DNS Devolution

Updated: July 7, 2010

Applies To: Windows 7, Windows Server 2008 R2

Devolution is a behavior in Active Directory environments that allows client computers that are members of a child namespace to access resources in the parent namespace without the need to explicitly provide the fully qualified domain name (FQDN) of the resource.

With devolution, the DNS resolver builds new FQDNs by appending to the single-label, unqualified name the parent of the primary DNS suffix, then the parent of that suffix, and so on, stopping when the name is successfully resolved or when the level set by the devolution settings is reached. Each step removes the left-most label of the current suffix to obtain the next parent suffix.

For example, if the primary DNS suffix is central.contoso.com and devolution is enabled with a devolution level of two, an application attempting to query the host name emailsrv7 will attempt to resolve emailsrv7.central.contoso.com and emailsrv7.contoso.com. If the devolution level is three, an attempt will be made to resolve emailsrv7.central.contoso.com, but not emailsrv7.contoso.com.

Devolution is not enabled in Active Directory domains when either of the following conditions is true:

  1. A global suffix search list is configured using Group Policy.

  2. The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab in the Advanced TCP/IP Settings for IPv4 or IPv6 Internet Protocol (TCP/IP) Properties of a client computer’s network connection. Parent suffixes are obtained by devolution.

This topic describes an update to the behavior of DNS devolution in Windows Server® 2008 R2 and Windows® 7. For more information about DNS devolution, see Chapter 9 – Windows Support for DNS (https://go.microsoft.com/fwlink/?LinkId=166678) in TCP/IP Fundamentals for Windows.

What are the major changes?

The DNS client in Windows Server 2008 R2 and Windows 7 introduces the concept of a devolution level, which provides control of the label where devolution will terminate. Previously, the effective devolution level was two. An administrator can now specify the devolution level, allowing for precise control of the organizational boundary in an Active Directory domain when clients attempt to resolve resources within the domain. This update to DNS devolution is also available for previous versions of Microsoft Windows. For more information, see Post-installation behavior on client computers after you install the DNS update (https://support.microsoft.com/kb/957579).

Changes to the devolution level can affect the ability of client computers to resolve the names of resources in a domain. The following is the new default behavior for DNS devolution:

First, the Forest Root Domain (FRD) and primary DNS suffix of the local computer are determined. Based on this information:

  1. If the number of labels in the forest root domain is 1 (single labeled), devolution is not performed.

    Example: The FRD is contoso and the primary DNS suffix is contoso.com. Devolution is not performed in this case because contoso is single-labeled. Previously, the devolution level was two.

  2. If the primary DNS suffix is a trailing subset of (ends with) the forest root domain, the devolution level is set to the number of labels in the FRD.

    Example: The FRD is corp.contoso.com and the primary DNS suffix is east.corp.contoso.com. Devolution level in this case is three because east.corp.contoso.com ends with corp.contoso.com and the FRD has three labels. Previously, the devolution level was two.

  3. If the primary DNS suffix is not a trailing subset of the FRD, devolution is not performed.

    Example: The FRD is corp.contoso.com and the primary DNS suffix is east.contoso.com. Devolution is not performed in this case because east.contoso.com does not end with corp.contoso.com. Previously, the devolution level was two.
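The three default rules above, together with the candidate-name walk described earlier for emailsrv7 in central.contoso.com, as an added worked example (not code from the article or from the Windows DNS client); it assumes names are compared as lowercase, dot-separated labels, and that a level of None means devolution is off.

```python
# Added example (not from the Microsoft article): models the default
# devolution rules and the FQDNs a client tries for a single-label name.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring any trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def default_devolution_level(frd, primary_suffix):
    """Default devolution level for a client, or None if devolution is off.

    1. FRD is single-labeled            -> not performed
    2. primary suffix ends with the FRD -> level = label count of the FRD
    3. primary suffix does not end with -> not performed
    """
    frd_labels = labels(frd)
    suffix_labels = labels(primary_suffix)
    if len(frd_labels) <= 1:
        return None
    if suffix_labels[-len(frd_labels):] == frd_labels:
        return len(frd_labels)
    return None


def devolution_candidates(hostname, primary_suffix, level):
    """FQDNs tried, in order, for a single-label hostname.

    The primary DNS suffix is always appended first. With devolution on,
    the left-most label is then removed repeatedly, stopping before the
    suffix would have fewer labels than `level`. level=None means off.
    """
    if "." in hostname:
        raise ValueError("devolution applies to single-label names only")
    suffix = labels(primary_suffix)
    candidates = [f"{hostname}.{'.'.join(suffix)}"]
    if level is None:
        return candidates
    while len(suffix) > level:
        suffix = suffix[1:]  # drop the left-most label to get the parent
        candidates.append(f"{hostname}.{'.'.join(suffix)}")
    return candidates


def resolution_order(hostname, primary_suffix, frd):
    """Derive the default level for this forest, then list the FQDNs tried."""
    level = default_devolution_level(frd, primary_suffix)
    return devolution_candidates(hostname, primary_suffix, level)
```

Comparing resolution_order against devolution_candidates with a fixed level of 2 shows which parent zones the pre-update client would have queried beyond the forest root.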

The following table summarizes the default behavior for devolution after applying the update.

Primary DNS suffix | FRD: contoso                | FRD: contoso.com                                                          | FRD: corp.contoso.com                                                          | FRD: corp.contoso.net
contoso            | OFF (FRD is single-labeled) | OFF (contoso does not end with contoso.com)                               | OFF (contoso does not end with corp.contoso.com)                               | OFF (contoso does not end with corp.contoso.net)
contoso.com        | OFF (FRD is single-labeled) | Devolution level: 2 (contoso.com ends with contoso.com; FRD has two labels)      | OFF (contoso.com does not end with corp.contoso.com)                           | OFF (contoso.com does not end with corp.contoso.net)
corp.contoso.com   | OFF (FRD is single-labeled) | Devolution level: 2 (corp.contoso.com ends with contoso.com; FRD has two labels) | Devolution level: 3 (corp.contoso.com ends with corp.contoso.com; FRD has three labels) | OFF (corp.contoso.com does not end with corp.contoso.net)
corp.contoso.net   | OFF (FRD is single-labeled) | OFF (corp.contoso.net does not end with contoso.com)                      | OFF (corp.contoso.net does not end with corp.contoso.com)                      | Devolution level: 3 (corp.contoso.net ends with corp.contoso.net; FRD has three labels)

Previously, devolution was done until only two labels in the suffix were left. Now, assuming a contiguous namespace, devolution proceeds down to the FRD name and no further. If DNS resolution is required past the level of the FRD, the following options are available:

  1. Configure a global suffix search list. When you configure a suffix search list, devolution is disabled and the suffix search list is used instead.

  2. Specify the devolution level. You can configure the devolution level using Group Policy or by configuring the DomainNameDevolutionLevel registry key.

Who will be interested in this feature?

This feature will be of interest to IT professionals who manage Active Directory® Domain Services (AD DS) and DNS.

Are there any special considerations?

This update to DNS devolution is also available for computers running earlier versions of the Microsoft Windows operating system. For information about this update, see the Overview section of Microsoft Security Advisory 971888 (https://go.microsoft.com/fwlink/?LinkId=166679).

What settings have been added or changed?

Devolution can be configured using Group Policy or using the Windows Registry. The following tables provide values that are used to configure DNS devolution.

Registry settings

Setting name                      | Location                                                              | Previous default value | Default value                 | Possible values
UseDomainNameDevolution (DWORD)   | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient   | 1                      | 1                             | 0 or 1
DomainNameDevolutionLevel (DWORD) | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters | N/A (did not exist)  | N/A (does not exist by default) | 1 to 50

Group Policy settings

Setting name                        | Location                                                          | Previous default value (if applicable) | Default value  | Possible values
Primary DNS Suffix Devolution       | Computer Configuration\Administrative Templates\Network\DNS Client | Not configured                         | Not configured | Enabled, Disabled, Not configured
Primary DNS Suffix Devolution Level | Computer Configuration\Administrative Templates\Network\DNS Client | N/A (did not exist)                    | Not configured | Enabled, Disabled, Not configured

Note

If you configure both registry settings and Group Policy settings, the Group Policy settings will take precedence.

Which editions include this feature?

This feature is available in all editions.