You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you manually register domain controllers' resource records, you'll want to prevent those domain controllers from attempting to dynamically register them. If you do not disable them from sending dynamic update requests, you may see annoying error messages on your DNS servers that certain DDNS updates are failing.
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v[RETURN] UseDynamicDNS /t REG_DWORD /d 0 The operation completed successfully. > net stop netlogon The Net Logon service is stopping. The Net Logon service was stopped successfully. > del %SystemRoot%\system32\config\netlogon.dnb > net start netlogon The Net Logon service is starting....... The Net Logon service was started successfully.
' This code prevents a DC from registering resource records dynamically. ' It must be run directly on the server. ' Create Registry Value const HKLM = &H80000002 set oReg=GetObject("winmgmts:root\default:StdRegProv") strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters" if oReg.SetDWORDValue(HKLM,strKeyPath,"UseDynamicDNS",1) <> 0 then WScript.Echo "Error creating registry value" else WScript.Echo "Created registry value successfully" end if ' Stop Netlogon service strService = "Netlogon" set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _ strService & "'") if objService.StopService <> 0 then WScript.Echo "Error stopping " & strService & " service" else WScript.Echo "Stopped " & strService & " service successfully" end if ' Delete netlogon.dnb file set WshShell = CreateObject("WScript.Shell") set objFSO = CreateObject("Scripting.FileSystemObject") set objFile = objFSO.GetFile( _ WshShell.ExpandEnvironmentStrings("%SystemRoot%") _ & "\system32\config\netlogon.dnb" ) objFile.Delete WScript.Echo "Deleted netlogon.dnb successfully" ' Start Netlogon service if objService.StartService <> 0 then WScript.Echo "Error starting " & strService & " service" else WScript.Echo "Started " & strService & " service successfully" end if WScript.Echo WScript.Echo "Done"
By default, domain controllers attempt to dynamically register their Active Directory-related resource records every hour via the NetLogon service. You can prevent a domain controller from doing this by setting the UseDynamicDNS value to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters. After you set that value, you should stop the NetLogon service, remove the %SystemRoot%\system32\config\netlogon.dnb file and then start NetLogon back up. It is necessary to remove the netlogon.dnb file because it maintains a cache of the resource records that are dynamically updated. This file will get recreated when the NetLogon service restarts.
Recipe 13.15 for preventing certain records from being dynamically registered, MS KB 198767 (How to Prevent Domain Controllers from Dynamically Registering DNS Names), and MS KB 246804 (How to Enable/Disable Windows 2000 Dynamic DNS Registrations)