New group policies for DNS in Windows Server 2003 (294785)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

This article was previously published under Q294785

SUMMARY

Windows Server 2003 addresses the problem of centrally managing DNS client settings by introducing group policies that configure the DNS Client service. For example, the following parameters can be controlled by policy in Windows Server 2003:
  • Enable or disable dynamic registration of DNS records by a client
  • Configure the DNS suffix search list of the clients
  • Devolution of the primary DNS suffix in the name resolution process
  • The DNS servers that clients query

MORE INFORMATION

These group policies are at the following location:

Computer Configuration/Administrative Templates/Network/DNS Client

Group policy always supersedes both the local configuration and the DHCP-supplied configuration. The only exception is the Dynamic Update policy: if the REG_DWORD value DoNotUseGroupPolicyForDisableDynamicUpdate is set under the following registry key, the locally configured dynamic DNS registration setting is used instead of the policy:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

If this value exists and is set to 0x1, the DNS Client service does not use the group policy value for dynamic update; it uses the locally configured value instead. If DoNotUseGroupPolicyForDisableDynamicUpdate does not exist or is set to 0x0, the value specified by group policy is used. Because a local administrator can set this value, a centrally configured Dynamic Update policy is only enforced on computers where the value is absent or 0x0, so it is worth checking when you audit clients.
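The following PowerShell function applies the precedence rule above to the registry of the computer it runs on and reports which source decided whether dynamic DNS registration is in effect. It is an added example, not code from this article or from Microsoft. The value names RegistrationEnabled (the Dynamic Update policy) and DisableDynamicUpdate (the local setting) are assumptions taken from the DNS Client policy template and the TCP/IP parameters key; the article itself names only DoNotUseGroupPolicyForDisableDynamicUpdate.

```powershell
# Added example (not from the article): decide whether dynamic DNS registration is in
# effect on this computer by applying the article's precedence rule. Value names
# RegistrationEnabled and DisableDynamicUpdate are assumptions taken from the DNS Client
# policy template and the TCP/IP parameters key.
function Get-EffectiveDynamicUpdate {
    param(
        [string] $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
        [string] $TcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    )

    # Read a REG_DWORD; $null means the value (or the whole key) is absent.
    function Read-Dword([string] $Path, [string] $Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $policy   = Read-Dword $PolicyKey 'RegistrationEnabled'                        # Dynamic Update policy: 1, 0, or absent
    $optOut   = Read-Dword $TcpipKey  'DoNotUseGroupPolicyForDisableDynamicUpdate'  # the exception described in the article
    $localOff = Read-Dword $TcpipKey  'DisableDynamicUpdate'                        # local setting: 1 disables registration
    $localEnabled = ($localOff -ne 1)

    if ($optOut -eq 1) {
        # The opt-out value wins over the policy, whatever the policy says.
        $enabled = $localEnabled
        $source  = 'local configuration (DoNotUseGroupPolicyForDisableDynamicUpdate = 1)'
    } elseif ($null -ne $policy) {
        $enabled = ($policy -eq 1)
        $source  = 'group policy'
    } else {
        $enabled = $localEnabled
        $source  = 'local configuration (policy not configured)'
    }

    [pscustomobject]@{
        RegistrationEnabledPolicy = $policy
        DoNotUseGroupPolicyOptOut = $optOut
        DisableDynamicUpdateLocal = $localOff
        Effective                 = $(if ($enabled) { 'enabled' } else { 'disabled' })
        DecidedBy                 = $source
    }
}

Get-EffectiveDynamicUpdate | Format-List
```

Reading HKLM does not require elevation. When you run this across a fleet, the combination to look for is a Dynamic Update policy set to Disable together with DoNotUseGroupPolicyForDisableDynamicUpdate = 1: on that computer the local setting, not the policy, decides whether records are registered.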

Policy Descriptions

This section describes each setting's function, the registry key that is modified on the client, and the valid values for the policy and the registry value. These values are stored on the client in the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

Primary DNS Suffix

This setting specifies the primary DNS suffix for all affected computers. The primary DNS suffix is used in DNS name registration and DNS name resolution. This setting specifies a primary DNS suffix for a group of computers, and prevents users, including administrators, from changing it.

If this setting is disabled or not configured, each computer uses its local primary DNS suffix, which is usually the DNS name of the Active Directory domain that it is joined to. In that case administrators can use the System tool in Control Panel to change the primary DNS suffix of a computer.

To use this setting, type the entire primary DNS suffix that you want to assign in the text box that is provided (for example, microsoft.com). This setting does not disable the DNS Suffix and NetBIOS Computer Name dialog box that administrators use to change the primary DNS suffix of a computer. However, if an administrator enters a suffix, that suffix is ignored while this setting is enabled.

IMPORTANT: For changes to this setting to be applied, you must restart all computers that are affected by the setting.

TIP: To change the primary DNS suffix of a computer without setting a policy, click System in Control Panel, click the Computer Name tab, click Change, click More, and then type a suffix in the Primary DNS suffix of this computer box.

Dynamic Update

This setting determines if dynamic update is enabled. Computers that are configured for dynamic update automatically register and update their DNS resource records with a DNS server.

If you enable this setting, the computers to which it is applied may use dynamic DNS registration on each of their network connections, depending on the configuration of each individual connection. For dynamic DNS registration to occur on a specific connection, both the computer-wide configuration and the connection-specific configuration must allow it.

The Dynamic Update setting controls the computer-wide property. If you enable this setting, dynamic update can be set individually for each network connection. If you disable it, the affected computers do not use dynamic DNS registration on any of their network connections, regardless of the connection-specific configuration. If this setting is not configured, it is not applied to any computers and computers use their local configuration.

This policy may have two values: 0x0 and 0x1. If the policy is set to Enable (to enable dynamic update), the value is set to 0x1. If policy is set to Disable, the value is set to 0x0.

DNS Suffix Search List

This setting determines which DNS suffixes to attach to an unqualified single-label name before you submit a DNS query for that name. An unqualified single-label name contains no dots, for example "example". This name is different from a fully qualified domain name (FQDN), for example "example.microsoft.com".

When this setting is enabled and a user submits a query for a single-label name such as "example", the local DNS client attaches a suffix such as "microsoft.com", so the query becomes "example.microsoft.com" before it is sent to a DNS server.

If you enable the DNS Suffix Search List setting, you specify the DNS suffixes to attach before the query for an unqualified single-label name is submitted. The suffixes are given as a comma-separated string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com". One DNS suffix is attached for each submission of a query. If a query is unsuccessful, the next DNS suffix is attached in place of the failed one and a new query is submitted. The suffixes are used in the order in which they appear in the string, from left to right.

If you enable this setting, you must specify at least one suffix. If you disable this setting, the primary DNS suffix and the connection-specific DNS suffixes are appended to unqualified queries instead. If this setting is not configured, it is not applied to any computers and computers use their local configuration.

The value of this policy is the comma-separated string of DNS suffixes. Do not put spaces between the comma-separated suffixes; if you add spaces, only the first DNS suffix is applied.

Primary DNS Suffix Devolution

This setting determines whether the DNS client performs primary DNS suffix devolution in a name resolution process. When a user submits a query for a single-label name, such as "example", a local DNS client attaches a suffix, such as "microsoft.com". As a result, the query is changed to "example.microsoft.com" before the query is sent to a DNS server.

If a DNS suffix search list is not specified, then the DNS client attaches the primary DNS suffix to a single-label name, and, if this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, then the client devolves the primary DNS suffix of the computer (it drops the left label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and then submits this new query to a DNS server.

For example, if the primary DNS suffix "ooo.aaa.microsoft.com" is attached to the non-dot-terminated single-label name "example" and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the left label) and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further and the query "example.microsoft.com" is submitted. The primary DNS suffix is not devolved further because "microsoft.com" has only two labels; the primary DNS suffix cannot be devolved to fewer than two labels.

If this setting is enabled, DNS clients on the computers to which it is applied attempt to resolve names formed by concatenating the single-label name with the devolved primary DNS suffix. If this setting is disabled, those DNS clients do not attempt to resolve such names. If this setting is not configured, it is not applied to any computers and computers use their local configuration. This policy may have two values: 0x0 and 0x1. If the policy is set to Enable (to enable devolution), the value is set to 0x1. If the policy is set to Disable, the value is set to 0x0.
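The function below models the suffix-append order described in the DNS Suffix Search List and Primary DNS Suffix Devolution sections: it returns the ordered list of fully qualified names a client would try for a single-label name, with the two-label floor on devolution and with a configured search list taking the place of the primary and connection-specific suffixes. It is an added example, not the resolver's code or anything from this article; the function name and its parameters are this example's own, and the suffixes in the usage calls are constructed.

```powershell
# Added example (not from the article): build the ordered list of names a DNS client
# would try for a single-label name under the rules described in this article.
# The function and its parameters are this example's own; it models the behaviour,
# it is not the resolver's code.
function Get-DnsQueryCandidates {
    param(
        [Parameter(Mandatory)] [string] $Name,        # unqualified single-label name, e.g. "example"
        [string]   $PrimarySuffix      = '',           # primary DNS suffix, e.g. "ooo.aaa.microsoft.com"
        [string[]] $ConnectionSuffixes = @(),          # connection-specific DNS suffixes
        [string]   $SearchList         = '',           # DNS Suffix Search List policy value (comma-separated, no spaces)
        [bool]     $Devolution         = $true         # Primary DNS Suffix Devolution policy
    )

    # The rules in this article apply to single-label names only; a dotted name is returned as given.
    if ($Name -match '\.') { return ,$Name }

    $candidates = New-Object System.Collections.Generic.List[string]

    if ($SearchList -ne '') {
        # A configured search list replaces the primary/connection suffixes and devolution:
        # each listed suffix is tried in order, left to right.
        foreach ($suffix in $SearchList.Split(',')) {
            if ($suffix -match '\s') {
                throw "Search list entry '$suffix' contains whitespace; the policy would apply only the first suffix."
            }
            $candidates.Add("$Name.$suffix")
        }
        return ,$candidates
    }

    # No search list: primary suffix first, then each connection-specific suffix.
    if ($PrimarySuffix -ne '') { $candidates.Add("$Name.$PrimarySuffix") }
    foreach ($suffix in $ConnectionSuffixes) {
        if ($suffix -ne '' -and -not $candidates.Contains("$Name.$suffix")) { $candidates.Add("$Name.$suffix") }
    }

    if ($Devolution -and $PrimarySuffix -ne '') {
        # Devolution: drop the leftmost label of the primary suffix until two labels remain.
        $labels = $PrimarySuffix.Split('.')
        while ($labels.Count -gt 2) {
            $labels = $labels[1..($labels.Count - 1)]
            $candidates.Add("$Name.$($labels -join '.')")
        }
    }
    return ,$candidates
}

# The article's devolution example, plus one constructed connection-specific suffix and no search list.
Get-DnsQueryCandidates -Name 'example' -PrimarySuffix 'ooo.aaa.microsoft.com' -ConnectionSuffixes @('vpn.aaa.microsoft.com')

# With a search list configured, only the listed suffixes are tried and no devolution occurs.
Get-DnsQueryCandidates -Name 'example' -PrimarySuffix 'ooo.aaa.microsoft.com' -SearchList 'microsoft.com,office.microsoft.com'
```

The first call yields, in order, example.ooo.aaa.microsoft.com, example.vpn.aaa.microsoft.com, example.aaa.microsoft.com and example.microsoft.com; the second yields only example.microsoft.com and example.office.microsoft.com. The two-label floor is worth noting from a security standpoint: a primary suffix such as corp.example.co.uk devolves to example.co.uk and then to co.uk, so queries for internal single-label names are sent for names outside the organization's namespace. Configuring an explicit DNS Suffix Search List avoids this, because no devolution is performed when a search list is in effect.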

Register PTR Records

This setting determines whether the registration of PTR resource records is enabled for the computers to which this policy is applied. By default, DNS clients that are configured to perform dynamic DNS registration attempt PTR resource record registration only if they successfully registered the corresponding "A" resource record. "A" resource records map a host DNS name to the host IP address and PTR resource records map the host IP address to the host DNS name.

To enable this policy, click Enable, and then click one of the following values:
  • Do not register: When you use this value, computers never attempt PTR resource records registration.
  • Register: When you use this value, computers attempt PTR resource records registration regardless of the success of the A records registration.
  • Register only if A record registration succeeds: When you use this value, computers attempt PTR resource records registration only if they successfully registered the corresponding A resource records.
If this policy is not configured, it is not applied to any computers and computers use their local configuration. The registry value for this policy records which of the three options above is selected; unlike the Enable/Disable policies in this article it is not a simple 0x0/0x1 switch.

Registration Refresh Interval

This setting specifies the registration refresh interval of A and PTR resource records for the computers to which it is applied, and it applies only to computers that use dynamic update. Computers running Windows 2000 and later that are configured to perform dynamic DNS registration of A and PTR records periodically reregister their records with DNS servers, even if the record data has not changed. This reregistration tells DNS servers that are configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.

WARNING: If the DNS resource records are registered in zones that have scavenging enabled, the value of this setting must never be longer than the refresh interval that is configured for those zones. If you set the registration refresh interval to a value that is longer than the refresh interval of the DNS zones, some A and PTR resource records may be automatically deleted.

To specify the registration refresh interval, click Enable, and then type a value of at least 1800. The value is in seconds; for example, 1800 seconds is 30 minutes.

If this setting is not configured, it is not applied to any computers and computers use their local configuration. This policy may have any value greater than or equal to 1800 seconds.

Replace Addresses in Conflicts

This setting determines whether a DNS client that attempts to register its A resource record should overwrite existing A resource records that contain conflicting IP addresses. This setting is designed for computers that register A resource records in DNS zones that do not support Secure Dynamic Update. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.

During dynamic update of a zone that does not use Secure Dynamic Update, a DNS client may discover that an existing A resource record associates the client's host DNS name with an IP address of a different computer. According to the default configuration, the DNS client attempts to replace the existing A resource record with an A resource record that associates the DNS name with the client's IP address.

If you enable the Replace Addresses in Conflicts setting, DNS clients attempt to replace conflicting A resource records during dynamic update. If you disable this setting, the DNS client still performs the dynamic update of A resource records, but if the DNS client attempts to update A resource records that contain conflicts, this attempt fails and an error message is logged in the Event Viewer log. If this setting is not configured, then it is not applied to any computers and computers use their local configuration.

This policy may have two values: 0x0 and 0x1. If the policy is set to Enable (to replace conflicting A records), the value is set to 0x1. If the policy is set to Disable, the value is set to 0x0.

DNS Servers

This setting defines the DNS servers to which a computer sends queries when it attempts to resolve names.

WARNING: The list of the DNS servers that are defined in this setting supersedes DNS servers that are configured locally and those that are configured using DHCP. The list of DNS servers is applied to all network connections of multihomed computers to which this setting is applied.

To use this setting, click Enable, and then type a space-delimited list of IP addresses (in dotted decimal format) in the available box. If you enable this setting, you must enter at least one IP address.

If this setting is not configured, then it is not applied to any computers and computers use their local or DHCP-configured parameters. Valid values are a space-delimited list of dotted decimal IP addresses. The list must contain at least one IP address.

Connection-Specific DNS Suffix

This setting specifies a connection-specific DNS suffix. This setting supersedes the connection-specific DNS suffixes that are set on the computers to which this setting is applied, those that are configured locally and those that are configured using DHCP.

WARNING: A connection-specific DNS suffix that is specified in this setting is applied to all the network connections used by multihomed computers to which this setting is applied.

To use this setting, click Enable, and then type the DNS suffix in the available box. If this setting is not configured, it is not applied to any computers and computers use their local or DHCP-configured parameters. Valid value: a string containing the connection-specific DNS suffix.

Register DNS Records with Connection-Specific DNS Suffix

This setting determines if a computer that is performing dynamic registration may register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.

WARNING: When you enable this group setting, it is applied to all the network connections of multihomed computers to which this setting is applied.

By default, a DNS client that is performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a concatenation of a computer name, such as "mycomputer", and the primary DNS suffix, such as "microsoft.com", results in "mycomputer.microsoft.com".

If you enable this setting, the computer registers A and PTR resource records with its connection-specific DNS suffix in addition to registering them with the primary DNS suffix. For example, the computer name "mycomputer" and the connection-specific DNS suffix "VPNconnection" produce the registered name "mycomputer.VPNconnection". If dynamic DNS registration is disabled on a computer to which this setting is applied, the computer does not attempt to register A and PTR records that contain its connection-specific DNS suffix, regardless of this setting. Likewise, if dynamic DNS registration is disabled on a specific network connection of such a computer, the computer does not attempt that registration on that connection, regardless of this setting.

If this setting is disabled, a DNS client does not register A and PTR resource records with its connection-specific DNS suffix. If this setting is not configured, then it is not applied to any computers and computers use their local configuration.

If the policy is set to Enable (to register names with a connection-specific DNS suffix), the value is set to 0x1. If the policy is set to Disable, the value is set to 0x0.

TTL Set in the A and PTR Records

This setting specifies the value for the Time-To-Live (TTL) field in A and PTR resource records that are registered by the computers to which this setting is applied.

To specify the TTL, click Enable, and then type a value in seconds (for example, the value 900 is 15 minutes).
  • Minimum value: 0
  • Maximum value: 4294966296
  • Default value: 600
If this setting is not configured, it is not applied to any computers and computers use their local configuration.

Update Security Level

This setting specifies whether the computers to which this setting is applied use secure dynamic update or standard dynamic update for registration of DNS records.

Note: This client-side setting is independent of the dynamic update setting on the authoritative DNS server. It matters only when clients register their records in an Active Directory-integrated zone that accepts both nonsecure and secure updates; a zone configured for secure updates only refuses nonsecure updates regardless of this setting.

To enable this setting, click Enable, and then click one of the following values:
  • Unsecure followed by secure: If you choose this option, computers send secure dynamic updates only when non-secure dynamic updates are refused.
  • Only Unsecure: If you choose this option, computers send only non-secure dynamic updates
  • Only Secure: If you choose this option, computers send only secure dynamic updates
If the Update Security Level setting is not configured, it is not applied to any computers and computers use their local configuration. Only Secure is the hardened choice: with Unsecure followed by secure, an unauthenticated update is sent first and is accepted by any zone that allows nonsecure updates. The registry value stores one of the following:
  • OnlySecure: 256
  • OnlyUnsecure: 16
  • UnsecureFollowedBySecure: 0

Update Top Level Domain Zones

This setting specifies whether the computers to which this policy is applied may send dynamic updates to the zones named with a single-label name, also known as "top level domain" zones, for example "com".

By default, a DNS client that is configured to perform dynamic DNS update sends dynamic updates to the DNS zones that are authoritative for its DNS resource records, unless the authoritative zone is a top level domain zone or the root zone.

If this policy is enabled, computers to which this policy is applied send dynamic updates to any zone authoritative for the resource records that the computer needs to update, except the root zone.

If this policy is disabled, computers to which this policy is applied do not send dynamic updates to the root or top level domain zones authoritative for the resource records that the computer needs to update.

If this policy is not configured then it is not applied to any computers and computers use their local configuration.

This policy may have two values: 0x0 and 0x1. If policy is set to Enable, the value is set to 0x1. If policy is set to Disable, the value is set to 0x0.
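To tie the individual policies together, the following audit flags the settings described above that weaken dynamic-update safety: an Update Security Level other than Only Secure, Replace Addresses in Conflicts enabled, Update Top Level Domain Zones enabled, and a Registration Refresh Interval below the 1800-second minimum or longer than the scavenging refresh interval of the zones that clients register into. It is an added example, not code from this article or from Microsoft. The registry value names (UpdateSecurityLevel, RegistrationOverwritesInConflict, UpdateTopLevelDomainZones, RegistrationRefreshInterval) are assumptions taken from the DNS Client policy template, since the article describes each policy without printing its value name; the zone refresh interval is a parameter you supply from your zone configuration, and the sample hashtable is constructed.

```powershell
# Added example (not from the article): flag DNS Client policy settings that weaken
# dynamic-update safety according to the behaviour described in this article.
# Value names are assumptions taken from the DNS Client policy template; the
# scavenging refresh interval of the target zones is supplied by the caller.
function Test-DnsClientPolicyHardening {
    param(
        [hashtable] $Values,                          # value name -> data, as read from the policy key
        [int]       $ZoneRefreshIntervalSeconds = 0   # scavenging refresh interval of the zones clients register into
    )
    $findings = New-Object System.Collections.Generic.List[string]

    $level = $Values['UpdateSecurityLevel']
    if ($null -eq $level) {
        $findings.Add('UpdateSecurityLevel not configured: computers use their local configuration')
    } elseif ($level -eq 16) {
        $findings.Add('UpdateSecurityLevel=16 (OnlyUnsecure): records are registered without authentication')
    } elseif ($level -eq 0) {
        $findings.Add('UpdateSecurityLevel=0 (UnsecureFollowedBySecure): an unauthenticated update is attempted first')
    } elseif ($level -ne 256) {
        $findings.Add("UpdateSecurityLevel=$level is not one of 0, 16, 256")
    }

    if ($Values['RegistrationOverwritesInConflict'] -eq 1) {
        $findings.Add('Replace Addresses in Conflicts enabled: in zones without secure update a client overwrites A records owned by other hosts')
    }
    if ($Values['UpdateTopLevelDomainZones'] -eq 1) {
        $findings.Add('Update Top Level Domain Zones enabled: clients may send dynamic updates to single-label zones such as "com"')
    }

    $refresh = $Values['RegistrationRefreshInterval']
    if ($null -ne $refresh) {
        if ($refresh -lt 1800) {
            $findings.Add("RegistrationRefreshInterval=$refresh is below the 1800-second minimum")
        }
        if ($ZoneRefreshIntervalSeconds -gt 0 -and $refresh -gt $ZoneRefreshIntervalSeconds) {
            $findings.Add("RegistrationRefreshInterval=$refresh exceeds the zone refresh interval of $ZoneRefreshIntervalSeconds seconds: records may be scavenged")
        }
    }
    return ,$findings
}

# Read the values this check uses from the live policy key (empty hashtable if the key is absent).
function Read-DnsClientPolicyValues {
    param([string] $Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient')
    $values = @{}
    $names  = @('UpdateSecurityLevel', 'RegistrationOverwritesInConflict', 'UpdateTopLevelDomainZones', 'RegistrationRefreshInterval')
    $item   = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $names) {
            if ($null -ne $item.$name) { $values[$name] = $item.$name }
        }
    }
    return $values
}

# Constructed sample standing in for a weakly configured client (not a real capture):
# unsecure-first updates, conflict replacement on, and a 14-day refresh against 7-day zone scavenging.
$sample = @{ UpdateSecurityLevel = 0; RegistrationOverwritesInConflict = 1; RegistrationRefreshInterval = 1209600 }
Test-DnsClientPolicyHardening -Values $sample -ZoneRefreshIntervalSeconds 604800

# Live check against this computer's policy key:
Test-DnsClientPolicyHardening -Values (Read-DnsClientPolicyValues) -ZoneRefreshIntervalSeconds 604800
```

The constructed sample produces three findings (the security level, the conflict replacement and the refresh interval). The zone refresh interval is deliberately a parameter rather than something the script discovers, because the check has to be run against the scavenging settings of the zones the clients actually register into, which the client's own registry does not record.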

Modification Type: Minor
Last Reviewed: 8/24/2006
Keywords: kbdownload kbenv kbinfo KB294785