New group policies for DNS in Windows Server 2003

Windows Server 2003 resolves the problem of centralized DNS management by introducing group policies to configure DNS clients. For example, the following parameters are available in Windows Server 2003:
- Enable or disable dynamic registration of DNS records by a client
- Configure the DNS suffix search list of the clients
- Devolution of the primary DNS suffix in the name resolution process
- DNS suffix search list
These group policies are at the following location:

Computer Configuration/Administrative Templates/Network/DNS Client

Group policy always supersedes the local configuration as well as the DHCP configuration. The only exception to this rule is the REG_DWORD value DoNotUseGroupPolicyForDisableDynamicUpdate, which can be set under the following registry key to keep the dynamic DNS registration setting under local control:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

If this value exists and is set to 0x1, services do not use the group policy value for dynamic update; they use the locally configured value instead. If DoNotUseGroupPolicyForDisableDynamicUpdate does not exist or is set to 0x0, services use the value specified by group policy. Because this override lives in the local registry, a local administrator can use it to opt a host out of the centrally enforced dynamic-update setting; audit this value on your clients if you rely on policy to disable (or enforce) registration.
Policy Descriptions

This section describes each setting's function, the registry value it modifies on the client, and the valid values for the policy and the registry value. The policy values are stored on the client under the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

Primary DNS Suffix

This setting specifies the primary DNS suffix for all affected computers. The primary DNS suffix is used in DNS name registration and DNS name resolution. The setting assigns one primary DNS suffix to a group of computers and prevents users, including administrators, from changing it.
If this setting is disabled or not configured, each computer uses its local primary DNS suffix, which is usually the DNS name of the Active Directory domain it is joined to. In that case, administrators can use the System tool in Control Panel to change the primary DNS suffix of a computer.
To use this setting, type the entire primary DNS suffix that you want to assign in the text box provided (for example, microsoft.com). This setting does not disable the DNS Suffix and NetBIOS Computer Name dialog box that administrators use to change the primary DNS suffix of a computer; however, a suffix entered there is ignored while this setting is enabled.
IMPORTANT: For changes to this setting to take effect, you must restart all computers that are affected by the setting.
TIP: To change the primary DNS suffix of a computer without setting a policy, click System in Control Panel, click the Network Identification tab, click Properties, click More, and then type a suffix in the Primary DNS suffix of this computer box.
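The precedence rule above (policy beats local and DHCP configuration, except that dynamic registration honours the local value when DoNotUseGroupPolicyForDisableDynamicUpdate is 0x1) is easy to get wrong when troubleshooting a client that is not registering. The following script is an added example, not part of the article: it reads both registry locations named above and reports, for the primary DNS suffix, the suffix search list and dynamic registration, which value is in force and where it came from. The two key paths and DoNotUseGroupPolicyForDisableDynamicUpdate come from the article; the other value names (PrimaryDnsSuffix, RegistrationEnabled, SearchList, NV Domain, DisableDynamicUpdate) are the documented DNS Client value names and are assumptions as far as this page is concerned.

```powershell
# Added example: report the effective DNS Client settings and their source.
# Run in an elevated PowerShell session on the client being examined.
# Value names other than DoNotUseGroupPolicyForDisableDynamicUpdate are
# assumptions (documented DNS Client names), not something the article lists.

$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
$TcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is absent instead of throwing.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Resolve-Setting {
    param([string]$Label, $PolicyValue, $LocalValue, [switch]$PolicyIgnored)
    # Policy wins whenever it is present, unless the caller says it must be ignored.
    if ($null -ne $PolicyValue -and -not $PolicyIgnored) {
        $src = 'group policy'; $val = $PolicyValue
    } elseif ($null -ne $LocalValue) {
        $src = 'local/DHCP';   $val = $LocalValue
    } else {
        $src = 'default';      $val = '(not set)'
    }
    [pscustomobject]@{ Setting = $Label; Value = $val; Source = $src }
}

$rows = @()

# Primary DNS suffix: policy value vs. the locally configured 'NV Domain'.
$rows += Resolve-Setting 'Primary DNS suffix' `
    (Get-RegValue $PolicyKey 'PrimaryDnsSuffix') `
    (Get-RegValue $TcpipKey  'NV Domain')

# Suffix search list: both locations hold a comma-separated REG_SZ.
$rows += Resolve-Setting 'DNS suffix search list' `
    (Get-RegValue $PolicyKey 'SearchList') `
    (Get-RegValue $TcpipKey  'SearchList')

# Dynamic registration: the one setting with a local escape hatch.
$ignorePolicy = (Get-RegValue $TcpipKey 'DoNotUseGroupPolicyForDisableDynamicUpdate') -eq 1
$policyReg = Get-RegValue $PolicyKey 'RegistrationEnabled'    # 1 = register, 0 = do not
$localDis  = Get-RegValue $TcpipKey  'DisableDynamicUpdate'   # 1 = disabled, 0/absent = enabled
$localReg  = if ($null -eq $localDis) { $null } else { [int](1 - $localDis) }
$rows += Resolve-Setting 'Dynamic DNS registration enabled' $policyReg $localReg -PolicyIgnored:$ignorePolicy

if ($ignorePolicy) {
    Write-Warning 'DoNotUseGroupPolicyForDisableDynamicUpdate=0x1: the dynamic update policy is ignored on this host.'
}

$rows | Format-Table -AutoSize
```

Run it on a client that should be policy-controlled: a Source column reading local/DHCP for a setting you expected policy to supply means either the policy never applied (check gpresult) or, for dynamic registration, that someone set the local override; the warning line makes the latter case obvious.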

What is the difference between "Primary DNS Suffix" and "Connection-specific DNS Suffix"?
This information is presented whenever I run "ipconfig -all", such as:

C:\>ipconfig -all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : webserver
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : scaa.org

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : scaa.org
Description . . . . . . . . . . . : Realtek RTL8139(A) PCI Fast Ethernet
Physical Address. . . . . . . . . : 00-30-1B-3E-4E-19
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
Primary WINS Server . . . . . . . :

Answer 1:
You assign the Primary DNS Suffix and your DHCP device assigns the Connection-specific DNS Suffix.

Answer 2:
True, but not complete.

Primary DNS Suffix is set for the entire computer and will be used on any network adapter on which no Connection-specific DNS Suffix has been defined.

The Connection-specific DNS Suffix allows us to override the Primary for a specific network adapter so that when your computer registers itself with the DNS server it's presently using, it will register with a well-formed fully qualified domain name (FQDN). The thing that MS calls DNS suffix is really just everything to the right of the first dot in an FQDN.

Imagine your company-supplied laptop computer has FQDN "joe.boston.corpX.com" and it's part of an Active Directory domain at the office. Its Primary suffix is "boston.corpX.com" and its name is "joe." When you boot it up at the office, it will DHCPDISCOVER an IP address and the AD DC's DHCP server will respond, then your computer will register itself with the DNS server on that AD DC using its FQDN.

If you use a VPN client on the road, though, so you can connect to your company's network from the hotel broadband service, it may be smarter (or necessary) to have your computer register itself as joe.remote.corpX.com with the RAS server in your network. That's where the Connection-specific DNS Suffix comes in. When you installed that VPN client software (or your IT team did), it created another network adapter, and the Connection-specific DNS suffix on that one is ... yep, remote.corpX.com, and all is well.

In general use, we don't use it. On systems with only one network adapter, just leave it blank. Unless someone at a higher pay grade who knows why you should change it tells you to, that is... :-)
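The split the answers describe (one primary suffix for the computer, an optional connection-specific suffix per adapter) can be inspected directly rather than read off ipconfig. The script below is an added example and is not part of the thread: it prints the host name, the primary DNS suffix and the suffix search list, then for each adapter its connection-specific suffix, whether it registers its addresses at all, and the name(s) the DNS Client would register from it. It assumes a Windows 8 / Server 2012 or later host with the DnsClient module, which exposes the same settings the Windows 2000 ipconfig output above shows; the per-adapter registration rule it applies (the primary-suffix name is registered on every adapter that registers, the connection-specific name only when "Use this connection's DNS suffix in DNS registration" is ticked) is the documented DNS Client behaviour, stated here as an assumption since the thread does not spell it out.

```powershell
# Added example: show primary vs. connection-specific DNS suffixes per adapter
# and the FQDN(s) each adapter would register. Requires the DnsClient module
# (Windows 8 / Server 2012 or later); this is an assumption, not from the thread.

$ipProps      = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$computerName = $ipProps.HostName
$primary      = $ipProps.DomainName     # empty string when no primary suffix is set

function Get-RegistrationNames {
    param([string]$ComputerName, [string]$PrimarySuffix, $Adapter)
    # Names the DNS Client registers for this adapter, following the
    # "Register this connection's addresses in DNS" and
    # "Use this connection's DNS suffix in DNS registration" settings.
    $names = @()
    if (-not $Adapter.RegisterThisConnectionsAddress) { return $names }
    if ($PrimarySuffix) { $names += "$ComputerName.$PrimarySuffix" }
    if ($Adapter.UseSuffixWhenRegistering -and $Adapter.ConnectionSpecificSuffix) {
        $names += "$ComputerName.$($Adapter.ConnectionSpecificSuffix)"
    }
    return $names
}

"Host name:          $computerName"
"Primary DNS suffix: $(if ($primary) { $primary } else { '(none)' })"
"Suffix search list: $((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')"
""

Get-DnsClient | ForEach-Object {
    [pscustomobject]@{
        Adapter            = $_.InterfaceAlias
        ConnectionSuffix   = $(if ($_.ConnectionSpecificSuffix) { $_.ConnectionSpecificSuffix } else { '(none)' })
        RegistersAddresses = $_.RegisterThisConnectionsAddress
        UsesConnSuffix     = $_.UseSuffixWhenRegistering
        RegisteredNames    = (Get-RegistrationNames $computerName $primary $_) -join ', '
    }
} | Format-Table -AutoSize
```

On the laptop in the example above, the office adapter would show the primary suffix only, while the VPN adapter would show remote.corpX.com as its ConnectionSuffix; whether joe.remote.corpX.com actually appears under RegisteredNames depends on the UsesConnSuffix column, which is the setting to check when a remote-access name is not showing up in DNS.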