Recipe 13.15 Preventing a Domain Controller from Dynamically Registering Certain Resource Records

13.15.1 Problem

You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you could prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.

13.15.2 Solution

13.15.2.1 Using a command-line interface

This command will disable the Ldap, Gc, and GcIpAddress resource records from being dynamically registered:

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v[RETURN]
 DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap\0Gc\0GcIpAddress
The operation completed successfully.

> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.

> del %SystemRoot%\system32\config\netlogon.dnb

> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.

13.15.2.2 Using VBScript

' This code prevents a DC from registering the resource records
' associated with the Ldap, Gc, and GcIpAddress mnemonics and must be run
' directly on the server.

' Create Registry Value
const HKLM = &H80000002
set objReg = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
' prevent Ldap, Gc, and GcIpAddress records from being registered
arrValues  = Array("Ldap","Gc","GcIpAddress")
if objReg.SetMultiStringValue(HKLM,strKeyPath,"DnsAvoidRegisterRecords", _
                              arrValues) <> 0 then
   WScript.Echo "Error creating registry value"
else
   WScript.Echo "Created registry value successfully"
end if

' Stop Netlogon service
strService = "Netlogon"
set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                           strService & "'")
if objService.StopService <> 0 then
   WScript.Echo "Error stopping " & strService & " service"
else
   WScript.Echo "Stopped " & strService & " service successfully"
end if

' StopService only queues the request; wait (up to 30 s) until the service
' reports Stopped, because netlogon.dnb cannot be deleted while it is held open
intWaited = 0
Do While objService.State <> "Stopped" And intWaited < 30
   WScript.Sleep 1000
   intWaited = intWaited + 1
   set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                              strService & "'")
Loop

' Delete netlogon.dnb file
On Error Resume Next
set WshShell = CreateObject("WScript.Shell")
set objFSO = CreateObject("Scripting.FileSystemObject")
set objFile = objFSO.GetFile( _
                      WshShell.ExpandEnvironmentStrings("%systemroot%") _
                      & "\system32\config\netlogon.dnb")
objFile.Delete
if (Err.Number <> 0) then
   WScript.Echo "Error deleting netlogon.dnb: " & Err.Description
else
   WScript.Echo "Deleted netlogon.dnb successfully"
end if
Err.Clear
On Error GoTo 0

' Start Netlogon service
if objService.StartService <> 0 then
   WScript.Echo "Error starting " & strService & " service"
else
   WScript.Echo "Started " & strService & " service successfully"
end if

WScript.Echo
WScript.Echo "Done"

13.15.3 Discussion

The procedure to disable registration of certain resource records is very similar to that described in Recipe 13.14 for preventing all records from being dynamically registered, except that in this case you need to create a value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters key. The type for DnsAvoidRegisterRecords should be REG_MULTI_SZ and the data should be a whitespace-separated list of mnemonics. Mnemonics are short names that stand for the various resource records a domain controller registers. The complete list of mnemonics is included in Table 13-3.

Table 13-3. Registry mnemonics for resource records

Registry mnemonic   Resource record type   Resource record name
------------------  ---------------------  -----------------------------------------------------------
LdapIpAddress       A                      <DnsDomainName>
Ldap                SRV                    _ldap._tcp.<DnsDomainName>
LdapAtSite          SRV                    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
Pdc                 SRV                    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                  SRV                    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
DcByGuid            SRV                    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
GcIpAddress         A                      _gc._msdcs.<DnsForestName>
DsaCname            CNAME                  <DsaGuid>._msdcs.<DnsForestName>
Kdc                 SRV                    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite           SRV                    _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Dc                  SRV                    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Rfc1510Kdc          SRV                    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite    SRV                    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc           SRV                    _gc._tcp.<DnsForestName>
GenericGcAtSite     SRV                    _gc._tcp.<SiteName>._sites.<DnsForestName>
Rfc1510UdpKdc       SRV                    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd         SRV                    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV                    _kpasswd._udp.<DnsDomainName>
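As an added example (not from the book), the following Python resolves the mnemonics you intend to place in DnsAvoidRegisterRecords against Table 13-3, so you can see the exact names that will disappear from DNS before touching the registry, and it shows the REG_MULTI_SZ byte layout that the \0 separators in the reg add command produce. The domain, forest and site names are constructed placeholders.

```python
# Added example, not from the book: which DNS names a DC stops registering
# for a DnsAvoidRegisterRecords list, and the REG_MULTI_SZ bytes behind it.
# Mnemonic -> (record type, name template), transcribed from Table 13-3.
MNEMONICS = {
    "LdapIpAddress": ("A", "{DnsDomainName}"),
    "Ldap": ("SRV", "_ldap._tcp.{DnsDomainName}"),
    "LdapAtSite": ("SRV", "_ldap._tcp.{SiteName}._sites.{DnsDomainName}"),
    "Pdc": ("SRV", "_ldap._tcp.pdc._msdcs.{DnsDomainName}"),
    "Gc": ("SRV", "_ldap._tcp.gc._msdcs.{DnsForestName}"),
    "GcAtSite": ("SRV", "_ldap._tcp.{SiteName}._sites.gc._msdcs.{DnsForestName}"),
    "DcByGuid": ("SRV", "_ldap._tcp.{DomainGuid}.domains._msdcs.{DnsForestName}"),
    "GcIpAddress": ("A", "_gc._msdcs.{DnsForestName}"),
    "DsaCname": ("CNAME", "{DsaGuid}._msdcs.{DnsForestName}"),
    "Kdc": ("SRV", "_kerberos._tcp.dc._msdcs.{DnsDomainName}"),
    "KdcAtSite": ("SRV", "_kerberos._tcp.dc._msdcs.{SiteName}._sites.{DnsDomainName}"),
    "Dc": ("SRV", "_ldap._tcp.dc._msdcs.{DnsDomainName}"),
    "DcAtSite": ("SRV", "_ldap._tcp.{SiteName}._sites.dc._msdcs.{DnsDomainName}"),
    "Rfc1510Kdc": ("SRV", "_kerberos._tcp.{DnsDomainName}"),
    "Rfc1510KdcAtSite": ("SRV", "_kerberos._tcp.{SiteName}._sites.{DnsDomainName}"),
    "GenericGc": ("SRV", "_gc._tcp.{DnsForestName}"),
    "GenericGcAtSite": ("SRV", "_gc._tcp.{SiteName}._sites.{DnsForestName}"),
    "Rfc1510UdpKdc": ("SRV", "_kerberos._udp.{DnsDomainName}"),
    "Rfc1510Kpwd": ("SRV", "_kpasswd._tcp.{DnsDomainName}"),
    "Rfc1510UdpKpwd": ("SRV", "_kpasswd._udp.{DnsDomainName}"),
}

def suppressed_records(mnemonics, names):
    """Return [(mnemonic, type, fqdn)]; raise ValueError on a mnemonic not in
    Table 13-3 so a typo in the registry value is caught rather than ignored."""
    out = []
    for m in mnemonics:
        if m not in MNEMONICS:
            raise ValueError(f"unknown mnemonic: {m!r}")
        rtype, template = MNEMONICS[m]
        out.append((m, rtype, template.format_map(names)))
    return out

def multi_sz_bytes(values):
    """REG_MULTI_SZ data: UTF-16LE, NUL after each string, NUL ending the list
    (the layout that the \\0 separators in the reg add command produce)."""
    return "".join(v + "\0" for v in values).encode("utf-16-le") + b"\0\0"

if __name__ == "__main__":
    # Constructed sample names for a fictitious forest.
    names = {"DnsDomainName": "corp.example.test", "DnsForestName": "example.test",
             "SiteName": "Default-First-Site-Name"}
    for m, rtype, fqdn in suppressed_records(["Ldap", "Gc", "GcIpAddress"], names):
        print(f"{m:12} {rtype:4} {fqdn}")
    print(multi_sz_bytes(["Ldap", "Gc", "GcIpAddress"]).hex())
```

Run it with your own domain and forest names before applying the change, then query each listed name after Netlogon restarts to confirm the record is no longer published.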

13.15.4 See Also

Recipe 13.14 for preventing all records from being dynamically registered, MS KB 246804 (How to Enable/Disable Windows 2000 Dynamic DNS Registrations), and MS KB 267855 (Problems with Many Domain Controllers with Active Directory Integrated DNS Zones)
