If you have ever worked in a company with a split DNS name space or one that has gone through a merger, you have probably dealt with the DNS suffix search list. This list allows a user to put “companyweburl” in their browser address bar and have it actually resolve. This works because Windows cycles through the DNS suffix search list, appending each suffix to what was typed into the address bar until it finds a site. If the list contains contoso.com and litware.com, then the OS will attempt companyweburl.contoso.com first. If it gets a response from that site, then off you go. If it does not, then it tries companyweburl.litware.com.

To set the suffix search list, open the properties of your network connection and then open the TCP/IP properties.  Now click Advanced and go to the DNS tab.  Here you can set your suffix list as shown.

DNS Suffix Search List


There are two other places you can view your current suffix search list.  The first is by opening a command prompt and typing in “ipconfig /all”.  The second is in the registry and can be found in this location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

In a large environment making this change on all the clients can be daunting, but there are several solutions.  I won’t go into all the solutions, but VBScript or PowerShell scripts being deployed through domain group policy or user logons are good ones.  The most obvious solution is to just make the change by deploying a domain group policy.  This method has a catch in that it sets itself in a different registry key than if you set it locally through the GUI.  If a GPO pushes the setting then it takes precedence over the local configuration, but you can still set it in the GUI.  This makes you think you are changing it when you really are not.  This is a field engineer troubleshooting disaster.   The only good news is that an “ipconfig /all” will show what is actively being used.  Deploying this setting with a GPO puts its changes in the registry in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient

It should be noted that this setting is only available in GPOs where AD is running Windows Server 2003 or greater.  Here is the path where you can find the setting in a GPO.

Computer Configuration → Policies (if you’re running Windows Server 2008) → Administrative Templates → Network → DNS Client → DNS Suffix Search List

Here is an example. A GPO has been deployed to Machine1 setting the DNS Suffix Search List to “contoso.com”. On the top you can see that “litware.com” is the only suffix set in the GUI. On the bottom you can see from an “ipconfig /all” that the suffix search list only has “contoso.com”.

DNS Suffix Search List in the GUI


Actual Current DNS Suffix

As you can imagine, there is bound to be a very frustrated desktop engineer. Since the GPO and GUI put their settings in different registry keys, you never see the GPO settings in the GUI. For this reason I would warn against using this GPO setting. I recommend the following workarounds.

  • VBScript or PowerShell deployed via logon script
  • VBScript or PowerShell deployed via GPO startup or logon script
  • GPO using a direct registry change to the local GUI registry key
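
To spot the GUI/GPO mismatch described above on a given machine, the following PowerShell check reads both registry keys and reports which list is in effect. It is an added example, not part of the original post, and it assumes both keys hold the list in a comma-separated string value named SearchList; the function and property names are illustrative.

```powershell
# Added example: compare the GUI (local) and GPO (policy) suffix search lists.
# Assumption: both keys store the list in a comma-separated string value named SearchList.
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-SuffixList {
    param([Parameter(Mandatory)][string]$Path)
    # Emit nothing when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name SearchList -ErrorAction SilentlyContinue
    if (-not $item -or [string]::IsNullOrWhiteSpace($item.SearchList)) { return }
    $item.SearchList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Wrap in @() so an absent value becomes an empty array rather than $null.
$localList  = @(Get-SuffixList -Path $localKey)
$policyList = @(Get-SuffixList -Path $policyKey)

# The GPO value takes precedence whenever it is present.
$policySet = $policyList.Count -gt 0
$effective = if ($policySet) { $policyList } else { $localList }
$source    = if ($policySet) { 'GPO (policy key)' } else { 'Local (GUI key)' }

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    LocalList       = $localList -join ', '
    PolicyList      = $policyList -join ', '
    EffectiveSource = $source
    EffectiveList   = $effective -join ', '
    # True when a GPO is overriding a different list shown in the GUI.
    GuiIsMisleading = $policySet -and (($localList -join ',') -ne ($policyList -join ','))
}
```

On the Machine1 example above, this would report the policy key as the effective source with GuiIsMisleading set to True; “ipconfig /all” remains the authoritative view of what is actively being used.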