
How DNS devolution works in Windows Server 2008 R2

Windows 7 and Server 2008 R2 ship with built-in changes to the DNS name devolution process that help boost security and simplify client access to network resources.

Domain Name System (DNS) devolution is a feature in Windows Server 2008 R2 that makes it easier for DNS clients to locate network resources. To understand DNS devolution, think about how the name resolution process works in a normal Windows environment.

For example, let’s pretend that I have a domain named and a server within that domain named If I want to map a drive letter to a share located on, I don’t have to provide the server’s fully qualified domain name (FQDN). Instead, I can just specify the host name followed by the share name (\\Server1\ ). The DNS server is then able to resolve the host name to a FQDN.

This works because NetBIOS over TCP/IP is usually enabled on Windows networks. When the host name is specified, Windows performs a quick check to make sure that the specified host name does not match the local host name. Assuming that the names do not match, Windows will check the DNS resolver cache and perform a DNS Name Query Request if necessary. This request resolves the specified host name. Other resolution methods are used when the host name can’t be resolved, but for our purposes the DNS Name Query Request is of primary interest.

The DNS Name Query Request method of resolving host names works well if the host is in the same domain as the computer making the name resolution request. The process can break down, however, if the requested host resides in an alternate domain. This is where DNS devolution comes into play.

DNS devolution allows clients to query parent DNS namespaces without explicitly specifying the parent’s FQDN. For instance, imagine that I am using a computer with a FQDN of A normal DNS Name Query Request would search the namespace. If devolution is used, however, then the following domains would be searched as necessary:
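As an added illustration (not code from the original article), this Python sketch models the search order that devolution produces for a single-label host name and flags any candidate that falls outside the organization's own namespace. All names are constructed under the reserved `.example` TLD, and `stop_labels` is a hypothetical parameter for the number of suffix labels at which the model stops devolving.

```python
def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [part for part in name.strip(".").lower().split(".") if part]


def devolved_names(host, primary_suffix, stop_labels=2):
    """Return the FQDNs tried, in order, for a single-label host name.

    The full primary DNS suffix is tried first; the leftmost label is then
    stripped repeatedly until the suffix is down to stop_labels labels.
    """
    if len(_labels(host)) != 1:
        # Assumption of this model: only single-label names are devolved.
        return [".".join(_labels(host))]
    suffix = _labels(primary_suffix)
    names = []
    while suffix:
        names.append(".".join([host.lower()] + suffix))
        if len(suffix) <= stop_labels:
            break
        suffix = suffix[1:]  # move up to the parent namespace
    return names


def outside_namespace(names, org_root):
    """Return the candidates that are not under org_root.

    A query for such a name is answered by whoever controls the parent
    zone, not by the organization's own DNS servers.
    """
    root = _labels(org_root)
    return [n for n in names if _labels(n)[-len(root):] != root]


if __name__ == "__main__":
    # Constructed sample: the organization owns contoso.co.example and the
    # client's primary DNS suffix is eng.contoso.co.example.
    for stop in (2, 3):
        tried = devolved_names("Server1", "eng.contoso.co.example", stop)
        print(f"stop_labels={stop}")
        for name in tried:
            print("  query:", name)
        print("  outside org:", outside_namespace(tried, "contoso.co.example"))
```

With `stop_labels=2` the last candidate is `server1.co.example`, which is outside the organization's zone; with `stop_labels=3` every candidate stays inside it.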


Requirements for using DNS devolution

Even though DNS devolution is fairly simple, there are a few caveats to using it. For starters, DNS devolution requires that you select the Append Parent Suffixes of the Primary DNS Suffix check box, which is located in the Advanced TCP/IP Settings dialog box on the client computer, as shown in Figure 1. This check box is selected by default on Windows 7 clients.

Figure 1. The Append Parent Suffixes check box must be selected to use DNS devolution.

Note that when using DNS devolution, you cannot provide Windows with a global suffix search list, which is sometimes done via Group Policy settings.

Configuring DNS devolution

The primary mechanism for configuring DNS devolution is the Group Policy Editor. There are two policy settings of interest and both are located at Computer Configuration \ Policies \ Administrative Templates \ Network \ DNS Client.

The first setting -- shown in Figure 2 -- is the Primary DNS Suffix Devolution setting. This is the setting that enables and disables DNS devolution.

Figure 2: DNS devolution is controlled by Group Policy settings.

The other setting you need to know about is the Primary DNS Suffix Devolution Level setting. This setting allows you to control the number of levels that are processed during DNS devolution. Earlier, I used a domain named in one of my examples. This domain consists of three levels, including:


Setting the Primary DNS Suffix Devolution Level to 3 allows DNS devolution to occur all the way to the root domain ( Setting the level to 2 allows DNS devolution to occur for, but not for In other words, the devolution process stops short of the root domain.

DNS devolution has been around for a while, but Windows Server 2008 R2 is the first system to introduce this concept of levels. To that end, only Windows 7 and Windows Server 2008 R2 can use all of the DNS devolution features by default. You can add full DNS devolution support to older versions of Windows, however, by downloading a DNS update.


Brien M. Posey, MCSE, is a Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information, visit
