You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you could prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.
This command will disable the Ldap, Gc, and GcIpAddress resource records from being dynamically registered:
```
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap\0Gc\0GcIpAddress
The operation completed successfully.
> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.
> del %SystemRoot%\system32\config\netlogon.dnb
> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.
```
```vbscript
' This code prevents a DC from registering the resource records
' associated with the Ldap, Gc, and GcIpAddress mnemonics and must be run
' directly on the server.

' Create Registry Value
const HKLM = &H80000002
set objReg = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"

' prevent Ldap, Gc, and GcIpAddress records from being registered
arrValues = Array("Ldap","Gc","GcIpAddress")
if objReg.SetMultiStringValue(HKLM,strKeyPath,"DnsAvoidRegisterRecords", _
                              arrValues) <> 0 then
   WScript.Echo "Error creating registry value"
else
   WScript.Echo "Created registry value successfully"
end if

' Stop Netlogon service
strService = "Netlogon"
set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                           strService & "'")
if objService.StopService <> 0 then
   WScript.Echo "Error stopping " & strService & " service"
else
   WScript.Echo "Stopped " & strService & " service successfully"
end if

' StopService only queues the request; wait until the service reports
' Stopped before touching netlogon.dnb, otherwise the delete can fail
Do
   WScript.Sleep 500
   set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                              strService & "'")
Loop Until objService.State = "Stopped"

' Delete netlogon.dnb file
On Error Resume Next
set WshShell = CreateObject("WScript.Shell")
set objFSO = CreateObject("Scripting.FileSystemObject")
set objFile = objFSO.GetFile( _
    WshShell.ExpandEnvironmentStrings("%systemroot%") _
    & "\system32\config\netlogon.dnb")
objFile.Delete
if (Err.Number <> 0) then
   WScript.Echo "Error deleting netlogon.dnb: " & Err.Description
else
   WScript.Echo "Deleted netlogon.dnb successfully"
end if

' Start Netlogon service
if objService.StartService <> 0 then
   WScript.Echo "Error starting " & strService & " service"
else
   WScript.Echo "Started " & strService & " service successfully"
end if
WScript.Echo
WScript.Echo "Done"
```
The procedure to disable registration of certain resource records is very similar to that described in Recipe 13.14 for preventing all records from being dynamically registered, except in this case, you need to create a value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters key. The type for DnsAvoidRegisterRecords should be REG_MULTI_SZ and the data should be a whitespace separated list of mnemonics. Mnemonics are used to represent various resource records that domain controllers register. The complete list of mnemonics is included in Table 13-3.
| Registry mnemonic | Resource record type | Resource record name |
|---|---|---|
| LdapIpAddress | A | <DnsDomainName> |
| Ldap | SRV | _ldap._tcp.<DnsDomainName> |
| LdapAtSite | SRV | _ldap._tcp.<SiteName>._sites.<DnsDomainName> |
| Pdc | SRV | _ldap._tcp.pdc._msdcs.<DnsDomainName> |
| Gc | SRV | _ldap._tcp.gc._msdcs.<DnsForestName> |
| GcAtSite | SRV | _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName> |
| DcByGuid | SRV | _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName> |
| GcIpAddress | A | _gc._msdcs.<DnsForestName> |
| DsaCname | CNAME | <DsaGuid>._msdcs.<DnsForestName> |
| Kdc | SRV | _kerberos._tcp.dc._msdcs.<DnsDomainName> |
| KdcAtSite | SRV | _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName> |
| Dc | SRV | _ldap._tcp.dc._msdcs.<DnsDomainName> |
| DcAtSite | SRV | _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName> |
| Rfc1510Kdc | SRV | _kerberos._tcp.<DnsDomainName> |
| Rfc1510KdcAtSite | SRV | _kerberos._tcp.<SiteName>._sites.<DnsDomainName> |
| GenericGc | SRV | _gc._tcp.<DnsForestName> |
| GenericGcAtSite | SRV | _gc._tcp.<SiteName>._sites.<DnsForestName> |
| Rfc1510UdpKdc | SRV | _kerberos._udp.<DnsDomainName> |
| Rfc1510Kpwd | SRV | _kpasswd._tcp.<DnsDomainName> |
| Rfc1510UdpKpwd | SRV | _kpasswd._udp.<DnsDomainName> |
Recipe 13.14 for preventing all records from being dynamically registered, MS KB 246804 (How to Enable/Disable Windows 2000 Dynamic DNS Registrations), and MS KB 267855 (Problems with Many Domain Controllers with Active Directory Integrated DNS Zones)