Why is the DNS suffix, or even a DNS suffix search order, so important?

Discussion in 'DNS Server' started by Spin, Sep 28, 2005.

  1. Spin

    Spin Guest

    Why is a DNS suffix, or even a DNS suffix search order, so important? After
    all, even if you are a non-domain client (such as a visiting laptop into the
    network), then getting name resolution by simply pointing to an internal DNS
    server will work. Why do internal clients need a DNS suffix, or even a DNS
    suffix search order, when they are already pointed at a correct DNS server
    in their network adapter's TCP/IP properties? I can't get my head around
    this.
     
    Spin, Sep 28, 2005
    #1

  2. In
    The search suffix is used to devolve a name during resolution. If you are
    using Win2000 or newer, and you pinged by using just the computername, or
    NetBIOS name, such as "ping computer1", the client side resolver will first
    attempt to suffix your search suffix and will go through each one in the order
    listed until it runs out of suffixes or it resolves the name, then uses
    NetBIOS to resolve it. That's why the default search suffix is set to the
    Primary DNS Suffix of the machine. If the Primary DNS Suffix namespace
    starts under the 2nd level domain, such as child.domain.com, then you will
    have two search suffixes, domain.com and child.domain.com.

    If there are multiple child domains in the infrastructure, such as
    child.domain.com, child2.domain.com, child3.domain.com, etc, then by
    default the machine is under the domain name it is joined to (unless you
    uncheck the box to not suffix the machine with the domain name it is
    joining). Say if that domain name is child.domain.com, and you want it to be
    able to resolve resources in child2 and child3, then we can manually or by
    script, add the additional suffix in order for the client to properly resolve
    names in those other domains.

    So you can see its importance in an infrastructure where many people still
    use the NetBIOS naming convention to connect to shares and other resources such
    as printers. This includes Exchange/Outlook.

    Of course if you pinged using the FQDN, then the search suffix is never
    used.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    If this post is viewed at a non-Microsoft community website, and you were to
    respond to it through that community's website, I may not see your reply
    unless that website posts replies back to the original Microsoft forum.
    Therefore, please direct all replies ONLY to the Microsoft public newsgroup
    this thread originated in so all can benefit or ensure the web community
    posts it back to the original forum.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Microsoft Certified Trainer
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Sep 28, 2005
    #2

  3. Spin

    Spin Guest

    So the way I see it, the suffix is only important during short-name
    (non-fqdn) resolution. It has no meaning when you search by FQDN, and
    really doesn't have any meaning in a single domain environment either,
    correct?

     
    Spin, Sep 28, 2005
    #3
  4. In
    In a single domain environment, yes it does for proper NetBIOS name
    resolution in the environment. If not in an infrastructure, then it doesn't
    matter, like a workgroup without DNS on a single subnet, or at home.

    btw- It's really not called the short-name, but rather the NetBIOS name.

    Ace
     
    Ace Fekay [MVP], Sep 28, 2005
    #4
  5. Spin

    Spin Guest

    Oh I think I get it now. Even in a single domain environment, it's still
    very important (especially without WINS), b/c say, for example, you're
    looking for computer1. Well, given that the only name resolution system is
    DNS, and your OS is pointed at the local internal DNS server as it should
    be, the DNS will be confused by the non-FQDN query of computer1. It won't
    know what zone to look in because the client didn't append that in its
    query. But if the default suffix is the domain name, then the DNS server
    obviously looks in the domain name zone for computer1. It will then look in
    the appropriate other zones if the client DNS resolver appends any
    additional suffixes, based on the suffix search order. Do I have this right,
    Ace?

     
    Spin, Sep 28, 2005
    #5
  6. Spin

    Todd J Heron Guest

    Yes, you got that right.

    Somewhere in the world a Unix admin is laughing and thinking to himself,
    "See! Windows networks can't run without WINS!"

    I didn't make that up. Chris Wolfe did, who is an MS MVP for Windows
    Server-File System and who just wrote an excellent article entitled
    "Windows Server-File System: DNS Suffix Struggle". In this answer I'm
    quoting from his article including that catchy sentence above. See here.

    http://mcpmag.com/columns/article.asp?editorialsid=1109#post

    Since DNS resolves fully qualified domain names to IP addresses,
    the DNS server wasn't much help when users and scripts tried to
    connect to file servers or the Web server by host name alone.
    By default, Windows clients will append their domain name to a
    host name when they try and query DNS. However, when other
    domains exist on the network, a host will not automatically
    append the names of the other domains to any DNS name
    resolution requests.

    For example, suppose a computer named bsod is a member of the
    domain mcpmag.com. If a user tried to connect to http://server1,
    the computer would query DNS for the IP address of bsod.mcpmag.com.
    If server1 was a member of redmondmag.com and thus no record for
    server1 existed in the mcpmag.com forward lookup zone on the DNS
    server, the client request would time out. At this point you
    could solve this problem the ugly way and just add an A record
    for server1 to the mcpmag.com forward lookup zone on the DNS
    server, but this is not recommended. I'm only mentioning this
    because I've seen it done in the field as a way to put out a
    name resolution fire. Each time I've run into this, the hairs on
    my neck stand on end. Well maybe I'm being a little dramatic
    here, but it does gnaw at my anal-retentive personality.

    Now let's get away from the problem and start talking about
    the solution. First, each server should have an A record in
    each domain's forward lookup zone on the DNS server. Next, you
    need to configure the DNS suffix search order on each system
    on the network. This allows a host to try multiple fully
    qualified domain name combinations when it tries to resolve a
    name using DNS. For example, if the domain name redmondmag.com
    was added to bsod's DNS suffix search order, bsod would first
    attempt to resolve the host name server1 as server1.mcpmag.com.
    It would then query DNS for server1.redmondmag.com. Once it
    received a reply from DNS, bsod would then connect to server1.

    You can configure the DNS suffix search order on a Windows
    system by following these steps:

    1. Access the properties of the network interface
    you wish to configure.
    2. Double-click on "Internet Protocol (TCP/IP)."
    3. In the Internet Protocol (TCP/IP) Properties
    dialog box, click the Advanced button.
    4. Click the DNS tab in the Advanced TCP/IP
    Settings dialog box.
    5. Click the "Append these DNS suffixes (in
    order)" radio button.
    6. Now click the Add button to add DNS suffixes
    to the connection.
    7. In the TCP/IP Domain Suffix dialog box, enter
    the name of the first domain name to append to
    any DNS search (Example: mcpmag.com).
    8. Repeat steps 6-7 for each additional domain.
    9. When finished, click OK to close the Advanced
    TCP/IP Settings dialog box.
    10. Click OK to close the Internet Protocol
    (TCP/IP) Properties dialog box.
    11. Click OK to close the network connection's
    Properties dialog box.

    Now on a large network, you'd probably be insane if you tried
    to use the above procedures to manually configure the DNS
    suffix search order on each workstation. Microsoft seemed to
    think so too, and with Windows Server 2003 you can now
    configure DNS suffix search order with a GPO. If you create a
    new GPO or edit an existing GPO on a Windows 2003 domain
    controller, you'll see that you can set the DNS suffix search
    order by navigating to Computer Configuration | Administrative
    Templates | Network | DNS Client. Then double-click on the
    DNS Suffix Search List object. Once you click the Enabled
    radio button you'll be able to add domain names (separated by
    commas) to the DNS Suffixes field. If you need further help
    with this setting, click the Explain tab.

    If you're not running a Windows 2003 domain, you could still
    change the DNS suffix search order via a VBScript. Microsoft
    has posted a sample script that works on Windows 98/NT/2000/XP/2003
    at the TechNet Script Repository.

    Finally, if you want to see the DNS query process from a DNS
    client that is configured to search for names across multiple
    domains, you can enable debug logging on the DNS server. To
    do this, follow these steps:

    1. In the DNS MMC, right-click the DNS server
    object and select Properties.
    2. Check the Log Packets for Debugging checkbox.
    3. Leave all other default options checked and
    click OK. (No, you really don't need every
    default, but it's easier for me to document
    this way!)

    Run nslookup on a DNS client and query a name of a server (by
    host name only) that is in the second domain in the DNS suffix
    search list. Then you can open the %systemroot%\system32\dns\dns.log
    file on the DNS server to see the query results. Following
    my earlier example, after configuring mcpmag.com first and
    redmondmag.com second in the DNS suffix search order of my
    Windows XP client, I then ran the command nslookup server1 and
    received the following response from the DNS server:

    Name: server1.redmondmag.com
    Address: 192.168.0.7

    After receiving a response from the DNS, I then opened the
    dns.log file on the DNS server and scrolled the log file down
    toward the bottom (time of the query). Here are the results
    specific to my query:

    13:09:09 704 PACKET UDP Rcv 192.168.0.120 0009 Q [0001 D NOERROR] (7)server1(6)mcpmag(3)com(0)

    13:09:09 704 PACKET UDP Snd 192.168.0.120 0009 R Q [8385 A DR NXDOMAIN] (7)server1(6)mcpmag(3)com(0)

    13:09:09 704 PACKET UDP Rcv 192.168.0.120 000a Q [0001 D NOERROR] (7)server1(10)redmondmag(3)com(0)

    13:09:09 704 PACKET UDP Snd 192.168.0.120 000a R Q [8385 A DR NOERROR] (7)server1(10)redmondmag(3)com(0)

    In the first line listed, the DNS client is requesting to
    resolve the name server1.mcpmag.com. In the second line, the
    server is responding to the client with NXDomain (non-existent
    domain). The client then requests to resolve
    server1.redmondmag.com (line 3) and the DNS server replies to the
    client with the correct A record. Since DNS logging is pretty
    verbose, I would only keep it enabled long enough to perform
    your test. After that I would disable it.

    So, as you can see, properly configuring the DNS suffix search
    order can make a world of difference with name resolution on
    your network. Also, with a tuned DNS infrastructure, life
    without WINS is possible. Sometimes I think WINS is like
    crack. We were given it with Windows NT and many became
    addicted. In the end, you can break the addiction (some
    relapses are possible). If there was a 7 step program for
    WINS addiction, properly configuring DNS suffix search order
    would probably be the first step. I'll leave steps 2-7 up
    to your imagination.

    --
    Todd J Heron, MCSE
    Windows Server 2003/2000/NT; CCA
    ----------------------------------------------------------------------------
    This posting is provided "as is" with no warranties and confers no rights

     
    Todd J Heron, Sep 28, 2005
    #6
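The suffix walk Ace describes in #2 and the dns.log excerpt quoted in #6, as an added example that is not part of this thread or of the quoted article: a short Python script that decodes the label-length names in the log format shown above, pairs each received query with the server's response by transaction ID, and checks that the observed sequence matches the candidate FQDNs the suffix search list should produce. The log lines are a constructed sample in that format, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the dns.log packet-logging format quoted in the thread
# (two query/response pairs, not a real capture).
SAMPLE_LOG = """\
13:09:09 704 PACKET UDP Rcv 192.168.0.120 0009 Q [0001 D NOERROR] (7)server1(6)mcpmag(3)com(0)
13:09:09 704 PACKET UDP Snd 192.168.0.120 0009 R Q [8385 A DR NXDOMAIN] (7)server1(6)mcpmag(3)com(0)
13:09:09 704 PACKET UDP Rcv 192.168.0.120 000a Q [0001 D NOERROR] (7)server1(10)redmondmag(3)com(0)
13:09:09 704 PACKET UDP Snd 192.168.0.120 000a R Q [8385 A DR NOERROR] (7)server1(10)redmondmag(3)com(0)
"""

# One log line: time, thread id, direction, client IP, transaction id, flags, bracketed header, name.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \w+ PACKET UDP (?P<dir>Rcv|Snd) (?P<client>\S+) "
    r"(?P<xid>[0-9a-f]{4}) (?P<flags>R? ?Q) \[(?P<inner>[^\]]*)\] (?P<name>\S+)$"
)


def decode_name(label_form: str) -> str:
    """Turn the wire-style '(7)server1(6)mcpmag(3)com(0)' into 'server1.mcpmag.com'."""
    parts = []
    for length, text in re.findall(r"\((\d+)\)([^(]*)", label_form):
        if int(length) == 0:          # root label terminates the name
            break
        if len(text) != int(length):  # corrupted or truncated log line
            raise ValueError(f"label length mismatch in {label_form!r}")
        parts.append(text)
    return ".".join(parts)


def candidate_fqdns(short_name: str, search_list: List[str]) -> List[str]:
    """Order in which the client resolver tries a single-label name, per the thread."""
    return [f"{short_name}.{suffix}" for suffix in search_list]


def parse_suffix_walk(log_text: str) -> List[Tuple[str, str]]:
    """Pair each Rcv query with its Snd response by transaction id; return (fqdn, rcode)."""
    pending: Dict[str, str] = {}
    walk: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        xid, fqdn = m.group("xid"), decode_name(m.group("name"))
        if m.group("dir") == "Rcv":
            pending[xid] = fqdn
        elif xid in pending:
            rcode = m.group("inner").split()[-1]   # NOERROR, NXDOMAIN, ...
            walk.append((pending.pop(xid), rcode))
    return walk
```

Run `parse_suffix_walk(SAMPLE_LOG)` against a real dns.log slice to confirm that a client walks the suffixes in the configured order and that only the last candidate answers NOERROR.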
  7. In
    <snip>

    Nice article.
    :)

    Ace
     
    Ace Fekay [MVP], Sep 28, 2005
    #7
