The DNS suffix is one of the most important settings on a server’s network configuration, yet it is so easy to omit because the value is buried deep within the DNS tap of networking configuration. There are a number of ways to ensure consistent configuration of the DNS suffix, including using Group Policy.
For Windows 2000 and newer systems, Group Policy can assign the primary DNS suffix for each computer’s connection. The DNS suffix is important for various reasons; primarily, correctly configured DNS is the quickest way to ditch WINS for name resolution. The DNS suffix is also critical for Active Directory networks that have multiple network segments for name resolution that can’t use the peer-to-peer broadcast.
The DNS suffix is set in Group Policy in Computer Configuration | Policies | Administrative Templates | Network | DNS Client. From there, you can set the Primary DNS Suffix value for computer accounts. Figure A is an example of making this configuration.
Figure A
Click the image to enlarge.
The next logical step is to configure the DNS suffix search order; this is critical for proper resolution across a forest, and it can also be used to resolve to DNS zones that are not Active Directory-Integrated. In the same Group Policy section, the DNS Suffix Search List value allows administrators to configure this aspect of a computer account (Figure B).
Figure B
Click the image to enlarge.
Practically speaking, I recommend placing these configurations centrally in Group Policy instead of using security profiles or manual configuration. These two configurations can fill the gap that DHCP leaves in fully managing DNS for the client. DHCP can only assign the domain, not the suffix search order. In addition, I recommend using this for servers and clients if the DNS configuration is clean and well understood.
Stay on top of the latest Windows Server 2003 and Windows Server 2008 tips and tricks with our free Windows Server newsletter, delivered each Wednesday.