Question
Tuesday, April 12, 2011 5:01 PM
Hello there,
I have two internal DNS/AD servers on my LAN. One is Server 2003 (called Server1) and one is Server 2008 (called Server3).
Let's say our internal domain name is: nc1.example.com. The "nc1" part is to denote the state of NC and the first location (1) - which is our only physical location at this time.
We have a website registered as example.com that is being hosted elsewhere.
I have noticed a banking application on clients that refuses to work properly. I tracked down some more info. I have noticed that ANY DNS query on Server1 (Server 2003) using NSLookup results in:
> google.com
Server: server1.nc1.example.com
Address: 192.168.114.10
Non-authoritative answer:
Name: google.com.example.com
Address: 216.119.148.XXX
>
Any DNS query on Server3 (Server 2008) results in the same:
> google.com
Server: server3.nc1.example.com
Address: 192.168.114.9
Non-authoritative answer:
Name: google.com.example.com
Address: 216.119.148.XXX
>
I do realize that if I use google.com. (with trailing period) that it resolves properly. HOWEVER, I have basically the same setup at my home-office and it does not do this. At my office, both servers return:
> google.com
Server: [192.168.1.3]
Address: 192.168.1.3
Non-authoritative answer:
Name: google.com
Addresses: 74.125.65.106
74.125.65.147
74.125.65.99
74.125.65.103
74.125.65.104
74.125.65.105
On one of the client PCs that is joined to the AD domain at work, the DNS Search Suffix is:
Windows IP Configuration
Host Name . . . . . . . . . . . . : clientPC1
Primary Dns Suffix . . . . . . . : nc1.example.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : nc1.example.com
nc1.example.com
nc1.example.com
example.com
I think the problem lies in the last search list of "example.com". I noticed that when I unchecked Append Parent Suffixes of the Primary DNS suffix on the client PC "example.com" was removed from the list and I was able to (SO FAR) get the banking software to work. However, all DNS queries on the client PC were still appended with .example.com.
I have compared my DNS server settings at my home-office to the DNS server settings at work and from what I can tell they are the same.
Is there any way I can fix this to avoid any future problems such as this?
Thanks!
All replies (7)
Wednesday, April 13, 2011 8:53 AM ✅Answered
Hi TC10284,
Thanks for posting here.
Not sure if it is necessary to set the DNS suffix search list in this scenario, but please take a look at the article below:
Configuring Query Settings
http://technet.microsoft.com/en-us/library/cc959339.aspx
Thanks
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Wednesday, April 13, 2011 2:25 PM ✅Answered
You found one way, to uncheck that setting to stop it appending, or when using nslookup, just put a period at the end of the query, and it won't append it. During normal use, such as in a URL, it won't append it anyway. As for the banking app, is that web based, or an installed application? You narrowed it down to a DNS lookup causing the app to not work? How did you determine that? Did you use packet captures, such as using WireShark?
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
The banking app is web-based and uses a Microsoft SSL app which I can't recall the name of. I think it is called Microsoft UAG. Basically I messed with some DNS settings, finally got to Append Parent Suffixes of the Primary DNS suffix on the local client PC. I am being told this morning that the banking app is now working properly.
Though I am still left with why my DNS servers are doing this.
How can I be sure that a GPO is not causing this?
Also of note, when I used NSLookup on the client, they are using DNS on the local servers. HOWEVER, even if I change the server to 4.2.2.1, the domain suffix is still applied there too.
Thursday, April 14, 2011 4:51 AM ✅Answered
If the machine is joined to an AD domain called nc1.example.com, it will automatically take that on as the Primary DNS Suffix. It will also set it as the default Search Suffix, and then it will devolve the parent level and set that as the next Search Suffix. What you are seeing is default behavior.
The client side resolver will append the search suffix on the NIC property settings. You are seeing it in action with nslookup. Have you tried a ping? Try pinging by single name and by FQDN and paste your results, please.
But this shouldn't be a problem with something like a browser. I'm kind of surprised to hear it affected an application. I'm glad to hear unchecking the box to append the suffix is working for you!
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
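The suffix search and devolution behaviour Ace describes, as an added simulation written for this page (not code from the thread or from Microsoft): build_search_list, candidate_names, resolve and sample_zones are hypothetical helpers, the zone data is constructed, and the catch-all record in the hosted example.com zone is an assumption offered as one explanation for the google.com.example.com answer shown in the question.

```python
def build_search_list(primary_suffix, append_parent=True, min_labels=2):
    """Suffix search list from the primary DNS suffix; with append_parent
    ("Append parent suffixes" checked) it is devolved one label at a time
    until min_labels remain: nc1.example.com -> example.com, never "com"."""
    labels = primary_suffix.rstrip(".").split(".")
    search = [".".join(labels)]
    while append_parent and len(labels) > min_labels:
        labels = labels[1:]
        search.append(".".join(labels))
    return search


def candidate_names(name, search_list):
    """Names tried, in order. A trailing dot means fully qualified: sent
    as-is. Otherwise each suffix is appended first and the bare name is tried
    last, the order implied by the nslookup output in the thread."""
    if name.endswith("."):
        return [name.rstrip(".")]
    return [f"{name}.{s}" for s in search_list] + [name]


def resolve(name, search_list, zones):
    """Resolve candidates against constructed zone data -> (name, addr).

    Each candidate is judged by the most specific zone enclosing it, so
    google.com.nc1.example.com is decided by the internal nc1.example.com
    zone, never by example.com. A "*" record answers any unknown name below
    its apex (assumed here as one explanation for the thread's answer)."""
    for cand in candidate_names(name, search_list):
        enclosing = [z for z in zones if cand == z or cand.endswith("." + z)]
        if not enclosing:
            continue
        records = zones[max(enclosing, key=len)]
        if cand in records:
            return cand, records[cand]
        if "*" in records and cand not in zones:
            return cand, records["*"]
    return None, None


def sample_zones(catch_all):
    """Constructed zones: internal AD zone, hosted example.com, google.com.
    catch_all=True gives example.com a "*" record (the work site here)."""
    hosted = {"www.example.com": "216.119.148.1"}
    if catch_all:
        hosted["*"] = "216.119.148.1"
    return {"nc1.example.com": {"server1.nc1.example.com": "192.168.114.10"},
            "example.com": hosted, "google.com": {"google.com": "74.125.65.106"}}
```

With the catch-all present, a lookup of google.com is answered by google.com.example.com before the bare name is ever tried; without it, or with parent-suffix appending turned off, or with a trailing dot, the same lookup reaches google.com itself.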
Wednesday, April 13, 2011 2:42 PM
C:\Users\tpadmin>gpresult /R
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 4/13/2011 at 10:39:56 AM
RSOP data for EXAMPLE\TPAdmin on SERVER3 : Logging Mode
OS Configuration: Additional/Backup Domain Controller
OS Version: 6.0.6002
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\tpadmin
Connected over a slow link?: No
COMPUTER SETTINGS
CN=SERVER3,OU=Domain Controllers,DC=nc1,DC=example,DC=com
Last time Group Policy was applied: 4/13/2011 at 10:35:23 AM
Group Policy was applied from: Server3.nc1.example.com
Group Policy slow link threshold: 500 kbps
Domain Name: EXAMPLE
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Controllers Policy
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
BUILTIN\Administrators
Everyone
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
SERVER3$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
RAS and IAS Servers
System Mandatory Level
USER SETTINGS
CN=TPAdmin,CN=Users,DC=nc1,DC=example,DC=com
Last time Group Policy was applied: 4/13/2011 at 9:50:02 AM
Group Policy was applied from: Server3.nc1.example.com
Group Policy slow link threshold: 500 kbps
Domain Name: EXAMPLE
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
Domain Users
Everyone
BUILTIN\Administrators
Remote Desktop Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Group Policy Creator Owners
Domain Admins
Enterprise Admins
Schema Admins
High Mandatory Level
Wednesday, April 13, 2011 2:55 PM
TC,
It's NOT the DNS servers doing this. This is a client-side resolver function based on the client side resolver algorithm, hence the need to address it client side, not DNS server side.
And thanks for posting the gpresult output. It appears your machines are receiving their GPOs. Was there a specific GPO you were concerned with?
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
None in particular. Just whatever is causing the domain name suffix to be appended. Why does every system in the domain do this if there is no GPO applied doing it?