OVAL

Primary DNS Suffix Devolution Level

ID: oval:org.secpod.oval:def:27442
Date: (C)2015-10-08 (M)2023-07-04
Class: COMPLIANCE
Family: windows

This policy setting determines the Domain Name System (DNS) suffix devolution level that DNS clients will use, if the clients perform primary DNS suffix devolution in a name resolution process. When DNS suffix devolution is enabled, the leftmost label of a primary DNS suffix is dropped on each successive query attempt, when a query fails for a name to which a primary DNS suffix has been attached. The devolution level indicates the minimum number of labels that must be added to the query string after the primary DNS suffix is devolved.

When a user submits a query for a single-label name, such as "example", a local DNS client attaches a suffix, such as "microsoft.com", to the query, before sending the query to a DNS server. In this case, this results in the query "example.microsoft.com.". If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries is resolved, the client devolves the primary DNS suffix of the computer, attaches the devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.

For example, if the primary DNS suffix aaa.bbb.ccc.ddd.microsoft.com is attached to the single-label name "example" (which has no dot at the end), and if DNS suffix devolution is enabled and the level is set to 3, the following queries would be run:

(1) example.aaa.bbb.ccc.ddd.microsoft.com (If this query fails, for the next query the primary DNS suffix will devolve to bbb.ccc.ddd.microsoft.com.)
(2) example.bbb.ccc.ddd.microsoft.com (If this query fails, for the next query the primary DNS suffix will devolve to ccc.ddd.microsoft.com.)
(3) example.ccc.ddd.microsoft.com (If this query fails, for the next query the primary DNS suffix will devolve to ddd.microsoft.com.)
(4) example.ddd.microsoft.com (If this query fails, no further queries can be made because the devolution level is set to 3 and the primary DNS suffix contains 3 labels.)

If you enable this policy setting, DNS clients on the computers to which this setting is applied attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. The DNS clients will devolve the primary DNS suffix on each query attempt until the name is successfully resolved, the devolution level specified in this setting has been reached, or the primary DNS suffix name has two labels.

If you disable or do not configure this policy setting, DNS clients on the computers to which this setting is applied do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. If a Forest Root Domain (FRD) is present, no search list is configured, and the query is for a single-label name, then the DNS client will devolve up to the FRD until the name is successfully resolved.

Fix:
(1) GPO: Computer Configuration\Administrative Templates\Network\DNS Client!Primary DNS Suffix Devolution Level
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient!EnableDevolutionLevelControl
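The candidate-query sequence described above can be modelled to see which names a single-label lookup actually reaches under a given devolution level. The following is an added example, not part of the SecPod definition or Microsoft's policy text; it assumes the stop rules exactly as stated above (stop at the configured level or at two labels, whichever is reached first) and models nothing about the connection-specific suffix or search lists.

```python
"""Model Windows primary DNS suffix devolution for a single-label name.

Added example: reproduces the query sequence from the policy text so the
effect of the devolution level on an unqualified lookup can be inspected.
"""


def devolution_candidates(label: str, primary_suffix: str, level: int,
                          enabled: bool = True) -> list:
    """Return the FQDNs the client would try, in order, for `label`.

    - The first candidate is always label + full primary suffix.
    - With devolution enabled, the leftmost suffix label is dropped for
      each further attempt until the suffix has `level` labels or only
      two labels remain (assumption: both stop rules as the policy text
      states them; level values below 2 are therefore treated as 2).
    - With devolution disabled, no devolved candidates are produced.
    """
    if "." in label.rstrip(".") or not label:
        raise ValueError("only single-label names are devolved")
    label = label.rstrip(".")
    suffix_labels = [part for part in primary_suffix.strip(".").split(".") if part]
    candidates = [label + "." + ".".join(suffix_labels)]
    if not enabled:
        return candidates
    floor = max(level, 2)            # never devolve below two labels
    while len(suffix_labels) > floor:
        suffix_labels = suffix_labels[1:]   # drop the leftmost label
        candidates.append(label + "." + ".".join(suffix_labels))
    return candidates


if __name__ == "__main__":
    # The level-3 walk-through from the policy description.
    for fqdn in devolution_candidates("example", "aaa.bbb.ccc.ddd.microsoft.com", 3):
        print(fqdn)
```

Comparing the list produced for the deployed level against the list for a stricter level shows exactly which shallower zones an unqualified name would otherwise be sent to.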

Platform: Microsoft Windows Server 2012 R2
Reference: CCE-36355-6
CPE (1): cpe:/o:microsoft:windows_server_2012::r2:x64
CCE (1): CCE-36355-6
XCCDF (1): xccdf_org.secpod_benchmark_general_Windows_2012_R2

© SecPod Technologies