
GPO - DNS Suffixes - GPO applied, but not settings on 3 of 6 sites

acmi used Ask the Experts™
We have a GPO that contains our DNS suffix list which is applied to the root of our domain.  A screen shot of our Group Policy Management page is attached for more details.

6 of 6 sites receive this GPO.  But 3 of the 6 sites that receive the GPO do not actually receive the DNS suffixes that are supplied by the GPO – which does not make sense.

Again, the GPOs are present when you run gpresult and are present when you run the Group Policy Wizard – and with no errors.  Yet the 3 sites that receive the GPO do not receive the settings within the GPO in regards to providing the DNS suffixes.

An ipconfig /all does not display the DNS suffixes that should be in place due to the GPO – as they are in our other 3 sites.

This is the first time I have had an issue with a successfully applied GPO where the settings supplied by the GPO were not going into effect.

I could use a little advice on how to troubleshoot this.  

(2003 servers, AD domain)
Sandesh Dubey, Technical Lead
Top Expert 2011

Right Click on the DNS Suffix GPO and click enforce and see if this works.


Sounds like the GPO may not be replicated across your sites correctly.  

On Successful Site 1 DC Server -  Check the Policies "Details" tab for the User version and computer version numbers.  

Then do the same on one of the DCs in the failing site.

Are the version numbers the same?

I have attached an AD daily check sheet - censored so I've taken relevant firm's pictures out but it may help you out...

OK, I have realized the issue.

Basically, you can't have two GPOs that use the DNS Search Suffix List setting.  The two may seem to be applied when you look at the results of a gpupdate - but only the settings from one are actually applied.

An OU that inherits both will only apply one of the policies - the suffixes from two different GPOs are not combined.  

So when I removed a DNS suffix GPO from the OU, the OU then inherited the settings from the DNS suffix GPO that is applied to the root of our domain.

Well sorted - I was going to suggest that next ;-)


I answered my own question
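
The conflict described in this thread can be spotted by listing every GPO in scope of an OU that sets the DNS suffix search list. The script below is an added example, not part of the original thread; it assumes a management host with the GroupPolicy PowerShell module (GPMC/RSAT), and the OU distinguished name is a placeholder.

```powershell
# Added example: find every in-scope GPO that sets the DNS suffix search list.
# Assumption: run where the GroupPolicy module is installed.
# $TargetOU is a placeholder distinguished name; replace it with your own.
param(
    [string]$TargetOU = 'OU=Workstations,DC=example,DC=com'
)

Import-Module GroupPolicy

# The "DNS Suffix Search List" policy is stored as ONE registry string value,
# so a higher-precedence GPO overwrites it; lists are never merged.
$Key       = 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'SearchList'

# InheritedGpoLinks = effective links for the OU after inheritance,
# enforcement and block-inheritance. Order 1 is the highest precedence.
$links = (Get-GPInheritance -Target $TargetOU).InheritedGpoLinks |
    Where-Object { $_.Enabled } |
    Sort-Object Order

$setters = @(foreach ($link in $links) {
    try {
        # Errors out when the GPO does not configure this value.
        $reg = Get-GPRegistryValue -Guid $link.GpoId -Key $Key `
                   -ValueName $ValueName -ErrorAction Stop
        [pscustomobject]@{
            Precedence = $link.Order
            Gpo        = $link.DisplayName
            Enforced   = $link.Enforced
            SearchList = $reg.Value
        }
    } catch {
        # GPO does not set SearchList; nothing to report for it.
    }
})

if ($setters.Count -eq 0) {
    Write-Output "No GPO in scope of $TargetOU sets $ValueName."
} else {
    $setters | Format-Table -AutoSize
    if ($setters.Count -gt 1) {
        # Security filtering and WMI filters are not evaluated here,
        # so confirm the winner on an affected client.
        Write-Warning ("{0} GPOs set {1}; by link precedence only '{2}' applies." -f `
            $setters.Count, $ValueName, $setters[0].Gpo)
    }
}
```

On an affected client, `reg query "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v SearchList` shows which list was actually written.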