Tech Line

DNS Suffix Struggle

Configuring DNS suffix search order is a critical component of any multi-domain LAN without a WINS server.

• By Chris Wolf
• 09/27/2005

Chris: We recently upgraded our network to a Windows 2003 domain and got rid of WINS in the process. All of our workstations run either Windows 2000 Pro or Windows XP Pro. After the upgrade, users starting losing connectivity to mapped drives and not everyone can connect to the intranet Web server by host name. Short of rewriting my logon scripts and having users use a FQDN to connect to the intranet server or redeploying the WINS server, is there anything else that I can do?
— Andy

Somewhere in the world a Unix admin is laughing and thinking to himself, "See! Windows networks can't run without WINS!" After talking with Andy, I learned that his network has three domains. Since DNS resolves fully qualified domain names to IP addresses, the DNS server wasn't much help when users and scripts tried to connect to file servers or the Web server by host name alone. By default, Windows clients will append their domain name to a host name when they try and query DNS. However, when other domains exist on the network, a host will not automatically append the names of the other domains to any DNS name resolution requests.

Tech Help—Just An E-Mail Away Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:[email protected]; the best questions get answered in this column and garner the questioner with a nifty MCPmag.com baseball-style cap. When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

For example, suppose a computer named bsod is a member of the domain mcpmag.com. If a user tried to connect to http://server1, the computer would query DNS for the IP address of bsod.mcpmag.com. If server1 was a member of redmondmag.com and thus no record for server1 existed in the mcpmag.com forward lookup zone on the DNS server, the client request would time out. At this point you could solve this problem the ugly way and just add an A record for server1 to the mcpmag.com forward lookup zone on the DNS server, but this is not recommended. I'm only mentioning this because I've seen it done in the field as a way to put out a name resolution fire. Each time I've run into this, the hairs on my neck stand on end. Well maybe I'm being a little dramatic here, but it does gnaw at my anal-retentive personality.

Now let's get away from the problem and start talking about the solution. First, each server should have an A record in each domain's forward lookup zone on the DNS server. Next, you need to configure the DNS suffix search order on each system on the network. This allows a host to try multiple fully qualified domain name combinations when it tries to resolve a name using DNS. For example, if the domain name redmondmag.com was added to bsod's DNS suffix search order, bsod would first attempt to resolve the host name server1 as server1.mcpmag.com. It would then query DNS for server1.redmondmag.com. Once it received a reply from DNS, bsod would then connect to server1.

You can configure the DNS suffix search order on a Windows system by following these steps:

1. Access the properties of the network interface you wish to configure.
2. Double-click on "Internet Protocol (TCP/IP)."
3. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
4. Click the DNS tab in the Advanced TCP/IP Settings dialog box.
5. Click the "Append these DNS suffixes (in order)" radio button.
6. Now click the Add button to add DNS suffixes to the connection.
7. In the TCP/IP Domain Suffix dialog box, enter the name of the first domain name to append to any DNS search (Example: mcpmag.com).
8. Repeat steps 6-7 for each additional domain.
9. When finished, click OK to close the Advanced TCP/IP Settings dialog box.
10. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
11. Click OK to close the network connection's Properties dialog box.
    

Now on a large network, you'd probably be insane if you tried to use the above procedures to manually configure the DNS suffix search order on each workstation. Microsoft seemed to think so to, and with Windows Server 2003 you can now configure DNS suffix search order with a GPO. If you create a new GPO or edit an existing GPO on a Windows 2003 domain controller, you'll see that you can set the DNS suffix search order by navigating to Computer Configuration | Administrative Templates | Network | DNS Client. Then double-click on the DNS Suffix Search List object. Once you click the Enabled radio button you'll be able to add domain names (separated by commas) to the DNS Suffixes field. If you need further help with this setting, click the Explain tab.

If you're not running a Windows 2003 domain, you could still change the DNS suffix search order via a VBScript. Microsoft has posted a sample script that works on Windows 98/NT/2000/XP/2003 at the TechNet Script Repository.

Finally, if you want to see the DNS query process from a DNS client that is configured to search for names across multiple domains, you can enable debug logging on the DNS server. To do this, follow these steps:

1. In the DNS MMC, right-click the DNS server object and select Properties.
2. Check the Log Packets for Debugging check box.
3. Leave all other default options checked and click OK. (No, you really don't need every default, but it's easier for me to document this way!)
   

Run nslookup on a DNS client and query a name of a server (by host name only) that is in the second domain in the DNS suffix search list. Then you can open the %systemroot%\system32\dns\dns.log file on the DNS server to see the query results. Following my earlier example, after configuring mcpmag.com first and redmondmag.com second in the DNS suffix search order of my Windows XP client, I then ran the command nslookup server1 and received the following response from the DNS server:

Name: server1.redmondmag.com
Address: 192.168.0.7

After receiving a response from the DNS, I then opened the dns.log file on the DNS server and scrolled the log file down toward the bottom (time of the query). Here are the results specific to my query:

13:09:09 704 PACKET UDP Rcv 192.168.0.120 0009 Q [0001 D NOERROR] (7)server1(6)mcpmag(3)com(0)

13:09:09 704 PACKET UDP Snd 192.168.0.120 0009 R Q [8385 A DR NXDOMAIN] (7)server1(6)mcpmag(3)com(0)

13:09:09 704 PACKET UDP Rcv 192.168.0.120 000a Q [0001 D NOERROR] (7)server1(10)redmondmag(3)com(0)

13:09:09 704 PACKET UDP Snd 192.168.0.120 000a R Q [8385 A DR NOERROR] (7)server1(10)redmondmag(3)com(0)

In the first line listed, the DNS client is requesting to resolve the name server1.mcpmag.com. In the second line, the server is responding to the client with NXDomain (non-existent domain). The client then requests to resolve server1.redmondmag.com (line 3) and the DNS server replies to the client with the correct A record. Since DNS logging is pretty verbose, I would only keep it enabled long enough to perform your test. After that I would disable it.

So, as you can see, properly configuring the DNS suffix search order can make a world of difference with name resolution on your network. Also, with a tuned DNS infrastructure, life without WINS is possible. Sometimes I think WINS is like crack. We were given it with Windows NT and many became addicted. In the end, you can break the addiction (some relapses are possible). If there was a 7 step program for WINS addiction, properly configuring DNS suffix search order would probably be the first step. I'll leave steps 2-7 up to your imagination.

[Chris Wolf has just released Virtualization: From the Desktop to the Enterprise (Apress) and also welcomes your virtualization questions for this column. —Editors]