Restrict DNS resource records updated by Netlogon
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To restrict the DNS resource records updated by the Net Logon service
Open Registry Editor.
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
In Registry Editor, navigate to the following registry key:
Add the following multi-string (REG_MULTI_SZ) value:
In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service. The list of data includes:
Data Value Resource Record Type DNS Resource Record
This procedure restricts DNS resource records registered by the Net Logon service for Active Directory domain controllers only.
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
You do not need to restart the Net Logon service for changes to this value to take effect. If the DnsAvoidRegisterRecords registry key is created or modified while the Net Logon service is stopped or within the first 15 minutes after it is started, the appropriate DNS updates may take place after a short delay; however, they occur no later than 15 minutes after the Net Logon service starts.
Information about functional differences
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.