This Knowledge Base article contains details about the scenarios that use DNS Devolution functionality that are affected by this update. Windows administrators and support professionals should review this document to determine whether their computing environments are vulnerable to the behavior that is addressed by this update and to make sure that DNS names are successfully resolved after they install this update.

| Term | Definition |
| --- | --- |
| Fully qualified domain name (FQDN) | A FQDN is the complete domain name for a specific computer, or host, on the Internet. An example is host.contoso.com. |
| Domain Name System (DNS) | The DNS is an Internet standard that translates host names to IP addresses. |
| Primary DNS Suffix (PDS) | The PDS is the domain name that appears to the right of the hostname in a fully qualified hostname. Computers register host records in this DNS zone. |
| Disjoint namespace | By default, the primary DNS suffix part of a computer's FQDN is the same as the name of the Active Directory domain where the computer account is located. If the PDS is different, the client is said to be in a disjoint namespace. For more information, visit the following Microsoft Web page: |
| Forest root domain (FRD) | The FRD is the parent, "top," or first domain in an Active Directory forest; that is, the initial domain in an Active Directory tree. For more information, visit the following Microsoft Web page: |
| Single label domain | A single label domain is a DNS domain name that consists of a single label, such as "CONTOSO." Unlike typical Active Directory domain names, single label domain names cannot be registered by using an Internet registrar. Additional configuration is required to support a single label domain namespace. For more information, visit the following Microsoft Web page: |
| Connection specific DNS suffix | A connection specific DNS suffix is a DNS suffix that is specific to a connecting adapter (modem, network adapter, and so on) on a computer. The connection specific DNS suffix is usually assigned by a Dynamic Host Configuration Protocol (DHCP) server that leases an IP address to that adapter. It can also be set manually by using the Advanced TCP/IP settings dialog box, or by using Group Policy. For more information, visit the following Microsoft Web page: |
| DNS devolution | DNS devolution is the process by which the resolver on a DNS client resolves queries for hostnames by appending a name such as "corp.microsoft.com" to a host name. If this query fails, the appended name is devolved by one label, and a new query is sent by appending only "microsoft.com." |
| Devolution level | The devolution level is the minimum number of labels to be appended for a DNS query during DNS devolution. This update gives administrators the ability to control this value. The organizational boundary should define the minimum number of labels to be appended, and therefore the devolution level. For example, if the organization boundary for an enterprise named "contoso" is "contoso.co.us," the devolution level should be 3. Generally, the FRD is the organization boundary. |
| Active Directory | The Active Directory directory service stores information about objects on a network and makes this information available to users and network administrators. |

Current overview of DNS devolution
DNS devolution is the process that is used by Windows computers that have not been configured with DNS suffix search lists to resolve DNS queries for single-label hostnames. Specifically, the resolver submits a DNS query for the hostname that it has been asked to resolve, concatenated with the local computer's primary DNS suffix. If that query is not successfully resolved, the query is retried iteratively, each time removing the left-most label of the remaining primary DNS suffix, until the query is either resolved or the resolver's organizational boundary is reached. Devolution is a Windows DNS client feature.
This behavior of DNS devolution effectively enforces an organizational boundary at the second level of the domain. For example, in an Active Directory domain that has the FRD "contoso.com," "contoso" is the organizational boundary and at the second level.
The resolver on Windows clients does not rely on devolution to resolve non-fully-qualified DNS names if either of the following is true:
- A DNS suffix search list is configured. The suffix search list can be configured manually or by using Group Policy (expand Computer Configuration, expand Administrative Templates, expand Network, and then click DNS Client). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
New group policies for DNS in Windows Server 2003
- The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab of the Advanced TCP/IP Settings dialog box of the Internet Protocol (TCP/IP) component.
For more information about DNS devolution, visit the following Microsoft TechNet Web page:
Changes to DNS devolution
This update to the DNS client introduces the concept of a "configurable devolution level," which provides detailed control of the label where devolution will terminate. Before this update is installed, Windows clients were hard-coded to use a two-label organizational boundary. Effectively, devolution level provides an administrator with detailed control to determine the organizational boundary of an Active Directory domain for clients that try to resolve resources within the domain.
The devolution levels for a Windows client that is joined to an Active Directory domain that has the FRDs "contoso.com" and "contoso.co.us" are 2 and 3 respectively.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
By default, devolution is switched on for single label hostnames when a suffix search list is not defined. Devolution can be controlled, or switched on or off explicitly, either manually by changing a registry entry or by using Group Policy. To manually change this setting by editing the registry, add a DWORD value that is named UseDomainNameDevolution to the following registry subkey:
To add this registry entry, follow these steps:
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following subkey in the registry:
- On the Edit menu, point to New, and then click DWORD Value.
- Type UseDomainNameDevolution for the name of the DWORD value, and then press ENTER.
- Right-click UseDomainNameDevolution, and then click Modify.
- In the Value data box, type 1 to enable DNS devolution, and then click OK.
  Note: A value of 0 indicates that devolution is disabled.
- Exit Registry Editor.
When you change this setting by using Group Policy, a DWORD value that is named UseDomainNameDevolution is added to the following registry subkey:
To locate the policy in the Group Policy editor, expand Computer Configuration, expand Administrative Templates, expand Network, expand DNS Client, and then double-click Primary DNS suffix Devolution.
Setting the devolution level
The devolution level should be set to a value of 2 or higher, depending on the organizational boundary:
- A value of 2 or higher, for example 3, makes sure that at least that many labels of the primary DNS suffix (3 in this example) are always appended during devolution.
- A value of 2 makes sure that the behavior is the same as it was before the installation of the update.
A table is presented later that shows the devolution behavior with different registry value combinations.
For Windows 2000, the devolution level can be set manually only by adding a DWORD value that is named DomainNameDevolutionLevel
to the following registry subkey:
For Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 operating systems, the devolution level can be set manually by making changes to the registry or by using Group Policy.
Notes about how to set devolution level
- To manually change this setting by editing the registry, add a DWORD value that is named DomainNameDevolutionLevel to the following registry subkey:
- To change this setting by using Group Policy, open the "Primary DNS Suffix Devolution Level" entry in the following location:
  Computer Configuration/Administrative Templates/Network/DNS Client
  "Primary DNS Suffix Devolution Level" is a new policy that is introduced by this feature to define the devolution level that is appropriate to the domain, site, organizational unit, or computer. The policy stores the level in the DomainNameDevolutionLevel DWORD entry that is located in the following subkey in the registry:
- Devolution settings can be pushed over a domain by using Group Policy. For more information about how to edit and apply Group Policy, visit the following Microsoft Web page:
- The devolution level should match the organization boundary for both of the following reasons:
  - To make sure that devolved queries remain inside the organization.
  - To make sure that all domains that were previously available through devolution are still available.
- A setting of value 2 for devolution level means that the behavior is the same as it was before the installation of the update.
- Clients to which this Group Policy setting is being applied must be updated with update 957579 for the Group Policy setting to be effective.
- For more information about pushing scripts through Group Policy, visit the following Microsoft Web page:
- Group Policy for the devolution level is not supported in Windows 2000 or in Windows NT 4. To set the key manually, domain administrators can write scripts that run on the domain joined clients.
- If the local registry entry and the Group Policy are set on a computer, the Group Policy will take precedence.
- The default behavior of the update on installation is to automatically determine the devolution level. The logic for this is discussed in the next section.
The following matrix explains devolution behavior and selection of the devolution level based on the following registry keys.

| Enable devolution (UseDomainNameDevolution) | Devolution level (DomainNameDevolutionLevel) | Behavior |
| --- | --- | --- |
| 0 (the devolution feature is disabled) | Any value | Devolution is off. The client appends only the primary DNS suffix and connection specific suffixes; it does not devolve the primary DNS suffix. |
| 1 (the devolution feature is enabled) | 1 | Devolution to level 1 is not supported; therefore, devolution is switched off. |
| 1 (the devolution feature is enabled) | 2 through 50 | Devolution is on, and the devolution level is set to the specified value between 2 and 50. |
| The key does not exist (by default, the devolution feature is on) | 1 | Devolution is off. |
| The key does not exist (by default, the devolution feature is on) | 2 through 50 | Devolution is on, and the devolution level is set to the specified value between 2 and 50. |
| The key does not exist (by default, the devolution feature is on) | Neither the local key nor the Group Policy key exists | The devolution level is set to 2. |

Devolution level behavior across platforms with and without the update

| Platforms | Update installed | Devolution level | Configurable |
| --- | --- | --- | --- |
| Windows NT 4, Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 2, Windows Vista, Windows Server 2008, Windows Vista Service Pack 1, and Windows Server 2008 Service Pack 1 | No | 2 | No |
| Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2 | No | 2 | Yes |
| Windows NT 4, Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 2, Windows Vista, Windows Server 2008, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows Server 2008 Service Pack 2 | Yes | Automatic | Yes |

The default behavior of the update on installation is to automatically determine the devolution level. The logic for this behavior is discussed in the next section.
Automatic determination of the devolution level
If the devolution level registry entries that are listed earlier do not exist, the computer will automatically determine the devolution level by using the following process:
- First, the computer determines the FRD of the computer locally. No network queries are used in this operation.
- If the FRD is obtained, it is analyzed for the following conditions:
  - The devolution level is set to 2 if the number of labels in the forest root domain is 1, that is, if it is a single label domain.
  - The devolution level is set to the number of labels in the forest root domain if the PDS is a trailing subset of (ends with) the forest root domain.
    - Examples of trailing DNS suffixes for contoso.com and contoso.co.us are corp.contoso.com and corp.contoso.co.us.
    - Examples that are not trailing suffixes for contoso.com and contoso.co.us are corp.contoso.net and corp.contoso.co.au.
  - Devolution is not performed if the primary DNS suffix is not a trailing subset of the FRD, that is, in a disjoint namespace scenario.
The following is the default behavior for devolution on a client computer after the DNS devolution update is installed on the computer:
- When the suffix search list is enabled on the computer: DNS devolution has no effect (it is disabled) when the suffix search list is enabled on the computer. There is no change in behavior after the update is installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
How to configure a domain suffix search list on the Domain Name System clients
- When the name of the domain to which the client is joined is a single label:
  - The devolution level is set to 2 if the FRD is single labeled and the PDS is a trailing subset of the FRD.
  - Devolution is turned off if the FRD is single labeled and the primary DNS suffix is not a trailing subset of the FRD.
- When the computer is in a disjoint namespace: on domain joined computers, DNS devolution depends on the FRD and PDS combination, as shown in the following table. If the FRD is completely disjoint from the PDS, devolution is turned off.
The following table summarizes the behavior before and after this update is installed in some hypothetical situations. In this table, the column label FRD represents the forest root domain, and the column label PDS represents the primary DNS suffix. The cells of the table show Devolution Level Before Update / Devolution Level After Update.

| | Contoso (single label) | Contoso.com | Contoso.co.nz | Asiapac.contoso.com |
| --- | --- | --- | --- | --- |
| Contoso.com | 2/OFF | 2/2 | 2/OFF (disjoint) | 2/OFF (disjoint) |
| Contoso.co.nz | 2/OFF | 2/OFF (disjoint) | 2/3 | 2/OFF (disjoint) |
| America.Contoso.co.nz | 2/OFF | 2/OFF (disjoint) | 2/3 | 2/OFF (disjoint) |
| nz (single label) | No devolution, because the PDS is one label only | 2/OFF (contoso.com does not end with nz) | 2/2 (contoso.co.nz ends with nz) | 2/OFF (asiapac.contoso.com does not end with nz) |

Potential issues because of changes to the earlier behavior, and possible resolutions for these issues, are discussed in the next section.
Resolution for potential issues
This update brings a change to the default DNS devolution behavior when devolution is enabled on the computer. After you install this update, the devolution level is dynamically calculated. Therefore, there might be scenarios that could result in name resolution failures for names that used to resolve immediately.
Administrators of affected networks can resolve this issue in three ways:
- Manually configure the devolution level limit to a value that is appropriate for the specific domain name. In this configuration, DNS devolves to the administrator-specified level instead of using the level that is based on the FRD. For example:
  - On a computer without the update, with devolution enabled: if the FRD is Contoso.corp.com and the PDS is America.Contoso.corp.com, an unsuccessful query for "wpad" would eventually lead to a query for wpad.corp.com, which could be valid for the given organization.
  - On a computer with the update, the query for wpad would stop at wpad.contoso.corp.com. This may break name resolution that relies on wpad.corp.com. To work around this issue, an administrator could set the devolution level on the computers as appropriate. For more information, see the "Setting the devolution level" section.
- Create a DNS suffix search list. In this configuration, DNS tries each suffix in the list in turn. Administrators should make sure that the domain of every server that was previously reached through devolution is in the suffix search list. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  How to configure a domain suffix search list on the Domain Name System clients
- Relocate the network resource to the same FRD as the computer that is trying to access it.
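The automatic-determination rules, the registry matrix, and the wpad scenario above, as an added example that is not code from the Microsoft article: the functions model which devolution level takes effect for a client and which FQDNs the resolver then tries for a single-label host. The registry entry names are the article's; the FRD/PDS values, the function names, and the level-2 fallback when the FRD cannot be obtained are assumptions of this example.

```python
from typing import List, Optional


def labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().strip(".").split(".") if lab]


def is_trailing_subset(pds: str, frd: str) -> bool:
    """True when the PDS ends with the FRD label-wise (corp.contoso.com / contoso.com)."""
    p, f = labels(pds), labels(frd)
    return len(p) >= len(f) and p[-len(f):] == f


def automatic_level(frd: Optional[str], pds: str) -> Optional[int]:
    """Level chosen when no DomainNameDevolutionLevel entry exists; None means off."""
    if frd is None:
        return 2                        # assumption: FRD not obtainable -> matrix fallback of 2
    if not is_trailing_subset(pds, frd):
        return None                     # disjoint namespace: no devolution
    n = len(labels(frd))
    return 2 if n == 1 else n           # single-label FRD -> 2, otherwise the FRD label count


def effective_level(use_devolution: Optional[int], configured_level: Optional[int],
                    frd: Optional[str], pds: str) -> Optional[int]:
    """Apply the registry matrix; pass None for an entry that does not exist."""
    if use_devolution == 0:
        return None                     # UseDomainNameDevolution = 0: feature disabled
    if configured_level is None:
        return automatic_level(frd, pds)
    if configured_level == 1:
        return None                     # level 1 is not supported, so devolution is off
    if 2 <= configured_level <= 50:
        return configured_level
    raise ValueError("DomainNameDevolutionLevel must be between 1 and 50")


def devolved_queries(host: str, pds: str, level: Optional[int]) -> List[str]:
    """FQDNs tried for a single-label host: host.PDS first, then the PDS with its
    left-most label removed each time, never appending fewer than `level` labels."""
    suffix = labels(pds)
    tried = [".".join([host] + suffix)]
    if level is None:
        return tried                    # devolution off: primary DNS suffix only
    while len(suffix) - 1 >= level:
        suffix = suffix[1:]
        tried.append(".".join([host] + suffix))
    return tried


if __name__ == "__main__":
    # The article's wpad scenario: FRD contoso.corp.com, PDS america.contoso.corp.com
    frd, pds = "contoso.corp.com", "america.contoso.corp.com"
    print("before update (level 2):", devolved_queries("wpad", pds, 2))
    print("after update (automatic):", devolved_queries("wpad", pds, automatic_level(frd, pds)))
```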
The following files are available for download from the Microsoft Download Center:
For all supported 32-bit editions of Windows Vista: Download the package now.
For all supported x64-based editions of Windows Vista: Download the package now.
For all supported 32-bit editions of Windows Server 2008: Download the package now.
For all supported x64-based editions of Windows Server 2008: Download the package now.
For all supported Itanium-based editions of Windows Server 2008: Download the package now.
For all supported 32-bit editions of Windows XP: Download the package now.
For all supported x64-based editions of Windows XP: Download the package now.
For all supported x64-based editions of Windows Server 2003: Download the package now.
For all supported 32-bit editions of Windows Server 2003: Download the package now.
For all supported Itanium-based editions of Windows Server 2003: Download the package now.
For all supported editions of Windows 2000: Download the package now.
Release Date: June 9, 2009
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
How to determine whether you are running a 32-bit or a 64-bit edition of Windows
If you are not sure which version of Windows you are running, or whether it is a 32-bit or a 64-bit version, open System Information (Msinfo32.exe), and review the value that is listed for System Type. To do this, follow these steps:
- Click Start, and then click Run.
- Type msinfo32.exe, and then press ENTER.
- In the System Information window, review the value for System Type:
  - For 32-bit editions of Windows, the System Type value is x86-based PC.
  - For 64-bit editions of Windows, the System Type value is x64-based PC.
For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base:
How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system