Understanding DNS Client Settings
Applies To: Windows Server 2008, Windows Server 2008 R2
Domain Name System (DNS) configuration involves the following configuration tasks for TCP/IP properties on each computer:
- Set a DNS computer or host name for each computer. For example, in the fully qualified domain name (FQDN) wkstn1.widgets.tailspintoys.com., the DNS computer name is the left-most label wkstn1.
- Set a primary DNS suffix for each computer, which is placed after the computer or host name to form the FQDN. Using the previous example, the primary DNS suffix is widgets.tailspintoys.com.
- Set a list of DNS servers for clients to use when resolving DNS names, such as a preferred DNS server, and any alternate DNS servers to use if the preferred server is not available.
- Set the DNS suffix search list or search method to be used by a client when it performs DNS query searches for short, unqualified domain names.
These tasks are discussed in more detail in each of the following sections.
Setting computer names
When you set computer names for DNS, it is useful to think of the name as the left-most portion of an FQDN. For example, in wkstn1.widgets.tailspintoys.com., wkstn1 is the computer name.
You can configure all Windows DNS clients with a computer name based on any of the standard supported characters that are defined in Request for Comments (RFC) 1123, "Requirements for Internet Hosts — Application and Support." These characters include the following:
- Uppercase letters, A through Z
- Lowercase letters, a through z
- Numbers, 0 through 9
If you are supporting both NetBIOS and DNS namespaces on your network, you can use a different computer name within each namespace. It is recommended that wherever possible, however, you try to use computer names that are 15 characters or less and that you follow these RFC 1123 naming requirements.
By default, the left-most label in the FQDN for clients equals the NetBIOS computer name, unless this label is 16 or more characters, which exceeds the maximum length of a NetBIOS name. When the computer name exceeds the maximum length for NetBIOS, the NetBIOS computer name is formed by truncating the full label that is specified.
Before you configure computers with varying DNS and NetBIOS names, consider the following implications and their related issues for your deployment:
- If Windows Internet Name Service (WINS) lookup is enabled for zones that are hosted by your DNS servers, use the same name for both NetBIOS and DNS computer naming. Otherwise, the results of clients attempting to query and resolve the names of these computers will be inconsistent.
- If you have an investment in using NetBIOS names to support legacy Microsoft networking technology, we recommend that you revise NetBIOS computer names that are used on your network to prepare for migration to a standard, DNS-only environment. This prepares your network well for long-term growth and interoperability with future naming requirements. For example, if you use the same computer name for both NetBIOS and DNS resolution, consider converting any special characters such as the underscore (_) in your current NetBIOS names that do not comply with DNS naming standards. While these characters are permitted in NetBIOS names, they are more often incompatible with traditional DNS host naming requirements and most existing DNS resolver client software.
Although the use of the underscore (_) in DNS host names or in host (A) resource records has been traditionally prohibited by DNS standards, the use of underscores in service-related names—such as the names that are used for service locator (SRV) resource records—has been proposed to avoid naming collisions in the Internet DNS namespace.
In addition to DNS standard naming conventions, Windows Server 2008 DNS supports the use of extended ASCII and Unicode characters. However, because most resolver software written for other platforms (such as UNIX) is based on the Internet DNS standards, this enhanced character support can be used only in private networks with computers running Windows 2000, Windows Server 2003, or Windows Server 2008 DNS.
The initial setup of DNS and TCP/IP displays a warning to suggest a standard DNS name if a nonstandard DNS name is entered.
By default, computers and servers use DNS to resolve any name that is greater than 15 characters in length. If the name is less than or equal to 15 characters, both NetBIOS and DNS name resolution can be attempted and used to resolve the name.
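The naming rules above (RFC 1123 characters, the 15-character NetBIOS limit, truncation of longer labels, and the length rule that decides whether NetBIOS resolution is attempted) are small enough to check before a computer is joined. The following Python script is an added example and not part of this document or of Windows; it accepts the hyphen (-) in a label, as the domain-naming section below does, and treats the 15-character NetBIOS limit and the 63-character label limit as assumptions drawn from RFC 1123 rather than from this page.

```python
import re

# RFC 1123 host-name characters named on the page: A-Z, a-z, 0-9. The hyphen (-)
# listed for domain-name labels is accepted too, except as the first or last
# character. Labels longer than 63 characters are rejected (RFC 1123 limit).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

NETBIOS_MAX = 15  # characters available for a NetBIOS computer name


def is_valid_dns_label(label: str) -> bool:
    """True if `label` uses only RFC 1123 host-name characters."""
    return bool(_LABEL_RE.match(label))


def netbios_name_from_label(label: str) -> str:
    """Default NetBIOS computer name for an FQDN's left-most label: the label
    itself, truncated when it exceeds the NetBIOS maximum."""
    return label[:NETBIOS_MAX]


def resolution_methods(name: str) -> list:
    """Resolvers a Windows client may use for `name`: names longer than 15
    characters go to DNS only; shorter names may also be tried over NetBIOS."""
    if len(name) > NETBIOS_MAX:
        return ["DNS"]
    return ["NetBIOS", "DNS"]


def check_computer_name(label: str, netbios_name: str = None) -> dict:
    """Report the problems a proposed computer name would cause in a mixed
    NetBIOS/DNS deployment. `netbios_name` overrides the default derivation
    for sites that use a different name in each namespace."""
    derived = netbios_name_from_label(label)
    chosen = netbios_name if netbios_name is not None else derived
    problems = []
    if "_" in label:
        problems.append("underscore is allowed in NetBIOS names but not in DNS host names")
    elif not is_valid_dns_label(label):
        problems.append("label contains characters outside the RFC 1123 host-name set")
    if len(label) > NETBIOS_MAX:
        problems.append(f"label exceeds {NETBIOS_MAX} characters; NetBIOS name truncated to {derived!r}")
    elif chosen != label:
        # With WINS lookup enabled for a zone, differing names give inconsistent results.
        problems.append("NetBIOS and DNS names differ; WINS lookup results for this host may be inconsistent")
    return {
        "dns_label": label,
        "netbios_name": chosen,
        "resolvers": resolution_methods(label),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the page.
    for candidate in ("wkstn1", "file_server", "workstation-number-01"):
        print(check_computer_name(candidate))
```

Run it with a proposed name to see which namespace the name will be looked up in and whether the NetBIOS form will silently differ from the DNS label.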
Setting domain names
The domain name is used with the client computer name to form the FQDN, also known as the full computer name. In general, the DNS domain name is the remainder of the FQDN that is not used as the unique host name for the computer.
For example, if the FQDN, or full computer name, of a client computer is wkstn1.widgets.tailspintoys.com, the DNS domain name is the widgets.tailspintoys.com portion of that name.
DNS domain names have two variations—a DNS name and a NetBIOS name. The full computer name (a fully qualified DNS name) is used during querying and location of named resources on your network. For earlier version clients, the NetBIOS name is used to locate various types of NetBIOS services that are shared on your network.
An example of a component that has a need for both NetBIOS and DNS names is the Net Logon service. In Windows Server 2008 DNS, the Net Logon service on a domain controller registers its service locator (SRV) resource records on a DNS server. For Windows NT Server 4.0 and earlier versions, domain controllers register a DomainName entry in WINS to perform the same registration and to advertise their availability for providing authentication service to the network.
When a client computer is started on the network, it uses the DNS resolver to query a DNS server for service locator (SRV) resource records for its configured domain name. This query is used to locate domain controllers and provide logon authentication for accessing network resources. A client or a domain controller on the network can also use the NetBIOS resolver service to query WINS servers, attempting to locate DomainName [1C] entries to complete the logon process.
Your DNS domain names should follow the same standards and recommended practices that apply to DNS computer naming described in the previous section. In general, acceptable naming conventions for domain names include the use of letters A through Z, numerals 0 through 9, and the hyphen (-). A period (.) in a domain name is always used to separate the discrete parts of a domain name, which are commonly known as labels. Each label corresponds to an additional level that is defined in the DNS namespace tree.
For most computers, the primary DNS suffix that is configured for the computer can be the same as its Active Directory Domain Services (AD DS) domain name, although the two values can also be different.
By default, the primary DNS suffix portion of a computer's FQDN must be the same as the name of the AD DS domain where the computer is located. To allow different primary DNS suffixes, a domain administrator may create a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the domain object container. A domain administrator creates and manages this attribute using Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP).
Configuring a DNS servers list
For DNS clients to operate effectively, a prioritized list of DNS name servers must be configured for each computer to use when it processes queries and resolves DNS names. In most cases, the client computer contacts and uses its preferred DNS server, which is the first DNS server on its locally configured list. Listed alternate DNS servers are contacted and used when the preferred server is not available. For this reason, it is important that the preferred DNS server be appropriate for continuous client use under normal conditions.
For computers running Microsoft Windows XP or Windows Vista®, the DNS server list is used by clients only to resolve DNS names. When clients send dynamic updates, for example, when they change their DNS domain name or a configured IP address, they might contact these servers or other DNS servers as needed to update their DNS resource records. For more information, see Understanding Dynamic Update.
By default, the DNS client on Windows XP or Windows Vista does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network (VPN) connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or you can modify the registry. For more information, see Windows Server 2003 Resource Kit Registry Reference (http://go.microsoft.com/fwlink/?LinkId=428).
By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone that is named with a single-label name is considered to be a TLD zone, for example, com, edu, blank, my-company. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or you can modify the registry.
When DNS clients are configured dynamically using a Dynamic Host Configuration Protocol (DHCP) server, it is possible to have a larger list of provided DNS servers. To provide an IP address list of DNS servers to your DHCP clients, enable option code 6 on the configured options types that is provided by your DHCP server. For Windows Server 2003 and Windows Server 2008 DHCP servers, you can configure a list of up to 25 DNS servers for each client with this option.
To effectively share the load when multiple DNS servers are provided in a DHCP options-specified list, you can configure a separate DHCP scope that rotates the listed order of DNS and WINS servers that is provided to clients.
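The two DHCP options this section relies on, option 6 for the DNS server list and option 15 for the domain name, are simple code/length/value fields on the wire. The following Python module is an added example, not code from this document or from the Windows DHCP server: it encodes and decodes both options, enforces the 25-server limit stated above, and shows the per-scope rotation of the server order that the load-sharing note describes. The option layout follows RFC 2132; the sample addresses are constructed.

```python
import ipaddress

OPTION_DNS_SERVERS = 6    # RFC 2132 "Domain Name Server" option
OPTION_DOMAIN_NAME = 15   # RFC 2132 "Domain Name" option (connection-specific suffix)
MAX_DNS_SERVERS = 25      # per-client limit the page gives for Windows DHCP servers


def encode_dns_servers_option(servers) -> bytes:
    """Option 6 as sent on the wire: code, length, then 4 bytes per IPv4
    address, in the order clients should prefer them."""
    addrs = [ipaddress.IPv4Address(s) for s in servers]  # raises on bad input
    if not addrs:
        raise ValueError("option 6 needs at least one DNS server")
    if len(addrs) > MAX_DNS_SERVERS:
        raise ValueError(f"option 6 list limited to {MAX_DNS_SERVERS} servers")
    data = b"".join(a.packed for a in addrs)
    return bytes([OPTION_DNS_SERVERS, len(data)]) + data


def encode_domain_name_option(suffix: str) -> bytes:
    """Option 15: the DNS domain name a client appends to short names."""
    data = suffix.encode("ascii")
    if not data or len(data) > 255:
        raise ValueError("option 15 value must be 1..255 ASCII bytes")
    return bytes([OPTION_DOMAIN_NAME, len(data)]) + data


def decode_option(blob: bytes):
    """Parse one code/length/value option. Returns (code, value) with option 6
    decoded to dotted addresses and option 15 to a string; a length field that
    disagrees with the data is rejected rather than read past the buffer."""
    if len(blob) < 2 or len(blob) != 2 + blob[1]:
        raise ValueError("malformed option: length field disagrees with data")
    code, data = blob[0], blob[2:]
    if code == OPTION_DNS_SERVERS:
        if len(data) % 4:
            raise ValueError("option 6 data is not a whole number of IPv4 addresses")
        return code, [str(ipaddress.IPv4Address(data[i:i + 4]))
                      for i in range(0, len(data), 4)]
    if code == OPTION_DOMAIN_NAME:
        return code, data.decode("ascii")
    return code, data


def rotated_server_list(servers, scope_index: int) -> list:
    """Server order for the N-th scope when every scope hands out the same
    servers in a rotated order, so the preferred server differs per scope."""
    k = scope_index % len(servers)
    return list(servers[k:]) + list(servers[:k])


if __name__ == "__main__":
    # Constructed sample servers, not from the page.
    servers = ["10.0.0.53", "10.0.1.53", "10.0.2.53"]
    for scope in range(len(servers)):
        blob = encode_dns_servers_option(rotated_server_list(servers, scope))
        print(scope, blob.hex(), decode_option(blob))
    print(decode_option(encode_domain_name_option("public.widgets.tailspintoys.com")))
```

The decoder checks the length octet against the actual buffer before touching the payload, which is the check a DHCP client needs so that a truncated or oversized option from a rogue server does not read beyond the packet.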
Configuring a DNS suffix search list
For DNS clients, you can configure a DNS domain suffix search list that extends or revises their DNS search capabilities. By adding additional suffixes to the list, you can search for short, unqualified computer names in more than one specified DNS domain. Then, if a DNS query fails, the DNS Client service can use this list to append other name suffix endings to your original name and repeat DNS queries to the DNS server for these alternate FQDNs.
For computers and servers, the following default DNS search behavior is predetermined and used when completing and resolving short, unqualified names.
When the suffix search list is empty or unspecified, the primary DNS suffix of the computer is appended to short unqualified names, and a DNS query is used to resolve the resultant FQDN. If this query fails, the computer can try additional queries for alternate FQDNs by appending any connection-specific DNS suffix that is configured for network connections.
If no connection-specific suffixes are configured or queries for these resultant connection-specific FQDNs fail, the client can then begin to retry queries based on systematic reduction of the primary suffix (also known as devolution).
For example, if the primary suffix is "widgets.tailspintoys.com", the devolution process is able to retry queries for the short name by searching for it in the "tailspintoys.com" and "com" domains.
When the suffix search list is not empty and has at least one DNS suffix specified, attempts to qualify and resolve short DNS names are limited to searching only those FQDNs that are made possible by the specified suffix list. If queries for all FQDNs that are formed as a result of appending and trying each suffix in the list are not resolved, the query process fails, which produces a "Name not found" result.
If the domain suffix list is used, clients continue to send additional alternate queries based on different DNS domain names when a query is not answered or resolved. When a name is resolved using an entry in the suffix list, unused list entries are not tried. For this reason, it is most efficient to order the list with the most-used domain suffixes first.
Domain name suffix searches are used only when a DNS name entry is not fully qualified. To fully qualify a DNS name, enter a trailing period (.) at the end of the name.
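The qualification rules in this section (primary suffix, then connection-specific suffixes, then devolution when the search list is empty; only the listed suffixes when it is not; no suffix search at all for a name ending in a period) determine which names actually leave the client. The following Python model is an added example and not the Windows DNS Client service's own code; the record table standing in for the DNS server is constructed. It makes visible the point that matters for a defender: with an empty search list, devolution carries a short name down to the "com" level, outside the organization's own zones, whereas a populated search list or a trailing period confines the queries to the suffixes you chose.

```python
def devolved_suffixes(primary_suffix: str) -> list:
    """Suffixes produced by devolution: the primary suffix with its left-most
    label removed repeatedly, down to the single-label form.
    'widgets.tailspintoys.com' -> ['tailspintoys.com', 'com']."""
    labels = primary_suffix.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def candidate_fqdns(name, primary_suffix, connection_suffixes=(), search_list=(), devolve=True):
    """Ordered FQDNs the DNS Client service tries for a short name, following
    the rules on the page. A trailing period means the name is already
    qualified and is queried as-is."""
    if name.endswith("."):
        return [name]
    if search_list:
        # Non-empty search list: only the listed suffixes, in list order.
        return [f"{name}.{s}" for s in search_list]
    candidates = [f"{name}.{primary_suffix}"]
    for s in connection_suffixes:
        fqdn = f"{name}.{s}"
        if fqdn not in candidates:
            candidates.append(fqdn)
    if devolve:
        for s in devolved_suffixes(primary_suffix):
            fqdn = f"{name}.{s}"
            if fqdn not in candidates:
                candidates.append(fqdn)
    return candidates


def resolve(name, records, **kwargs):
    """Try the candidates in order against `records` (a constructed
    FQDN -> IPv4 table standing in for the DNS server). Returns
    (answer, queried): answer is (fqdn, ip), or None for "Name not found".
    Once a query succeeds, the remaining candidates are not tried."""
    queried = []
    for fqdn in candidate_fqdns(name, **kwargs):
        queried.append(fqdn)
        key = fqdn.rstrip(".")
        if key in records:
            return (fqdn, records[key]), queried
    return None, queried


# Constructed sample zone data, not from the page.
SAMPLE_RECORDS = {
    "wkstn1.widgets.tailspintoys.com": "10.1.1.11",
    "printer.tailspintoys.com": "10.9.9.9",
}

if __name__ == "__main__":
    common = dict(primary_suffix="widgets.tailspintoys.com",
                  connection_suffixes=["lab.tailspintoys.com"])
    print(resolve("printer", SAMPLE_RECORDS, **common))
    print(resolve("printer", SAMPLE_RECORDS, primary_suffix="widgets.tailspintoys.com",
                  search_list=["corp.tailspintoys.com"]))
    print(resolve("wkstn1.widgets.tailspintoys.com.", SAMPLE_RECORDS, **common))
```

Comparing the `queried` lists for the same short name with and without a search list shows both why ordering the list with the most-used suffixes first saves queries and which names would be sent beyond your own zones when the list is empty.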
Windows Server 2008 supports a specially named zone, called GlobalNames, to provide resolution of a limited set of globally unique, single-label names in an enterprise network. You can use this zone when network requirements make it impractical to use a suffix search list for this purpose. For more information, see Deploying a GlobalNames Zone.
Configuring multiple names
Computers running Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 are given DNS names by default. Each computer can have its DNS names configured using one of two possible methods:
- A primary DNS domain name, which applies as the default fully qualified DNS name for the computer and all of its configured network connections
- A connection-specific DNS domain name, which can be configured as an alternate DNS domain name that applies only for a single network adapter that is installed and configured on the computer
Although most computers do not need to support or use more than one name in DNS, support for configuring multiple, connection-specific DNS names is sometimes useful. For example, by using multiple names, a user can specify which network connection to use when connecting to a multihomed computer.
Example: using connection-specific names
As shown in the following illustration, a multihomed server computer named host-a can be named according to both its primary and connection-specific DNS domain names.
In this example, the server computer host-a attaches to two separate subnets—Subnet 1 and Subnet 2—which are also linked at redundant points using two routers for additional paths between each subnet. Given this configuration, host-a provides access as follows through its separately named local area network (LAN) connections:
- The name host-a.public.example.microsoft.com provides access using LAN connection 1 over Subnet 1, a lower-speed (10 megabit) Ethernet LAN, for normal access to users who have typical file and print service needs.
- The name host-a.backup.example.microsoft.com provides access using LAN connection 2 over Subnet 2, a higher-speed (100 megabit) Ethernet LAN, for reserved access by server applications and administrators who have special needs, such as troubleshooting server networking problems, performing network-based backup, or replicating zone data between servers.
In addition to the connection-specific DNS names, the computer can also be accessible using either of the two LAN connections by specifying its primary DNS domain name, "host-a.example.microsoft.com".
When it is configured as shown, a computer can register resource records in DNS according to its three distinct names and sets of IP addresses, as shown in the following table.
| DNS name | IP addresses | Description |
|---|---|---|
| host-a.widgets.tailspintoys.com | 10.1.1.11, 10.2.2.22 | The primary DNS name for the computer. The computer registers host (A) and pointer (PTR) resource records for all configured IP addresses under this name in the widgets.tailspintoys.com zone. |
| host-a.public.widgets.tailspintoys.com | 10.1.1.11 | The connection-specific DNS name for LAN connection 1, which registers host (A) and pointer (PTR) resource records for IP address 10.1.1.11 in the public.widgets.tailspintoys.com zone. |
| host-a.backup.widgets.tailspintoys.com | 10.2.2.22 | The connection-specific DNS name for LAN connection 2, which registers host (A) and pointer (PTR) resource records for IP address 10.2.2.22 in the backup.widgets.tailspintoys.com zone. |
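The table lists names and addresses; the records the multihomed host actually registers, including the PTR owner names in the reverse zones, follow mechanically from them. The following Python function is an added example, not code from this document or from Windows: it derives the full set of A and PTR registrations for a host with a primary name and connection-specific names, using the host-a addresses above as constructed input. One consequence worth seeing is that each address ends up with two PTR records, one under the primary name and one under the connection-specific name, so a reverse lookup of 10.1.1.11 has two valid answers.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for `ip`: 10.1.1.11 -> 11.1.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def registrations(host: str, primary_suffix: str, connections) -> list:
    """Records a multihomed client registers. Under its primary name: A and
    PTR for every configured address. Under each connection-specific name:
    A and PTR for that connection's address only. `connections` is a list of
    (connection_suffix or None, ipv4) pairs; None means the connection has no
    connection-specific suffix and registers only under the primary name."""
    records = []
    primary = f"{host}.{primary_suffix}"
    for _suffix, ip in connections:
        records.append(("A", primary, ip))
        records.append(("PTR", reverse_name(ip), primary))
    for suffix, ip in connections:
        if suffix:
            fqdn = f"{host}.{suffix}"
            records.append(("A", fqdn, ip))
            records.append(("PTR", reverse_name(ip), fqdn))
    return records


def by_name(records) -> dict:
    """Collapse the A records into the table's view: DNS name -> addresses."""
    table = {}
    for rtype, owner, value in records:
        if rtype == "A":
            table.setdefault(owner, []).append(value)
    return table


def ptr_answers(records, ip: str) -> list:
    """All names a reverse lookup of `ip` can return from these registrations."""
    owner = reverse_name(ip)
    return [value for rtype, o, value in records if rtype == "PTR" and o == owner]


# Constructed from the page's example: host-a on two subnets.
HOST_A = ("host-a", "widgets.tailspintoys.com",
          [("public.widgets.tailspintoys.com", "10.1.1.11"),
           ("backup.widgets.tailspintoys.com", "10.2.2.22")])

if __name__ == "__main__":
    recs = registrations(*HOST_A)
    for rec in recs:
        print(*rec)
    print(by_name(recs))
    print(ptr_answers(recs, "10.1.1.11"))
```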
DNS names can be set using remote administration and other remote configuration services, such as DHCP. For a DNS server running Windows Server 2008, the primary DNS domain name can be set using either remote administration or the unattended setup option.
For connection-specific naming, you can use TCP/IP configuration methods. You can manually configure the DNS domain name for each connection that appears in the Network Connections folder, or you can use a DHCP option type (option code 15).
For more information about DHCP options, see "DHCP Options" in the Networking Collection (http://go.microsoft.com/fwlink/?LinkId=4639).