As far as I can tell, DNS Suffix Search Order is not adapter specific, but 
rather, if you set it from the Network Connections applet, it is applied to all 
adapters on the system and set in the following registry value: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList.
 Maybe you can override it per-adapter, but I didn't see where.

When you set the policy, as you noted, the registry value is set at 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList. 
This is pretty common where some component has a "primary" registry location 
for configuration but then if it falls under policy control there is a reg 
value under the Policies key that overrides the "native" location, so I suspect 
that is what is happening.

I tried doing a Regmon while issuing an ipconfig /all and I didn't see any 
queries against either of these two reg. values. That might mean that ipconfig 
uses some API call instead of reading out of the registry directly. This makes 
sense since there are obviously two potential locations that could hold the 
value, depending upon whether the policy has been set or not. I'm almost 
positive that ping is using an API call rather than reading the registry, so 
the "up-to-dateness" of these tools depends upon when policy is refreshed. 
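
Added example, not part of the original message: a PowerShell check that compares the two registry locations named above with what the DNS client and WMI report, to show whether a policy-set search list has actually taken effect. It assumes the Policies value takes precedence when present (the poster's suspicion) and a system with `Get-DnsClientGlobalSetting` (Windows 8 / Server 2012 or later); the function and variable names are illustrative.

```powershell
# Added example: compare the DNS suffix search list stored in the registry
# with the list the DNS client is really using.
$nativeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-SearchListValue {
    param([string]$Key)
    # Return the SearchList value as an array of suffixes; empty when the
    # key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name SearchList -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrWhiteSpace($item.SearchList)) { return @() }
    return @($item.SearchList -split '[,\s]+' | Where-Object { $_ })
}

$native = @(Get-SearchListValue $nativeKey)
$policy = @(Get-SearchListValue $policyKey)

# Assumption from the message above: the Policies value wins when it is set.
$expected = if ($policy.Count -gt 0) { $policy } else { $native }

# What the DNS client reports through its API rather than the raw registry.
$live = @((Get-DnsClientGlobalSetting).SuffixSearchList)

[pscustomobject]@{
    NativeSearchList = $native -join ','
    PolicySearchList = $policy -join ','
    ExpectedList     = $expected -join ','
    LiveList         = $live -join ','
    # False means the registry and the running DNS client disagree, for
    # example because policy has not been refreshed yet.
    InSync           = (($expected -join ',') -ieq ($live -join ','))
}

# Per-adapter view, the same data as "wmic nicconfig get DNSDomainSuffixSearchOrder".
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSDomainSuffixSearchOrder
```

An unexpected suffix in `LiveList` that matches neither registry value is worth investigating, since the search list decides which domains unqualified names are resolved against.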



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 26, 2005 12:54 PM
To: [email protected]
Subject: RE: [ActiveDir] flaky gpo

Cool. Good to know.
 
In the meantime, this
http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txt&tabid=63&mid=431
 is (IMO) as good as the adm you are doing now, and it
*should* take care of the ipconfig discrepancies. Again, I am not able to test 
it right now to prove the ipconfig theory, so YMMV.
 
TTY tomorrow :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 12:09 PM
To: [email protected]
Subject: Re: [ActiveDir] flaky gpo


oh yeah,-
wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct 
suffix order



 
On 9/26/05, Tom Kern <[EMAIL PROTECTED]> wrote: 

        my gpo sets it at
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
        I created a Reg_SZ value called "SearchList" with the suffix values and 
that shows up when you right click the adapter under "DNS" tab.
         
        However, windows seems to use the other key for things like ping and 
drive mappings,etc.
        the only way the ipconfig.exe output changes to reflect the gui is if 
you issue an "ipconfig/renew".
         
        Unfortunately, the other key (that you gave me) has a guid for each 
adapter. 
        How am I supposed to set this via a custom adm?
        thanks for all your help.
        


         
        On 9/26/05, [EMAIL PROTECTED] < [EMAIL PROTECTED] <mailto:[EMAIL 
PROTECTED]> > wrote: 

        
                HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                
                
                BTW, does this return the correct suffix for you? 
                wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd)
                
                I'm just curious, and not at a place where I can test. I won't 
be able to see
                your response for a long time. Going offline.
                
                
                Sincerely,
                
                Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
                Microsoft MVP - Directory Services
                www.readymaids.com <http://www.readymaids.com/>  - we know IT
                www.akomolafe.com <http://www.akomolafe.com/> 
                Do you now realize that Today is the Tomorrow you were worried 
about 
                Yesterday?  -anon 
                
                ________________________________
                
                From: [EMAIL PROTECTED] on behalf of Tom Kern 
                Sent: Mon 9/26/2005 11:28 AM
                To: [email protected]
                Subject: Re: [ActiveDir] flaky gpo 
                
                
                thanks.
                disregard that last email...
                
                
                i guess if i find out where ipconfig reads it, i can make an adm 
to reflect 
                that and push it out?
                
                Does this also apply to the "real" policy that comes with
winxp/2k3 as well? 
                
                thanks again!!
                
                
                On 9/26/05, [EMAIL PROTECTED] < [EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]> > wrote:
                
                       When MS introduced that GPO ability, someone forgot to 
remember where
                       ipconfig looks for the information it displays.
Ipconfig reads the 
                registry
                       for the information, but the suffix adm/gpo is not 
stored in the same 
                       location, so ipconfig will never be able to report 
whatever you are
                setting
                       in the adm/gpo.
                
                       You are not crazy. You are just observing some "known 
feature". 
                
                       I can not answer why some clients are not getting your 
gpo settings, 
                though.
                       That task is reserved for "gpoguy", who will be around 
very shortly
                ;)
                
                
                       Sincerely,
                
                       Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
                       Microsoft MVP - Directory Services 
                       www.readymaids.com <http://www.readymaids.com/>  - we 
know IT
                       www.akomolafe.com <http://www.akomolafe.com/> 
                       Do you now realize that Today is the Tomorrow you were 
worried about
                       Yesterday?  -anon
                
                       ________________________________
                
                       From: [EMAIL PROTECTED] on behalf of Tom Kern
                       Sent: Mon 9/26/2005 9:42 AM
                       To: activedirectory
                       Subject: Re: [ActiveDir] flaky gpo
                
                
                       ok, last time i reply to my own email :) 
                
                       I applied a gpo to add 3 domains to the dns suffix 
search order.
                       these 3 domains show up in the gui, when you right click 
a net
                adapter but
                       the change is not reflected when you do an "ipconfig".

                       the output of "ipconfig.exe" is different than what's in 
the gui in
                "network
                       connections".
                       also, when you ping an unqualified name, it doesn't apply 
the search
                list from 
                       the gui but rather the one in the output from 
"ipconfig.exe"
                
                       why is that?
                       does "ipconfig.exe" get net info from a different place 
than the gui
                in
                       "network connections"? 
                       why would the gpo apply to the "network connections"
info but NOT the
                
                       ipconfig.exe info you see in cmd.exe?
                       and why is ping.exe only using the one in ipconfig.exe 
and not the
                "network
                       connections" one.
                
                
                       thanks
                
                       P.S.- all clients are dhcp, if that provides any clue.
                
                       thanks again.
                
                
                       On 9/26/05, Tom Kern < [EMAIL PROTECTED] <mailto:[EMAIL 
PROTECTED]> > wrote:
                
                              To further elaborate, the setting i'm trying to 
apply is a
                custom adm
                       file to add the dns search suffix to tcp/ip props.
                              all clients are win2k. 
                
                              some get it, some never get it.
                               the really weird thing is, some clients after 
being rebooted
                never get
                       it but when you type "ipconfig /release" and then 
"renew", they get 
                it.
                              That's bizarre.
                              how would a reboot not get the pol but i 
release/renew would?
                
                              thanks again.
                
                
                
                              On 9/26/05, Tom Kern < [EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>  > wrote:
                
                                      I have a computer portion gpo at the 
domain level that
                is a
                       little flaky.
                                      For some pc's it applies, others take a 
number of 
                reboots.
                                      All my pc's are win2k.
                                      The gpt has replicated to all DC's in all 
sites.
                
                                      When i enable userenv debugging on the 
affected pc,
                this is 
                       what i get -
                                      USERENV(a8.1e0) 08:23:36:191
MyGetUserName:
                GetUserNameEx
                       failed with 1326
                
                                      I can't find what this error means 
anywhere. It also
                fails
                       with error 1317 as well.
                                      Does anyone know?
                                      thanks
                
                
                
                       List info   : http://www.activedir.org/List.aspx 
                       List FAQ    : http://www.activedir.org/ListFAQ.aspx 
                       List archive:
                http://www.mail-archive.com/activedir%40mail.activedir.org/ 
                
                
                