How DNS devolution works in Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 change how the DNS client devolves names: by default the client now stops at the forest root domain instead of walking all the way down to a two-label domain. That keeps single-label lookups inside the DNS namespace you control (the security improvement) while still letting users reach resources in parent domains without typing a fully qualified name.

Domain Name System (DNS) devolution is a feature in Windows Server 2008 R2 that makes it easier for DNS clients to locate network resources. To understand DNS devolution, think about how the name resolution process works in a normal Windows environment.

For example, let’s pretend that I have a domain named Domain1.com and a server within that domain named Server1.Domain1.com. If I want to map a drive letter to a share located on Server1.Domain1.com, I don’t have to provide the server’s fully qualified domain name (FQDN). Instead, I can just specify the host name followed by the share name (\\Server1\Share). The DNS client resolver on my computer appends its primary DNS suffix (Domain1.com) to form the FQDN Server1.Domain1.com before sending the query; the DNS server itself only ever sees fully qualified names.

This works because the Windows DNS client qualifies single-label names itself before it asks a DNS server. When a host name is specified, Windows first performs a quick check to make sure that the host name does not match the local host name. Assuming the names do not match, Windows checks the DNS resolver cache (which also holds the contents of the hosts file) and, if necessary, sends a DNS Name Query Request for the name with the primary DNS suffix appended. If DNS cannot resolve the name, the client falls back to other methods such as LLMNR and NetBIOS over TCP/IP (which is usually still enabled on Windows networks), but for our purposes the DNS Name Query Request is of primary interest.

The DNS Name Query Request method of resolving host names works well if the host’s record lives under the same DNS suffix as the computer making the request. The process breaks down, however, when the requested host is registered in a parent domain, for example a client in a child domain looking for a server registered in the forest root domain. This is where DNS devolution comes into play.

DNS devolution allows clients to query parent DNS namespaces without the user explicitly typing the parent domain name. For instance, imagine that I am using a computer with a FQDN of Computer1.Lab.IT.Domain1.com, so its primary DNS suffix is Lab.IT.Domain1.com. A DNS Name Query Request that appends only the primary DNS suffix would search the Lab.IT.Domain1.com namespace. With devolution, the client strips one label at a time from the left of its primary DNS suffix and retries, so the following suffixes are appended in turn as necessary:

  1. Lab.IT.Domain1.com
  2. IT.Domain1.com
  3. Domain1.com

Requirements for using DNS devolution
Even though DNS devolution is fairly simple, there are a few caveats to using it. For starters, DNS devolution requires that the Append parent suffixes of the primary DNS suffix check box be selected. It is located on the DNS tab of the Advanced TCP/IP Settings dialog box on the client computer, as shown in Figure 1, and it is selected by default on Windows 7 clients. Clearing it means only the primary DNS suffix itself is ever appended.

Figure 1. The Append parent suffixes of the primary DNS suffix check box must be selected to use DNS devolution.

Note also that a DNS suffix search list takes precedence over devolution. If a search list is configured, whether through the DNS Suffix Search List Group Policy setting or manually on the client, the resolver appends only the listed suffixes in order; neither the primary DNS suffix nor its devolved parents are tried.

Configuring DNS devolution
The primary mechanism for configuring DNS devolution is the Group Policy Editor. There are two policy settings of interest and both are located at Computer Configuration \ Policies \ Administrative Templates \ Network \ DNS Client.

The first setting, shown in Figure 2, is the Primary DNS Suffix Devolution setting. This is the setting that enables and disables DNS devolution. When it is Enabled or Disabled it overrides the client’s check box; when it is Not Configured, the Append parent suffixes of the primary DNS suffix check box on each client decides.

Figure 2: DNS devolution is controlled by Group Policy settings.

The other setting you need to know about is the Primary DNS Suffix Devolution Level setting. It controls how far up the namespace devolution may go, expressed as the number of labels in the shortest suffix the client is allowed to append. Earlier, I used a computer whose primary DNS suffix is Lab.IT.Domain1.com. That suffix has four labels, and devolution can produce these suffixes:

  1. Lab.IT.Domain1.com (four labels)
  2. IT.Domain1.com (three labels)
  3. Domain1.com (two labels)

Setting the Primary DNS Suffix Devolution Level to 2 allows devolution to continue all the way to the forest root domain (Domain1.com). Setting the level to 3 stops devolution at IT.Domain1.com; Domain1.com is never appended. In other words, a higher level stops the devolution process sooner.

When the setting is Not Configured, a Windows 7 or Windows Server 2008 R2 client derives the level from the Active Directory forest root domain: devolution stops at the forest root (Domain1.com for a forest rooted there), and it does not happen at all if the computer’s primary DNS suffix does not end with the forest root domain name. That default is the security improvement mentioned at the start. Earlier Windows clients always devolved down to a two-label suffix, so a computer with the primary DNS suffix corp.example.co.uk would also send lookups for single-label names to co.uk, a namespace the organization does not control and where anyone can register a matching host name.
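To make the procedure concrete, here is a small Python model of how a Windows 7 / Server 2008 R2 client turns a single-label name into the ordered list of FQDNs it queries. It covers the devolution walk shown in the suffix lists above, the Append parent suffixes check box, the two Group Policy settings, the suffix search list override, and the forest-root default. This is an added example written for this article, not Microsoft’s resolver code or anything from the original page; the DnsClientConfig class and its field names, and the sample names Lab.IT.Domain1.com and corp.example.co.uk, are assumptions chosen for illustration.

```python
# Added example: a model of how the Windows 7 / Server 2008 R2 DNS client
# turns a single-label name into the list of FQDNs it queries. Illustrative
# code written for this article, not Microsoft's resolver; the class and
# field names are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DnsClientConfig:
    primary_suffix: str                  # the computer's primary DNS suffix
    forest_root: Optional[str] = None    # AD forest root domain, if domain-joined
    append_parent_suffixes: bool = True  # "Append parent suffixes of the primary DNS suffix"
    devolution_enabled: bool = True      # GPO: Primary DNS Suffix Devolution
    devolution_level: int = 0            # GPO: Primary DNS Suffix Devolution Level; 0 = Not Configured
    search_list: List[str] = field(default_factory=list)  # global DNS suffix search list


def labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring empty labels and a trailing dot."""
    return [lbl for lbl in name.strip(".").lower().split(".") if lbl]


def effective_devolution_level(cfg: DnsClientConfig) -> Optional[int]:
    """Label count of the shortest suffix devolution may reach, or None if devolution is off.

    An explicitly configured level wins. Otherwise (Windows 7 / 2008 R2 default) the
    level is the label count of the forest root domain, and devolution happens only
    when the primary suffix actually lies beneath that forest root.
    """
    if not (cfg.devolution_enabled and cfg.append_parent_suffixes):
        return None
    if cfg.devolution_level > 0:
        return cfg.devolution_level
    if not cfg.forest_root:
        return None
    ps, fr = labels(cfg.primary_suffix), labels(cfg.forest_root)
    if len(ps) <= len(fr) or ps[-len(fr):] != fr:
        return None
    return len(fr)


def devolved_suffixes(cfg: DnsClientConfig) -> List[str]:
    """Primary suffix followed by its parents, stripping one left label at a time
    and stopping before the suffix would have fewer labels than the devolution level."""
    ps = labels(cfg.primary_suffix)
    out = [".".join(ps)]
    level = effective_devolution_level(cfg)
    if level is None:
        return out
    for i in range(1, len(ps)):
        parent = ps[i:]
        if len(parent) < level:
            break
        out.append(".".join(parent))
    return out


def suffixes_to_try(cfg: DnsClientConfig) -> List[str]:
    """A global suffix search list replaces the primary suffix and devolution entirely."""
    if cfg.search_list:
        return [".".join(labels(s)) for s in cfg.search_list]
    return devolved_suffixes(cfg)


def candidate_fqdns(cfg: DnsClientConfig, name: str) -> List[str]:
    """FQDNs queried, in order, for a single-label name such as 'Server1'.

    A name with a trailing dot is already fully qualified and is queried as-is.
    Multi-label unqualified names follow extra rules this model does not cover.
    """
    if name.endswith("."):
        return [name.lower()]
    if "." in name:
        raise ValueError("this model only handles single-label names and trailing-dot FQDNs")
    return [f"{name.lower()}.{suffix}" for suffix in suffixes_to_try(cfg)]


def suffixes_outside(cfg: DnsClientConfig, owned_suffix: str) -> List[str]:
    """Suffixes the client would append that are NOT under a namespace you control.

    Anything returned here means single-label lookups can leave your DNS namespace.
    """
    owned = ".".join(labels(owned_suffix))
    return [s for s in suffixes_to_try(cfg)
            if s != owned and not s.endswith("." + owned)]


if __name__ == "__main__":
    win7 = DnsClientConfig("Lab.IT.Domain1.com", forest_root="Domain1.com")
    print(candidate_fqdns(win7, "Server1"))
    # Pre-Windows 7 behaviour, modelled with an explicit level of 2:
    legacy = DnsClientConfig("corp.example.co.uk", devolution_level=2)
    print(suffixes_outside(legacy, "example.co.uk"))
```

The suffixes_outside check is the sanity test a practitioner wants: run it against the namespace you actually own, and anything it returns is a suffix under which single-label lookups would be sent for names you do not control. The legacy configuration models the pre-Windows 7 behaviour of always devolving to a two-label suffix, which is exactly what the forest-root default in Windows 7 / Server 2008 R2 prevents.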

DNS devolution has been around for a while, but Windows 7 and Windows Server 2008 R2 are the first versions to introduce the concept of devolution levels and the forest-root default. Only they have the full feature set out of the box. Microsoft has also released a DNS devolution update for earlier supported versions of Windows, so once it is installed those clients honor the same Group Policy settings and can be brought into line with the rest of the domain.


ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information, visit www.brienposey.com.

This was first published in January 2011
