Windows 2008 Append parent suffixes of the primary DNS suffix does not work

Author: NetworkAdminKB.com
Created: 2011-01-25
Modified: 2011-01-25

Issue:

When you view the DNS suffix search list with ipconfig /all, only the primary DNS suffix is listed, even when the primary DNS domain has three tiers (child.parent.com) and the "Append parent suffixes of the primary DNS suffix" setting is enabled.

 

Example:

Windows IP Configuration

 

   Host Name . . . . . . . . . . . . : server

   Primary Dns Suffix  . . . . . . . : child.parent.com

   Node Type . . . . . . . . . . . . : Hybrid

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : child.parent.com

 

This differs from the behavior of Windows 2003 and older operating systems. On those systems, with exactly the same setting, you would see the following.

 

Windows IP Configuration

 

   Host Name . . . . . . . . . . . . : server

   Primary Dns Suffix  . . . . . . . : child.parent.com

   Node Type . . . . . . . . . . . . : Hybrid

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : child.parent.com

                                       parent.com

 

However, the same symptoms may also appear on those older operating systems once the DNS client update described here is installed: http://support.microsoft.com/kb/957579

 

Cause:

Windows 2008 and Windows 7 have, by default, changed the way the "Append parent suffixes of the primary DNS suffix" setting (also known as devolution) works.

 

 

For years, DNS devolution has been the DNS client behavior that allows computers assigned a primary DNS suffix of a child DNS domain to reach resources in the parent DNS namespaces without explicitly providing the fully qualified domain name (FQDN) of the resource.

 

Example:

Primary DNS Domain: child.parent.com

In Windows 2003 and prior, the DNS client would automatically append child.parent.com and parent.com to any DNS lookup, regardless of the associated Active Directory domain hierarchy.

 

By default, in Windows 7/2008 Microsoft has seen fit to tie DNS devolution directly to the Active Directory domain design. This causes issues if your DNS architecture is not a single domain tree with standard parent-child associations, or if your forest root domain is a three-tier (child.domain.com) DNS name.

 

Example 1:

Primary DNS Domain: child.cousin.com

Forest Root Domain: parent.com

Other AD Domains: child.cousin.com and cousin.com

Result: In Windows 7/2008 the DNS client will only search child.cousin.com. It will not devolve to the parent domain cousin.com, even though that domain exists, because devolution is now tied to the forest root domain (parent.com) and child.cousin.com is not beneath it. In this case you are not in a single domain tree with standard parent-child associations.

 

Example 2:

Primary DNS Domain: child.parent.com

Forest Root Domain: child.parent.com

Other AD Domains: none

Result: In Windows 7/2008 the DNS client will only query child.parent.com and will ignore parent.com because it is not the forest root domain. In this case your forest root domain is a three-tier (child.domain.com) DNS name, and DNS devolution will not work.

 

Solution:

To configure DNS devolution to work the same as in Windows 2003 and earlier, do the following.

 

Configure the DomainNameDevolutionLevel registry value as follows:

Key: HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dnscache\Parameters

Value Name: DomainNameDevolutionLevel

Type: DWORD

Value: 2

Range: 1-50

 

This change takes effect immediately (no reboot required), so you can run ipconfig /all and see the result right away.

 

To push this change to multiple computers, use the following GPO setting:

 

Location: Computer Configuration\Administrative Templates\Network\DNS Client

Setting: Primary DNS Suffix Devolution

Value: 2

Range: 1-50

 

Workaround:

As a workaround you can configure a DNS suffix search list explicitly. You can do this on a per-server basis or use a GPO to push the setting to multiple servers.

 

Enter your global suffix search list here.

 

 

More Information:

Windows 2008/7 DNS Devolution

 

This new functionality only affects how the DNS Client uses devolution. It does not affect utilities that use their own method of determining a DNS search order. For example, nslookup is not affected by the Windows 2008/7 default settings described above. Below are examples of how ping and nslookup may differ under these default settings.

 

Example 1:

Primary DNS Domain: child.cousin.com

Forest Root Domain: parent.com

Other AD Domains: child.cousin.com and cousin.com

server1.cousin.com = 10.1.1.1

ping server1

nslookup server1

Results: ping fails, nslookup is successful.

 

Example 2:

Primary DNS Domain: child.parent.com

Forest Root Domain: child.parent.com

Other AD Domains: none

server2.parent.com = 10.2.2.2

ping server2

nslookup server2

Result: ping fails, nslookup is successful.

 

This is because nslookup determines its search list using its own method. To view the current search list, type the following at the command prompt:

            nslookup

            set all

 

Look for the srchlist setting at the bottom of the returned values.
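The following is an added model (not code from the original article) of the two devolution behaviors described in the Cause section, used to reproduce Example 1 and Example 2 and the ping results above. It assumes the article's rule: the Windows 7/2008 default devolves only down to the forest root domain and only when the primary suffix lies beneath it, while an explicit DomainNameDevolutionLevel of N devolves until N labels remain (2 reproduces the Windows 2003 list); the DNS records are constructed sample data.

```python
# Added example, not from the original article. Models the DNS client's
# suffix-search-list construction so the article's examples can be reproduced.

def labels(name):
    """Split a DNS name into its labels, ignoring case and a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def devolve(primary_suffix, level):
    """Search list with DomainNameDevolutionLevel = level.
    Assumption: devolution strips leading labels until `level` labels remain
    (level 2 gives the Windows 2003 behavior: child.parent.com, parent.com)."""
    lab = labels(primary_suffix)
    out = [".".join(lab)]
    while len(lab) - 1 >= level:
        lab = lab[1:]
        out.append(".".join(lab))
    return out

def strict_search_list(primary_suffix, forest_root):
    """Windows 7/2008 default: devolution is tied to the forest root domain.
    Assumption: the client devolves only as far as the forest root, and only
    if the primary suffix is beneath it; otherwise only the primary suffix."""
    p, r = labels(primary_suffix), labels(forest_root)
    if len(p) >= len(r) and p[len(p) - len(r):] == r:
        return devolve(primary_suffix, len(r))
    return [".".join(p)]

def resolve(short_name, search_list, records):
    """Try each suffix in order (as ping would); return the FQDN found or None."""
    for suffix in search_list:
        fqdn = "%s.%s" % (short_name.lower(), suffix)
        if fqdn in records:
            return fqdn
    return None

# Constructed records matching the article's two examples.
RECORDS = {"server1.cousin.com": "10.1.1.1", "server2.parent.com": "10.2.2.2"}

def example1():
    """Primary child.cousin.com, forest root parent.com: default vs level 2."""
    strict = strict_search_list("child.cousin.com", "parent.com")
    fixed = devolve("child.cousin.com", 2)
    return resolve("server1", strict, RECORDS), resolve("server1", fixed, RECORDS)

def example2():
    """Primary and forest root both child.parent.com: default vs level 2."""
    strict = strict_search_list("child.parent.com", "child.parent.com")
    fixed = devolve("child.parent.com", 2)
    return resolve("server2", strict, RECORDS), resolve("server2", fixed, RECORDS)

if __name__ == "__main__":
    print(example1())  # (None, 'server1.cousin.com')
    print(example2())  # (None, 'server2.parent.com')
```

In both examples the first value (default strict devolution) is None, which is the failing ping, and the second value (DomainNameDevolutionLevel = 2) is the resolved FQDN.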

Article ID: 253, Created On: 9/18/2011, Modified: 9/18/2011