DNS does not work due to GPO setting not clearing out of registry
We have been battling an issue with XP SP2 laptops going on and off the domain for quite a while, and have now figured out how to fix it.
First, the issue. Environment: Windows 2003 SP2 domain with XP SP2 computers.
[list]
[*] Symptom: XP computers (dual-homed laptops) that sometimes connect to the local (internal) network and at other times to another network (typically a wireless network) have problems connecting to certain websites.
[*] They cannot connect because the names do not resolve. When you run ipconfig /all, the right DNS servers show up, but when you try an nslookup, you see that another DNS server is being used for the actual lookup. You can see which DNS server nslookup is using every time you run it: that information is in the first two lines of its output.
[*] This is important to remember: <strong>ipconfig /all does not (always) show you what is really being used</strong>. It only shows what the network interfaces are set to.
[*] So what determines which DNS server is used? I realised that this setting may be stored somewhere in the registry. So I ran regedit and searched for the IP address of the DNS server that nslookup reported. The search found a key called [code]HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSclient[/code]. And there they were: the IP addresses of the DNS servers that were really in use, not the ones ipconfig shows.
[*] How did that registry entry get there? At some point that machine belonged to an OU (Organisational Unit) in AD (Active Directory) whose GPO (Group Policy Object) defined the DNS server setting. When a GPO defines a setting, a value is written to the machine's registry (Administrative Template settings land under the Policies keys). When the machine was later moved to an OU where the DNS server setting was not defined, that registry entry was not removed when the policy was refreshed with gpupdate /force and a reboot. Worse: moving the machine to an OU with a different DNS server setting did not work either, and that makes no sense at all.
[*] We replicated the same issue on more than one system.
[/list]
Lessons learned:
[list]
[*] GPOs create registry settings, so when a GPO does strange things, you may want to run regedit and look for the relevant keys.
[*] When you change a GPO setting from 'defined' to 'not defined', the policy change may not have the desired effect, because the setting at the machine (or user?) level is not removed. This is a bug in my opinion.
[*] Running gpresult or the Group Policy Modeling wizard in the Group Policy Management Console (GPMC) does not always give you the right answer. It certainly did not in our case, since it reported DNS servers different from what the machine was actually using.
[*] Don't trust Microsoft software, surprise ... Changing the DNS servers in the GPO from nothing to something worked, but subsequently changing them to a third value had no effect. Another bug.
[/list]
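The check described above (compare what the interfaces report with what the DNS Client policy key holds, and optionally clear the stale value) as a script. This is an added example, not code from the original post. It assumes PowerShell is available on the affected machine (PowerShell 1.0 can be installed on XP; it is built in from Vista onward), and it assumes the "DNS Servers" policy stores its list in a string value named [code]NameServer[/code] under the key the post found, with the addresses separated by spaces; the value name comes from the policy's documentation, not from the post, so the script reports every string value in the key rather than relying on that name alone.

```powershell
# Added example (not from the original post): find a DNS Client policy value that
# survived a GPO change and compare it with the per-interface DNS servers.
# Run as an administrator. Tested against PowerShell 1.0/2.0-era cmdlets only
# (no Get-DnsClientServerAddress, no Get-CimInstance), so it also works on old hosts.
#
# Equivalent manual check without PowerShell (cmd.exe on XP):
#   reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
#   nslookup www.example.com        (first two output lines show the server used)
#   ipconfig /all                   (shows only the interface settings)
param(
    [switch]$Fix   # remove the stale policy value instead of only reporting it
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# ASSUMPTION: the "DNS Servers" policy writes its list to this REG_SZ value name.
$policyValueName = 'NameServer'

# 1. The ipconfig /all view: DNS servers configured on the enabled interfaces.
$interfaceDns = @()
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder } |
    ForEach-Object { $interfaceDns += $_.DNSServerSearchOrder }

Write-Host "Interface DNS servers (what ipconfig /all shows):"
$interfaceDns | ForEach-Object { Write-Host "  $_" }

# 2. The policy view: whatever is left under the DNSClient policy key.
if (-not (Test-Path $policyKey)) {
    Write-Host "No DNS Client policy key present; the resolver follows the interfaces."
    return
}

$props = Get-ItemProperty -Path $policyKey
Write-Host "Values under ${policyKey}:"
$props | Get-Member -MemberType NoteProperty |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { Write-Host ("  {0} = {1}" -f $_.Name, $props.($_.Name)) }

$policyDns = @()
if ($props.$policyValueName) {
    # The policy stores one string; split on spaces or commas and drop empties.
    $policyDns = $props.$policyValueName.Split(' ,') | Where-Object { $_ }
}

if ($policyDns.Count -eq 0) {
    Write-Host "No $policyValueName value; nothing to compare."
    return
}

# 3. Anything the policy names that no interface is set to is the mismatch
#    the post describes: nslookup will use it, ipconfig will not show it.
$stale = $policyDns | Where-Object { $interfaceDns -notcontains $_ }
if ($stale.Count -eq 0) {
    Write-Host "Policy DNS servers match the interfaces; no mismatch found."
    return
}

Write-Host "MISMATCH: policy forces DNS servers not set on any interface:"
$stale | ForEach-Object { Write-Host "  $_" }

if ($Fix) {
    # Only do this once no GPO linked to the machine still defines "DNS Servers";
    # otherwise the next policy refresh simply writes the value back.
    Remove-ItemProperty -Path $policyKey -Name $policyValueName
    Write-Host "Removed $policyValueName. Run 'gpupdate /force', reboot, and re-run"
    Write-Host "this script: if the value returns, a linked GPO still defines it."
}
```

Running it without -Fix is safe and only prints the three views. The removal step is deliberately manual: deleting a value under the Policies hive is the right fix only when the GPO no longer defines the setting (the 'not defined' case from the post); if a GPO does define it and the machine is simply holding an old value, the problem is the refresh, and the value will be rewritten at the next gpupdate whether or not you delete it.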



