The adm i set, directly sets the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList value, NOT the policies key.
Its for win2k, so its a tattoo, not a policiy. that other key never comes into play.
as i stated, in the net coonections applet it changed the adapter.
when doing an ipconfig, it didn't show up.
drive mappings and pings with single label names failed(we don't use netbios) even though it showed up in the adapter gui.
i suspect, ipconfig uses the Interfaces key under Parameters in the int guid key.
and so does ping and net use?
thanks
On 9/26/05, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
As far as I can tell, DNS Suffix Search Order is not adapter specific, but rather, if you set it from the Network Connections applet, it is applied to all adapters on the system and set in the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList. Maybe you can override it per-adapter, but I didn't see where.
When you set the policy, as you noted, the registry value is set at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList. This is pretty common where some component has a "primary" registry location for configuration but then if it falls under policy control there is a reg value under the Policies key that overrides the "native" location, so I suspect that is what is happening
I tried doing a Regmon while issuing an ipconfig /all and I didn't see any queries against either of these two reg. values. That might mean that ipconfig uses some API call instead of reading out of the registry directly. This makes sense since there are obviously two potential locations that could hold the value, depending upon whether the policy has been set or not. I'm almost positive that ping is using an API call rather than reading the registry, so the "up-to-dateness" of these tools depends upon when policy is refreshed.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 26, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] flaky gpo
Cool. Good to know.
In the meantime, this
http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txt&tabid=63&mid=431 is (IMO) as good as the adm you are doing now, and it
*should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV.
TTY tomorrow :)
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo
oh yeah,-
wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order
On 9/26/05, Tom Kern <[EMAIL PROTECTED]> wrote:
my gpo sets it at
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
I created a Reg_SZ value called "SearchList" with the suffix values and that shows up when you right click the adapter under "DNS" tab.
However, windows seems to use the other key for things like ping and drive mappings,etc.
the only way the ipconfig.exe output changes to reflect the gui is if you issue an "ipconfig/renew".
Unfortuantely, the other key(that you gave me) has a guid for each adapter.
How am I supposed to set this via a custom adm?
thanks for all your help.
On 9/26/05, [EMAIL PROTECTED] < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfa
ces
BTW, does this return the correct suffix for you?
wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd)
I'm just curious, and not at a place where I can test. I won't be able to see
your response for a long time. Going offline.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com/> - we know IT
www.akomolafe.com <http://www.akomolafe.com/>
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo
thanks.
disregard that last email...
i guess if i find out where ipconfig reads it, i can make a adm to reflect
that and push it out?
Does this also apply to the "real" policy that comes with
winxp/2k3 as well?
thanks again!!
On 9/26/05, [EMAIL PROTECTED] < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote:
When MS introduced that GPO ability, someone forgot to remember where
ipconfig looks for the information it displays.
Ipconfig reads the
registry
for the information, but the suffix adm/gpo is not stored in the same
location, so ipconfig will never be able to report whatever you are
setting
in the adm/gpo.
You are not crazy. You are just observing some "known feature".
I can not answer why some clients are not getting your gpo settings,
though.
That task is reserved for "gpoguy", who will be around very shortly
;)
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com/> - we know IT
www.akomolafe.com <http://www.akomolafe.com/>
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 9:42 AM
To: activedirectory
Subject: Re: [ActiveDir] flaky gpo
ok, last time i reply to my own email :)
I applied a gpo to add 3 domains to the dns suffix search order.
these 3 domains show up in the gui, when you right click a net
adapter but
the change is not reflected when you do an "ipconfig".
the output of "ipconfig.exe" is different than whats in the gui in
"network
connections".
also, when you ping a unqaulified name, it doesn't apply the search
list from
the gui but rather the one in the output from "ipconfig.exe"
why is that?
does "ipconfig.exe" get net info from a different place than the gui
in
"network connections"?
why would the gpo apply to the "network connections"
info but NOT the
ipconfig.exe info you see in cmd.exe?
and why is ping.exe only using the one in ipconfig.exe and not the
"network
connections" one.
thanks
P.S.- all clients are dhcp, if that provides any clue.
thanks again.
On 9/26/05, Tom Kern < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote:
To further elaborate, the setting i'm trying to apply is a
custom adm
file to add the dns search suffix to tcp/ip props.
all clients are win2k.
some get it, some never get it.
the really weird thing is, some clients after being reboot
never get
it but when you type "ipconfig /release" and then "renew", they get
it.
Thats bizzare.
how would a reboot not get the pol but i release/renew would?
thnaks again.
On 9/26/05, Tom Kern < [EMAIL PROTECTED] <mailto: [EMAIL PROTECTED]> > wrote:
I have a computer portion gpo at the domain level that
is a
little flaky.
For some pc's it applies, others take a number of
reboots.
All my pc's are win2k.
The gpt has replicated to all DC's in all sites.
When i enable userenv debugging on the affected pc,
this is
what i get -
USERENV(a8.1e0) 08:23:36:191
MyGetUserName:
GetUserNameEx
failed with 1326
I can't find what this error means anywhere. It also
fails
with error 1317 as well.
Does anyone know?
thanks
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/