Arthur Xie - MSFT
    • Proposed as answer by cdobbs Thursday, December 31, 2009 6:40 AM
    Tuesday, December 29, 2009 9:28 AM
    Moderator
  • Ok... cool Mr. Xie,

    Same question, but in relation to Win7 Home Premium. I need to access our work VPN which requires a DNS suffix be added and I am unable to. Since there is no group policy management - no gpedit console (or any local user or group management whatsoever, so I just found out) am I SOL? I would think it's rather ridiculous that I can not connect to a VPN which is, in part, the entire purpose of said VPN, from HOME with an OS with the name 'HOME' in it.

    Thx... here's keeping my fingers crossed.

    Jeff.
    Wednesday, December 30, 2009 3:23 AM
  • Hi Jeff,

    If your system is Windows 7 Home Premium, you can configure it via Registry. The location is:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Under this branch, find the value SearchList. Please enter the search list in the value data. 


    Arthur Xie - MSFT
    Thursday, December 31, 2009 5:47 AM
    Moderator
  • Thanks again for your attention to this thread Arthur!

    My only concern with this solution and the others I've seen from Microsoft is that they are not per-connection solutions. Adding in the search suffixes either in a GPO or the Registry seems to be equivalent to adding them in to the primary connection's search suffix fields. In essence making these suffixes apply to all connections and not specifically called/utilized when a VPN/Secondary connection is active.

    As you may imagine, there can be cases when these search suffixes may provide inconsistent and inaccurate results when private intranet suffixes are applied to the public internet (name collisions, lack of split horizon DNS resources). I understand the security concerns around split tunneling, but am I to understand that versions of Windows moving forward will be without per connection suffix inclusion and we are forced to using one set of suffixes for all connections?

    Thanks again!

    Christian Quackenbush
    Monday, January 04, 2010 6:05 PM
  • Hi Christian,

    Generally we consider that the DNS Suffix will be provided by your default gateway. I fully understand your concern. This was a change since Windows Vista as we know. Now I cannot tell you if we need to work with it in every later operating systems. We will report your concern to our proper department.


    Arthur Xie - MSFT
    Wednesday, January 06, 2010 8:31 AM
    Moderator
  • Hi,

     

    I have the same issue. Any update on this considering it's been about eight months now??

    Friday, August 13, 2010 4:20 PM
  • Hi Christian,

    Generally we consider that the DNS Suffix will be provided by your default gateway. I fully understand your concern. This was a change since Windows Vista as we know. Now I cannot tell you if we need to work with it in every later operating systems. We will report your concern to our proper department.


    Arthur Xie - MSFT

    This is a really big problem for me at the moment...

    Due to the limitations of WINS, I'm unable to ping hostnames over a VPN connection, only FQDN names are pingable!
    Some parts of this issue are discussed here:
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/075637fd-d32a-4cce-bd04-c380eba08980/

    I've been struggling over 3 days now, how to provide VPN clients with the DNS suffix, to resolve the issue of accessing hostnames using their short name rather than FQDN names.

    Edit: 

    apparently it can be solved : http://www.windowsreference.com/windows-vista/fix-for-append-these-dns-suffixes-is-grayed-out-in-vista-vpn/


    • Edited by Montago Saturday, May 12, 2012 1:23 PM
    Saturday, May 12, 2012 1:19 PM
  • The group policy reg keys for the searchlist are:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\"SearchList"="domain1,domain2,domain3"

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\DNSClient\"SearchList"="domain1,domain2,domain3"

    Wednesday, October 10, 2012 6:37 PM
  • Hmmm, the last link in Montago's post above ("apparently it can be solved") does NOT work for me using Win8.  I'm using a Win8 Pro 64-bit system at home (workgroup based), with a standard Microsoft PPTP VPN to my office (domain based).

    Not sure why Microsoft has changed the rules of engagement, but it sure sucks that there is no way to override the "greyed out" feature.  An ongoing reminder, in case anyone forgets, of the arrogance that is Microsoft.

    As (one of) the domain administrators at work I have been similarly frustrated by the converse problem, namely that the Windows DHCP servers will not allow sending a DNS search list (using the standard DHCP options for that purpose), with the rationale that "some Windows clients cannot utilize that information".   So we can no longer add a search list to the client, and we cannot add it to the server because some (really old I presume) Microsoft clients can't use the information.  Totally Brilliant!

    Saturday, January 05, 2013 10:36 PM
  • Another issue here is that when you try to configure IPv4 you get the error "In order to configure TCP/IP you must install and enable a network adapter card". I have reinstalled my network card over and over; I can configure a search list one time, then on the next reboot I get the same error and my search list is broken... on a Win8 Surface Pro. Setting the search list in gpedit.msc would not work, but in regedit, under the Tcpip parameters, the SearchList with the domains you want searched worked for me.

    Note: Comma separated no spaces seems to work after a reboot.  Also this was for searching several domains with no VPN.

    The OS assumes you want to be connected to Microsoft at all times with very little care about domains and users, just move to the cloud your data is safe with us.


    • Edited by wonderbiff Wednesday, December 03, 2014 8:51 PM clarity
    Wednesday, December 03, 2014 8:39 PM
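
Added example, not part of the thread or any poster's code: a read-only PowerShell check of the SearchList value in the three registry locations quoted in the replies above, flagging the formatting problems the replies mention (spaces around commas) plus empty, malformed and duplicate entries. The function name Get-SearchListAudit and the source labels are made up for this example; the registry paths and value name are the ones given in the thread.

```powershell
# Added example, not from the thread: read-only audit of the global DNS suffix
# search list. Registry paths and the SearchList value name are those quoted above;
# the function name and the source labels are made up for this example.
$SearchListLocations = [ordered]@{
    'Local (Tcpip parameters)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    'Policy'                   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    'Policy (Wow6432Node)'     = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\DNSClient'
}

function Get-SearchListAudit {
    param([System.Collections.IDictionary]$Locations = $SearchListLocations)

    foreach ($source in $Locations.Keys) {
        $key = $Locations[$source]
        $raw = $null
        if (Test-Path -LiteralPath $key) {
            # A missing SearchList value leaves $raw as $null instead of raising an error.
            $raw = (Get-ItemProperty -LiteralPath $key -Name SearchList -ErrorAction SilentlyContinue).SearchList
        }
        if ([string]::IsNullOrEmpty($raw)) {
            [pscustomobject]@{ Source = $source; Order = 0; Suffix = '(not set)'; Problems = '' }
            continue
        }

        $seen  = @{}
        $order = 0
        foreach ($entry in ($raw -split ',')) {
            $order++
            $problems = @()
            $suffix = $entry.Trim()
            if ($entry -ne $suffix) { $problems += 'whitespace around entry' }
            if ($suffix -eq '') { $problems += 'empty entry' }
            elseif ($suffix -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$') {
                $problems += 'not a valid DNS name'
            }
            if ($suffix -ne '' -and $seen.ContainsKey($suffix.ToLower())) { $problems += 'duplicate' }
            $seen[$suffix.ToLower()] = $true

            # One row per suffix, in the order it appears in the stored list.
            [pscustomobject]@{ Source = $source; Order = $order; Suffix = $suffix; Problems = ($problems -join '; ') }
        }
    }
}

Get-SearchListAudit | Format-Table -AutoSize
```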