DNS Devolution

Published: October 21, 2009

Updated: July 7, 2010

Applies To: Windows 7, Windows Server 2008 R2

Devolution is a behavior in Active Directory environments that allows client computers that are members of a child namespace to access resources in the parent namespace without the need to explicitly provide the fully qualified domain name (FQDN) of the resource.

With devolution, the DNS resolver creates new FQDNs by appending the single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution works by removing the left-most label and continuing to get to the parent suffix.

For example, if the primary DNS suffix is central.contoso.com and devolution is enabled with a devolution level of two, an application attempting to query the host name emailsrv7 will attempt to resolve emailsrv7.central.contoso.com and emailsrv7.contoso.com. If the devolution level is three, an attempt will be made to resolve emailsrv7.central.contoso.com, but not emailsrv7.contoso.com.

Devolution is not enabled in Active Directory domains when the following conditions are true:

  1. A global suffix search list is configured using Group Policy.

  2. The Append parent suffixes of the primary DNS suffix check box is not selected on the DNS tab in the Advanced TCP/IP Settings for IPv4 or IPv6 Internet Protocol (TCP/IP) Properties of a client computer’s network connection. Parent suffixes are obtained by devolution.

This topic describes an update to the behavior of DNS devolution in Windows Server® 2008 R2 and Windows® 7. For more information about DNS devolution, see Chapter 9 – Windows Support for DNS (http://go.microsoft.com/fwlink/?LinkId=166678) in TCP/IP Fundamentals for Windows.

What are the major changes?

The DNS client in Windows Server 2008 R2 and Windows 7 introduces the concept of a devolution level, which provides control of the label where devolution will terminate. Previously, the effective devolution level was two. An administrator can now specify the devolution level, allowing for precise control of the organizational boundary in an Active Directory domain when clients attempt to resolve resources within the domain. This update to DNS devolution is also available for previous versions of Microsoft Windows. For more information, see Post-installation behavior on client computers after you install the DNS update (http://support.microsoft.com/kb/957579).

Changes to the devolution level can affect the ability of client computers to resolve the names of resources in a domain. The following is the new default behavior for DNS devolution:

First, the Forest Root Domain (FRD) and primary DNS suffix of the local computer are determined. Based on this information:

  1. If the number of labels in the forest root domain is 1 (single-labeled), devolution is not performed.

    Example: The FRD is contoso and the primary DNS suffix is contoso.com. Devolution is not performed in this case because contoso is single-labeled. Previously, the devolution level was two.

  2. If the primary DNS suffix is a trailing subset of (ends with) the forest root domain, the devolution level is set to the number of labels in the FRD.

    Example: The FRD is corp.contoso.com and the primary DNS suffix is east.corp.contoso.com. Devolution level in this case is three because east.corp.contoso.com ends with corp.contoso.com and the FRD has three labels. Previously, the devolution level was two.

  3. If the primary DNS suffix is not a trailing subset of the FRD, devolution is not performed.

    Example: The FRD is corp.contoso.com and the primary DNS suffix is east.contoso.com. Devolution is not performed in this case because east.contoso.com does not end with corp.contoso.com. Previously, the devolution level was two.
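The three rules above, together with the candidate-name generation described earlier, as an added example (not code from the article or from Microsoft). It derives the default devolution level from the FRD and the primary DNS suffix, then lists the FQDNs the resolver would try for an unqualified name, which is useful when auditing which parent zones a client will send queries to. The model ignores connection-specific suffixes and the global suffix search list; function names are assumptions.

```python
"""Model of the Windows 7 / Server 2008 R2 default DNS devolution rules."""


def labels(name):
    """Split a DNS name into its labels, ignoring case and a trailing dot."""
    return [part for part in name.lower().strip(".").split(".") if part]


def default_devolution_level(frd, primary_suffix):
    """Return the default devolution level, or 0 when devolution is OFF."""
    frd_labels = labels(frd)
    suffix_labels = labels(primary_suffix)
    n = len(frd_labels)
    # Rule 1: a single-label forest root domain disables devolution.
    if n < 2:
        return 0
    # Rule 2: the suffix must end with the FRD; level = number of FRD labels.
    if len(suffix_labels) >= n and suffix_labels[-n:] == frd_labels:
        return n
    # Rule 3: suffix is not a trailing subset of the FRD, devolution is OFF.
    return 0


def devolved_candidates(host, primary_suffix, level):
    """FQDNs tried in order: the primary suffix first, then each parent
    suffix obtained by removing the left-most label, stopping once only
    `level` labels remain. level == 0 means devolution is OFF."""
    suffix_labels = labels(primary_suffix)
    candidates = [host + "." + ".".join(suffix_labels)]
    if level < 1:
        return candidates
    while len(suffix_labels) > level:
        suffix_labels = suffix_labels[1:]
        candidates.append(host + "." + ".".join(suffix_labels))
    return candidates


if __name__ == "__main__":
    # Constructed sample: the article's emailsrv7 example with a 3-label suffix.
    for frd in ("contoso", "contoso.com", "corp.contoso.com"):
        level = default_devolution_level(frd, "central.contoso.com")
        names = devolved_candidates("emailsrv7", "central.contoso.com", level)
        print(f"FRD={frd:18} level={level} -> {names}")
```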

The following table summarizes the default behavior for devolution after applying the update.

| Primary DNS suffix | FRD: contoso | FRD: contoso.com | FRD: corp.contoso.com | FRD: corp.contoso.net |
|---|---|---|---|---|
| contoso | OFF (FRD is single-labeled) | OFF (contoso does not end with contoso.com) | OFF (contoso does not end with corp.contoso.com) | OFF (contoso does not end with corp.contoso.net) |
| contoso.com | OFF (FRD is single-labeled) | Devolution level: 2 (contoso.com ends with contoso.com and FRD has two labels) | OFF (contoso.com does not end with corp.contoso.com) | OFF (contoso.com does not end with corp.contoso.net) |
| corp.contoso.com | OFF (FRD is single-labeled) | Devolution level: 2 (corp.contoso.com ends with contoso.com and FRD has two labels) | Devolution level: 3 (corp.contoso.com ends with corp.contoso.com and FRD has three labels) | OFF (corp.contoso.com does not end with corp.contoso.net) |
| corp.contoso.net | OFF (FRD is single-labeled) | OFF (corp.contoso.net does not end with contoso.com) | OFF (corp.contoso.net does not end with corp.contoso.com) | Devolution level: 3 (corp.contoso.net ends with corp.contoso.net and FRD has three labels) |

Previously, devolution was done until only two labels in the suffix were left. Now, assuming a contiguous namespace, devolution proceeds down to the FRD name and no further. If DNS resolution is required past the level of the FRD, the following options are available:

  1. Configure a global suffix search list. When you configure a suffix search list, devolution is disabled and the suffix search list is used instead.

  2. Specify the devolution level. You can configure the devolution level using Group Policy or by configuring the DomainNameDevolutionLevel registry key.

Who will be interested in this feature?

This feature will be of interest to IT professionals who manage Active Directory® Domain Services (AD DS) and DNS.

Are there any special considerations?

This update to DNS devolution is also available for computers running earlier versions of the Microsoft Windows operating system. For information about this update, see the Overview section of Microsoft Security Advisory 971888 (http://go.microsoft.com/fwlink/?LinkId=166679).

What settings have been added or changed?

Devolution can be configured using Group Policy or using the Windows Registry. The following tables provide values that are used to configure DNS devolution.

Registry settings

| Setting name | Location | Previous default value | Default value | Possible values |
|---|---|---|---|---|
| UseDomainNameDevolution (DWORD) | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient | 1 | 1 | 0 or 1 |
| DomainNameDevolutionLevel (DWORD) | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters | N/A (did not exist) | N/A (does not exist by default) | 1 to 50 |

Group Policy settings

| Setting name | Location | Previous default value (if applicable) | Default value | Possible values |
|---|---|---|---|---|
| Primary DNS Suffix Devolution | Computer Configuration\Administrative Templates\Network\DNS Client | Not configured | Not configured | Enabled, Disabled, Not configured |
| Primary DNS Suffix Devolution Level | Computer Configuration\Administrative Templates\Network\DNS Client | N/A (did not exist) | Not configured | Enabled, Disabled, Not configured |

Note: If you configure both registry settings and Group Policy settings, the Group Policy settings will take precedence.

Article No. 183, 10.03.2011, by Alain Gremaud
URL of this article: http://winad.epfl.ch/?article=183

© 2017 VPSI - EXAPP - TC